nettle-4.0/0000755000000000000000000000000015141166425007603 5ustar00nettle-4.0/.bootstrap0000755000000000000000000000004315141166424011620 0ustar00#! /bin/sh autoconf && autoheader nettle-4.0/AUTHORS0000644000000000000000000001025315141166424010653 0ustar00Authors of GNU Nettle The oldest code in Nettle was copied into precursors of the Nettle library from other public domain or LGPLv2 sources. Steve Reid Original CAST128 implementation Dana L. How Original DES implementation, Colin Plumb Original MD5 implementation Peter Gutmann Original SHA1 implementation Andrew Kuchling Original MD2 implementation Free Software Foundation Holds copyrights on code ported from libgcrypt, written by Werner Koch and others. J.H.M. Dassen Original port of blowfish to GNU lsh, later split off into Nettle. (This blowfish implementation was replaced later). Twofish tests. Ruud de Rooij Twofish implementation for GNU lsh, later split off into Nettle. Rafael Sevilla AES C and x86 implementation, original port of Serpent, for GNU lsh, later split off into Nettle. Authors of Nettle (in roughly chronological order of initial contribution) Niels Möller Main author. Dan Egnor Base64 conversion. Andreas Sigfridsson Port of MD2, from Andrew Kuchling's python cryptography toolkit. Marcus Comstedt Implemented MD4. D. J. Bernstein Salsa20 public domain reference implementation. Simon Josefsson Port of Arctwo, from GnuTLS and libgcrypt. New ports of LGPL Serpent and Blowfish code, from libgcrypt. Port of Salsa20, based on djb's reference. Implementation of PBKDF2 (RFC 2898) and drbg-ctr. Henrik Grubbström AES assembly for Sparc64. Magnus Holmgren Conversion of DSA keys from DER format to SEXP format. Daniel Kahn Gillmor Added the lists for nettle_get_ciphers, nettle_get_hashes and nettle_get_armors. Test vectors for hashes and hmac. Nippon Telegraph and Telephone Corporation LGPL:ed reference implementation of the Camellia cipher. Andrew M. (floodyberry) The poly1305 code nettle's C implementation is derived from. Aleksey Kravchenko The gosthash94 implementation in rhash library. Stefan Metzmacher, Jeremy Allison, Michael Adam Contributed to the CMAC code, which was added to Nettle by Nikos Mavroyanopoulos. Nikos Mavroyanopoulos GCM implementation, RSA blinding code, interface for general rsa-pkcs1 signatures. Port of gosthash94 implementation from rhash. Port of poly1305. Salsa20r12 variant. HKDF (RFC 5869) implementation. CMAC and SIV-CMAV implementation. CTR and GCM optimizations. Implementation of versioned symbols. Setup of .gitlab-ci.yml. Large number of smaller fixes. Andres Mejia Ported Ripemd160 from libgcrypt. Martin Storsjö Implemented m4 macrology to make x86_64 assembly files work with the windows ABI. Several other portability improvements. Jeronimo Pellegrini Documentation for base16 and base64 functions. Tim Ruehsen Several smaller cleanups and bugfixes. Fredrik Thulin Test vectors for pbkdf2-hmac-sha512. Joachim Strömbergson Chacha implementation. Support for sha512_224 and sha512_256. Owen Kirby Implementation of CCM mode. Amos Jeffries Implementation of base64url encoding. Daiki Ueno Implementation of RSA-PSS signatures, curve448, SHA3 shake, ed448-shake256 signatures, chacha functions for 32-bit nonce, struct nettle_mac interface, siv-gcm, RSA-OAEP. Dmitry Baryshkov CFB and CFB8 modes, CMAC64. gosthash94cp and Streebog hash functions, GOST DSA signatures and curves GC256B and GC512A. Various bug fixes and cleanups. Simo Sorce Side-channel silent RSA functions. XTS implementation. H.J. Lu Assembly annotations for Intel "Control-flow Enforcement Technology". Stephen R. van den Berg Port of bcrypt. Mamone Tarsha Kurdi Powerpc64 assembly and fat build setup, including AES, GCM and poly1305. Arm64 assembly and fat build setup, including AES, Chacha, GCM, SHA1, SHA256. S390x assembly and fat build setup, including AES, Chacha, memxor, memxor3, SHA1, SHA256, SHA512, SHA3. Nicolas Mora RFC 3394 keywrap, RSA-OAEP. Tianjia Zhang SM3 hash function, SM4 block cipher. Amitay Isaacs Powerpc64 assembly for secp192r1, secp224r1 and secp256r1. Martin Schwenke Powerpc64 assembly for secp384r1, secp521r1, curve25519 and curve448. Zoltan Fridrich Balloon password hashing. Danny Tsen Powerpc64 assembly for combined GCM-AES. Eric Richter Powerpc64 sha256 assembly. nettle-4.0/CONTRIBUTING.md0000644000000000000000000000114115141166424012030 0ustar00# nettle -- Information about our contribution rules # Test suite: New functionality should be accompanied by a test case which verifies its correctness, on successful use of the new functionality, as well as on failure cases. The nettle test suite is run on "make check". # Continuous Integration (CI) We utilize a continuous integration systems, using gitlab-ci. This is run on a repository mirror at: https://gitlab.com/gnutls/nettle # Sending patches Please do not utilize the gitlab web interfaces. They are not being followed on. Please send your patches to nettle-bugs@lists.lysator.liu.se nettle-4.0/COPYING.LESSERv30000644000000000000000000001674415141166424012116 0ustar00 GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below. 0. Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work. 1. Exception to Section 3 of the GNU GPL. You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL. 2. Conveying Modified Versions. If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version: a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following: a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the object code with a copy of the GNU GPL and this license document. 4. Combined Works. You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following: a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the Combined Work with a copy of the GNU GPL and this license document. c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document. d) Do one of the following: 0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source. 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version. e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.) 5. Combined Libraries. You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License. b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library. nettle-4.0/COPYINGv20000644000000000000000000004325415141166424011115 0ustar00 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. nettle-4.0/COPYINGv30000644000000000000000000010451615141166424011115 0ustar00 GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . nettle-4.0/ChangeLog0000644000000000000000000205440515141166424011366 0ustar002026-01-31 Niels Möller From Daiki Ueno: * drbg-ctr-aes256.c (drbg_ctr_aes256_update): Change argument list to take use a struct drbg_ctr_aes256_ctx, and make non-static. Update callers. * drbg-ctr.h (drbg_ctr_aes256_update): Declare it. * nettle.texinfo (Randomness): Update documentation. 2026-01-29 Niels Möller * testsuite/testutils.h (struct tstring): Change traditional data[1] to C99 flexible array member data[]. * testsuite/testutils.c (tstring_alloc): Update allocation accordingly. 2026-01-28 Niels Möller * arm64: Add alignment at each function prologue. * powerpc64/p8/sha256-compress-n.asm: Add consistent alignment. * x86/sha1-compress.asm: Likewise. * x86_64: Likewise, several files. 2026-01-24 Niels Möller Copy files from https://git.savannah.gnu.org/cgit/config.git/plain/ * config.guess: Update to 2025-07-10 version. * config.sub: Update to 2025-07-10 version. 2026-01-22 Niels Möller * ed448-shake256-verify.c (ed448_shake256_verify): By RFC 8032, the final octet of an ed448 signature must always be zero. Add missing check that it indeed is zero. Reported by Oren Yomtov. * testsuite/ed448-test.c (test_wycheproof): New testcase. 2026-01-18 Niels Möller * nettle.texinfo (Hash functions): Update hash intro. (Authenticated encryption): Revise intro. (Randomness): Recommend using operating system randomness facilities. 2026-01-14 Niels Möller * nettle.texinfo (OCB): Update OCB documentation. * ocb.h (struct ocb_ctx): New field tag_length, storing the size passed to ocb_set_nonce. * ocb.c (ocb_set_nonce): Store tag length in context. (ocb_digest): Delete length argument. Size of digest was stored in the context by ocb_set_nonce. Updated all callers. * ocb-aes128.c (ocb_aes128_digest): Deleted length argument. * non-nettle.c (ocb_aes128_t96_digest): Deleted. * nettle.texinfo (CCM): Update CCM documentation. * ccm.h (CCM_MIN_DIGEST_SIZE): New constant. (struct ccm_ctx): New field tag_length, storing the size used for constructing the IV in ccm_set_nonce. * ccm.c (ccm_set_nonce): Check that tag length is according to spec, and store in context. (ccm_digest): Delete length argument. Size of digest was stored in the context by ccm_set_nonce. Updated all callers. * ccm-aes128.c (ccm_aes128_digest): Delete length argument. * ccm-aes192.c (ccm_aes192_digest): Likewise. * ccm-aes256.c: Likewise. * testsuite/ccm-test.c (test_main): Delete test from IEEE 802.15.4-2011, C.2.2, since it uses an invalid zero tag length. 2026-01-08 Niels Möller * ocb.c (update_offset): Deleted function, replaced with... (ocb_mul_xk): New function. (ocb_fill_n): Use ocb_mul_xk both in main loop and for final block. * ocb.h (struct ocb_ctx): Change types of data_count and message_count to uint32_t and uint64_t, respectively, from size_t. Makes the implementation limits on the size of associated data and cleartext be platform independent. 2026-01-02 Niels Möller * sexp.c (sexp_iterator_exit_list): Rewrite to not recurse via sexp_iterator_next. 2025-12-17 Niels Möller * sexp.c (sexp_iterator_simple): Fix off-by-one error in length check. Reported via oss-fuzz. 2025-12-15 Niels Möller * base16-decode.c (base16_decode_update): Fix returned value on failure, should be 0. Previous change accidentally returned -1 instead. * base64-decode.c (base64_decode_update): Analogous fix. This regression was reported by Robert Augusteijn. 2025-12-02 Niels Möller Copy getopt files from current gnulib, using gnulib-tool.sh --copy-file. * lib/getopt_int.h: New file (replacing old getopt_int.h). * lib/getopt-ext.h: New file. * lib/getopt-core.h: New File. * lib/getopt.c: New file. Only change from gnulib is to wrap the gettext.h usage inside an #ifndef _. * lib/getopt1.c: New file. * getopt.h: Rewritten as a wrapper for lib/getopt-core.h and lib/getopt-ext.h. * getopt.c: Rewritten as a wrapper for lib/getopt.c, including an ELIDE_CODE check. * getopt1.c: Analogous wrapper for lib/getopt1.c. * Makefile.in (PRE_CPPFLAGS): Add -I$(srcdir), needed for #include from files in lib/. (gnulib_FILES): New variable. (DISTFILES): Drop getopt_int.h, moved to lib/. (distdir): Populate lib/ directory with $(gnulib_FILES). 2025-11-05 Niels Möller * testsuite/slh-dsa-test.c (read_hex_file): Simplify, using base16_decode_update. 2025-10-30 Niels Möller * base16-decode.c (base16_decode_single): Rewrite as a call to base16_decode_update. (base16_decode_update): Make *dst_length an input argument, should hold size of dst buffer. Fail if decoding would exceed this size. Update all callers. * base64-decode.c (base64_decode_single, base64_decode_update): Analogous changes. 2025-10-29 Niels Möller * base64-encode.c (base64_encode_group): Delete unused and undocumented function. 2025-10-16 Niels Möller Delete the undocumented nettle_armor abstraction. * nettle-types.h (nettle_armor_length_func) (nettle_armor_init_func, nettle_armor_encode_update_func) (nettle_armor_encode_final_func, nettle_armor_decode_update_func) (nettle_armor_decode_final_func): Deleted typedefs. * nettle-meta.h (struct nettle_armor): Deleted struct. (_NETTLE_ARMOR, _NETTLE_ARMOR_0): Deleted macros. (nettle_get_armors, nettle_armors, nettle_base64) (nettle_base64url, nettle_base16): Deleted declarations. * base16-meta.c: Deleted file. * base64-meta.c: Deleted file. * base64url-meta.c: Deleted file. * nettle-meta-armors.c: Deleted file. * Makefile.in (nettle_SOURCES): Drop deleted files. * testsuite/base16-test.c (test_base16): New more concrete test function. (test_main): Updated to use test_base16 rather than test_armor. * testsuite/base64-test.c (test_base64): New more concretetest function, parameterized only by init functions to use. (test_main): Updated to use test_base64 rather than test_armor. * testsuite/testutils.c (test_armor): Deleted function. * testsuite/meta-armor-test.c: Deleted file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Drop meta-armor-test.c. 2025-10-13 Niels Möller * tools/input.h (struct sexp_input): Replace use of struct nette_armor, replaced with... (struct input_coding): New simpler struct. * tools/input.c (sexp_input_start_base64) (sexp_input_start_base16): New functions, replacing... (sexp_input_start_coding, sexp_input_end_coding): Deleted functions. * tools/output.h (struct sexp_output): Replace use of struct nettle_armor, instead use just a put_char function pointer. * tools/output.c (sexp_put_base16_start, sexp_put_base16_end) (sexp_put_base64_start, sexp_put_base64_end): New functions, replacing... (sexp_put_code_start, sexp_put_code_end): Deleted functions. 2025-10-08 Niels Möller * tools/sexp-conv.c (list_hashes): New function. (parse_options): Make --hash option use nettle_lookup_hash, and change default to sha256. New option --list-hashes. Delete obsolete option --raw-hash. 2025-10-03 Niels Möller * tools/output.c (sexp_output_init): Add hash argument, allocate context if non-null. (sexp_output_hash_init): Deleted function. * tools/sexp-conv.c (main): Update call to sexp_output_init. Free context before exiting. 2025-10-02 Niels Möller * tools/sexp-conv-test: Improve tests, including --hash feature. (test_hash): New function. 2025-09-27 Niels Möller * nettle.texinfo (SLH-DSA): Document SLH-DSA. 2025-09-24 Niels Möller * configure.ac (CFLAGS): When using mini-gmp, define MINI_GMP_ENABLE_FLOAT=0. * mini-gmp.c, mini-gmp.h: Update from the GMP repository. 2025-09-18 Niels Möller * nettle.texinfo (Using Nettle): Group the sections Example, Conventions, Linking, and Compatibility into a new chapter. * configure.ac: Delete unusual configure options --with-lib-path and --with-lib-path. (libdir): Delete logic to set the default libdir depending on ABI. * aclocal.m4 (LSH_PATH_ADD, LSH_RPATH_ADD, LSH_RPATH_INIT) (LSH_RPATH_FIX): Deleted now unused macros. 2025-09-15 Niels Möller * slh-dsa-sha2-128f.c (slh_dsa_sha2_128f_root) (slh_dsa_sha2_128f_generate_keypair, slh_dsa_sha2_128f_sign) (slh_dsa_sha2_128f_verify): New file, new functions. * Makefile.in (nettle_SOURCES): Add slh-dsa-sha2-128f.c. * testsuite/slh-dsa-test.c (test_main): Add tests for slh-dsa-sha2-128f. * examples/hogweed-benchmark.c (alg_list): Add benchmarking of slh-dsa-sha2-128f. 2025-09-14 Niels Möller * slh-sha256.c: New file. (_slh_hash_sha256): New slh_hash struct, and corresponding functions. * slh-dsa-sha2-128s.c (slh_dsa_sha2_128s_root) (slh_dsa_sha2_128s_generate_keypair, slh_dsa_sha2_128s_sign) (slh_dsa_sha2_128s_verify): New file, new functions. * Makefile.in (nettle_SOURCES): Add slh-sha256.c and slh-dsa-sha2-128s.c. * testsuite/slh-dsa-test.c (test_main): Add tests for slh_dsa_sha2_128s. * examples/hogweed-benchmark.c (bench_slh_dsa_init_sha2_s): New function. (alg_list): Add benchmarking of slh-dsa-sha2-128s. 2025-09-12 Niels Möller * slh-dsa-internal.h (slh_hash_randomizer_func) (slh_hash_msg_digest_func, slh_hash_init_tree_func) (slh_hash_init_hash_func, slh_hash_secret_func) (slh_hash_node_func): New typedefs, for slh-related hash operations. (struct slh_hash): New struct. (struct slh_merkle_ctx_public): Add slh_hash pointer, and use const void * for context. (struct slh_merkle_ctx_secret): Add scratch_ctx, needed by xmss_leaf. * slh-shake.c (slh_shake_init_tree): Renamed and made static. (_slh_shake_init): ... old name. (slh_shake_secret): Renamed and made static. (_slh_shake): ...old name. (slh_shake_init_hash, slh_shake_node) (slh_shake_digest, slh_shake_randomizer) (slh_shake_msg_digest): New functions. ( _slh_hash_shake): New slh_hash struct. * slh-fors.c: Update for new hash abstraction. * slh-wots.c: Likewise. * slh-xmss.c: Likewise. * slh-dsa.c (_slh_dsa_pure_digest, _slh_dsa_pure_rdigest): New functions. (_slh_dsa_sign): Add slh_hash argument, and contexts allocated by caller. (_slh_dsa_verify): Likewise. * slh-dsa-shake-128f.c (slh_dsa_shake_128f_root): Allocate sha3 contexts, use _slh_hash_shake. (slh_dsa_shake_128f_sign): Allocate sha3 contexts, call _slh_dsa_pure_rdigest. (slh_dsa_shake_128f_verify): Allocate sha3 contexts, call _slh_dsa_pure_digest. * slh-dsa-shake-128s.c: Analogous changes. 2025-09-09 Niels Möller * slh-dsa-internal.h (slh_parse_digest_func): New typedef. (struct slh_dsa_params): New function pointer parse_digest. * slh-dsa.c (_slh_dsa_sign): Delete tree_idx and leaf_idx arguments. Instead, call params->parse_digest to get them from the digest. Introduce c99 mid-block declarations, for convenience. (_slh_dsa_verify): Likewise. * slh-dsa-128s.c: New file. (_slh_dsa_128s_params): Params struct moved here. (parse_digest): Corresponding function to extract tree and leaf indices from digest. * slh-dsa-shake-128s.c (_slh_dsa_128s_params, parse_digest): ... old location. * slh-dsa-128f.c: New file. (_slh_dsa_128f_params): Params struct moved here. (parse_digest): Corresponding function to extract tree and leaf indices from digest. * slh-dsa-shake-128f.c (_slh_dsa_128f_params, parse_digest): ... old location. * Makefile.in (nettle_SOURCES): Add slh-dsa-128s.c slh-dsa-128f.c. 2025-09-08 Niels Möller * slh-dsa-shake-128s.c (_slh_dsa_128s_params): Renamed, from... (_slh_dsa_shake_128s_params): ... old name. * slh-dsa-shake-128f.c (_slh_dsa_128f_params): Renamed, from... (_slh_dsa_shake_128f_params): ... old name. 2025-09-05 Niels Möller * slh-dsa.h (SLH_DSA_128_SEED_SIZE, SLH_DSA_128_KEY_SIZE) (SLH_DSA_128S_SIGNATURE_SIZE, SLH_DSA_128F_SIGNATURE_SIZE): Renamed and updated all uses, from... (SLH_DSA_SHAKE_128_SEED_SIZE, SLH_DSA_SHAKE_128_KEY_SIZE) (SLH_DSA_SHAKE_128S_SIGNATURE_SIZE) (SLH_DSA_SHAKE_128F_SIGNATURE_SIZE): ... old names. 2025-07-07 Niels Möller * ecc-secp384r1.c (ecc_secp384r1_modp) [GMP_NUMB_BITS == 32]: Analogous change to use assert_maybe. Report and patch by Taketo Kabe. 2025-07-06 Niels Möller * ecc-secp192r1.c (ecc_secp192r1_modp) [GMP_NUMB_BITS == 32]: Use assert_maybe. This version of the function was overlooked in the 2023-11-14 change. 2025-07-03 Niels Möller * testsuite/slh-dsa-test.c (test_main): Additional test cases, from https://github.com/usnistgov/ACVP-Server. 2025-07-01 Niels Möller * slh-dsa-shake-128f.c (slh_dsa_shake_128f_root) (slh_dsa_shake_128f_generate_keypair, slh_dsa_shake_128f_sign) (slh_dsa_shake_128f_verify): New functions. * slh-dsa.h: Declare new functions. (SLH_DSA_SHAKE_128F_SIGNATURE_SIZE): New constant. * Makefile.in (nettle_SOURCES): Add slh-dsa-shake-128f.c. * testsuite/slh-dsa-test.c (test_main): Add test for slh-dsa-shake-128f. * testsuite/slh-dsa-shake-128f.ref: New Reference signature. * testsuite/Makefile.in (DISTFILES): Add slh-dsa-shake-128f.ref. * examples/hogweed-benchmark.c (bench_slh_dsa_sign): New function. (alg_list): Add benchmarking of slh-dsa-shake128f. 2025-06-30 Niels Möller Implement slh-dsa-shake128s. * slh-dsa.h: New public header file. * slh-dsa-shake-128s.c (slh_dsa_shake_128s_root) (slh_dsa_shake_128s_generate_keypair, slh_dsa_shake_128s_sign) (slh_dsa_shake_128s_verify): New file, new public functions. (parse_digest): New internal function. * slh-dsa-internal.h: New header file with internal declarations. (slh_addr_type): New enum. (slh_address_hash, slh_merkle_ctx_public, slh_merkle_ctx_secret) (slh_xmss_params, slh_fors_params, slh_dsa_params): New structs. (merkle_leaf_hash_func, merkle_node_hash_func): New typedefs. * slh-dsa.c (_slh_dsa_randomizer, _slh_dsa_digest) (_slh_dsa_sign, _slh_dsa_verify): New file, new functions. * slh-fors.c (_fors_gen, fors_leaf, fors_node, fors_sign_one) (_fors_sign, fors_verify_one, _fors_verify): New file, new functions. * slh-merkle.c (_merkle_root, _merkle_sign, _merkle_verify): New file, new functions. * slh-shake.c (_slh_shake_init, _slh_shake): New file, new functions. * slh-wots.c (wots_chain, wots_pk_init, _wots_gen) (wots_sign_one, _wots_sign, wots_verify_one, _wots_verify): New file, new functions. * slh-xmss.c (xmss_leaf, xmss_node, _xmss_gen, _xmss_sign) (_xmss_verify): New file, new functions. * Makefile.in (nettle_SOURCES): Add slh-fors.c, slh-merkle.c, slh-shake.c, slh-wots.c, slh-xmss.c, slh-dsa.c, and slh-dsa-shake-128s.c. (HEADERS): Add slh-dsa.h. (DISTFILES): Add slh-dsa-internal.h. * testsuite/slh-dsa-test.c: New tests. * testsuite/slh-dsa-shake-128s.ref: Reference signature. * testsuite/sc-slh-dsa-test: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add slh-dsa-test.c. (TS_SC_NETTLE): Add sc-slh-dsa-test. (DISTFILES): Add slh-dsa-shake-128s.ref. * examples/hogweed-benchmark.c: Add benchmarking of slh-dsa-shake128s. (bench_alg): Change unit to sign/s and verify/s. 2025-06-27 Niels Möller * testsuite/testutils.c (open_srcdir_file): New function. * testsuite/yarrow-test.c (open_file): Deleted function. (test_main): Use open_srcdir_file instead. 2025-06-26 Niels Möller Cherry-picked from branch nettle-3.10-fixes: * config.guess: Update to 2024-07-27 version. * config.sub: Update to 2024-05-27 version. Minimal patch for compilers that require prototypes, e.g., gcc-15. * getopt.c (getenv): Delete non-prototype declaration. * getopt.h (getopt): Declare getopt with a prototype, also for non-glibc systems. 2025-06-24 Niels Möller * sha-example.c (main): Update to use sha256 rather than sha1, and new use sha256_digest interface. 2025-06-23 Niels Möller * blowfish-bcrypt.c (ibcrypt): Simplify salt logic, eliminating a compiler warning. 2025-06-22 Niels Möller Delete the old "generic" HMAC API. * hmac.h (HMAC_CTX, HMAC_SET_KEY, HMAC_DIGEST): Deleted macros. * hmac.c (hmac_set_key, hmac_update, hmac_digest): Deleted file and functions. * nettle.texinfo (HMAC): Delete corresponding documentation. Refactor HMAC. Reduces the size of HMAC contexts, sha256 reduced from 336 bytes to 192, sha512 from 648 to 376, and sha1 from 312 to 168. * hmac.h (_NETTLE_HMAC_CTX): New macro. The outer and inner members no longer include any block buffers. Change all the hmac_*_ctx structs to use the new definition. * hmac-internal.h (_NETTLE_HMAC_DIGEST, _NETTLE_HMAC_DIGEST_U): New file, new macros. Update all hmac_*_digest functions to use one of these macros. * hmac-internal.c (_nettle_hmac_set_key): New file, new function, using the new style of context struct. Update all hmac_*_set_key functions. * Makefile.in (nettle_SOURCES): Add hmac-internal.c. (DISTFILES): Add hmac-internal.h. 2025-06-22 Niels Möller * testsuite/testutils.c (test_mac): Print name of mac algorithm on failure. * gosthash94.c (gosthash94_init): Trim memset call, no need to clear block buffer. * md2.c (md2_init): Likewise. * nettle-types.h (_NETTLE_ALIGN16): New macro, to require 16-byte alignment. Enabled only on platforms where uint64_t needs 8-byte alignment. Intended to improve performance for SIMD load and store, which on some platforms may be faster with proper alignment. Depends on stdalign.h, defined in C11. (union nettle_block16): Use _NETTLE_ALIGN16. * ctr16.c (_nettle_ctr_crypt16): Update alignedness check to use alignof(union nettle_block16). * aes.h (struct aes128_ctx): Use _NETTLE_ALIGN16 for the array of subkeys. (struct aes192_ctx): Likewise. (struct aes256_ctx): Likewise. * umac.h (_UMAC_STATE): Use _NETTLE_ALIGN16 for the l1_key array. 2025-06-02 Niels Möller * ctr.c (ctr_fill16) [!WORDS_BIGENDIAN]: Use nettle_bswap64. (ctr_crypt): For block size 16, always use _nettle_ctr_crypt16. 2025-05-13 Niels Möller Reduce size of sha3 context size to 216 bytes. * sha3.h (struct sha3_ctx): New struct, replacing all sha3_*_ctx. (struct sha3_128_ctx, struct sha3_224_ctx, struct sha3_256_ctx, struct sha3_384_ctx) (struct sha3_512_ctx): Redefined as aliases to sha3_ctx. * sha3-internal.h (_NETTLE_SHA3_HASH): New macro. * sha3.c (sha3_xor_block, sha3_absorb): Deleted functions. (sha3_init): New function, replacing all sha3_*_init. (_nettle_sha3_update): Updated to take a struct sha3_ctx * argument, updated all callers. (_nettle_sha3_update) [WORDS_BIGENDIAN]: Use only a single 64-bit word, 8 bytes, for input buffer. (_nettle_sha3_update) [!WORDS_BIGENDIAN]: No buffering, xor input into state directly. (_nettle_sha3_pad): Updated to take a struct sha3_ctx * argument, updated all callers. (_nettle_sha3_digest): New function. * sha3-shake.c (_nettle_sha3_shake_output): Updated to take a struct sha3_ctx * argument, updated all callers. (_nettle_sha3_shake_output) [WORDS_BIGENDIAN]: Use only a single 64-bit word, 8 bytes, for buffering partial output. (_nettle_sha3_shake_output) [!WORDS_BIGENDIAN]: No buffering, copy output directly from state. * shake128.c (sha3_128_init): Deleted (redefined as alias for sha3_init in sha3.h). * sha3-224.c (sha3_224_init): Likewise. * sha3-256.c (sha3_256_init): Likewise. * sha3-384.c (sha3_384_init): Likewise. * sha3-512.c (sha3_512_init): Likewise. * nettle-internal.h (NETTLE_MAX_HASH_CONTEXT_SIZE): Lower, streebog512_ctx is now the largest hash context struct. 2025-04-28 Niels Möller * bignum-random-prime.c (miller_rabin_pocklington): Adopt mp_bitcnt_t type. * ecc-mod-inv.c (ecc_mod_inv): Likewise. * ecc-mul-a-eh.c (ecc_mul_a_eh): Likewise. * ecc-mul-a.c (ecc_mul_a): Likewise. * ecc-mul-g-eh.c (ecc_mul_g_eh): Likewise. * ecc-mul-g.c (ecc_mul_g): Likewise. * eccdata.c (ecc_mul_binary): Likewise. * sha.h: Deleted file. * nettle.texinfo: Delete all mention of sha.h. * Makefile.in (HEADERS): Delete sha.h. * ghosthash94.h, md*.h, ripemd160.h, sha*.h, umac.h: Delete all _DATA_SIZE constant, they were backwards compatibility aliases for _BLOCK_SIZE, from 2014 renaming. * salsa20.h (salsa20_set_iv, SALSA20_IV_SIZE): Delete backwards compatibility aliases. * testsuite/salsa20-test.c: Update to consistently use "nonce" names. * yarrow.h (yarrow256_force_reseed): Deleted backwards compatibility alias. 2025-04-27 Niels Möller * powerpc64/p8/sha256-compress-n.asm: Use 64-bit unsigned compare for blocks == 0 check, cmpldi instruction. 2025-04-09 Niels Möller * testsuite/testutils.c (test_cipher): Test encrypt and decrypt methods with varying data alignment. 2025-04-08 Niels Möller * twofish.c (twofish_encrypt, twofish_decrypt): Avoid copying via a uint32_t words[4] array. Speedup of 15% benchmarked on an x86_64 laptop (AMD Ryzen 5). 2025-04-02 Niels Möller Cherry-picked from branch nettle-3.10-fixes: * configure.ac: For ppc64, check if __VSX__ is defined, and disable use of assembly if it isn't. * .gitlab-ci.yml: Fix native/fat to actually run make check-fat-override. Add an EXTRA_CHECK_TARGET variable also for the .cross-build template, use it for check-fat-override where applicable, and add check-fat-emulate to the powerpc64 builds. * Makefile.in (check-fat-override): Renamed target, from... (check-fat): ... old name. (check-fat-emulate): New target, similar to above, but varies the -cpu flag passed to the emulator, instead of using NETTLE_FAT_OVERRIDE. * configure.ac (FAT_OVERRIDE_LIST): Renamed variable, from... (FAT_TEST_LIST): ... old name. (FAT_EMULATE_LIST): New substituted variable. Set to "power8 power9" for fat ppc64 builds. 2025-03-24 Niels Möller * gcm.h (GCM_TABLE_BITS): Delete constant. (struct gcm_key): Halve the allocation size for precomputed values, to 2048 bytes, or 128 16-byte blocks. 2025-03-18 Niels Möller Delete the output size argument from almost all digest functions. * chacha-poly1305.h (chacha_poly1305_digest): Delete length argument. * cmac.h (cmac128_digest, cmac64_digest) (CMAC128_DIGEST, cmac_aes128_digest, cmac_aes256_digest) (cmac_des3_digest, CMAC64_DIGEST): Likewise. * eax.h (eax_digest, eax_aes128_digest, EAX_DIGEST): Likewise. * gcm.h (gcm_digest, gcm_aes128_digest, gcm_aes192_digest) (gcm_aes256_digest, gcm_camellia128_digest) (gcm_camellia256_digest, gcm_sm4_digest, GCM_DIGEST): Likewise. * gosthash94.h (gosthash94_digest, gosthash94cp_digest): Likewise. * hkdf.h (hkdf_extract): Likewise. * hmac.h (hmac_digest, hmac_md5_digest, hmac_ripemd160_digest) (hmac_sha1_digest, hmac_sha256_digest, hmac_sha224_digest) (hmac_sha512_digest, hmac_sha384_digest, hmac_gosthash94_digest) (hmac_gosthash94cp_digest, hmac_streebog512_digest) (hmac_streebog256_digest, hmac_sm3_digest, HMAC_DIGEST): Likewise. * md2.h (md2_digest): Likewise. * md4.h (md4_digest): Likewise. * md5.h (md5_digest): Likewise. * poly1305.h (poly1305_aes_digest): Likewise. * ripemd160.h (ripemd160_digest): Likewise. * sha1.h (sha1_digest): Likewise. * sha2.h (sha256_digest, sha224_digest, sha512_digest) (sha384_digest, sha512_224_digest, sha512_256_digest): Likewise. * sha3.h (sha3_224_digest, sha3_256_digest, sha3_384_digest) (sha3_512_digest): Likewise. * sm3.h (sm3_digest): Likewise. * streebog.h (streebog512_digest, streebog256_digest): Likewise * umac.h (umac32_digest, umac64_digest, umac96_digest) (umac128_digest): Likewise. * nettle-types.h (nettle_output_func): New typedef, same signature as nettle_random_func. (nettle_random_func): Redefine as alias to nettle_output_func. (nettle_hash_digest_func): Delete length argument. 2025-03-10 Niels Möller Delete the old deprecated DSA functions declared in dsa-compat.h. * dsa-compat-keygen.c: Deleted. * dsa-compat.c: Deleted. * dsa-compat.h: Deleted. * dsa-sha1-sign.c: Deleted. * dsa-sha1-verify.c: Deleted. * dsa-sha256-sign.c: Deleted. * dsa-sha256-verify.c: Deleted. * Makefile.in (hogweed_SOURCES): Delete source files. (HEADERS): Delete dsa-compat.h. * nettle.texinfo (DSA): Delete documentation of the deprecated DSA API. * testsuite/testutils.c (test_dsa160, test_dsa256): Update to not depend on deprecated functions. * testsuite/dsa-test.c (test_main): Likewise. * testsuite/dsa-keygen-test.c (test_main): Likewise. 2025-03-09 Niels Möller * ccm-aes128.c (ccm_aes128_encrypt_message) (ccm_aes128_decrypt_message): Change type of ctx argument to const struct aes128_ctx *. * ccm-aes192.c (ccm_aes192_encrypt_message) (ccm_aes192_decrypt_message): Change type of ctx argument to const struct aes192_ctx *. * ccm-aes256.c (ccm_aes256_encrypt_message) (ccm_aes256_decrypt_message): Change type of ctx argument to const struct aes256_ctx *. * testsuite/ccm-test.c (test_cipher_ccm): Add tests for ccm_aes*_message functions, * nettle.texinfo (CCM): Update documentation. 2025-03-06 Niels Möller * nettle-types.h (union nettle_block16): Delete deprecated unsigned long member of this union. * rsa-blind.c (_rsa_blind, _rsa_unblind): Delete file, delete obsolete functions (current RSA blinding functions are not exported). 2025-03-05 Niels Möller Delete old AES interface. * aes.h (struct aes_ctx): Deleted. (AES_MIN_KEY_SIZE, AES_MAX_KEY_SIZE): Deleted constants. * gcm.h (struct gcm_aes_ctx): Deleted. * aes-encrypt.c: Deleted file. * aes-decrypt.c: Deleted file. * aes-set-encrypt-key.c: Deleted file. * aes-set-decrypt-key.c: Deleted file. * gcm-aes.c: Deleted file. * Makefile.in (nettle_SOURCES): Drop above files. * nettle.texinfo: Delete corresponding documentation. * testsuite/aes-test.c (test_invert): Generalize to take a struct nettle_cipher and an invert function. (test_cipher2): Deleted function. (test_main): Delete tests of old AES interface. * testsuite/gcm-test.c (test_main): Delete tests of struct gcm_aes_ctx functions. Delete incomplete and old openpgp support. * pgp-encode.c: Deleted file. * pgp.h: Deleted file. * rsa2openpgp.c: Deleted file. * rsa.h (rsa_keypair_to_openpgp): Delete declaration. * Makefile.in (hogweed_SOURCES): Delete pgp-encode.c and rsa2openpgp.c. (HEADERS): Delete pgp.h. * md5-compat.c (MD5Init, MD5Update, MD5Final): Delete file and functions. Also delete corresponding header file, tests, and documentation. * configure.ac: Bump version numbers, to prepare for changes that break API or ABI. Bump package version to 4.0. (LIBNETTLE_MAJOR, LIBNETTLE_MINOR): Bump, to 9.0. (LIBHOGWEED_MAJOR, LIBHOGWEED_MINOR): Bump, to 7.0. 2025-03-02 Niels Möller * powerpc64/p8/gcm-aes-decrypt.asm: Avoid using lxvb16x instruction in powerpc64/p8 files. Reported by Sean McGovern. * powerpc64/p8/gcm-aes-encrypt.asm: Likewise. 2025-02-09 Niels Möller * powerpc64/p8/gcm-aes-decrypt.asm: Use stxvd2x/lxvd2x rather than stxv/lxv for save and restore of vector registers, since the latter instructions are not available on Power8 (ISA v2.07). * powerpc64/p8/gcm-aes-encrypt.asm: Likewise. 2024-12-30 Niels Möller * Released Nettle-3.10.1. 2024-12-28 Niels Möller * testsuite/testutils.c (mark_bytes_undefined) (mark_bytes_defined) [!HAVE_VALGRIND_MEMCHECK_H]: Add UNUSED attribute on dummy version of these functions. 2024-12-14 Niels Möller * configure.ac: Bump package version, to 3.10.1. (LIBNETTLE_MINOR): Bump minor number, to 8.10. (LIBHOGWEED_MINOR): Bump minor number, to 6.10. 2024-12-13 Niels Möller * aclocal.m4 (NETTLE_PROG_VALGRIND): Check if executable appears to include lsan, asan or msan symbols, and if so, don't attempt to run valgrind. 2024-10-16 Niels Möller * run-tests: Cleanup, guided by shellcheck warnings. Use $() rather than `` and $(()) rather than expr. 2024-09-08 Niels Möller From Brad Smith: Support elf_aux_info (OpenBSD and FreeBSD). * configure.ac: Check for elf_aux_info. * fat-arm64.c (get_arm64_features): Use elf_aux_info if available. * fat-ppc.c (get_ppc_features): Likewise. 2024-06-23 Niels Möller * testsuite/testutils.h (struct nettle_xof): New struct type. * testsuite/testutils.c (test_hash): Delete support for tests with arbitrary digest size, reverting part of 2019-12-25 change. (test_xof): New function, test both digest and output functions. * testsuite/shake128-test.c (test_main): Change from using test_hash to test_xof. * testsuite/shake256-test.c (test_incremental): Deleted function, superseded by test_xof. (test_main): Change from using test_hash to test_xof, delete use of test_incremental. 2024-06-16 Niels Möller * testsuite/testutils.c (test_mac): Add set_key function argument, to support tests with key size != mac->key_size. * testsuite/cmac-test.c: Update test_mac usage. * testsuite/hmac-test.c (HMAC_TEST): Deleted macro, replace with test_mac, passing set_key function when needed. (test_main): Add more test vectors from RFC 4868, previously draft-kelly-ipsec-ciph-sha2. * hmac-gosthash94-meta.c: New file. * nettle-meta.h (nettle_hmac_gosthash94) (nettle_hmac_gosthash94cp): Declare. * nettle-meta-macs.c (_nettle_macs): Add nettle_hmac_gosthash94 and nettle_hmac_gosthash94cp. * Makefile.in (nettle_SOURCES): Add hmac-gosthash94-meta.c. * testsuite/meta-mac-test.c: Update test. * Released Nettle-3.10. * examples/rsa-encrypt-test: Consistently add $EXEEXT to executable names. * examples/rsa-sign-test: Likewise. * examples/rsa-verify-test: Likewise. * examples/setup-env: Likewise. * tools/nettle-pbkdf2-test: Likewise. * tools/pkcs1-conv-test: Likewise * tools/sexp-conv-test: Likewise. * configure.ac: When cross-compiling targetting windows, always use "wine" as EMULATOR; using "wine64" for 64-bit windows seems no longer needed. 2024-06-15 Niels Möller * testsuite/Makefile.in (TS_SC_NETTLE): New variable. (DISTFILES): Unconditionally include side-channel tests, fix accidental dependence on IF_VALGRIND. 2024-06-11 Niels Möller * fat-arm64.c: Enable use of getauxval on android, for __ANDROID_API__ >= 18. 2024-06-10 Niels Möller From Eric Richter: * powerpc64/p8/sha256-compress-n.asm: New file. * powerpc64/fat/sha256-compress-n-2.asm: New file. * fat-ppc.c: Add fat setup for _nettle_sha256_compress_n. 2024-06-09 Niels Möller * ecc-internal.h (assert_maybe) [!WITH_EXTRA_ASSERTS]: Cast to void, to avoid warnings. 2024-06-05 Niels Möller * config.guess: Update to 2024-01-01 version. * config.sub: Update to 2024-01-01 version. 2024-06-02 Niels Möller * configure.ac: Bump package version, to 3.10. (LIBNETTLE_MINOR): Bump minor number, to 8.9. (LIBHOGWEED_MINOR): Bump minor number, to 6.9. 2024-06-01 Niels Möller * eddsa-hash.c (_eddsa_hash): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE. * ecc-hash.c (ecc_hash, gost_hash): Deleted file, moved functions to... * dsa-hash.c (_nettle_dsa_hash): Change to use mpn interface instead of mpz, replacing ecc_hash. (_nettle_gostdsa_hash): Moved here, renamed from gost_hash. * dsa-internal.h (_nettle_dsa_hash): Update declaration. (_nettle_gostdsa_hash): Moved declaration here. * ecc-internal.h (ecc_hash, gost_hash): Delete old declarations. * gmp-glue.h (NETTLE_BIT_SIZE_TO_LIMB_SIZE): New macro. * dsa-sign.c (dsa_sign): Adapt to _nettle_dsa_hash change. * dsa-verify.c (dsa_verify): Likewise. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use _nettle_dsa_hash. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. * ecc-gostdsa-sign.c (ecc_gostdsa_sign): Use _nettle_gostdsa_hash. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise. * Makefile.in (hogweed_SOURCES): Delete ecc-hash.c 2024-05-15 Niels Möller * powerpc64/p8/gcm-aes-encrypt.asm: Reduce register usage. * powerpc64/p8/gcm-aes-decrypt.asm: Analogous changes. 2024-04-14 Niels Möller From Danny Tsen: Combined gcm-aes implementation for powerpc64. * configure.ac: Define HAVE_NATIVE_gcm_aes_encrypt and HAVE_NATIVE_gcm_aes_decrypt. (asm_nettle_optional_list): Add gcm-aes-encrypt.asm, gcm-aes-encrypt-2.asm, gcm-aes-decrypt.asm, and gcm-aes-decrypt-2.asm. * gcm-internal.h (_gcm_aes_encrypt, _gcm_aes_decrypt): Declare internal functions, and define as dummy macros when not supported. * gcm-aes128.c (gcm_aes128_encrypt): Use _gcm_aes_encrypt. (gcm_aes128_decrypt): Use _gcm_aes_encrypt. * gcm-aes192.c (gcm_aes192_encrypt, gcm_aes128_decrypt): Likewise. * gcm-aes256.c (gcm_aes256_encrypt, gcm_aes256_decrypt): Likewise. * Makefile.in (DISTFILES): Add gcm-internal.h. * powerpc64/machine.m4 (GF_MUL): New macro. * powerpc64/fat/gcm-aes-decrypt-2.asm: New file. * powerpc64/fat/gcm-aes-encrypt-2.asm: New file. * powerpc64/p8/gcm-aes-decrypt.asm: New file. * powerpc64/p8/gcm-aes-encrypt.asm: New file. * fat-setup.h (gcm_aes_crypt_func): New typedef. * fat-ppc.c: Fat setup for gcm_aes_encrypt and gcm_aes_decrypt. (gcm_aes_crypt_c): New nop implementation. 2024-03-29 Niels Möller * bswap-internal.h (nettle_bswap32_n): New inline function. (bswap32_n_if_le): New macro, to reduce code duplication. * blowfish-bcrypt.c (bswap32_if_le_n): Deleted, usage replaced with shared bswap32_n_if_le. * umac-set-key.c (bswap32_if_le_n): Likewise. 2024-03-28 Niels Möller * sha512-224-meta.c (nettle_sha512_224): Change name to "sha512_224", with underscore rather than dash. * sha512-256-meta.c (nettle_sha512_256): Analogous change. * nettle-meta-hashes.c (_nettle_hashes): Add nettle_sha512_224 and nettle_sha512_256. * testsuite/meta-hash-test.c: Update test. 2024-03-24 Niels Möller * testsuite/gcm-test.c (test_main): Add a test case that triggers 32-bit counter wraparound for gcm_aes256, and a larger 719 byte message. 2024-03-28 Niels Möller From Daiki Ueno: * shake128.c (sha3_128_init, sha3_128_update, sha3_128_shake) (sha3_128_shake_output): New file, new functions. * testsuite/shake128-test.c: New testcases. * Makefile.in (nettle_SOURCES): Add shake128.c. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake128-test.c. 2024-03-24 Niels Möller * sha3-shake.c (_nettle_sha3_shake, _nettle_sha3_shake_output): New file, new functions. Generalizations of sha3_256_shake and sha3_256_shake_output, respectively. (_nettle_sha3_shake_output): Use one's complement of index, instead of just setting high bit. * shake256.c (sha3_256_shake, sha3_256_shake_output): Implement in terms of calls to the new functions. * Makefile.in (nettle_SOURCES): Add sha3-shake.c. * sha3.c (_nettle_sha3_update): Use MD_FILL_OR_RETURN_INDEX. (sha3_xor_block): New function, taken out from sha3_absorb. (_nettle_sha3_pad): Call sha3_xor_block, not sha3_absorb. * sha3-internal.h (_sha3_pad_shake): By above change, no longer implies sha3_permute. (_sha3_pad_hash): Update, to still include a call to sha3_permute. * shake256.c (sha3_256_shake, sha3_256_shake_output): Update to call sha3_permute before generating output. 2024-03-20 Niels Möller * testsuite/gcm-test.c (test_main): Add a test case that triggers 32-bit counter wraparound for gcm_aes128. 2024-03-10 Niels Möller From Daiki Ueno: * shake256.c (sha3_256_shake_output): New function, incremental shake256 output. * testsuite/shake256-test.c (test_incremental): New function, for testing sha3_256_shake_output. (test_main): Use it. 2024-03-10 Niels Möller * poly1305-update.c (_nettle_poly1305_update): Explicitly check for empty input and return. * testsuite/testutils.c (test_aead): Test with associated split data into two pieces in different ways, respecting block boundaries. Also add a call to update(ctx, 0, NULL) in the middle, and encrypt and decrypt calls with empty input. 2024-03-08 Niels Möller Fix ubsan issues for empty hash updates. * macros.h (MD_UPDATE): Check upfront if length is zero. Avoids calling memcpy(dst, NULL, 0), which is undefined behavior. * sha256.c (sha256_update): Likewise. * sha3.c (_nettle_sha3_update): Likewise. * testsuite/testutils.c (test_hash): Test with message split into two pieces in different ways, and also add an call to update(ctx, 0, NULL) in the middle. 2024-02-16 Niels Möller RSA-OAEP support contributed by Nicolas Mora and Daiki Ueno: * rsa-oaep-encrypt.c (_rsa_oaep_encrypt) (rsa_oaep_sha256_encrypt, rsa_oaep_sha384_encrypt) (rsa_oaep_sha512_encrypt): New file, new functions. * rsa-oaep-decrypt.c (_rsa_oaep_decrypt) (rsa_oaep_sha256_decrypt, rsa_oaep_sha384_decrypt) (rsa_oaep_sha512_decrypt): New file, new functions. * rsa.h: Declare new RSA OAEP functions. * rsa-internal.h: Declare internal RSA OAEP functions. * oaep.c (_oaep_sec_decrypt_variable, _oaep_decode_mgf1) (_oaep_encode_mgf1): New file, new functions. * oaep.h: New file, declaring internal functions. * Makefile.in (hogweed_SOURCES): Add oaep.c, rsa-oaep-encrypt.c rsa-oaep-decrypt.c. (DISTFILES): Add oaep.h. * nettle.texinfo (RSA): Document RSA-OAEP functions. * testsuite/rsa-oaep-encrypt-test.c: New tests. * testsuite/testutils.c (test_rsa_set_key_2): New function. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add rsa-oaep-encrypt-test.c (TS_SC_HOGWEED): Add sc-rsa-oaep-encrypt-test. 2024-02-02 Niels Möller Optimize powerpc64 aes decrypt. Speedup of 80%-100%, depending on key size, when benchmarked on Power 10: * configure.ac (asm_replace_list): Add aes-invert-internal.asm. (asm_nettle_optional_list): Add aes-invert-internal-2.asm. * powerpc64/p8/aes-invert-internal.asm (_aes_invert): New file. Implementat _aes_invert as just a memcpy. * powerpc64/p8/aes-decrypt-internal.asm: Rework to use unmixed encryption subkeys, which fits better with the vncipher instruction, and eliminates lots of vxor instructions. * powerpc64/fat/aes-invert-internal-2.asm: New file. * aes-invert-internal.c: Check HAVE_NATIVE_aes_invert, and define _nettle_aes_invert_c wen needed. * fat-setup.h (aes_invert_internal_func): New typedef. * fat-ppc.c: Add fat setup for _aes_invert. 2024-01-28 Niels Möller * powerpc64/p8/aes-encrypt-internal.asm: Use r10-r12 consistently for indexing, and reducing number of used callee-save registers. * powerpc64/p8/aes-decrypt-internal.asm: Likewise. 2024-01-27 Niels Möller * aes-invert-internal.c (_nettle_aes_invert): Don't reorder the subkeys. * aes-decrypt-internal.c (_nettle_aes_decrypt): Updated to process subkeys starting from the end, and let subkeys pointer point at the subkey for the first decrypt round, located at the end of the array. * aes128-decrypt.c (nettle_aes128_decrypt): Updated accordingly. * aes192-decrypt.c (nettle_aes192_decrypt): Likewise. * aes256-decrypt.c (nettle_aes256_decrypt): Likewise. * arm/aes.m4 (AES_LOAD_INCR): New macro, specifying desired increment of key pointer. * arm/aes-decrypt-internal.asm: Updated for new conventions. * arm/v6/aes-decrypt-internal.asm: Likewise. * arm64/crypto/aes128-decrypt.asm: Likewise. * arm64/crypto/aes192-decrypt.asm: Likewise. * arm64/crypto/aes256-decrypt.asm: Likewise. * powerpc64/p8/aes-decrypt-internal.asm: Likewise. * sparc64/aes-decrypt-internal.asm: Likewise. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes-decrypt-internal.asm: Likewise. * x86_64/aes-decrypt-internal.asm: Likewise. * x86_64/aesni/aes128-decrypt.asm: Likewise. * x86_64/aesni/aes192-decrypt.asm: Likewise. * x86_64/aesni/aes256-decrypt.asm: Likewise. 2024-01-26 Niels Möller Delete all sparc32 assembly. * sparc32/aes-decrypt-internal.asm: Deleted file. * sparc32/aes-encrypt-internal.asm: Deleted file. * configure.ac: Don't enable any assembly for 32-bit sparc. * Makefile.in (distdir): Don't distribute sparc32 files. * sparc64/aes.m4: Moved file, from... * sparc32/aes.m4: ... old location. * sparc64/aes-encrypt-internal.asm: Update for location of aes.m4. * sparc64/aes-decrypt-internal.asm: Likewise. 2024-01-23 Niels Möller * powerpc64/machine.m4 (GHASH_REDUCE): New macro. Improve scheduling, adding vpmsumd result last. * powerpc64/p8/ghash-update.asm: Use GHASH_REDUCE, slightly reduce vector register usage, simplify use of index registers. 2024-01-21 Niels Möller * powerpc64/machine.m4 (OPN_XXY, OPN_XXXY): New macros. * powerpc64/p8/aes-encrypt-internal.asm: Use macros for repeated instruction patterns. * powerpc64/p8/aes-decrypt-internal.asm: Likewise. 2023-12-27 Niels Möller * testsuite/gcm-test.c (test_main): Additional gcm test case, with 719 byte message, contributed by Danny Tsen. 2023-12-08 Niels Möller Delete all md5 assembly code. * md5.c (nettle_md5_compress): Move function and related macros here, from... * md5-compress.c: ... deleted file. * x86/md5-compress.asm: Deleted file. * x86_64/md5-compress.asm: Deleted file. * configure.ac: When checking for openssl, use AC_LINK_IFELSE to check if needed functions really are available. Just using AC_CHECK_LIB to check for, e.g., EVP_RSA_gen, doesn't work, since that is a macro that depends on including openssl/rsa.h.' 2023-12-06 Niels Möller * drbg-ctr-aes256.c (drbg_ctr_aes256_output): New helper function. (drbg_ctr_aes256_update, drbg_ctr_aes256_random): Use it. From Simon Josefsson: * drbg-ctr.h (struct drbg_ctr_aes256_ctx): New context struct. (DRBG_CTR_AES256_SEED_SIZE): New constant. * drbg-ctr-aes256.c (drbg_ctr_aes256_update) (drbg_ctr_aes256_init, drbg_ctr_aes256_random): New file, new functions. * testsuite/drbg-ctr-aes256-test.c: New testcase. * nettle.texinfo (Randomness): Document DRBG-CTR. 2023-12-05 Niels Möller From Tim Kosse: * fat-arm64.c (check_sysctlbyname) [__APPLE__]: New function. (get_arm64_features) [__APPLE__]: Fix feature detection for Apple M1 devices. * configure.ac: In openssl tests, check for the headers actually used by the benchmarking code, and for a subset of the relevant functions. * examples/nettle-openssl.c: Trim openssl includes and defines, and use Nettle's definition of sha1 and md5 constants. (nettle_openssl_init): Deleted. * examples/nettle-benchmark.c (main): Delete call to nettle_openssl_init. 2023-12-04 Niels Möller * examples/nettle-openssl.c (nettle_openssl_blowfish128) (nettle_openssl_des, openssl_cast128_set_encrypt_key): Deleted, since these algorithms are now available in openssl only via the "legacy provider". Also deleted declarations and usage. * examples/hogweed-benchmark.c (struct openssl_ctx): Unified struct, replacing openssl_rsa_ctx and openssl_ecdsa_ctx. (bench_openssl_init, bench_openssl_sign, bench_openssl_verify) (bench_openssl_clear): New functions, using EVP interfaces to signing, replacing rsa- and ecdsa-specific functions. (bench_openssl_rsa_init, bench_openssl_ecdsa_init): Use bench_openssl_init. 2023-11-23 Niels Möller * nettle-internal.h: Keep only declarations actually used internally in the library. * non-nettle.h: New file, contents extracted from nettle-internal.h, for use in test and benchmark code. * non-nettle.c: New file, renamed from ... * nettle-internal.c: ... old name, deleted. * Makefile.in (internal_SOURCES, DISTFILES): Updated accordingly. * testsuite/Makefile.in (TEST_OBJS): Replace ../nettle-internal.o with ../non-nettle.o, and update corresponding make rule. * examples/Makefile.in (BENCH_OBJS): Likewise. 2023-11-22 Niels Möller Revert part of the 2023-08-05 change. * rsa-sec-decrypt.c (rsa_sec_decrypt): Merge with _rsa_sec_decrypt, including input range check. (_rsa_sec_decrypt): Deleted. * rsa-internal.h (_rsa_sec_decrypt): Delete declaration. * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Always call rsa_sec_decrypt, but don't annotate the ciphertext input as undefined/secret. 2023-11-15 Niels Möller * ecc-mod-arith.c (ecc_mod_addmul_1): Use assert_maybe. * ecc-curve448.c (ecc_curve448_modp): Likewise. * ecc-curve25519.c (ecc_curve25519_modq): Likewise. * eddsa-hash.c (_eddsa_hash): Likewise. * eddsa-sign.c (_eddsa_sign): Likewise. * testsuite/curve25519-dh-test.c (test_g): Add calls to mark_bytes_undefined and mark_bytes_defined. (test_a): Likewise. (test_main): Skip side-channel tests in builds with mini-gmp or extra asserts enabled. * testsuite/curve448-dh-test.c: Analogous changes. * testsuite/ed448-test.c (test_one): Analogous changes. * testsuite/ed25519-test.c: Analogous changes. * testsuite/Makefile.in (TS_SC_HOGWEED): New make variable. Added sc-curve25519-dh-test, sc-curve448-dh-test, sc-ed25519-test, and sc-ed448-test to list. * testsuite/sc-curve25519-dh-test: New testcase. * testsuite/sc-curve448-dh-test: New testcase. * testsuite/sc-ed448-test: New testcase. * testsuite/sc-ed25519-test: New testcase. 2023-11-14 Niels Möller Add a first side-channel test for the ECC code. * configure.ac: New option --enable-extra-asserts. Enables asserts that are disabled by default, due to conflict with tests of side-channel silence. (WITH_EXTRA_ASSERTS): Corresponding new define. * ecc-internal.h (assert_maybe): Conditionally define this assert macro, depending on WITH_EXTRA_ASSERTS. * ecc-mod-arith.c: Convert most asserts to assert_maybe. * ecc-mod-inv.c (ecc_mod_inv): Likewise. * ecc-mod.c (ecc_mod): Likewise. * ecc-pm1-redc.c (ecc_pm1_redc): Likewise. * ecc-pp1-redc.c (ecc_pp1_redc): Likewise. * ecc-secp192r1.c (ecc_secp192r1_modp): Likewise. * ecc-secp384r1.c (ecc_secp384r1_modp): Likewise. * testsuite/ecdsa-sign-test.c (test_ecdsa): Add calls to mark_bytes_undefined and mark_bytes_defined. (test_main): Skip side-channel tests in builds with mini-gmp or extra asserts enabled. * testsuite/sc-ecdsa-sign-test: New testcase. * testsuite/Makefile.in (TS_SC): Add sc-ecdsa-sign-test. 2023-11-12 Niels Möller * gmp-glue.h (GMP_LIMB_BITS) [NETTLE_USE_MINI_GMP]: Define as alias for GMP_NUMB_BITS. (is_zero_limb): Move inline function here. Add static, for compatibility with c89. and mini-gmp builds. * gmp-glue.c (sec_zero_p): Use is_zero_limb. 2023-11-06 Niels Möller Avoid comparison like cnd = (x == 0) in code intended to be side-channel silent, since to eliminate branches with some compilers/architectures, in particular 32-bit x86 and the msvc compiler. * nettle-internal.h (IS_ZERO_SMALL): New macro. * memeql-sec.c (memeql_sec): Use IS_ZERO_SMALL. * pkcs1-sec-decrypt.c (EQUAL): Likewise. * cnd-copy.c (cnd_copy): Require that cnd argument is 1 or 0. * ecc-mul-a.c (ecc_mul_a) [ECC_MUL_A_WBITS == 0]: Rearrange loop to pass 0 or 1 to cnd_copy. * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Likewise. * ecc-mul-a.c (ecc_mul_a) [ECC_MUL_A_WBITS > 0]: Use IS_ZERO_SMALL, and pass 0 or 1 to cnd_copy. * ecc-mul-g.c (ecc_mul_g): Likewise. * ecc-internal.h (is_zero_limb): New inline function. * eddsa-decompress.c (_eddsa_decompress): Likewise. * ecc-gostdsa-sign.c (ecc_gostdsa_sign): Likewise. * ecc-mod-arith.c (ecc_mod_zero_p): Likewise. (ecc_mod_equal_p): Avoid comparison cy == 0. * ecc-j-to-a.c (ecc_j_to_a): Avoid comparison cy == 0. 2023-10-06 Niels Möller * testsuite/rsa-sec-decrypt-test.c (test_main): Skip side-channel test if built with mini-gmp. * testsuite/sc-valgrind.sh (with_valgrind): Pass --exit-on-first-error=yes. * aclocal.m4 (NETTLE_PROG_VALGRIND): New macro. * configure.ac: Use it. * testsuite/Makefile.in (TS_SH): Include side-channel tests only if we have a working valgrind. * misc/c89: New wrapper script to force compiling in c89 mode. 2023-10-04 Niels Möller * bswap-internal.h (bswap32_if_be, bswap32_if_le): New macros. * blowfish-bcrypt.c (bswap32_if_le_n): Rename, to not collide with new macro. (bswap32_if_le): ... old name, deleted. * umac-set-key.c (bswap32_if_le_n): Define in the same way as for bcrypt, replacing... (BE_SWAP32_N): ...deleted macro. * umac-l3.c (_nettle_umac_l3_init): Use bswap64_if_le. * umac-l2.c (_nettle_umac_l2_init): Use bswap32_if_le. * chacha-core-internal.c (_nettle_chacha_core): Use bswap32_if_be. * salsa20-core-internal.c (_nettle_salsa20_core): Likewise * umac-l2.c (_nettle_umac_l2_final): Delete redundant assignment. 2023-10-03 Niels Möller * Makefile.in (check-fat): Reduce tests to run to TS_FAT, to speed up tests. * testsuite/Makefile.in (TS_FAT): Define list of tests relevant for testing algorithm variants in fat builds. * testsuite/ecc-mod-arith-test.c: Reduce test count, aiming to get test to complete in roughly 0.1s. * testsuite/ecc-mod-test.c: Likewise. * testsuite/ecc-modinv-test.c: Likewise. * testsuite/ecc-mul-a-test.c: Likewise. * testsuite/ecc-redc-test.c: Likewise. * testsuite/ecc-sqrt-test.c: Likewise. * testsuite/eddsa-compress-test.c: Likewise. * testsuite/poly1305-test.c: Likewise. * testsuite/random-prime-test.c: Likewise. * testsuite/rsa-compute-root-test.c: Likewise. * testsuite/rsa-sec-decrypt-test.c: Likewise. * testsuite/Makefile.in (TS_SH): Delete tools tests from list. * tools/Makefile.in (check): Run tools tests from this target. (TS_ALL): New variable. (DISTFILES): Add TS_ALL files. * testsuite/teardown-env: Deleted, intead let make clean delete test files. * tools/nettle-pbkdf2-test: Moved, from testseuite/. * tools/sexp-conv-test: Likewise. * tools/pkcs1-conv-test: Likewise. 2023-08-05 Niels Möller * testsuite/testutils.c (mark_bytes_undefined) (mark_bytes_defined): New functions. Update side-channel related tests to use them. (main): Check environment variable NETTLE_TEST_SIDE_CHANNEL. (test_side_channel): New global variable. * testsuite/sc-valgrind.sh (with_valgrind): New file, new shell utility function. * testsuite/sc-pkcs1-sec-decrypt-test: New test, for side channel silence. * testsuite/sc-memeql-test: Likewise. * testsuite/sc-gcm-test: Likewise. * testsuite/sc-cnd-memcpy-test: Likewise. * testsuite/rsa-sec-decrypt-test: Likewise. * rsa-sec-decrypt.c (_rsa_sec_decrypt): New internal function, without input range checks. (rsa_sec_decrypt): Use it. 2023-08-02 Niels Möller * configure.ac: Replace obsoleted macros, require autoconf-2.69, from 2012, or later. * aclocal.m4: Likewise. * aclocal.m4 (LSH_FUNC_STRERROR): Delete macro. (LSH_FUNC_STRSIGNAL): Delete unused macro. * configure.ac: Delete usage of LSH_FUNC_STRERROR. * tools/nettle-hash.c (main): Use strerror unconditionally. * tools/nettle-pbkdf2.c (main): Likewise. 2023-08-01 Niels Möller * configure.ac: Delete special handling of rntcl; it should be treated like any other cross compiler. Delete obsolete check of ac_cv_prog_cc_stdc. 2023-06-01 Niels Möller * Released Nettle-3.9.1. 2023-05-26 Niels Möller * configure.ac: Bump package version, to 3.9.1. (LIBNETTLE_MINOR): Bump minor number, to 8.8. (LIBHOGWEED_MINOR): Bump minor number, to 6.8. 2023-05-19 Niels Möller From Jussi Kivilinna: * ocb.c (ocb_crypt_n): Fix broken loop logic. * testsuite/ocb-test.c (test_main): Add test vector from libgcrypt, with larger message, to exercise above loop. 2023-05-16 Niels Möller * x86_64/ghash-update.asm: Use separate unaligned load instructions (movups) to load the tabulated values, since they are only 8-byte aligned and pand memory operands require 16-byte alignment. 2023-05-15 Niels Möller * eccdata.c (output_bignum_redc): Add missing mpz_clear, reported by Noah Watkins. (output_digits): Delete a gratuitous mpz_init. 2023-05-14 Niels Möller * Released nettle-3.9. 2023-05-12 Niels Möller * texinfo.tex: Delete unused file. Copy files from https://git.savannah.gnu.org/cgit/gnulib.git/plain/build-aux/ * install-sh: Update to 2020-11-14.01 version. * config.guess: Update to 2023-01-01 version. * config.sub: Update to 2023-01-21 version. 2023-05-10 Niels Möller Fix compile error in --disable-public-key configuration. * testsuite/sha1-test.c: Add missing include of sha1.h. * testsuite/sha256-test.c: Add missing include of sha2.h. 2023-05-07 Niels Möller * configure.ac: Bump package version, to 3.9. (LIBNETTLE_MINOR): Bump minor number, to 8.7 (8.6 was used for Nettle-3.8.1). (LIBHOGWEED_MINOR): Bump minor number, to 6.7. 2023-04-25 Niels Möller Rework tests of SIV message functions. * testsuite/siv-gcm-test.c (nettle_encrypt_message_func) (nettle_decrypt_message_func): Delete typedefs. (test_compare_results, test_cipher_siv_gcm): Delete functions. (test_siv_gcm_aes128, test_siv_gcm_aes256): Delete macros. (siv_gcm_aes128, siv_gcm_aes256): New algorithm structs. (test_main): Use test_aead_message. * testsuite/siv-cmac-test.c (nettle_encrypt_message_func) (nettle_decrypt_message_func): Delete typedefs. (test_compare_results, test_cipher_siv): Delete functions. (test_siv_aes128, test_siv_aes256): Delete macros. (siv_cmac_aes128, siv_cmac_aes256): New algorithm structs. (test_main): Use test_aead_message. 2023-04-24 Niels Möller Rework tests of OCB message functions. * testsuite/testutils.c (test_aead_message): New function, for testing AEAD message functions. * testsuite/testutils.h (nettle_encrypt_message_func) (nettle_decrypt_message_func): New typedefs. (struct nettle_aead_message): New struct. * testsuite/ocb-test.c (nettle_encrypt_message_func) (nettle_decrypt_message_func): Deleted typedefs. (test_compare_results): Deleted function. (test_ocb_aes128): Deleted macro. (struct ocb_aes128_message_key): New struct. (ocb_aes128_set_encrypt_key_wrapper) (ocb_aes128_set_decrypt_key_wrapper) (ocb_aes128_encrypt_message_wrapper) (ocb_aes128_decrypt_message_wrapper): New wrapper functions, using above ocb_aes128_message_key for both encrypt and decrypt, and a fix tag length of 16 octets. (ocb_aes128_message): New algorithm struct, with above wrappers. (test_main): Use test_aead_message. 2023-04-23 Niels Möller * testsuite/siv-cmac-test.c: Renamed file, from... * testsuite/siv-test.c: ... old name. 2023-04-13 Niels Möller * ghash-update.c (gcm_gf_mul): Rewrite to avoid side-channel leakage. Now processes the message bits one at a time, using tabulated values of the key premultiplied by appropriate powers of x, so that the table is accessed in a fixed sequential order. Performance penalty, on x86_64, is roughly 3 times. (shift_table): Deleted table. (gcm_gf_shift_8): Deleted function. * ghash-set-key.c (_ghash_set_key): Rewrite table generation. * gcmdata.c: Deleted. * Makefile.in: Delete references to gcmdata. * x86_64/ghash-update.asm: Rewritten, similar side-channel silent method as the C implementation, with same table layout, but using sse2 instructions. * testsuite/gcm-test.c (test_ghash_internal): Add valgrind annotations, to verify that the ghash implementation makes no data-dependent branches or memory accesses. * examples/nettle-benchmark.c (bench_ghash_update): New function. 2023-04-03 Niels Möller From Mamone Tarsha: * x86_64/pclmul/ghash-update.asm: New loop to process two blocks at a time. * x86_64/pclmul/ghash-set-key.asm: Likewise. 2023-03-25 Niels Möller * ocb.h (OCB_MAX_NONCE_SIZE): New constant. 2023-02-16 Niels Möller * x86_64/sha256-compress-n.asm: Fix incorrect w64 setup. Report and fix from Gisle Vanem. 2023-02-08 Niels Möller * examples/nettle-benchmark.c (main): Benchmark ocb_aes128. 2023-02-07 Niels Möller Implement OCB mode. RFC 7253. * block-internal.h (block16_set): New function. * ocb.c (ocb_set_key, ocb_set_nonce, ocb_update, ocb_encrypt) (ocb_decrypt, ocb_encrypt_message, ocb_decrypt_message): New public functions. (MEM_ROTATE_RIGHT, MEM_MASK): New macros. (extract, update_offset, pad_block, ocb_fill_n, ocb_crypt_n) (ocb_checksum_n): New helper functions. * ocb-aes128.c (ocb_aes128_set_encrypt_key) (ocb_aes128_set_decrypt_key, ocb_aes128_set_nonce) (ocb_aes128_update, ocb_aes128_encrypt, ocb_aes128_decrypt) (ocb_aes128_digest, ocb_aes128_encrypt_message) (ocb_aes128_decrypt_message): New file, new functions. * ocb.h: Declare ocb functions. (struct ocb_key): New struct. (struct ocb_ctx): New struct. (struct ocb_aes128_encrypt_key): New struct. * Makefile.in (nettle_SOURCES): Add ocb.c ocb-aes128.c. (HEADERS): Add ocb.h. * nettle-internal.c (nettle_ocb_aes128) (ocb_aes128_set_encrypt_key_wrapper) (ocb_aes128_set_decrypt_key_wrapper) (ocb_aes128_set_nonce_wrapper, ocb_aes128_update_wrapper) (ocb_aes128_encrypt_wrapper, ocb_aes128_decrypt_wrapper) (ocb_aes128_digest_wrapper): New aead algorithm, and related wrapper functions. * nettle-internal.h (OCB_NONCE_SIZE): New constant. (struct ocb_aes128_ctx): New struct. * testsuite/ocb-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add ocb-test.c. 2023-02-06 Niels Möller * testsuite/testutils.c (test_aead): Always use set_nonce function pointer if non-NULL, test varying alignment, output the unexpected data when test fails. 2022-12-05 Niels Möller * xts-aes128.c (xts_aes128_encrypt_message) (xts_aes128_decrypt_message): const-declare the xts_key argument. * xts-aes256.c (xts_aes256_encrypt_message) (xts_aes256_decrypt_message): Likewise. 2022-11-09 Niels Möller From Mamone Tarsha: * powerpc64/p9/poly1305-blocks.asm: New file, multi-block radix 2^44 implementation. Benchmarked to give a speedup of 3.2 times on Power9. * powerpc64/p9/poly1305.m4 (DEFINES_BLOCK_R64, BLOCK_R64): New file, new macros. * powerpc64/p9/poly1305-internal.asm: Use BLOCK_R64 macro. * powerpc64/machine.m4 (INC_GPR, INC_VR): New macros. * powerpc64/fat/poly1305-blocks.asm: New file. * poly1305-update.c: Check HAVE_NATIVE_fat_poly1305_blocks, and define _nettle_poly1305_blocks_c when needed. * fat-ppc.c: Fat setup for _nettle_poly1305_blocks. 2022-11-07 Niels Möller * configure.ac (ASM_FLAGS): New configure environment variable. * aclocal.m4 (GMP_TRY_ASSEMBLE): Use $ASM_FLAGS. * config.make.in (ASM_FLAGS): Add substitution. * Makefile.in: Use $(ASM_FLAGS) when compiling .asm files. 2022-10-31 Niels Möller * configure.ac: (asm_file_list): Add HAVE_NATIVE_poly1305_blocks. (asm_nettle_optional_list): Add poly1305-blocks.asm. * x86_64/poly1305-blocks.asm: New file. * md-internal.h (MD_FILL_OR_RETURN_INDEX): New macro. * poly1305-update.c (_nettle_poly1305_update): New file and function. * poly1305-internal.h: Declare _nettle_poly1305_blocks and _nettle_poly1305_update. * chacha-poly1305.c (poly1305_update): Use _nettle_poly1305_update. * poly1305-aes.c (poly1305_aes_update): Likewise. * Makefile.in (nettle_SOURCES): Add poly1305-update.c. 2022-10-13 Niels Möller * gmp-glue.c (mpn_sec_tabselect) [NETTLE_USE_MINI_GMP]: Add back here, to support mini-gmp builds. Updated signature to be compatible with the gmp version. * gmp-glue.h: Add declaration. 2022-10-11 Niels Möller * sec-tabselect.c (sec_tabselect): Delete file and function. All callers updated to use gmp's mpn_sec_tabselect instead, which is implemented in assembly on many platforms. 2022-10-02 Niels Möller * examples/ecc-benchmark.c (bench_curve): Add benchmarking of modulo q inversion. 2022-09-29 Niels Möller * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Call ecc_mul_g and ecc_mul_a directly, not via function pointers. (ecc_ecdsa_verify_itch): Use ECC_MUL_A_ITCH rather than ecc->mul_itch. * ecc-gostdsa-verify.c (ecc_gostdsa_verify_itch) (ecc_gostdsa_verify): Analogous changes. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Call ecc_mul_g and ecc_j_to_a directly, not via function pointers. (ecc_ecdsa_sign_itch): Use ECC_MUL_G_ITCH rather than ecc->mul_g_itch. * ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign): Analogous changes. 2022-09-28 Niels Möller * testsuite/meta-hash-test.c (test_main): Add check of NETTLE_MAX_HASH_BLOCK_SIZE. * nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE): Increase to 144, to accommodate sha3_224. * testsuite/meta-cipher-test.c (test_main): Check that cipher metadata doesn't exceed NETTLE_MAX_CIPHER_BLOCK_SIZE or NETTLE_MAX_CIPHER_KEY_SIZE. From Daiki Ueno: * siv-gcm.c (siv_gcm_encrypt_message, siv_gcm_decrypt_message): New file, implementation of SIV-GCM. * siv-gcm.h (SIV_GCM_BLOCK_SIZE, SIV_GCM_DIGEST_SIZE) (SIV_GCM_NONCE_SIZE): New header file, new constants and declarations. * siv-gcm-aes128.c (siv_gcm_aes128_encrypt_message) (siv_gcm_aes128_decrypt_message): New file and functions. * siv-gcm-aes256.c (siv_gcm_aes256_encrypt_message) (siv_gcm_aes256_decrypt_message): Likewise. * siv-ghash-set-key.c (_siv_ghash_set_key): New file, new internal function. * siv-ghash-update.c (_siv_ghash_update): Likewise. * block-internal.h (block16_bswap): New inline function. * bswap-internal.h (bswap64_if_be): New macro. * nettle-internal.h (NETTLE_MAX_CIPHER_KEY_SIZE): New constant. * Makefile.in (nettle_SOURCES): Add new source files. (HEADERS): Add siv-gcm.h. * testsuite/siv-gcm-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add siv-gcm-test.c. * nettle.texinfo (SIV-GCM): Documentation. From Zoltan Fridrich: * balloon.c (balloon, balloon_itch): Implementation of balloon password hash. * balloon.h: New header file. * balloon-sha1.c (balloon_sha1): New file and function. * balloon-sha256.c (balloon_sha256): Likewise. * balloon-sha384.c (balloon_sha384): Likewise. * balloon-sha512.c (balloon_sha512): Likewise. * Makefile.in (nettle_SOURCES): Add balloon source files. (HEADERS): Add ballon.h. * testsuite/balloon-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add balloon-test.c. 2022-09-14 Niels Möller * ecc-nonsec-add-jjj.c (ecc_nonsec_add_jjj): New file and function. * ecc-internal.h: Declare it. * Makefile.in (hogweed_SOURCES): Add ecc-nonsec-add-jjj.c. * testsuite/ecc-add-test.c (test_main): Add tests for ecc_nonsec_add_jjj. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_nonsec_add_jjj, to produce correct result in a corner case where point addition needs to use point duplication. Also use ecc_j_to_a rather than ecc->h_to_a, since ecdsa supports only weierstrass curves. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Analogous change. * testsuite/ecdsa-verify-test.c (test_main): Add corresponding test. * testsuite/ecdsa-sign-test.c (test_main): And a test producing the problematic signature. 2022-09-08 Niels Möller * eccdata.c (string_toupper): New utility function. (output_modulo): Move more of the per-modulo output here. (output_curve): Remove corresponding code. 2022-08-31 Niels Möller * bswap-internal.h (nettle_bswap64, nettle_bswap32) (bswap64_if_le): New header file, new inline functions/macros. * gcm.c (gcm_hash_sizes): Use bswap64_if_le, and bswap-internal.h, replacing local definition of bswap_if_le. * nist-keywrap.c (nist_keywrap16): Likewise. * blowfish-bcrypt.c (swap32): Renamed function, to... (bswap32_if_le): ...new name, rewritten to use nettle_bswap32. Update call sites. * Makefile.in (DISTFILES): Add bswap-internal.h. 2022-08-18 Niels Möller * Makefile.in (HEADERS): Add sm4.h. From Tianjia Zhang: SM4 block cipher. * sm4.c: New file. * sm4.h: New file. * sm4-meta.c: New file. * gcm-sm4.c: New file * gcm-sm4-meta.c: New file. * nettle.texinfo: Document SM4. * testsuite/gcm-test.c (test_main): Add SM4 tests. * testsuite/sm4-test.c: New file. * configure.ac (ABI): Change mips abi check to apply only to mips64. 2022-08-17 Niels Möller * testsuite/testutils.c (mpz_urandomm) [NETTLE_USE_MINI_GMP]: New fallback definition when building with mini-gmp. 2022-08-16 Niels Möller * ecc-mod-arith.c (ecc_mod_sub): Ensure that if inputs are in the range 0 <= a, b < 2m, then output is in the same range. * eccdata.c (output_curve): New outputs ecc_Bm2p and ecc_Bm2q. * ecc-internal.h (struct ecc_modulo): New member Bm2m (B^size - 2m), needed by ecc_mod_sub. Update all curves. * testsuite/ecc-mod-arith-test.c: New tests for ecc_mod_add and ecc_mod_sub. * eccdata.c (output_modulo): Output the limb size, delete return value. (output_curve): Update calls to output_modulo, other minor cleanup. 2022-08-07 Niels Möller Delete all arcfour assembly code. * arcfour.c (arcfour_crypt): Moved function here, from... * arcfour-crypt.c: ... deleted file. * sparc32/arcfour-crypt.asm: Deleted. * sparc64/arcfour-crypt.asm: Deleted. * x86/arcfour-crypt.asm: Deleted. * asm.m4: Delete arcfour structure offsets. 2022-08-07 Niels Möller Based on patch from Corentin Labbe: * nettle.texinfo: Document sha256_compress, sha512_compress, md5_compress and sha1_compress. * configure.ac: Refer to nettle-types.h, rather than arcfour.c, for AC_CONFIG_SRCDIR. 2022-08-05 Niels Möller * nettle-internal.h: Include stdlib.h, fix alloca warnings on BSD. * hmac.c: Delete corresponding include here, no longer needed. * getopt.c: Include stdlib.h and unistd.h unconditionally, similarly to the gnulib version of this file. 2022-08-04 Niels Möller From Brad Smith: * configure.ac: Fix 64-bit MIPS ABI check for other OS's like *BSD / Linux. * aclocal.m4 (LSH_CCPIC): Use proper PIC flag for *BSD OS's. * blowfish-bcrypt.c (swap32): Eliminate conflict with OpenBSD's swap32 macro. 2022-07-29 Niels Möller * s390x/msa_x1/sha256-compress-n.asm: New file. replacing... * s390x/msa_x1/sha256-compress.asm: ...deleted file. * s390x/fat/sha256-compress-n-2.asm: New file. replacing... * s390x/fat/sha256-compress-2.asm: ...deleted file. * fat-s390x.c: Update fat setup. 2022-07-26 Niels Möller * arm/v6/sha256-compress-n.asm: New file. replacing... * arm/v6/sha256-compress.asm: ...deleted file. * arm/fat/sha256-compress-n-2.asm: New file. replacing... * arm/fat/sha256-compress-2.asm: ...deleted file. * fat-arm.c: Update fat setup. 2022-07-11 Niels Möller * arm64/crypto/sha256-compress-n.asm: New file. replacing... * arm64/crypto/sha256-compress.asm: ...deleted file. * arm64/fat/sha256-compress-n-2.asm: New file. replacing... * arm64/fat/sha256-compress-2.asm: ...deleted file. * fat-arm64.c: Update fat setup. 2022-07-05 Niels Möller * md-internal.h (MD_FILL_OR_RETURN): New file, new macro. * sha256-compress-n.c (_nettle_sha256_compress_n): New file and function, replacing... * sha256-compress.c (_nettle_sha256_compress): ...deleted file and function. * sha2-internal.h (_nettle_sha256_compress_n): Declare new function.. * sha256.c (sha256_compress): Update to use _nettle_sha256_compress_n and MD_FILL_OR_RETURN. * x86_64/sha256-compress-n.asm: New file. replacing... * x86_64/sha256-compress.asm: ...deleted file. * x86_64/sha_ni/sha256-compress-n.asm: New file. replacing... * x86_64/sha_ni/sha256-compress.asm: ...deleted file. * fat-setup.h (sha256_compress_n_func): New typedef, replacing... (sha256_compress_func): ... deleted typedef. * fat-x86_64.c: Update fat setup. 2022-06-20 Niels Möller * testsuite/sha1-test.c (test_sha1_compress): New function. (test_main): Add tests for compressing 0, 1 or 2 blocks. * testsuite/sha256-test.c (test_sha256_compress): New function. (test_main): Add tests for compressing 0, 1 or 2 blocks. 2022-06-12 Niels Möller From Christian Weisgerber: * fat-arm64.c (get_arm64_features): Enable runtime feature detection for openbsd. 2022-06-09 Niels Möller * md5.h (md5_compress): New public name for compression function. * sha1.h (sha1_compress): Likewise. Based on patches from Corentin Labbe: * sha2.h: Declare new functions. * sha256.c (sha256_compress): New function. (COMPRESS): Updated to use sha256_compress. (sha256_write_digest): Use sha256_compress directly. * sha512.c (sha512_compress): New function. (COMPRESS): Updated to use sha512_compress. (sha512_write_digest): Use sha512_compress directly. 2022-06-02 Niels Möller * Released nettle-3.8. 2022-05-23 Niels Möller * Makefile.in (OPT_SOURCES): Add missing file fat-arm64.c. * config.guess: Update to 2022-05-08 version. * config.sub: Update to 2022-01-03 version. 2022-05-20 Niels Möller * configure.ac: Bump package version, to 3.8. (LIBNETTLE_MINOR): Bump minor number, to 8.5. (LIBHOGWEED_MINOR): Bump minor number, to 6.5. 2022-05-05 Niels Möller * nettle.texinfo (CBC): Document cbc_aes128_encrypt, cbc_aes192_encrypt and cbc_aes256_encrypt. 2022-04-28 Niels Möller * nettle.texinfo (Copyright): Deleted incomplete and out of date list of authors. Replaced by... * AUTHORS: New updated list of authors and contributions. 2022-02-23 Niels Möller Analogous s390x update, by Mamone Tarsha: * fat-s390x.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * s390x/fat/ghash-update-2.asm: New file. * s390x/fat/ghash-set-key-2.asm: New file. * s390x/fat/gcm-hash.asm: Deleted. * s390x/msa_x4/gcm-hash.asm: Deleted, split into two new files... * s390x/msa_x4/ghash-update.asm: New file. * s390x/msa_x4/ghash-set-key.asm: New file 2022-02-22 Niels Möller * fat-ppc.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * powerpc64/fat/ghash-update-2.asm: New file. * powerpc64/fat/ghash-set-key-2.asm: New file. * powerpc64/fat/gcm-hash.asm: Deleted. * powerpc64/p8/gcm-hash.asm: Deleted, split into two new files... * powerpc64/p8/ghash-update.asm: New file. * powerpc64/p8/ghash-set-key.asm: New file 2022-02-21 Niels Möller * fat-arm64.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * arm64/fat/ghash-update-2.asm: New file. * arm64/fat/ghash-set-key-2.asm: New file. * arm64/fat/gcm-hash.asm: Deleted. * ghash-update.c (_nettle_ghash_update_c): New name, for fat builds. * arm64/crypto/gcm-hash.asm: Deleted, split into two new files... * arm64/crypto/ghash-set-key.asm: New file. * arm64/crypto/ghash-update.asm: New file. 2022-02-19 Niels Möller * fat-x86_64.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * fat-setup.h (ghash_set_key_func, ghash_update_func): New typedefs. (gcm_init_key_func, gcm_hash_func): Deleted typedefs. * x86_64/fat/ghash-update.asm: New file. * x86_64/fat/ghash-update-2.asm: New file. * x86_64/fat/ghash-set-key-2.asm: New file. * x86_64/fat/gcm-hash.asm: Deleted. * ghash-set-key.c (_nettle_ghash_set_key_c): New name, for fat builds. * configure.ac (asm_nettle_optional_list): Add ghash-set-key-2.asm ghash-update-2.asm. * ghash-set-key.c (_ghash_digest): Deleted, and also deleted assembly implementations. * gcm.c (gcm_digest): Replace call to _ghash_digest with block16_xor. * x86_64/pclmul/gcm-hash.asm: Deleted, split into two new files... * x86_64/pclmul/ghash-set-key.asm: New file. * x86_64/pclmul/ghash-update.asm: New file. * configure.ac (asm_replace_list): Add ghash-set-key.asm ghash-update.asm. (asm_nettle_optional_list): Delete gcm-hash.asm gcm-hash8.asm. * x86_64/ghash-update.asm: New file, based on old gcm-hash8.asm, but without any handling of partial blocks. * x86_64/gcm-hash8.asm: Deleted. * ghash-set-key.c (_ghash_digest): Moved function from... * ghash-update.c (_ghash_digest): ...old location. 2022-02-18 Niels Möller * block-internal.h (block16_zero): New function. * ghash-internal.h: New file, declaring new internal ghash interface. * gcm-internal.h: Deleted file. * ghash-update.c (gcm_gf_shift_8): Moved here (from gcm.c) (gcm_gf_mul): Likewise. (_ghash_update): New function, extracted from _nettle_gcm_hash_c. (_ghash_digest): New function. * ghash-set-key.c (_ghash_set_key): New file and function. Extracted from _nettle_gcm_init_key_c and _nettle_gcm_set_key. * gcm.c (INC32): Deleted macro, used in only one place. (gcm_set_key): Update to use _ghash_set_key. (gcm_hash): Renamed, was _gcm_hash, and implemented in terms of _ghash_update. (bswap_if_le): New function (copied from nist-keywrap.c). (gcm_hash_sizes): Use bswap_if_le and _ghash_update. (gcm_set_iv): Updated to use gcm_hash and block16_zero. (gcm_digest): Use _ghash_digest. * testsuite/gcm-test.c (test_ghash_internal): Updated to use _ghash_set_key and _ghash_update. * Makefile.in (nettle_SOURCES): Add ghash-set-key.c ghash-update.c. (DISTFILES): Replaced gcm-internal.h with ghash-internal.h. 2022-02-17 Niels Möller * gcm.c: Require that GCM_TABLE_BITS == 8. Delete old code for GCM_TABLE_BITS == 0 and GCM_TABLE_BITS == 4. * gcm-internal.h: Delete checks for GCM_TABLE_BITS != 8. * fat-x86_64.c: Likewise. * fat-s390x.c: Likewise. * fat-ppc.c: Likewise. * fat-arm64.c: Likewise. 2022-02-15 Niels Möller * fat-x86_64.c: Add fat setup for gcm. * x86_64/fat/gcm-hash.asm: New file. * Makefile.in (distdir): Add x86_64/pclmul directory. * configure.ac: New configure option --enable-x86-pclmul. (asm_path): Add x86_64/pclmul, if above option is set. * x86_64/pclmul/gcm-hash.asm: New file, initial implementation of GCM using the pclmulqdq instructions. 2022-02-08 Niels Möller * gcm-internal.h (_gcm_hash): Arrange so that this is an alias for the appropriate implementation. Updated all users. * gcm.c (_nettle_gcm_set_key): New internal function, intended to make tests of internal ghash functions easier. (gcm_set_key): Use it. * testsuite/gcm-test.c (test_ghash_internal): New function. (test_main): Add tests of internal ghash functions, with keys corresponding to various single-bit polynomials. 2022-01-28 Niels Möller * testsuite/poly1305-test.c (poly1305_internal): Renamed function, was test_poly1305_internal. (test_poly1305_internal): New helper function. (test_fixed): New function, to test internal functions with fixed test inputs. (test_random): Use test_poly1305_internal. (test_main): Call test_fixed. * misc/poly1305-gen-example.pike: Program to generate poly1305 inputs with a given digest. 2022-01-27 Niels Möller * x86_64/poly1305-internal.asm: Rewrote. Rearrange folding, so that all the multiply instructions needed to process a block are independent of each other. Measured speedup of 16% on AMD zen2 and 28% on Intel broadwell, and expected to be generally faster. * asm.m4 (P1305): Rearrange struct contents, to fit 64-bit entries S0 and H2. Total struct size unchanged. 2022-01-25 Niels Möller Chacha implementation for arm64, contributed by Mamone Tarsha. * arm64/chacha-core-internal.asm: New file. * arm64/chacha-2core.asm: New file. * arm64/chacha-4core.asm: New file 2022-01-24 Niels Möller * powerpc64/ecc-secp224r1-modp.asm: New file, contributed by Amitay Isaacs. * powerpc64/ecc-curve25519-modp.asm: New file, contributed by Martin Schwenke & Alastair D´Silva * powerpc64/ecc-curve448-modp.asm: New file, contributed by Martin Schwenke & Amitay Isaacs. 2022-01-23 Niels Möller * testsuite/poly1305-test.c (test_poly1305_internal): New function. (ref_poly1305_internal): New function. (test_random): New function. (test_main): Call test_random. Arrange so that GMP or mini-gmp is always available for tests. * testsuite/testutils.h [!WITH_HOGWEED]: Include mini-gmp.h. * testsuite/testutils.c [!WITH_HOGWEED]: Include mini-gmp.c. 2022-01-21 Niels Möller * powerpc64/ecc-secp192r1-modp.asm: New file, contributed by Amitay Isaacs. * powerpc64/ecc-secp384r1-modp.asm: New file, contributed by Martin Schwenke, Amitay Isaacs & Alastair D´Silva. * powerpc64/ecc-secp521r1-modp.asm: New file, contributed by Martin Schwenke & Alastair D´Silva. 2022-01-17 Niels Möller * testsuite/testutils.c (test_ecc_point_valid_p): New function, moved from... * testsuite/ecdsa-keygen-test.c (ecc_valid_p): ... old copy. * testsuite/gostdsa-keygen-test.c (ecc_valid_p): ... old copy. * testsuite/testutils.h: Declare it. (test_randomize) [NETTLE_USE_MINI_GMP]: Use inline function rather than macro for dummy definition, to avoid compile time warnings. 2022-01-10 Niels Möller * powerpc64/ecc-secp256r1-redc.asm: Reduce number of registers used, eliminating save and restore of callee-save registers. Speedup of 7% reported for POWER9 (and marginal speedup of secp256 sign and verify operations). 2022-01-04 Niels Möller * configure.ac (ELFV2_ABI): New substituted variable, set on powerpc64 based on the _CALL_ELF define. * config.m4.in (ELFV2_ABI): Substituted here. * powerpc64/machine.m4: Use ELFV2_ABI rather than WORDS_BIGENDIAN to select abi flavor. Intended to support ppc64be + musl, which, unlike other big-endian configurations, uses ELFv2. 2021-12-09 Niels Möller * x86_64/ecc-secp256r1-redc.asm: New folding scheme with one less carry propagation phase, and fewer registers, avoiding save and restore of callee-save registers. 17% speedup of this function on AMD Ryzen 5, resulting in a modest improvement in ecdsa performance. * powerpc64/ecc-secp256r1-redc.asm: New file, contributed by Amitay Isaacs. 2021-11-29 Niels Möller From Tianjia Zhang: SM3 hash function. * sm3.h: New file. * sm3.c: New file. * sm3-meta.c: New file. * hmac-sm3.c: New file. * hmac-sm3-meta.c: New file. * testsuite/sm3-test.c: New file. * nettle.texinfo: Document SM3. 2021-11-19 Niels Möller * gmp-glue.c (mpz_limbs_cmp): Deleted function. Usage replaced with mpz_roinit_n and mpz_cmp. (mpz_limbs_read_n): Deleted function. Usage in tests only, replaced with mpz_limbs_copy. 2021-11-15 Niels Möller * testsuite/eddsa-compress-test.c (test_main): Use test_randomize. * testsuite/ecc-redc-test.c (test_main): Likewise. * testsuite/ecc-mul-g-test.c (test_main): Likewise. * testsuite/ecc-mul-a-test.c (test_main): Likewise. * testsuite/ecc-modinv-test.c (test_modulo): Trim allocation for result area. (test_main): Use test_randomize. * testsuite/ecc-sqrt-test.c (test_sqrt): Trim allocation. (test_sqrt_ratio): Trim allocation. Fix sqrt_ratio test for v = 0, failure is expected. (test_main): Use test_randomize. 2021-11-13 Niels Möller * testsuite/testutils.c (get_random_seed): Move function here. (test_randomize): New function. * testsuite/ecc-mod-test.c (get_random_seed): Delete old copy. (test_main): Use test_randomize. * testsuite/rsa-compute-root-test.c (get_random_seed): Delete old copy. (test_main): Use test_randomize. * ecc-secp224r1.c (ecc_secp224r1_sqrt): Fix result for zero input, which needs handling as a special case in the Tonelli-Shanks algorithm. * testsuite/ecc-sqrt-test.c (test_sqrt_ratio): Check that sqrt(0) returns 0. (test_sqrt_ratio): Check that sqrt (0/1) returns 0. 2021-11-11 Niels Möller * eccdata.c (output_curve): Output ecc_sqrt_z and ECC_SQRT_E only when computed. Fixes uninitialized value bug from previous change. * ecc-secp384r1.c (ecc_mod_pow_288m32m1): New function. (ecc_secp384r1_inv): Use ecc_mod_pow_288m32m1. (ecc_secp384r1_sqrt): Likewise. * eccdata.c (output_curve): Delete generation of unused values ecc_sqrt_t and ECC_SQRT_T_BITS. 2021-11-10 Niels Möller * eccdata.c (output_bignum_redc): New function. (output_curve): Generate both redc and non-redc versions of ecc_sqrt_z. Fixes secp224r1 sqrt, in configs using redc. 2021-11-08 Niels Möller Square root functions, based on patch by Wim Lewis. * ecc-internal.h (ecc_mod_sqrt_func): New typedef. (struct ecc_modulo): Add sqrt function pointer and sqrt_itch. Update all curve definitions. * ecc-secp192r1.c (ECC_SECP192R1_SQRT_ITCH): New constant. (ecc_secp192r1_sqrt): New function. * ecc-secp256r1.c (ecc_secp256r1_sqrt): New function. * ecc-secp384r1.c (ecc_secp384r1_sqrt): New function. * ecc-secp521r1.c (ecc_secp521r1_sqrt): New function. * ecc-secp224r1.c (ecc_secp224r1_sqrt): New function, using Tonelli-Shanks' algorithm. * testsuite/ecc-sqrt-test.c (test_sqrt): New function. (test_sqrt_ratio): Renamed function (was test_modulo). (test_main): Test sqrt function, for curves that define it. * ecc-secp224r1.c (ecc_mod_pow_127m1): New function. 2021-11-07 Niels Möller * ecc-internal.h (struct ecc_modulo): Renamed sqrt_itch to sqrt_ratio_itch. * eddsa-decompress.c (_eddsa_decompress_itch): Updated. * ecc-curve448.c (ECC_CURVE448_SQRT_RATIO_ITCH): Renamed, from ... (ECC_CURVE448_SQRT_ITCH): ... old name. (ecc_curve448_sqrt_ratio): Renamed, from ... (ecc_curve448_sqrt): ... old name. (_nettle_curve448): Updated. * ecc-curve25519.c (ECC_25519_SQRT_RATIO_ITCH): Renamed, from ... (ECC_25519_SQRT_ITCH): ... old name (ecc_curve25519_sqrt_ratio): Renamed, from ... (ecc_curve25519_sqrt): ... old name. (_nettle_curve25519): Updated. * ecc-internal.h (ecc_mod_sqrt_ratio_func): Renamed typedef... (ecc_mod_sqrt_func): ... from old name. (struct ecc_modulo): Renamed corresponding function pointer to sqrt_ratio. Updated all uses. 2021-10-28 Niels Möller * ecc-mod-arith.c (ecc_mod_equal_p): New function, moved from ecc-modinv-test.c. Based on patch by Wim Lewis. * testsuite/ecc-modinv-test.c (mod_eq_p): Deleted, replaced with ecc_mod_equal_p. 2021-10-26 Niels Möller * ecc-mod-arith.c (ecc_mod_zero_p): New function. * ecc-curve25519.c (ecc_curve25519_zero_p): Use it. * ecc-curve448.c (ecc_curve448_zero_p): Deleted, usage replaced with ecc_mod_zero_p. * testsuite/ecc-modinv-test.c (mod_eq_p): Rewritten to use ecc_mod_zero_p, and require that one input is canonically reduced. (zero_p): Deleted, usage replaced with ecc_mod_zero_p. 2021-10-23 Niels Möller * gmp-glue.c (sec_zero_p): New function. * ecc-curve25519.c (ecc_curve25519_zero_p): Use it. * ecc-curve448.c (ecc_curve448_zero_p): Use it. * ecc-random.c (ecdsa_in_range): Use it. (zero_p): Delete static function. 2021-10-22 Niels Möller * ecc-secp256r1.c: Rework ad-hoc reduction functions. In particular, arranged to always use single-limb quotients, no q2 quotient carry. (ecc_secp256r1_modp): Reimplemented, closer to 2/1 division, (ecc_secp256r1_modq): Reimplemented, closer to divappr2 division. 2021-10-06 Niels Möller * testsuite/ecc-mod-test.c: Extend tests to give better coverage of corner cases, with input close to a multiple of the modulo. 2021-09-21 Niels Möller * Makefile.in (nettle.pdf): Generate pdf manual using texi2pdf, rather than texi2dvi + dvips + ps2pdf, which makes hyperlinks work better. * nettle.texinfo: Delete explicit node pointers in nettle.texinfo Instead, rely on makeinfo's automatic pointer creation. (Cipher functions): Split into nodes, with proper menu. 2021-09-14 Niels Möller * cbc.h (cbc_aes128_encrypt, cbc_aes192_encrypt) (cbc_aes256_encrypt): Change interface, take cipher context pointer and iv as separate arguments. Update C and x86_64 implementations and corresponding glue code. * testsuite/testutils.c (test_aead): Test encrypt/decrypt with message split into pieces. 2021-09-12 Niels Möller * Merged CBC-AES changes into master branch. 2021-09-09 Niels Möller Implementation of CBC-AES for x86_64 aesni. Roughly 40%-50% speedup benchmarked on Ryzen 5. * x86_64/aesni/cbc-aes128-encrypt.asm: New file. * x86_64/aesni/cbc-aes192-encrypt.asm: New file. * x86_64/aesni/cbc-aes256-encrypt.asm: New file. * x86_64/fat/cbc-aes128-encrypt-2.asm: New file. * x86_64/fat/cbc-aes192-encrypt-2.asm: New file. * x86_64/fat/cbc-aes256-encrypt-2.asm: New file. * configure.ac (asm_nettle_optional_list, asm_replace_list): Add new asm files. * fat-setup.h (cbc_aes128_encrypt_func, cbc_aes192_encrypt_func) (cbc_aes256_encrypt_func): New typedefs. * fat-x86_64.c (fat_init): Use new functions, when aesni is available 2021-09-08 Niels Möller * cbc-aes128-encrypt.c (nettle_cbc_aes128_encrypt): New file and function. * cbc-aes192-encrypt.c (cbc_aes192_set_encrypt_key): New file. * cbc-aes256-encrypt.c (cbc_aes256_set_encrypt_key): New file. * cbc.h (cbc_aes128_ctx, struct cbc_aes192_ctx, cbc_aes256_ctx): New context structs. Declare new functions. * Makefile.in (nettle_SOURCES): Add new files. * nettle-internal.c (nettle_cbc_aes128, nettle_cbc_aes192) (nettle_cbc_aes256): New algorithm structs, for tests and benchmarking. * testsuite/testutils.c (test_aead): Skip tests of decryption and authentication, if corresponding function pointers are NULL. * testsuite/cbc-test.c (test_main): Add tests of new cbc functions. * examples/nettle-benchmark.c (time_aead): Skip decrypt benchmark, if corresponding function pointer is NULL. 2021-09-09 Niels Möller * x86_64/fat/cpuid.asm: Fix usage of W64_ENTRY and W64_EXIT, to make fat builds work on 64-bit windows. 2021-08-16 Niels Möller S390x functions for sha1, sha256 and sha512, from Mamone Tarsha: * s390x/msa/sha1-compress.asm: New file. * s390x/msa_x1/sha256-compress.asm: Likewise. * s390x/msa_x2/sha512-compress.asm: Likewise. * s390x/fat/sha1-compress-2.asm: Likewise. * s390x/fat/sha256-compress-2.asm: Likewise. * s390x/fat/sha512-compress-2.asm: Likewise. * fat-s390x.c: Update fat setup. * Makefile.in (distdir): Add s390x/msa_x1. 2021-08-10 Niels Möller * x86_64/aesni/aes128-encrypt.asm: New file, with 2-way loop. * x86_64/aesni/aes128-decrypt.asm: Likewise. * x86_64/aesni/aes192-encrypt.asm: Likewise. * x86_64/aesni/aes192-decrypt.asm: Likewise. * x86_64/aesni/aes256-encrypt.asm: Likewise. * x86_64/aesni/aes256-decrypt.asm: Likewise. * x86_64/aesni/aes-encrypt-internal.asm: Deleted. * x86_64/aesni/aes-decrypt-internal.asm: Deleted. * x86_64/fat/: Corresponding new and deleted files. * fat-x86_64.c: Update fat setup accordingly. 2021-08-09 Niels Möller Arm64 AES functions, from Mamone Tarsha: * arm64/crypto/aes128-decrypt.asm: New file. * arm64/crypto/aes128-encrypt.asm: New file. * arm64/crypto/aes192-decrypt.asm: New file. * arm64/crypto/aes192-encrypt.asm: New file. * arm64/crypto/aes256-decrypt.asm: New file. * arm64/crypto/aes256-encrypt.asm: New file. * arm64/fat/aes128-decrypt-2.asm: New file. * arm64/fat/aes128-encrypt-2.asm: New file. * arm64/fat/aes192-decrypt-2.asm: New file. * arm64/fat/aes192-encrypt-2.asm: New file. * arm64/fat/aes256-decrypt-2.asm: New file. * arm64/fat/aes256-encrypt-2.asm: New file. * configure.ac: Add aes to arm64 FAT_TEST_LIST. * fat-arm64.c: Update fat setup. 2021-08-06 Niels Möller S390x xor functions, from Mamone Tarsha: * configure.ac: New configure option --enable-s390x-vf. * fat-s390x.c: Fat setup for memxor3. * s390x/vf/memxor3.asm: New file. * s390x/memxor.asm: New file. * s390x/machine.m4 (XOR_LEN): New macro. * s390x/fat/memxor3-2.asm: New file. 2021-07-24 Niels Möller Merged s390x code. GCM and fat build support for s390x, contributed by Mamone Tarsha: * s390x/machine.m4: New file. * s390x/msa_x4/gcm-hash.asm: New file. * fat-s390x.c: New file. * s390x/fat/cpu-facility.asm: New file. * s390x/fat/: New wrapper files for aes and gcm assembly. 2021-07-21 Niels Möller * Makefile.in (OPT_SOURCES): Add fat-s390x.c. 2021-05-09 Niels Möller Implementation of AES using s390x "message security assist" extensions. Contributed by Mamone Tarsha: * s390x/msa_x1/aes128-decrypt.asm: New file. * s390x/msa_x1/aes128-encrypt.asm: New file. * s390x/msa_x1/aes128-set-decrypt-key.asm: New file. * s390x/msa_x1/aes128-set-encrypt-key.asm: New file. * s390x/msa_x2/aes192-decrypt.asm: New file. * s390x/msa_x2/aes192-encrypt.asm: New file. * s390x/msa_x2/aes192-set-decrypt-key.asm: New file. * s390x/msa_x2/aes192-set-encrypt-key.asm: New file. * s390x/msa_x2/aes256-decrypt.asm: New file. * s390x/msa_x2/aes256-encrypt.asm: New file. * s390x/msa_x2/aes256-set-decrypt-key.asm: New file. * s390x/msa_x2/aes256-set-encrypt-key.asm: New file. * configure.ac: Renamed option to --enable-s390x-msa. Enables both mas_x1 and msa_x2. (asm_replace_list): Add more aes files. * Makefile.in (distdir): Add s390x/msa_x1 s390x/msa_x2 directories. 2021-04-01 Niels Möller Move aes128_encrypt and similar functions to their own files. To make it easier for assembly implementations to override specific AES variants. * aes-decrypt.c: Split file, keep only legacy function aes_decrypt here. * aes-decrypt-table.c (_nettle_aes_decrypt_table): New file, moved table here. * aes128-decrypt.c (aes128_decrypt): New file, moved function here. * aes192-decrypt.c (aes192_decrypt): New file, moved function here. * aes256-decrypt.c (aes256_decrypt): New file, moved function here. * aes-encrypt.c: Split file, keep only legacy function aes_encrypt here. * aes128-encrypt.c (aes128_encrypt): New file, moved function here. * aes192-encrypt.c (aes192_encrypt): New file, moved function here. * aes256-encrypt.c (aes256_encrypt): New file, moved function here. * Makefile.in (nettle_SOURCES): Add new files. 2021-03-28 Niels Möller Initial config for s390x, contributed by Mamone Tarsha. * configure.ac: Add flag --enable-s390x-msa-x1. Add ABI check for s390x, and setup asm_path. * Makefile.in (distdir): Add s390x directory. * s390x/README: New file 2021-07-08 Niels Möller * configure.ac (FAT_TEST_LIST): Add sha2 to aarch64 fat tests. From Mamone Tarsha: * arm64/fat/sha256-compress-2.asm: New file. * arm64/crypto/sha256-compress.asm: New file. * fat-arm64.c: Add setup for nettle_sha1_compress. 2021-06-30 Niels Möller * configure.ac (FAT_TEST_LIST): Add sha1 to aarch64 fat tests. From Mamone Tarsha: * fat-arm64.c: Add setup for nettle_sha1_compress. * arm64/fat/sha1-compress-2.asm: New file. 2021-06-01 Niels Möller From Mamone Tarsha: * arm64/crypto/sha1-compress.asm: New file. 2021-05-17 Niels Möller Bug fixes merged from from 3.7.3 release (starting from 2021-05-06). * rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is in range. * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. * rsa-decrypt.c (rsa_decrypt): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n. 2021-05-14 Niels Möller * rsa-sign-tr.c (rsa_sec_blind): Delete mn argument. (_rsa_sec_compute_root_tr): Delete mn argument, instead require that input size matches key size. Rearrange use of temporary storage, to support in-place operation, x == m. Update all callers. * rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of input, for calling _rsa_sec_compute_root_tr. * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Test calling all of rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input. 2021-05-06 Niels Möller * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message length is valid, for given key size. * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for calls to rsa_sec_decrypt specifying a too large message length. 2021-05-23 Niels Möller From Nicolas Mora: Implement aes key wrap and key unwrap (RFC 3394). * nist-keywrap.c (bswap_if_le, nist_keywrap16, nist_keyunwrap16) (aes128_keywrap, aes192_keywrap, aes256_keywrap) (aes128_keyunwrap, aes192_keyunwrap, aes256_keyunwrap): New file, new functions. * nist-keywrap.h: New header file. * Makefile.in (nettle_SOURCES): Add nist-keywrap.c. (HEADERS): Add nist-keywrap.h. * testsuite/aes-keywrap-test.c (test_main): New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add aes-keywrap-test.c. 2021-04-13 Niels Möller * powerpc64/p8/aes-encrypt-internal.asm (SWAP_MASK): Change macro name to use all uppercase. * powerpc64/p8/aes-decrypt-internal.asm (SWAP_MASK): Likewise. 2021-04-11 Niels Möller * config.guess: Update to 2021-01-25 version, from savannah's config.git. Needed to recognize M1 Macs. * config.sub: Similarly update to 2021-03-10 version. 2021-03-24 Niels Möller * .gitlab-ci.yml: Add remote tests for s390x. 2021-03-22 Niels Möller Arm64 improvements, including fat build support. Contributed by Mamone Tarsha: * configure.ac (asm_path): Setup for arm64 fat builds. * fat-arm64.c: New file. * fat-arm64.c: New file. * arm64/fat/gcm-hash.asm: New file. * arm64/crypto/gcm-hash.asm: Improved docs. Use m4 macros rather than as macros. (LOAD_REV_PARTIAL_BLOCK): New macro. * arm64/README: Improved docs. 2021-03-21 Niels Möller * Released nettle-3.7.2 with ecc bug-fixes only. * NEWS: NEWS entries for 3.7.2. 2021-03-13 Niels Möller * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to compute the scalar used for ecc multiplication. * eddsa-hash.c (_eddsa_hash): Ensure result is canonically reduced. Two of the three call sites need that. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical to compute the scalars used for ecc multiplication. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to canonical range. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical to compute the scalars used for ecc multiplication. * testsuite/ecdsa-verify-test.c (test_main): Add test case that triggers an assert on 64-bit platforms, without above fix. * testsuite/ecdsa-sign-test.c (test_main): Test case generating the same signature. 2021-03-13 Niels Möller * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. 2021-03-11 Niels Möller * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): New functions. * ecc-internal.h: Declare and document new functions. * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. * ecc-j-to-a.c (ecc_j_to_a): Likewise. * ecc-mul-m.c (ecc_mul_m): Likewise. 2021-03-04 Niels Möller Merged initial arm64 code. 2021-02-03 Niels Möller * arm64/crypto/gcm-hash.asm: Renamed directory, moved file,... * arm64/v8/gcm-hash.asm: ... old name. 2021-02-02 Niels Möller * arm64/v8/gcm-hash.asm: Add ".arch armv8-a+crypto" directive. Supported by both GNU as and clang (the latter at least from version 3.9.1). * configure.ac: Don't add -march=armv8-a+crypto to CFLAGS. 2021-01-31 Niels Möller * arm64/v8/gcm-hash.asm: New file, contributed by Maamoun TK and Michael Weiser. * arm64/README: New file. Document endianness issues, contributed by Michael Weiser. 2021-02-17 Niels Möller * Released Nettle-3.7.1. 2021-02-15 Niels Möller * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted glue to openssl arcfour. (openssl_arcfour128_set_encrypt_key) (openssl_arcfour128_set_decrypt_key): Deleted. * nettle-internal.h: Deleted declaration. * examples/nettle-benchmark.c (aeads): Delete benchmarking. 2021-02-13 Niels Möller * configure.ac: Bump package version, to 3.7.1. (LIBNETTLE_MINOR): Bump minor number, to 8.2. (LIBHOGWEED_MINOR): Bump minor number, to 6.2. 2021-02-10 Niels Möller * chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case that counter increment should be 3 (129 <= message length <= 192). (_nettle_chacha_crypt32_4core): Likewise. * testsuite/chacha-test.c (test_chacha_rounds): New function, for tests with non-standard round count. Extracted from _test_chacha. (_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32 handling. When testing message prefixes of varying length, also encrypt the remainder of the message, to catch errors in counter value update. (test_main): Add a few tests with large messages (16 blocks, 1024 octets), to improve test coverage for _nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core. 2021-01-25 Niels Möller * arm/neon/salsa20-core-internal.asm: Deleted file. This ARM Neon implementation reportedly gave a speedup of 45% on Cortex A9, compared to the C implementation, when it was added back in 2013. That appears to no longer be the case with more recent processors and compilers. And it's even significantly slower than the C implementation on some platforms, including the Raspberry Pi 4. With the introduction of salsa20-2core.asm, performance of this function is also less important. * arm/neon/chacha-core-internal.asm: Deleted file, for analogous reasons. * arm/fat/salsa20-core-internal-2.asm: Deleted file. * arm/fat/chacha-core-internal-2.asm: Deleted file. * fat-arm.c (_nettle_salsa20_core, _nettle_chacha_core): Delete fat setup. 2021-01-31 Niels Möller New variants, contributed by Nicolas Mora. * pbkdf2-hmac-sha384.c (pbkdf2_hmac_sha384): New file and function. * pbkdf2-hmac-sha512.c (pbkdf2_hmac_sha512): New file and function. * testsuite/pbkdf2-test.c (test_main): Corresponding tests. 2021-01-20 Niels Möller * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Fix corner case with all-zero hash. Reported by Guido Vranken. * testsuite/ecdsa-verify-test.c: Add corresponding test case. 2021-01-10 Niels Möller * fat-ppc.c: Don't use __GLIBC_PREREQ in the same preprocessor conditional as defined(__GLIBC_PREREQ), but move to a nested #if conditional. Fixes compile error on OpenBSD/powerpc64, reported by Jasper Lievisse Adriaanse. 2021-01-04 Niels Möller * Released Nettle-3.7. 2020-12-27 Niels Möller * configure.ac: Enable fat build by default. 2020-12-26 Niels Möller * NEWS: News entries for Nettle-3.7. * Makefile.in (distdir): Distribute the README files in assembly directories. * configure.ac: Bump package version, to 3.7. (LIBNETTLE_MINOR): Bump minor number, to 8.1. (LIBHOGWEED_MINOR): Bump minor number, to 6.1. 2020-12-21 Niels Möller From Mamone Tarsha: * fat-ppc.c: Check glibc version, and use getauxval only when available. 2020-12-12 Niels Möller * powerpc64/p7/chacha-4core.asm: More interleaving of independent instructions, gives slight speedup on Power9. 2020-12-01 Niels Möller * powerpc64/p7/chacha-4core.asm: Use protected zone below stack pointer to save registers, without modifying the stack pointer. (QR): Instruction level interleaving in the main loop, written by Torbjörn Granlund. 2020-11-30 Niels Möller * m4-utils.m4 (m4_unquote): New macro, copied from GMP's mpn/asm-defs.m4. * chacha-crypt.c: (_nettle_chacha_crypt_4core) (_nettle_chacha_crypt32_4core): New functions. (_nettle_chacha_crypt_2core, _nettle_chacha_crypt32_2core): Deleted, no longer needed. * chacha-internal.h: Add prototypes for _nettle_chacha_4core and related functions. * configure.ac (asm_nettle_optional_list): Add chacha-4core.asm. * powerpc64/fat/chacha-4core.asm: New file. * powerpc64/p7/chacha-4core.asm: New file. * fat-ppc.c (fat_init): When altivec is available, use _nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core instead of _2core variants. * chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in handling of counter; this function should not propagate any carry. * aes-internal.h: Delete name mangling of internal symbols. Update all internal references to use _nettle prefix. * camellia-internal.h: Likewise. * chacha-internal.h: Likewise. * ctr-internal.h: Likewise. * dsa-internal.h: Likewise. * gost28147-internal.h: Likewise. * poly1305-internal.h: Likewise. * salsa20-internal.h: Likewise. * sha3-internal.h: Likewise. * umac-internal.h: Likewise. 2020-11-26 Niels Möller Enable powerpc64 gcm code in fat builds. Based on patch contributed by Mamone Tarsha: * powerpc64/fat/gcm-hash.asm: New file. * configure.ac: Add HAVE_NATIVE_fat_gcm_init_key and HAVE_NATIVE_fat_gcm_hash. * gcm.c (gcm_init_key): Renamed, to ... (_nettle_gcm_init_key_c): ... new name. Add fat setup conditionals. (gcm_hash): Renamed, to... (_nettle_gcm_hash_c): ... new name. Add fat setup conditionals. * fat-setup.h (gcm_init_key_func, gcm_hash_func): New typedefs. * fat-ppc.c: Select implementations of _nettle_gcm_init_key and _nettle_gcm_hash. * gcm-internal.h: New file. * Makefile.in (DISTFILES): Add gcm-internal.h. * powerpc64/p8/gcm-hash.asm: New file, contributed by Mamone Tarsha. Implements _nettle_gcm_init_key and _nettle_gcm_hash. 2020-11-28 Niels Möller * powerpc64/p7/chacha-2core.asm: Simplify counter carry handling using the vaddcuw instruction. Merge changes by Marco Bodrato and Torbjorn Granlund, from the gmp/mini-gmp copy of this file. * run-tests: Delete special handling of zero arguments. Update WINEPATH, instead of overwriting it. 2020-11-27 Niels Möller * aclocal.m4: Replace some calls to exit with return, since exit requires stdlib.h. Including patch contributed by Adrien Béraud. * testsuite/version-test.c: Include version.h. Patch contributed by Brian Smith. 2020-11-25 Niels Möller * powerpc64/p7/chacha-2core.asm: Add byte swapping of output, for big-endian builds. 2020-11-24 Niels Möller Enable ppc chacha_2core in fat builds. * configure.ac: Add HAVE_NATIVE_fat_chacha_2core. * chacha-crypt.c: Check HAVE_NATIVE_fat_chacha_2core. * chacha-internal.h (_chacha_crypt_2core, _chacha_crypt32_2core): Add declarations. * fat-ppc.c (fat_init): Use _nettle_chacha_crypt_2core and _nettle_chacha_crypt32_2core when altivec is available. * powerpc64/fat/chacha-2core.asm: New file, including p7 version. 2020-11-23 Niels Möller * powerpc64/p7/chacha-2core.asm: New file. * chacha-crypt.c (_chacha_crypt_2core, _chacha_crypt32_2core): New variants of chacha_crypt, using _chacha_2core to do two blocks at a time. * chacha-internal.h (_chacha_2core, _chacha_2core32): Add declarations. * configure.ac (asm_nettle_optional_list): Add chacha-2core.asm. 2020-11-14 Niels Möller * ecc-mod-inv.c (ecc_mod_inv): Use passed in scratch for all scratch needs, don't use memory after the result area. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Update invert call. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. * ecc-j-to-a.c (ecc_j_to_a): Likewise. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise. * curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise. * curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and reduce scratch need from 9*size to 5*size. * ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH) (ECC_EH_TO_A_ITCH): Update accordingly, but no change in total scratch need. 2020-11-13 Niels Möller * ecc-internal.h (ECC_J_TO_A_ITCH): Generalize, and take invert itch as an argument, similarly to ECC_EH_TO_A_ITCH. Updated all secp and gost curve definitions to use it. 2020-10-21 Niels Möller * ecc-secp384r1.c (ecc_secp384r1_inv): New function, modular inverse using powering. (_nettle_secp_384r1): Analogous updates. Increases signing performance roughly 15% on x86_64. 2020-10-20 Niels Möller * ecc-mod-inv.c (ecc_mod_inv_redc): Deleted, no longer needed. (ecc_mod_inv_destructive): Deleted, merged with ecc_mod_inv. * ecc-secp256r1.c (ecc_secp256r1_inv): New function, modular inverse using powering. (_nettle_secp_256r1): Analogous updates. Increases signing performance roughly 6% on x86_64. * ecc-secp224r1.c (ecc_secp224r1_inv): New function, modular inverse using powering. (_nettle_secp_224r1): Analogous updates. Increases signing performance roughly 17% on x86_64. 2020-10-19 Niels Möller * ecc-secp521r1.c (ecc_secp521r1_inv): New function, modular inverse using powering. (_nettle_secp_521r1): Analogous updates. Increases signing performance roughly 15% on x86_64. 2020-10-15 Niels Möller * ecc-secp192r1.c (ecc_secp192r1_inv): New function, modular inverse using powering. (_nettle_secp_192r1): Use it for p.invert, and also update h_to_a_itch. Increases signing performance roughly 25% on x86_64. * testsuite/ecc-modinv-test.c (test_modulo): Allow invert function to return a non-canonical representation. 2020-11-08 Niels Möller Merge refactoring of ecc modulo and reduce functions. * eddsa-sign.c (_eddsa_sign_itch): Update, since now point multiplication needs less scratch than point compression. * eddsa-pubkey.c (_eddsa_public_key_itch): Likewise. * ecc-internal.h: Update *_ITCH macros for point multiplication and signatures. They need slightly less scratch after optimization of the point addition functions. * ecc-mul-m.c (ecc_mul_m): Reduce scratch need. (ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap per iteration. * ecc-add-jja.c (ecc_add_jja): Reduce scratch need. * ecc-add-jjj.c (ecc_add_jjj): Reduce scratch need. * ecc-internal.h (ECC_ADD_JJA_ITCH, ECC_ADD_JJJ_ITCH): Now 5*size. (ECC_MUL_M_ITCH): New 8*size. 2020-11-06 Niels Möller After these changes, both curve25519 and curve448 need 4*size for invert and 6*size for sqrt. * ecc-curve448.c (ecc_mod_pow_446m224m1): Reduce scratch need. (ecc_curve448_inv): Likewise. (ecc_curve448_sqrt): Likewise. * ecc-curve25519.c (ecc_curve25519_sqrt): Reduce scratch need. * ecc-add-jja.c (ecc_add_jja): Delete an unneeded copy. 2020-11-05 Niels Möller * ecc-dup-jj.c (ecc_dup_jj): Reduce scratch need. * ecc-internal.h (ECC_DUP_JJ_ITCH): Now 4*size. 2020-11-03 Niels Möller * ecc-dup-eh.c (ecc_dup_eh): Reduce scratch need. * ecc-dup-th.c (ecc_dup_th): Analogous changes. * ecc-internal.h (ECC_DUP_EH_ITCH, ECC_DUP_TH_ITCH): Now 3*size. * ecc-internal.h (ecc_add_func): Document in-place operation. * ecc-mul-a-eh.c (ecc_mul_a_eh): Fix call to ecc->add_hhh accordingly. * testsuite/ecc-add-test.c (test_main): Likewise. * ecc-add-eh.c (ecc_add_eh): Reduce scratch need. * ecc-add-th.c (ecc_add_th): Analogous changes. * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need. * ecc-add-thh.c (ecc_add_thh): Analogous changes. * ecc-internal.h (ECC_ADD_EH_ITCH, ECC_ADD_EHH_ITCH) (ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): Now 4*size. 2020-11-02 Niels Möller * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need. (ecc_curve25519_inv): Likewise. (ecc_curve25519_sqrt): Likewise. 2020-11-01 Niels Möller * ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument for scratch area, reducing required size of result area. Update all callers to naïvely keep using result in scratch area. (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Simplified, also reducing required size of result area. * testsuite/testutils.c (test_ecc_point): Show curve bits on failure. 2020-10-31 Niels Möller * ecc-internal.h (typedef ecc_mod_func): Updated all assembly implementations. * testsuite/ecc-mod-test.c (test_one): Extend tests, to also test with different destination area. * testsuite/ecc-redc-test.c (test_main): Likewise. 2020-10-30 Niels Möller * ecc-internal.h (typedef ecc_mod_func): Add separate result argument. Updated all C implementations and callers. 2020-10-29 Niels Möller * ecc-mod.c (ecc_mod): More unified handling of final carry folding. Also eliminates a goto statement. 2020-11-07 Niels Möller Merged initial powerpc64 implementation of chacha. * configure.ac: New command line option --enable-power-altivec. Update asm_path logic, and add altivec to FAT_TEST_LIST. * fat-ppc.c (get_ppc_features): Add logic to check for altivec and vsx support, and select aither C or altivec implementation of chacha_core. * powerpc64/p7/chacha-core-internal.asm: New file. 2020-09-25 Niels Möller * powerpc64/p7/chacha-core-internal.asm: New file. * Makefile.in (distdir): Add powerpc64/p7. 2020-10-29 Niels Möller * blowfish.c (blowfish_set_key): Add casts to uint32_t. Avoids undefined behavior, since shifting an 8-bit value left by 24 bits overflows the range of signed int. Reported by Guido Vranken. 2020-10-28 Niels Möller * gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap, available from GMP version 6.1.0. Update all callers, in particular, mpn_cnd_add_n and mpn_cnd_sub_n has one more argument than the old functions. * gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap) [NETTLE_USE_MINI_GMP]: Fallback definitions or mini-gmp builds. 2020-10-14 Niels Möller * ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved functions here. * ecc-internal.h (ecc_mod_pow_2kp1): New macro, calling the more general ecc_mod_pow_2k_mul. * ecc-curve25519.c (ecc_mod_pow_2kp1): Deleted static function. * ecc-curve448.c (ecc_mod_pow_2k, ecc_mod_pow_2kp1): Deleted static functions. 2020-10-13 Niels Möller * ecc-mod-inv.c (ecc_mod_inv_destructive): New helper function, not preserving input argument. Extracted from old ecc_mod_inv. (ecc_mod_inv): Call ecc_mod_inv_destructive. (ecc_mod_inv_redc): New inversion function, with input and output in redc form. * ecc-secp224r1.c: Select between ecc_mod_inv and ecc_mod_inv_redc. * ecc-secp256r1.c: Likewise. * ecc-j-to-a.c (ecc_j_to_a): Simplify redc-related logic, taking advantage of ecc->p.invert handling redc, when appropriate. Reduce scratch need from 5n to 4n in the process (assuming inversion needs 2n). * testsuite/ecc-modinv-test.c (ref_modinv): Updated to do redc, if appropriate. 2020-09-25 Niels Möller * gcm.c (gcm_fill): Added separate implementations for big- and little-endian, to use uint64_t stores and less overhead. 2020-09-24 Niels Möller * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): Prefer to use register names. Can be tested by configuring with CC='gcc -Wa,-mregnames'. 2020-09-21 Niels Möller * m4-utils.m4: New file with m4 utilities, copied from GMP's mpn/asm-defs.m4. * Makefile.in (DISTFILES): Add m4-utils.m4. (%.asm): Include m4-utils.m4 for preprocessing of .asm files, and include config.m4 before machine.m4. * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): New configure test, adapted from corresponding test in GMP's acinlude.m4. * configure.ac (ASM_PPC_WANT_R_REGISTERS): New substituted variable. Set using GMP_ASM_POWERPC_R_REGISTERS, when powerpc64 assembly code is enabled. * config.m4.in: Substituted here. * powerpc64/machine.m4: Check ASM_PPC_WANT_R_REGISTERS, and if needed, replace register names like r0, r1, ... with integers. 2020-09-15 Niels Möller * Makefile.in (DISTFILES): Add missing file blowfish-internal.h. 2020-09-14 Niels Möller * asm.m4: Delete use of changequote, stick to the m4 default quoting characters `'. Updated all assembly and m4 files. * x86_64/machine.m4 (W64_ENTRY, W64_EXIT): Delete quoting workaround. 2020-09-12 Niels Möller * x86_64/salsa20-2core.asm: Fix incorrect W64_EXIT. 2020-08-29 Niels Möller Initial powerpc64 assembly support, contributed by Mamone Tarsha: * configure.ac: New configure option --enable-power-crypto-ext. (asm_path): Setup this and related variables for powerpc64. * powerpc64/machine.m4: New file. * powerpc64/README: New file. * powerpc64/p8/aes-encrypt-internal.asm: New file. * powerpc64/p8/aes-decrypt-internal.asm: New file. * powerpc64/fat/aes-encrypt-internal-2.asm: New file. * powerpc64/fat/aes-decrypt-internal-2.asm: New file. * fat-ppc.c: New file. * Makefile.in (OPT_SOURCES): Add fat-ppc.c. (distdir): Add powerpc64 directories. * aes-decrypt-internal.c (_nettle_aes_decrypt_c): Alternative name, for fat builds. * aes-encrypt-internal.c (_nettle_aes_encrypt_c): Likewise. 2020-07-28 Niels Möller * configure.ac (FAT_TEST_LIST): New substituted variable. Set for fat builds, otherwise empty. * Makefile.in (check-fat): New target, using $(FAT_TEST_LIST). 2020-07-13 Niels Möller * chacha-crypt.c (chacha_crypt) [HAVE_NATIVE_chacha_3core]: Use _chacha_3core. * arm/neon/chacha-3core.asm: New file, 3-way interleaving of chacha. 2020-07-11 Niels Möller * testsuite/chacha-test.c (test_main): Delete obsolete tests for chacha with 128-bit keys. #if:ed out since 2014-03-04, see below. (test_chacha_core): New function, test chacha with simple input structure. 2020-07-10 Niels Möller * x86_64/salsa20-2core.asm: New file. * x86_64/salsa20-crypt.asm: Deleted, since the 2core assembly is faster. 2020-07-08 Niels Möller Rearrange salsa20, enabling ARM fat builds to use sala20_2core. * salsa20-crypt-internal.c (_salsa20_crypt_2core) (_salsa20_crypt_1core): New file, new functions. One or the other is used for implementing salsa20_crypt and salsa20r12_crypt, depending on availability of salsa20_2core. * salsa20-crypt.c (salsa20_crypt): Call _salsa20_crypt. * salsa20r12-crypt.c (salsa20r12_crypt): Likewise. * salsa20-internal.h: Declare new internal functions. * Makefile.in (nettle_SOURCES): Add salsa20-crypt-internal.c. * fat-setup.h (salsa20_crypt_func): New typedef. * fat-arm.c (_salsa20_crypt): Select _salsa20_crypt implementation, use 2core version when Neon instructions are available. * arm/fat/salsa20-2core.asm: New file, including Neon implementation. Trigger configure's HAVE_NATIVE_fat_salsa20_2core, * configure.ac: Add HAVE_NATIVE_fat_salsa20_2core, to identify the case that salsa20_2core is defined, but runtime checks are needed to determine if it is usable. 2020-07-06 Niels Möller * testsuite/salsa20-test.c (test_salsa20_core): New function, test salsa20 with simple input structure. * configure.ac: Obey --enable-arm-neon=yes, even if not explicitly targetting ARM v6 or later. 2020-07-01 Niels Möller * testsuite/bcrypt-test.c: New file. Moved bcrypt tests here. Support for bcrypt, contributed by Stephen R. van den Berg. * blowfish-bcrypt.c (blowfish_bcrypt_hash) (blowfish_bcrypt_verify): New file, new functions. * blowfish-internal.h: New header file, declaring internals needed for bcrypt. * testsuite/blowfish-test.c: Add bcrypt tests. * nettle.texinfo (Cipher functions): Document bcrypt. 2020-06-30 Niels Möller * nettle.texinfo (Miscellaneous hash functions): New section, with Streebog documentation, contributed by Dmitry Baryshkov. (Top): Added some missing entries to the detailed node listing 2020-06-29 Niels Möller * .gitlab-ci.yml: Add cross tests for powerpc64le, based on patch by Maamoun TK. 2020-06-25 Niels Möller * x86_64/chacha-core-internal.asm (QROUND): Fix use of macro arguments. Spotted by Torbjörn Granlund. 2020-06-02 Niels Möller * examples/nettle-benchmark.c (main): Delete call to time_overhead. The attempt to measure function call overhead is not very useful or accurate. The benchmarking loop is optimized away by gcc-10, making the benchmark program hang. (bench_nothing, time_overhead): Deleted. 2020-04-29 Niels Möller * Released Nettle-3.6. 2020-04-27 Niels Möller * configure.ac: Tweak gcc command line options. Delete checks for older gcc versions. Add -Wno-sign-compare, since warnings for signed/unsigned comparisons adds a lot of noise, in particular when building mini-gmp. * mini-gmp.c: Updated mini-gmp from the gmp repository, latest change from 2020-04-20. * mini-gmp.h: Likewise. 2020-04-25 Niels Möller * gmp-glue.c (mpz_limbs_read, mpz_limbs_write, mpz_limbs_modify) (mpz_limbs_finish, mpz_roinit_n): Delete compatibility definitions. These functions available in GMP since version 6.0.0. * gmp-glue.h: Delete corresponding declarations, and preprocessor conditions. * configure.ac: Update required version of GMP to 6.1.0, needed for mpn_zero_p. * ecc-ecdsa-verify.c (zero_p): Deleted static function, usage replaced with mpn_zero_p. * testsuite/testutils.c (mpn_zero_p): Delete conditional definition. * testsuite/testutils.h: Delete corresponding declarations. * Makefile.in (DISTFILES): Add poly1305-internal.h. * testsuite/Makefile.in (DISTFILES): Delete setup-env. 2020-04-23 Niels Möller * run-tests: Set WINEPATH, since it appears wine doesn't search for dlls in the unix PATH. * examples/setup-env: Delete creation of extra dll symlinks. * examples/teardown-env: Delete corresponding cleanup. * testsuite/setup-env: Deleted file (same symlink creation). * testsuite/teardown-env: Delete corresponding cleanup. * testsuite/ecc-add-test.c (test_main): Delete ASSERTs with functions pointer comparisons. They provide little value, and fail when linking with hogweed.dll on windows. * testsuite/ecc-dup-test.c (test_main): Likewise. 2020-04-22 Niels Möller * testsuite/Makefile.in: Use pattern rules for test executables, replacing... (test-rules): ...deleted rule. * testsuite/.test-rules.make: Deleted file. 2020-04-21 Niels Möller From Dmitry Baryshkov: * gostdsa-vko.c (gostdsa_vko): New file and function. * testsuite/gostdsa-vko-test.c (test_vko): New test. * nettle.texinfo (GOSTDSA): Document it. 2020-04-19 Niels Möller From Dmitry Baryshkov: * gosthash94.h (struct gosthash94_ctx): Rearrange struct to enable use of MD_UPDATE macro, in particular, replacing byte count with block count and index. Also move buffer last, for consistency with other hash functions. * gosthash94.c (gosthash94_update_int): Use MD_UPDATE macro. (gosthash94_write_digest): Update for block count rather than byte count. 2020-04-17 Niels Möller * configure.ac (LIBNETTLE_MAJOR): Increase libnettle version number to 8.0, for move of internal poly1305 functions. (LIBNETTLE_MINOR): Reset to zero. 2020-04-15 Niels Möller From Dmitry Baryshkov: * poly1305.h (poly1305_set_key, poly1305_digest, _poly1305_block): Removed declarations from this public header file. * poly1305-internal.h: New file, with declarations of internal poly1305 functions. (_poly1305_set_key, _poly1305_digest): Renamed, with leading underscore. Updated definitions and all uses. 2020-04-12 Niels Möller * Makefile.in (DISTFILES): Reorder to ensure that generated des headers can't be older than desdata.stamp. * testsuite/ed448-test.c: Define _GNU_SOURCE, for getline with gcc -std=c89. 2020-04-06 Niels Möller * configure.ac (LIBHOGWEED_MAJOR): Increase libhogweed version number to 6.0, at request of Gnutls team. (LIBHOGWEED_MINOR): Reset to zero. 2020-04-01 Niels Möller * config.guess: Update to 2020-01-01 version, from savannah's config.git. * config.sub: Likewise. 2020-03-31 Niels Möller * aclocal.m4 (LSH_TYPE_SOCKLEN_T, LSH_CHECK_KRB_LIB, LSH_LIB_ARGP) (LSH_MAKE_CONDITIONAL): Delete unused macros. * config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables. * run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and related member variables. * testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR to the run-tests script, and leave setting of LD_LIBRARY_PATH and related variables to that script. * examples/Makefile.in (check): Likewise. 2020-03-26 Niels Möller * configure.ac: Bump package version to 3.6. (LIBNETTLE_MINOR): Bump minor number, now 7.1. (LIBHOGWEED_MINOR): Bump minor numbers, now 5.1 2020-03-14 Niels Möller From H.J. Lu: * configure.ac (ASM_X86_ENDBR, ASM_X86_MARK_CET_ALIGN): New substituted variables. * config.m4.in: Substituted here. Add ASM_X86_MARK_CET to diversion inserted at end of assembly files. * asm.m4 (PROLOGUE): Add ASM_X86_ENDBR at entry point. 2020-03-09 Niels Möller From Daiki Ueno: * chacha-crypt.c (chacha_crypt32): New function. * chacha-set-nonce.c (chacha_set_counter, chacha_set_counter32): New functions. * chacha.h (CHACHA_COUNTER_SIZE, CHACHA_COUNTER32_SIZE): New constants. * chacha-poly1305.c (chacha_poly1305_encrypt) (chacha_poly1305_decrypt): Use chacha_crypt32. * testsuite/chacha-test.c: Update tests to use new functions. * nettle.texinfo: Document new chacha functions, and update out-of-date chacha-poly1305 documentation. 2020-03-08 Niels Möller From Dmitry Baryshkov: * cmac-des3-meta.c (nettle_cmac_des): New file, moving definition from... * testsuite/cmac-test.c: ... old location. * nettle-meta.h (nettle_cmac_des): Declare it. 2020-02-15 Niels Möller From Dmitry Baryshkov: * ecc-internal.h (ecc_modq_add, ecc_modq_mul, ecc_modp_sqr) (ecc_modp_mul, ecc_mod_submul_1, ecc_modp_mul_1, ecc_modp_add) (ecc_modp_sub): Deleted macros. Updated callers to use respective functions instead. (ecc_modp_addmul_1): Delete unused macro. 2020-02-09 Niels Möller Addition of struct nettle_mac based on patches by Daiki Ueno. * nettle-meta-macs.c (nettle_get_macs): New file, new function. * testsuite/meta-mac-test.c: New test. * nettle-meta.h (_NETTLE_HMAC): New macro. (nettle_hmac_md5, nettle_hmac_ripemd160, nettle_hmac_sha1) (nettle_hmac_sha224, nettle_hmac_sha256, nettle_hmac_sha384) (nettle_hmac_sha512): Declare. (struct nettle_mac): New public struct, * testsuite/testutils.h: ...moved from this file. * hmac-md5-meta.c: New file. * hmac-ripemd160-meta.c: Likewise. * hmac-sha1-meta.c: Likewise. * hmac-sha224-meta.c: Likewise. * hmac-sha256-meta.c: Likewise. * hmac-sha384-meta.c: Likewise. * hmac-sha512-meta.c: Likewise. * Makefile.in (nettle_SOURCES): Add new files. * testsuite/testutils.h (_NETTLE_HMAC): Delete unused version of this macro. * testsuite/testutils.c (test_mac): Allow testing with smaller digest size. * testsuite/hmac-test.c (test_main): Use test_mac for tests using key size == digest size. * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256): Moved to... * cmac-aes128-meta.c: New file. * cmac-aes256-meta.c: New file. * nettle-meta.h (struct nettle_mac): New public struct, * testsuite/testutils.h: ...moved from this file. 2020-02-06 Niels Möller From Dmitry Baryshkov: * gost28147.h: Deleted, move declarations to gost28147-internal.h. 2020-02-05 Niels Möller * configure.ac: On Solaris, link shared libraries with --shared rather than -G. For gcc, --shared is the proper way. For Solaris' proprietary cc, according to docs, it accepts --shared as an alias for -G since Oracle Solaris Studio 12.4, and it was made more gcc compatible in later versions. Since 12.4 was released in 2014, don't attempt to cater for older versions. 2020-01-26 Niels Möller * ecc-internal.h (struct ecc_curve): Delete g, the curve generator, since it was used only by tests. Update all curve instances. * eccdata.c (output_curve): Delete output of ecc_g. (output_point): Delete name argument, and update callers. * testsuite/testutils.c (ecc_ref): Table of reference points moved out of test_ecc_mul_a. Add generator to the list of points. (test_ecc_mul_a): Use ecc_ref table also for the n == 1 case. (test_ecc_ga, test_ecc_get_g, test_ecc_get_ga): New functions, using the tabulated generator. * testsuite/ecc-add-test.c: Use test_ecc_get_g, instead of accessing ecc->g. * testsuite/ecc-dup-test.c: Likewise. * testsuite/ecc-mul-a-test.c: Use test_ecc_get_ga and test_ecc_ga. Delete special case for n == 1. * testsuite/ecc-mul-g-test.c: Use test_ecc_ga. Support for GOST DSA, contributed by Dmitry Baryshkov. * gostdsa-verify.c (gostdsa_verify): New file and function. * gostdsa-sign.c (gostdsa_sign): New file and function. * ecc-gostdsa-verify.c (ecdsa_in_range, ecc_gostdsa_verify_itch) (ecc_gostdsa_verify): New file and functions. * ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign): New file and functions. * ecc-internal.h (ECC_GOSTDSA_SIGN_ITCH): New macro. * ecc-hash.c (gost_hash): New function. * testsuite/gostdsa-verify-test.c: New test. * testsuite/gostdsa-sign-test.c: New test. * testsuite/gostdsa-keygen-test.c: New test. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add new tests. Support for GOST gc256b and gc512a curves, contributed by Dmitry Baryshkov. * eccdata.c (ecc_curve_init): Add parameters for gost_gc256b and gost_gc512a. * ecc-gost-gc256b.c: New file, define _nettle_gost_gc256b. * ecc-gost-gc512a.c: New file, define _nettle_gost_gc512a. * Makefile.in: Add rules to generate ecc-gost-gc256b.h and ecc-gost-gc512a.h. (hogweed_SOURCES): Add ecc-gost-gc256b.c ecc-gost-gc512a.c. * examples/ecc-benchmark.c (curves): Add to list. * testsuite/testutils.c (ecc_curves): Add to list. (test_ecc_mul_a): Reference points for new curves. * NEWS: Started on entries for Nettle-3.6. 2020-01-25 Niels Möller * examples/hogweed-benchmark.c (bench_curve_init): Pass correct sizes to knuth_lfib_random. Patch contributed by Dmitry Baryshkov. 2020-01-15 Niels Möller * Makefile.in: Replace suffix rules by pattern rules. Move .asm rule above .c rule, since now the order of rules in the Makefile matters, rather than the order in the .SUFFIXES list. (aesdata, desdata, twofishdata, shadata, gcmdata, eccparams): Individual rules replaced by a pattern rule. (eccdata): Add explicit dependencies, to complement the pattern rule. * examples/Makefile.in: Replace suffix rules by pattern rules. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * config.make.in: Empty .SUFFIXES, to not accidentally use any suffix rules. * aclocal.m4 (DEP_INCLUDE): Delete substituted variable. * Makefile.in: Use the GNU make directive -include to include dependency .d files. Delete dependency files on make clean. * examples/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly. * tools/Makefile.in: Likewise. * configure.ac (dummy-dep-files): Delete these config commands. 2020-01-10 Niels Möller From Dmitry Eremin-Solenikov: Consistently rename ecc files and internal functions to include curve name rather than just number of bits. E.g., * ecc-256.c (nettle_ecc_256_redc): File and function renamed to... * ecc-secp256r1.c (_nettle_ecc_256_redc): ... new names. * eccdata.c (ecc_curve_init, main): Take curve name as input, not bit size. 2020-01-03 Niels Möller Add benchmarking of ed25519, ed448 and curve448. * examples/hogweed-benchmark.c: (struct eddsa_ctx): New struct. (bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify) (bench_eddsa_clear): New functions. (struct curve_ctx): New struct, generalizing struct curve25519_ctx. (bench_curve_init, bench_curve_mul_g, bench_curve_mul) (bench_curve_clear): New functions. (struct curve25519_ctx, bench_curve25519_mul_g) (bench_curve25519_mul, bench_curve25519): Deleted. (alg_list): Add eddsa and curve entries. (main): Delete call to bench_curve25519. 2020-01-02 Niels Möller * eddsa-internal.h (nettle_eddsa_dom_func): New typedef. (struct ecc_eddsa): Use function pointer to represent eddsa dom string. To avoid calling sha512_update with empty input for ed25519. * ed448-shake256.c (ed448_dom): New function, calling sha3_256_update with the magic dom prefix. (_nettle_ed448_shake256): Point to it. * ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function. * eddsa-sign.c (_eddsa_sign): Update to use dom function pointer. * eddsa-verify.c (_eddsa_verify): Likewise. * eddsa-internal.h (struct ecc_eddsa): Add magic dom string, needed for ed448. * ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string. * ed448-shake256.c (_nettle_ed448_shake256): New file and parameter struct. * eddsa-hash.c (_eddsa_hash): Add digest_size as input argument. Handle ed448 digests with two extra bytes. Update callers. * eddsa-verify.c (_eddsa_verify): Hash dom string. * eddsa-sign.c (_eddsa_sign_itch): Assert that _eddsa_compress_itch isn't too large. (_eddsa_sign): New argument k1, with the hash prefix. Add hashing of this prefix and the dom string. Update callers. Fix final reduction, it's different for ed25519, with q slightly larger than a power of two, and ed448, with q slightly smaller. * eddsa-pubkey.c (_eddsa_public_key_itch): Assert that _eddsa_compress_itch isn't too large. Implementation of ed448-shake256, based on patch by Daiki Ueno. * ed448-shake256-pubkey.c (ed448_shake256_public_key): New file and function. * ed448-shake256-sign.c (ed448_shake256_sign): New file and function. * ed448-shake256-verify.c (ed448_shake256_verify): New file and function. * Makefile.in (hogweed_SOURCES): Add new ed448 files. * testsuite/eddsa-verify-test.c (test_ed448): New function. (test_main): New ed448 tests. * testsuite/eddsa-sign-test.c (test_ed448_sign): New function. (test_main): New ed448 tests. * testsuite/ed448-test.c: New tests. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add ed448-test.c. * nettle.texinfo (Curve 25519 and Curve 448): Document ed448. 2020-01-01 Niels Möller * ecc-448.c (ecc_mod_pow_2kp1): New function. (ecc_mod_pow_446m224m1): Reduce scratch usage from 6*n to 5*n, at the cost of one copy operation. Also use ecc_mod_pow_2kp1 where applicable. (ECC_448_INV_ITCH): Reduce to 5*ECC_LIMB_SIZE. (ECC_448_SQRT_ITCH): Reduce to 9*ECC_LIMB_SIZE. * testsuite/eddsa-compress-test.c: Test also with curve448. 2019-12-30 Niels Möller Preparation for ed448, based on patch by Daiki Ueno. * eddsa-internal.h (struct ecc_eddsa): New struct for eddsa parameters. * ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct. * eddsa-expand.c (_eddsa_expand_key): Replace input struct nettle_hash with struct ecc_eddsa, and generalize for ed448. Update all callers. * eddsa-sign.c (_eddsa_sign): Likewise. * eddsa-verify.c (_eddsa_verify): Likewise. * eddsa-compress.c (_eddsa_compress): Store sign bit in most significant bit of last byte, as specified by RFC 8032. * eddsa-decompress.c (_eddsa_decompress): Corresponding update. Also generalize to support ed448, and make validity checks stricter. * testsuite/eddsa-sign-test.c (test_ed25519_sign): New function. (test_main): Use it. * testsuite/eddsa-verify-test.c (test_ed25519): New function. (test_main): Use it. 2019-12-28 Niels Möller * bignum.h: Drop unrelated include of nettle-meta.h. * pss.h: Include nettle-meta.h explicitly. * eddsa-internal.h: Likewise. 2019-12-25 Niels Möller Support for SHAKE256, based on patch by Daiki Ueno. * shake256.c (sha3_256_shake): New file and function. * Makefile.in (nettle_SOURCES): Add shake256.c. * testsuite/testutils.c (test_hash): Allow arbitrary digest size, if hash->digest_size == 0. * testsuite/shake.awk: New script to extract test vectors. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c. (DISTFILES): Add shake.awk. * nettle.texinfo (Recommended hash functions): Document SHAKE-256. * sha3.c (_sha3_pad): Generalized with an argument for the magic suffix defining the sha3 instance. * sha3-internal.h (_sha3_pad_hash): New macro, for SHA3 hashes. Updated all callers of _sha3_pad. (_sha3_pad_shake): New macro, using the SHAKE magic byte 0x1f. 2019-12-19 Niels Möller * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use add_hh rather than add_hhh. (table_init) [[ECC_MUL_A_EH_WBITS > 0]: Likewise. * ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]: Reduced from 13*n to 12*n. 2019-12-18 Niels Möller Rename add and dup functions for Edwards curves. * ecc-dup-th.c (ecc_dup_th): New file, move and rename ecc_dup_eh. * ecc-add-th.c (ecc_add_th): New file, move and rename ecc_add_eh. * ecc-add-thh.c (ecc_add_thh): New file, move and rename ecc_add_ehh. * ecc-dup-eh.c (ecc_dup_eh_untwisted): Rename to just ecc_dup_eh. * ecc-add-eh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_eh. * ecc-add-ehh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_ehh. * ecc-internal.h (ecc_dup_th, ecc_add_th, ecc_add_thh): Declare new functions, delete declarations of ecc_*_untwisted variants. (ECC_DUP_TH_ITCH, ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): New macros. * ecc-25519.c (_nettle_curve25519): Update, use ecc_dup_th and friends. * ecc-448.c (_nettle_curve448): Update for rename, without _untwisted suffix. * Makefile.in (hogweed_SOURCES): Added ecc-dup-th.c, ecc-add-th.c, and ecc-add-thh.c * testsuite/ecc-dup-test.c (test_main): Update asserts. * testsuite/ecc-add-test.c (test_main): Likewise. * eddsa-verify.c (_eddsa_verify): Use function pointer rather than calling ecc_add_eh directly. Preparation for eddsa over curve448. 2019-12-17 Niels Möller * examples/ecc-benchmark.c (bench_dup_hh): Rename, and use ecc->dup pointer. (bench_dup_jj): ... old name. (bench_add_hh): Rename, and use ecc->addd_hh pointer. (bench_add_jja): ... old name. (bench_dup_eh, bench_add_eh): Deleted. (bench_curve): Update, and delete curve25519 special case. (main): Update table headers accordingly. 2019-12-15 Niels Möller * ecc-dup-eh.c (ecc_dup_eh): Eliminate one unneeded ecc_modp_add. 2019-12-14 Niels Möller * ecc-mul-m.c (ecc_mul_m): New file and function. Implements multipliction for curves in Montgomery representation, as used for curve25519 and curve448. Extracted from curve25519_mul. * ecc-internal.h (ecc_mul_m): Declare. (ECC_MUL_M_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c. * curve25519-mul.c (curve25519_mul): Use ecc_mul_m. * curve448-mul.c (curve448_mul): Likewise. 2019-12-13 Niels Möller * Merge curve448 implementation. 2019-12-09 Niels Möller * ecc-internal.h: Revert itch macro changes. We now have h_to_a_itch <= mul_itch, mul_g_itch. Add asserts at a few places relying on this. (ECC_ECDSA_KEYGEN_ITCH, ECC_MAX): Delete macros. (ECC_ECDSA_SIGN_ITCH): Revert previous change. * ecc-448.c (ecc_mod_pow_446m224m1): Reduce scratch space from 9*n to 6*n. (ECC_448_INV_ITCH, ECC_448_SQRT_ITCH): Reduce accordingly. * curve448-mul.c (curve448_mul): Reduce allocation from 14*n to 12*n. 2019-12-08 Niels Möller * x86_64/ecc-curve448-modp.asm (nettle_ecc_curve448_modp): New assembly function. * ecc-448.c (ecc_448_modp) [HAVE_NATIVE_ecc_curve448_modp]: Use native nettle_ecc_curve448_modp if available. * configure.ac (asm_hogweed_optional_list): Add ecc-curve448-modp.asm. (HAVE_NATIVE_ecc_curve448_modp): New config.h define. 2019-12-03 Niels Möller * ecc-448.c (ecc_448_modp) [GMP_NUMB_BITS == 64]: New function. 2019-12-01 Niels Möller Curve 448 support contributed by Daiki Ueno. * eccdata.c (enum ecc_type): Add ECC_TYPE_EDWARDS. (ecc_add): Support untwisted edwards curves. (ecc_curve_init): Add curve448 parameters. * ecc-internal.h (ECC_ECDSA_KEYGEN_ITCH): New macro. (ECC_ECDSA_SIGN_ITCH): Increased from 12*size to 13*size. (ECC_MAX): New macro. * ecc-448.c: New file. (ecc_mod_pow_2k, ecc_mod_pow_446m224m1, ecc_448_inv) (ecc_448_zero_p, ecc_448_sqrt): New functions. (_nettle_curve448): New curve definition. * curve448.h (CURVE448_SIZE): New constant. (curve448_mul_g, curve448_mul): Declare new public functions. * ecc-eh-to-a.c (ecc_eh_to_a): Update assert to allow the curve448 Edwards curve. * curve448-mul.c (curve448_mul): New file and function. * curve448-mul-g.c (curve448_mul_g): New file and function. * curve448-eh-to-x.c (curve448_eh_to_x): New file and function. * ecc-dup-eh.c (ecc_dup_eh_untwisted): New function. * ecc-add-ehh.c (ecc_add_ehh_untwisted): New function. * ecc-add-eh.c (ecc_add_eh_untwisted): New function. * ecc-point.c (ecc_point_set): Add point validation for curve448. * ecc-point-mul.c (ecc_point_mul): Allow h_to_a_itch larger than mul_itch. * ecc-point-mul-g.c (ecc_point_mul_g): Allow h_to_a_itch larger than mul_g_itch. Switch from TMP_DECL/_ALLOC/_FREE to gmp_alloc_limbs/gmp_free_limbs. * ecdsa-keygen.c (ecdsa_generate_keypair): Use ECC_ECDSA_KEYGEN_ITCH. * Makefile.in (hogweed_SOURCES): Add ecc-448.c, curve448-mul-g.c, curve448-mul.c, and curve448-eh-to-x.c. (HEADERS): Add curve448.h. (ecc-448.h): New generated file. * testsuite/testutils.c (ecc_curves): Add _nettle_curve448 to list of tested curves. (test_ecc_mul_a): Add curve448. * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add curve448 support. * testsuite/ecdh-test.c (test_main): Add tests for (non-standard) curve448 diffie-hellman. * testsuite/ecc-add-test.c (test_main): Update for testing of curve448. * testsuite/ecc-dup-test.c (test_main): Likewise. * testsuite/ecc-mul-a-test.c (test_main): Likewise. Also increase scratch allocation for h_to_a_itch. * testsuite/ecc-mul-g-test.c (test_main): Likewise. * testsuite/curve448-dh-test.c: Test for curve448. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add curve448-dh-test.c. * examples/ecc-benchmark.c: Add curve448 to list of benchmarked curves. * nettle.texinfo (Curve 25519 and Curve 448): Add docs. 2019-12-07 Niels Möller * ecc-eh-to-a.c (ecc_eh_to_a): Require op == 0, delete code only used for non-standard ecdsa over curve25519. * testsuite/ecdsa-sign-test.c (test_main): Delete test of ecdsa over curve25519. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * testsuite/ecdsa-keygen-test.c (test_main): Exclude curve25519 from test. 2019-12-05 Niels Möller * configure.ac: Use AC_TRY_LINK rather than AC_TRY_COMPILE to check for __builtin_bswap64. Since calling an non-existing function typically results in a warning only at compile time, but fails at link time. Patch contributed by by George Koehler. 2019-12-04 Niels Möller * testsuite/testutils.c (test_cipher_cfb8): Add cast of size_t to unsigned long for argument to fprintf. 2019-11-21 Niels Möller * eccdata.c (ecc_curve_init_str): Delete unused t and d arguments. Related to the the edwards_root member of struct ecc_curve, which was used by ecc_a_to_eh before it was deleted, see 2014-09-17 entry below. (ecc_curve_init): Delete corresponding curve25519 constants, and NULL arguments passed for the other curves. * Merge curve448 preparations, from September 2017. 2017-09-23 Niels Möller * eccdata.c: Reorganize curve25519 precomputation to work directly with the twisted Edwards curve, with new point addition based on a patch from Daiki Ueno. * ecc-25519.c (_nettle_curve25519): Update for removed Montgomery curve constant. * ecc-internal.h (struct ecc_curve): Delete unused pointer edwards_root. Update all instances. * eccdata.c (output_curve): Don't output it. * testsuite/ecc-add-test.c (test_main): Reduce test duplication. Use ecc->add_hhh_itch. * testsuite/ecc-dup-test.c (test_main): Reduce test duplication. Use ecc->dup_itch. 2017-09-23 Daiki Ueno * ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of hard-coded value for curve25519. * eddsa-sign.c (_eddsa_sign): Likewise. * ecc-internal.h (ecc_dup_func): New typedef. (struct ecc_curve): New constants add_hh_itch and dup_itch, new function pointers add_hh and dup. * ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c, ecc-25519.c: Update accordingly. * ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers. * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh): Likewise. * testsuite/ecc-dup-test.c (test_main): Likewise. * testsuite/ecc-add-test.c (test_main): Likewise. 2019-10-01 Niels Möller * testsuite/testutils.c (test_cipher_cfb8): Reset destination area between tests. Encrypt/decrypt final partial block. From Daiki Ueno, fixing bug reported by Stephan Mueller: * cfb.c (cfb8_decrypt): Don't truncate output IV if input is shorter than block size. * testsuite/testutils.c (test_cipher_cfb8): Test splitting input into multiple calls to cfb8_encrypt and cfb8_decrypt. 2019-09-30 Niels Möller * testsuite/siv-test.c (test_cipher_siv): Fix out-of-bounds read. Trim allocation size for de_data, drop some uses of SIV_DIGEST_SIZE, call FAIL for unexpected returned values. (test_compare_results): Delete digest argument. 2019-09-15 Niels Möller From Dmitry Eremin-Solenikov: * gost28147.c (_gost28147_encrypt_block): New file, encrypt function and sbox tables moved here. * gosthash94.c: Update functions to take sbox array as argument. (gost_block_compress): Use _gost28147_encrypt_block. (gosthash94cp_update,gosthash94cp_digest): New functions. * gost28147-internal.h: New file. * gost28147.h: New file. * gosthash94-meta.c (nettle_gosthash94cp): New hash algorithm. * nettle-meta-hashes.c (_nettle_hashes): Add nettle_gosthash94 and nettle_gosthash94cp. * hmac-gosthash94.c (hmac_gosthash94_set_key) (hmac_gosthash94_update, hmac_gosthash94_digest) (hmac_gosthash94cp_set_key, hmac_gosthash94cp_update) (hmac_gosthash94cp_digest): New file and functions. * pbkdf2-hmac-gosthash94.c (pbkdf2_hmac_gosthash94cp): New file and function. * testsuite/pbkdf2-test.c (test_main): Add pbkdf2-hmac-gosthash94cp tests. * testsuite/hmac-test.c (test_main): Add hmac-gosthash94 tests. * testsuite/gosthash94-test.c (test_main): Add gosthash94cp tests. * nettle.texinfo (Legacy hash functions): Document gosthash94cp. * testsuite/dlopen-test.c (main): Use libnettle.dylib on MacOS. 2019-07-08 Niels Möller * nettle-types.h (union nettle_block16): Mark w member as deprecated. * eax.c (block16_xor): Use uint64_t member of nettle_block16. * gcm.c (gcm_gf_add, gcm_gf_shift, gcm_gf_shift_8): Likewise. 2019-07-10 Niels Möller From Dmitry Eremin-Solenikov: * cmac64.c (_cmac64_block_mulx, cmac64_set_key, cmac64_init) (cmac64_update, cmac64_digest): New file, new functions. * cmac-des3.c (cmac_des3_set_key, cmac_des3_update) (cmac_des3_digest): New file, new functions. * cmac.h: Add cmac64 and cmac_des3 declarations. * Makefile.in (nettle_SOURCES): Add cmac64.c and cmac-des3.c. * testsuite/cmac-test.c (test_main): Add tests for cmac_des3. 2019-07-02 Niels Möller From Dmitry Eremin-Solenikov: * testsuite/testutils.c (test_mac): New function. * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256): New algorithm structs. (test_cmac_aes128, test_cmac_aes256): Use test_mac. 2019-06-06 Niels Möller Update for cmac changes, enabling const for the _message functions. * siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument, and use a local struct cmac128_ctx for message-specific state. (siv_cmac_set_key): Take a struct cmac128_key as argument. Updated callers. (siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const struct cmac128_key as argument. Updated callers. * siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key rather than struct cmac128_ctx. * siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message) (siv_cmac_aes256_decrypt_message): Likewise. * siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message) (siv_cmac_aes128_decrypt_message): The ctx argument made const. 2019-05-15 Niels Möller * siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE): New constants. * testsuite/siv-test.c: Simplify tests a little. * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1. * siv-cmac.c (_siv_s2v): Require non-empty nonce. * nettle.texinfo (SIV-CMAC): Update documentation. 2019-05-06 Niels Möller SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos: * siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants. (SIV_CMAC_CTX): New macro. (struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New context structs. * siv-cmac.c (_siv_s2v, siv_cmac_set_key) (siv_cmac_encrypt_message) (siv_cmac_decrypt_message): New file, new functions. * siv-cmac-aes128.c (siv_cmac_aes128_set_key) (siv_cmac_aes128_encrypt_message) (siv_cmac_aes128_decrypt_message): New file, new functions. * siv-cmac-aes256.c (siv_cmac_aes256_set_key) (siv_cmac_aes256_encrypt_message) (siv_cmac_aes256_decrypt_message): New file, new functions. * Makefile.in (nettle_SOURCES): Add siv-cmac source files. (HEADERS): Add siv-cmac.h. * testsuite/siv-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c * nettle.texinfo (SIV-CMAC): Documentation. 2019-04-30 Niels Möller Based on a patch contributed by Nikos Mavrogiannopoulos. * cmac.c (_cmac128_block_mulx): Renamed function... (block_mulx): ... from old name. * cmac-internal.h (_cmac128_block_mulx): New file, declare function. * Makefile.in (DISTFILES): Added cmac-internal.h. 2019-06-26 Niels Möller * Released nettle-3.5.1. * configure.ac: Update version number to 3.5.1. * Makefile.in (distdir): Add x86_64/sha_ni to list of distributed directories. * Released nettle-3.5. 2019-06-25 Niels Möller * config.sub: Update to 2019-05-23 version, from savannah's config.git. * config.guess: Update to 2019-06-10 version, from savannah's config.git. Adds recognition of mips R6 and riscv. 2019-06-05 Niels Möller Further separation of CMAC per-message state from the message-independent subkeys, analogous to the gcm implementation. * cmac.h (struct cmac128_ctx): Remove key, instead a struct cmac128_key should be passed separately to functions that need it. (CMAC128_CTX): Include both a struct cmac128_key and a struct cmac128_ctx. (CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly. * cmac.c (cmac128_set_key): Change argument type from cmac128_ctx to cmac128_key. Use a nettle_block16 for the constant zero block. (cmac128_init): New function, to initialize a cmac128_ctx. (cmac128_digest): Add cmac128_key argument. Move padding memset into the block handling a partial block. Call cmac128_init to reset state. 2019-06-01 Niels Möller * cmac.h (struct cmac128_key): New struct. * cmac.h (struct cmac128_ctx): Use struct cmac128_key. * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly. 2019-05-12 Niels Möller Delete old libdes/openssl compatibility interface. * des-compat.c: Delete file. * des-compat.h: Delete file. * testsuite/des-compat-test.c: Delete file. * nettle.texinfo (Compatibility functions): Delete mention in documentation. 2019-05-11 Niels Möller * NEWS: More updates for Nettle-3.5. 2019-04-27 Niels Möller From Simo Sorce: * x86_64/poly1305-internal.asm: Add missing EPILOGUE. * x86_64/serpent-decrypt.asm: Likewise. * x86_64/serpent-encrypt.asm: Likewise. 2019-04-14 Niels Möller * tools/nettle-pbkdf2.c (main): Check strdup return value. 2019-03-29 Niels Möller * aes.h (struct aes_ctx): Redefine using a union of key-size specific contexts. * aes-decrypt.c (aes_decrypt): Use switch on key_size. * aes-encrypt.c (aes_encrypt): Likewise. * aes-set-decrypt-key.c (aes_invert_key): Likewise. * aes-set-encrypt-key.c (aes_set_encrypt_key): Likewise. 2019-03-27 Niels Möller * xts.c (xts_shift): Arrange with a single write to u64[1]. * cmac.c (block_mulx): Rewrite to work in the same way as xts_shift, with 64-bit operations. XTS and CMAC use opposite endianness, but otherwise, these two functions are identical. 2019-03-24 Niels Möller From Simo Sorce: * xts.h: New file. * xts.c: New file. (BE_SHIFT): New macro. (xts_shift, check_length, xts_encrypt_message) (xts_decrypt_message): New functions. * xts-aes128.c (xts_aes128_set_encrypt_key) (xts_aes128_set_decrypt_key, xts_aes128_encrypt_message) (xts_aes128_decrypt_message): New file, new functions. * xts-aes256.c (xts_aes256_set_encrypt_key) (xts_aes256_set_decrypt_key, xts_aes256_encrypt_message) (xts_aes256_decrypt_message): New file, new functions. * nettle.texinfo (XTS): Document XTS mode. * Makefile.in (nettle_SOURCES): Add xts sourcce files. (HEADERS): New installed header xts.h. * testsuite/xts-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add xts-test.c. 2019-02-06 Niels Möller * gosthash94.h (struct gosthash94_ctx): Move block buffer last in struct. * md2.h (struct md2_ctx): Likewise. * md4.h (struct md4_ctx): Likewise. * md5.h (struct md5_ctx): Likewise. * ripemd160.h (struct ripemd160_ctx): Likewise. * sha1.h (struct sha1_ctx): Likewise. * sha2.h (struct sha256_ctx, struct sha512_ctx): Likewise. 2019-01-19 Niels Möller * examples/Makefile.in (TARGETS): Delete eratosthenes, left over from earlier change. * fat-arm.c: Fix declarations of chacha_core functions. From Yuriy M. Kaminskiy: * fat-setup.h (chacha_core_func): New typedef. * fat-arm.c (fat_init): Enable choice between _nettle_chacha_core_c and _nettle_chacha_core_neon. * configure.ac (asm_nettle_optional_list): Add chacha-core-internal-2.asm. * chacha-core-internal.c: Enable fat build with C and asm version. * arm/fat/chacha-core-internal-2.asm: New file. 2019-01-12 Niels Möller * examples/eratosthenes.c: Deleted program. * examples/Makefile.in: Delete rule to build and distribute it. 2019-01-10 Niels Möller * testsuite/rsa-compute-root-test.c (test_one): Use %u and corresponding cast, when printing bit sizes. 2019-01-09 Niels Möller * examples/nettle-benchmark.c (GET_CYCLE_COUNTER): Add volatile to inline asm. 2019-01-08 Niels Möller * sha512-compress.c: Add missing include of sha2-internal.h. 2019-01-06 Niels Möller * testsuite/rsa-compute-root-test.c (generate_keypair): Fix assert call with side-effects. 2019-01-06 Niels Möller * nettle-types.h: Don't use nettle-stdint.h, include directly. * nettle-write.h: Likewise. * configure.ac: Delete use of AX_CREATE_STDINT_H. * aclocal.m4 (AX_CREATE_STDINT_H): Delete. * Makefile.in (INSTALL_HEADERS, distclean-here): Delete mention of nettle-stdint.h. 2018-12-26 Niels Möller * examples/hogweed-benchmark.c (make_openssl_rsa_ctx): New helper function. Call openssl's RSA_generate_key_ex rather then the deprecated RSA_generate_key. (bench_openssl_rsa_init, bench_openssl_rsa_tr_init): Use it. * eccdata.c (ecc_pippenger_precompute): Check that table size is at least 2. Intended to silence warning from the clang static analyzer. * configure.ac: Bump package version to 3.5. (LIBNETTLE_MAJOR): Bump major number, now 7. (LIBHOGWEED_MAJOR): Bump major number, now 5. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Reset to zero. * pkcs1-internal.h: New header file, moved declarations of _pkcs1_sec_decrypt and _pkcs1_sec_decrypt_variable here. * rsa-internal.h: ... old location. * Makefile.in (DISTFILES): Added pkcs1-internal.h. * pkcs1-decrypt.c: Include new file. * pkcs1-sec-decrypt.c: Likewise. * rsa-decrypt-tr.c: Likewise. * rsa-sec-decrypt.c: Likewise. * testsuite/pkcs1-sec-decrypt-test.c: Likewise. * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for strdup with gcc -std=c89. * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for getline with gcc -std=c89. * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop. Reported by Andreas Gustafsson. * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise. 2018-12-04 Niels Möller * Released nettle-3.4.1. 2018-11-28 Niels Möller * configure.ac: Update GMP check. Check for the function mpn_sec_div_r, available since GMP-6.0.0. * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of decrypted storage. Update test of rsa_decrypt, to allow clobbering of all of the passed in message area. * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around _pkcs1_sec_decrypt_variable. Improves side-channel silence of the only caller, rsa_decrypt. * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make dist. Patch from Simo Sorce. * rsa-internal.h: Add include of rsa.h. 2018-11-27 Niels Möller * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New local helper functions, with their own itch functions. (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to use helpers, for clarity. 2018-11-26 Niels Möller * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify selection of psize and qsize, and fix so that qsize is used. (test_main): Add outer loop, to test with more than one key. Deallocate storage before exiting. 2018-11-25 Niels Möller * testsuite/rsa-compute-root-test.c: Renamed, from ... * testsuite/rsa-sec-compute-root-test.c: ... old name. * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ... * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location. * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from... (rsa_sec_compute_root_tr): ... old name. Updated callers. (cnd_mpn_zero): Use a volatile-declared mask variable. * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix masking of most significant bits. * rsa-decrypt-tr.c (rsa_decrypt_tr): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE. * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak valgrind marking, and document potential leakage of lowest and highest bits of p and q. * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to mpz_sizeinbase, since that potentially leaks most significant bits of private key parameters a and b. * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix valgrind marking of return value. Merged below changes from Simo Sorce, to make RSA private key operations side-channel silent. 2018-11-08 Simo Sorce * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use _rsa_sec_compute_root. * testsuite/rsa-sec-compute-root-test.c: Add more tests for new side-channel silent functions. * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn, since that is required for one of the GMP calls in _rsa_sec_compute_root. * rsa-decrypt-tr.c: Switch to use side-channel silent functions. * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private function. Variable size version for backwards compatibility. * testsuite/rsa-sec-decrypt-test.c: Adds more tests. * rsa-sec-decrypt.c (rsa_sec_decrypt): New function. Fixed length side-channel silent version of rsa-decrypt. * testsuite/rsa-encrypt-test.c: add tests for the new function. * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for _pkcs1_sec_decrypt. * gmp-glue.c (mpn_get_base256): New function. * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function. Fixed length side-channel silent version of pkcs1-decrypt. * cnd-memcpy.c (cnd_memcpy): New function. * memops.h: Declare it. * testsuite/cnd-memcpy-test.c: New test case. * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses _rsa_sec_compute_root, as well as side-channel silent RSA blinding. (rsa_compute_root_tr) Rewritten as a wrapper around rsa_sec_compute_root_tr. (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root) (cnd_mpn_zero): New helper functions. (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not side-channel silent wrapper around rsa_compute_root_tr, and the latter function left unchanged. * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch) (_rsa_sec_compute_root): New file, new private functions. Side-channel silent version of rsa_compute_root. * rsa-internal.h: New header file with declarations. * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro. 2018-11-24 Niels Möller * configure.ac: Bump package version to 3.4.1. (LIBNETTLE_MINOR): Bump library version to 6.5. (LIBHOGWEED_MINOR): Bump library version to 4.5. 2018-11-17 Niels Möller * examples/hogweed-benchmark.c (bench_rsa_verify) (bench_openssl_rsa_tr_init): New functions. (alg_list): Benchmark timing-resistant RSA functions, i.e., including RSA blinding. (main): Increase width of first column, here and in other printouts. 2018-10-10 Dmitry Eremin-Solenikov * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when processing more than on full block of size CTR_BUFFER_LIMIT, src and dst arguments to memxor3 were not properly updated. 2018-10-10 Niels Möller * aes-set-encrypt-key.c: Add missing include of stdlib.h. * des-compat.c: Likewise. 2018-09-13 Niels Möller * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and redundant check for p == q. 2018-08-09 Niels Möller * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with _NETTLE_ATTRIBUTE_DEPRECATED. * nettle-types.h (_NETTLE_ATTRIBUTE_PURE) (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and lookalikes. * ecc-curve.h: Include nettle-types.h, and use _NETTLE_ATTRIBUTE_PURE instead of local definition. * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit #ifdefs. * aes.h: Mark functions using struct aes_ctx interface as deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where the functions are implemented or tested. * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated. * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast between incompatible function types (which gcc-8 warns about). Wrappers are expected to compile to a single jmp instruction. * des-compat.c (des_compat_des3_encrypt) (des_compat_des3_decrypt): Change length argument type to size_t. 2018-08-08 Niels Möller * nettle.texinfo (Compatibility): New section on ABI and API compatibility. 2018-07-25 Dmitry Eremin-Solenikov * examples/nettle-benchmark.c: Add benchmarking for HMAC functions. 2018-07-13 Niels Möller * examples/eratosthenes.c (vector_alloc): Add assert related to overflow in the size calculation. Fixes a corner case identified by static analysis. (vector_init): Analogous assert. 2018-07-12 Niels Möller * examples/eratosthenes.c (main): Don't allocate bitmap storage for limit == 2 (early exit), closing memory leak at exit. (main): Fix handling of short -q option. * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui, to fix memory leak. (ecc_curve_clear): New function. (main): Call it, to deallocate storage before exit. 2018-07-08 Niels Möller * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress. * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name. * x86_64/fat/sha1-compress-2.asm: Likewise. 2018-07-07 Niels Möller From Nikos Mavrogiannopoulos. * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to public function, since there's known appliation usage (filezilla). * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor alias for the new name. * md5-compress.c (nettle_md5_compress): Similarly renamed (used by sogo). * md5.h (_nettle_md5_compress): Old name,, now a preprocessor alias for the new name. * chacha-internal.h, dsa-internal.h, eddsa-internal.h: * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h: * salsa20-internal.h, sha2-internal.h, sha3-internal.h: * umac-internal.h: Internal declarations moved to new header files, which are not installed.. * Makefile.in (DISTFILES): Added above files. * libnettle.map.in: Use a different symbol version for _nettle_* symbols, depending on the minor release. This marks these symbols explicitly not part of the public Nettle ABI. * libhogweed.map.in: Analogous change. 2018-06-17 Niels Möller * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed by Dmitry Eremin-Solenikov. * testsuite/symbols-test: Exclude ____chkstk_darwin symbols, produced by Apple's Xcode 10 compiler. Patch contributed by Dominyk Tiller. 2018-03-25 Niels Möller From Michael Weiser. * configure.ac (ASM_WORDS_BIGENDIAN): New substution, set from AC_C_BIGENDIAN. * config.m4.in: Use it to set WORDS_BIGENDIAN. * asm.m4 (IF_BE, IF_LE): New macros. * arm/memxor.asm: Support big-endian ARM. * arm/memxor3.asm: Likewise. * arm/neon/chacha-core-internal.asm: Likewise. * arm/neon/salsa20-core-internal.asm: Likewise. * arm/neon/umac-nh.asm: Likewise. * arm/v6/sha1-compress.asm: Likewise. * arm/v6/sha256-compress.asm: Likewise. * arm/README: Document big-endian considerations. 2018-03-17 Niels Möller Discourage direct access to data symbols with non-public size. Direct references to these symbols may result in copy-relocations like R_X86_64_COPY, which make the symbol size leak into the ABI. * ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1) (_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add leading underscore on these data symbols. * nettle-meta.h (_nettle_ciphers, _nettle_hashes, _nettle_aeads) (_nettle_armors): Add leading underscore on these data symbols. Update all internal use. Macros without leading underscore remain, and expand to access via accessor functions nettle_get_ciphers and similar. 2018-03-10 Niels Möller * eccdata.c (ecc_table_size): New helper function. (ecc_pippenger_precompute): Display warning for poor parameters. * eccparams.c (main): New program, to list parameter alternatives for Pippenger's algorithm. * Makefile.in: Tweak parameters for ecc tables. (ecc-192.h): Change parameters from k = 7, c = 6 to k = 8, c = 6. Reduces table size from 15 KB to 12 KB. Modest speedup, appr. 3% for ecdsa signatures. (ecc-224.h): Change parameters from k = 12, c = 6 to k = 16, c = 7. Table size unchanged (14 KB in 32-bit platforms, 18 KB on 64-bit platforms. Minor speedup, appr. 1% for ecdsa signatures. (ecc-256.h): Change parameters from k = 14, c = 6 to k = 11, c = 6. Table size unchanged, 16 KB. 14% speedup for ecdsa signatures. (ecc-384.h): Changed parameters from k = 41, c = 6 to k = 32, c = 6. Table size unchanged. 12% speedup for ecdsa signatures. (ecc-521.h): Changed parameters from k = 56, c = 6 to k 44, c = 6. Table size unchanged (17 KB on 32-bit platforms, 18 KB on 64-bit platforms). 15% speedup for ecdsa signatures. (ecc-255.h): Change parameters from k = 14, c = 6 to k = 11, c = 6. Table size unchanged, 16 KB. 24% speedup for eddsa signatures. 2018-03-14 Niels Möller Merge sha256 code using the x86_64 sha_ni instructions, starting 2018-02-21. 2018-03-11 Niels Möller * x86_64/fat/sha256-compress.asm: New file. * x86_64/fat/sha256-compress-2.asm: New file. * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or sha_ni version for sha256_compress. 2018-02-21 Niels Möller * x86_64/sha_ni/sha256-compress.asm: New implementation using sha_ni instructions. 2018-02-20 Niels Möller * testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly. 2018-02-19 Niels Möller Mostly aesthetic changes. Besides indentation: * cmac.h (struct cmac128): Rename, to cmac128_ctx. (CMAC128_CTX): Rename first member from data to ctx. * cmac.c: Use const void * as the type for cipher arguments. (block_mulx): Un-inline. (cmac128_set_key): Make a constant function local. * testsuite/cmac-test.c: Delete local typedefs. 2018-02-19 Nikos Mavrogiannopoulos Add support for CMAC. * cmac.h: New file. (struct cmac128): New struct. * cmac.c (block_mulx, cmac128_set_key, cmac128_update) (cmac128_digest): New file, new functions. * cmac-aes128.c (cmac_aes128_set_key, cmac_aes128_update) (cmac_aes128_digest): New file, new functions. * cmac-aes256.c (cmac_aes256_set_key, cmac_aes256_update) (cmac_aes256_digest): New file, new functions. * Makefile.in (nettle_SOURCES): Added cmac.c cmac-aes128.c cmac-aes256.c. (HEADERS): Added cmac.h. * testsuite/cmac-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add cmac-test.c. * examples/nettle-benchmark.c (time_cmac): New function. (main): Use it. * nettle.texinfo: Document CMAC. 2018-02-20 Niels Möller * testsuite/cbc-test.c (test_cbc_bulk): Use struct aes256_ctx, instead of the deprecated struct aes_ctx. * testsuite/cfb-test.c (test_cfb_bulk): Likewise. * examples/rsa-session.h (struct rsa_session): Likewise. * examples/rsa-encrypt.c (rsa_session_set_encrypt_key) (process_file): Use aes256_* functions. * examples/rsa-decrypt.c (rsa_session_set_decrypt_key) (process_file): Likewise. 2018-02-19 Niels Möller * nettle-internal.h: Include sha3.h, needed for the definition of NETTLE_MAX_HASH_CONTEXT_SIZE. (TMP_DECL_ALIGN, TMP_ALLOC_ALIGN): New macros, to support allocation of context structs with alignment requirements. [!HAVE_ALLOCA]: Also use assert, rather than calling abort directly. * pss.c (pss_encode_mgf1, pss_verify_mgf1): Use new macros. * pss-mgf1.c (pss_mgf1): Likewise. 2018-02-18 Niels Möller * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved pss-mgf1-test.c... (TS_HOGWEED_SOURCES): ...to here. Fixes link failure in builds without public-key support. 2018-02-18 Dmitry Eremin-Solenikov * examples/nettle-openssl.c): Move expressions with side effects out of asserts. 2018-02-17 Dmitry Eremin-Solenikov (openssl_evp_set_encrypt_key, openssl_evp_set_decrypt_key): Use EVP_CipherInit_ex. * examples/nettle-openssl.c (nettle_openssl_gcm_aes128) (nettle_openssl_gcm_aes192, nettle_openssl_gcm_aes256): New aead algorithms, for benchmarking purposes, and supporting wrapper functions. * nettle-internal.h: Corresponding declarations. * examples/nettle-benchmark.c (main): Include openssl's gcm aes in benchmark. 2018-02-16 Niels Möller * nettle.texinfo: Improved index entries. (Cipher functions): Update CAST128/CAST5 docs. Inconsistencies spotted by Henrik Rindlöw. 2018-02-10 Niels Möller * configure.ac: New configure option --enable-x86-sha-ni. 2018-02-07 Niels Möller * x86_64/fat/sha1-compress.asm: New file. * x86_64/fat/sha1-compress-2.asm: New file. * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or sha_ni version for sha1_compress. 2018-02-05 Niels Möller * x86_64/sha_ni/sha1-compress.asm: New implementation using sha_ni instructions. * fat-x86_64.c (get_x86_features): Check for sha_ni extension. * x86_64/fat/cpuid.asm: Clear %ecx input to cpuid instruction. 2018-02-01 Nikos Mavrogiannopoulos * gcm.c (gcm_fill): New function, for use with _ctr_crypt16. (gcm_encrypt, gcm_decrypt): Use _ctr_crypt16. 50% speedup of gcm_aes128, benchmarked on x86_64 with aesni instructions. 2018-02-01 Niels Möller Based on a patch contributed by Nikos Mavrogiannopoulos. * ctr16.c (_ctr_crypt16): New file, renamed and generalized function. New function pointer argument, used to fill a block with counter values. Use nettle_block16 * as the type for the buffer to be filled. Always process any final and partial block, and return no value. * ctr.c (ctr_crypt): ... previous, replaced, function. (ctr_fill16): Updated to new argument type. (ctr_crypt): Return immediately after using _ctr_crypt16. * ctr-internal.h: New file, declaring _ctr_crypt16. (nettle_fill16_func): New function typedef. * Makefile.in (nettle_SOURCES): Added ctr16.c. (DISTFILES): Added ctr-internal.h. 2018-01-30 Niels Möller * Makefile.in (clean-here): Don't delete desdata.stamp. 2018-01-24 Jay Foad * Makefile.in (TARGETS): Delete dependencies on aesdata, desdata, twofishdata, shadata and gcmdata. They are not needed for a normal build. (clean-here): Explicitly delete of above files. (desdata.stamp): New stamp target, to avoid building desdata twice in a parallell build. 2018-01-23 Niels Möller * configure.ac (asm_path): Recognize "x86", in addition to "i?86", for 32-bit x86 processors. Reportedly needed for x86 android builds. 2018-01-20 Niels Möller CFB8 support, contributed by Dmitry Eremin-Solenikov. * cfb.c (cfb8_encrypt, cfb8_decrypt): New functions. * cfb.h: Declare them. (CFB8_ENCRYPT, CFB8_DECRYPT): New macros. * testsuite/cfb-test.c: New tests for CFB8. * nettle.texinfo (CFB and CFB8): Documentation. 2018-01-16 Niels Möller * tools/pkcs1-conv.c (convert_file): Add missing break statements. 2018-01-09 Niels Möller * testsuite/testutils.c (test_cipher_ctr): Test operations with shorter sizes. * testsuite/ctr-test.c: Additional unofficial test vectors, to exercise carry propagation in the counter, and block size different from 16. 2018-01-08 Niels Möller * ctr.c (ctr_crypt16): New function, with optimizations specific to 16-byte block size. (ctr_fill16): New helper function, definition depending on WORDS_BIGENDIAN, and little endian version requiring HAVE_BUILTIN_BSWAP64. (ctr_crypt): Use ctr_crypt16, when appropriate. * nettle-types.h (union nettle_block16): Add uint64_t field. * configure.ac: Check for __builtin_bswap64, define HAVE_BUILTIN_BSWAP64 if available. * ctr.c (ctr_fill): New function. Use in ctr_crypt. * ctr.c (ctr_crypt): For in-place operation, increase max buffer size from 4 blocks to 512 bytes, similarly to CBC and CFB. Improves in-place aes128 CTR performance by 25% on x86_64. * examples/nettle-benchmark.c (time_cipher): Benchmark in-place operation separately, for cbc_decrypt and ctr_crypt. * cbc.c (cbc_decrypt): For in-place operation (src == dst case), eliminate use of src variable. * cfb.c (cfb_decrypt): Likewise. * gcm.c (gcm_crypt): Likewise, and replace one memxor3 by memxor. 2018-01-03 Niels Möller * x86_64/aesni/aes-encrypt-internal.asm: Read subkeys into xmm registers before the block loop, and completely unroll the round loop. * x86_64/aesni/aes-decrypt-internal.asm: Likewise. 2017-11-19 Niels Möller * Released nettle-3.4. 2017-11-12 Niels Möller * configure.ac: Update check of GMP_NUMB_BITS declaration in assembly files. Was broken by rename of configure variable GMP_NUMB_BITS --> NUMB_BITS. 2017-11-11 Niels Möller * nettle.texinfo: Document nettle_get_hashes, nettle_get_ciphers and nettle_get_aeads, and replace nettle_secp_256r1 by nettle_get_secp_256r1. Update version numbers. Delete ancient setting of ispell-skip-region-alist as an emacs file-local variable. 2017-11-08 Niels Möller * ecc-curve.h (nettle_secp_192r1, nettle_secp_224r1) (nettle_secp_256r1, nettle_secp_384r1, nettle_secp_521r1): Delete macro wrappers, partially reverting below 2017-04-09 change. They didn't work at all for applications that only see a forward declaration of struct ecc_curve. Instead, we will have to make an ABI and API break and delete these symbols, when the size of struct ecc_curve is increased. 2017-11-05 Niels Möller * configure.ac Bump package version to 3.4. (LIBNETTLE_MINOR): Bump library version to 6.4. (LIBHOGWEED_MINOR): Bump library version to 4.4. 2017-10-23 Niels Möller * examples/Makefile.in (check): Also set DYLD_LIBRARY_PATH in the environment, to support Mac OSX shared libraries. * testsuite/Makefile.in (LD_LIBRARY_PATH): Likewise. 2017-10-23 Niels Möller Merge API fixes, starting at 2017-01-12. 2017-04-09 Niels Möller * ecc-curve.h (nettle_get_secp_192r1, nettle_get_secp_224r1) (nettle_get_secp_256r1, nettle_get_secp_384r1) (nettle_get_secp_521r1): New functions, returning a pointer to corresponding structure. (nettle_secp_192r1, nettle_secp_224r1, nettle_secp_256r1) (nettle_secp_384r1, nettle_secp_521r1): Redefined as macros, calling the corresponding function. * nettle-meta.h (nettle_ciphers, nettle_aeads, nettle_armors): New macros, analogous to below change to nettle_hashes. * nettle-meta-ciphers.c (nettle_get_ciphers): New function. * nettle-meta-aeads.c (nettle_get_aeads): New function. * nettle-meta-armors.c (nettle_get_armors): New function. 2017-01-12 Niels Möller * tools/nettle-hash.c (find_algorithm): Deleted function. (main): Replaced by call to nettle_lookup_hash. * testsuite/meta-hash-test.c (test_main): Use nettle_lookup_hash. * nettle-meta.h (nettle_hashes): New macro, expanding to a call to nettle_get_hashes. Direct access to the array causes the array size to leak into the ABI, since a plain un-relocatable executable linking with libnettle.so gets copy relocations for any referenced data items in the shared library. * nettle-meta-hashes.c (nettle_get_hashes): New function. 2017-10-16 Niels Möller CFB support, contributed by Dmitry Eremin-Solenikov. * cfb.c (cfb_encrypt, cfb_decrypt): New file, new functions. * cfb.h: New header file. (CFB_CTX, CFB_SET_IV, CFB_ENCRYPT, CFB_DECRYPT): New macros. * Makefile.in (nettle_SOURCES): Add cfb.c. (HEADERS): Add cfb.h. * testsuite/cfb-test.c: New test case. * testsuite/testutils.c (test_cipher_cfb): New function. * nettle.texinfo (CFB): Documentation. 2017-10-16 Niels Möller * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): Add -g when compiling with gcc. 2017-09-27 Niels Möller Merged armor-signedness branch, starting 2017-08-27. 2017-09-24 Niels Möller * tools/pkcs1-conv.c (base64_decode_in_place): New helper function. (decode_base64): Use it. * sexp-transport-format.c (base64_encode_in_place): New helper function. (sexp_transport_vformat): Use it. * testsuite/base64-test.c (test_fuzz_once): Update to use char type where appropriate. (test_main): Use helper functions base64_encode_in_place and base64_decode_in_place (copied to this file). * testsuite/testutils.c (tstring_data): Use uint8_t for data argument. * testsuite/testutils.h (SDATA): Use US macro to cast data argument. 2017-08-27 Niels Möller * base64-encode.c (base64_encode_raw, base64_encode_group) (base64_encode_single, base64_encode_update) (base64_encode_final): Change type of destination to char *. * base16-encode.c (base16_encode_single, base16_encode_update): Likewise. * base64-decode.c (base64_decode_single, base64_decode_update): Change type of source argument to const char *. Update (almost) all callers. * base16-decode.c (base16_decode_single, base16_decode_update): Likewise. * nettle-types.h (nettle_armor_encode_update_func) (nettle_armor_encode_final_func, nettle_armor_decode_update_func): Corresponding updates to typedefs. 2017-09-14 Niels Möller * hkdf.c: Delete unneeded includes. Use Nettle licensing notice. * hkdf.h: Include only nettle-types.h, not nettle-meta.h. * ecc-mod.c (ecc_mod): Workaround to silence a false positive from the clang static analyzer. 2017-09-12 Niels Möller * testsuite/testutils.h (mpn_zero_p): Avoid redefining mpn_zero_p when building with mini-gmp. Since the mini-gmp update, this function is defined by mini-gmp, causing link errors if nettle is configured with --enable-mini-gmp --disable-shared. Reported by Tim Rühsen. 2017-09-09 Daiki Ueno * testsuite/ecc-mul-g-test.c (test_main): Fixed mpn_cmp call. * testsuite/ecc-mul-a-test.c (test_main): Likewise. * eccdata.c (ecc_point_out): Write to given stream, instead of stderr. * eccdata.c (output_curve): In curve448, the bit size of the order is slightly smaller than the one of p's. Adjust ecc_Bmodq_shifted accordingly. 2017-09-09 Niels Möller * mini-gmp.c: Updated mini-gmp from the gmp repository, latest change from 2017-07-23. * mini-gmp.h: Likewise. 2017-09-06 Niels Möller * hkdf.c (hkdf_expand): Eliminate a (signed) ssize_t variable, use break rather than return at loop termination. 2017-09-06 Niels Möller HKDF implementation, contributed by Nikos Mavrogiannopoulos. * hkdf.c (hkdf_extract, hkdf_expand): New file, new functions. * hkdf.h: New file. * Makefile.in (nettle_SOURCES): Add hkdf.c. (HEADERS): Add hkdf.h. * testsuite/hkdf-test.c: Tests for hkdf-sha256 and hkdf-sha1. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added hkdf-test.c. * nettle.texinfo (Key derivation functions): Document HKDF. 2017-09-04 Andreas Schneider * fat-arm.c: Add missing define for _GNU_SOURCE. 2017-08-27 Niels Möller * configure.ac (GMP_NUMB_BITS): Set to dummy value "n/a" in mini-gmp builds. (NUMB_BITS): New substituted variable which always holds the configured value. * Makefile.in (GMP_NUMB_BITS): Renamed variable... (NUMB_BITS): ...new name * config.make.in: Update corresponding substitution. 2017-08-26 Niels Möller * ecc-mod-inv.c (ecc_mod_inv): Add missing assert. Fixes a "dead increment" warning from the clang static analyzer. 2017-08-26 Niels Möller * examples/nettle-openssl.c (struct openssl_cipher_ctx): New struct. Use everywhere, instead of typing EVP_CIPHER_CTX pointers directly. * configure.ac: Update openssl-related tests. Checks for cipher-specific headers are replaced by a check for openssl/evp.h, and the check for the BF_ecb_encrypt function is replaced by a check for EVP_CIPHER_CTX_new. 2017-08-03 Daniel P. Berrange * examples/nettle-openssl.c: Rewritten to use openssl's EVP APIs. The older cipher-specific functions always use openssl's generic software implementation, while the EVP functions enables platform-specific code, e.g., using the x86 AES-NI instructions. (nettle_openssl_init): New function. 2017-07-18 Niels Möller * ecc-add-eh.c (ecc_add_eh): Fix in-place operation by reordering two multiplies. Previously, in-place operation resulted in an invalid call to mpn_mul with overlapping operands. Reported by Sergei Trofimovich. 2017-06-09 Niels Möller * pss.c (pss_verify_mgf1): Check for m being too large, fixing an assertion failure for certain invalid signatures. Based on a patch contributed by Daiki Ueno. * testsuite/rsa-pss-sign-tr-test.c (test_main): Add test case contributed by Daiki Ueno. Problem originally found by oss-fuzz, see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132. That problem report is currently embargoed, but will hopefully be public in a month or two. 2017-05-23 Niels Möller Rework the previous change, which had the unintended effect of always regenerating .test-rules.make after ./configure is run. * testsuite/Makefile.in (test-rules.stamp): New stamp file target, depend on Makefile.in, and run $(MAKE) test-rules. (.test-rules.make): Add a level of indirection, by depending on test-rules.stamp. 2017-05-20 Niels Möller * testsuite/Makefile.in (test-rules): Use $(srddir)/-prefix for .test-rules.make target, and change dependency from Makefile.in to Makefile. 2017-05-17 Nikos Mavrogiannopoulos * testsuite/Makefile.in: Ensure .test-rules.make is regenerated when Makefile.in is modified. 2017-04-09 Niels Möller * testsuite/dlopen-test.c (main): Call dlclose, to fix memory leak on success. * testsuite/pss-test.c: Delete magic to let valgrind to check if pss_encode_mgf1 is side-channel silent with respect to the salt and digest inputs. It turns out that the most significant bits of the padded bignum, and hence its size, depends on these inputs. Which results in a data-dependent branch in the normalization code of at the end of gmp's mpz_import. 2017-04-04 Niels Möller * pss.c (pss_verify_mgf1): Use const for input mpz_t argument. (pss_encode_mgf1): Avoid unnecessary memset and xor operations. Merged RSA-PSS support, contributed by Daiki Ueno. * pss-mgf1.h, pss.h: New header files. * pss-mgf1.c (pss_mgf1): New file and function. * pss.c (pss_encode_mgf1, pss_verify_mgf1): New file and functions. * rsa-verify.c (_rsa_verify_recover): New function. * rsa-pss-sha256-sign-tr.c: (rsa_pss_sha256_sign_digest_tr): New file and function. * rsa-pss-sha256-verify.c (rsa_pss_sha256_verify_digest): New file and function. * rsa-pss-sha512-sign-tr.c (rsa_pss_sha384_sign_digest_tr) (rsa_pss_sha512_sign_digest_tr): New file and functions. * rsa-pss-sha512-verify.c (rsa_pss_sha384_verify_digest) (rsa_pss_sha512_verify_digest): New file and functions. * rsa.h: Prototypes for new functions. * testsuite/rsa-pss-sign-tr-test.c: New test case. * testsuite/pss-test.c: New test case. * testsuite/pss-mgf1-test.c: New test case. * Makefile.in, testsuite/Makefile.in: Added new files. * nettle.texinfo: Documentation of rsa-pss functions. 2017-03-20 Niels Möller * nettle-internal.h (NETTLE_MAX_HASH_CONTEXT_SIZE): New constant. * testsuite/meta-hash-test.c (test_main): Add sanity check for NETTLE_MAX_HASH_CONTEXT_SIZE. * tools/nettle-hash.c (list_algorithms): Also display the internal context size. 2017-01-03 Nikos Mavrogiannopoulos * ecdsa-verify.c (ecdsa_verify): Eliminated memory leak on error path. 2016-10-10 Niels Möller * write-be32.c (_nettle_write_be32): Use const for source argument. * write-le32.c (_nettle_write_le32): Likewise. * write-le64.c (_nettle_write_le64): Likewise. * nettle-write.h: Update prototypes. 2016-10-01 Niels Möller * Released nettle-3.3. 2016-09-13 Niels Möller * nettle-meta-hashes.c (nettle_hashes): Added SHA3 hashes. Reported missing by Thomas Walter. * testsuite/meta-hash-test.c: Update test accordingly. 2016-09-07 Niels Möller * nettle.texinfo (Elliptic curves): Split into sub-nodes. (Miscellaneous functions): Document memeql_sec. * NEWS: Mention memeql_sec. 2016-09-06 Niels Möller * NEWS: Update for 3.3. * configure.ac: Bump package version to 3.3. (LIBNETTLE_MINOR): Bump library version to 6.3. (LIBHOGWEED_MINOR): Bump library version to 4.3. 2016-09-05 Niels Möller * curve25519.h (NETTLE_CURVE25519_RFC7748): New preprocessor constant. * nettle.texinfo: Document it. 2016-09-03 Niels Möller * config.make.in (.SUFFIXES): Delete no longer used .p$(OBJEXT). * sexp.h (TOKEN_CHAR): Delete macro and declaration of sexp_token_chars. They belong in tools/misc.h, not here. * examples/ecc-benchmark.c (die): Deleted unused function. * testsuite/testutils.h (US): New macro, for unsigned string literals. (LDATA): Use the US macro, to eliminate pointer signedness warnings. * testsuite/eddsa-verify-test.c (test_eddsa): Use LDATA. * testsuite/pbkdf2-test.c (test_main): Likewise. * testsuite/pkcs1-test.c (test_main): Likewise. * testsuite/md5-compat-test.c (test_main): Use US macro. * testsuite/sexp-test.c (test_main): Use const char * for assoc keys. Overlooked in 2016-08-16 change. * testsuite/yarrow-test.c (test_main): Fix pointer signednesss warnings. * testsuite/sexp-format-test.c (test_main): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Likewise. * tools/nettle-lfib-stream.c (main): Likewise. * tools/output.c (sexp_put_string): Likewise. * testsuite/testutils.c (test_armor): Change ascii argument to const char *. * testsuite/base16-test.c (test_main): Use LDATA for the non-ascii argument to test_armor. * testsuite/base64-test.c (test_main): Likewise. * tools/nettle-pbkdf2.c (main): Fix some pointer signedness warning. * tools/nettle-hash.c (hash_file): Likewise. * examples/rsa-decrypt.c (process_file): Use memeql_sec to check the digest. * memeql-sec.c (memeql_sec): New public function, moved from... * ccm.c (memeql_sec): ... previous location. * memops.h: New header file, generalizing memxor.h. * testsuite/memeql-test.c (test_main): New test case. (memeql_sec_for_test): Wrapper to get valgrind to check for side-channel silence. 2016-08-29 Niels Möller * sexp-format.c (strlen_u8): New helper function. (sexp_vformat): Use uint8_t * for strings instead of char *. 2016-08-16 Niels Möller * examples/io.c (hash_file): Use uint8_t for buffer. * sexp.c (sexp_iterator_check_type, sexp_iterator_check_types) (sexp_iterator_assoc): Use const char * for caller's expression types. Updated all callers. * rsa2openpgp.c (rsa_keypair_to_openpgp): Added cast to const uint8_t *. * pgp-encode.c (write_string): New helper function, replacing... (WRITE): ... deleted macro. * examples/io.c (write_data): Renamed, and use const void * for the input data. Updated all callers. (write_string): ... old name. (write_file): Use const void * for the input data. 2016-08-05 Niels Möller * examples/hogweed-benchmark.c: Use uint8_t for curve25519 values. (bench_rsa_init): Use unsigned char for sexp strings. (bench_dsa_init): Likewise. (hash_string): Delete length argument, calling strlen instead. Cast string to const uint8_t *. Updated callers. * examples/io.c (read_file): Use size_t for sizes, and uint8_t for the contents. 2016-08-04 Niels Möller * dsa-sign.c (dsa_sign): Return failure if p is even, so that an invalid key doesn't result in a crash inside mpz_powm_sec. * rsa-sign-tr.c (rsa_compute_root_tr): Return failure if any of p, q or n is even, to avoid crashing inside mpz_powm_sec. Invalid keys with even modulo are rejected by rsa_public_key_prepare and rsa_private_key_prepare, but some applications, notably gnutls, don't use them. 2016-07-31 Niels Möller * rsa.c (_rsa_check_size): Check that n is odd. Otherwise, using an invalid key may crash in mpz_powm_sec. Problem reported by Hanno Böck. 2016-07-13 Niels Möller * bignum.c (nettle_mpz_from_octets): Unconditionally use mpz_import. * gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): Deleted compatibility definitions for older versions of GMP. * gmp-glue.h (mpn_sqr): Deleted compatibility definition. * testsuite/testutils.c (mpz_combit): Deleted compatibility definition. 2016-07-12 Niels Möller * configure.ac: Check for mpz_powm_sec, and require GMP-5.0 or later. * bignum.h (mpz_powm_sec): Fall back to plain mpz_powm for mini-gmp build. * dsa-sign.c (dsa_sign): Use mpz_powm_sec. * rsa-sign.c (rsa_compute_root): Likewise. * rsa-sign-tr.c (rsa_blind, rsa_compute_root_tr): Likewise. * rsa-blind.c (_rsa_blind): Likewise. 2016-05-02 Niels Möller * nettle.texinfo: Update Curve25519 documentation. * testsuite/curve25519-dh-test.c: Test that inputs bits which must be ignored really are ignored. 2016-04-25 Niels Möller * curve25519-mul.c (curve25519_mul): Ignore top bit of the input x coordinate, as required by RFC 7748. 2016-03-30 Niels Möller From Nikos Mavrogiannopoulos. * configure.ac: Change dll names to follow the libtool convention with only major version number in the name. 2016-03-15 Niels Möller * twofish.c (gf_multiply): Change return value to uint32_t, to make shifting of the return value well defined, without any type casts. Fixes an undefined shift in compute_s, reported by Nikos Mavrogiannopoulos. (h_byte): Deleted type casts. * blowfish.c (blowfish_encrypt, blowfish_decrypt): Use READ_UINT32 macro. Fixes an undefined shift, reported by Nikos Mavrogiannopoulos. From Nikos Mavrogiannopoulos. * configure.ac (HOGWEED_EXTRA_SYMBOLS): Add "mp_*", when building with mini-gmp. * des.c (des_weak_p): Check that the hash value is in the proper range before using it. Fixes an out-of-bounds read. 2016-03-14 Niels Möller * getopt.c (_getopt_internal_r): Fix c99-ism, move declarations to top of block. Reported by Henrik Grubbström. 2016-02-16 Niels Möller * tools/input.c (sexp_get_string_length): Process advanced string syntax only when in advanced mode. Fixes an assertion failure reported by Hanno Böck, for input where advanced syntax is improperly wrapped inside transport syntax. * tools/parse.c (sexp_parse): Fail with an error message for unexpected ']' characters. Fixes crash reported by Hanno Böck. Also handle SEXP_DISPLAY (internal error) explicitly, without a default clause. 2016-01-28 Niels Möller * Released nettle-3.2. 2016-01-26 Niels Möller * tools/nettle-pbkdf2.c (main): Fix handling of unrecognized options. Bug reported by Dongsheng Zhang. Display usage message and exit non-zero. Also added "Usage: "-prefix to the message. * tools/nettle-hash.c (usage): New function, extracted from main. (main): Analogous fix for unrecognized options. 2016-01-23 Niels Möller * nettle.texinfo: Set UPDATED-FOR to 3.2. 2016-01-21 Niels Möller * .gitlab-ci.yml: New file. Configuration for gitlab's continuous integration system. 2016-01-20 Niels Möller * testsuite/dlopen-test.c (main): Mark arguments as UNUSED. * testsuite/Makefile.in (clean): Delete dlopen-test. * configure.ac: Bump package version, to nettle-3.2. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to libnettle.so.6.2 and and libhogweed.so.4.2. 2016-01-10 Niels Möller * base64-encode.c (encode_raw): Use const uint8_t * for the alphabet argument. * nettle.texinfo (RSA): Document the rsa_pkcs1_verify and rsa_pkcs1_sign functions, and the new rsa_*_tr functions. 2015-12-18 Niels Möller * testsuite/testutils.h: Fix include order, system headers before nettle headers. Always include version.h, needed by version-test.c. It was included indirectly via bignum.h, but only if configured with publickey support. * configure.ac (IF_DLOPEN_TEST): Fixed shell conditional. * testsuite/ecc-mod-test.c (test_main): Handle random seeding if NETTLE_TEST_SEED is set in the environment. 2015-12-15 Niels Möller * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem reported by Hanno Böck. Simplified the folding to always use non-negative carry, the old code attempted to add in a carry which could be either positive or negative, but didn't get that case right. 2015-12-10 Niels Möller * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem reported by Hanno Böck. (ecc_256_modq): Fixed another carry propagation bug. 2015-11-23 Niels Möller * nettle.texinfo: Document rsa_encrypt, rsa_decrypt and rsa_decrypt_tr. Text contributed by Andy Lawrence. 2015-11-15 Niels Möller * rsa.h (_rsa_blind, _rsa_unblind): Mark as deprecated. 2015-09-17 Niels Möller * rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New file, new functions. * rsa-sha1-sign-tr.c (rsa_sha1_sign_tr, rsa_sha1_sign_digest_tr): Likewise. * rsa-sha256-sign-tr.c (rsa_sha256_sign_tr) (rsa_sha256_sign_digest_tr): Likewise. * rsa-sha512-sign-tr.c (rsa_sha512_sign_tr) (rsa_sha512_sign_digest_tr): Likewise. * rsa.h: Added corresponding prototypes. * Makefile.in (hogweed_SOURCES): Added new files. * testsuite/testutils.c (SIGN): Extend macro to test new functions, and the rsa_*_sign_digest functions. Updated callers. 2015-09-14 Niels Möller * rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr. Mainly for simplicity and consistency, I'm not aware of any CRT fault attacks on RSA decryption. * testsuite/rsa-encrypt-test.c (test_main): Added test with invalid private key. * rsa-sign-tr.c (rsa_compute_root_tr): New file and function. * rsa.h: Declare it. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Use rsa_compute_root_tr. (rsa_verify_res): Deleted, replaced by rsa_compute_root_tr. * testsuite/rsa-sign-tr-test.c (test_rsa_sign_tr): Check that signature argument is unchanged on failure. * Makefile.in (hogweed_SOURCES): Added rsa-sign-tr.c. 2015-09-07 Niels Möller * testsuite/rsa-sign-tr-test.c: Drop include of nettle-internal.h. (test_main): Fix incorrect use of sizeof, and use LDATA macro. From Nikos Mavrogiannopoulos. * rsa-pkcs1-sign-tr.c (rsa_verify_res): New function. (rsa_pkcs1_sign_tr): Check result of private key operation, to protect against hardware or software errors leaking the private key. * testsuite/rsa-sign-tr-test.c: New testcase. 2015-09-06 Niels Möller * nettle.texinfo: Updated SHA3 documentation. 2015-09-02 Niels Möller * testsuite/dlopen-test.c: New test program, exposing the problem with ifunc and RTLD_NOW. * testsuite/Makefile.in (TS_ALL): Conditionally add dlopen-test. (SOURCES): Added dlopen-test.c. (dlopen-test): New target, unlike other test programs, *not* linked with -lnettle. * configure.ac: Check for dlfcn.h and the dlopen function. (IF_DLOPEN_TEST): New substituted variable, true if dlopen is available and we are building a shared library. * fat-setup.h: Disable use of ifunc, since it breaks dlopen with RTLD_NOW. 2015-08-25 Niels Möller * NEWS: Started on entries for Nettle-3.2. * sha3.h (NETTLE_SHA3_FIPS202): New preprocessor constant. 2015-08-24 Niels Möller * testsuite/sha3.awk: Document origin of test vectors. From Nikos Mavrogiannopoulos. * sha3.c (_sha3_pad): Update for NIST version. * testsuite/sha3-224-test.c: Updated test vectors. * testsuite/sha3-256-test.c: Likewise. * testsuite/sha3-384-test.c: Likewise. * testsuite/sha3-512-test.c: Likewise. 2015-06-03 Niels Möller * arm/neon/chacha-core-internal.asm: New file. 55% speedup over C version on Cortex-A9. 2015-05-19 Niels Möller * configure.ac: ABI detection (n32 or n64) on Irix, and appropriate default for libdir. Patch from Klaus Ziegler. 2015-05-12 Niels Möller * version.c (nettle_version_major, nettle_version_minor): New file. New functions, returning the value of the corresponding preprocessor constant. * Makefile.in (nettle_SOURCES): Added version.c. * testsuite/version-test.c: New testcase. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added version-test.c. 2015-04-29 Niels Möller * arm/v6/sha256-compress.asm: Fix syntax error in offset addressing. Spotted by Jukka Ukkonen. * arm/v6/aes-decrypt-internal.asm: Drop %-prefix on r12 register. * arm/v6/aes-encrypt-internal.asm: Likewise. 2015-04-24 Niels Möller * Released nettle-3.1.1. * configure.ac: Bump package version, to nettle-3.1.1. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to libnettle.so.6.1 and and libhogweed.so.4.1. 2015-04-22 Niels Möller * x86_64/gcm-hash8.asm: Use ".value" instead of ".short", since the latter is not supported by the Sun/Oracle assembler. 2015-04-13 Niels Möller * configure.ac: Fix shell quoting in test of GMP_NUMB_BITS asm compatibility. Reported by Edward Sheldrake. 2015-04-07 Niels Möller * Released nettle-3.1. 2015-03-31 Niels Möller * x86_64/ecc-224-modp.asm: Require that GMP_NUMB_BITS == 64. * x86_64/ecc-521-modp.asm: Likewise. Note that the other ecc-*-modp.asm files happen to work fine on x86_64, with either 32 or 64 bits. * asm.m4 (GMP_NUMB_BITS): New macro, expanding to nothing. * configure.ac: Move tests for compiler characteristics, libraries, and GMP_NUMB_BITS, before assembler-related tests. For files in $asm_hogweed_optional_list, check if they declare a GMP_NUMB_BITS requirement, and skip files which are incompatible with the configuration. Needed for --enable-mini-gmp om w64. * Makefile.in (clean-here): Unconditionally delete *.a (including stub libraries like *.dll.a). 2015-03-30 Niels Möller * version.h.in (GMP_NUMB_BITS) [NETTLE_USE_MINI_GMP]: Move definition here (uses configure substitution). * bignum.h (GMP_NUMB_BITS): ...old location. * nettle.texinfo: Updated version number. (Installation): Document some more configure options. * testsuite/symbols-test: Look for NETTLE_USE_MINI_GMP in version.h, not bignum.h. Allow leading underscore on mini-gmp symbols. 2015-03-26 Niels Möller * Makefile.in (PRE_CPPFLAGS): Drop -I$(srcdir), no longer needed. (HEADERS): Added bignum.h. Removed version.h. (INSTALL_HEADERS): Added version.h. (DISTFILES): Removed bignum.h.in. (bignum.h): Deleted make target. (distclean-here): Don't delete bignum.h. * configure.ac: No longer generate bignum.h. * bignum.h: Renamed. Removed substitution of NETTLE_USE_MINI_GMP, and include version.h instead. * bignum.h.in: ... old name. * version.h.in (NETTLE_USE_MINI_GMP): Substitute here. 2015-03-25 Niels Möller * configure.ac (MAJOR_VERSION, MINOR_VERSION): Tweak sed expressions, to tolerate version suffixes. * Makefile.in (distdir): Include assembly files from the new x86_64/aesni, x86_64/fat, and arm/fat directories. * ed25519-sha512-pubkey.c: Fix stack overwrite. The digest array must have room for a complete sha512 digest. 2015-03-19 Niels Möller * Makefile.in (OPT_HOGWEED_SOURCES): Deleted make variable. (nettle_SOURCES, hogweed_SOURCES): Don't include optional sources here. (OPT_SOURCES): New variable. (SOURCES): Include OPT_SOURCES. (DISTFILES): Drop mini-gmp.c here, included via OPT_SOURCES. (nettle_OBJS, hogweed_OBJS): Add the object files corresponding to the optional source files included in the build. * ecc-curve.h (nettle_curve25519): Removed public declaration. * ecc-internal.h (_nettle_curve25519): New location, new name. Updated all users. * nettle.texinfo: Updated EdDSA documentation. * Makefile.in (DISTFILES): Added version.h.in, libnettle.map.in, and libhogweed.map.in (latter two patch by Nikos). (version.h): New make target. (distclean-here): Added version.h, libnettle.map, and libhogweed.map. From Nikos Mavrogiannopoulos. * configure.ac (MAJOR_VERSION, MINOR_VERSION): New substituted variables. * version.h.in: New file, defining version numbers. 2015-03-18 Niels Möller EdDSA interface change, use plain strings to represent keys. * eddsa.h (_ED25519_LIMB_SIZE): Deleted constant. (struct ed25519_private_key, ed25519_public_key): Deleted. * eddsa-expand.c (_eddsa_expand_key): Don't compute the public key. (_eddsa_expand_key_itch): Deleted function. * eddsa-pubkey.c (_eddsa_public_key, _eddsa_public_key_itch): New file, new functions. * ed25519-sha512-pubkey.c (ed25519_sha512_public_key): New file and function. * ed25519-sha512-verify.c (ed25519_sha512_set_public_key): Deleted function. (ed25519_sha512_verify): Use a string to represent the public key. * ed25519-sha512-sign.c (ed25519_sha512_set_private_key): Deleted function. (ed25519_sha512_sign): Use strings for the input key pair. * Makefile.in (hogweed_SOURCES): Added eddsa-pubkey.c and ed25519-sha512-pubkey.c. * testsuite/eddsa-sign-test.c (test_eddsa_sign): Adapt to _eddsa_expand_key changes, and use _eddsa_public_key. * testsuite/ed25519-test.c (test_one): Test ed25519_sha512_public_key, and adapt to new ed25519 interface. 2015-03-14 Niels Möller * ccm.c (memeql_sec): New function, more side-channel silent than memcmp. (ccm_decrypt_message): Use it. 2015-03-12 Niels Möller * base64.h (struct base64_encode_ctx): Micro optimization of struct layout, saving a few bytes. (struct base64_decode_ctx): Likewise. * base16.h (struct base16_decode_ctx): Likewise. * nettle.texinfo (ASCII encoding): Document base64url functions. 2015-03-10 Niels Möller * nettle.texinfo: Update documentation of curve25519_mul. Say that the output is undefined for points belonging to the twist rather than the proper curve. * curve25519-mul.c (curve25519_mul): Changed return type to void. * curve25519.h (curve25519_mul): Updated prototype. * examples/hogweed-benchmark.c (bench_curve25519_mul): Drop check of curve25519_mul return value. * testsuite/curve25519-dh-test.c (test_a): Likewise. 2015-02-26 Niels Möller * nettle.texinfo: Document curve25519 and eddsa. 2015-02-10 Niels Möller * base64url-meta.c (nettle_base64url): New file. * nettle-meta.h (nettle_base64url): Declare it. * nettle-meta-armors.c (nettle_armors): Added nettle_base64url. * testsuite/meta-armor-test.c: Updated testcase. * testsuite/base64-test.c (test_main): Additional tests, using nettle_base64url. * Makefile.in (nettle_SOURCES): Added base64url-meta.c. Base-64 generalization to support RFC4648 URL safe alphabet, contributed by Amos Jeffries. * base64url-decode.c (base64url_decode_init): New file and function. * base64url-encode.c (base64url_encode_init): New file and function. * Makefile.in (nettle_SOURCES): Added base64url-encode.c and base64url-decode.c. * base64.h: Declare new functions. * testsuite/base64-test.c (test_fuzz): Test base64url encoding and decoding. * base64.h (struct base64_encode_ctx): Added pointer to alphabet. (struct base64_decode_ctx): Added pointer to decoding table. * base64-decode.c (base64_decode_init): Initialize table pointer. Moved definition of table to local scope. (base64_decode_single): Use the context's decoding table. * base64-encode.c (ENCODE): Added alphabet argument. Updated all uses. (encode_raw): New static function, like base64_encode_raw but with an alphabet argument. (base64_encode_raw): Call encode_raw. (base64_encode_init): Initialize alphabet pointer. (base64_encode_single, base64_encode_update, base64_encode_final): Use the context's alphabet. 2015-02-09 Niels Möller * base64-encode.c (base64_encode): Deleted old #if:ed out function. * testsuite/base64-test.c (test_fuzz_once, test_fuzz): Additional tests, based on contribution by Amos Jeffries. 2015-02-05 Niels Möller * configure.ac (LIBHOGWEED_MAJOR): Undo latest bump, 4 should be enough (previous release, nettle-3.0, used 3). 2015-01-30 Niels Möller Update chacha-poly1305 for draft-irtf-cfrg-chacha20-poly1305-08. * chacha-poly1305.h (CHACHA_POLY1305_NONCE_SIZE): Increase to 12 bytes, i.e., CHACHA_NONCE96_SIZE. * chacha-poly1305.c (chacha_poly1305_set_nonce): Use chacha_set_nonce96. (poly1305_pad): New function. (chacha_poly1305_encrypt): Use poly1305_pad. (chacha_poly1305_digest): Call poly1305_pad, and format length fields as a single poly1305 block. * chacha-set-nonce.c (chacha_set_nonce96): New function. * chacha.h (CHACHA_NONCE96_SIZE): New constant. * testsuite/chacha-test.c: Add test for chacha with 96-bit nonce. 2015-01-27 Niels Möller * ecc.h: Deleted declarations of unused itch functions. Moved declarations of internal functions to... * ecc-internal.h: ...new location. Also added a leading under score on the symbols. (ecc_a_to_j, ecc_j_to_a, ecc_eh_to_a, ecc_dup_jj, ecc_add_jja) (ecc_add_jjj, ecc_dup_eh, ecc_add_eh, ecc_add_ehh, ecc_mul_g) (ecc_mul_a, ecc_mul_g_eh, ecc_mul_a_eh): Affected functions. 2015-01-26 Niels Möller * ecc-add-eh.c (ecc_add_eh_itch): Deleted. * ecc-add-ehh.c (ecc_add_ehh_itch): Deleted. * ecc-add-jja.c (ecc_add_jja_itch): Deleted. * ecc-add-jjj.c (ecc_add_jjj_itch): Deleted. * ecc-dup-eh.c (ecc_dup_eh_itch): Deleted. * ecc-dup-jj.c (ecc_dup_jj_itch): Deleted. * ecc-eh-to-a.c (ecc_eh_to_a_itch): Deleted. * ecc-j-to-a.c (ecc_j_to_a_itch): Deleted. * ecc-mul-a-eh.c (ecc_mul_a_eh_itch): Deleted. * ecc-mul-a.c (ecc_mul_a_itch): Deleted. * ecc-mul-g-eh.c (ecc_mul_g_eh_itch): Deleted. * ecc-mul-g.c (ecc_mul_g_itch): Deleted. 2015-01-25 Niels Möller * arm/fat/sha1-compress-2.asm: New file. * arm/fat/sha256-compress-2.asm: Likewise. * fat-arm.c (fat_init): Setup for use of additional v6 assembly functions. * sha1-compress.c: Prepare for fat build with C and assembly implementations. * sha256-compress.c: Likewise. * fat-setup.h (sha1_compress_func, sha256_compress_func): New typedefs. * configure.ac (asm_nettle_optional_list): Added sha1-compress-2.asm and sha256-compress-2.asm, and corresponding HAVE_NATIVE_*. From Martin Storsjö: * arm: Add .arch directives for armv6. This allows building these files as part of a fat build, even if the assembler by default targets a lower architecture version. 2015-01-23 Niels Möller * fat-setup.h (DEFINE_FAT_FUNC): Check value of function pointer, before calling fat_init. Should be correct even without memory barrier. * fat-x86_64.c (fat_init): Deleted static variable initialized. The checks of the relevant pointer in DEFINE_FAT_FUNC is more robust. * fat-arm.c (fat_init): Likewise. 2015-01-21 Niels Möller * fat-arm.c (fat_init): Setup for use of neon assembly functions. * arm/fat/salsa20-core-internal-2.asm: New file. * arm/fat/sha3-permute-2.asm: New file. * arm/fat/sha512-compress-2.asm: New file. * arm/fat/umac-nh-2.asm: New file. * arm/fat/umac-nh-n-2.asm: New file. * salsa20-core-internal.c: Prepare for fat build with C and assembly implementations. * sha512-compress.c: Likewise. * sha3-permute.c: Likewise. * umac-nh.c: Likewise. * umac-nh-n.c: Likewise. * configure.ac (asm_nettle_optional_list): Added more *-2.asm files, and corresponding HAVE_NATIVE_* defines. Recognize PROLOGUE macro in asm files, also when not at the start of the line. 2015-01-20 Niels Möller * fat-arm.c (get_arm_features): Check NETTLE_FAT_OVERRIDE environment variable. * fat-x86_64.c (get_x86_features): New function. Check NETTLE_FAT_OVERRIDE environment variable. (fat_init): Use it. * fat-setup.h (secure_getenv) [!HAVE_SECURE_GETENV]: Dummy definition, returning NULL. (ENV_OVERRIDE): New constant. * configure.ac: Check for secure_getenv function. 2015-01-19 Niels Möller * configure.ac: Fat library setup for arm. * fat-arm.c: New file. * arm/fat/aes-encrypt-internal.asm: New files. * arm/fat/aes-encrypt-internal-2.asm: New file. * arm/fat/aes-decrypt-internal.asm: New file. * arm/fat/aes-decrypt-internal-2.asm: New file. * Makefile.in (DISTFILES): Added fat-setup.h. * fat-setup.h: New file, declarations moved from... * fat-x86_64.c: ... old location 2015-01-17 Niels Möller * fat-x86_64.c (DECLARE_FAT_FUNC, DEFINE_FAT_FUNC) (DECLARE_FAT_FUNC_VAR): New macros, to define needed resolver and wrapper functions. * config.m4.in (SYMBOL_PREFIX): Define from from autoconf ASM_SYMBOL_PREFIX. (C_NAMS): move definition to... * asm.m4 (C_NAME): Define here, also take fat_transform. (fat_suffix): Replaced by... (fat_transform): New macro, taking symbol name as argument. Updated all uses of fat_suffix. * fat-x86_64.c: Updated for internal "_nettle" prefix on cpu-specific memxor functions. * fat-x86_64.c: Set up for sse2 vs non-sse2 memxor. Patch by Nikos Mavrogiannopoulos. * configure.ac (asm_nettle_optional_list): Added memxor-2.asm. * x86_64/fat/memxor-2.asm: New file. * x86_64/fat/memxor.asm: New file. * x86_64/memxor.asm: Use ifdef, not ifelse, for testing USE_SSE2. 2015-01-16 Niels Möller * configure.ac (OPT_NETTLE_SOURCES): New substituted variable. (asm_path): Fixed x86_64 fat setup. Include only x86_64 and x86_64/fat in the asm_path. Put fat-x86_64.c in OPT_NETTLE_SOURCES, with no symlinking. * fat-x86_64.c: Renamed,... * x86_64/fat/fat.c: ... from old name. 2015-01-13 Niels Möller * x86_64/fat/fat.c: For constructor hack, check HAVE_GCC_ATTRIBUTE, not __GNUC__. Also support sun compilers, as suggested by Nikos Mavrogiannopoulos, and attch the constructor attribute directly to fat_init. (fat_constructor): Deleted wrapper function. * x86_64/fat/fat.c: New file, initialization for x86_64 fat library. * x86_64/fat/cpuid.asm (_nettle_cpuid): New file and function. * x86_64/fat/aes-encrypt-internal.asm: New file, including x86_64/aes-encrypt-internal.asm, after setting fat_suffix to _x86_64. * x86_64/fat/aes-decrypt-internal.asm: New file, analogous setup. * x86_64/fat/aes-encrypt-internal-2.asm: New file, including x86_64/aesni/aes-encrypt-internal.asm, after setting fat_suffix to _aesni. * x86_64/fat/aes-decrypt-internal.asm-2: New file, analogous setup. * configure.ac: New command line option --enable-fat. (asm_nettle_optional_list): Added cpuid.asm, fat.c, aes-encrypt-internal-2.asm, and aes-decrypt-internal-2.asm. * asm.m4 (fat_suffix): New suffix added to symbol names. * x86_64/aesni/aes-encrypt-internal.asm: Use explicit .byte sequences for aes instructions, don't rely on assembler support. * x86_64/aesni/aes-decrypt-internal.asm: Likewise. * aclocal.m4 (NETTLE_CHECK_IFUNC): New macro, checking for ifunc and settting HAVE_LINK_IFUNC if working. * configure.ac: Use it. 2015-01-12 Niels Möller * asm.m4 (DECLARE_FUNC): New macro, extracted from PROLOGUE. (PROLOGUE): Use it. * configure.ac (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Renamed substituted variables, and list the object files rather than source files. (OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES): ...Old names. * Makefile.in (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Use new variables. 2015-01-11 Niels Möller * x86_64/aesni/aes-decrypt-internal.asm: New file. * x86_64/aesni/aes-encrypt-internal.asm: New file. * configure.ac: New configure flag --enable-x86-aesni. * aclocal.m4 (LSH_RPATH_INIT): Handle freebsd, in the same way as gnu/linux, with -Wl,-rpath,. Merged memxor-reorg changes, starting at 2014-10-23. 2015-01-10 Niels Möller * arm/memxor.asm (memxor3): Moved to new file. * arm/memxor3.asm: New file. 2014-11-24 Niels Möller * x86_64/memxor3.asm (memxor3): New file, code moved from old memxor.asm. * x86_64/memxor.asm (memxor): Rewritten, no longer jumps into memxor3. * configure.ac (asm_replace_list): Added memxor.asm and memxor3.asm. 2014-10-23 Niels Möller * configure.ac (IF_ASM): New substituted variable. * testsuite/Makefile.in (VALGRIND): Allow partial loads only when build includes assembly files. * memxor-internal.h (READ_PARTIAL): New macro. * memxor.c (memxor_different_alignment): Avoid out-of-bounds reads, corresponding to valgrind's --partial-loads-ok. Use READ_PARTIAL. * memxor3.c: Analogous changes for unaligned operations. * configure.ac (asm_replace_list): Deleted memxor.asm, now incompatible with the memxor/memxor3 split. * memxor3.c: New file, split off from memxor.c. * memxor-internal.h: New file, declarations shared by memxor.c and memxor3.c. * memxor.c: memxor3 functions moved out from this file. * Makefile.in (nettle_SOURCES): Added memxor3.c. (DISTFILES): Added memxor-internal.h. * memxor.c (memxor_common_alignment, memxor_different_alignment) (memxor): Change loop order, iterate from the end. (memxor3_common_alignment): Unroll twice. (word_t): On x86_64, unconditionally define as uint64_t, to get 64 bits also in M$ windows. Replaced all uses of SIZEOF_LONG. 2014-12-12 Niels Möller * cbc.h (CBC_ENCRYPT, CBC_DECRYPT): Make type-checking hack stricter, warn if type of length argument is smaller than size_t. * ctr.h (CTR_CRYPT): Likewise. * eax.h (EAX_SET_KEY, EAX_SET_NONCE, EAX_UPDATE, EAX_ENCRYPT) (EAX_DECRYPT, EAX_DIGEST): Likewise. * gcm.h (GCM_SET_KEY, GCM_ENCRYPT, GCM_DECRYPT, GCM_DIGEST): Likewise. 2014-12-08 Niels Möller * aclocal.m4 (LD_VERSION_SCRIPT): Linker scripts no longer located in the source tree. * configure.ac (LIBNETTLE_MAJOR): Bump major number, now 6. (LIBHOGWEED_MAJOR): Bump major number, now 5. From Nikos Mavrogiannopoulos. Support for versioned symbols. * aclocal.m4 (LD_VERSION_SCRIPT): New macro. Substitute EXTRA_LINKER_FLAGS and EXTRA_HOGWEED_LINKER_FLAGS. * configure.ac: Use LD_VERSION_SCRIPT. Generate libnettle.map and libhogweed.map. (HOGWEED_EXTRA_SYMBOLS): New substituted variable. * libnettle.map.in: New file, libnettle.so linker script * libhogweed.map.in: New file, libhogweed.so linker script. * Makefile.in ($(LIBNETTLE_FORLINK)): Use EXTRA_LINKER_FLAGS. ($(LIBHOGWEED_FORLINK)): Use EXTRA_HOGWEED_LINKER_FLAGS. 2014-11-24 Niels Möller * gcm.h (GCM_SET_KEY): Rename macro argument KEY to avoid collision with a struct tag. Spotted by Nikos Mavrogiannopoulos. * testsuite/eddsa-verify-test.c (test_eddsa): Fixed test case bug, showing up as use of uninitialized data with valgrind. 2014-10-23 Niels Möller * examples/nettle-benchmark.c (time_memxor): Allocate buffers as arrays of unsigned long, for more reliable alignment. 2014-10-22 Niels Möller * configure.ac: Check for getline function. * testsuite/ed25519-test.c (getline) [!HAVE_GETLINE]: Fallback definition. * Makefile.in (clean-here): Unconditionally delete .so and .dll files. (IMPLICIT_TARGETS): Deleted variable. 2014-10-21 Niels Möller * testsuite/ed25519-test.c: New test case. Optionally reads the file pointed to by $ED25519_SIGN_INPUT. * testsuite/testutils.c (tstring_hex): Rewrite, using Nettle's base16 functions. (decode_hex, decode_hex_length): Deleted functions. 2014-10-20 Niels Möller * eddsa.h (ED25519_KEY_SIZE): New constant. (ED25519_SIGNATURE_SIZE): New constant. (struct ed25519_private_key): New struct. (struct ed25519_public_key): New struct. * ed25519-sha512-sign.c (ed25519_sha512_set_private_key) (ed25519_sha512_sign): New file and functions. * ed25519-sha512-verify.c (ed25519_sha512_set_public_key) (ed25519_sha512_verify): New file and functions. * Makefile.in (hogweed_SOURCES): Added ed25519-sha512-sign.c and ed25519-sha512-verify.c. 2014-10-18 Niels Möller * eddsa-verify.c (_eddsa_verify): Change argument order, putting A before ctx. * eddsa.h: Updated prototype. * testsuite/eddsa-verify-test.c (test_eddsa): Updated _eddsa_verify calls. 2014-10-14 Niels Möller * eddsa-verify.c (equal_h): New function. (_eddsa_verify): Use it for a proper point compare, replacing an ecc_add_ehh. * testsuite/eddsa-verify-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-verify-test.c. * eddsa-verify.c (_eddsa_verify, eddsa_verify_itch): New file, new functions. * eddsa.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added eddsa-verify.c. 2014-10-08 Niels Möller * testsuite/eddsa-sign-test.c (test_eddsa_sign): Use _eddsa_expand_key, and check its public key output. * eddsa-expand.c (_eddsa_expand_key): New file, new function. * eddsa.h (_eddsa_expand_key): Declare it. * Makefile.in (hogweed_SOURCES): Added eddsa-expand.c. * eddsa-sign.c: Drop unneeded include of nettle-internal.h. 2014-10-04 Niels Möller * testsuite/eddsa-sign-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-sign-test.c. * eddsa-sign.c (_eddsa_sign, _eddsa_sign_itch): New file, new functions. * eddsa-hash.c (_eddsa_hash): New file and function. * eddsa.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added eddsa-hash.c and eddsa-sign.c. 2014-10-03 Niels Möller * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Enable test. (test_main): Replace gmp_fprintf calls. * testsuite/ecc-mul-a-test.c: Likewise. * testsuite/ecc-mul-g-test.c: Likewise. * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Enable test. (ref_modinv): Use mpz_gcdext, instead of mpn_gcdext. (test_modulo): Replace gmp_fprintf calls. * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Enable test. (ref_mod): Use mpz_mod and mpz_limbs_copy, instead of mpn_tdiv_qr. (test_modulo): Replace gmp_fprintf calls by plain fprintf and mpn_out_str. * testsuite/testutils.c (mpn_out_str): New function, needed to replace uses of gmp_fprintf. * testsuite/ecc-sqrt-test.c (mpz_ui_kronecker) [NETTLE_USE_MINI_GMP]: New fallback definition when building with mini-gmp. * testsuite/testutils.c (gmp_randinit_default) [NETTLE_USE_MINI_GMP]: Likewise. (mpz_urandomb): Likewise. * testsuite/testutils.h (gmp_randstate_t) [NETTLE_USE_MINI_GMP]: Fallback typedef, using knuth_lfib_ctx. 2014-10-02 Niels Möller * testsuite/eddsa-compress-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-compress-test.c. * eddsa-decompress.c (_eddsa_decompress): New file, new function. * eddsa-compress.c (_eddsa_compress): New file, new function. * eddsa.h: New file. * Makefile.in (HEADERS): Added eddsa.h. (hogweed_SOURCES): Added eddsa-compress.c and eddsa-decompress.c. * testsuite/ecc-sqrt-test.c: New test case. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-sqrt-test.c. * ecc-25519.c (PHIGH_BITS): Always define this constant. (ecc_25519_zero_p): New function. (ecc_25519_sqrt): Take a ratio u/v as input. Added scratch argument. Made static. * ecc-internal.h (ecc_mod_sqrt_func): New typedef. (struct ecc_modulo): Added sqrt_itch and sqrt function pointer. Updated all instances. (ecc_25519_sqrt): Deleted declaration, function now static. 2014-09-24 Niels Möller * curve25519.h [__cplusplus]: Fixed extern "C" block. 2014-09-23 Niels Möller * ecc-hash.c (ecc_hash): Changed argument type from struct ecc_curve to struct ecc_modulo. Updated callers. * testsuite/ecdsa-sign-test.c (test_main): Updated curve25519 signature s. Changed since the hash value is truncated a few bits more, to match the size of q. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * testsuite/ecc-modinv-test.c (zero_p): New function, checking for zero modulo p. (test_modulo): Use zero_p. Switch to dynamic allocation. Updated for larger modinv result area, and use invert_itch. * ecc-25519.c (ecc_mod_pow_2kp1): Renamed, and take a struct ecc_modulo * as argument. (ecc_modp_powm_2kp1): ... old name. (ecc_mod_pow_252m3): New function, extracted from ecc_25519_sqrt. (ecc_25519_inv): New modp invert function, about 5.5 times faster then ecc_mod_inv. (ecc_25519_sqrt): Use ecc_mod_pow_252m3. (nettle_curve25519): Point to ecc_25519_inv. Updated p.invert_itch and h_to_a_itch. * ecc-internal.h (struct ecc_modulo): New field invert_itch. Updated all implementations. (ECC_EH_TO_A_ITCH): Updated, and take invert itch as an argument. * ecc-eh-to-a.c (ecc_eh_to_a_itch): Take invert scratch into account. * testsuite/testutils.c (test_ecc_mul_h): Use ecc->h_to_a_itch. * ecc-mod-inv.c (ecc_mod_inv): Interface change, make ap input const, and require 2n limbs at rp. Preparing for powm-based alternative implementations. Drop #if:ed out code and dp temporary. Updated all callers, more complicated cases described below. * ecc-internal.h (typedef ecc_mod_inv_func): Added const to input argument. (ECC_MOD_INV_ITCH): Renamed, was ECC_MODINV_ITCH, and reduced to 2*n. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Overhauled allocation, putting mod_inv scratch at the end. 2014-09-22 Niels Möller * ecc-random.c (ecc_mod_random): Renamed, and take a const struct ecc_modulo * as argument. Updated callers. (ecc_modq_random): ... old name. * ecc-mod-arith.c: New file, replacing ecc-modp.c and ecc-modq.c. All functions take a struct ecc_modulo as argument. (ecc_mod_add, ecc_mod_sub, ecc_mod_mul_1, ecc_mod_addmul_1) (ecc_mod_submul_1, ecc_mod_mul, ecc_mod_sqr): New functions, replacing the corresponding ecc_modp_* functions. For convenience, old names are defined as macros wrapping the new functions. * ecc-modp.c: Deleted file. * ecc-modq.c: Deleted file. * Makefile.in (hogweed_SOURCES): Updated accordingly. * testsuite/ecc-redc-test.c (test_main): Relaxed tests for which tests to run. * testsuite/ecc-modinv-test.c (test_modulo): New function, same organization as in ecc-mod-test.c below. * testsuite/ecc-mod-test.c (test_modulo): New function, testing one modulo. Replacing... (test_curve): ... old function. (test_main): Invoke test_modulo for p and q of each curve. * ecc-internal.h (ecc_mod_inv_func): New typedef. (struct ecc_modulo): Added mp1h constant and invert function pointer. Updated all callers. * ecc-modp.c (ecc_modp_inv): Deleted wrapper function. * ecc-modq.c (ecc_modq_inv): Deleted wrapper function. * ecc-mod-inv.c (ecc_mod_inv): Renamed file and function. Also take a struct ecc_modulo * as argument. * sec-modinv.c (sec_modinv): ... the old names. Deleted. * Makefile.in (hogweed_SOURCES): Updated accordingly. * examples/ecc-benchmark.c (bench_modinv_powm, bench_curve): Updated benchmarking of mpn_sec_powm. * ecc-internal.h (struct ecc_curve): Deleted redc function pointer. Use only reduce pointer, which is redc or modp as applicable. Updated all users. (struct ecc_modulo): Moved mod and reduce function pointers to this struct. * ecc-generic-modp.c (ecc_generic_modp): Deleted file and function. We no longer need a wrapper around ecc_mod. * ecc-generic-modq.c (ecc_generic_modq): Likewise deleted. * Makefile.in (hogweed_SOURCES): Removed ecc-generic-modp.c and ecc-generic-modq.c. * ecc-internal.h (typedef ecc_mod_func): Take a const struct ecc_modulo * argument, not const struct ecc_curve *. Updated all implementations and all callers. * ecc-mod.c (ecc_mod): Use struct ecc_modulo to specify the modulo. Drop input size argument, always reduce from 2*size to size. * ecc-internal.h (struct ecc_modulo): New struct, collecting constants needed for modulo arithmetic. (struct ecc_curve): Use struct ecc_modulo for p and q arithmetic. Updated all ecc-related files. 2014-09-17 Niels Möller * gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn counter, making the function clear some bytes beyond the end of the output buffer. The bug triggered a make check failure on ARM. * testsuite/testutils.c (ecc_curves): Include curve25519 in list. (test_ecc_mul_a): Include reference points for curve25519 (with Edwards coordinates). Allow n == 0 and n == 1, comparing to zero and the generator, respectively. * testsuite/ecc-add-test.c (point_zero_p): Deleted function. (test_main): Replace calls to point_zero_p by calls to test_ecc_mul_h with n == 0. * testsuite/ecc-dup-test.c: Likewise. * testsuite/ecc-modinv-test.c (mpn_zero_p): Moved function, to... * testsuite/testutils.c (mpn_zero_p): New location. Also make non-static. * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add special case for curve25519. * testsuite/ecc-mul-a-test.c (test_main): Fix point negation to support curve25519. * testsuite/ecc-mul-g-test.c (test_main): Likewise. * ecc-a-to-eh.c (ecc_a_to_eh_itch, ecc_a_to_eh): Deleted file and functions. * ecc.h: Deleted corresponding declarations. * ecc-internal.h (ECC_A_TO_EH_ITCH): Deleted macro. * Makefile.in (hogweed_SOURCES): Removed ecc-a-to-eh.c. * testsuite/ecdh-test.c (test_main): Update curve25519 test to use Edwards coordinates. * testsuite/ecdsa-sign-test.c (test_main): Likewise. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * ecc-point.c (ecc_point_set): Use Edwards rather than Montgomery curve. * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init): Take an Edwards point as input, not a Montgomery point. Hence, use ecc_a_to_j, not ecc_a_to_eh. * ecc-eh-to-a.c (ecc_eh_to_a): Just convert to affine coordinates, don't transform from Edwards to Montgomery form. Also reduces scratch need slightly. * ecc-internal.h (ECC_EH_TO_A_ITCH): Reduced. * ecdsa-keygen.c (ecdsa_generate_keypair): Use struct ecc_curve function pointers. * testsuite/curve25519-dup-test.c: Deleted file. In the way for conversion to Edwards coordinate convention, and in the end the tests will be done by ecc-dup-test.c. * testsuite/curve25519-add-test.c: Similarly deleted. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Removed curve25519-dup-test.c and curve25519-add-test.c. 2014-09-16 Niels Möller * testsuite/ecc-add-test.c: New generalized testcase, to replace curve25519-add-test.c. * testsuite/ecc-dup-test.c: New generalized testcase, to replace curve25519-dup-test.c. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-add-test.c and ecc-dup-test.c. 2014-09-14 Niels Möller * testsuite/ecc-mul-a-test.c (test_main): Use struct ecc_curve function pointers. * testsuite/ecc-mul-g-test.c (test_main): Likewise. 2014-09-09 Niels Möller * curve25519-mul.c (curve25519_mul): Switch to use Montgomery ladder. About 20% faster than current Edwards curve operations. Difference is expected to shrink when Edwards operations are optimized to take advantage of the twist, but it seems unlikely to get significantly faster than the Montgomery ladder. * gmp-glue.c (cnd_swap): Moved function here, made non-static. Changed cnd type to mp_limb_t, for consistency with GMP mpn_cnd_add_n. * sec-modinv.c (cnd_swap): ... old location. * gmp-glue.h (cnd_swap): Declare function. 2014-09-06 Niels Möller * examples/hogweed-benchmark.c (bench_curve25519_mul_g) (bench_curve25519_mul, bench_curve25519): New functions. (main): Added benchmarking of curve25519 functions. 2014-09-03 Niels Möller * Makefile.in: Revert 2013-02-06 Makefile changes: use a single rule for transforming .asm to .o, and drop include of asm.d. Possible now since we generate a single object file from each asm file. This change also helps Solaris' make recognize .asm files. * config.make.in (.SUFFIXES): Drop .s from list. * configure.ac: Delete code to generate asm.d. * Makefile.in: Delete all uses of *.po files, use the same object files for both shared and static libraries. * configure.ac (dummy-dep-files): Don't create any .po.d files. * aclocal.m4 (LSH_CCPIC): Don't substitute CCPIC here, let configure.ac do that if needed. * configure.ac (CCPIC_MAYBE, SHLIBCFLAGS): Deleted substituted variables. Instead, use CCPIC directly when compiling all library files. (CCPIC): Set to empty, if --disable-pic is used. * config.make.in (SHLIBCFLAGS, CCPIC_MAYBE): Deleted. (COMPILE, COMPILE_CXX): Drop CCPIC. New variable EXTRA_CFLAGS, which can be set by individual Makefiles. * Makefile.in (EXTRA_CFLAGS): Set using CCPIC. Also delete all uses of CCPIC_MAYBE and SHLIBCFLAGS. 2014-09-02 Niels Möller * curve25519-eh-to-x.c (curve25519_eh_to_x): New file, new function. The curve25519 transform currently done by ecc_eh_to_a, but which should eventually be eliminted from that function. * Makefile.in (hogweed_SOURCES): Added curve25519-eh-to-x.c. * ecc-internal.h (curve25519_eh_to_x): Declare it. * curve25519-mul.c (curve25519_mul): Use it. * curve25519-mul-g.c (curve25519_mul_g): Likewise. Also introduce local variable ecc, and use ecc->mul_g_itch. 2014-08-29 Niels Möller * testsuite/testutils.c (test_ecc_mul_j): Renamed, to ... (test_ecc_mul_h): ... new name. Use ecc->h_to_a function pointer. Updated callers. * examples/ecc-benchmark.c (bench_add_jjj): Renamed, to ... (bench_add_hhh): ... new name. Use ecc->add_hhh function pointer. (bench_add_ehh): Deleted. (bench_curve): Use bench_add_hhh for all curves. Use ecc->mul_itch for scratch size. Switch the curve25519 implementation to use the isomorphism to the twisted Edwards curve which is used for Ed25519 signatures. * eccdata.c (ecc_curve_init): Tweaked the transformation constant for the isomorphism between curve25519 and the twisted Edwards curve. * ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve. * ecc-add-eh.c (ecc_add_eh): Likewise. * ecc-dup-eh.c (ecc_dup_eh): Likewise. 2014-08-28 Niels Möller * ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h, use ecc_size function instead. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use the struct ecc_curve function pointers: mul, mul_g, add_hhh, h_to_a. * ecc-internal.h (ECC_ECDSA_VERIFY_ITCH): Deleted macro. Needed scratch depends on curve type, not just size. (ecc_add_func): New typedef. (struct ecc_curve): New function pointer add_hhh, and constant add_hhh_itch. Updated all instances. * ecdsa-verify.c (ecdsa_verify): Use the ecc_ecdsa_verify_itch function, not the corresponding macro. * ecc-ecdsa-verify.c (ecc_ecdsa_verify_itch): Take ecc->mul_itch into account. Also reduce to 5*ecc->size + ecc->mul_itch. * testsuite/ecdsa-sign-test.c (test_main): Added test for the obscure case of ecdsa using curve25519. * testsuite/ecdsa-verify-test.c (test_main): Likewise (depends on above changes). * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use mul_g and h_to_a function pointers. Implies (obscure) support for curve25519. * ecc-25519.c (ecc_25519_modq): Access q via the ecc struct. * ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a. The modulo q case (op == 2) is hardcoded for curve25519. * ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert back from redc form. When producing x coordinate only, optionally reduce it modulo q. Completely changes the meaning of the "flags" argument, and renames it to "op". Update all users of this function or ecc->h_to_a. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use new ecc_j_to_a modulo q feature. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. * testsuite/symbols-test: Regexp fixes, to better filter out get_pc_thunk functions. * ecc-generic-redc.c (ecc_generic_redc): Deleted file and function. Split into... * ecc-pp1-redc.c (ecc_pp1_redc): New file and function. * ecc-pm1-redc.c (ecc_pm1_redc): New file and function. * ecc-internal.h: Updated declarations. * Makefile.in (hogweed_SOURCES): Replace ecc-generic-redc.c by ecc-pp1-redc.c and ecc-pm1-redc.c. * ecc-192.c: Use ecc_pp1_redc (benchmarking only). * ecc-224.c: Use ecc_pm1_redc when applicable. * ecc-256.c: Use ecc_pp1_redc when applicable. * ecc-384.c: Use ecc_pp1_redc (benchmarking only). * ecc-521.c: Use ecc_pp1_redc (benchmarking only). * testsuite/ecc-redc-test.c (test_main): Replace use of ecc_generic_redc by ecc_pp1_redc and ecc_pm1_redc. * eccdata.c (output_curve): Don't output ecc_redc_g. * ecc-internal.h (struct ecc_curve): Deleted unused field redc_g. Updated all instances. 2014-08-27 Niels Möller * ecc-modq.c (ecc_modq_inv): Use q_bit_size. * ecc-internal.h (struct ecc_curve): New field q_bit_size. Updated all instances. * configure.ac: Bumped package version number to 3.1. (LIBHOGWEED_MAJOR): Bumped library version to 4.0. Merged curve25519 changes (starting at 2014-07-04). * Makefile.in (clean-here): Added ecc-25519.h. 2014-08-26 Niels Möller * examples/ecc-benchmark.c (bench_mul_g, bench_mul_a): Use struct ecc_curve function pointers. (bench_mul_g_eh, bench_mul_a_eh): Deleted. (bench_curve): Make modq benchmark unconditional. Use bench_mul_g and bench_mul_a also for curve25519. * testsuite/ecc-mod-test.c (test_curve): Make modq test unconditional, partially reverting 2014-07-04 change. * ecc-25519.c (ecc_25519_modq): New function. * eccdata.c (output_curve): Precomputation for curve25519 mod q. * mini-gmp.c (mpz_abs_sub_bit): Do full normalization, needed in case the most significant bit is cleared. 2014-08-25 Niels Möller * testsuite/ecdh-test.c (set_point): Check return value of ecc_point_set. (test_main): Enable curve25519 test. * ecc-point-mul-g.c (ecc_point_mul_g): Use ecc->mul_g and ecc->h_to_a function pointers. * ecc-point-mul.c (ecc_point_mul): Use the ecc->mul and ecc->h_to_a function pointers. * ecc-internal.h (ecc_mul_g_func, ecc_mul_func, ecc_h_to_a_func): New typedefs. (struct ecc_curve): New function pointers mul, mul_g, h_to_a, and constans for their scratch requirements. Updated all instances. * ecc-point.c (ecc_point_set): Handle curve25519 as a special case, when checking if the point is on the curve. 2014-08-24 Niels Möller * testsuite/ecdh-test.c: Test ecc_point_mul and ecc_point_mul_g, using test data generated by ecc-ref.gp. Tests for all curves except curve25519, which doesn't yet work with the general ecc_point interface. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdh-test.c. * misc/ecc-ref.gp: Script to generate ECDH test data. 2014-08-23 Niels Möller * ecc-a-to-j.c (ecc_a_to_j): Deleted INITIAL argument. * ecc.h (ecc_a_to_j): Updated prototype. * ecc-mul-a.c (ecc_mul_a, table_init): Updated calls to ecc_a_to_j. * ecc-mul-a.c (ecc_mul_a): Deleted INITIAL argument, all callers, except the tests, pass 1. Updated all callers. (table_init): Likewise deleted INITIAL. * ecc.h (ecc_mul_a): Updated prototype. * testsuite/ecc-mul-a-test.c (test_main): Deleted tests for ecc_mul_a with INITIAL == 0. * ecc-internal.h (struct ecc_curve): Reordered struct, moved function pointers before pointers to bignum constants. * sec-modinv.c (sec_modinv): Document that for a == 0 (mod m), we should produce the "inverse" 0. * testsuite/ecc-modinv-test.c (test_main): Check that ecc_modp_inv produces 0 if a == 0 or a == p. 2014-08-22 Niels Möller * x86_64/ecc-25519-modp.asm: New file. Assembly implementation, initial version yields 30% speedup of ecc_25519_modp. Early folding eliminates one pass of carry propagation, and yields almost 20% additional speedup. * ecc-25519.c [HAVE_NATIVE_ecc_25519_modp]: Use assembly version if available. * configure.ac (asm_hogweed_optional_list): Added ecc-25519-modp.asm. Also add HAVE_NATIVE_ecc_25519_modp to config.h.in. 2014-08-19 Niels Möller * examples/ecc-benchmark.c (bench_curve): Support benchmarking of curve25519, for now handled as a special case. (curves): Added nettle_curve25519. (bench_dup_eh, bench_add_eh, bench_add_ehh, bench_mul_g_eh): New functions. 2014-08-18 Niels Möller * testsuite/curve25519-dh-test.c (test_a): Use curve25519_mul. (test_main): Use little-endian inputs for test_a. (curve25519_sqrt, curve_25519): Deleted static helper functions, no longer needed. * curve25519-mul.c (curve25519_mul): New file and function. * curve25519.h (curve25519_mul): Declare it. * Makefile.in (hogweed_SOURCES): Added curve25519-mul.c. * curve25519-mul-g.c (curve25519_mul_g): Renamed file and function, updated callers. * curve25519-base.c (curve25519_base): ... old names. * Makefile.in (hogweed_SOURCES): Updated for rename. * eccdata.c (output_curve): Compute constants needed for Shanks-Tonelli. * ecc-25519.c (ecc_modp_powm_2kp1, ecc_25519_sqrt): New functions. * ecc-internal.h (ecc_25519_sqrt): Declare it. 2014-08-06 Niels Möller * testsuite/curve25519-dh-test.c (test_g): Use curve25519_base. (test_main): Use little-endian inputs for test_g. * curve25519-base.c (curve25519_base): New file, new function. Analogous to NaCl's crypto_scalarmult_base. * curve25519.h: New file. * Makefile.in (hogweed_SOURCES): Added curve25519-base.c. (HEADERS): Added curve25519.h. * gmp-glue.c (mpn_set_base256_le, mpn_get_base256_le): New functions. * gmp-glue.h: Declare them. 2014-08-02 Niels Möller * testsuite/curve25519-dh-test.c (curve25519_sqrt): Fixed memory leak, a mpz_clear call was missing. * ecc-internal.h (ECC_MUL_A_EH_WBITS): Set to 4, to enable window-based scalar multiplication. * ecc-mul-a-eh.c (table_init) [ECC_MUL_A_EH_WBITS > 0]: Fixed initialization of TABLE(1). 2014-07-29 Niels Möller * ecc-internal.h (ECC_MUL_A_EH_WBITS): New constant. (ECC_A_TO_EH_ITCH, ECC_MUL_A_EH_ITCH): New macros. * ecc-a-to-eh.c (ecc_a_to_eh, ecc_a_to_eh_itch): New file, new functions. * ecc-mul-a-eh.c: New file. (ecc_mul_a_eh): New function. The case [ECC_MUL_A_EH_WBITS > 0] not yet working). (ecc_mul_a_eh_itch): New function. * ecc.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added ecc-a-to-eh.c and ecc-mul-a-eh.c. * testsuite/curve25519-dh-test.c (curve25519_sqrt): New function. (curve_25519): Use ecc_mul_a_eh. (test_a): New function. (test_main): Test construction of shared secret, using scalar multiplication with points other than the fix generator. 2014-07-26 Niels Möller * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need. * ecc-internal.h (ECC_ADD_EHH_ITCH): Reduced to 7*size. 2014-07-23 Niels Möller * testsuite/curve25519-dh-test.c: New test case, based on draft-josefsson-tls-curve25519-05 test vectors. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dh-test.c. 2014-07-18 Niels Möller * ecc-mul-g-eh.c (ecc_mul_g_eh, ecc_mul_g_eh_itch): New file and functions. Untested. * ecc.h (ecc_mul_g_eh_itch): Declare new functions. * ecc-internal.h (ECC_MUL_G_EH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-mul-g-eh.c. 2014-07-17 Niels Möller * ecc-add-eh.c (ecc_add_eh): Reduce scratch need. * ecc-internal.h (ECC_ADD_EH_ITCH): Reduced to 6*size. * testsuite/curve25519-dup-test.c (test_main): Free allocated storage. 2014-07-15 Niels Möller * ecc-add-eh.c (ecc_add_eh, ecc_add_eh_itch): New file, new functions. * ecc.h: Declare new functions. * ecc-internal.h (ECC_ADD_EH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-add-eh.c. * testsuite/curve25519-add-test.c (test_main): Test ecc_add_eh. Additional test for g2+g2. Free allocated storage. 2014-07-14 Niels Möller * testsuite/curve25519-add-test.c: New test case. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-add-test.c. * ecc-add-ehh.c (ecc_add_ehh, ecc_add_ehh_itch): New file, new functions. * ecc.h (ecc_add_ehh, ecc_add_ehh_itch): Declare them. * ecc-internal.h (ECC_ADD_EHH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-add-ehh.c. * ecc-25519.c (nettle_curve25519): Use ecc_d instead of ecc_b. * eccdata.c: For curve25519, output the Edwards curve constant, ecc_d = (121665/121666) mod p. * testsuite/curve25519-dup-test.c (test_main): Add test for 4g. Delete some left-over debug output. 2014-07-11 Niels Möller * misc/ecc-formulas.tex: Some ECC notes. * testsuite/curve25519-dup-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dup-test.c. * testsuite/testutils.c (test_ecc_point): Made non-static. * testsuite/testutils.h (struct ecc_ref_point): Moved here, from testutils.h. (test_ecc_point): Declare it. * ecc-dup-eh.c (ecc_dup_eh, ecc_dup_eh_itch): New file, new functions. * ecc-eh-to-a.c (ecc_eh_to_a, ecc_eh_to_a_itch): New file, new functions. * ecc.h: Declare new functions. * ecc-internal.h (ECC_EH_TO_A_ITCH, ECC_DUP_EH_ITCH): New macros. * Makefile.in (hogweed_SOURCES): Added ecc-dup-eh.c and ecc-eh-to-a.c. * ecc-internal.h (struct ecc_curve): New constant edwards_root. * ecc-192.c (nettle_secp_192r1): Updated accordingly, additional NULL pointer. * ecc-224.c (nettle_secp_224r1): Likewise. * ecc-256.c (nettle_secp_256r1): Likewise. * ecc-384.c (nettle_secp_384r1): Likewise. * ecc-521.c (nettle_secp_521r1): Likewise. * ecc-25519.c (nettle_curve25519): Initialize new constant. * eccdata.c (ecc_curve_init): For curve 25519, use correct constant for edwards coordinate transform, and output the constant as ecc_edwards. 2014-07-06 Niels Möller * eccdata.c: Use separate is_zero flag to represent the neutral element. (output_point, output_point_redc): Unified to a single function, with a use_redc flag argument. Also support conversion to Edwards form. (ecc_curve_init_str): New argument for Edwards curve conversion constant. 2014-07-04 Niels Möller Started curve25519 branch. * ecc-25519.c: New file. (ecc_25519_modp): New function. (nettle_curve25519): New curve. * ecc-curve.h (nettle_curve25519): Declare it. * Makefile.in (hogweed_SOURCES): Added ecc-25519.c. (ecc-25519.h): New generated file. Add as explicit dependency for ecc-25519.o. * testsuite/ecc-mod-test.c (test_curve): New function, extracted from test_main. Tolerate NULL modq function pointer. (test_main): Use test_curve, iterate over supported curves, and also test curve_25519 for the new modp function. 2014-08-23 Niels Möller * ecc-modp.c (ecc_modp_sub_1): Deleted unused function. * ecc-internal.h: Deleted corresponding declaration. * examples/nettle-benchmark.c (time_cipher): Fixed memset calls, amending the totally broken change from 2014-02-06. 2014-07-02 Niels Möller * eccdata.c (ecc_dup): Use mpz_submul_ui, now available in mini-gmp. (ecc_type): New enum, for Weierstrass and Montgomery curves (ecc_curve): New field type. (ecc_dup): Support montgomery curves. (ecc_add): Likewise. (ecc_curve_init_str): New argument, for the curve type. (ecc_curve_init): Pass curve type to all ecc_curve_init_str calls. Recognize curve25519, for bit_size 255. (output_modulo): Deleted assert, which isn't true for curve25519. 2014-06-30 Niels Möller * camellia-absorb.c: Include , needed for correct use of HAVE_NATIVE_64_BIT. Reported and debugged by Magnus Holmgren. Fixes debian build failure on s390x. 2014-06-26 Niels Möller From Martin Storsjö: * configure.ac (IF_NOT_SHARED): New substituted variable. * hogweed.pc.in: Use @LIBS@, instead of hardcoding -lgmp. When shared libraries are disabled, move needed libraries from Requires.private: to Requires: and from Libs.private: to Libs:. From Nikos Mavrogiannopoulos. * examples/hogweed-benchmark.c (bench_alg): Tolerate alg->init returning NULL. (bench_openssl_ecdsa_init): Return NULL if EC_KEY_new_by_curve_name fails, indicating the curve is not supported. 2014-06-25 Niels Möller Support for building with mini-gmp instead of the real GMP. Loosely based on work by Nikos Mavrogiannopoulos. * configure.ac: New command line option --enable-mini-gmp. Also disable all libgmp-related checks when enabled. (NETTLE_USE_MINI_GMP): New substituted variable. (LIBHOGWEED_LIBS): Use $(LIBS) instead of -lgmp. (IF_MINI_GMP): New Makefile conditional. (GMP_NUMB_BITS): Alternative test for the mini-gmp case. Substituted also in bignum.h. (HAVE_MPZ_POWM_SEC): Drop this unused check. * bignum.h: Renamed, to... * bignum.h.in: New name. (NETTLE_USE_MINI_GMP): Substituted by configure. (GMP_NUMB_BITS): Substituted by configure, for the mini-gmp case. * Makefile.in (OPT_HOGWEED_SOURCES): New variable, value conditional on @IF_MINI_GMP@. (hogweed_SOURCES): Add $(OPT_HOGWEED_SOURCES). (PRE_CPPFLAGS): Add -I$(srcdir). (HEADERS): Delete bignum.h. (INSTALL_HEADERS): Add bignum.h. Also add mini-gmp.h, if mini-gmp is enabled. (DISTFILES): Added bignum.h.in. (bignum.h): New target. (distclean-here): Delete bignum.h. * examples/ecc-benchmark.c (modinv_gcd) [NETTLE_USE_MINI_GMP]: Disable this benchmark. (mpn_random) [NETTLE_USE_MINI_GMP]: Provide a simple implementation. * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Skip test, it depends on gmp_randstate_t. * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-mul-a-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-mul-g-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Likewise. Various preparations for mini-gmp support. * testsuite/bignum-test.c: Use WITH_HOGWEED instead of HAVE_LIBGMP for preprocessor conditionals. * testsuite/testutils.h: Likewise. * testsuite/sexp-format-test.c: Likewise. * testsuite/ecdsa-keygen-test.c (test_main): Use printf, mpz_out_str and write_mpn instead of gmp_fprintf. * testsuite/ecdsa-sign-test.c (test_ecdsa): Likewise. * testsuite/ecdsa-verify-test.c (test_ecdsa): Likewise. * dsa.h: Include bignum.h instead of gmp.h. * ecc-internal.h: Likewise. * ecc.h: Likewise. * gmp-glue.h: Likewise. * pkcs1.h: Likewise. * rsa.h: Likewise. * testsuite/testutils.c (die): Use plain vfprintf, not gmp_vfprintf. (write_mpn): New function. (test_ecc_point): Use it, replacing gmp_fprintf. * testsuite/testutils.h (write_mpn): Declare it. * der-iterator.c: Deleted HAVE_LIBGMP conditionals. 2014-06-07 Niels Möller * Released nettle-3.0. 2014-06-04 Niels Möller * NEWS: List des-compat.h as a candidate for removal in the next release. * testsuite/des-compat-test.c (test_main): Fixed out of bounds memory read, reported by Nikos Mavrogiannopoulos. * nettle-write.h: Include , fixing compilation on freebsd. * aclocal.m4 (ac_stdint): Fixed "unsinged" typo, spotted by Andy Goth. 2014-06-01 Niels Möller * x86_64/gcm-hash8.asm: Pass correct argument count to W64_EXIT. * x86_64/camellia-crypt-internal.asm: Pass correct argument count to W64_ENTRY and W64_EXIT. * x86_64/machine.m4 [W64_ABI]: Fix for the case of 6 function arguments. Also push %rdi unconditionally, and use aligned accesses for save and restore %xmm registers (movdqa). 2014-05-31 Niels Möller * configure.ac: Check for COFF type directives. (ASM_COFF_STYLE): New substituted variable. * config.m4.in: Set COFF_STYLE from configure. * asm.m4 (PROLOGUE): Use COFF type directive, if enabled by configure. Fixes problem with windows dll linking. * asm.m4: Deleted unused offsets for struct aes_ctx. 2014-05-28 Niels Möller * testsuite/nettle-pbkdf2-test: Delete carriage return characters from output. * configure.ac (LIBHOGWEED_LIBS): Be explicit and link libhogweed.so with libnettle.so, not -lnettle. (LIBHOGWEED_LINK): Drop -L. flag, no longer needed, and previously not at the correct position in the link command line. 2014-05-27 Niels Möller * examples/ecc-benchmark.c: If mpn_sec_powm is available, benchmark it, for modinv. (bench_modinv_powm): New function. (bench_curve): Use it. 2014-05-22 Niels Möller From Claudio Bley: * Makefile.in ($(des_headers)): Use the EXEEXT_FOR_BUILD. 2014-05-15 Niels Möller * NEWS: Updated with library version numbers. * configure.ac (dummy-dep-files): Use simpler and more portable sed expression. Problem reported by Peter Eriksson. (LIBHOGWEED_MAJOR): Bumped shared library version to 3.0. (LIBHOGWEED_MINOR): Reset to zero. Also increased the package version number to 3.0. * getopt.c: Don't use gettext. 2014-05-14 Niels Möller * testsuite/nettle-pbkdf2-test: Avoid the bash construction ${#foo}. * getopt.c: Copied from glibc tree, tag glibc-2.19. * getopt.h: Likewise. * getopt1.c: Likewise. * getopt_int.h: New file, also copied from glibc. * Makefile.in (DISTFILES): Added getopt_int.h. 2014-05-09 Niels Möller * mini-gmp.c: Updated, use version from gmp-6.0.0. * mini-gmp.h: Likewise. * testsuite/Makefile.in (all): Drop dependency on $(TARGETS), to delay building of test programs until make check. 2014-05-08 Niels Möller * nettle.texinfo (nettle_aead abstraction): Document nettle_aead. * Makefile.in (nettle_SOURCES): Added nettle-meta-aeads.c. * nettle-meta.h (nettle_aeads): Declare array. * nettle-meta-aeads.c (nettle_aeads): New file, new array. * testsuite/meta-aead-test.c: New test case. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added meta-aead-test.c. * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): If CC_FOR_BUILD is gcc, add -O option. This makes eccdata twice as fast. 2014-05-06 Niels Möller * nettle.texinfo: Document SHA3 and ChaCha-Poly1305 as experimental. 2014-05-05 Niels Möller * nettle.texinfo (POLY1305): Document poly1305-aes. (Authenticated encryption): Move AEAD algorithms to their own section. (RSA, DSA, ECDSA): Change some subsections to subsubsections. (ChaCha-Poly1305): Document ChaCha-Poly1305. 2014-05-04 Niels Möller * nettle.texinfo (DSA): Document new DSA interface. (Salsa20): Update salsa20 docs. (ChaCha): Document ChaCha. 2014-05-03 Niels Möller * configure.ac: Check for SIZEOF_SIZE_T. * ccm.c (ccm_set_nonce): Skip code for 64-bit encoding when size_t is only 32 bits. * nettle.texinfo (CCM): Document new ccm macros and constants. Describe ccm restrictions. * ccm.h (CCM_DIGEST_SIZE): New constant. 2014-04-30 Niels Möller * ccm.c (CCM_IV_MAX_SIZE, CCM_IV_MIN_SIZE): Deleted, replaced by public constants CCM_MIN_NONCE_SIZE and CCM_MAX_NONCE_SIZE. (ccm_build_iv): Updated for above rename. (CCM_L_MAX_SIZE): Deleted, no longer used. * ccm.h (CCM_MIN_NONCE_SIZE, CCM_MAX_NONCE_SIZE): New constants. (CCM_MAX_MSG_SIZE): New macro. 2014-04-27 Niels Möller * nettle.texinfo (Cipher modes): Subsection on AEAD constructions. (GCM): Update GCM documentation, including functions for gcm_aes128, gcm_camellia128, ... 2014-04-26 Niels Möller * nettle.texinfo: Update for introduction of nettle_cipher_func. (GCM): Document GCM_DIGEST_SIZE. (UMAC): Document new UMAC constants. (Keyed hash functions): Make HMAC and UMAC their own info nodes. (EAX): Document EAX. * umac.h (UMAC_MIN_NONCE_SIZE, UMAC_MAX_NONCE_SIZE): New constants. 2014-04-25 Niels Möller * All hash-related files: Renamed all _DATA_SIZE constants to _BLOCK_SIZE, for consistency. Old names kept for backwards compatibility. * nettle.texinfo (CCM): Documentation for CCM mode, contributed by Owen Kirby. * testsuite/ccm-test.c (test_cipher_ccm): And tests. * ccm.c (ccm_decrypt_message): Change length argument, should now be clear text (dst) length. * ccm-aes128.c (ccm_aes128_decrypt_message): Likewise. * ccm-aes192.c (ccm_aes192_decrypt_message): Likewise. * ccm-aes256.c (ccm_aes256_decrypt_message): Likewise. * ccm.h: Updated prototypes. 2014-04-22 Niels Möller * nettle.texinfo (Recommended hash functions): Document additional sha512 variants. * sha2.h (sha512_224_ctx, sha512_256_ctx): New aliases for the sha512_ctx struct tag. 2014-04-17 Niels Möller * examples/Makefile.in (SOURCES): Deleted next-prime.c (forgotten in 2014-04-13 change). 2014-04-16 Niels Möller * testsuite/ccm-test.c (test_cipher_ccm): Deleted check for NULL authdata. * sha3-224.c (sha3_224_init): Pass pointer to context struct, not pointer to first element, to memset. * sha3-256.c (sha3_256_init): Likewise. * sha3-384.c (sha3_384_init): Likewise. * sha3-512.c (sha3_512_init): Likewise. * examples/eratosthenes.c (vector_alloc): Use sizeof(*vector) instead of explicit type in malloc call. (vector_init): Make constant explicitly unsigned long. * tools/input.c (sexp_get_quoted_char): Deleted useless for loop. 2014-04-13 Niels Möller * rsa-compat.c: Deleted file. * rsa-compat.h: Deleted file. * Makefile.in (hogweed_SOURCES): Deleted rsa-compat.c. (HEADERS): Deleted rsa-compat.h. * examples/next-prime.c: Deleted file. * bignum-next-prime.c (nettle_next_prime): Deleted file and function. * prime-list.h: Deleted file. * bignum.h (nettle_next_prime): Deleted prototype. * Makefile.in (hogweed_SOURCES): Deleted bignum-next-prime.c. (DISTFILES): Deleted prime-list.h. * examples/Makefile.in (HOGWEED_TARGETS): Deleted next-prime, and corresponding make target. 2014-04-12 Niels Möller * nettle.texinfo (Copyright): Updated licensing info. * README: Likewise. * Makefile.in (DISTFILES): Distribute new COPYING* files. * COPYING.LESSERv3: New file. * COPYINGv3: New file. * COPYING.LIB: Deleted. * COPYINGv2: New name for GPL version 2 file. * COPYING: Old name, deleted. * Update license headers for LGPL3+ and GPL2+ dual licensing. 2014-04-11 Niels Möller * testsuite/testutils.c (test_aead): Use aead->digest_size. * configure.ac: Skip GMP tests if public key support is disabled. * eax.c (block16_xor): Fixed bug effecting 32-bit platforms. * Makefile.in (DISTFILES): Deleted memxor.c, already included via nettle_SOURCES. * tools/Makefile.in (SOURCES): Add nettle-pbkdf2.c. 2014-04-10 Niels Möller From Nikos Mavrogiannopoulos: * examples/hogweed-benchmark.c (bench_openssl_ecdsa_init): Support for secp192r1 and secp256r1. (alg_list): Add them. 2014-04-09 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha512_224 and sha512_256. * testsuite/sha512-224-test.c: New file. * testsuite/sha512-256-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new files. * nettle-meta.h (nettle_sha512_224, nettle_sha512_256): Declare. * sha512-224-meta.c (nettle_sha512_224): New file, new nettle_hash. * sha512-256-meta.c (nettle_sha512_256): New file, new nettle_hash. * sha2.h (SHA512_224_DIGEST_SIZE, SHA512_224_DATA_SIZE) (SHA512_256_DIGEST_SIZE, SHA512_256_DATA_SIZE): New constants. * sha512.c (sha512_256_digest): Typo fix, call sha512_256_init. * testsuite/testutils.c (test_hash): Removed redundant init call. Tests that digest implies init. 2014-03-28 Niels Möller * testsuite/dsa-keygen-test.c (test_main): Explicitly use dsa_compat_generate_keypair. (test_main): Test dsa_generate_params and dsa_generate_keypair with a large q; p_bits = 1024, q_bits = 768. * testsuite/testutils.h: Undo dsa-compat.h name mangling. * dsa-keygen.c (dsa_generate_keypair): New interface, generating only a keypair, and no new parameters. * dsa-compat-keygen.c (dsa_compat_generate_keypair): New file. Moved old key generation function here. Use dsa_generate_keypair. 2014-03-27 Niels Möller * dsa-compat.c (dsa_public_key_init, dsa_public_key_clear) (dsa_private_key_init, dsa_private_key_clear): : Move deprecated DSA functions to a separate file... * dsa.c: ...from here. * dsa-compat.h: New file, declaring deprecated DSA interface. Include in corresponding C files. * Makefile.in (hogweed_SOURCES): Add dsa-compat.c. (HEADERS): Add dsa-compat.h. * dsa-gen-params.c (dsa_generate_params): New file and function, extracted from DSA key generation. * dsa-keygen.c (dsa_generate_keypair): Use dsa_generate_params. 2014-03-26 Niels Möller * der2dsa.c (dsa_params_from_der_iterator): Converted to new DSA interface. Allow q_size == 0, meaning any q < p is allowed. Additional validity checks. (dsa_public_key_from_der_iterator): Converted to new DSA interface. Also check that the public value is in the correct range. (dsa_openssl_private_key_from_der_iterator): Converted to new DSA interface. Additional validity checks. (dsa_openssl_private_key_from_der): Converted to new DSA interface. * tools/pkcs1-conv.c (convert_dsa_private_key): Update to use struct dsa_params, and adapt to the der decoding changes. (convert_public_key): Likewise. * examples/hogweed-benchmark.c: Update dsa benchmarking to use new DSA interface. * dsa.c (dsa_params_init, dsa_params_clear): New functions. (dsa_public_key_init): Use dsa_params_init. (dsa_public_key_clear): Use dsa_params_clear. * sexp2dsa.c (dsa_keypair_from_sexp_alist): Converted to new DSA interface. Allow q_size == 0, meaning any q < p is allowed. Additional validity checks. (dsa_sha1_keypair_from_sexp, dsa_sha256_keypair_from_sexp): Converted to new DSA interface. * dsa2sexp.c (dsa_keypair_to_sexp): Converted to new DSA interface. * tools/pkcs1-conv.c: Updated uses of dsa_keypair_to_sexp. * dsa.h (struct dsa_params): New struct. * dsa-sign.c (dsa_sign): Use struct dsa_params, with key as a separate mpz_t. * dsa-verify.c (dsa_verify): Likewise. * dsa-sha1-verify.c (dsa_sha1_verify_digest, dsa_sha1_verify): Use dsa_verify, cast the struct dsa_public_key * input to a struct dsa_params * * dsa-sha256-verify.c (dsa_sha256_verify_digest) (dsa_sha256_verify): Likewise. * dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise use dsa_sign, with a cast from struct dsa_public_key * to struct dsa_params *. * dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign): Likewise. * testsuite/testutils.c (test_dsa_verify): Use struct dsa_params. (test_dsa_key): Likewise. * testsuite/dsa-test.c (test_main): Adapt to test_dsa_key and test_dsa_verify changes. * testsuite/dsa-keygen-test.c (test_main): Adapt to test_dsa_key change. * testsuite/testutils.c (test_dsa_sign): #if out, currently unused. 2014-03-23 Niels Möller From Owen Kirby: * ccm.c: New file. * ccm.h: New file. * ccm-aes128.c: New file. * ccm-aes192.c: New file. * ccm-aes256.c: New file. * Makefile.in (nettle_SOURCES): Added ccm source files. (HEADERS): Added ccm.h. * testsuite/ccm-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ccm-test.c. 2014-03-20 Niels Möller From Joachim Strömbergson: * sha512.c (K): Indentation fix. (sha512_224_init, sha512_224_digest, sha512_256_init) (sha512_256_digest): New functions. * sha2.h: Add prototypes. (sha512_224_update, sha512_256_update): New aliases for sha512_update. 2014-03-18 Niels Möller * examples/nettle-benchmark.c (main): Add benchmarking of arcfour, salsa20 and chacha, via time_aead. * nettle-internal.c (nettle_arcfour128): Define, as a struct nettle_aead (with NULL set_nonce, update, and digest methods). * examples/nettle-openssl.c (nettle_openssl_arcfour128): Likewise. * nettle-internal.h (nettle_arcfour128) (nettle_openssl_arcfour128): Declare. * nettle-types.h (nettle_cipher_func): New typedef, similar to nettle_crypt_func, but with a const context, intended for block ciphers. * nettle-meta.h (struct nettle_cipher): Use the nettle_cipher_func type. * Many other files affected: aes*-meta.c, camellia*-meta.c, cast128-meta.c, serpent-meta.c, twofish-meta.c, cbc.[ch], ctr.[ch], ctr.[ch], des-compat.c, eax.[ch], gcm*.[ch], nettle-internal.*, testsuite/aes-test.c, examples/nettle-benchmark.c, examples/nettle-openssl.c. 2014-03-16 Niels Möller * chacha-set-key.c: Include string.h. * arcfour-meta.c: Deleted file. * nettle-meta.h (nettle_arcfour128): Deleted declaration. * nettle-meta-ciphers.c (nettle_ciphers): Deleted nettle_arcfour128 from list. * Makefile.in (nettle_SOURCES): Deleted arcfour-meta.c. * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted. * testsuite/meta-cipher-test.c: Adjust test for removal of nettle_arcfour128. 2014-03-15 Niels Möller * examples/nettle-benchmark.c (struct bench_aead_info): New struct. (bench_aead_crypt, bench_aead_update, init_nonce, time_aead): New functions, for benchmarking aead algorithms. (time_gcm, time_eax): Deleted functions. (main): Use time_aead to benchmark gcm, eax and chacha-poly1305. * salsa20.h (SALSA20_NONCE_SIZE): Renamed constant, old name SALSA20_IV_SIZE kept as an alias. (salsa20_set_nonce): Update prototype for the 2014-01-20 rename. * Makefile.in (.asm.s): Add dependencies. (.s.o, .s.po): Empty any dependency .d file. 2014-03-04 Niels Möller * testsuite/chacha-test.c (test_main): Additional test cases, for 256-bit keys. * Makefile.in (nettle_SOURCES): Deleted chacha128-set-key.c and chacha256-set-key.c. * chacha.h (CHACHA256_KEY_SIZE): Deleted. (chacha_set_key): Updated prototype. * chacha256-set-key.c (chacha256_set_key): Deleted file and function, moved to... * chacha-set-key.c (chacha_set_key): Do 256-bit keys only. Deleted length argument. Updated all callers. * chacha128-set-key.c (chacha128_set_key): Deleted file and function. Support for 128-bit chacha keys may be reintroduced later, if really needed. * chacha.h: Deleted chacha128-related declarations. * chacha-set-key.c (chacha_set_key): Drop support for 128-bit keys. * testsuite/chacha-test.c (test_main): #if:ed out all tests with 128-bit keys. 2014-02-16 Niels Möller * gcm.h: Declarations for gcm-camellia256. * gcm-camellia256.c: New file. * gcm-camellia256-meta.c: New file. * nettle-meta.h (nettle_gcm_camellia256): Declare. * Makefile.in (nettle_SOURCES): Added gcm-camellia256.c and gcm-camellia256-meta.c. * testsuite/gcm-test.c (test_main): Test cases for nettle_gcm_camellia256. * gcm.h: Include camellia.h. Declarations for gcm-camellia128. * gcm-camellia128.c: New file. * gcm-camellia128-meta.c: New file. * nettle-meta.h (nettle_gcm_camellia128): Declare. * Makefile.in (nettle_SOURCES): Added gcm-camellia128.c and gcm-camellia128-meta.c. * testsuite/gcm-test.c (test_main): Test cases for nettle_gcm_camellia128. From Nikos Mavrogiannopoulos. 2014-02-13 Niels Möller * Makefile.in (nettle_SOURCES): Added eax-aes128.c eax-aes128-meta.c. * examples/nettle-benchmark.c: Include eax.h. * nettle-meta.h (nettle_eax_aes128): Declare, moved from nettle-internal.h. * eax.h: Declare eax_aes128_ctx and related functions. Moved from nettle-internal.h (EAX_IV_SIZE): New constant. * eax-aes128-meta.c (nettle_eax_aes128): Moved definition to new file. * eax-aes128.c (eax_aes128_set_key, eax_aes128_set_nonce) (eax_aes128_update, eax_aes128_encrypt, eax_aes128_decrypt) (eax_aes128_digest): Moved functions to a new file. * nettle-internal.c: ... from old location. * nettle-internal.h: Moved eax declarations elsewhere. * tools/nettle-pbkdf2.c (main): Added missing deallocation. 2014-02-12 Niels Möller * chacha-poly1305.h: New file. * chacha-poly1305.c: New file. * chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new aead algorithm. * nettle-meta.h (nettle_chacha_poly1305): Declare. * Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and chacha-poly1305-meta.c. (HEADERS): Added chacha-poly1305.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-poly1305-test.c. * testsuite/chacha-poly1305-test.c: New file. * nettle-meta.h (struct nettle_aead): New generalized version if this struct. (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256) (nettle_eax_aes128): Declare, moved from nettle-internal.h. * nettle-internal.h (struct nettle_aead): Deleted struct, moved to nettle-meta.h. Deleted declarations of unused instances. (_NETTLE_AEAD): Deleted macro. * nettle-internal.c (nettle_eax_aes128): Updated for new nettle_aead struct. (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256): Deleted, moved to new files. * gcm-aes128-meta.c (nettle_gcm_aes128): Moved to new file, updated for new nettle_aead struct. * gcm-aes192-meta.c (nettle_gcm_aes192): Likewise. * gcm-aes256-meta.c (nettle_gcm_aes256): Likewise. * testsuite/testutils.c (test_aead): Take alternative set_nonce function as argument, and use it when nonce size differs from aead->nonce_length. * testsuite/testutils.h (test_aead): Updated prototype. * testsuite/gcm-test.c (nettle_gcm_unified_aes128): Updated for new nettle_aead struct. (test_main): Pass additional argument to test_aead. * testsuite/eax-test.c (test_main): Pass additional NULL argument to test_aead. * eax.h (EAX_DIGEST_SIZE): New constant. * gcm.h (GCM_DIGEST_SIZE): Likewise. 2014-02-10 Niels Möller * chacha-set-nonce.c (chacha_set_nonce): Renamed file and function, updated callers and Makefile.in. * chacha-set-iv.c (chacha_set_iv): ... from old names. 2014-02-08 Niels Möller * testsuite/chacha-test.c (test_chacha): For 20 rounds, use chacha_crypt, and test varying the message length. (test_main): Add second key stream block, for all testcases with 20 rounds. * chacha-crypt.c (chacha_crypt): Fixed block counter update. 2014-02-07 Niels Möller * nettle.texinfo (ASCII encoding): Document that base16_encode_update and base64_encode_update now uses dst_length as an output only. * testsuite/base64-test.c (test_main): Updated base64_decode_update test case. * sexp-transport.c (sexp_transport_iterator_first): For base64_decode_update, omit initialization of coded_length. * examples/base64dec.c (main): Likewise. * examples/base16dec.c (main): Likewise, for base16_decode_update. * base64-decode.c (base64_decode_update): Use *dst_length for output only. Don't require callers to pass a sane value. * base16-decode.c (base16_decode_update): Likewise. 2014-02-06 Niels Möller * NEWS: List _set_key incompatibilities. * nettle-meta.h (_NETTLE_CIPHER_SEP, _NETTLE_CIPHER_SEP_SET_KEY) (_NETTLE_CIPHER_FIX, _NETTLE_CIPHER): Deleted unused macros. * nettle-internal.c (nettle_blowfish128): Deleted only use of _NETTLE_CIPHER. * blowfish.c (blowfish128_set_key): New function. * blowfish.h (BLOWFISH128_KEY_SIZE): New constant. * cast128-meta.c (nettle_cast128): Deleted only use of _NETTLE_CIPHER_FIX. * examples/nettle-benchmark.c (time_cipher): Fixed memset calls. 2014-01-30 Niels Möller * Makefile.in (nettle_SOURCES): Arrange in alphabetic order. * nettle.texinfo: Updated, document size_t for length arguments. Document new AES and Camellia interfaces. * ecc-size.c (ecc_bit_size): New function. * ecc.h (ecc_bit_size): Declare it. 2014-01-29 Niels Möller * nettle-types.h (typedef nettle_set_key_func): Deleted length argument. * arctwo.c (arctwo40_set_key, arctwo64_set_key) (arctwo128_set_key, arctwo128_set_key_gutmann): New functions. * arctwo.h: Declare them. * arctwo-meta.c (ARCTWO): New macro. (nettle_arctwo40, nettle_arctwo64, nettle_arctwo128) (nettle_arctwo_gutmann128): Use new _set_key functions. * arcfour.h (ARCFOUR128_KEY_SIZE): New constant. * arcfour.c (arcfour128_set_key): New function. * arcfour-meta.c (nettle_arcfour128): Use arcfour128_set_key and ARCFOUR128_KEY_SIZE. * cast128.c (cast5_set_key): Renamed, was cast128_set_key. (cast128_set_key): New definition, with fixed key size. * cast128.h (CAST128_MIN_KEY_SIZE, CAST128_MAX_KEY_SIZE): Renamed constants, to... (CAST5_MIN_KEY_SIZE, CAST5_MAX_KEY_SIZE): ... new names. * eax.h (EAX_SET_KEY): Deleted length argument. * aes128-meta.c: Deleted _set_key wrappers. * aes192-meta.c: Likewise. * aes256-meta.c: Likewise. * camellia128-meta.c: Likewise. * camellia192-meta.c: Likewise. * camellia256-meta.c: Likewise. * gcm-aes128.c (gcm_aes128_set_key): Deleted length argument. * gcm-aes192.c (gcm_aes192_set_key): Likewise. * gcm-aes256.c (gcm_aes256_set_key): Likewise. * gcm.h: Updated prototypes. * serpent-set-key.c (serpent128_set_key, serpent192_set_key) (serpent256_set_key): New functions. * serpent.h: Declare new functions. (SERPENT128_KEY_SIZE, SERPENT192_KEY_SIZE) (SERPENT256_KEY_SIZE): New constants. * serpent-meta.c (SERPENT): New macro. (nettle_serpent128, nettle_serpent192, nettle_serpent256): Use new _set_key functions. * twofish-set-key.c (twofish128_set_key, twofish192_set_key) (twofish256_set_key): New functions. * twofish.h: Declare new functions. (TWOFISH128_KEY_SIZE, TWOFISH192_KEY_SIZE) (TWOFISH256_KEY_SIZE): New constants. * twofish-meta.c (TWOFISH): New macro. (nettle_twofish128, nettle_twofish192, nettle_twofish256): Use new _set_key functions. * nettle-internal.h (struct nettle_aead): Use nettle_hash_update_func for the set_iv function pointer. * nettle-internal.c (des_set_key_hack, des3_set_key_hack): Deleted wrapper functions. (chacha_set_key_hack): Deleted length argument. Use chacha256_set_key. (salsa20_set_key_hack): Deleted length argument. Use salsa20_256_set_key. (nettle_unified_aes128, nettle_unified_aes192) (nettle_unified_aes256): Deleted, moved to test program. (eax_aes128_set_key): Deleted length argument. Use EAX_SET_KEY. * examples/nettle-benchmark.c: Updated for _set_key changes. * examples/nettle-openssl.c: Likewise. * testsuite/testutils.c: Likewise. * testsuite/gcm-test.c: Likewise. * testsuite/aes-test.c (UNIFIED_AES): New macro. Moved glue for testing the old aes interface (struct aes_ctx) here. * testsuite/arcfour-test.c (test_arcfour): New function, for key sizes != 128 bits. (test_main): Use it. * testsuite/blowfish-test.c (test_blowfish): New function. (test_main): Use it. Also deleted old #if:ed out code. * testsuite/cast128-test.c (test_cast5): New function. (test_main): Use it, for 40-bit and 80-bit tests. * testsuite/serpent-test.c (test_serpent): New function. (test_main): Use it. 2014-01-27 Niels Möller * eax.h (struct eax_key, struct eax_ctx): Use union nettle_block16, for alignment. * eax.c: Updated everything to use nettle_block16. (block16_xor): New function. * examples/nettle-benchmark.c (time_eax): New function. (main): Use it. * x86_64/chacha-core-internal.asm: Use pshufhw + pshuflw for the 16-bit rotate. * configure.ac (asm_replace_list): Added chacha-core-internal.asm. * x86_64/chacha-core-internal.asm: New file. * examples/nettle-benchmark.c (main): Add benchmarking of chacha. * nettle-internal.c (nettle_chacha): New const struct, for the benchmark. Chacha implementation, based on contribution by Joachim Strömbergson. * chacha.h: New file. * chacha256-set-key.c (chacha256_set_key): New file and function. * chacha128-set-key.c (chacha128_set_key): New file and function. * chacha-set-key.c (chacha_set_key): New file and function. * chacha-set-iv.c (chacha_set_iv): New file and function. * chacha-core-internal.c (_chacha_core): New file and function. * chacha-crypt.c (chacha_crypt): New file and function. * Makefile.in (nettle_SOURCES): Added chacha files. (HEADERS): Added chacha.h. * testsuite/chacha-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-test.c. 2014-01-26 Niels Möller * nettle-internal.h (_NETTLE_AEAD_FIX): Renamed to... (_NETTLE_AEAD): ... new name, and deleted old definition. Also use _set_nonce instead of _set_iv. * nettle-internal.c (nettle_gcm_aes128, nettle_gcm_aes192) (nettle_gcm_aes256): Define in terms of new interface. (nettle_eax_aes128): Updated for _NETTLE_AEAD changes. * testsuite/gcm-test.c (test_gcm_hash): Likewise use struct gcm_aes128_ctx. (test_main): Added a testcase using the old interface based on struct gcm_aes_ctx. * examples/nettle-benchmark.c (time_gcm): Update to use new struct gcm_aes128_ctx. Also use name "gcm-aes128" in output. * gcm.h: New interface for gcm_aes128, gcm_aes192, gcm_aes256, using the new AES interface. (GCM_CTX): Reorder fields, putting the cipher context last. * Makefile.in (nettle_SOURCES): Added gcm-aes128.c, gcm-aes192.c, and gcm-aes256.c. * gcm-aes128.c: New file. * gcm-aes192.c: New file * gcm-aes256.c: New file. 2014-01-25 Niels Möller * gcm.h (GCM_SET_KEY): Deleted length argument. * gcm-aes.c (gcm_aes_set_key): Use aes_set_encrypt_key and gcm_set_key, can no longer use GCM_SET_KEY macro. 2014-01-23 Niels Möller * testsuite/gcm-test.c (test_main): Use the correct nettle_gcm_aes128/192/256 object. 2014-01-21 Niels Möller Merged camellia-reorg changes (starting at 2013-10-07). 2013-10-10 Niels Möller * Makefile.in (nettle_SOURCES): Updated list of camellia files. * testsuite/camellia-test.c (test_invert): Updated for new camellia interface. * camellia.h: Reorganized camellia interface, with distinct context structs and functions for camellia128 and camellia256. * camellia-meta.c: Deleted file. * camellia256-meta.c: New file. * camellia192-meta.c: New file. * camellia128-meta.c: New file. * camellia-set-decrypt-key.c: Deleted file, code moved to: * camellia128-set-decrypt-key.c: New file. (camellia128_invert_key, camellia128_set_decrypt_key): New functions. * camellia256-set-decrypt-key.c: New file. (camellia256_invert_key, camellia256_set_decrypt_key) (camellia192_set_decrypt_key): New functions. * camellia-invert-key.c (_camellia_invert_key): New file and function. * camellia-set-encrypt-key.c: Deleted file, code moved to: * camellia128-set-encrypt-key.c: New file. (camellia128_set_encrypt_key): New function. * camellia256-set-encrypt-key.c: New file. (_camellia256_set_encrypt_key, camellia256_set_encrypt_key) (camellia192_set_encrypt_key): New functions. * camellia-absorb.c (_camellia_absorb): New file and function. * camellia-internal.h: Moved key schedule macros here. * camellia-crypt.c: Deleted file, code moved to: * camellia128-crypt.c (camellia128_crypt): New file and function. * camellia256-crypt.c (camellia256_crypt): New file and function. 2013-10-07 Niels Möller * configure.ac: Delete check for ALIGNOF_UINT64_T, no longer needed. * config.m4.in: Likewise delete ALIGNOF_UINT64_T. * camellia-crypt.c (camellia_crypt): Updated call to _camellia_crypt. * camellia-internal.h (_camellia_crypt): Updated prototype. * camellia-crypt-internal.c (_camellia_crypt): Take separate arguments for rounds and subkey array. * x86_64/camellia-crypt-internal.asm: Likewise. Also corrected .file pseudo-ops. * x86/camellia-crypt-internal.asm: Likewise. 2014-01-20 Niels Möller * poly1305-internal.c (poly1305_digest): Use union nettle_block16 for s argument. * poly1305-aes.c (poly1305_aes_digest): Update for poly1305_digest change. Merged poly1305 changes (starting at 2013-11-08). * x86_64/poly1305-internal.asm: Update to new interface. poly1305_digest much simplified. * poly1305.h (struct poly1305_ctx): Moved block and index fields... (struct poly1305_aes_ctx): ... to here. * asm.m4: Delete also from the assembly definition of struct poly1305_ctx. * poly1305-internal.c (poly1305_digest): Don't do final padding here, leave that to caller. Add digest to the provided nonce s, and deleted length and dst arguments. Also reset h0-h4 to zero when done. (_poly1305_block): Renamed, from... (poly1305_block): ...old name. * poly1305-aes.c (poly1305_aes_update): New function. (poly1305_aes_digest): Update for poly1305_digest changes, do final padding here. * poly1305.c (poly1305_update): Deleted file and function. Moved to poly1305-aes.c. * Makefile.in (nettle_SOURCES): Deleted poly1305.c. 2014-01-17 Niels Möller * poly1305-internal.c (poly1305_block): Additional argument with the high bit. (poly1305_block_internal): Deleted function, code moved into the poly1305_block. (poly1305_digest): Simplified padding code, call poly1305_block with high bit 0. * poly1305.h (poly1305_block): Update prototype. * poly1305.c (poly1305_update): Call poly1305_block with high bit 1. * x86_64/poly1305-internal.asm (poly1305_block): Handle new argument. * poly1305.h (struct poly1305_ctx): Moved nonce field from here... (struct poly1305_aes_ctx): ... to here. * poly1305-aes.c (poly1305_aes_set_nonce, poly1305_aes_digest): Updated for above. * poly1305.c (poly1305_set_nonce): Deleted function. * asm.m4: Delete nonce also from the assembly definition of struct poly1305_ctx. 2014-01-16 Niels Möller * poly1305-aes.c: Include poly1305.h. Rewrite functions without using the POLY1305_* macros. * Makefile.in (HEADERS): Deleted poly1305-aes.h. * poly1305.h (POLY1305_CTX, POLY1305_SET_KEY, POLY1305_SET_NONCE) (POLY1305_DIGEST): Deleted macros. Only implemented variant is poly1305-aes. (POLY1305_DIGEST_SIZE, POLY1305_BLOCK_SIZE, POLY1305_KEY_SIZE): New constants. (POLY1305_AES_KEY_SIZE, POLY1305_AES_DIGEST_SIZE): Moved here, from poly1305-aes.h. (struct poly1305_aes_ctx): Likewise. (poly1305_aes_set_key, poly1305_aes_set_nonce) (poly1305_aes_update, poly1305_aes_digest): Likewise. * poly1305-aes.h: Deleted file, declarations moved to poly1305.h. Update all users. * poly1305-internal.c (s2, s3, s4): Fixed macros. * poly1305-aes.h (struct poly1305_aes_ctx): Replace struct aes_ctx by struct aes128_ctx. * poly1305-aes.c (poly1305_aes_set_key, poly1305_aes_digest): Update to use aes128_* functions. * poly1305.h (POLY1305_SET_KEY): Drop key size argument when calling set_key. 2013-12-19 Niels Möller * poly1305-aes.h (poly1305_aes_update): Define as an alias for poly1305_update, using preprocessor and a type cast. * poly1305-aes.c (poly1305_aes_update): Deleted function. * poly1305.h (poly1305_update): Declare. (_POLY1305_BLOCK, POLY1305_UPDATE): Deleted macros. * poly1305.c (poly1305_update): New function. 2013-11-21 Niels Möller * x86_64/poly1305-internal.asm: New file. Almost a factor of two speedup. * configure.ac (asm_replace_list): Added poly1305-internal.asm. * asm.m4: Define struct offsets for 64-bit poly1305_ctx. * poly1305.h (POLY1305_DIGEST): Pass the encrypted nonce as an additional argument to poly1305_digest. (struct poly1305_ctx): Introduce unions, to support either 26-bit or 64-bit implementation. * poly1305-internal.c (poly1305_digest): Added s argument. * poly1305.c (poly1305_set_s): Deleted function. 2013-11-12 Niels Möller * poly1305-internal.c: New file, for poly1305 functions depending on the internal mod (2^130 - 5) representation. (poly1305_block_internal): New helper function. (poly1305_block, poly1305_digest): Use it. 2013-11-08 Nikos Mavrogiannopoulos * poly1305.h: New file. * poly1305.c: New file. * poly1305-aes.h: New file. * poly1305-aes.c: New file. * Makefile.in (nettle_SOURCES): Added poly1305-aes.c and poly1305.c. (HEADERS): Added poly1305-aes.h and poly1305.h. * testsuite/poly1305-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added poly1305-test.c. * examples/nettle-benchmark.c (time_poly1305_aes): New function. (main): Benchmark poly1305. 2014-01-20 Niels Möller * Makefile.in (nettle_SOURCES): Added salsa20-set-nonce.c, salsa20-128-set-key.c, and salsa20-256-set-key.c. * salsa20.h: Declare new functions. (SALSA20_128_KEY_SIZE, SALSA20_256_KEY_SIZE): New constants. (salsa20_set_iv): Define as an alias for salsa20_set_nonce. * salsa20-set-key.c (salsa20_set_key): Use salsa20_128_set_key and salsa20_256_set_key. (salsa20_set_iv): Renamed and moved... * salsa20-set-nonce.c (salsa20_set_nonce): ... new file, new name. * salsa20-256-set-key.c (salsa20_256_set_key): New file and function. * salsa20-128-set-key.c (salsa20_128_set_key): New file and function. 2014-01-13 Niels Möller * nettle-types.h (union nettle_block16): New type, replacing union gcm_block. * gcm.h (union gcm_block): Deleted. Replaced by nettle_block16. * gcm.c: Replaced all use of gcm_block by nettle_block16. 2014-01-04 Niels Möller * config.guess: Updated to 2014-01-01 version, from git://git.sv.gnu.org/config.git. * config.sub: Likewise. * testsuite/memxor-test.c [HAVE_VALGRIND_MEMCHECK_H] (test_mark): New function. (test_memxor, test_memxor3): Use test_mark to tell valgrind the start and end of src and destination areas. * configure.ac: Check for valgrind/memcheck.h. * testsuite/Makefile.in (VALGRIND): Added --partial-loads-ok=yes, needed for the way unaligned data is handled in, e.g., memxor. 2014-01-03 Niels Möller * shadata.c (main): Zero-pad output values to 8 hex digits. * sha256.c (K): Updated table. 2013-12-17 Niels Möller * configure.ac (ASM_RODATA): New substituted variable. Needed for portability to darwin. * config.m4.in: Define RODATA, using configure variable ASM_RODATA * x86_64/gcm-hash8.asm: Use RODATA macro. * bignum-random-prime.c (_nettle_generate_pocklington_prime): Use stronger variants of Pocklington's theorem, to allow p0 of size down to bits/3. 2013-12-15 Niels Möller * nettle-internal.h (NETTLE_MAX_BIGNUM_BITS) (NETTLE_MAX_BIGNUM_SIZE): Deleted arbitrary limits. 2013-12-15 Nikos Mavrogiannopoulos Introduced TMP_GMP_ALLOC macro for temporary allocations of potentially large data, e.g, sized as an RSA key. * gmp-glue.h (TMP_GMP_DECL, TMP_GMP_ALLOC, TMP_GMP_FREE): New macros. * gmp-glue.c (gmp_alloc, gmp_free): New functions. * bignum-next-prime.c (nettle_next_prime): Use TMP_GMP_ALLOC. * bignum-random.c (nettle_mpz_random_size): Likewise. * pkcs1-decrypt.c (pkcs1_decrypt): Likewise. * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): Likewise. * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) (pkcs1_rsa_sha512_encode_digest): Likewise. * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): Likewise. * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) (pkcs1_rsa_sha1_encode_digest): Likewise. * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) (pkcs1_rsa_md5_encode_digest): Likewise. 2013-12-14 Niels Möller * x86_64/gcm-hash8.asm: Use .short rather than .hword, for compatibility with apple's assembler. 2013-12-03 Niels Möller * x86_64/sha1-compress.asm: Reorganized, to get closer to the x86 version. No difference in running time. * configure.ac (dummy-dep-files): Don't overwrite any existing dependency files. * x86_64/md5-compress.asm: New file, similar to the x86 version. 35% speedup on AMD, 15% speedup on Intel. 2013-11-25 Niels Möller * testsuite/dsa-test.c (test_main): Additional tests from NIST test vectors. * testsuite/testutils.c (test_dsa_sign, test_dsa_verify): New functions, supporting arbitrary digest size. * testsuite/testutils.h (ASSERT): Improved failure message. * dsa-verify.c (dsa_verify): Renamed, from _dsa_verify. * dsa-sign.c (dsa_sign): Renamed, from _dsa_sign. 2013-11-24 Niels Möller * testsuite/dsa-keygen-test.c (test_main): Test generating a key with 224-bit q. * dsa-verify.c (_dsa_verify): Use _dsa_hash. * dsa-sign.c (_dsa_sign): Use _dsa_hash. Fix memory leak in error case, spotted by Nikos. * dsa-keygen.c (dsa_generate_keypair): Allow q_bits == 224. * dsa-hash.c (_dsa_hash): New file and function. Allows digest sizes not matching the bitsize of q. * dsa.h (_dsa_hash): Declare it. * Makefile.in (hogweed_SOURCES): Added dsa-hash.c. 2013-11-23 Niels Möller * configure.ac: Check also for openssl/ecdsa.h. 2013-10-05 Niels Möller * Makefile.in (nettle_SOURCES): Added eax.c. (HEADERS): Added eax.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added eax-test.c. * testsuite/eax-test.c: New file. * nettle-internal.c (nettle_eax_aes128): New aead algorithm. (eax_aes128_set_key, eax_aes128_set_nonce, eax_aes128_update) (eax_aes128_encrypt, eax_aes128_decrypt, eax_aes128_digest): New functions. * eax.c: New file. * eax.h: New file. * aes.h: Fixed typo in name mangling for new aes functions. 2013-09-28 Niels Möller * Merge aes-reorg branch. Changes below, dated 2013-05-17 - 2013-08-13. 2013-08-13 Niels Möller * yarrow.h (struct yarrow256_ctx): Use aes256_ctx, not aes_ctx. * yarrow256.c: Adapted to use new aes256 interface. 2013-08-07 Niels Möller * umac.h (_UMAC_STATE): Use struct aes128_ctx, not aes_ctx. * umac-set-key.c (umac_kdf, _umac_set_key): Use aes128 interface. * umac32.c (umac32_digest): Likewise. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. 2013-06-25 Niels Möller * aes-meta.c: Deleted file. Analogous changes for new aes192 and aes256 interface. * aes.h (struct aes128_ctx): New aes128 declarations. * aes-decrypt.c (aes128_decrypt): New function. * aes-encrypt.c (aes128_encrypt): New function. * aes128-meta.c: New file. * aes128-set-encrypt-key.c (aes128_set_encrypt_key): New file and function. * aes128-set-decrypt-key.c (aes128_set_decrypt_key) (aes128_invert_key): New file and functions. * Makefile.in (nettle_SOURCES): Added aes128-set-encrypt-key.c, aes128-set-decrypt-key.c and aes128-meta.c. * nettle-internal.c (nettle_unified_aes128): For testing the old AES interface. * testsuite/aes-test.c (test_cipher2): New function. (test_main): Test both nettle_aes128 and nettle_unified_aes128. 2013-05-22 Niels Möller * Makefile.in (nettle_SOURCES): Added aes-invert-internal.c and aes-set-key-internal.c. * aes.h (AES128_KEY_SIZE, _AES128_ROUNDS): New constants. Similarly also for aes192 and aes256. * aes-internal.h: Declare new functions. * aes-set-key-internal.c (_aes_set_key): New file and funxtion extracted from aes_set_encrypt_key. * aes-set-encrypt-key.c (aes_set_encrypt_key): Use _aes_set_key. * aes-invert-internal.c (_aes_invert): New file and function, extracted from aes_invert_key. * aes-set-decrypt-key.c (aes_invert_key): Use _aes_invert. * arm/v6/aes-encrypt-internal.asm: Adapted to new interface. Unfortunately, 4% slowdown on Cortex-A9, for unknown reason. * arm/v6/aes-decrypt-internal.asm: Likewise. * arm/aes-encrypt-internal.asm: Adapted to new interface. * arm/aes-decrypt-internal.asm: Likewise. 2013-05-21 Niels Möller * sparc32/aes-encrypt-internal.asm: Adapted to new interface. * sparc32/aes-decrypt-internal.asm: Likewise. * sparc64/aes-encrypt-internal.asm: Likewise. * sparc64/aes-decrypt-internal.asm: Likewise. * x86/aes-encrypt-internal.asm: Adapted to new interface. * x86/aes-decrypt-internal.asm: Likewise. 2013-05-20 Niels Möller * x86_64/aes-encrypt-internal.asm: Adapted to new interface. * x86_64/aes-decrypt-internal.asm: Likewise. 2013-05-17 Niels Möller * aes.h (struct aes_ctx): Renamed nrounds to rounds, and moved first in the structure. * aes-set-encrypt-key.c (aes_set_encrypt_key): Updated for renaming. * aes-set-decrypt-key.c (aes_invert_key): Likewise. * aes-encrypt-internal.c (_nettle_aes_encrypt): Take rounds and subkeys as separate arguments, not a struct aes_ctx *. Updated callers. * aes-decrypt-internal.c (_nettle_aes_decrypt): Likewise. * aes-internal.h: Updated prototypes. * Start of aes-reorg changes. 2013-09-28 Niels Möller * md4.h (struct md4_ctx): Use single uint64_t variable for block count. * md4.c: Use new block count variable. * md5.c, md5.h (struct md5_ctx): Likewise. * ripemd160.c, ripemd160.h (struct ripemd160_ctx): Likewise. * sha1.c, sha1.h (struct sha1_ctx): Likewise. * sha256.c, sha2.h (struct sha256_ctx): Likewise. * testsuite/testutils.c (test_hash_large): Added simple progress indicator. * macros.h (MD_PAD): Use size argument, don't depend on sizeof of the count field(s). 2013-09-22 Niels Möller * x86_64/gcm-hash8.asm: New file. * x86_64/gcm-gf-mul-8.asm: Deleted. * configure.ac (asm_nettle_optional_list): Look for gcm-hash8.asm, not gcm-gf-mul-8.asm. * gcm.c [HAVE_NATIVE_gcm_hash8]: Make use of (optional) assembly implementation. 2013-09-21 Niels Möller * Makefile.in (des.po): Add same dependencies as for des.o. Reported by Vincent Torri. 2013-09-20 Niels Möller * testsuite/gcm-test.c: Added tests with associated data of varying size. * testsuite/testutils.c (tstring_alloc): Add NUL-termination. 2013-09-18 Niels Möller * Makefile.in: New stampfiles, libnettle.stamp and libhogweed.stamp, updated when both static and shared libraries are rebuilt. Used as link dependencies in subdirectories. * examples/Makefile.in: Make executable targets depend on ../libnettle.stamp and libhogweed.stamp, not directly on the static library files. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. 2013-09-09 Niels Möller * gcm.c [HAVE_NATIVE_gcm_gf_mul_8]: Make use of (optional) assembly implementation. * configure.ac: Support optional assembly files for both nettle and hogweed. Replaced OPT_ASM_SOURCES with OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES, and asm_optional_list with asm_nettle_optional_list and asm_hogweed_optional_list. (asm_nettle_optional_list): Added gcm-gf-mul-8.asm. 2013-06-25 Niels Möller * testsuite/gcm-test.c: Deleted redundant include of aes.h. * testsuite/testutils.c (test_aead): Allow digest size smaller than the block size. * tools/nettle-pbkdf2.c: New command line tool. * tools/Makefile.in (TARGETS): Added nettle-pbkdf2. (nettle-pbkdf2$(EXEEXT)): New target. * testsuite/nettle-pbkdf2-test: New test case. * testsuite/Makefile.in (TS_SH): Added nettle-pbkdf2-test. * tools/nettle-hash.c (digest_file): Use stack allocation for the small hex output buffer. * examples/io.c (MIN): Deleted unused macro. 2013-05-21 Niels Möller From nettle-2.7-fixes branch: * Makefile.in (distdir): Distribute files in arm/v6 subdirectory. 2013-05-20 Niels Möller * arm/v6/sha1-compress.asm: Moved into v6 directory, since it uses the v6 instruction uadd8, sel and rev. * arm/v6/sha256-compress.asm: Likewise. * nettle-types.h: Include , for size_t. 2013-05-17 Niels Möller * macros.h (ROTL32, ROTL64): Avoid undefined behaviour for zero rotation count. Unfortunately makes CAST128 a bit slower with gcc-4.6.3. * ecc-j-to-a.c (ecc_j_to_a): Fixed ecc_modp_mul call, to avoid invalid overlap of arguments to mpn_mul_n. Problem tracked down by Magnus Holmgren. 2013-05-16 Niels Möller * arm/aes-encrypt-internal.asm: New file, for pre-v6 processors. * arm/aes-decrypt-internal.asm: New file, likewise. * arm/aes.m4 (AES_FINAL_ROUND_V5): Variant without using uxtb. (AES_FINAL_ROUND_V6): New name, updated callers. (AES_FINAL_ROUND): ... old name. Also eliminated one uxtb instruction. (AES_ENCRYPT_ROUND, AES_DECRYPT): Moved macros to the files using them. * arm/v6/aes-encrypt-internal.asm: Use ALIGN macro. Use 16-byte alignment for loops. * arm/v6/aes-decrypt-internal.asm: Likewise. Also added a nop which mysteriously improves benchmark performance on Cortex-A9. 2013-05-15 Niels Möller * configure.ac (asm_path): Handle armv6 and armv7 differently from older ARMs. Add the arm/v6 directory to asm_path when appropriate. * arm/v6/aes-encrypt-internal.asm: Moved into v6 directory. Uses the uxtb instruction which is not available for older ARMs. * arm/v6/aes-decrypt-internal.asm: Likewise. 2013-05-03 Niels Möller * cast128.c: Adapt to new struct cast128_ctx. (cast128_set_key): Rewrite, eliminating lots of conditions and some false warnings. * cast128.h (struct cast128_ctx): Separate the small 5-bit rotation subkeys and the larger 32-bit masking subkeys. 2013-05-02 Niels Möller * testsuite/testutils.c (mpz_combit): Renamed. Define only if not provided GMP. Updated all uses. (mpz_togglebit): ... old name. * sexp-format.c (sexp_vformat): Use type mpz_srcptr rather than the old MP_INT *. 2013-04-26 Niels Möller * Many files: Use size_t rather than unsigned for data sizes. * x86_64/aes-encrypt-internal.asm: Accept 64-bit length. * x86_64/aes-decrypt-internal.asm: Likewise. 2013-04-25 Niels Möller * configure.ac: Changed version number, to 2.8. (LIBNETTLE_MAJOR): Bumped major number, following nettle_memxor ABI break. (LIBNETTLE_MINOR): Reset to zero. * examples/hogweed-benchmark.c: Add benchmarking of OpenSSL's RSA functions. (all functions): Deleted unneeded casts. 2013-04-24 Niels Möller * nettle.texinfo (Miscellaneous functions): Updated memxor prototype. Document memxor3. * salsa20-crypt.c (salsa20_crypt): Deleted cast of memxor argument, no longer needed. * salsa20r12-crypt.c (salsa20r12_crypt): Likewise. * sha3.c (sha3_absorb): Likewise. * memxor.h: Updated prototypes. Drop include of nettle-types.h. * memxor.c: Include nettle-types.h, for uintptr_t. Replace all internal uses of uint8_t by plain char. (memxor): Use void * rather than uint8_t * for arguments. (memxor3): Likewise. * x86_64/memxor.asm: Added nettle_ prefix to symbols. * arm/memxor.asm: Likewise. * testsuite/symbols-test: Don't allow memxor functions without nettle prefix, * memxor.h (memxor3): Added name mangling to add "nettle_" prefix to memxor and memxor3 symbols. * Makefile.in (nettle_OBJS): Deleted $(LIBOBJS), and also deleted LIBOBJS substitution. (nettle_SOURCES): Added memxor.c, to include it in the library unconditionally. * configure.ac: Deleted AC_REPLACE_FUNCS for memxor. * Released nettle-2.7. 2013-04-23 Niels Möller From Martin Storsjö: * x86_64/sha256-compress.asm: Add forgotten W64_EXIT. * x86_64/sha512-compress.asm: Likewise. * x86_64/salsa20-crypt.asm (Lpartial): Don't return via W64_EXIT within this subfunction. * x86_64/machine.m4 (W64_ENTRY): Use movdqu instead of movdqa for saving xmm registers, since the stack is not guaranteed to be 16-byte aligned on win64. Take pushed xmm registers into account when reading the fifth parameter from the stack. * Makefile.in: Consistently use EXEEXT_FOR_BUILD. 2013-04-21 Niels Möller * Makefile.in (DISTFILES): Added mini-gmp.c and mini-gmp.h. (distdir): Use find, for identifying assembly files to copy. 2013-04-18 Niels Möller * configure.ac: Recognize cpu type "arm*", not just "armv7*'. * arm/aes-encrypt-internal.asm: Updated include of aes.m4. * arm/aes-decrypt-internal.asm: Likewise. * Makefile.in (distdir): Updated for ARM reorganization. * configure.ac (asm_path): Generalized, can now be a list of directories. On ARM, check for neon instructions, and add arm/neon if appropriate. New command line options --enable-arm-neon/--disable-arm-neon, for overriding the default. arm/neon: New subdirectory, for assembly files making use of neon instructions. arm: Renamed directory, from... armv7: ...old name. * aclocal.m4 (NETTLE_CHECK_ARM_NEON): New macro. * nettle.texinfo (Keyed hash functions): Document UMAC. * umac.h (UMAC32_DIGEST_SIZE, UMAC64_DIGEST_SIZE) (UMAC96_DIGEST_SIZE, UMAC128_DIGEST_SIZE): New constants. (UMAC_DATA_SIZE): New name, for consistency with hash functions. Updated all uses. (UMAC_BLOCK_SIZE): ... old name. 2013-04-17 Niels Möller * examples/nettle-benchmark.c (main): Benchmark salsa20r12. * nettle-internal.c (nettle_salsa20r12): Cipher struct for benchmarking only. * nettle-internal.h (nettle_salsa20): Declare it. * Makefile.in (eccdata): Depend on mini-gmp files. Drop -lgmp. * eccdata.c: Use mini-gmp, to avoid gmp dependency and associated configure tests for the *build* system. Replaced mpz_submul_ui by mpz_mul_ui + mpz_sub, and gmp_printf and gmp_fprintf by calls to mpz_out_str. * mini-gmp.h, mini-gmp.c: New files, copied from gmp-5.1.1. 2013-04-16 Niels Möller * umac-set-key.c (BE_SWAP32_N): Fixed dummy definition used for big-endian systems. * Makefile.in (TARGETS): Deleted eccdata, it should be build only when public key support is enabled. (clean-here): Exlicitly list it here. * asm.m4 (m4_log2): New macro, similar to the one in gmp. (ALIGN): Changed to take alignment in bytes. Updated all callers, currently used only in x86 and x86_64 files. * umac.h (umac32_ctx, umac64_ctx, umac96_ctx, umac128_ctx): Make block count an uint64_t. Reorder some elements to put short values together. * umac-l2.c (_umac_l2, _umac_l2_final): Make count argument an uint64_t. (_umac_l2): Deleted redundant memcpy. (_umac_l2, _umac_l2_final): Store input buffer at end of the poly64/poly128 state. Deleted l1_out from corresponding context structs, and updated all callers. * configure.ac: Changed version number to 2.7. (LIBNETTLE_MINOR): Bumped library version, to 4.6. (LIBHOGWEED_MINOR): And to 2.4. * Makefile.in (distdir): Include files from armv7 subdirectory. * x86_64/umac-nh-n.asm: New file, 3.5 time speedup. * umac32.c (umac32_digest): Fix nonce caching. * umac64.c (umac64_digest): Likewise. * testsuite/umac-test.c (test_incr): New function. (test_main): Test nonce increment. * misc/umac/umac.py: UMAC reference implementation. * misc/umac/rijndael.py: AES implementation used by umac.py. * misc/umac/mkvectors: Script to generate UMAC test vectors. * misc/umac/vectors.out: Generated test vectors. * umac32.c (umac32_digest): Fix nonce increment, use INCREMENT macro. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. * macros.h (INCREMENT): Allow size == 1. 2013-04-15 Niels Möller * x86_64/umac-nh.asm: New file. 4.4 time speedup. * armv7/umac-nh-n.asm: New file. 2.0-2.3 time speedup. * testsuite/umac-test.c (test_align): Fixed memory leak. 2013-04-12 Niels Möller * armv7/umac-nh.asm: New file. 2.4 time speedup. * armv7/machine.m4 (D0REG, D1REG): New macros. * configure.ac (asm_replace_list): Added umac-nh.asm and umac-nh-n.asm. * testsuite/umac-test.c: Test different alignments for the message. 2013-04-11 Niels Möller * umac-nh-n.c (_umac_nh_n): Rewrote as a single pass over the message data. * examples/nettle-benchmark.c (time_umac): New function. (main): Call it. * umac-set-key.c (_umac_set_key): Drop byteswapping of l3_key2, it can be xored directly to the pad in native byteorder. * umac-l3.c (_umac_l3): Drop key_2 argument, let caller do that xor. Updated all callers. * umac32.c (umac32_digest): Adapt to l3 changes. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. Initial implementation of umac. * umac.h: New file. * umac-nh.c: New file. * umac-nh-n.c: New file. * umac-poly64.c: New file. * umac-poly128.c: New file. * umac-l2.c: New file. * umac-l3.c: New file. * Makefile.in (nettle_SOURCES): Added umac source files. (HEADERS): Added umac.h. * testsuite/umac-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added umac-test.c. * ecc-mul-a.c (ecc_mul_a): Avoid using mp_bitcnt_t, for compatibility with older GMP versions. * ecc-mul-g.c (ecc_mul_g): Likewise. * eccdata.c (ecc_mul_binary): Likewise. * sec-modinv.c (sec_modinv): Likewise. * x86_64/sha3-permute.asm: Go via memory for moves between general registers and xmm registers. 2013-04-06 Niels Möller From Edgar E. Iglesias: * sha3.c (_sha3_update): Fix condition for when the block buffer is full. 2013-04-04 Niels Möller * ecc-point.c (ecc_point_get): Allow NULL x or y, ignore corresponding coordinate. * nettle.texinfo (Elliptic curves): Document high-level ECDSA support. From Martin Storsjö. Fallback functions for older GMP releases. * gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): New functions. * gmp-glue.h: Declare them. (mpn_sqr): Fallback macro. * gmp-glue.h (cnd_add_n, cnd_sub_n): Moved here, define in terms of mpn_cnd_add_n and mpn_sub_n if available, otherwise in terms of mpn_addmul_1 and mpn_submul_1. This seems to be an improvement for subtraction, but more questionable for addition. * ecc-internal.h: Include gmp-glue.h. Deleted corresponding include in all files using ecc-internal.h. (cnd_add_n, cnd_sub_n): Moved from here. 2013-04-03 Niels Möller * ecc-point-mul-g.c (ecc_point_mul_g): New file and function. * ecc-point-mul.c (ecc_point_mul): New file and function. * ecc.h: Updated declarations and name mangling. * Makefile.in (hogweed_SOURCES): Added ecc-point-mul.c and ecc-point-mul-g.c. * testsuite/salsa20-test.c (test_main): Tests for salsa20r12, contributed by Nikos Mavrogiannopoulos. 2013-03-26 Niels Möller * armv7/salsa20-core-internal.asm: New file. 45% speedup. 2013-03-25 Niels Möller From Martin Storsjö: * examples/timing.c: New file, extracted from nettle-benchmark.c. * examples/timing.h: New file. * examples/Makefile.in (SOURCES): Added timing.c. (DISTFILES): Added timing.h. (BENCH_OBJS, ECC_BENCH_OBJS, HOGWEED_BENCH_OBJS): Added timing.o. * examples/nettle-benchmark.c: Use timing.h. * examples/hogweed-benchmark.c: Likewise. * examples/ecc-benchmark.c: Likewise. From Nikos Mavrogiannopoulos: * salsa20r12-crypt.c (salsa20r12_crypt): New file and function. * salsa20.h (salsa20r12_crypt): Declare. * Makefile.in (nettle_SOURCES): Added salsa20r12-crypt.c. From Martin Storsjö: * examples/hogweed-benchmark.c: Include local headers. * testsuite/ecdsa-keygen-test.c: Likewise. * x86_64/sha3-permute.asm: Workaround for Apple's assembler; write movq instructions as movd. * Makefile.in (hogweed_PURE_OBJS): Don't include OPT_ASM_SOURCES twice. 2013-03-15 Niels Möller * armv7/sha3-permute.asm: New file. 4.5 time speedup. * armv7/machine.m4 (QREG): New macro. 2013-03-14 Niels Möller * configure.ac (asm_replace_list): Added sha3-permute.asm, revering 2012-12-30 change. 34% speedup on intel i5, from 2190 cycles for the C implementation down to 1630. * armv7/sha512-compress.asm: Optimized. Keep expanded data in registers, exploit parallelism. Another 70% speedup. * testsuite/sha512-test.c (test_main): Additional test vectors, including some longer than 128 bytes. 2013-03-13 Niels Möller * armv7/sha512-compress.asm: New file, using neon instructions. 2.3 time speedup. * configure.ac (asm_replace_list): Added sha512-compress.asm. * x86_64/machine.m4 (OFFSET64): New macro. * x86_64/sha512-compress.asm: New file, 20% speedup. * sha512-compress.c (ROUND): Eliminated a temporary, analogous to sha256 change below. * x86_64/sha256-compress.asm: New file, 16% speedup (benchmarked on intel i5). 2013-03-11 Niels Möller * armv7/sha256-compress.asm: New file, 25% speedup. * configure.ac (asm_replace_list): Added sha256-compress.asm. * sha256-compress.c (ROUND): Eliminated a temporary. * armv7/sha1-compress.asm: New file, 9% speedup. * testsuite/testutils.c (test_hash): Test different alignments for the hash input. 2013-03-08 Niels Möller * armv7/aes-decrypt-internal.asm: New file, 15% speedup. * armv7/aes-encrypt-internal.asm: New file, 25% speedup. * armv7/aes.m4: New file. 2013-03-07 Niels Möller * gmp-glue.c (mpz_limbs_cmp): Don't use PTR and SIZ macros. * Makefile.in (aesdata, desdata, twofishdata, shadata, gcmdata) (eccdata): Arrange for compiling these programs for running on the build system, also when cross compiling everything else. * config.make.in (CC_FOR_BUILD, EXEEXT_FOR_BUILD): New variables. * configure.ac: Use GMP_PROG_CC_FOR_BUILD and GMP_PROG_EXEEXT_FOR_BUILD. * aclocal.m4 (GMP_PROG_CC_FOR_BUILD, GMP_PROG_CC_FOR_BUILD_WORKS) (GMP_PROG_EXEEXT_FOR_BUILD): New macros, based on GMP's. * aesdata.c: Deleted includes of config.h and nettle-types.h. Use unsigned char and unsigned long instead of stdint.h types. * desdata.c: Deleted includes of config.h and desCode.h. (main): Return 1 on invalid argument. Don't use ROR macro. Use unsigned long instead of uint32_t, and make it work if unsigned long is larger than 32 bits. * gcmdata.c: Deleted include of config.h and use UNUSED macro. * shadata.c: Likewise. * twofishdata.c: Deleted include of nettle-types.h. Use unsigned char instead of stdint.h types. * x86_64/ecc-521-modp.asm: New file. 2.4 time speedup. 2013-03-06 Niels Möller * x86_64/ecc-384-modp.asm: New file, 3 time speedup. * x86_64/ecc-256-redc.asm: New file, 2.5 time speedup. * x86_64/ecc-224-modp.asm: New file, 5 time speedup over C version. 2013-03-05 Niels Möller * configure.ac (asm_optional_list): Added ecc-521-modp.asm. * ecc-521.c: Check HAVE_NATIVE_ecc_521_modp, and use native version if available. * armv7/ecc-521-modp.asm: New file, 2 time speedup over C version. 2013-03-04 Niels Möller * configure.ac (asm_optional_list): Added ecc-384-modp.asm. Deleted bogus reference to $asm_search_list. * ecc-384.c: Check HAVE_NATIVE_ecc_384_modp, and use native version if available. * armv7/ecc-384-modp.asm: New file, 3 time speedup over C version. 2013-03-03 Niels Möller * ecc-256.c: Fixed definition of USE_REDC. 2013-03-01 Niels Möller * ecc-256.c: Check HAVE_NATIVE_ecc_256_redc, and use native version if available. * armv7/ecc-256-redc.asm: New file, 4 time speedup over C version. * testsuite/ecc-redc-test.c: Increased test count. * ecc-224.c: Check HAVE_NATIVE_ecc_224_modp, and use native version if available. * armv7/ecc-224-modp.asm: New file, 4.5 time speedup over C version. * configure.ac (asm_optional_list): Added ecc-224-modp.asm. (OPT_ASM_SOURCES): Fixed assignment. 2013-02-28 Niels Möller * x86_64/ecc-192-modp.asm: Reorganized to reduce number of additions. Use setc instruction. * examples/Makefile.in: Let $(HOGWEED_TARGETS) depend on ../libhogweed.a. * armv7/ecc-192-modp.asm: New file. 2.5 time speedup over C version. 2013-02-27 Niels Möller * ecc-192.c: Check HAVE_NATIVE_ecc_192_modp, and use native version if available. (ecc_192_modp): Fixed carry handling bug in 32-bit version. * x86_64/ecc-192-modp.asm: New file. 3.8 times speedup over C version. * configure.ac (OPT_ASM_SOURCES): New substituted variable. (asm_replace_list, asm_optional_list): New variables. For files in asm_optional_list, also add them to OPT_ASM_SOURCES and define appropriate HAVE_NATIVE_* symbols found. * Makefile.in (OPT_ASM_SOURCES): New variable. Used for setting hogweed_OBJS and hogweed_PURE_OBJS. * testsuite/ecc-mod-test.c: Increased test count. * ecc-384.c (ecc_384_modp): Fixed typo which broke carry handling in the 64-bit version. * examples/ecc-benchmark.c (bench_add_jjj): Typo fix, benchmark the right function. * gmp-glue.h: Check if GMP provides mpz_limbs_read (expected in next release). * gmp-glue.c: Use GMP's mpz_limbs_read and friends if available. Renamed all functions for consistency with GMP. Updated all callers. 2013-02-20 Niels Möller * examples/Makefile.in (HOGWEED_TARGETS): Added hogweed-benchmark$(EXEEXT). (SOURCES): Added hogweed-benchmark.c. (hogweed-benchmark$(EXEEXT)): New target. * examples/hogweed-benchmark.c: New file. * ecdsa-keygen.c (ecdsa_generate_keypair): New file and function. * Makefile.in (hogweed_SOURCES): Added ecdsa-keygen.c. * testsuite/ecdsa-keygen-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdsa-keygen-test.c. * nettle-internal.h (TMP_ALLOC): Added missing parentheses. 2013-02-18 Niels Möller * testsuite/ecdsa-verify-test.c: New testcase. * testsuite/ecdsa-sign-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdsa-sign-test.c and ecdsa-verify-test.c. * testsuite/testutils.h: Include ecdsa.h. (SHEX): Deleted const cast. * ecc-point.c: New file, struct ecc_point abstraction. * ecc-scalar.c: New file, struct ecc_scalar abstraction. * ecc-random.c (ecc_modq_random, ecc_scalar_random): New file, new functions. * ecc-hash.c (ecc_hash): New file and function. * ecc-ecdsa-sign.c: New file, low-level signing interface. * ecc-ecdsa-verify.c: New file, low-level ecdsa verify. * ecdsa-sign.c: (ecdsa_sign): New file and function. * ecdsa-verify.c (ecdsa_verify): New file and function. * ecdsa.h: New header file. * ecc.h: Declare ecc_point and ecc_scalar functions. * ecc-internal.h: Added declarations. * Makefile.in (hogweed_SOURCES): Added new source files. (HEADERS): Added ecdsa.h. * gmp-glue.c (_mpz_set_mpn): New convenience function. (_mpn_set_base256): New function. (_gmp_alloc_limbs): New function. (_gmp_free_limbs): New function. * gmp-glue.h: Corresponding declarations. Include nettle-stdinh.h. * examples/Makefile.in (HOGWEED_TARGETS): Renamed, was RSA_TARGETS. Added ecc-benchmark$(EXEEXT). (SOURCES): Added ecc-benchmark.c. (ecc-benchmark$(EXEEXT)): New target. * examples/ecc-benchmark.c: New file, benchmarking ecc primitives. 2013-02-15 Niels Möller Integrate ecc_mul_a. * ecc-a-to-j.c: New file. * ecc-add-jjj.c: New file. * ecc-mul-a.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. * testsuite/ecc-mul-a-test.c: New file. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mul-a-test.c. * testsuite/testutils.c: Removed redundant includes. (die): New function. Integrate ecc_mul_g. * ecc.h: New file. * ecc-j-to-a.c: New file. * ecc-size.c: New file. * ecc-add-jja.c: New file. * ecc-dup-jj.c: New file. * ecc-mul-g.c: New file. * sec-tabselect.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. (HEADERS): Added ecc.h * testsuite/ecc-mul-g-test.c: New file. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mul-g-test.c. * testsuite/testutils.c (xalloc_limbs): New function. (test_mpn): New function. (test_ecc_point): New function. (test_ecc_mul_a): New function. (test_ecc_mul_j): New function. * testsuite/testutils.h: Corresponding declarations. Integrate ECC internals. * ecc-curve.h: New file. * ecc-internal.h: New file. * cnd-copy.c: New file. * ecc-192.c: New file. * ecc-224.c: New file. * ecc-256.c: New file. * ecc-384.c: New file. * ecc-521.c: New file. * ecc-generic-modp.c: New file. * ecc-generic-modq.c: New file. * ecc-generic-redc.c: New file. * ecc-mod.c: New file. * ecc-modp.c: New file. * ecc-modq.c: New file. * sec-add-1.c: New file. * sec-modinv.c: New file. * sec-sub-1.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. (HEADERS): Added ecc-curve.h. (DISTFILES): Added ecc-internal.h. * testsuite/ecc-mod-test.c: New file. * testsuite/ecc-modinv-test.c: New file. * testsuite/ecc-redc-test.c: New file. * testsuite/testutils.c (ecc_curves): New constant array. * testsuite/testutils.h: Include ecc-related headers. Declare ecc_curves array. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mod-test.c ecc-modinv-test.c ecc-redc-test.c. * gmp-glue.c: New file, mpn <-> mpz conversions. * gmp-glue.h: New file. * Makefile.in: Added to hogweed_SOURCES and DISTFILES, respectively. * eccdata.c: New program, for generating ECC-related tables. * Makefile.in (ecc-192.h, ecc-224.h, ecc-256.h, ecc-384.h) (ecc-512.h): New generated files. 2013-02-19 Niels Möller * armv7/memxor.asm (memxor): Software pipelining for the aligned case. Runs at 6 cycles (0.5 cycles per byte). Delayed push of registers until we know how many registers we need. (memxor3): Use 3-way unrolling also for aligned memxor3. Runs at 8 cycles (0.67 cycles per byte) 2013-02-14 Niels Möller * configure.ac: Find GMP's GMP_NUMB_BITS. Substitute in Makefile. * config.make.in (GMP_NUMB_BITS): New variable. * examples/rsa-keygen.c (uint_arg): New function. (main): New options -s and -e, to specify key size and public exponent. Increased default key size to 2048. 2013-02-12 Niels Möller * armv7/memxor.asm (memxor): Optimized aligned case, using 3-way unrolling. 2013-02-06 Niels Möller * armv7/memxor.asm (memxor, memxor3): Optimized aligned case, now runs at 0.75 cycles/byte. * armv7/README: New file. * armv7/machine.m4: New (empty) file. * armv7/memxor.asm: Initial assembly implementation. * config.m4.in: Substitute ASM_TYPE_PROGBITS as TYPE_PROGBITS. * config.make.in: Added .s to the suffix list. * Makefile.in (.asm.s): Use a separate make target for .asm preprocessing. Include asm.d, which the corresponding dependencies. * configure.ac (asm_file_list): Collect assembly files into this variable. (asm.d): Make config.status write dependencies for .s files into asm.d. (ASM_ALIGN_LOG): Set to "no" when appropriate. (ASM_TYPE_FUNCTION): Default to "@function". (ASM_TYPE_PROGBITS): New substituted variable, set in the same way as ASM_TYPE_FUNCTION. (ASM_MARK_NOEXEC_STACK): Use TYPE_PROGBITS. (asm_path): Set up asm_path for armv7. * asm.m4: Use changecom to disable m4 quoting. Use divert to suppress output. 2013-02-05 Niels Möller * testsuite/rsa-keygen-test.c (test_main): Updated expected signatures, after the nettle_mpz_random change below. * testsuite/dsa-test.c (test_main): Likewise. Also fixed the dsa256 test to actually use the expected signature. 2013-01-31 Niels Möller * bignum-random.c (nettle_mpz_random): Increased number of extra bits to 64, following FIPS 186-3. 2013-01-16 Niels Möller * Released nettle-2.6. 2013-01-12 Niels Möller * configure.ac: Use AC_LANG_SOURCE. 2013-01-02 Niels Möller * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.5. (LIBHOGWEED_MINOR): And to 2.3. * examples/Makefile.in: Explicit rules for building objects in parent directory. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. 2013-01-01 Niels Möller * nettle.texinfo (Recommended hash functions): Document additional sha3 functions. * examples/nettle-benchmark.c (main): Benchmark additional sha3 functions. 2012-12-30 Niels Möller * sha3-224.c, sha3-224-meta.c: New files. * sha3-384.c, sha3-384-meta.c: New files. * sha3-512.c, sha3-512-meta.c: New files. * sha3.h: Prototypes for sha3 with sizes 224, 384 and 512. * nettle-meta.h: Declare nettle_sha3_224, nettle_sha3_384 and nettle_sha3_512. * Makefile.in (nettle_SOURCES): Added new sha3 files. * testsuite/sha3-224-test.c: New file. * testsuite/sha3-384-test.c: New file. * testsuite/sha3-512-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new sha3 test files. * configure.ac: Disabled use of sha3-permute.asm. 2012-12-20 Niels Möller From Tim Rühsen: * testsuite/des-compat-test.c (pt): Use proper prototype, use const. * testsuite/testutils.c (test_dsa_key): Deleted spurious semicolon. 2012-12-15 Niels Möller Based on a patch from Alon Bar-Lev: * Makefile.in (LIBTARGETS, SHLIBTARGET): Define as empty if static or shared libraries, respectively, are disabled. (TARGETS): Deleted @IF_SHARED@ conditional, now in the definition of SHLIBTARGET. From Alon Bar-Lev: * configure.ac: Check for ar program. New option --disable-static. * config.make.in (AR): Use configured value. 2012-12-13 Niels Möller * x86_64/sha3-permute.asm: Rewrote, to keep all state in registers. 2400 cycles on x86_64, only slightly faster than the current C code. 2012-12-09 Niels Möller * sha3-permute.c (sha3_permute): Rewrote to do permutation in place. 80% speedup on x86_64, 2500 cycles. 2012-12-04 Niels Möller * ctr.c (ctr_crypt): Fix bug reported by Tim Kosse. Don't increment the counter when length is zero (was broken for the in-place case). * testsuite/ctr-test.c (test_main): Added test with zero-length data. * testsuite/testutils.c (test_cipher_ctr): Check the ctr value after encrypt and decrypt. 2012-12-03 Niels Möller * sha3-permute.c (sha3_permute): Optimized, to reduce number of passes over the data. 20% speedup on x86_64, 4700 cycles. * configure.ac: Added sha3-permute.asm. * x86_64/sha3-permute.asm: New file. 30% speedup over current C code, 4300 cycles. * nettle.texinfo (Hash functions): Split into several sections, separating recommended hash functions and legacy hash functions. Document sha3-256. 2012-12-02 Niels Möller Split sha.h into new files sha1.h and sha2.h. Replaced all internal usage of sha.h in all files. * sha.h: Kept for compatibility, just includes both new files. * sha1.h: New file. * sha2.h: New file. * Makefile.in (HEADERS): Added sha1.h and sha2.h. 2012-11-28 Niels Möller From Fredrik Thulin: * testsuite/pbkdf2-test.c (test_main): Add PBKDF2-HMAC-SHA512 test cases. 2012-11-15 Niels Möller * sha3-permute.c (sha3_permute): Use ULL suffix on round constants. Avoid passing shift count 0 to ROTL64. * sha3.c (sha3_absorb): Fixed big-endian code. Need macros.h. * macros.h (LE_READ_UINT64): New macro. 2012-11-13 Niels Möller * sha3-permute.c (sha3_permute): Micro optimizations. Partial unrolling. Use lookup table for the permutation. On an x86_64, execution time reduced from appr. 13000 cycles to appr. 6000. * examples/nettle-benchmark.c (TIME_CYCLES): New macro. (bench_sha1_compress, bench_salsa20_core): Use it. (bench_sha3_permute): New function. (main): Call bench_sha3_permute. 2012-11-12 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha3_256. * sha3-permute.c: New file. Permutation function for sha3, aka Keccak. * sha3.h: New header file. * sha3.c: New file, absorption and padding for sha3. * sha3-256.c: New file. * sha3-256-meta.c: New file. * nettle-meta.h (nettle_sha3_256): Declare. * Makefile.in (nettle_SOURCES): Added sha3 files. (HEADERS): Added sha3.h. * testsuite/sha3.awk: New file. Script to extract test vectors. * testsuite/sha3-256-test.c: New file. * testsuite/sha3-permute-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha3-permute-test.c and sha3-256-test.c. (DISTFILES): Added sha3.awk. * testsuite/.test-rules.make: Added sha3 targets. * macros.h (LE_WRITE_UINT64): New macro. * write-le64.c (_nettle_write_le64): New file and function. * nettle-write.h (_nettle_write_le64): Declare. Also deleted declaration of non-existent _nettle_write_be64. * Makefile.in (nettle_SOURCES): Added write-le64.c. * macros.h (ROTL64): New macro, moved from... * sha512-compress.c (ROTL64): ... old location, deleted. * serpent-internal.h [HAVE_NATIVE_64_BIT] (DROTL32): Renamed from... (ROTL64): ... old name. (DRSHIFT32): Renamed from ... (RSHIFT64): ... old name. * serpent-encrypt.c (LINEAR_TRANSFORMATION64): Updated for above renames. * serpent-decrypt.c (LINEAR_TRANSFORMATION64_INVERSE): Likewise. 2012-11-11 Niels Möller From Nikos Mavrogiannopoulos: * nettle.texinfo (Hash functions): Added documentation for gosthash94. * examples/nettle-benchmark.c (main): Benchmark gosthash94. 2012-11-10 Niels Möller * nettle.texinfo (nettle_hashes, nettle_ciphers): Use deftypevr, not deftypevrx. Spotted by Nikos Mavrogiannopoulos. 2012-11-08 Niels Möller Gost hash function, ported from Aleksey Kravchenko's rhash library by Nikos Mavrogiannopoulos. * gosthash94.c: New file. * gosthash94.h: New file. * gosthash94-meta.c: New file. * nettle-meta.h (nettle_gosthash94): Declare. * Makefile.in (nettle_SOURCES): Added gosthash94.c and gosthash94-meta.c. (HEADERS): Added gosthash94.h. * testsuite/gosthash94-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added gosthash94-test.c. 2012-10-29 Niels Möller From Martin Storsjö: * configure.ac (dummy-dep-files): Avoid non-posix \|-operator in sed regexp. 2012-10-29 Niels Möller * x86_64/salsa20-core-internal.asm: New file. * configure.ac: Added salsa20-core-internal.asm. * examples/nettle-benchmark.c (bench_salsa20_core): New function. 2012-10-27 Niels Möller * testsuite/Makefile.in (TS_SOURCES, CXX_SOURCES): Include sources unconditionally. (TS_CXX): Moved @IF_CXX@ conditional here. (DISTFILES): Use $(SOURCES), which now includes all C source files. testutils.c was lost in a the 2012-09-20 change. * x86_64/salsa20-crypt.asm: Include x86_64/salsa20.m4. Make all exits go via .Lend and W64_EXIT. * x86_64/salsa20.m4: New file, extracted from x86_64/salsa20-crypt.asm. 2012-10-26 Niels Möller * configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LIBS): Add $(CFLAGS) on the link command line. Reported by Dennis Clarke. 2012-10-03 Niels Möller From: Nikos Mavrogiannopoulos: * testsuite/testutils.c (test_hash): On failure, print the expected and returned hash values. 2012-09-23 Niels Möller * Makefile.in (nettle_SOURCES): Added salsa20-core-internal.c. * salsa20-core-internal.c (_salsa20_core): New file and function, extracted from salsa20_crypt. * salsa20.h (_salsa20_core): Declare it. * salsa20-crypt.c (salsa20_crypt): Use _salsa20_core. 2012-09-21 Niels Möller * pbkdf2.c (pbkdf2): assert that iterations > 0. Reorganized loops. * nettle.texinfo (Cipher functions): Stress that the salsa20 hash function is not suitable as a general hash function. 2012-09-20 Simon Josefsson * pbkdf2-hmac-sha1.c, pbkdf2-hmac-sha256.c: New files. * pbkdf2.h (pbkdf2_hmac_sha1, pbkdf2_hmac_sha256): New prototypes. * Makefile.in (nettle_SOURCES): Add pbkdf2-hmac-sha1.c and pbkdf2-hmac-sha256.c. * nettle.texinfo (Key derivation functions): Improve. * testsuite/pbkdf2-test.c (test_main): Test new functions. 2012-09-20 Niels Möller * pbkdf2.c (pbkdf2): Reordered arguments, for consistency. * pbkdf2.h (PBKDF2): Analogous reordering. * testsuite/pbkdf2-test.c: Adapted to new argument order. Also use LDATA for the salt. * nettle.texinfo (Key derivation functions): Updated documented pbkdf2 prototype. * testsuite/Makefile.in (VALGRIND): New variable, to make valgrind checking easier. * configure.ac: New substitution IF_CXX, replacing CXX_TESTS. (dummy-dep-files): Handle .cxx files. * testsuite/Makefile.in: Use IF_CXX. Include dependency file for cxx-test.o. 2012-09-19 Niels Möller From Tim Rühsen: * examples/rsa-encrypt.c (main): Added missing mpz_clear. * examples/rsa-keygen.c (main): Added missing deallocation. * testsuite/meta-hash-test.c (test_main): Validate NETTLE_MAX_HASH_DIGEST_SIZE. * pbkdf2.h (PBKDF2): New macro. * testsuite/pbkdf2-test.c: Use it. 2012-09-12 Simon Josefsson * NEWS: Mention addition of PBKDF2. * pbkdf2.c (pbkdf2): New file and function. * pbkdf2.h: Declare it. * Makefile.in (nettle_SOURCES): Add pbkdf2.c. (HEADERS): Add pbkdf2.h. * nettle.texinfo (Key derivation functions): New section. * testsuite/pbkdf2-test.c: New test case. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add pbkdf2-test.c. * testsuite/.test-rules.make (pbkdf2-test): New target. 2012-09-16 Niels Möller * testsuite/: Overhaul of testsuite, affecting almost all files. + Use struct tstring for allocated strings, and deallocate before exit. + Changed most test functions to take struct tstring as arguments. + Made all test_main return on success. * testsuite/testutils.h (struct tstring): New struct type. (H2, HL, MEMEQH, SUCCESS): Deleted macros. (SHEX, SDATA): New macros. (H): Redefined to track storage. * testsuite/testutils.c (tstring_alloc): New function. (tstring_clear): New function. (tstring_data): New function. (tstring_hex): New function. (tstring_print_hex): New function. (decode_hex_length): Made static. (decode_hex): Made static. No return value, abort on error. (main): Expect test_main to return, and call tstring_clear before exit. (test_dsa_key): Added missing mpz_clear. (test_mac): Deleted unused function. * testsuite/rsa2sexp-test.c (test_main): Added missing nettle_buffer_clear. * testsuite/yarrow-test.c (open_file): Don't leak filename. (test_main): fclose input file properly. * testsuite/sexp-format-test.c (test_main): Added missing calls to nettle_buffer_clear and mpz_clear. * testsuite/serpent-test.c (tstring_hex_reverse): New function, replacing... (decode_hex_reverse): ... deleted function. (RHEX): New macro, replacing... (RH, RHL): ... deleted macros. * testsuite/rsa2sexp-test.c (test_main): Added missing nettle_buffer_clear. * testsuite/random-prime-test.c (test_main): Added missing mpz_clear. * realloc.c (nettle_realloc): Only call libc realloc if length > 0, otherwise call free. Fixes a small memory leak. (nettle_xrealloc): Likewise. * run-tests (test_program): Don't quote $EMULATOR; allow it to expand to program and arguments (e.g., valgrind). * tools/pkcs1-conv.c (convert_public_key): Added missing calls to dsa_public_key_clear and rsa_public_key_clear. (main): Added missing nettle_buffer_clear. 2012-09-10 Niels Möller * examples/eratosthenes.c (main): Explicitly deallocate storage before exit. * examples/io.c (read_file): Explicitly treat an empty file as an error. Rearrange loop, check for short fread return value. * desdata.c: Don't declare printf, include instead. Also deleted casts of printf return value. From Tim Rühsen: * examples/nettle-benchmark.c (die): Use PRINTF_STYLE attribute. * pgp-encode.c (pgp_put_rsa_sha1_signature): Deleted unused variable. * rsa2openpgp.c (rsa_keypair_to_openpgp): Likewise. * examples/base16enc.c (main): Deleted useless allocations. 2012-09-07 Niels Möller * examples/nettle-benchmark.c (die): Add NORETURN attribute. Patch from Tim Rühsen. * tools/misc.h (die, werror): Use PRINTF_STYLE and NORETURN macros for attributes. Patch from Tim Rühsen. * examples/io.h (werror): Use PRINTF_STYLE macro. 2012-08-22 Niels Möller From Sam Thursfield : * configure.ac: Make documentation optional, to avoid requiring TeX. New option --disable-documentation, and Makefile substitution IF_DOCUMENTATION. * Makefile.in: Use IF_DOCUMENTATION. 2012-07-12 Niels Möller * asm.m4 (ALIGN): Use << operator rather than **, with m4 eval. The latter is not supported by BSD m4. 2012-07-07 Niels Möller Copyright headers: Updated FSF address. Patch from David Woodhouse. * examples/Makefile.in (BENCH_LIBS): Added -lm, needed for the ldexp function. Reported by Anthony G. Basile. * configure.ac: Changed version number to 2.6. * Released nettle-2.5. 2012-07-05 Niels Möller * x86_64/salsa20-crypt.asm (salsa20_crypt): Write the 64-bit movq instructions as "movd", since that makes the osx assembler happier. Assembles to the same machine code on gnu/linux. 2012-07-03 Niels Möller * aclocal.m4 (LSH_FUNC_ALLOCA): In the config.h boilerplate, include malloc.h if it exists, also when compiling with gcc. Needed for cross-compiling with --host=i586-mingw32msvc. * examples/base16dec.c: Don't #include files using , we don't want to pick up installed versions. On windows, include , needed for _setmode. * examples/base16enc.c: Likewise. * examples/base64dec.c: Likewise. * examples/base64enc.c: Likewise * nettle.texinfo (Cipher functions): Document Salsa20. 2012-06-25 Niels Möller * pkcs1.c (_pkcs1_signature_prefix): Renamed function, adding a leading underscore. Updated all callers. * bignum-next-prime.c (nettle_next_prime): Consistently use the type nettle_random_func * (rather then just nettle_random_func) when passing the function pointer as argument. Similar change for nettle_progress_func. Should have been done for the 2.0 release, but a few arguments were overlooked. * bignum-random-prime.c (_nettle_generate_pocklington_prime) (nettle_random_prime): Likewise. * bignum-random.c (nettle_mpz_random_size, nettle_mpz_random): Likewise. * dsa-keygen.c (dsa_generate_keypair): Likewise. * dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise. * dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign): Likewise. * dsa-sign.c (_dsa_sign): Likewise. * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. * rsa-blind.c (_rsa_blind): Likewise. * rsa-decrypt-tr.c (rsa_decrypt_tr): Likewise. * rsa-encrypt.c (rsa_encrypt): Likewise. * rsa-keygen.c (rsa_generate_keypair): Likewise. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Likewise. * cbc.c (cbc_encrypt, cbc_decrypt): Similarly, use the type nettle_crypt_func * rather than just nettle_crypt_func. * ctr.c (ctr_crypt): Likewise. * gcm.c (gcm_set_key): Likewise. * testsuite/des-compat-test.c (test_main): Disable declarations of disabled functions and variables, to avoid warnings. No verbose output unless verbose flag is set. 2012-06-09 Niels Möller * examples/Makefile.in (SOURCES): Added base16dec.c, forgotten earlier. General pkcs1 signatures, with a "DigestInfo" input. Suggested by Nikos Mavrogiannopoulos. * Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-digest.c, rsa-pkcs1-sign.c, rsa-pkcs1-sign-tr.c, and rsa-pkcs1-verify.c. * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): New file and function. * pkcs1.h: Declare it. * rsa-pkcs1-verify.c (rsa_pkcs1_verify): New file and function. * rsa-pkcs1-sign.c (rsa_pkcs1_sign): New file and function. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): New file and function, contributed by Nikos Mavrogiannopoulos. * rsa.h: Declare new functions. * rsa.h (_rsa_blind, _rsa_unblind): Declare functions. * rsa-blind.c (_rsa_blind, _rsa_unblind): Functions moved to a separate file, renamed and made non-static. Moved from... * rsa-decrypt-tr.c: ... here. 2012-06-03 Niels Möller * testsuite/pkcs1-test.c (test_main): Include leading zero in expected result. * pkcs1.c (pkcs1_signature_prefix): Return pointer to where the digest should be written. Let the size input be the key size in octets, rather then key size - 1. * pkcs1-rsa-*.c: Updated for above. * rsa-*-sign.c, rsa-*-verify.c: Pass key->size, not key->size - 1. 2012-05-18 Niels Möller * pkcs1-encrypt.c (pkcs1_encrypt): New file and function. * rsa-encrypt.c (rsa_encrypt): Use pkcs1_encrypt. 2012-05-09 Niels Möller * rsa-decrypt-tr.c (rsa_decrypt_tr): Added missing mpz_clear, spotted by Nikos Mavrogiannopoulos. 2012-05-07 Niels Möller * nettle-types.h (_STDINT_HAVE_INT_FAST32_T): Define here, to force nettle-stdint.h to not try to define the int_fast*_t types. Avoids compilation problems with gnutls on SunOS-5.8, where the definitions here collide with gnulib's. 2012-04-23 Niels Möller * nettle-internal.h (NETTLE_MAX_BIGNUM_SIZE): New constant. Based on NETTLE_MAX_BIGNUM_BITS, rounded upwards. Replaced all uses of NETTLE_MAX_BIGNUM_BITS. 2012-04-19 Niels Möller * list-obj-sizes.awk: Use decimal rather than hexadecimal output. (hex2int): Use local variables. 2012-04-18 Niels Möller * x86_64/salsa20-crypt.asm: New file. 2012-04-17 Niels Möller * testsuite/salsa20-test.c (test_salsa20_stream): Check that salsa20_crypt doesn't write beyond the given destination area. (test_salsa20): Likewise. * salsa20-crypt.c: Renamed file, from... * salsa20.c: ... old name. * x86_64/machine.m4 (WREG): New macro. * salsa20.c (salsa20_hash): Deleted function, inlined into salsa20_crypt. (salsa20_set_key, salsa20_set_iv): Moved, to... * salsa20-set-key.c: ...new file. 2012-04-15 Niels Möller * testsuite/salsa20-test.c (test_salsa20_stream): New function. (test_main): Tests for encrypting more than one block at a time. 2012-04-14 Niels Möller * examples/io.c (write_file): Use write_string. * examples/Makefile.in (base64enc): New targets. Also added missing io.o dependency to several other targets. (base64dec, base16enc, base16dec): Likewise. * examples/base64enc.c: New file, based on example code contributed by Jeronimo Pellegrini. * examples/base64dec.c: Likewise. * examples/base16enc.c: Likewise. * examples/base16dec.c: Likewise. * examples/rsa-encrypt.c (process_file): Reorganized fread loop. (usage): New function. (main): Implemented --help option. * examples/rsa-decrypt.c (process_file): Improved error message for too short input file. * aes-set-decrypt-key.c (gf2_log, gf2_exp): Deleted tables. (mult, inv_mix_column): Deleted functions. (mtable): New table. (MIX_COLUMN): New macro. (aes_invert_key): Use MIX_COLUMN and mtable. * aesdata.c (compute_mtable): New table, for the inv mix column operation in aes_invert_key. 2012-04-13 Niels Möller * aes-set-encrypt-key.c (aes_set_encrypt_key): Use LE_READ_UINT32. Tabulate the needed "round constants". (xtime): Deleted function. * aes-internal.h (SUBBYTE): Cast to uint32_t. Use B0, ..., B3 macros. 2012-04-09 Niels Möller Timing resistant RSA decryption, based on RSA blinding code contributed by Nikos Mavrogiannopoulos. * rsa-decrypt-tr.c (rsa_decrypt_tr): New function. (rsa_blind): Helper function. (rsa_unblind): Helper function. * rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include nettle-meta.h, more consistent declarations of function pointer arguments. * testsuite/rsa-encrypt-test.c (test_main): Test rsa_decrypt_tr. Check for writes past the end of the message area. * Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c. * rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt. * pkcs1-decrypt.c (pkcs1_decrypt): New file and function, extracted from rsa_decrypt. 2012-04-01 Niels Möller * salsa20.c (LE_SWAP32): Typo fix for big-endian case. (QROUND): New macro. (salsa20_hash): Use it. 2012-03-31 Niels Möller * salsa20.c: (salsa20_set_iv): Deleted size argument, only one size allowed. (U8TO32_LITTLE): Deleted macro. Use LE_READ_UINT32 instead, which avoids unaligned reads. (salsa20_set_key): Rearranged slightly, to avoid unnecessary byte-to-word conversions. (LE_SWAP32): Renamed macro from... (U32TO32_LITTLE): ... old name. (U32TO8_LITTLE): Deleted macro. (salsa20_wordtobyte): Renamed function to... (salsa20_hash): ... new name. Changed output argument from byte array to word array. Use memxor3, which brings a considerable performance gain. * nettle-internal.c (salsa20_set_key_hack): Updated salsa20_set_iv call. * testsuite/salsa20-test.c (test_salsa20): Deleted iv_length argument, updated all calls. * salsa20.h (SALSA20_BLOCK_SIZE): New constant. (_SALSA20_INPUT_LENGTH): New constant. * salsa20.c: Use these constants. * salsa20.c (ROTL32): Deleted macro, use the one from macros.h instead, with reversed order of arguments. (ROTATE, XOR, PLUS, PLUSONE): Deleted macros, use ROTL32 and builtin operators directly. Unification of rotation macros. * macros.h (ROTL32): New macro, to replace (almost) all other rotation macros. * aes-set-encrypt-key.c: Include macros.h. (aes_set_encrypt_key): Use ROTL32. * aes-internal.h (ROTBYTE, ROTRBYTE): Deleted macros. * camellia-internal.h (ROL32): Deleted macro. (ROTL128): Renamed for consistency, from... (ROL128): ... old name. * camellia-crypt-internal.c: Updated for renamed rotation macros. * camellia-set-encrypt-key.c: Likewise. * cast128.c (ROL): Deleted macro. (F1, F2, F3): Updated to use ROTL32 (reversed order of arguments). Also added proper do { ... } while (0) wrappers. * ripemd160-compress.c (ROL32): Deleted macro. (R): Updated to use ROTL32 (reversed order of arguments). * serpent-internal.h (ROL32): Deleted macro. (ROTL64): Renamed (from ROL64) and reorderd arguments, for consistency. (RSHIFT64): Reordered arguments, for consistency. * serpent-decrypt.c: Updated for renamed rotation macros, with reversed argument order. * serpent-encrypt.c: Likewise. * serpent-set-key.c: Likewise. * sha1-compress.c (ROTL): Deleted macro, use ROTL32 instead. * sha256-compress.c (ROTR): Deleted macro. Replaced by ROTL32, with complemented shift count. (SHR): Deleted macro, use plain shift operator instead. * sha512-compress.c (ROTR): Deleted macro, replaced by... (ROTL64): ...new macro, with complemented shift count (SHR): Deleted macro, use plain shift operator instead. (S0, S1, s0, s1): Updated accordingly. 2012-03-30 Niels Möller * nettle-internal.c (nettle_salsa20): Cipher struct for benchmarking only. Sets a fix zero IV, and ignores block size. * nettle-internal.h (nettle_salsa20): Declare it. * examples/nettle-benchmark.c (block_cipher_p): New function. (time_cipher): Use block_cipher_p. (main): Include salsa20 in benchmark. * Makefile.in (soname link): Fixed logic. (nettle_SOURCES): Removed nettle-internal.c, so that it's not part of the library... (internal_SOURCES): ...and put it here. * testsuite/Makefile.in (TEST_OBJS): Added ../nettle-internal.o. * examples/Makefile.in (BENCH_OBJS): New variable, to simplify the nettle-benchmark rule. Also link with ../nettle-internal.o. 2012-03-29 Niels Möller Implementation of Salsa20, contributed by Simon Josefsson. * salsa20.h: New file. * salsa20.c: New file. * Makefile.in (nettle_SOURCES): Added salsa20.c (HEADERS): Added salsa20.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added salsa20-test.c. * testsuite/salsa20-test.c: New test case. * Makefile.in (soname links): Adding missing space before ]. 2012-03-23 Niels Möller * arcfour.h (arcfour_stream): Deleted obsolete prototype. 2012-03-05 Niels Möller * configure.ac (enable_shared): Build shared libraries by default. 2012-03-04 Niels Möller * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.4. (LIBHOGWEED_MINOR): And to 2.2. 2012-02-27 Niels Möller * list-obj-sizes.awk: Recognize elf64 objects. * Makefile.in (.texinfo.dvi): Pass -b option to texi2dvi. * Makefile.in (TARGETS): Added twofishdata. (SOURCES): Added twofishdata.c. (twofishdata): New rule. * twofish.c (q0, q1): Made const, and reformatted to match the twofishdata program. * twofishdata.c: Resurrected old file. Used to be called generate_q.c, when the twofish code was contributed back in 1999. * nettle.texinfo: Documentation for base16 and base64 encoding. Text contributed by Jeronimo Pellegrini , back in April 2006. 2012-02-18 Niels Möller * run-tests, getopt.c, getopt1.c, getopt.h: These files were moved to the top-level in the conversion to an independent git repository. They used to be symlinks to lsh files, from the subdirectories which use them. * Makefile.in: Build and distribute getopt files. Distribute run-tests script. * examples/Makefile.in: Adapt to getopt files and the run-tests script now located in the parent directory. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * index.html: Converted to xhtml (from lsh repository, change dated 2012-02-03). Updated git instructions. * nettle.texinfo: Updated charset declaration. * misc/plan.html: Likewise. 2012-01-17 Niels Möller * testsuite/Makefile.in (DISTFILES): Added setup-env. * examples/rsa-decrypt.c (main): Use _setmode rather than setmode, suggested by Eli Zaretskii. Affects windows builds only. * examples/rsa-encrypt.c: Likewise. * Makefile.in ($(LIBNETTLE_FORLINK)): Always create a .lib symlink to the library file. Use LN_S. ($(LIBHOGWEED_FORLINK)): Likewise. (install-shared-nettle): Use LN_S. (install-shared-hogweed): Likewise. * configure.ac: Use AC_PROG_LN_S. * config.make.in (LN_S): New substitution. * testsuite/setup-env: New file. Wine workaround. Can't get ../.lib into wine's dll search path, so create additional symlinks. * testsuite/teardown-env: ...and delete them here. Also delete file testtmp. * examples/setup-env: Similar links setup here. * examples/teardown-env: ... and deleted. 2012-01-07 Niels Möller * examples/Makefile.in (check): Add ../.lib to PATH, like in testsuite/Makefile. Needed for w*ndows. Reported by Eli Zaretskii. 2011-11-25 Niels Möller From Martin Storsjö: * x86_64/machine.m4 (W64_ENTRY, W64_EXIT): New macros for supporting W64 ABI. * x86_64: Updated all assembly files to use them. * configure.ac (W64_ABI): New variable, set when compiling for W64 ABI (64-bit M$ windows). * config.m4.in (W64_ABI): Define, from configure substitution. 2011-11-24 Niels Möller From Martin Storsjö: * examples/Makefile.in (check): Pass $(EMULATOR) and $(EXEEXT) in the environment of run-tests. * examples/rsa-encrypt-test: Use $EXEEXT and $EMULATOR. * examples/rsa-sign-test: Likewise. * examples/rsa-verify-test: Likewise. * examples/setup-env: Likewise. * testsuite/Makefile.in (check): Pass $(EXEEXT) in the environment of run-tests. * testsuite/pkcs1-conv-test: Use $EXEEXT and $EMULATOR. Ignore \r in rsa-sign output. * examples/rsa-decrypt.c (main) [WIN32]: Set stdout/stdin to binary mode. * examples/rsa-encrypt.c (main): Likewise. 2011-11-24 Niels Möller * configure.ac (HAVE_NATIVE_64_BIT): Workaround to get it set to 1 on w64. * serpent-internal.h (ROL64): Use (uint64_t) 1 rather than 1L, for M$ w64. (RSHIFT64): Likewise. Also added a missing parenthesis. 2011-11-24 Niels Möller From Martin Storsjö: * testsuite/symbols-test: Use $NM, falling back to nm if undefined. * testsuite/Makefile.in (check): Pass $(NM) in the environment of run-tests. * config.make.in (NM): Set NM. * testsuite/sexp-conv-test: Use $EMULATOR when running test programs. Also ignore \r for output in the non-canonical output formats. * testsuite/Makefile.in (check): Pass $(EMULATOR) in the environment of run-tests. * configure.ac (EMULATOR): New substituted variable. Set to wine or wine64 when cross compiling for windows, otherwise empty. * config.make.in (EMULATOR): Set from autoconf value. 2011-11-20 Niels Möller * x86/camellia-crypt-internal.asm: Take ALIGNOF_UINT64_T into account when getting the offset for the subkeys. Differs between w32 and other systems. w32 problem identified by Martin Storsjö. * config.m4.in: Define ALIGNOF_UINT64_T (from configure). * configure.ac: Check alignment of uint64_t, and also use AC_SUBST for use in config.m4.in. 2011-11-19 Niels Möller Cygwin/mingw32 improvements contributed by Martin Storsjö: * Makefile.in (IMPLICIT_TARGETS): New variable for DLL link libraries. (clean-here): Delete the DLL import libraries. * configure.ac: Setup installation of DLL files in $bindir. (IF_DLL, LIBNETTLE_FILE_SRC, LIBHOGWEED_FILE_SRC): New substitutions. * config.make.in (LIBNETTLE_FILE_SRC): Substitute new autoconf variable. (LIBHOGWEED_FILE_SRC): Likewise. * Makefile.in (install-dll-nettle, uninstall-dll-nettle): New target for installing the DLL file in $bindir. (install-shared-nettle): Conditionally depend on install-dll-nettle. Use LIBNETTLE_FILE_SRC. (uninstall-shared-nettle): Conditionally depend on install-dll-nettle. (various hogweed targets): Analogous changes. * configure.ac: Unify shared lib setup for cygwin and mingw. 2011-10-31 Niels Möller * configure.ac (LIBHOGWEED_LIBS): Typo fix for the darwin case. Spotted by Martin Storsjö. 2011-10-25 Niels Möller * configure.ac (LIBHOGWEED_LIBS): cygwin fix, added libnettle.dll.a. Reported by Volker Zell. 2011-10-18 Niels Möller * configure.ac: Improved setup för darwin shared libraries. Patch contributed by Ryan Schmidt. 2011-10-03 Niels Möller * x86_64/memxor.asm: Implemented sse2-loop. Configured at compile time, and currently disabled. * testsuite/testutils.h (ASSERT): Write message to stderr. * testsuite/memxor-test.c: Use 16-byte alignment for "fully aligned" operands. 2011-09-03 Niels Möller * x86/camellia-crypt-internal.asm: Use "l"-suffix on instructions more consistently. Reportedly, freebsd and netbsd systems with clang are more picky about this. * configure.ac: Changed version number to 2.5. * Released nettle-2.4. * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.3. * gcm-aes.c: Include config.h. * tools/nettle-lfib-stream.c: Likewise. * ripemd160-compress.c: Added missing include of config.h. Needed for correct operation on big-endian systems. 2011-09-02 Niels Möller * configure.ac: Changed version number to 2.4. * Released nettle-2.3. 2011-08-30 Niels Möller * testsuite/hmac-test.c: Added tests for hmac-ripemd160. * hmac.h: Declare hmac-ripemd160 related functions. * Makefile.in (nettle_SOURCES): Added hmac-ripemd160.c. 2011-08-30 Niels Möller * nettle.texinfo (Hash functions): Document ripemd-160. * hmac-ripemd160.c: New file. * hmac.h: Declare hmac-ripemd160 functions. 2011-08-29 Niels Möller * sha256.c (sha256_update): Updated MD_UPDATE call for new conventions. (sha256_write_digest): Use MD_PAD rather than MD_FINAL, and insert the length manually. * sha512.c: Analogous changes. * sha1.c (COMPRESS): New macro. (sha1_update): Updated MD_UPDATE call for new conventions. (sha1_digest): Use MD_PAD rather than MD_FINAL, and insert the length manually. * ripemd160.c (ripemd160_init): Use memcpy for initializing the state vector. (COMPRESS): New macro. (ripemd160_update): Use MD_UPDATE. (ripemd160_digest): Inline ripemd160_final processing. Use MD_PAD and _nettle_write_le32. (ripemd160_final): Deleted function. * ripemd160.h (struct ripemd160_ctx): Use a 64-bit block count. Renamed digest to state. * md5.c (md5_init): Use memcpy for initializing the state vector. (COMPRESS): New macro, wrapping _nettle_md5_compress. (md5_update): Use MD_UPDATE. (md5_digest): Inline md5_final processing. Use MD_PAD and _nettle_write_le32. (md5_final): Deleted. * md5.h (struct md5_ctx): Renamed some fields, for consistency. * md4.h (struct md4_ctx): Renamed some fields, for consistency. * md4.c (md4_init): Use memcpy for initializing the state vector. (md4_update): Use MD_UPDATE. (md4_digest): Inline md4_final processing, using MD_PAD. Use _nettle_write_le32. (md4_block): Renamed, to... (md4_compress): ... new name. Take ctx pinter as argument. (md4_final): Deleted function. * md2.c (md2_update): Use MD_UPDATE. * macros.h (MD_UPDATE): Added incr argument. Invoke compression function with ctx pointer as argument, rather than ctx->state. (MD_FINAL): Just pad, don't store length field. Renamed to MD_PAD. (MD_PAD): Analogous change of compression invocations. * sha512.c: (COMPRESS): New macro wrapping _nettle_sha512_compress. (sha512_update): Use MD_UPDATE. (sha512_final): Deleted function. (sha512_write_digest): Use MD_FINAL. * sha256.c (COMPRESS): New macro wrapping _nettle_sha256_compress. (SHA256_INCR): Deleted macro. (sha256_update): Use MD_UPDATE. (sha256_final): Deleted function. (sha256_write_digest): New function, replacing sha256_final, and using MD_FINAL. (sha256_digest): Use sha256_write_digest. (sha224_digest): Likewise. * tools/nettle-hash.c (list_algorithms): Fixed typo in header. * sha1.c (SHA1_DATA_LENGTH): Deleted unused macro. (sha1_init): Use memcpy to initialize the state vector. (SHA1_INCR): Deleted macro. (sha1_update): Use MD_UPDATE macro, to reduce code duplication. (sha1_digest): Use MD_FINAL macro. (sha1_final): Deleted function. * sha.h (struct sha1_ctx): Renamed attribute digest to state. * macros.h (MD_UPDATE): New macro. (MD_FINAL): New macro. 2011-08-28 Niels Möller * ripemd160.c (ripemd160_final): Use LE_WRITE_UINT32. Deleted byte swapping at the end, leaving it to ripemd160_digest. (ripemd160_digest): Use _nettle_write_le32. * Makefile.in (nettle_SOURCES): Added write-le32.c. * md5.c (md5_digest): Use _nettle_write_le32. * write-le32.c (_nettle_write_le32): New file and function. * ripemd160-compress.c (ROL32): Renamed macro (was "rol"). Deleted x86 version using inline assembly; at least gcc-4.4.5 recognizes shift-and-or expressions which are in fact rotations. (_nettle_ripemd160_compress): Use LE_READ_UINT32. * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.2. * testsuite/meta-hash-test.c: Updated for the addition of ripemd-160. * testsuite/.test-rules.make: Added rule for ripemd160-test. * examples/nettle-benchmark.c (main): Benchmark ripemd-160. 2011-08-28 Niels Möller RIPEMD-160 hash function. Ported from libgcrypt by Andres Mejia. * testsuite/ripemd160-test.c: New file. * ripemd160.h: New file. * nettle-meta.h: Declare nettle_ripemd160. * ripemd160.c: New file, ported from libgcrypt. * ripemd160-compress.c: Likewise. * ripemd160-meta.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ripemd160-test.c. * nettle-meta-hashes.c (nettle_hashes): Added nettle_ripemd160. * Makefile.in (nettle_SOURCES): Added ripemd160.c, ripemd160-compress.c, and ripemd160-meta.c. (HEADERS): Added ripemd160.h. 2011-08-10 Niels Möller * nettle.texinfo: Fixed mis-placed const in various prototypes. Spotted by Tatsuhiro Tsujikawa. 2011-07-24 Niels Möller * Makefile.in (PKGCONFIG_FILES, pkgconfigdir): New variables. (DISTFILES): Added nettle.pc.in and hogweed.pc.in. (nettle.pc, hogweed.pc): New targets (invoking config.status). (install-pkgconfig, uninstall-pkgconfig): New targets. (install-here): Depend on install-pkgconfig. (uninstall-here): Depend on uninstall-pkgconfig. (distclean-here): Delete nettle.pc and hogweed.pc. 2011-07-20 Niels Möller * configure.ac: Generate nettle.pc and hogweed.pc. * nettle.pc.in, hogweed.pc.in: New files. 2011-07-17 Niels Möller * nettle-internal.h: Added missing extern declarations. 2011-07-11 Niels Möller * configure.ac: Changed version number to 2.3. * Released nettle-2.2. * Makefile.in (DISTFILES): Distribute COPYING.LIB, not COPYING, 2011-07-07 Niels Möller * tools/misc.h (werror): Removed incorrect noreturn attribute from declaration. * examples/io.c (read_file): Bug fix, in dependence of initial size on max_size. 2011-07-01 Niels Möller * cbc.c (CBC_BUFFER_LIMIT): Reduced to 512 bytes. (cbc_decrypt): For in-place operation, use overlapping memxor3 and eliminate a memcpy. * ctr.c (ctr_crypt): Reorganized to call the encryption function with several blocks at a time. Handle the case of a single block specially. * x86_64/memxor.asm: Added ALIGN for shifting loop. Deleted obsolete ifelse. 2011-06-30 Niels Möller * configure.ac: Link in serpent-decrypt.asm, if found. * x86_64/serpent-decrypt.asm: Added an SSE2 loop, doing four blocks at a time in parallel. * x86_64/serpent-encrypt.asm: Include serpent.m4. Deleted a redundant label. * x86_64/serpent.m4: New file, with serpent-related macros. 2011-06-29 Niels Möller * x86_64/serpent-decrypt.asm: Wrote main (32-bit) loop. (SBOX0I, SBOX1I, SBOX7I): Fixed bugs. * nettle.texinfo (Copyright): Updated for license change to LGPLv2+. Updated copyright info on serpent. * NEWS: Updated information for nettle-2.2. * x86_64/serpent-decrypt.asm: New file. * x86_64/serpent-encrypt.asm: Fixed .file pseudo op. * testsuite/testutils.c (test_cipher_ctr): Display more info on failure. * examples/nettle-benchmark.c (bench_ctr): New function. (time_cipher): Also benchmark CTR mode. * configure.ac (LIBNETTLE_MINOR): Updated library version number to 4.1. (LIBHOGWEED_MINOR): And to 2.1. 2011-06-22 Niels Möller * configure.ac: Use pwd -P when examining lib directories. Link in serpent-encrypt.asm, if found. 2011-06-21 Niels Möller * serpent-decrypt.c (SBOX3_INVERSE): Eliminated temporaries. (SBOX4_INVERSE): Likewise. (SBOX5_INVERSE): Likewise. (SBOX6_INVERSE): Likewise. (SBOX7_INVERSE): Likewise. (All SBOX_INVERSE-macros): Deleted type argument, and updated users. 2011-06-20 Niels Möller * serpent-decrypt.c: Renamed arguments in sbox macros. (SBOX0_INVERSE): Eliminated temporaries. (SBOX1_INVERSE): Likewise. (SBOX2_INVERSE): Likewise. * x86_64/serpent-encrypt.asm: Added an SSE2 loop, doing four blocks at a time in parallel. * testsuite/serpent-test.c (test_main): Added some more multiple block tests. 2011-06-15 Niels Möller * configure.ac (libdir): On 64-bit Linux, we used to assume that libraries are installed according to the FHS. Since at least Fedora and Gentoo follow the FHS convention, while at least Debian doesn't, we have to try to figure out which convention is used. 2011-06-14 Niels Möller * x86_64/serpent-encrypt.asm: Slight simplification of loop logic. * x86_64/serpent-encrypt.asm: New file. 2011-06-12 Niels Möller * testsuite/serpent-test.c (test_main): Added tests with multiple blocks at a time. * serpent-encrypt.c (SBOX6): Renamed arguments. Eliminated temporaries. (SBOX7): Likewise. (All SBOX-macros): Deleted type argument, and updated users. * configure.ac: Display summary at the end of configure.. (asm_path): Set only if enable_assember is yes. 2011-06-10 Niels Möller * serpent-encrypt.c (SBOX5): Renamed arguments. Eliminated temporaries. 2011-06-09 Niels Möller * serpent-encrypt.c (SBOX4): Renamed arguments. Eliminated temporaries. * configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LINK): Cygwin fix, from Vincent Torri. 2011-06-08 Niels Möller * examples/eratosthenes.c (find_first_one): Fixed c99-style declaration. Reported by Sebastian Reitenbach. (find_first_one): Declare the lookup table as static const, and use unsigned char rather than unsigned.. 2011-06-07 Niels Möller * serpent-encrypt.c (SBOX0): Renamed arguments. Eliminated temporaries. (SBOX1): Likewise. (SBOX2): Likewise. (SBOX3): Likewise. 2011-06-06 Niels Möller * Makefile.in (DISTFILES): Added serpent-internal.h. (nettle_SOURCES): Replaced serpent.c by serpent-set-key.c, serpent-encrypt.c, and serpent-decrypt.c. * serpent.c: Replaced by several new files. * serpent-set-key.c: New file. * serpent-encrypt.c: New file. * serpent-decrypt.c: New file. * serpent-internal.h: New file. * serpent.c [HAVE_NATIVE_64_BIT]: Process two blocks at a time in parallel. Measured speedup of 10%--25% (higher for encryption) on x86_64. 2011-06-01 Niels Möller * serpent.c (ROUNDS): Deleted macro. (serpent_block_t): Deleted array typedef. (KEYXOR): New macro, replacing BLOCK_XOR. (BLOCK_COPY, SBOX, SBOX_INVERSE): Deleted macros. (LINEAR_TRANSFORMATION): Use four separate arguments. (LINEAR_TRANSFORMATION_INVERSE): Likewise. (ROUND): Take separate arguments for all input and output words. (ROUND_INVERSE): Likewise. (ROUND_LAST, ROUND_FIRST_INVERSE): Deleted macros. (serpent_set_key): Moved loop termination test. (serpent_encrypt): Rewrote with unrolling of just eight rounds, and without serpent_block_t. (serpent_decrypt): Likewise. * serpent.c: Added do { ... } while (0) around block macros. (serpent_key_t): Deleted array typedef. (ROL32, ROR32): Renamed macros, were rol and ror. (KS_RECURRENCE, KS): New macros. (serpent_key_pad): Renamed, from... (serpent_key_prepare): ...old name. (serpent_subkeys_generate): Deleted function. (serpent_set_key): Rewrote the generation of subkeys. Reduced both temporary storage and code size (less unrolling) 2011-05-31 Niels Möller * testsuite/serpent-test.c (test_main): Enabled test with short, 40-bit, key. * serpent.c (byte_swap_32): Deleted macro. (serpent_key_prepare): Use LE_READ_UINT32. Don't require aligned input, and support arbitrary key sizes. 2011-05-30 Simon Josefsson * serpent.c: Rewrite, based on libgcrypt code. License changed from GPL to LGPL. * serpent_sboxes.h: Removed. * Makefile.in: Drop serpent_sboxes.h. 2011-05-31 Niels Möller * testsuite/serpent-test.c (test_main): Added some tests for padding of keys of length which is not a multiple of four bytes. 2011-05-30 Simon Josefsson * testsuite/serpent-test.c (test_main): Add test vectors from libgcrypt. 2011-05-21 Niels Möller * dsa-keygen.c (dsa_generate_keypair): Avoid double init of mpz variable. Spotted by Nikos Mavrogiannopoulos. 2011-05-06 Niels Möller * configure.ac: Fix link flags for shared libraries on Solaris, which needs -h to set the soname. Patch contributed by Dagobert Michelsen. 2011-05-06 Niels Möller * configure.ac: New configure option --enable-gcov. * arcfour.h (arcfour_stream): Deleted obsolete define. 2011-04-27 Niels Möller * tools/nettle-hash.c (find_algorithm): Require exact match. 2011-04-15 Niels Möller Reverted broken byte-order change from 2001-06-17: * serpent.c (serpent_set_key): Use correct byteorder. (serpent_encrypt): Likewise. (serpent_decrypt): Likewise. * testsuite/serpent-test.c (decode_hex_reverse): New function. (RH, RHL): New macros. (test_main): Byte reverse inputs and outputs for the testvectors taken from the serpent submission package. Enable test vectors from http://www.cs.technion.ac.il/~biham/Reports/Serpent/. 2011-03-23 Niels Möller * tools/sexp-conv.c (xalloc): Deleted function, now it's in misc.c instead. * configure.ac: Use LSH_FUNC_STRERROR. * tools/Makefile.in (TARGETS): Added nettle-hash, and related build rules. (SOURCES): Added nettle-hash.c. * tools/misc.c (xalloc): New function. * tools/pkcs1-conv.c (main): Made the OPT_* constants local, and fixed numerical values to start with non-ASCII 0x300. * tools/nettle-hash.c: New file. 2011-03-23 Niels Möller Contributed by Daniel Kahn Gillmor: * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added meta-hash-test.c, meta-cipher-test.c, and meta-armor-test.c. * testsuite/meta-hash-test.c: New file. * testsuite/meta-cipher-test.c: New file. * testsuite/meta-armor-test.c: New file. * nettle.texinfo: Document nettle_hashes and nettle_ciphers. * nettle-meta.h: Declare algorithm lists nettle_ciphers, nettle_hashes, nettle_armors. * Makefile.in (nettle_SOURCES): Added nettle-meta-hashes.c, nettle-meta-ciphers.c, and nettle-meta-armors.c. * nettle-meta-armors.c: New file. * nettle-meta-ciphers.c: New file. * nettle-meta-hashes.c: New file. 2011-02-18 Niels Möller * arcfour.c (arcfour_stream): Deleted function. It's not very useful, and neither documented nor tested. 2011-02-16 Niels Möller * cbc.h (CBC_ENCRYPT): Avoid using NULL; we don't ensure that it is defined. (CBC_DECRYPT): Likewise. * gcm-aes.c (gcm_aes_set_iv): Use GCM_SET_IV. (gcm_aes_set_key): Deleted cast. (gcm_aes_encrypt): Likewise. (gcm_aes_decrypt): Likewise. (gcm_aes_digest): Likewise. (gcm_aes_update): One less argument to GCM_UPDATE. * gcm.h (GCM_SET_KEY): Added cast to nettle_crypt_func *. Help compiler type checking despite this cast. (GCM_ENCRYPT): Likewise. (GCM_DECRYPT): Likewise. (GCM_DIGEST): Likewise. (GCM_SET_IV): New macro, for completeness. (GCM_UPDATE): Deleted unused argument encrypt. 2011-02-14 Niels Möller * nettle.texinfo: Split node on cipher modes, and started on the GCM documentation. * testsuite/gcm-test.c (test_gcm_aes): Deleted function, replaced by test_aead. (test_main): Use test_aead. * testsuite/testutils.c (test_aead): New function, replacing test_gcm_aes and before that test_cipher_gcm. * nettle-internal.c (nettle_gcm_aes128): New const struct. (nettle_gcm_aes192): Likewise. (nettle_gcm_aes256): Likewise. * nettle-internal.h (struct nettle_aead): Tentative interface for authenticated encryption with associated data. * examples/nettle-benchmark.c (time_gcm): Renamed. Updated for gcm_aes_auth to gcm_aes_update renaming. Benchmark both encryption and hashing. (time_gmac): ...old name. * nettle-internal.c (des_set_key_hack): Don't touch the bits parity, since thay are now ignored. (des3_set_key_hack): Likewise. * cast128-meta.c (nettle_cast128): Don't pass keysize. * nettle-meta.h (_NETTLE_CIPHER_FIX): Deleted keysize parameter derived from the appropriate constant instead. * testsuite/gcm-test.c (test_gcm_aes): Updated for gcm_aes_auth to gcm_aes_update renaming. 2011-02-13 Niels Möller * gcm.h (GCM_UPDATE): Renamed, from... (GCM_AUTH): ...old name. * gcm-aes.c (gcm_aes_update): Renamed, from... (gcm_aes_auth): ...old name. * gcm.c (gcm_update): Renamed, and fixed an assert. From... (gcm_auth): ...old name. * gcm.h (GCM_TABLE_BITS): Increase table size to 8 bits, corresponding to 4 KByte of key-dependent tables. 2011-02-10 Niels Möller * x86_64/memxor.asm: New file. Improves performance by 22% for the unaligned01 case and 35% for the unaligned12 case, benchmarked on Intel SU1400. * examples/nettle-benchmark.c (cgt_works_p): New function. (cgt_time_start): Likewise. (cgt_time_end): Likewise. (clock_time_start): Likewise. (clock_time_end): Likewise. (time_function): Read clock via function pointers time_start and time_end, so we can select method at runtime. (xalloc): Use die function. (main): Choose timing function. If available, try clock_gettime, and fall back to clock if it doesn't exist. * examples/nettle-benchmark.c (die): New function. (TIME_END, TIME_START): Check return value from clock_gettime. * gcm.h (union gcm_block): Use correct length for w array. * testsuite/gcm-test.c (test_main): Added the rest of the testcases from the spec. 2011-02-09 Niels Möller * testsuite/gcm-test.c (test_main): Enabled testcases 5 and 6, with different IV lengths. * gcm-aes.c (gcm_aes_set_iv): Updated for gcm_set_iv change. * gcm.c (gcm_hash_sizes): New function. (gcm_set_iv): Added support for IVs of arbitrary size. Needed another argument, for the hash subkey. (gcm_digest): Use gcm_hash_sizes. * examples/nettle-benchmark.c (time_gmac): Use gcm_aes interface. * testsuite/gcm-test.c (test_gcm_aes): New function, replacing test_cipher_gcm and using the new gcm_aes interface. (test_main): Updated to use test_gcm_aes. * testsuite/testutils.c (test_cipher_gcm): Deleted function. * Makefile.in (nettle_SOURCES): Added gcm-aes.c. * gcm.c (gcm_set_key): Replaced context argument by a struct gcm_key *. (gcm_hash): Replaced context argument by a struct gcm_key * and a pointer to the hashing state block. (gcm_auth): Added struct gcm_key * argument. (gcm_encrypt): Likewise. (gcm_decrypt): Likewise. (gcm_digest): Likewise. * gcm-aes.c: New file. (gcm_aes_set_key): New function. (gcm_aes_set_iv): Likewise. (gcm_aes_auth): Likewise. (gcm_aes_encrypt): Likewise. (gcm_aes_decrypt): Likewise. (gcm_aes_digest): Likewise. * gcm.h (struct gcm_key): Moved the key-dependent and message-independent state to its own struct. (struct gcm_ctx): ... and removed it here. (GCM_CTX): New macro. (GCM_SET_KEY): Likewise. (GCM_AUTH): Likewise. (GCM_ENCRYPT): Likewise. (GCM_DECRYPT): Likewise. (GCM_DIGEST): Likewise. (struct gcm_aes_ctx): New struct. 2011-02-08 Niels Möller * gcm.h (struct gcm_ctx): The hash key is now always an array, named h, with array size depending on GCM_TABLE_BITS. * gcm.c (gcm_gf_shift): Added a separate result argument. (gcm_gf_mul): Compile bitwise version only when GCM_TABLE_BITS == 0. Simplified interface with just two arguments pointing to complete blocks. (gcm_gf_shift_4, gcm_gf_shift_8): Renamed table-based functions, from... (gcm_gf_shift_chunk): ... old name. (gcm_gf_mul): Renamed both table-based versions and made the argument types compatible with the bitwise gcm_gf_mul. (gcm_gf_mul_chunk): ... the old name. (gcm_set_key): Initialize the table using adds and shifts only. When GCM_TABLE_BITS > 0, this eliminates the only use of the bitwise multiplication. (gcm_hash): Simplified, now that we have the same interface for gcm_gf_mul, regardless of table size. * gcm.c (GHASH_POLYNOMIAL): Use unsigned long for this constant. (gcm_gf_shift_chunk): Fixed bugs for the big endian 64-bit case, e.g., sparc64. For both 4-bit and 8-bit tables. * gcm.c: Use the new union gcm_block for all gf operations. * gcm.h (union gcm_block): New union, used to enforce alignment. 2011-02-07 Niels Möller * gcm.c (gcm_gf_shift_chunk) : Bug fix for little-endian 8-bit tables. * gcm.c (gcm_gf_mul_chunk): Special case first and last iteration. (gcm_gf_add): New function, a special case of memxor. Use it for all memxor calls with word-aligned 16 byte blocks. Improves performance to 152 cycles/byte with no tables, 28 cycles per byte with 4-bit tables and 10.5 cycles per byte with 8-bit tables. Introduced 8-bit tables. If enabled, gives gmac performance of 19 cycles per byte (still on intel x86_64). * gcm.c (gcm_gf_shift_chunk): New implementation for 8-bit tables. (gcm_gf_mul_chunk): Likewise. (gcm_set_key): Generate 8-bit tables. * Makefile.in (SOURCES): Added gcmdata.c. * gcm.h (GCM_TABLE_BITS): Set to 4. 2011-02-06 Niels Möller * Makefile.in (TARGETS): Added gcmdata. (gcmdata): New rule. Introduced 4-bit tables. Gives gmac performance of 45 cycles per byte (still on intel x86_64). * gcm.c (gcm_gf_shift): Renamed. Tweaked little-endian masks. (gcm_rightshift): ... old name. (gcm_gf_mul): New argument for the output. Added length argument for one of the inputs (implicitly padding with zeros). (shift_table): New table (in 4-bit and 8-bit versions), generated by gcmdata. (gcm_gf_shift_chunk): New function shifting 4 bits at a time. (gcm_gf_mul_chunk): New function processing 4 bits at a time. (gcm_set_key): Generation of 4-bit key table. (gcm_hash): Use tables, when available. * gcmdata.c (main): New file. * gcm.c (gcm_rightshift): Moved the reduction of the shifted out bit here. (gcm_gf_mul): Updated for gcm_rightshift change. Improves gmac performance to 181 cycles/byte. * gcm.c (gcm_gf_mul): Rewrote. Still uses the bitwise algorithm from the specification, but with separate byte and bit loops. Improves gmac performance a bit further, to 227 cycles/byte. * gcm.c (gcm_rightshift): Complete rewrite, to use word rather than byte operations. Improves gmac performance from 830 cycles / byte to (still poor) 268 cycles per byte on intel x86_64. 2011-02-05 Niels Möller * examples/nettle-benchmark.c (time_gmac): New function. (main): Call time_gmac. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added gcm-test.c. * testsuite/testutils.c (test_cipher_gcm): New function, contributed by Nikos Mavrogiannopoulos. * testsuite/gcm-test.c: New file, contributed by Nikos Mavrogiannopoulos. * Makefile.in (nettle_SOURCES): Added gcm.c. (HEADERS): Added gcm.h. * gcm.c: New file, contributed by Nikos Mavrogiannopoulos. * gcm.h: New file, contributed by Nikos Mavrogiannopoulos. * macros.h (INCREMENT): New macro, moved from ctr.c. Deleted third argument. * ctr.c: Use INCREMENT macro from macros.h, deleted local version. 2011-01-07 Niels Möller * testsuite/Makefile.in (check): Add ../.lib to PATH, since that's where w*ndows looks for dlls. * testsuite/testutils.c (test_cipher_stream): More debug output on failure. 2010-12-14 Niels Möller * nettle-types.h: Deleted some unnecessary parenthesis from function typedefs. (nettle_realloc_func): Moved typedef here... * realloc.h: ...from here. * buffer.c (nettle_buffer_init_realloc): Use an explicit pointer for realloc argument. 2010-12-07 Niels Möller * nettle.texinfo (Copyright): Updated info on blowfish. 2010-11-26 Niels Möller Reapplied optimizations (150% speedup on x86_32) and other fixes, relicensing them as LGPL. * blowfish.c (do_encrypt): Renamed, to... (encrypt): ...new name. (F): Added context argument. Shift input explicitly, instead of reading individual bytes via memory. (R): Added context argument. (encrypt): Deleted a bunch of local variables. Using the context pointer for everything should consume less registers. (decrypt): Likewise. (initial_ctx): Arrange constants into a struct, to simplify key setup. (blowfish_set_key): Some simplification. 2010-11-26 Simon Josefsson * blowfish.c: New version ported from libgcrypt. License changed from GPL to LGPL. 2010-11-25 Niels Möller * Makefile.in (install-shared-nettle): Use INSTALL_DATA, which clears the execute permission bits. (install-shared-hogweed): Likewise. 2010-11-16 Niels Möller * configure.ac: Updated gmp url. 2010-11-01 Niels Möller * tools/misc.c (werror): Don't call exit (copy&paste-error). 2010-10-26 Niels Möller * examples/rsa-encrypt.c (main): No extra message for bad options. * examples/rsa-keygen.c (main): Added long options. Deleted -?, and fixed handling of bad options. * examples/next-prime.c (main): Deleted -?, and fixed handling of bad options. * examples/random-prime.c (main): Likewise. 2010-10-22 Niels Möller * examples/nettle-benchmark.c (main): Added long options. Deleted -?, and fixed handling of bad options. * examples/eratosthenes.c (main): Added long options. Deleted -?, and fixed handling of bad options. Renamed -s to -q (long option --quiet). * tools/pkcs1-conv.c (main): Deleted short alias -? for --help, and fixed handling of bad options. * tools/sexp-conv.c (parse_options): Likewise. 2010-10-06 Niels Möller * memxor.c (memxor3): Optimized. (memxor3_common_alignment): New function. (memxor3_different_alignment_b): New function. (memxor3_different_alignment_ab): New function. (memxor3_different_alignment_all): New function. * examples/nettle-benchmark.c (time_function): Reorganized, to reduce overhead. (time_memxor): Also benchmark memxor3. * x86_64/memxor.asm: New file. * examples/nettle-benchmark.c (overhead): New global variable. (time_function): Compensate for call overhead. (bench_nothing, time_overhead): New functions. (time_memxor): Tweaked src size, making it an integral number of words. (main): Call time_overhead. 2010-10-01 Niels Möller * x86_64/camellia-crypt-internal.asm (ROUND): Reordered sbox lookups. * testsuite/memxor-test.c: Also test memxor3. 2010-09-30 Niels Möller * configure.ac: Link in memxor.asm, if found. * testsuite/testutils.c (test_cipher_cbc): Print more info when failing. * testsuite/memxor-test.c (test_xor): Added verbose printout. * examples/nettle-benchmark.c (time_memxor): Count size of unsigned long as "block size" for memxor. 2010-09-24 Niels Möller * testsuite/.test-rules.make: Added rule for memxor-test. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added memxor-test.c * testsuite/memxor-test.c: New file. * memxor.c (memxor_common_alignment): New function. (memxor_different_alignment): New function. (memxor): Optimized to do word-operations rather than byte operations. * configure.ac (HAVE_NATIVE_64_BIT): New config.h define. Partial revert of 2010-09-20 changes. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reintroduce CAMELLIA_F_HALF_INV, for 32-bit machines. * camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Two variants, differing in where addition of the key is done. * x86/camellia-crypt-internal.asm: Moved addition of key. 2010-09-22 Niels Möller * examples/nettle-benchmark.c (BENCH_INTERVAL): Changed unit to seconds. (time_function): Use clock_gettime with CLOCK_PROCESS_CPUTIME_ID, if available. This gives better accuracy, at least on recent linux. (BENCH_INTERVAL): Reduced to 0.1 s. (struct bench_memxor_info): New struct. (bench_memxor): New function. (time_memxor): New function. (main): Use time_memxor. Added optional argument used to limit the algorithms being benchmarked. (GET_CYCLE_COUNTER): Define also for x86_64. (time_memxor): Improved display. * examples/Makefile.in (nettle-benchmark): Link using $(BENCH_LIBS) rather than $(LIBS). * configure.ac: Check for clock_gettime, and add -lrt to BENCH_LIBS if needed. 2010-09-20 Niels Möller * configure.ac: Less quoting when invoking $CC, to allow CC="gcc -m32". * x86/camellia-crypt-internal.asm (ROUND): Adapted to new key convention, moving key xor to the end. * camellia-set-encrypt-key.c (CAMELLIA_F_HALF_INV): Deleted macro. (camellia_set_encrypt_key): Deleted the CAMELLIA_F_HALF_INV operations intended for moving the key xor into the middle of the round. * camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Moved addition of key to the end, to use a 64-bit xor operation. * x86_64/camellia-crypt-internal.asm: New file. * x86_64/machine.m4 (LREG, HREG, XREG): New macros. 2010-09-17 Niels Möller * configure.ac: Support shared libraries (dlls) with mingw32. Contributed by David Hoyt. 2010-07-25 Niels Möller * configure.ac: Changed version number to nettle-2.2. * Released nettle-2.1. * configure.ac: Use camellia-crypt-internal.asm, if available. Bumped soname to libnettle.so.4, and reset LIBNETTLE_MINOR to zero. * x86/machine.m4 (LREG, HREG): Moved macros here, from... * x86/aes.m4: ...here. * x86/camellia-crypt-internal.asm: New file. * nettle.texinfo: Updated and expanded section on DSA. Document aes_invert_key, and camellia. Added missing functions rsa_sha512_verify and rsa_sha512_verify_digest. * camellia.h (struct camellia_ctx): Eliminate the two unused subkeys, and renumber the remaining ones. * camellia-crypt-internal.c (_camellia_crypt): Updated for renumbered subkeys. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Likewise. * camellia-set-decrypt-key.c (camellia_invert_key): Likewise. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Inline the expansion of camellia_setup128 and camellia_setup256, keeping the unexpanded key in scalar variables. (camellia_setup128): Deleted. (camellia_setup256): Deleted. 2010-07-24 Niels Möller * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reduced code size, no complete loop unroll. Use one loop for each phase of the post-processing. * testsuite/camellia-test.c: New tests for camellia_invert_key. * testsuite/aes-test.c: New tests for aes_invert_key. * aes.h (aes_invert_key): Declare it. * aes-set-decrypt-key.c (aes_invert_key): New function, key inversion code extracted from aes_set_decrypt_key. (aes_set_decrypt_key): Use aes_invert_key. * camellia-set-encrypt-key.c (camellia_setup128): Generate unmodified subkeys according to the spec. Moved clever combination of subkeys to camellia_set_encrypt_key. (camellia_setup256): Likewise. (camellia_set_encrypt_key): Moved subkey post-processing code here, and reduce code duplication between 128-bit keys and larger keys. * camellia.c: Deleted file, split into several new files... * camellia-table.c (_camellia_table): New file with the constant sbox tables. * camellia-set-encrypt-key.c: New file. (camellia_setup128): Generate unmodified subkeys according to the spec. Moved clever combination of subkeys to camellia_set_encrypt_key. (camellia_setup256): Likewise. * camellia-set-decrypt-key.c: New file. (camellia_invert_key): Key inversion function. (camellia_set_decrypt_key): New key setup function. * camellia-internal.h: New file. * camellia-crypt.c (camellia_crypt): New file, new wrapper function passing the sbox table to _camellia_crypt. * camellia-crypt-internal.c (_camellia_crypt): New file, with main encrypt/decrypt function. * Makefile.in (nettle_SOURCES): Updated list of camellia source files. (DISTFILES): Added camellia-internal.h. 2010-07-20 Niels Möller * camellia-meta.c: Use _NETTLE_CIPHER_SEP_SET_KEY. * camellia.h (struct camellia_ctx): Replaced flag camellia128 by expanded key length nkeys. * camellia.c (camellia_set_encrypt_key): Renamed, from... (camellia_set_key): ... old name. (camellia_invert_key): New function. (camellia_set_decrypt_key): New function, using camellia_invert_key. (camellia_crypt): Renamed, from... (camellia_encrypt): ... old name. (camellia_decrypt): Deleted, no longer needed. camellia_crypt used for both encryption and decryption. * nettle-meta.h (_NETTLE_CIPHER_SEP_SET_KEY): New macro. * dsa-keygen.c: Removed unnecessary include of memxor.h. * camellia.c: Rewrote to use 64-bit type for subkeys and use 64-bit operations throughout. Performance on x86_32, when compiled with gcc-4.4.4, is reduced by roughly 15%, this should be fixed later. * camellia.h (struct camellia_ctx): Use type uint64_t for subkeys. 2010-07-07 Niels Möller * aes.h (aes_encrypt, aes_decrypt): Declare ctx argument as const. Also updated implementation. * blowfish.h (blowfish_encrypt, blowfish_decrypt): Likewise. * cast128.h (cast128_encrypt, cast128_decrypt): Likewise. * serpent.h (serpent_encrypt, serpent_decrypt): Likewise. * twofish.h (twofish_encrypt, twofish_decrypt): Likewise. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added camellia-test.c. * examples/nettle-benchmark.c: Added camellia ciphers. * Makefile.in (nettle_SOURCES): Added camellia.c and camellia-meta.c. (HEADERS): Added camellia.h. * nettle-meta.h (nettle_camellia128): Declare. (nettle_camellia192): Likewise. (nettle_camellia256): Likewise. * camellia-meta.c: New file. * camellia.h: Rewrote interface to match nettle conventions. * camellia.c: Converted to nettle conventions. (camellia_encrypt128, camellia_encrypt256): Unified to new function... (camellia_encrypt): ...New function, with a loop doing 6 regular rounds, one FL round and one FLINV round per iteration, with iteration count depending on the key size. (camellia_decrypt128, camellia_decrypt256): Similarly unified as... (camellia_decrypt): ...New function, analogous to camellia_encrypt. 2010-07-06 Niels Möller * camellia.c, camellia.h: New files, copied from http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. * testsuite/camellia-test.c: New file. 2010-07-05 Niels Möller * nettle.texinfo: Document new conventions for weak key and des parity checks. Document des_check_parity. * testsuite/des-test.c (test_weak): Don't check the deleted status attribute. * des-compat.c (des_key_sched): Rewrote error checking logic for the case of non-zero des_check_key. * des3.c (des3_set_key): Changed weak key detection logic. Complete key setup also for weak keys, and don't set the status attribute. * des.c (des_set_key): New iteration logic, to keep key pointer unchanged. Moved weak key check to the end, and don't set the status attribute. (des_encrypt): Ignore status attribute. (des_decrypt): Likewise. * des.h (enum des_error): Deleted. (struct des_ctx): Deleted status attribute. (struct des3_ctx): Likewise. * blowfish.c (initial_ctx): Deleted status value. (blowfish_encrypt): Ignore status attribute. (blowfish_decrypt): Likewise. (blowfish_set_key): Return result from weak key check, without setting the status attribute. * blowfish.h (enum blowfish_error): Deleted. (struct blowfish_ctx): Deleted status attribute. * Makefile.in (des_headers): Deleted parity.h. 2010-06-30 Niels Möller * testsuite/des-test.c (test_des): New function. (test_weak): New function. (test_main): Use test_des and test_weak. Added tests for all the weak keys. Added some tests with invalid (to be ignored) parity bits. * des.c (parity_16): New smaller parity table. (des_check_parity): New function. (des_fix_parity): Use parity_16. (des_weak_p): New weak-key detection. Ignores parity bits, and uses a hash table. (des_set_key): Deleted parity checking code. Replaced old weak-key detection code by a call to des_weak_p. 2010-06-04 Niels Möller * testsuite/testutils.c (test_dsa_key): Updated for new name DSA_SHA1_MIN_P_BITS. * dsa-keygen.c (dsa_generate_keypair): Use DSA_SHA1_MIN_P_BITS and DSA_SHA256_MIN_P_BITS. * dsa.h (DSA_MIN_P_BITS, DSA_Q_OCTETS, DSA_Q_BITS): Renamed to... (DSA_SHA1_MIN_P_BITS, DSA_SHA1_Q_OCTETS, DSA_SHA1_Q_BITS): New names. * sexp2dsa.c (dsa_keypair_from_sexp_alist): New argument q_bits. Renamed parameter limit to p_max_bits. (dsa_sha1_keypair_from_sexp): Renamed, was dsa_keypair_from_sexp. Updated to call dsa_keypair_from_sexp_alist with the new argument. (dsa_sha256_keypair_from_sexp): New function. (dsa_signature_from_sexp): New argument q_bits. * der2dsa.c (dsa_params_from_der_iterator): Enforce 160-bit limit on q. Renamed parameter limit to p_max_bits. (dsa_openssl_private_key_from_der_iterator): Enforce 160-bit limit on q and x. Renamed parameter limit to p_max_bits. 2010-06-03 Niels Möller * testsuite/dsa-test.c (test_main): Added test for dsa-sha256. 2010-06-02 Niels Möller * testsuite/dsa-test.c (test_main): Provide expected value of the signature. * testsuite/testutils.c (test_dsa160): Added argument for expected signature. (test_dsa256): Likewise. 2010-06-01 Niels Möller * testsuite/rsa-keygen-test.c (test_main): Updated expected signatures. * examples/random-prime.c (main): Updated for nettle_random_prime change. * testsuite/random-prime-test.c (test_main): Likewise. * rsa-keygen.c (bignum_random_prime): Deleted function. (rsa_generate_keypair): Use new nettle_random_prime. Generate secret factors p and q with the two most significant bits set. * dsa-keygen.c (dsa_generate_keypair): Updated for changes in nettle_random_prime and _nettle_generate_pocklington_prime. Invoke progress callback. * bignum-random-prime.c (_nettle_generate_pocklington_prime): New argument top_bits_set, to optionally generate primes with the two most significant bits set. Reordered argument list. (nettle_random_prime): Likewise, added top_bits_set argument. Invoke progress callback when a prime is generated. 2010-05-26 Niels Möller * dsa-keygen.c (dsa_generate_keypair): Use _nettle_generate_pocklington_prime. Deleted old key generation code. * bignum-random-prime.c (_nettle_generate_pocklington_prime): Also return the used r. Updated caller. * examples/random-prime.c (main): Allow sizes down to 3 bits. * bignum-random-prime.c (_nettle_generate_pocklington_prime): New function. Rely on mpz_probab_prime_p (for lack of a trial division function) for trial division. (nettle_random_prime): Rewritten. Uses the prime table for the smallest sizes, then trial division using a new set of tables, and then Maurer's algorithm, calling the new _nettle_generate_pocklington_prime for the final search. 2010-05-25 Niels Möller * testsuite/dsa-test.c (test_main): Updated for dsa testing changes. * testsuite/dsa-keygen-test.c (test_main): Test dsa256. * testsuite/testutils.h (struct nettle_mac): New struct, currently unused. * testsuite/testutils.c (test_mac): New function (currently not used). (test_dsa): Replaced by two new functions... (test_dsa160): New function. (test_dsa256): New function. (test_dsa_key): New argument q_size. (DSA_VERIFY): Generalized. * dsa-keygen.c (dsa_generate_keypair): Rewritten, now generating primes using Pocklington's theorem. Takes both p_size and q_size as arguments. 2010-05-20 Niels Möller * bignum-random-prime.c (miller_rabin_pocklington): Fixed broken logic when Miller-rabin succeeds early. 2010-04-09 Niels Möller * bignum-next-prime.c: Include stdlib.h, needed for alloca on freebsd. * hmac.c: Likewise. * examples/Makefile.in (SOURCES): Added random-prime.c. * examples/random-prime.c: New program. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved knuth-lfib-test.c, cbc-test.c, ctr-test.c, hmac-test.c here, from TS_HOGWEED_SOURCES. (TS_HOGWEED_SOURCES): Added random-prime-test.c. * testsuite/random-prime-test.c: New test case. * examples/next-prime.c (main): With no command line arguments. exit after dislaying usage message. * examples/io.c (simple_random): Free buffer when done. * configure.ac: Changed message, say CC is the recommended way to configure the ABI. * bignum-random.c: Deleted test of HAVE_LIBGMP. * bignum.c: Likewise. * sexp2bignum.c: Likewise. * Makefile.in (hogweed_SOURCES): Added bignum-random-prime.c. * bignum-random-prime.c (nettle_random_prime): New file, new function. 2010-03-31 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha224. 2010-03-30 Niels Möller * testsuite/testutils.c (DSA_VERIFY): Updated for dsa_sha1_verify rename. (test_dsa): Check return value from dsa_sha1_sign. * Makefile.in (hogweed_SOURCES): Added dsa-sha1-sign.c, dsa-sha1-verify.c, dsa-sha256-sign.c, and dsa-sha256-verify.c. * dsa.h: Updated and added dsa declarations. * dsa-sha256-verify.c (dsa_sha256_verify_digest): New file, new function. (dsa_sha256_verify): New function. * dsa-sha256-sign.c (dsa_sha256_sign_digest): New file, new function. (dsa_sha256_sign): New function. * dsa-sha1-verify.c (dsa_sha1_verify_digest): New file. Moved and renamed function, from dsa_verify_digest, rewrote to use _dsa_verify. (dsa_sha1_verify): Analogous change, renamed from dsa_verify. * dsa-sha1-sign.c (dsa_sha1_sign_digest): New file. Moved and renamed function, from dsa_sign_digest, rewrote to use _dsa_sign, and added return value. (dsa_sha1_sign): Analogous change, renamed from dsa_sign. * dsa-verify.c (_dsa_verify): New general verification function, for any hash. * dsa-sign.c (_dsa_sign): New general signing function, for any hash. Returns success code, like the rsa signture functions. 2010-03-29 Niels Möller * configure.ac (ABI): Attempt to use a better, ABI-dependant, default value for libdir. * x86/md5-compress.asm: Fixed function name in epilogue. * asm.m4 (EPILOGUE): Use . to refer to current address. * configure.ac (ABI): Detect which ABI the compiler is using. On x86_64, also check for __arch64__. 2010-03-28 Niels Möller * configure.ac (asm_path): For x86_64, check if compiler is generating 32-bit code. 2010-03-27 Niels Möller * testsuite/hmac-test.c (test_main): Rewrote rest of tests to use HMAC_TEST, and added more tests from Daniel Kahn Gillmor and from RFC 4231. * Makefile.in (nettle_SOURCES): Added hmac-sha224.c and hmac-sha384.c. * hmac.h: Added declarations of hmac-sha224 and hmac-sha384. * hmac-sha224.c: New file. 2010-03-26 Niels Möller * testsuite/hmac-test.c (HMAC_TEST): New macro. (test_main): Use HMAC_TEST for the md5 and sha1 tests, and add test vectors from Daniel Kahn Gillmor. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha224-test.c. * Makefile.in (nettle_SOURCES): Added sha224-meta.c and write-be32.c. (DISTFILES): Added nettle-write.h. * sha.h: Added declarations for sha224. Some are aliases for the corresponding sha256 definition. * sha256.c (sha256_digest): Use _nettle_write_be32. (sha224_init): New function. (sha224_digest): New function. * sha1.c (sha1_digest): Use _nettle_write_be32. * nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE) (NETTLE_MAX_HASH_DIGEST_SIZE): Increased, to take sha512 into account. * nettle-write.h: New file. * write-be32.c (_nettle_write_be32): New file, new function. * sha224-meta.c: New file. 2010-03-25 Niels Möller * hmac-sha384.c: New file. * testsuite/sha224-test.c: New file. * testsuite/md4-test.c (test_main): More test vectors, provided by Daniel Kahn Gillmor. * testsuite/md5-test.c (test_main): Likewise. * testsuite/sha1-test.c (test_main): Likewise. * testsuite/sha256-test.c (test_main): Likewise. * testsuite/sha384-test.c (test_main): Likewise. * testsuite/sha512-test.c (test_main): Likewise. * configure.ac: Bumped version numbers. Package version nettle-2.1, library versions libnettle.so.3.1, libhogweed.so.2.0. * examples/nettle-benchmark.c (main): Benchmark sha384. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha384-test.c. * testsuite/sha384-test.c: New file. * Makefile.in (nettle_SOURCES): Added sha384-meta.c. * sha384-meta.c: New file. * sha.h: Added declarations for sha384. Some are aliases for the corresponding sha512 definition. * sha512.c (sha512_write_digest): New function. (sha512_digest): Use it. (sha384_init): New function. (sha384_digest): New function. 2010-03-24 Niels Möller * sha512.c: (sha512_digest): Simplified handling of any final partial word of the digest. * sha512.c: Reorganized to use _nettle_sha512_compress. * sha512-compress.c (_nettle_sha512_compress): Compression function extracted from sha512.c to a new file. * Makefile.in (nettle_SOURCES): Added sha256-compress.c and sha512-compress.c. * sha256.c: Reorganized to use _nettle_sha256_compress. * sha256-compress.c (_nettle_sha256_compress): Compression function extracted from sha256.c to a new file. * examples/nettle-benchmark.c (main): Benchmark sha512. * rsa-keygen.c (rsa_generate_keypair): Ensure that bit size of e is less than bit size of n, and check for the unlikely case p = q. * rsa.h (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Reduced, to correspond to pkcs#1 encryption of single byte messagees. * pgp-encode.c (pgp_put_rsa_sha1_signature): Check return value from rsa_sha1_sign. * rsa-compat.c (R_SignFinal): Likewise. * rsa-md5-sign.c (rsa_md5_sign): Check and propagate return value from pkcs1_rsa_md5_encode. (rsa_md5_sign_digest): Check and propagate return value from pkcs1_rsa_md5_encode_digest. * rsa-md5-verify.c (rsa_md5_verify): Check return value from pkcs1_rsa_md5_encode. (rsa_md5_verify_digest): Check return value from pkcs1_rsa_md5_encode_digest. * rsa-sha1-sign.c: Analogous changes. * rsa-sha1-verify.c: Analogous changes. * rsa-sha256-sign.c: Analogous changes. * rsa-sha256-verify.c: Analogous changes. * rsa-sha512-sign.c: Analogous changes. * rsa-sha512-verify.c: Analogous changes. * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) (pkcs1_rsa_md5_encode_digest): Added return value. Check and propagate return value from pkcs1_signature_prefix. * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): Likewise. * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) (pkcs1_rsa_sha1_encode_digest): Likewise. * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) (pkcs1_rsa_sha512_encode_digest): Likewise. * pkcs1.c (pkcs1_signature_prefix): Interface change, take both the total size and digest size as arguments, and return a status code to say if the size was large enough. * testsuite/Makefile.in: Added hogweed dependency for the test programs. 2010-03-23 Niels Möller * testsuite/rsa-test.c (test_main): Test signing with sha512. * testsuite/testutils.c (test_rsa_sha512): New function. * Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c, rsa-sha512-sign.c and rsa-sha512-verify.c. * rsa.h: Added prototypes for sha512-related functions. (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased. * pkcs1.h: Added prototypes for sha512-related functions. * rsa-sha512-verify.c: New file. * rsa-sha512-sign.c: New file. * pkcs1-rsa-sha512.c: New file. 2010-03-22 Niels Möller * Makefile.in (nettle_SOURCES): Added hmac-sha512.c. * testsuite/hmac-test.c (test_main): Added test cases for hmac-sha512. * hmac.h: Declare functions sha512-related functions. * hmac-sha512.c (hmac_sha512_set_key): New file. Basic sha512 support. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha512-test.c. * testsuite/sha512-test.c: New file. * macros.h (READ_UINT64, WRITE_UINT64): New macros. * Makefile.in (nettle_SOURCES): Added sha512.c and sha512-meta.c. * sha.h: Added sha512-related declarations. * nettle-meta.h: Likewise. * sha512-meta.c: New file. * sha512.c: New file. 2010-03-06 Niels Möller * Makefile.in (distdir): Include x86_64 assembler files. 2010-01-20 Niels Möller * configure.ac: Check for mpz_powm_sec. 2010-01-13 Niels Möller * Makefile.in ($(LIBHOGWEED_FORLINK)): Depend on $(LIBNETTLE_FORLINK). * configure.ac (LIBHOGWEED_LIBS): Added -lnettle -lgmp for the default case. Follows debian, and also makes dlopen of libhogweed.so work, without having to use RTLD_GLOBAL. (LIBHOGWEED_LINK): Added -L., to find our libnettle.so. 2009-10-21 Niels Möller * tools/Makefile.in (pkcs1-conv$(EXEEXT)): Added dependency on ../libhogweed.a. 2009-10-19 Niels Möller * tools/pkcs1-conv.c: Updated for dsa/der interface change. * der2dsa.c (dsa_public_key_from_der_iterators): Split into two new functions... (dsa_params_from_der_iterator): New function. (dsa_public_key_from_der_iterator): New function. (dsa_openssl_private_key_from_der_iterator): Renamed, was dsa_private_key_from_der_iterator. (dsa_openssl_private_key_from_der): Likewise. * dsa.h: Corresponding changees to prototypes and #defines. 2009-10-12 Niels Möller * sexp-format.c: Removed conditioning on HAVE_LIBGMP. * tools/pkcs1-conv.c: Support for DSA keys, contributed by Magnus Holmgren. * Makefile.in (hogweed_SOURCES): Added dsa2sexp.c and der2dsa.c. * der2dsa.c: New file, contributed by Magnus Holmgren. * dsa2sexp.c: Likewise. * dsa.h: Added prototypes. * configure.ac (LIBHOGWEED_MINOR): Bumped libhogweed minor version, now it's 1.1. * testsuite/rsa2sexp-test.c (test_main): Updated testcase for "rsa-pkcs1". 2009-10-11 Niels Möller * rsa2sexp.c (rsa_keypair_to_sexp): Changed default algorithm name to "rsa-pkcs1". 2009-09-20 Niels Möller * x86/sha1-compress.asm: Improved performance by 17% on AMD K7, by letting loopmix scramble the instruction order. 2009-09-15 Niels Möller * x86/sha1-compress.asm: Cleanup, removing old cruft. Slight improvement to ROUND_F1_NOEXP. Slight reduction of dependency-chains. 2009-08-25 Niels Möller * x86/sha1-compress.asm: Eliminated tmp variable for f3 rounds. * examples/nettle-benchmark.c (bench_sha1_compress): New function, for precise benchmarking of the compression function. 2009-06-08 Niels Möller * Released nettle-2.0. 2009-06-04 Niels Möller * configure.ac: Set version to 2.0 2009-05-30 Niels Möller * Makefile.in (.texinfo.info): Don't use a temporary output file $@T, trust makeinfo to remove output file on errors. 2009-05-19 Niels Möller * nettle.texinfo: Changed license to public domain. 2009-05-11 Niels Möller * nettle.texinfo: Fixes from Karl Berry. Added some more index terms. 2009-03-06 Niels Möller * x86_64/aes-encrypt-internal.asm: Reduced unrolling. Keep state in %eax--%edx only. * x86_64/aes-decrypt-internal.asm: Likewise. * x86_64/aes.m4 (MOVE_HREG): Deleted, no longer needed. (AES_STORE): Reduced offsets. (AES_ROUND): Use HREG directly, not MOVE_HREG. * x86_64/aes-decrypt-internal.asm: Rearrange register allocation. Put SA--SD in %eax--%edx, so the second byte can be accessed as %ah-%dh. TD is not needed, SD can be reused. Use the register that is saved for the outer loop counter, getting it off the stack. * x86_64/aes-encrypt-internal.asm: Likewise. * x86_64/aes.m4 (HREG, MOVE_HREG): New macros. (XREG): Fixed bug in handling of %r8 and %r9. (AES_ROUND): Use MOVE_HREG. 2009-02-10 Niels Möller * base16-meta.c (base16_encode_update_wrapper): Mark ctx argument as UNUSED. * testsuite/sexp-conv-test: Updated testcases for improved handling of comments. * tools/sexp-conv.c (sexp_convert_item): Use sexp_put_soft_newline to terminate comments, and modify indentation for the case that a list starts with a comment. * tools/output.c (sexp_output_init): Initialize soft_newline. (sexp_put_raw_char): Clear soft_newline. (sexp_put_newline): Check and reset soft_newline. (sexp_put_soft_newline): New function. * tools/output.h (struct sexp_output): Removed union with single element, and updated all users. New attribute soft_newline. 2008-12-22 Niels Möller * Makefile.in ($(des_headers)): Create files in $(srcdir). 2008-11-28 Niels Möller * testsuite/cxx-test.cxx: Include . 2008-11-22 Niels Möller * yarrow256.c (yarrow256_fast_reseed): Set ctx->seeded = 1, so that it is set if and only if the aes context has been initialized with aes_set_encrypt_key. (yarrow256_seed): No need to set ctx->seeded here. (yarrow256_update): Likewise. 2008-11-04 Niels Möller * examples/next-prime.c (main): Avoid using gmp_fprintf, to stay compatible with gmp-3.1. 2008-11-01 Niels Möller * nettle.texinfo: Updated for 2.0. New section on linking. * nettle-types.h, nettle-meta.h: Moved all typedefs for function types to nettle-types.h. Use non-pointer types, so that the types can be used to declare functions. Updated all users. 2008-10-31 Niels Möller * testsuite/yarrow-test.c (test_main): Updated for seed file changes. * sha-example.c (display_hex): Use %02x, not %2x. 2008-10-30 Niels Möller * tools/sexp-conv.c (main): Fixed file locking. 2008-10-25 Niels Möller * configure.ac: Set version to 2.0rc1. * examples/Makefile.in (next-prime$(EXEEXT)): Added -lnettle to linker. 2008-10-24 Niels Möller * sha256.c (ROUND): Simplified macro. * yarrow256.c (yarrow256_fast_reseed): Renamed (was yarrow_fast_reseed) and made non-static. Don't generate seed file here, let the application use yarrow256_random instead. (yarrow256_slow_reseed): Renamed (was yarrow_slow_reseed) and made non-static. (yarrow256_force_reseed): Deleted function, use yarrow256_slow_reseed instead. For backwards compatibility, yarrow.h defines yarrow256_force_reseed as an alias for that function. * yarrow.h (struct yarrow256_ctx): Deleted seed_file buffer. 2008-09-17 Niels Möller * x86/arcfour-crypt.asm: Improved loop logic, and unrolled loop twice. Gave a modest speedup. 2008-09-15 Niels Möller * yarrow256.c (yarrow256_seed): Disallow length == 0. * base64-decode.c (decode_table): Added vertical tab (VT) and form feed (FF) as white space characters. * x86_64/aes-decrypt-internal.asm: New file. 2008-09-13 Niels Möller * x86/aes-encrypt-internal.asm: Replaced pushl and popl in the loop with movl. Eliminated redundant movl. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes.m4: New file. * x86/aes-encrypt-internal.asm: Updated for AES_FINAL_ROUND. Only three times through the substitution loop. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes-encrypt-internal.asm: Likewise. * x86/aes.m4 (AES_FINAL_ROUND): Do the substitution on the least significant byte here. * x86/aes-encrypt-internal.asm: Updated use of AES_SUBST_BYTE. USe decl for outer loop. * x86/aes-decrypt-internal.asm: Likewise. * x86/aes.m4 (LREG, HREG): New macros. (AES_SUBST_BYTE): Take state registers as argument. Use LREG to get the corresponding byte register. (AES_ROUND): Use movzbl together with LREG and HREG. (AES_SUBST_BYTE): Likewise. 2008-09-10 Niels Möller * x86_64/sha1-compress.asm: Avoid using registers %rbx and %rbp, which must be preserved. 2008-09-08 Niels Möller * Makefile.in (stamp-h.in): Use $(AUTOHEADER). * x86_64/sha1-compress.asm: New x86_64 assembler, based on the x86 version. * configure.ac (asm_path): Set up asm_path for x86_64. * x86_64/machine.m4: New file, new directory. 2008-08-28 Niels Möller * examples/eratosthenes.c (main): Rewrote block-wise sieving to use less memory. New options -s and -v. 2008-08-27 Niels Möller * testsuite/sexp-conv-test (print_raw, print_nl): Use printf. Updated testcases with comments; comments are now preserved. * tools/sexp-conv.c (sexp_convert_item): Keep comments in advanced output. (parse_options): New --lock option. (main): Optionally lock output file. * tools/parse.c (sexp_check_token): Removed check for "any" token. All callers specify the token they expect. (sexp_parse): Pass on comment tokens. * tools/output.c (sexp_put_data): Made non-static. * tools/input.c (sexp_get_comment): New function. (sexp_get_token): Use sexp_get_comment. * tools/misc.h (enum sexp_token): Start enumeration with zero, zero is no longer used to mean any type. New type SEXP_COMMENT. * configure.ac: Check for fcntl file locking. 2008-08-26 Niels Möller * Makefile.in (tags-here): Put TAGS file in the source directory. * examples/Makefile.in (tags): Likewise. * testsuite/Makefile.in (tags): Likewise. * tools/Makefile.in (tags): Likewise. 2008-02-29 Niels Möller * examples/Makefile.in (SOURCES): Added next-prime.c. 2008-01-05 Niels Möller * examples/Makefile.in (TARGETS): Added eratosthenes and next-prime. (next-prime, eratosthenes): New rules. (nettle-benchmark): Don't rely on $@. * examples/eratosthenes.c (find_first_one): Optimized, using slightly larger table. (main): Use atol, rather than atoi. * testsuite/symbols-test: Check symbols also in libhogweed. * examples/next-prime.c: New file. Deleted code for detailed timing. * Makefile.in (hogweed_SOURCES): Added bignum-next-prime.c. (DISTFILES): Added prime-list.h. (hogweed_OBJS): Removed $(LIBOBJS). * bignum-next-prime.c (nettle_next_prime): Renamed function, for name space reasons. Was bignum_next_prime. Updated call in rsa-keygen.c. (primes): Use prime-list.h. (nettle_next_prime): Skip Fermat test. Use mpz_millerrabin directly, rather than mpz_probab_prime_p, when the former is available. * bignum.h (nettle_next_prime): New prototype. * rsa-keygen.c (bignum_next_prime): Deleted, moved to bignum-next-prime.c. Call with a larger prime limit, this improves the running time of lsh-keygen by roughly 25%. * prime-list.h: List of odd primes < 2^16. * configure.ac: Check for sizeof(long). 2008-01-03 Niels Möller * examples/nettle-benchmark.c (main): Removed incorrect UNUSED from declaration. * bignum-next-prime.c: Moved the bignum_next_prime function to a separate file. 2007-09-08 Niels Möller * sparc64/aes-encrypt-internal.asm: The directory with the aes.m4 include file was renamed from "sparc" to "sparc32". Updated include. * sparc64/aes-decrypt-internal.asm: Likewise. * sparc32/aes-encrypt-internal.asm: Likewise. * sparc32/aes-decrypt-internal.asm: Likewise. 2007-09-07 Niels Möller * examples/read_rsa_key.c: Include stdlib.h. 2007-06-02 Niels Möller * Makefile.in: Typo fixes to install targets, spotted by Magnus Holmgren. 2007-05-14 Niels Möller * configure.ac: Fixed copy-and-paste errors in shared library name setup. * config.make.in (LIBNETTLE_SONAME, LIBHOGWEED_SONAME): Define. * Makefile.in (libnettle.so, libhogweed.so): Fixed rules. * Makefile.in: Split nettle library into two files, libnettle.a and libhogweed.a, and similarly for the shared libraries. * configure.ac: Bumped nettle so-versions to 3.0. Set hogweed so-versions to 1.0. New makefile conditionals IF_SHARED and IF_HOGWEED. Renamed WITH_PUBLIC_KEY to WITH_HOGWEED. Deleted SHLIBTARGET, SHLIBINSTALL, RSA_EXAMPLES and RSA_TOOLS. * config.make.in: Updated for hogweed split. * C source files: Don't use WITH_PUBLIC_KEY / WITH_HOGWEED, the Makefile sorts out which files should be compiled. * pgp.h: Include bignum.h, don't pretend to work without bignums. * pgp-encode.c (pgp_put_mpi, pgp_put_public_rsa_key) (pgp_put_rsa_sha1_signature): Define unconditionally. Removed the checking of HAVE_LIBGMP and WITH_PUBLIC_KEY. * examples/io.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY. * examples/io.c (read_rsa_key): Deleted, moved to... * examples/read_rsa_key.c: New file, extracted from io.c. * examples/Makefile.in: Use IF_HOGWEED instead of RSA_EXAMPLES. Link appropriate programs with -lhogweed. (SOURCES): Added read_rsa_key.c. * tools/Makefile.in (pkcs1-conv): Use IF_HOGWEED, not @RSA_TOOLS@, for configuration. Link with -lhogweed. * testsuite/testutils.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY. * testsuite/testutils.c: Likewise. * testsuite/Makefile.in (TS_NETTLE_SOURCES, TS_HOGWEED_SOURCES): Separate test cases using nettle and those also using hogweed. 2007-04-05 Niels Möller * Moved in CVS tree. Also renamed directory sparc to sparc32. 2007-02-24 Niels Möller * Makefile.in (clean-here): Remove .lib directory. (distclean-here): Remove machine.m4. 2006-12-05 Niels Möller * configure.ac: AC_PREREQ 2.61, for AC_PROG_MKDIR_P. * config.make.in (datarootdir): New directory variable (for autoconf-2.61). 2006-11-28 Niels Möller * configure.ac: Bumped version to 1.16. * Released nettle-1.15. 2006-11-27 Niels Möller * NEWS: New entry for nettle-1.15. * configure.ac (SHLIBMINOR): Bumped version. Library name is now libnettle.so.2.6. * sha256.c: Changed copyright notice to use the LGPL. * Makefile.in (DISTFILES): Added COPYING.LIB. * COPYING.LIB: New file (previously only the plain GPL was included in the distribution). * nettle.texinfo: Updated vor nettle-1.15. * testsuite/rsa-test.c (test_main): Use test_rsa_sha256. * testsuite/testutils.c (test_rsa_sha256): New function. * testsuite/Makefile.in (DISTFILES): Replaces rfc1750.txt by gold-bug.txt. * rsa.h (rsa_sha256_sign, rsa_sha256_verify) (rsa_sha256_sign_digest, rsa_sha256_verify_digest): New declarations. (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased to 62 octets and 489 bits, respectively, for supporting sha256. * pkcs1.h (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): New declarations and name mangling symbols. * Makefile.in (nettle_SOURCES): Added pkcs1-rsa-sha256.c, rsa-sha256-sign.c, rsa-sha256-verify.c. * pkcs1-rsa-sha256.c, rsa-sha256-sign.c, rsa-sha256-verify.c: New files. * COPYING, INSTALL, install-sh, texinfo.tex: Updated files, from automake-1.10. 2006-11-27 Niels Möller * tools/Makefile.in (install): Use MKDIR_P to create installation directory. Install only one file at a time. * Makefile.in (MKDIR_P): Use MKDIR_P for creating installation directories. * configure.ac: Use AC_PROG_MKDIR_P. 2006-11-24 Niels Möller * testsuite/yarrow-test.c (test_main): Use gold-bug.txt as input file, instead of rfc1750.txt. * testsuite/gold-bug.txt: New test input file for yarrow-test. The copyright on this short story by Edgar Allan Poe has expired. * testsuite/rfc1750.txt: Deleted file. Debian considers RFC:s non-free, and it was expired anyway. Replaced by gold-bug.txt. 2006-11-24 Niels Möller * Almost all header files: Added C++ guards. * configure.ac: Test if the system has any C++ compiler. * config.make.in (CXX, CXXFLAGS, COMPILE_CXX, LINK_CXX): New variables. * testsuite/Makefile.in: New variables TS_C and TS_CXX. Setup for compiling the C++ file cxx-test.cxx. * testsuite/cxx-test.cxx: New testcase, trying to use nettle from a C++ program. 2006-08-28 Niels Möller * index.html: Added section on language bindings. 2006-06-10 Niels Möller * configure.ac: Darwin shared library support, from Grant Robinsson. 2006-05-18 Niels Möller * src/nettle/x86/aes.asm: Deleted unused file. * aes-decrypt.c (_aes_decrypt_table): Deleted the indexing array, previously commented out. * aes-encrypt-table.c (_aes_encrypt_table): Likewise. * Makefile.in (.texinfo.info, .dvi.ps): Use more quotes with basename. (install-here, install-shared, install-info, install-headers): Use plain mkdir, not $(INSTALL) -d. 2006-05-16 Niels Möller Merged from the lsh experimental branch. 2006-04-26 Niels Möller * examples/rsa-decrypt.c: Don't include "getopt.h", since it's not used. * examples/nettle-benchmark.c: Include "getopt.h". * examples/Makefile.in (GETOPT_OBJS): New variable. (rsa-keygen, rsa-encrypt, nettle-benchmark): Depend on and link with $(GETOPT_OBJS). * x86/aes-decrypt-internal.asm: Use ALIGN. * x86/aes-encrypt-internal.asm: Likewise. * x86/arcfour-crypt.asm: Likewise. * x86/md5-compress.asm: Likewise. * x86/sha1-compress.asm: Likewise. * config.m4.in (ASM_ALIGN_LOG): Substitute. * configure.ac (ASM_ALIGN_LOG): Check if .align directive is logarithmic. * asm.m4 (ALIGN): New macro. Takes a logarithmic argument, and expands to a .align directive. 2006-04-21 Niels Möller * nettle.texinfo (Public-key algorithms): Say that the public key operations are undocumented, not unsupported. Reported by Jeronimo Pellegrini. 2006-04-08 Niels Möller * tools/pkcs1-conv.c (read_pem): Fixed c99-style declaration. Reported by Henrik Grubbström. 2006-01-31 Niels Möller * examples/rsa-verify.c: Fixed typo in usage message. 2005-12-05 Niels Möller * configure.ac: Bumped version to 1.15, * Released nettle-1.14. * NEWS: Updated for 1.14. * configure.ac (SHLIBMINOR): Increased minor number. Library version is now libnettle.so.2.5, soname still libnettle.so.2. 2005-11-28 Niels Möller * config.make.in (INSTALL): Don't substitute INSTALL, INSTALL_DATA and friends here, to get a correct a relative filename for install-sh when used in tools/Makefile. * tools/Makefile.in (INSTALL): Substitute INSTALL, INSTALL_DATA and friends here. * Makefile.in (INSTALL): Likewise. 2005-11-27 Niels Möller * Makefile.in (.texinfo.pdf): New rule. Avoid dependency on intermediate .dvi and .ps files. * testsuite/Makefile.in (clean): Delete sha1-huge-test. * Makefile.in (install-info, install-headers): Don't use $< and $?; Solaris make doesn't support them in explicit rules. 2005-11-26 Niels Möller * testsuite/Makefile.in: Include .test-rules.make, which contains the rules for all the test executables. (test-rules): New rule, to update this file. (DISTFILES): Added $(EXTRA_SOURCES). * testsuite/.test-rules.make: Automatically generated file for building the test programs. 2005-11-25 Niels Möller * configure.ac: Disable assembler when compiling with rntcl. * tools/Makefile.in (pkcs1_conv_SOURCES): New variable. (pkcs1-conv): Link with getopt.o and getopt1.o. * Makefile.in (aesdata, desdata, shadata): Use explicit rules for executables. * testsuite/Makefile.in: Use %-rules for building the -test executables, in addition to the suffix rules. Hopefully, this should make all of GNU make, BSD make and Solaris make happy. Use $(EXEEXT) and $(OBJEXT) more consistently. * examples/Makefile.in: Use explicit rules for all executable targets. Use $(EXEEXT) and $(OBJEXT) more consistently. 2005-11-25 Niels Möller * testsuite/Makefile.in: Avoid using single-suffix rule to build executables. 2005-11-24 Niels Möller * Makefile.in (distdir): Use [ -f, not [ -e, since the latter is less portable, and not supported by Solaris /bin/sh. 2005-11-23 Niels Möller * testsuite/Makefile.in (DISTFILES): Added teardown-env. * testsuite/teardown-env: New file. Delete files created by the testsuite. 2005-11-21 Niels Möller * testsuite/testutils.c (main): Fixed check for -v option. Spotted by Goran K. 2005-11-21 Niels Möller * ctr.h (CTR_CTX, CTR_CRYPT): Fixed bugs, spotted by Goran K. 2005-11-20 Niels Möller * Makefile.in (nettle_SOURCES): Added der2rsa.c. * testsuite/Makefile.in (TS_SH): Added pkcs1-conv-test. * tools/Makefile.in (TARGETS): Added @RSA_TOOLS@. (SOURCES): Added pkcs1-conv.c. (pkcs1-conv): New rule. * tools/pkcs1-conv.c: New program. * testsuite/pkcs1-conv-test: New file. * examples/rsa-verify-test: Use rsa-sign to create signature. * examples/io.c (read_file): Fixed spelling in error message. * rsa.h (rsa_public_key_from_der_iterator) (rsa_private_key_from_der_iterator, rsa_keypair_from_der): Declare functions. * der2rsa.c: New file. * der-iterator.c (asn1_der_iterator_init): Initialize length and data. (asn1_der_iterator_next): Support for lengths >= 0x80. (asn1_der_decode_constructed_last, asn1_der_decode_bitstring) (asn1_der_decode_bitstring_last): New functions. (asn1_der_get_bignum): Check for non-mininal encodings. * configure.ac (RSA_TOOLS): New substituted variable. Includes pkcs1-conv, when public-key support is enabled. * bignum.h (nettle_asn1_der_get_bignum): Include nettle_-prefix in declaration. * asn1.h: Added name mangling defines, and a few new declarations. 2005-11-13 Niels Möller * Makefile.in (nettle_SOURCES): Added der-iterator.c. (HEADERS): Added asn1.h. * bignum.h (asn1_der_get_bignum): Declare function. * der-iterator.c: New file. * asn1.h: New file. 2005-11-07 Niels Möller * examples/nettle-benchmark.c: Check HAVE_UNISTD_H. * examples/Makefile.in (TARGETS): Use $(EXEEXT). * tools/Makefile.in (TARGETS, sexp-conv, nettle-lfib-stream): Likewise. * configure.ac: Use $host_cpu, not $host, when setting up the assembler path. Use $host_os, not uname, when setting up shared library flags. * Makefile.in (des.$(OBJEXT)): Use OBJEXT. * config.guess, config.sub: In the CVS tree, moved files to the lsh top-level directory. 2005-10-23 Niels Möller * sparc64/arcfour-crypt.asm: New file, almost the same as sparc/arcfour-crypt.asm. * examples/nettle-benchmark.c (display): Use two decimal places. * sparc/arcfour-crypt.asm: Reorganized. Main loop unrolled four times. Uses aligned 32-bit write accesses at DST. Still uses 8-bit read accesses at SRC; could be improved int he case that SRC and DST have compatible alignment. 2005-10-19 Niels Möller * testsuite/arcfour-test.c (test_main): New testcase with 512 bytes of data. 2005-10-19 Niels Möller * sparc/arcfour-crypt.asm: Fixed bug, spotted by Mikael Kalms. We must order the store at [CTX+I] before the load of [CTX+SI+SJ]. 2005-10-18 Niels Möller * sparc/arcfour-crypt.asm: Special unrolled code if SRC and DST have compatible alignment. Improves performance by 20%, but I'm not sure it's worth the extra complexity. * bignum.c (nettle_mpz_from_octets): Removed sign argument. If mpz_import is available, define nettle_mpz_from_octets as a macro calling mpz_import. (nettle_mpz_from_octets): Start by setting x to zero; callers no longer need to do that. (nettle_mpz_set_str_256_s): New logic for the handling of negative numbers. Convert in the same way as for positive numbers, and then subtract the appropriate power of two. 2005-10-17 Niels Möller * bignum.c (nettle_mpz_from_octets): Improved loop. Removed the digit temporary (suggested by Torbjörn Granlund). * sparc/arcfour-crypt.asm: Improved instruction scheduling. * sparc/arcfour-crypt.asm: Bugfix, use lduh and stuh. * sparc/arcfour-crypt.asm: New file. * sparc64/aes.asm: Deleted unused file. * x86/arcfour-crypt.asm: Use ARCFOUR_I and ARCFOUR_J * asm.m4 (ARCFOUR): New struct. 2005-10-17 Niels Möller * aes-internal.h (struct aes_table): Deleted idx and sparc_idx arrays. * aes-encrypt-table.c (_aes_encrypt_table): Likewise. * aes-decrypt.c (_aes_decrypt_table): Likewise. * asm.m4 (AES): Likewise 2005-10-16 Niels Möller * tools/input.c (sexp_get_char): Use unsigned for the done flag. * sparc64/aes-encrypt-internal.asm: Include sparc/aes.m4. * sparc64/aes-decrypt-internal.asm: Likewise. * sparc64/machine.m4: Use .register pseudo op to say that we use %g2 and %g3 as scratch registers. * sparc/aes-encrypt-internal.asm: Explicitly include sparc/aes.m4. * sparc/aes-decrypt-internal.asm: Likewise. * sparc/aes.m4: New file. Moved aes-related macros here... * sparc/machine.m4: ... removed aes macros. * x86/aes-encrypt-internal.asm: Explicitly include x86/aes.m4. * x86/aes-decrypt-internal.asm: Likewise. * x86/aes.m4: New file. Moved aes-related macros here, from... * x86/machine.m4: ... removed aes macros. * sparc64/aes-encrypt-internal.asm: New file. * sparc64/aes-decrypt-internal.asm: New file. * sparc64/machine.m4: Include the same aes macros used for sparc32. (BIAS): Define magic stack bias constant. * sparc/aes-encrypt-internal.asm, sparc/aes-decrypt-internal.asm: Reduced frame size to 104 bytes, since we no longer need wtxt and tmp on the stack. * sparc/aes.asm: Deleted old aes implementation. * sparc/aes-decrypt-internal.asm: New file. * sparc/machine.m4: Don't use m4 eval, instead rely on the assembler's arithmetic. * sparc/machine.m4 (AES_FINAL_ROUND): Better scheduling, by interleaving independent operations. * sparc/machine.m4 (TMP3): A third temporary register. (AES_FINAL_ROUND): Prepared for scheduling. * sparc/machine.m4 (AES_ROUND): Deleted unused argument T. Updated all calls in aes-encrypt-internal.asm. * sparc/machine.m4 (AES_ROUND): New loop invariants T0-T3, to avoid the additions of the AES_TABLEx constants in the inner loop. * sparc/machine.m4 (AES_ROUND): Better scheduling, by interleaving independent operations. * sparc/machine.m4 (AES_ROUND): Alternate between using TMP1 and TMP2, to prepare for scheduling. * sparc/aes-encrypt-internal.asm: Renamed Ti -> Xi. * sparc/aes-encrypt-internal.asm: Fixed bugs. Now passes the testsuite. * sparc/machine.m4 (AES_ROUND, AES_FINAL_ROUND): Bugfixes. Put NOPs in the load dely slots. * sparc/aes-encrypt-internal.asm: Implemented. Not yet working, and not optimized. * sparc/machine.m4: Use TMP1 and TMP2, so we don't need to pass them as arguments. (AES_FINAL_ROUND): New macro. 2005-10-15 Niels Möller * configure.ac (OBJDUMP): Substitute the program false if objdump is not found. * asm.m4 (PROLOGUE): Use TYPE_FUNCTION. * config.m4.in: Substitute ASM_TYPE_FUNCTION as TYPE_FUNCTION. * configure.ac (ASM_ELF_STYLE): Check for %function and #function, but not for @function. (ASM_TYPE_FUNCTION): New substituted variable. * configure.ac (ASM_ELF_STYLE): Fixed .type foo,@function statement used when checking for pseudo operations. * sparc/machine.m4 (AES_LOAD, AES_ROUND): Started writing new AES macros. * sparc/aes-encrypt-internal.asm: New file. 2005-10-14 Niels Möller * x86/aes-decrypt.asm, x86/aes-encrypt.asm: Deleted files. * x86/aes-decrypt-internal.asm: New file. * x86/machine.m4: Changed AES macros, to handle a table register. Also take more of the used registers as argument. * x86/aes-encrypt-internal.asm: Rewritten to match new interface, with the table pointer as an argument. Unlike the old code, this should really be position independent. * configure.ac: When looking for assembler files, link in aes-encrypt-internal.asm and aes-decrypt-internal.asm. Don't look for aes.asm, aes-encrypt.asm and aes-decrypt.asm. * configure.ac (OBJDUMP): Use AC_CHECK_TOOL to check for objdump. (ASM_MARK_NOEXEC_STACK): Use $OBJDUMP when examining the object file. * Makefile.in (nettle_SOURCES): Removed aes.c, aes-decrypt-table.c. Added aes-decrypt-internal.c and aes-encrypt-internal.c. * aes.c, aes-decrypt-table.c: Deleted files. * aes-decrypt.c (_aes_decrypt_table): Moved table here, and made static. * aes-internal.h (_aes_decrypt_table): Don't declare, it's no longer globally visible. * aes-decrypt-internal.c (_nettle_aes_decrypt): New AES decryption function, analogous to _nettle_aes_encrypt. 2005-10-14 Niels Möller * aes-internal.h (AES_ROUND, AES_FINAL_ROUND): New macros. * aes-encrypt-internal.c (_nettle_aes_encrypt): New AES encryption function, avoiding the table-based indexing. * sha1-compress.c: Added debugging code. * md5-compress.c: Likewise. 2005-10-13 Niels Möller * config.m4.in (ASM_MARK_NOEXEC_STACK): Use a diversion, to substitute the value of ASM_MARK_NOEXEC_STACK at the end of each assembler file. * configure.ac (ASM_MARK_NOEXEC_STACK): Check if the C compiler generates a .note.GNU-stack section. If so, we should do the same in our assembler files. * sparc64/aes.asm: New file. Copy of sparc/aes.asm, with minor changes to the stack frame layout. Patch contributed by Henrik Grubbström. Not yet tested. * x86/md5-compress.asm: Skip copying of input to the stack, and don't allocate space for it. (F1): Fixed bug. * testsuite/md5-test.c: Document intermediate values for first test case. * configure.ac (asm_path): Check for sparc64, and use sparc64 subdirectory. Link in md5-compress.asm, if it exists. 2005-10-13 Niels Möller * x86/md5-compress.asm (REF): Fixed calculation of offset. 2005-10-12 Niels Möller * x86/machine.m4 (OFFSET): Moved macro, used to be in... * x86/sha1-compress.asm (OFFSET): ... removed macro. * x86/md5-compress.asm: New file, with first attempt at md5 assembler. Not yet working. 2005-10-11 Niels Möller * Makefile.in (nettle_SOURCES): Added md5-compress.c. * md5.c: Reorganized to use _nettle_md5_compress, in analogy with sha1.c. * md5-compress.c (_nettle_md5_compress): New file and new function. 2005-10-10 Niels Möller * testsuite/Makefile.in (EXTRA_SOURCES, EXTRA_TARGETS): New variables, for test cases that are not run by default. * testsuite/sha1-huge-test.c (test_main): New test case, with a very large sha1 input. * testsuite/testutils.c (test_hash_large): New function. * sha1.c (sha1_block): Deleted function; inlined where used. (SHA1_INCR): New macro for incrementing the block count. 2005-10-06 Niels Möller * configure.ac: Bumped version to 1.14. * Released nettle-1.13. * configure.ac: Check for openssl/aes.h. * Makefile.in (distdir): Use a loop to pick up the contents of $(DISTFILES) from source and build directories. For some reason, $? failed to find stamp-h.in in the source directory. 2005-10-05 Niels Möller * x86/aes-decrypt.asm: Use C_NAME(_nettle_aes_decrypt_table) when using the AES_SUBST_BYTE macro. Use PROLOGUE and EPILOGUE. * x86/sha1-compress.asm: Use PROLOGUE and EPILOGUE. * x86/arcfour-crypt.asm: Likewise. * x86/aes-encrypt.asm: Likewise. * config.m4.in (ELF_STYLE): Substitute configure's ASM_ELF_STYLE. * asm.m4 (PROLOGUE, EPILOGUE): New macros, checking the value of ELF_STYLE. So far, used and tested only for the x86 assembler files, and needed to make the assembler happy both with ELF (linux, solaris) and COFF (windows). * configure.ac (NM): Use AC_CHECK_TOOL to check for nm. (ASM_SYMBOL_PREFIX): Use $NM when examining the object file. (ASM_ELF_STYLE): New variable. Set to 'yes' if assembling a file with ELF-style .type and .size pseudo ops works. * Makefile.in (TARGETS, DISTFILES): Added nettle.pdf. (.texinfo.dvi, .dvi.ps, .ps.pdf): New targets, to build nettle.pdf. (DOCTARGETS): New variable with targets that shouldn't be deleted by make clean. (maintainer-clean-here): New target. Deletes generated documentation files. * nettle.texinfo: Define AUTHOR with accents, when running in TeX mode, which doesn't handle latin-1 properly. Set UPDATED-FOR to 1.13. Updated copyright years, and introduced a COPYRIGHT-YEARS symbol. Updated copyright section, to mention assembler implementations. (Cipher modes): Transformed the Cipher Block Chaining to a section Cipher modes, describing both CBC and the new CTR mode. * src/nettle/x86/aes_tables.asm: Deleted unused file. * x86/aes.asm: Deleted contents. This file is needed just to override aes.c, which isn't needed for the x86 implementation. * configure.ac (SHLIBMINOR): Increased minor number. Library version is now libnettle.so.2.4, soname still libnettle.so.2. * examples/nettle-benchmark.c (main): Reordered hash benchmarks. * x86/sha1-compress.asm (EXPAND): Use % 16 instead of & 15 to compute offsets mod 16, since m4 on FreeBSD 49.RELEASE and NetBSD doesn't implement & correctly in eval. 2005-10-03 Niels Möller * x86/sha1-compress.asm (OFFSET): New macro. (F3): Eliminated a movl. (ROUND): New argument, for k. When using F3, it's TMP3, on the stack, otherwise, it is kept in TMP2, a register. 2005-10-03 Niels Möller * examples/nettle-openssl.c: Use correct block sizes for openssl ciphers. * examples/nettle-benchmark.c: Also display cycles per block. 2005-10-02 Niels Möller * sha1-compress.c (_nettle_sha1_compress): Updated to new interface. Now responsible for byte conversion. * x86/sha1-compress.asm (_nettle_sha1_compress): Do byte order conversion, and store the input data on the stack. This leaves one more register free for other uses. * examples/nettle-benchmark.c: Now display cycles/byte, if the -f option is used to say what the clock frequency is. * sha1.c (sha1_block): Don't convert data from uint8_t to uint32_t, that's now the responsibility of _nettle_sha1_compress. * sha.h (_nettle_sha1_compress): Changed interface. Second argument is now a pointer to the input data in unaligned, big-endian form. 2005-09-28 Niels Möller * sha1.c (sha1_final): Call sha1_block, don't call the compression function _nettle_sha1_compress directly. * nettle-internal.h (nettle_openssl_md5) (nettle_openssl_sha1): Declare. * examples/nettle-benchmark.c (main): Benchmark openssl md5 and sha1. * examples/nettle-openssl.c (nettle_openssl_md5) (nettle_openssl_sha1): Added glue for openssl hash functions. * nettle-internal.h (nettle_openssl_aes128, nettle_openssl_aes192) (nettle_openssl_aes256, nettle_openssl_arcfour128): Declare. * examples/nettle-benchmark.c: Check WITH_OPENSSL, not HAVE_LIBCRYPTO. Benchmark openssl's aes and arcfour code. * examples/nettle-openssl.c: Updated openssl des glue to use the new openssl des interface. Added glue for arcfour and aes. 2005-09-27 Niels Möller * nettle.texinfo (RSA): Improved text about the RSA patent. Use @documentencoding ISO-8859-1. 2005-09-07 Niels Möller * tools/sexp-conv.c (parse_options): New option --raw-hash, for compatibility with lsh-1.x. Equivalent to --hash. 2005-09-06 Niels Möller * tools/sexp-conv.c (main): With --hash, output a newline after each hash. 2005-07-02 Niels Möller * testsuite/Makefile.in (TS_SOURCES): Added ctr-test.c. * testsuite/testutils.c (test_cipher_ctr): New function. * testsuite/ctr-test.c: New file. * testsuite/cbc-test.c (test_main): Use static const for msg. * Makefile.in (nettle_SOURCES): Added ctr.c. (HEADERS): Added ctr.h. (HEADERS): Added nettle-types.h. (INSTALL_HEADERS): Install nettle-stdint.h. (distclean-here): Delete nettle-stdint.h, not nettle-types.h. * ctr.c (ctr_crypt): New file, new function. * memxor.c (memxor3): New function, suggested by Adam Langley. * nettle-internal.h (NETTLE_MAX_CIPHER_BLOCK_SIZE): New constant. * nettle.texinfo (Cipher functions): Fixed typo in prototype for arctwo_encrypt (noticed by Adam Langley). * nettle-meta.h: No longer needs to include cbc.h. * cbc.h (nettle_crypt_func): Moved typedef to nettle-types.h. (CBC_ENCRYPT, CBC_DECRYPT): Deleted older #if:ed out versions. * configure.ac (AX_CREATE_STDINT_H): Use the file name nettle-stdint.h, not nettle-types.h. * nettle-types.h: New file. Automatically generated declarations are now in nettle-stdint.h. 2005-03-17 Niels Möller * config.guess: Support Solaris on x86_64. Fix by Henrik Grubbström. 2005-01-03 Niels Möller * examples/io.h: Include RSA declarations only when public key algorithms are enabled. Problem reported by Meilof Veeningen . 2004-12-07 Niels Möller * Makefile.in: Install directories, using $(INSTALL) -d, only if they don't exist already. 2004-12-05 Niels Möller * config.make.in (.PRECIOUS): Reverted earlier change. We need .PRECIOUS to stop GNU make from deleting object files for the test programs. 2004-12-02 Niels Möller * Makefile.in (.SUFFIXES): Moved from Makefile.in to... * config.make.in (.SUFFIXES): ... here. This helps compilation with BSD make. * testsuite/Makefile.in (.SUFFIXES): Deleted target. * config.make.in (.c): Disable default rule for BSD-make. * Makefile.in (all check install uninstall) (clean distclean mostlyclean maintainer-clean): Don't use the -C flag when invoking make, for compatibility with Solaris make. 2004-12-02 Niels Möller * Makefile.in (aesdata, desdata): Commented out the explicit targets. (shadata): Avoid using $< in non-pattern rule. 2004-12-01 Niels Möller * config.make.in: Added a default target. 2004-11-29 Niels Möller * testsuite/Makefile.in: Use .$(OBJEXT). Explicitly set .SUFFIXES. * Makefile.in: Use .$(OBJEXT). 2004-11-28 Niels Möller * tools/Makefile.in (nettle-lfib-stream): Avoid using $< in non-suffix rule. * Makefile.in (distdir): Handle absolute $distdir. Avoid using the GNU extension $^. * examples/Makefile.in: Avoid using the GNU extension $^. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. 2004-11-24 Niels Möller * configure.ac: Fixed typo, preventing the creation of dependency files. 2004-11-23 Niels Möller * Makefile.in: Use DEP_INCLUDE. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * examples/Makefile.in: Likewise. * configure.ac (dummy-dep-files): Generate only of dependency tracking is enabled. 2004-11-18 Niels Möller * Makefile.in (clean-here): The clean target should not delete the dependency files. Moved to the distclean target. * examples/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * configure.ac (ASM_SYMBOL_PREFIX): Fixed test. (dummy-dep-files): Added quotes to sed command. 2004-11-17 Niels Möller * testsuite/symbols-test: Try plain nm if nm -g doesn't work. * x86/sha1-compress.asm: Use C_NAME for global symbols. * x86/aes-encrypt.asm: Likewise. * x86/aes-decrypt.asm: Likewise. * x86/arcfour-crypt.asm: Likewise. * Makefile.in (config.m4): New rule. * config.m4.in (C_NAME): New macro. * configure.ac (ASM_SYMBOL_PREFIX): Check if global symbols have a leading underscore. 2004-11-16 Niels Möller * Deleted getopt.c, getopt.h and getopt1.c from the CVS tree. Link them from shared copies in lsh/misc instead. 2004-11-14 Niels Möller * Makefile.in (DEP_FILES): Try include with only one macro argument to be expanted. * configure.ac (dummy-dep-files): Create dummy dependency files, so that they can be included by the makefiles. 2004-11-13 Niels Möller * Makefile.in: Don't use -include, as it's GNU make specific. * examples/Makefile.in, tools/Makefile.in, testsuite/Makefile.in: Likewise. * examples/nettle-openssl.c: Check WITH_OPENSSL, not HAVE_LIBCRYPTO. * configure.ac: Check for individual openssl headers blowfish.h, cast.h, des.h. Renamed symbol HAVE_LIBCRYPTO to WITH_OPENSSL. New configure option --disable-openssl. 2004-11-04 Niels Möller * configure.ac: Bumped version to 1.13. * Released nettle-1.12. 2004-11-04 Niels Möller * nettle.texinfo (UPDATED-FOR): Bumped to 1.12. 2004-11-02 Niels Möller * nettle.texinfo (Cipher functions): Updated AES documentation, for aes_set_encrypt_key and aes_set_decrypt_key. (UPDATED-FOR): Set to 1.11. I think the manual should be updated with all user-visible changes. * aclocal.m4 (LSH_DEPENDENCY_TRACKING): Need extra quoting in case pattern. (This file really lives in the lsh tree, as lsh/acinclude.m4. For a complete ChangeLog, see lsh/Changelog). 2004-10-26 Niels Möller * configure.ac: Bumped version to 1.12. * Released nettle-1.11. * Makefile.in (clean-here): Delete *.s files. (PRE_CPPFLAGS): Use this variable, not INCLUDES. Removed -I$(srcdir). * x86/arcfour-crypt.asm: Use movzbl when extending %cl to 32 bits. 2004-10-24 Niels Möller * x86/arcfour-crypt.asm: Reverted the latest two changes; update bost src and dst pointers in the loop, and use plain addb when updating j. These two previous changes slowed the code down on AMD Duron. 2004-10-21 Niels Möller * Makefile.in (install-shared): Use $(INSTALL_PROGRAM). * configure.ac (SHLIBMINOR): Updated, shared library version is now libnettle.so.2.3, soname still libnettle.so.2. * Makefile.in (DISTFILES): Added asm.m4. 2004-10-21 Niels Möller * examples/Makefile.in: Deleted all configure-related rules, except the one rebuilding this Makefile. One should run make at top level if other configure related files change. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * configure.ac: Replaced AC_OUTPUT(list...) with an AC_OUTPUT without arguments, and AC_CONFIG_FILES listing the files. * Makefile.in: Changed the assembler rules as suffix rules. Rewrote the configure-related rules, mostly based on the example in the autoconf manual. 2004-10-20 Niels Möller * examples/nettle-openssl.c (NCOMPAT): Disable openssl backwards compatibility. * config.make.in: Insert $(PRE_CPPFLAGS) and $(PRE_LDFLAGS) before $(CPPFLAGS) and $(LDFLAGS). This mechanism replaces $(INCLUDES). * examples/Makefile.in (PRE_CPPFLAGS, PRE_LDFLAGS): Use these flags to get -I.. and -L.. early on the command line. * testsuite/Makefile.in: Likewise * tools/Makefile.in: Likewise. 2004-10-20 Niels Möller * Makefile.in: In the assembler rules, there's no need to look in $(srcdir) for the input file. * x86/arcfour-crypt.asm: Reduced inner loop by one instruction, by precomputing the offset between src and dst. * tools/Makefile.in (.c.$(OBJEXT)): Removed redundant -I.. flag. * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replaced addb -> addl + andl $0xff, improving speed on PPro by another 15%. 2004-10-20 Niels Möller * tools/Makefile.in (install): Support DESTDIR. (uninstall): New target. * testsuite/Makefile.in (uninstall): New dummy target. * config.sub: Copied from automake-1.8.5. * examples/Makefile.in (SOURCES): Added rsa-sign.c and rsa-verify.c. (DISTFILES): Added getopt.h. (install uninstall): New dummy targets. * config.make.in (.PHONY): Added more targets. * Makefile.in (.texinfo.info, .texinfo.html): New targets. Added support for uninstall and DESTDIR. Various fixes to install and distcheck. * examples/Makefile.in (INCLUDES): Added -I flags. (distdir): Use $^ to refer to the files. (distclean): New target. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * Makefile.in (INCLUDES): Need -I flags for VPATH build. (clean distclean mostlyclean maintainer-clean): Clean subdirectories first. (DISTFILES): Added a bunch of files. (des_headers): Added desCore rules. (install-here): Split off target install-headers, which uses $^ to refer to the files. (distdir): Use $^ to refer to the files. distcheck): Fixes. * config.make.in (COMPILE): Add $(INCLUDE) to the line. 2004-10-19 Niels Möller Stop using automake. Replaced each Makefile.am with a hand-written Makefile.in. * configure.ac: New output variable CCPIC_MAYBE. New output file config.make. Replaced automake constructions. * .bootstrap: Don't run aclocal and automake. * config.make.in: New file, with shared Makefile variables and rules. 2004-10-18 Niels Möller * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replace incb -> incl + andl, to improve speed on PPro and PII. Suggested by Fredrik Olsson. 2004-10-08 Niels Möller * examples/rsa-encrypt-test: Avoid reading and executing a file at the same time. * examples/setup-env: Likewise. 2004-10-06 Niels Möller * testsuite/symbols-test: Ignore __i686.get_pc_thunk.bx and similar symbols. 2004-10-05 Niels Möller * twofish.c (q_table): Use a const pointer array. * sexp2dsa.c (dsa_keypair_from_sexp_alist): Use a const pointer array for the keywords. (dsa_signature_from_sexp): Likewise. * sexp2rsa.c (rsa_keypair_from_sexp_alist): Likewise. (rsa_keypair_from_sexp): Likewise. * sexp.c (sexp_iterator_check_types): Use an argument of type "const uint8_t * const *" for the types list. (sexp_iterator_assoc): Likewise, for the keys list. * list-obj-sizes.awk: Fixes to handle multiple .data and .rodata sections. Also fixed to handle the last file correctly. 2004-09-23 Niels Möller * configure.ac (SHLIBLINK, SHLIBLIBS): On cygwin, linking needs -Wl,--whole-archive $(OBJECTS) -Wl,--no-whole-archive $(LIBS). 2004-09-22 Niels Möller * configure.ac: Setup SHLIBFORLINK and friends for cygwin. * list-obj-sizes.awk: Strip *_a-prefix from all file names. * Makefile.am (libnettle_a_SOURCES): List only .c files. Headers moved to noinst_HEADERS. (SHLIBOBJECTS): Substitute from libnettle_a_SOURCES, not am_libnettle_a_OBJECTS, since the latter includes libnettle_a-prefixes with some automake versions. (SHLIBSONAME): Check if this name is empty, which is the case on cygwin, before using it. 2004-08-31 Niels Möller * configure.ac: New command line option --disable-pic. Use LSH_CCPIC. * Makefile.am (libnettle_a_CFLAGS): Added $(CCPIC), to attempt to build also the static library as position independent code. 2004-08-24 Niels Möller * des-compat.c (des_cbc_cksum): Pad input with NUL's, if it's not an integral number of blocks. 2004-08-24 Niels Möller * testsuite/arctwo-test.c, arctwo.h, arctwo.c (arctwo_set_key_ekb): Fixed typo; it should be "ekb", not "ebk". Integrated arctwo patch from Simon Josefsson. * testsuite/Makefile.am (noinst_PROGRAMS): Added arctwo-test. * Makefile.am (libnettleinclude_HEADERS): Added arctwo.h. (libnettle_a_SOURCES): Added arctwo.c, arctwo.h and arctwo-meta.c. * nettle-meta.h (nettle_arctwo40, nettle_arctwo64) (nettle_arctwo64, nettle_arctwo_gutmann128): Declare ciphers. * arctwo-meta.c, arctwo.c, arctwo.h, testsuite/arctwo-test.c: New files. * macros.h (LE_READ_UINT16, LE_WRITE_UINT16): New macros. 2004-08-23 Niels Möller * testsuite/md5-test.c (test_main): Added collision, found in 2004. (test_main): Added second collision. 2004-08-23 Niels Möller * testsuite/md5-test.c (test_main): Added first half of a collision test case. * des-compat.c (des_cbc_cksum): Changed input argument to be of type const uint8_t * (was const des_cblock *). * des-compat.h (const_des_cblock): New bogus type. Disabled use of const, for compatibility with openssl. 2004-06-08 Niels Möller * aesdata.c: Renamed log and ilog to gf2_log and gf2_exp. 2004-04-07 Niels Möller * aes-set-encrypt-key.c (log, ilog): Deleted unused tables. * aes-set-decrypt-key.c (gf2_log, gf2_exp, mult): Renamed tables, were log and ilog. 2004-03-20 Niels Möller * configure.ac: Use AC_CONFIG_AUX_DIR([.]). 2004-03-18 Niels Möller * examples/io.c (read_file): Display a message if fopen fails. 2004-03-05 Niels Möller * Released nettle-1.10. * configure.ac (SHLIBMINOR): Shared library version is now 2.2. 2004-03-04 Niels Möller * testsuite/symbols-test: Pass -g flag to nm. 2004-03-02 Niels Möller * configure.ac: Fixed EXEEXT workaround. 2004-03-02 Niels Möller * configure.ac: Added workaround to get the correct $(EXEEXT)='' when compiling with rntcl. 2004-03-02 Niels Möller * testsuite/Makefile.am (noinst_PROGRAMS): Put test program list here, to let automake add $(EXEEXT). * configure.ac (RSA_EXAMPLES): Append $(EXEEXT) to the filenames. 2004-03-01 Niels Möller * examples/rsa-keygen.c, examples/rsa-encrypt.c, examples/rsa-decrypt.c: Include "getopt.h" instead of . * examples/Makefile.am (rsa_encrypt_SOURCES, rsa_decrypt_SOURCES) (rsa_keygen_SOURCES): Added getopt.h, getopt.c and getopt1.c. * examples/getopt.h, examples/getopt.c, examples/getopt1.c: New files. * testsuite/des-compat-test.c: Don't include . * testsuite/testutils.c (main): Don't use getopt. Then we don't need to include . 2004-03-01 Niels Möller * config.guess: Copied from automake-1.8.2. Hacked to recognize Windows_NT (and Windows_95 and Windows_98) running on "x86" and "686". * install-sh: Removed from CVS repository. Let automake supply it. 2004-02-26 Niels Möller * nettle-meta.h (nettle_crypt_func): Typedef moved to cbc.h. Include cbc.h instead. * des-compat.c: Reverted const change, now all the des_key_sched arguments are not const. This is also what openssl's interface looks like. (cbc_crypt_func): Deleted typedef, use nettle_crypt_func instead. * cbc.h (nettle_crypt_func): Moved typedef here. * cbc.c (cbc_encrypt, cbc_decrypt_internal, cbc_decrypt): Use it for typing the f argument. Reverted the const change, for compatibility with nettle_crypt_func. 2004-02-25 Niels Möller * testsuite/des-compat-test.c: Use des_cblock for typing more of the variables. Use const. Got rid of most of the explicit casts. Disabled the input/output alignment tests. * des.c (des_encrypt, des_decrypt): Use a const context pointer. * des3.c (des3_encrypt, des3_decrypt): Likewise. * cbc.c (cbc_encrypt, cbc_decrypt): Use a _const_ void *ctx argument. * des-compat.c: Use const for all unchanged arguments. (des_key_sched): Use a copy of the key if we need to fix the parity. * testsuite/des-compat-test.c (C_Block, Key_schedule): Deleted defines. Deleted some of the explicit casts. * des-compat.c (des_cbc_cksum): Dereference DST pointer. 2004-02-25 Niels Möller * pgp.h: Include nettle-types.h. 2004-02-24 Niels Möller * testsuite/symbols-test: Allow symbols starting with double underscores, like on darwin. 2004-02-17 Niels Möller * Makefile.am: Protected %-rules used for building pure objects, and for assembler files, by automake conditionals. Needed for makes such as tru64's, which tries to understand %-patterns, but doesn't get it right. (SUFFIXES): Added .html. (.texinfo.html): Rewrote rule to use a traditional suffix target. * configure.ac (enable_assembler): Explicitly set enable_assembler=no, on architectures where we have no assembler files. (ENABLE_ASSEMBLER, ENABLE_SHARED): New automake conditionals. * testsuite/testutils.c (xalloc): xalloc(0) should work also on systems where malloc(0) returns NULL. 2004-02-16 Niels Möller * Makefile.am (%.o: %.asm): Added comment about OSF1 make problem. 2004-02-15 Niels Möller * testsuite/testutils.h: #include nettle-types.h instead of inttypes.h. 2004-02-12 Niels Möller * examples/rsa-encrypt-test: Use -r option when invoking rsa-encrypt. Needed for the test to work on systems with no /dev/urandom. 2004-02-12 Niels Möller * configure.ac (CPPFLAGS, LDFLAGS): No spaces after -I and -L, as some C compilers, in particular True64 cc, don't like that. 2004-02-08 Niels Möller * configure.ac: Bumped version number to 1.10. 2004-02-07 Niels Möller * Released nettle-1.9. * configure.ac (SHLIBMINOR): Bumped, library version is now 2.1. * testsuite/sexp-format-test.c: Include bignum.h only if HAVE_LIBGMP. * testsuite/rsa-encrypt-test.c: Include rsa.h only if WITH_PUBLIC_KEY. * testsuite/pkcs1-test.c: Include pkcs1.h only if WITH_PUBLIC_KEY. * pgp-encode.c [!HAVE_LIBGMP]: Kludge around the pgp.h's dependency on gmp.h. (pgp_put_mpi): Condition on HAVE_LIBGMP. * pgp.h: Don't include bignum.h, to make it possible to compile the non-bignum parts of pgp-encode.c without bignum support. Needs to be fixed properly before the pgp interface is advertised. * tools/sexp-conv.c (xalloc): New function. (main): Use xalloc. * tools/output.c (sexp_put_digest): Use TMP_DECL instead of alloca. * testsuite/testutils.c (xalloc): New function. Made all other functions use xalloc instead of alloca. * examples/rsa-keygen.c (main): Use xalloc for allocation. * examples/rsa-encrypt.c (write_bignum): Likewise. * examples/rsa-decrypt.c (read_bignum): Likewise. * testsuite/yarrow-test.c (open_file): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Likewise. * testsuite/bignum-test.c (test_bignum): Likewise. * examples/nettle-openssl.c: When calling des_key_sched and des_ecb_encrypt, cst arguments to (void *). Openssl's typedefs des_cblock and const_des_cblock are too broken. * examples/nettle-benchmark.c (xalloc): New function. Use instead of alloca, for better portability. * examples/io.c (xalloc): New function. * Makefile.am (nodist_libnettleinclude_HEADERS): nettle-types.h should not be distributed. 2004-02-06 Niels Möller * x86/sha1-compress.asm: Rename round -> ROUND. * x86/sha1-compress.asm: Store the magic constants on stack. Accessing them via %esp should be a little faster than using large immediate operands. * Makefile.am (EXTRA_DIST, DISTCLEANFILES): Handle sha1-compress.asm. * configure.ac: Use assembler file sha1-compress.asm if available. * x86/sha1-compress.asm (EXPAND): Fixed the rotation part of the data expansion. 2004-02-06 Niels Möller * x86/sha1-compress.asm: Assembler implementation of sha1_compress. (Not yet working). * Makefile.am (libnettle_a_SOURCES): Added sha1-compress.c. * sha1.c (sha1_transform): Function renamed to sha1_compress, and moved to... * sha1-compress.c: ... New file. 2004-02-05 Niels Möller * examples/rsa-encrypt.c (process_file): Copy the leftover to the start of the buffer, when preparing for the final processing. * examples/nettle-benchmark.c (bench_hash, time_hash): New functions. (main): Benchmark hash functions too. (BENCH_BLOCK): Increased 10K. (BENCH_INTERVAL): Decreased to 0.25s. * examples/nettle-benchmark.c (time_function): Loop around calling f, until 1s has elapsed. Returns seconds per call. Updated bench functions to not loop themselves. (display): Updated MB/s calculation. * testsuite/arcfour-test.c (test_main): Use test_cipher_stream. * testsuite/testutils.c (test_cipher_stream): New function, that tries dividing the input into varying size blocks before processing. * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Bug fix, half of the S array swap was forgotten. * arcfour.c (arcfour_stream): Likewise. * arcfour-crypt.c (arcfour_crypt): Likewise. 2004-02-05 Niels Möller * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Must store the new i, j at the end of the loop. * Makefile.am (EXTRA_DIST): Make sure x86 assembler files are distributed. (DISTCLEANFILES): And that the symlinks and .s files are deleted. * x86/aes-encrypt.asm, x86/aes-decrypt.asm, x86/arcfour-crypt.asm: Fixed debug information. * x86/arcfour-crypt.asm: New file. About three times faster than the optimized C code. * configure.ac: Use assembler file arcfour-crypt.asm if available. * arcfour.c (arcfour_crypt): Moved function too... * arcfour-crypt.c (arcfour_crypt): New file. * arcfour.c (arcfour_crypt): Optimization suggested by Jonas Walldén. Makes arcfour up to 50% faster on x86 and ppc, and probably on other architectures as well. 2004-01-31 Niels Möller * configure.ac (AX_CREATE_STDINT_H): Also look for uint32_t and friends in sys/types.h. 2004-01-11 Niels Möller * Makefile.am (libnettleinclude_HEADERS): Added bignum.h, memxor.h, pkcs1.h and rsa-compat.h. * configure.ac: Bumped version to 1.9. 2004-01-10 Niels Möller * Released nettle-1.8. * examples/teardown-env: Delete more test files. * nettle.texinfo (Hash functions): Documented md2 and md4. * configure.ac (SHLIBMAJOR): Bumped to 2. 2004-01-09 Niels Möller * examples/rsa-encrypt-test: New testcase. * examples/rsa-encrypt.c, examples/rsa-session.h: Expanded the comment describing the file format, and moved to rsa-session.h. * examples/rsa-decrypt.c (process_file): Finished this function. (main): Initialize x. Check the size of the session key after rsa decryption. * examples/io.c (write_string): Treat short item count as an error. 2004-01-08 Niels Möller * index.html: Added instructions for CVS access. * dsa-keygen.c (dsa_nist_gen): Fixed declaration/statement order. * rsa-keygen.c (bignum_next_prime): Fixed off-by-one error when comparing input to the largest listed prime. General cleanup, as prime_limit > 0 always. Use TMP_DECL and TMP_ALLOC. * nettle-internal.h (TMP_DECL, TMP_ALLOC): New macros. When alloca is unavailable, they work by allocating a fix amount of stack and imposing a hard limit on what can be allocated. Updated all users of alloca. 2004-01-07 Niels Möller * nettle-types.h: New (generated) file, to be used instead of including directly. Updated all users of inttypes.h. * Makefile.am (DISTCLEANFILES, libnettleinclude_HEADERS): Added nettle-types.h. * configure.ac (AX_CREATE_STDINT_H): Create nettle-types.h. 2003-11-16 Niels Möller * yarrow256.c (yarrow256_seed): Use const for the seed_file input. 2003-11-12 Niels Möller * list-obj-sizes.awk: New function for decoding hex values, with a new function hex2int. Also implemented calculation of total storage, removed the dependence on the .comment section, and use the $FILTER environment variable as a regexp for restricting the object files that are considered. 2003-09-21 Niels Möller * testsuite/rsa-encrypt-test.c (test_main): Don't use gmp_printf, as it seems it's only available with the newer gmp. Use mpz_out_str instead. 2003-09-19 Niels Möller * examples/Makefile.am (EXTRA_DIST): Added rsa-session.h. * tools/nettle-lfib-stream.c: New tool, which outputs a sequence of pseudorandom (non-cryptographic) bytes, using Knuth's lagged fibonacci generator. * examples/rsa-decrypt.c: Fixes to get the file to compile. It won't work yet. * examples/Makefile.am (EXTRA_PROGRAMS): Added rsa-encrypt and rsa-decrypt. * examples/io.c (write_file): New function. (write_string): Simplified error check, it's no real point in calling ferror unless we also call fflush. * examples/rsa-keygen.c (main): Check return value from simple_random. * examples/rsa-decrypt.c, examples/rsa-encrypt.c, examples/rsa-session.h: New files, demonstrating rsa encryption and decryption. * configure.ac (RSA_EXAMPLES): Added rsa-encrypt and rsa-decrypt. 2003-09-01 Niels Möller * testsuite/testutils.c (print_hex): Use const. 2003-08-30 Niels Möller * md2.c, md2.h: Added reference to RFC 1319. * md4.c, md4.h: Added reference to RFC 1320 2003-08-26 Niels Möller * Makefile.am: Added md2 and md5 files. Deleted the print-path hack. * configure.ac: Bumped version to 1.8. * testsuite/testutils.c (test_rsa_set_key_1): New function. * testsuite/rsa-test.c (test_main): Use it. * testsuite/dsa-keygen-test.c: Deleted definition of UNUSED, it's now in config.h. * testsuite/rsa-keygen-test.c: Likewise. * testsuite/Makefile.am (TS_PROGS): Added rsa-encrypt-test, md4-test, and md2-test. * testsuite/rsa-encrypt-test.c, testsuite/md4-test.c, testsuite/md2-test.c: New test cases. * nettle-meta.h: Declare nettle_md2 and nettle_md4. * md5.c: Reorderd functions, putting md5_final at the end. * md2.c, md2.h, md2-meta.c: New files, implemented md2. * md4.c, md4.h, md4-meta.c: New files, implemented md4. 2003-08-17 Niels Möller * desCode.h (des_keymap, des_bigmap): Deleted extern declarations, they conficted with the static definition in des.c. Reported by Simon Josefsson. * des.c (DesSmallFipsEncrypt, DesSmallFipsDecrypt): Moved definitions after the definition of the des_kemap array. 2003-08-11 Niels Möller * rsa-encrypt.c (rsa_encrypt): Bugfix contributed by leg@terra.com.br. 2003-06-10 Niels Möller * Makefile.am (EXTRA_DIST): Distribute sha-example.c. 2003-06-05 Niels Möller * Makefile.am (DISTCLEANFILES): Delete .s files. 2003-05-27 Niels Möller * testsuite/symbols-test: And allow symbols that start at the beginning of the line, as output by AIX nm. 2003-05-26 Niels Möller * testsuite/symbols-test: Allow symbols to start with a dot. 2003-05-14 Niels Möller * pgp.h (enum pgp_subpacket_tag): Copied values from RFC 2440. Renamed PGP_SUBPACKET_ISSUER to PGP_SUBPACKET_ISSUER_KEY_ID. 2003-05-13 Niels Möller * pgp.h: Do proper namemangling for pgp_put_public_rsa_key and pgp_put_rsa_sha1_signature. * pgp-encode.c (pgp_put_mpi): Fixed nettle_mpz_get_str_256 call. 2003-05-12 Niels Möller * rsa2openpgp.c (rsa_keypair_to_openpgp): Some bugfixes. * pgp.h (enum pgp_subpacket_tag): New enum. Definition is bogus and needs to be fixed. Added forward declarations of structs, and prototypes for pgp_put_public_rsa_key and pgp_put_rsa_sha1_signature. * pgp-encode.c (pgp_put_mpi): Take a const mpz_t argument. Gugfix, use nettle_mpz_get_str_256. (pgp_put_public_rsa_key, pgp_put_rsa_sha1_signature): Constification. Some bugfixes. * Use "config.h", not . * Reordered includes in most or all .c-files. All should now include config.h. 2003-05-12 Niels Möller * configure.ac: Use LSH_FUNC_ALLOCA. 2003-04-25 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added hmac-sha256.c. * testsuite/hmac-test.c (test_main): Added tests for hmac-sha256, from draft-ietf-ipsec-ciph-sha-256-01.txt. * hmac-sha256.c (hmac_sha256_digest): New file. 2003-04-22 Niels Möller * sha-example.c (display_hex): Simplified by using printf better. * nettle.texinfo (Example): Use @verbatiminclude to include the example program. * sha-example.c: Example program, for inclusion in the manual. Fixed bugs reported by Mark Arking. 2003-04-14 Niels Möller * x86/aes-encrypt.asm (nettle_aes_encrypt): Fixed references to _nettle_aes_encrypt_table. * x86/aes-decrypt.asm (nettle_aes_decrypt): Fixed references to _nettle_aes_decrypt_table. 2003-04-12 Niels Möller * testsuite/Makefile.am (TS_SH): New test case symbols-test. (EXTRA_PROGRAMS): Added testutils, as a kludge to get automake to track dependencies for testutils.o. * x86/aes-encrypt.asm (nettle_aes_encrypt): Renamed function to use the nettle_ prefix. * x86/aes-decrypt.asm (nettle_aes_decrypt): Likewise. * sparc/aes.asm (_nettle_aes_crypt): Likewise. * examples/Makefile.am (EXTRA_PROGRAMS): Add "io", as a kludge to get automake to track dependencies for io.o. (LDADD): Added ../libnettle.a, for the dependency. * des-compat.c: Use names with the nettle_ prefix when using Nettle's des functions. * base16-meta.c (base16_encode_update): Need to undef before redefining. * New name mangling, to reduce the risk of link collisions. All functions (except memxor) now use a nettle_ or _nettle prefix when seen by the linker. For most functions, the header file that declares a function also use #define to provide a shorter more readable name without the prefix. 2003-03-11 Niels Möller * Released nettle-1.7. * configure.ac: Bumped version to 1.7. * nettle.texinfo (DSA): New section. (RSA): Updated documentation. 2003-03-02 Niels Möller * examples/nettle-benchmark.c (time_cipher): Don't use GNU C non-constant initializers. 2003-02-23 Niels Moller * configure.ac: Use LSH_GCC_ATTRIBUTES. 2003-02-19 Niels Möller * acinclude.m4: Deleted file from cvs, use a link to lsh's acinclude.m4 instead. 2003-02-16 Niels Möller * Makefile.am (libnettleinclude_HEADERS): Added macros.h. * tools/Makefile.am (EXTRA_DIST): Added getopt.h. 2003-02-14 Niels Möller * Makefile.am (print_path): Added target to print the used PATH, for debugging. (print-path): Moved dependency to all-local. 2003-02-11 Niels Möller * buffer.c (nettle_buffer_copy): Bug fix, it didn't return any value. 2003-02-11 Niels Möller * testsuite/sexp-format-test.c (test_main): Added test for %( and %). * sexp-format.c (sexp_vformat): Handle %( and %). * realloc.c (nettle_xrealloc): Fixed out-of-memory check. * configure.ac (SHLIBMAJOR): Bumped version number to 1. * buffer.c (nettle_buffer_init_realloc): New function. * buffer-init.c (nettle_buffer_init): Use nettle_buffer_init_realloc. 2003-02-10 Niels Möller * testsuite/sexp-format-test.c (test_main): New test with tokens in the format string. (test_main): Test space-searated literals too. * rsa2sexp.c (rsa_keypair_to_sexp): New argument ALGORITHM_NAME. * examples/rsa-keygen.c (main): Updated call to rsa_keypair_to_sexp. * testsuite/rsa2sexp-test.c (test_main): Likewise. * sexp-format.c (sexp_vformat): Allow whitespace in format string. * rsa2sexp.c (rsa_keypair_to_sexp): Use literals with sexp_format. * sexp-format.c (format_string): New function. (sexp_vformat): Implemented support for literals in the format string. 2003-02-06 Niels Möller * testsuite/sexp-conv-test (print_raw, print_nl): New functions. The testfunctions use these instead of using echo directly. Use the test input '3:"\x' instead of '2:"\', to be friendlier to sysv echo. 2003-02-05 Niels Möller * des-compat.h (des_set_key): Different name mangling, if this file is included, des_set_key should refer to a function that behaves like openssl's. * des-compat.c (des_key_sched, des_is_weak_key): Use the name nettle_des_set_key for referring to Nettle's function. * des.h (des_set_key): Name mangling, linker symbols should use a "nettle_" prefix, and this one collided with openssl. Perhaps all symbols should be mangled in a similar way, but that's for later. * configure.ac (LDFLAGS): --with-lib-path should add to LDFLAGS, not replace it. 2003-01-30 Niels Möller * tools/output.c (sexp_put_string): Fixed handling of escapable characters. The code generated random escape sequences for characters in the 0x10-0x1f range. * testsuite/sexp-conv-test: More tests for hex and base64 input and output. 2003-01-30 Niels Möller * sexp2bignum.c (nettle_mpz_set_sexp): Call sexp_iterator_next on success. That means the iterator argument can't be const. 2003-01-29 Niels Möller * tools/Makefile.am (LDADD): Add libnettle.a, for the dependency. 2003-01-27 Niels Möller * sexp2dsa.c (dsa_signature_from_sexp): New function. RSA renaming. Updated all callers. * rsa-sign.c (rsa_private_key_init, rsa_private_key_clear) (rsa_private_key_prepare): Renamed functions. * rsa.c (rsa_public_key_init, rsa_public_key_clear) (rsa_public_key_prepare): Renamed functions. 2003-01-23 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added new rsa and pkcs1 files. Removed old rsa_md5.c and rsa_sha1.c. * testsuite/Makefile.am (TS_PROGS): Added pkcs1-test. * dsa-verify.c (dsa_verify_digest): New function. (dsa_verify): Most of the code moved to dsa_verify_digest, which is used here. * dsa-sign.c (dsa_sign_digest): New function. (dsa_sign): Most of the code moved to dsa_sign_digest, which is used here. * dsa.c (_dsa_hash): Deleted function. * rsa_md5.c, rsa_sha1.c: Deleted files, contents spread over several files for signing and verification. * rsa-sign.c, rsa-sha1-verify.c, rsa-sha1-sign.c, rsa-md5-verify.c, rsa-md5-sign.c: New files. * rsa-sha1-verify.c (rsa_sha1_verify_digest): New function. * rsa-sha1-sign.c (rsa_sha1_sign_digest): New function. * rsa-md5-verify.c (rsa_md5_verify_digest): New function. * rsa-md5-sign.c (rsa_md5_sign_digest): New function. * rsa-verify.c (_rsa_verify): New file, new function. * rsa.c (_rsa_check_size): Renamed from rsa_check_size, and made non-static. Private key functions moved to rsa-sign.c. * pkcs1.c, pkcs1.h, pkcs1-rsa-md5.c, pkcs1-rsa-sha1.c: New files. (pkcs1_signature_prefix): New function. * testsuite/pkcs1-test.c: New test. 2003-01-22 Niels Möller * examples/Makefile.am (nettle_benchmark_LDADD): Use OPENSSL_LIBFLAGS. * configure.ac (OPENSSL_LIBFLAGS): If libcrypto is found, add -lcrypto to OPENSSL_LIBFLAGS, not the plain LDFLAGS. 2003-01-20 Niels Möller * testsuite/Makefile.am (CLEANFILES): Delete test.in, test1.out and test2.out. 2003-01-17 Niels Möller * examples/Makefile.am (AM_CPPFLAGS): Use AM_CPPFLAGS instead of AM_CFLAGS. * testsuite/Makefile.am (AM_CPPFLAGS): Likewise. 2003-01-16 Niels Möller * testsuite/Makefile.am (check): Can't use quotes around $(srcdir). 2003-01-14 Niels Möller * testsuite/Makefile.am (check): Don't use "run-tests" as a target, as it's confused with the file with the same name. * .bootstrap: Added missing #! /bin/sh. 2003-01-12 Niels Möller * buffer.c (nettle_buffer_reset): New function. (nettle_buffer_copy): New function. * tools/input.c, tools/input.h, tools/output.c, tools/output.h, tools/parse.c, tools/parse.h, tools/misc.c, tools/misc.h: Moved parts ov sexp-conv.c to separate files * tools/sexp-conv.c (sexp_convert_list): Inlined into sexp_convert_item. * tools/sexp-conv.c (struct sexp_input): Deleted string attribute. Changed all related functions to take a struct nettle_buffer * argument instead. (struct sexp_compound_token): New struct. (sexp_compound_token_init, sexp_compound_token_clear): New functions. (struct sexp_parser): Added a struct sexp_compound_token attribute, as a temporary measure. (sexp_parse): Take a struct sexp_compound_token * as argument. Updated all callers. Simplified handling of display types and transport encoding. * tools/sexp-conv.c (struct sexp_parser): Renamed struct (was struct sexp_parse_state). Added input pointer. Updated users to not pass around both parser and input. (sexp_check_token): handle token == 0. (sexp_parse): Simplified a little by calling sexp_check_token unconditionally. * tools/sexp-conv.c (sexp_convert_string): Deleted function. (sexp_skip_token): Likewise. * tools/sexp-conv.c (enum sexp_token): New constant SEXP_DISPLAY. Start constants from 1, to keep 0 free for special uses. (struct sexp_parse_state): New struct for keeping track of parser state. (sexp_parse_init): New function. (sexp_check_token): New function, replacing sexp_skip_token. (sexp_parse): New function. (sexp_convert_item): Simplified by using sexp_parse. (sexp_convert_list): Use sexp_parse. (main): Likewise. 2003-01-08 Niels Möller * tools/sexp-conv.c (parse_options): Initialize prefer_hex. 2003-01-07 Niels Möller * Makefile.am (des_headers): Refer to the desdata binary using $(EXEEXT). 2003-01-01 Niels Möller * testsuite/sexp-conv-test: New tests for hex and base64 literal output. * tools/sexp-conv.c (sexp_put_string): Print binary strings using either hex or base 64 (in advanced mode). (parse_options): Implemented -s hex, for output using hex rather than base64. 2002-12-30 Niels Möller * testsuite/rsa2sexp-test.c: Don't include rsa.h (done by testutils.h, if enabled). * testsuite/sexp2rsa-test.c: Likewise. * rsa-decrypt.c: Make compilation conditional on WITH_PUBLIC_KEY. * rsa-encrypt.c: Likewise. * rsa-compat.c: Likewise. 2002-12-04 Niels Möller * testsuite/Makefile.am (LDADD): Added path to ../libnettle.a, which is redundant except for the dependency. 2002-12-04 Niels Möller * testsuite/sexp-format-test.c (test_main): Use %0s instead of %z. New test for %t. * sexp-format.c (format_length_string): Deleted function. (format_string): Deleted function. (sexp_vformat): New %t specifier, formatting an optional display type. Deleted %z specifier. Instead, introduced a new modifier "0" that can be used with %s, %l and %t, which says that the data is NUL-terminated. * rsa2sexp.c (rsa_keypair_to_sexp): Use %0s rather than %z, when formatting s-expressions. * buffer.c (nettle_buffer_grow): Fixed assertion. 2002-11-22 Niels Möller * buffer.c: Include assert.h. 2002-11-21 Niels Möller * testsuite/testutils.c (print_hex): Add line breaks. * Makefile.am (libnettleinclude_HEADERS): Added realloc.h. (libnettle_a_SOURCES): Added buffer-init.c and realloc.c. * sexp.c (sexp_iterator_exit_lists): New function, #if:ed out for now. * desdata.c: Include config.h, to get definition of UNUSED. * shadata.c: Likewise. * buffer.c (nettle_buffer_grow): New function, replacing grow_realloc. (nettle_buffer_clear): Rewritten to use buffer->realloc. * buffer.h (struct nettle_buffer): Replaced the GROW function pointer with a nettle_realloc_func pointer and a void *realloc_ctx. (NETTLE_BUFFER_GROW): Deleted macro, use function instead. * buffer-init.c (nettle_buffer_init): Moved to a separate file. * realloc.c (nettle_realloc): New function. (nettle_xrealloc): New function. * realloc.h (nettle_realloc_func): New typedef. * configure.ac: Check for gcc:s __attribute__. 2002-11-16 Niels Möller * sexp2dsa.c, sexp2rsa.c: (macro GET): Check sign of parsed numbers. * sexp2bignum.c (nettle_mpz_set_sexp): In the first check against limit, added some margin to allow for sign octets. 2002-11-15 Niels Möller * testsuite/testutils.h (LDATA): Use sizeof instead of strlen. Now handles strings including NUL-characters. But works only with literals and character arrays, no char pointers. (LLENGTH): New macro, computing length the same way as LDATA. * testsuite/sexp-test.c (test_main): Test sexp_iterator_get_uint32. * testsuite/sexp-format-test.c (test_main): Check that %i and %b generate leading zeroes when needed. Check that %b handles negative numbers. * testsuite/rsa2sexp-test.c (test_main): Updated test, one leading zero is needed in the private key expression. In verbose mode, print the generated keys. * testsuite/sexp2rsa-test.c (test_main): Added a leading zero in the private key expression. * testsuite/bignum-test.c (test_bignum): Use nettle_mpz_init_set_str_256_s. (test_size): New function. (test_main): Test size computation and formatting of negative numbers. * sexp2bignum.c (nettle_mpz_set_sexp): Use nettle_mpz_set_str_256_s, to handle negative numbers correctly. * sexp-format.c (sexp_vformat): For %i, output a leading zero when needed to get a correct, positive, sign. For %b, use nettle_mpz_sizeinbase_256_s, to handle negative numbers properly. * bignum.c (nettle_mpz_sizeinbase_256_s): New function. (nettle_mpz_sizeinbase_256_u): New name, was nettle_mpz_sizeinbase_256. Updated all callers. (nettle_mpz_to_octets): New function. (nettle_mpz_get_str_256): Handle negative numbers. (nettle_mpz_from_octets): New function. (nettle_mpz_set_str_256_u): New name, was nettle_mpz_set_str_256. (nettle_mpz_init_set_str_256_u): New name, was nettle_mpz_init_set_str_256. (nettle_mpz_set_str_256_s): New function, handling negative two's complement numbers. (nettle_mpz_init_set_str_256_s): And an init variant. * sexp.c (sexp_iterator_get_uint32): New function. 2002-11-10 Niels Möller * testsuite/sexp-conv-test: Use input files without any trailing newline character, in order to stress the end of file handling. * tools/sexp-conv.c (sexp_get_token_string): Fixed end of file handling. (sexp_get_string): Fixed end of encoding/end of file handling. (parse_options): Check for negative width and complain. * tools/sexp-conv.c: Use supplied getopt. (werror): New function. (sexp_output_hash_init): New function. (sexp_put_char): Made base64 linebreaking configurable. Implemented hashing. (sexp_put_code_start, sexp_put_code_end): Don't output any delimiters here. (sexp_put_string): Output base64 delimiters. (sexp_put_digest): New function. (sexp_convert_item): Output transport delimiters. (sexp_convert_file): Deleted function, folded with main. (parse_options): New function. (main): Implemented --hash and --once, needed by lsh-authorize. * sexp.h (struct sexp_iterator): New field start. * sexp.c (sexp_iterator_subexpr): New function. (sexp_iterator_parse): Initialize ITERATOR->start. * sexp-format.c (sexp_vformat): Abort if format string contains unhandled characters. 2002-11-08 Niels Möller * des-compat.c (des_ecb3_encrypt): Don't use struct initialization (c89 doesn't allow non-constant initializers). Reported by James Ralston. (des_ede3_cbc_encrypt): Likewise. * examples/nettle-openssl.c: Moved from the top-level directory. Should *not* be included in the nettle library. 2002-11-08 Niels Möller * testsuite/testutils.c (test_dsa_key): Bugfix for renamed DSA constant (noted by James Ralston). 2002-11-07 Niels Möller * testsuite/run-tests: Copied new version rom lsh/src/testsuite. This version handles test scripts located in $srcdir. * examples/Makefile.am (AM_CFLAGS): We need -I$(top_srcdir). * tools/Makefile.am (AM_CFLAGS): Likewise. * testsuite/Makefile.am (AM_CFLAGS): Likewise. 2002-11-07 Niels Möller * Makefile.am (SUBDIRS): Added tools. (libnettle_a_SOURCES): Added sexp-transport-format.c, sexp2bignum.c, sexp2dsa.c. * sexp2dsa.c (dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp): New file, new functions. * rsa2sexp.c (rsa_keypair_to_sexp): %s -> %z renaming. * sexp-transport.c (sexp_transport_iterator_first): Fixed bug, length was mishandled. * sexp-transport-format.c (sexp_transport_format, sexp_transport_vformat): New file, new functions. * sexp-format.c (sexp_format): Return length of output. Allow buffer == NULL, and only compute the needed length in this case. Renamed %s to %z. New format specifiers %s, %i, and %l. (sexp_vformat): New function. (format_prefix): Rewrote to not use snprintf. * sexp2rsa.c (rsa_keypair_from_sexp): New limit argument. Use nettle_mpz_set_sexp. * dsa-keygen.c (dsa_generate_keypair): Added some newlines to progress display. Use DSA_P_MIN_BITS. * dsa.h (DSA_MIN_P_BITS): New constant (was DSA_MINIMUM_BITS). (DSA_Q_OCTETS, DSA_Q_BITS): New constants. (dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp): New prototypes. * configure.ac: Output tools/Makefile. * sexp2bignum.c (nettle_mpz_set_sexp): New file, and new function. Moved from sexp2rsa.c:get_value. * examples/io.c (read_rsa_key): New limit argument in call of rsa_keypair_from_sexp_alist. * examples/Makefile.am (noinst_PROGRAMS): Removed sexp-conv. * tools/sexp-conv.c: Moved file from examples directory. * testsuite/Makefile.am (TS_SH): New variable. Added sexp-conv-test. * testsuite/testutils.h (LDUP): New macro. * testsuite/sexp2rsa-test.c (test_main): New limit argument in call of rsa_keypair_from_sexp_alist. * testsuite/sexp-test.c (test_main): Added test for lengths with more than one digit. Added tests for transport mode decoding. * testsuite/sexp-format-test.c (test_main): Added tests for %i and %l. * testsuite/sexp-conv-test: Moved test from examples directory. Updated path to sexp-conv, now in ../tools/sexp-conv. 2002-11-03 Niels Möller * sexp-format.c, sexp_format.c: Renamed sexp_format.c to sexp-format.c. * Makefile.am (libnettle_a_SOURCES): Renamed sexp_format.c to sexp-format.c. * examples/Makefile.am: Don't set CFLAGS or CPPFLAGS explicitly, let automake handle that. * testsuite/Makefile.am: Likewise. * sexp2rsa.c (rsa_keypair_from_sexp_alist): New function. (rsa_keypair_from_sexp): Use it. 2002-11-01 Niels Möller * examples/Makefile.am (LDADD): Use -lnettle, instead of an explicit filename libnettle.a, so that we will use the shared library, if it exists. (AM_LDFLAGS): Added -L.., so we can find -lnettle. (run-tests): Set LD_LIBRARY_PATH to ../.lib, when running the testsuite. * testsuite/Makefile.am: Similar changes. * Makefile.am (LIBOBJS): Put @LIBOBJS@ into the make variable LIBOBJS. (CLEANFILES): Delete libnettle.so. (clean-local): Delete the .lib linkfarm. ($(SHLIBFORLINK)): When building libnettle.so, create a link from .lib/$SHLIBSONAME. Needed at runtime, for the testsuite. 2002-11-01 Niels Möller * configure.ac: Fixed definitions using SHLIBMAJOR and SHLIBMINOR. Also AC_SUBST SHLIBMAJOR and SHLIBMINOR. Reported by James Ralston. 2002-10-31 Niels Möller * examples/sexp-conv.c(sexp_put_list_start): Deleted function. (sexp_put_list_end): Likewise. (sexp_put_display_start): Likewise. (sexp_put_display_end): Likewise. (sexp_puts): Likewise. * examples/sexp-conv.c (sexp_get_quoted_string): Deleted function. Merged with sexp_get_String. (sexp_get_hex_string): Likewise. (sexp_get_base64_string): Likewise. (sexp_get_string): Do hex and base64 decoding. * examples/sexp-conv.c (enum sexp_char_type): New enum, for end markers in the input strem. (struct sexp_input): Deleted LEVEL attribute. Deleted all usage of it. (sexp_get_raw_char): Use INPUT->c and INPUT->ctype to store results. Deleted OUT argument. (sexp_get_char): Likewise. Also removed the INPUT->coding->decode_final call, for symmetry. (sexp_input_end_coding): Call INPUT->coding->decode_final. (sexp_next_char): New function. (sexp_push_char): New function. (sexp_get_token_char): Deleted function. (sexp_get_quoted_char): Simplified. Deleted output argument. (sexp_get_quoted_string): Simplified. (sexp_get_base64_string): Likewise. (sexp_get_token_string): Likewise. (sexp_get_string_length): Skip the character that terminates the string. (sexp_get_token): Cleared upp calling conventions. Always consume the final character of the token. (sexp_convert_list): Take responsibility for converting the start and end of the list. (sexp_convert_file): Call sexp_get_char first, to get the token reading started. (sexp_convert_item): Cleared up calling conventions. Should be called with INPUT->token being the first token of the expression, and returns with INPUT->token being the final token of the expression. Return value changed to void.. * examples/sexp-conv-test: Added test for transport mode input. * examples/sexp-conv.c (sexp_get_char): Use the nettle_armor interface for decoding. (sexp_input_start_coding): New function. (sexp_input_end_coding): New function. (sexp_get_base64_string): Rewrote to use sexp_input_start_coding and sexp_input_end_coding. (sexp_get_token): Generate SEXP_TRANSPORT_START tokens. (sexp_convert_list): Lists are ended only by SEXP_LIST_END. (sexp_convert_item): Implemented transport mode, using sexp_input_start_coding and sexp_input_end_coding. 2002-10-30 Niels Möller * Makefile.am: Added base16 files. * examples/sexp-conv-test: New tests for transport output. * examples/sexp-conv.c: Deleted hex functions, moved to Nettle's base16 files. (struct sexp_output): Represent the current encoding as a nettle_armor pointer and a state struct. (sexp_output_init): Deleted MODE argument. Now passed to functions that need it. (sexp_get_char): Updated to new base64 conventions. (sexp_get_base64_string): Likewise. (sexp_put_raw_char): New function. (sexp_put_newline): Use sexp_put_raw_char. (sexp_put_char): Use nettle_armor interface for encoding data. Use OUTPUT->coding_indent for line breaking, so the INDENT argument was deleted. (sexp_put_code_start): New function, replacing sexp_put_base64_start. (sexp_put_code_end): New function, replacing sexp_put_base64_end. (sexp_put_data): Deleted argument INDENT. (sexp_puts): Likewise. (sexp_put_length): Likewise. (sexp_put_list_start): Likewise. (sexp_put_list_end): Likewise. (sexp_put_display_start): Likewise. (sexp_put_display_end): Likewise. (sexp_put_string): Likewise. Also changed base64 handling. (sexp_convert_string): Deleted argument INDENT. New argument MODE_OUT. (sexp_convert_list): New argument MODE_OUT. (sexp_convert_file): Likewise. (sexp_convert_item): Likewise. Also handle output in transport mode. (match_argument): Simple string comparison. (main): Adapted to above changes. * testsuite/testutils.c (test_armor): Allocate a larger buffer CHECK, to make decode_update happy. Updated to new base64 conventions. * testsuite/base64-test.c (test_main): Fixed overlap test to not change the base64 before decoding. Updated to new base64 conventions. * testsuite/Makefile.am (TS_PROGS): Added base16-test. * testsuite/base16-test.c: New test. * sexp-transport.c (sexp_transport_iterator_first): Updated to new conventions for base64_decode_update and base64_decode_final. * nettle-meta.h: Updated ascii armor declarations. New declaration for nettle_base16. * base64-decode.c (base64_decode_single): Return -1 on error. Also keep track of the number of padding characters ('=') seen. (base64_decode_update): New argument dst_length. Return -1 on error. (base64_decode_status): Renamed function... (base64_decode_final): ... to this. * base64.h (struct base64_decode_ctx): Deleted STATUS attribute. Added PADDING attribute. * base16.h, base16-encode.c, base16-decode.c, base16-meta.c: New files. 2002-10-28 Niels Möller * examples/sexp-conv.c (struct hex_decode_ctx): New hex decoding functions. (sexp_get_raw_char): New function. (sexp_get_char): Use sexp_get_raw_char. 2002-10-26 Niels Möller * examples/sexp-conv.c (sexp_put_length): Bugfix, don't output any leading zero. (main): Implemented -s option. * examples/sexp-conv-test: Test for echo -n vs echo '\c'. Added a few tests for canonical output. 2002-10-25 Niels Möller * examples/sexp-conv.c (struct sexp_input): Deleted the mode from the state, that should be passed as argument to relevant functions. Instead, introduces enum sexp_coding, to say if base64 coding is in effect. (struct sexp_output): Added coding attribute. (sexp_put_char): Use output->coding. (sexp_put_base64_start): Likewise. (sexp_put_base64_end): Likewise. * base64-decode.c (base64_decode_single): Simplified, got rid of the done variable. 2002-10-25 Niels Möller * examples/sexp-conv.c (sexp_put_newline): Return void, die on error. (sexp_put_char, sexp_put_data, sexp_puts, sexp_put_length, sexp_put_base64_start, sexp_put_base64_end, sexp_put_string, sexp_put_list_start, sexp_put_list_end, sexp_put_display_start, sexp_put_display_end, sexp_convert_string, sexp_convert_list, sexp_skip_token): Likewise. (sexp_convert_item): Die on error. 2002-10-24 Niels Möller * examples/sexp-conv-test: Doesn't need echo -n anymore. * examples/sexp-conv.c (die): New function. (struct sexp_input): Deleted field ITEM. (sexp_get_char): Die on failure, never return -1. (sexp_get_quoted_char): Likewise. (sexp_get_quoted_string): Die on failure, no returned value. (sexp_get_base64_string): Likewise. (sexp_get_token_string): Likewise. (sexp_get_string): Likewise. (sexp_get_string_length): Likewise. (sexp_get_token): Likewise. (sexp_convert_string): Adapted to sexp_get_token. (sexp_convert_list): Likewise. (sexp_convert_file): New function. (main): Use sexp_convert_file. 2002-10-23 Niels Möller * examples/Makefile.am (TS_PROGS): Added sexp-conv-test. * examples/sexp-conv.c (sexp_input_init): Initialize input->string properly. (sexp_get_char): Fixed non-transport case. (sexp_get_quoted_char): Fixed default case. (sexp_get_token): Loop over sexp_get_char (needed for handling of white space). Don't modify input->level. Fixed the code that skips comments. (sexp_put_char): Fixed off-by-one bug in assertion. (sexp_put_string): Fixed escape handling for output of quoted strings. (sexp_convert_list): Prettier output, hanging indent after the first list element. (sexp_skip_token): New function. (sexp_convert_item): Use sexp_skip_token to skip the end of a "[display-type]". 2002-10-22 Niels Möller * examples/sexp-conv-test: New test program. * examples/Makefile.am (noinst_PROGRAMS): Added sexp-conv. * examples/sexp-conv.c (sexp_convert_list): New function. (sexp_convert_item): New function. (main): New function. Compiles and runs now, but doesn't work. * base64-decode.c (base64_decode_single): New function. (base64_decode_update): Use base64_decode_single. * examples/sexp-conv.c: Added output functions. 2002-10-21 Pontus Sköld * base64-encode.c (base64_encode_raw): Fixed null statement amongst variable declarations, broke compilation for non C99 compilers. 2002-10-21 Niels Möller * examples/sexp-conv.c: New sexp conversion program. 2002-10-21 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added sexp-format-transport.c. * sexp-transport.c (sexp_transport_iterator_first): New file and function. * sexp.h (sexp_transport_iterator_first): Added protoype. * sexp.c (sexp_iterator_next): Abort if iterator type is boogus. 2002-10-19 Niels Möller * testsuite/testutils.c (test_armor): Updated to new armor conventions. * testsuite/base64-test.c (test_main): Test BASE64_ENCODE_LENGTH and BASE64_DECODE_LENGTH. Updated test of base64_encode_raw (used to be base64_encode). * base64.h (BASE64_ENCODE_LENGTH, BASE64_DECODE_LENGTH): Fixed and documented macros. * base64-meta.c (base64_encode_length, base64_decode_length): New functions, corresponding to the macros with the same name. * Makefile.am (libnettle_a_SOURCES): base64.c replaced by base64-encode.c and base64-decode.c. * pgp-encode.c (pgp_armor): Use new base64 conventions. * nettle-meta.h: Updated nettle_armor definitions. * base64.h: Major reorganization. * base64.c: Deleted file, contents moved to base64-encode.c or base64-decode.c. * base64-encode.c: New file. New supporting both encode-at-once and streamed operation. * base64-decode.c: New file. 2002-10-09 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added dsa-keygen-test. * dsa-keygen.c: Call the progress callback only if it's non-NULL. * Makefile.am (libnettle_a_SOURCES): Added bignum-random.c and dsa-keygen.c. * testsuite/testutils.c (test_dsa_key): New function to sanity check a dsa keypair. * testsuite/dsa-test.c (test_main): Call dsa_test_key. * testsuite/dsa-keygen-test.c: New test case. * dsa.h (DSA_MINIMUM_BITS): New constant. * bignum.h (nettle_mpz_random, nettle_mpz_random_size): Added prototypes. * dsa-keygen.c: New file. * bignum-random.c: New file. (nettle_mpz_random): New function, moved from... * dsa-sign.c (nettle_mpz_random): ... here. Also changed argument ordering and updated callers. * bignum-random.c: (nettle_mpz_random_size): New function, renamed and moved here from... * rsa-keygen.c (bignum_random_size): ... here. Updated all callers. * testsuite/testutils.c (test_dsa): Needs both public and private key as arguments. * testsuite/dsa-test.c (test_main): Updated to changes of the private key struct. * testsuite/Makefile.am (TS_PROGS): Added dsa-test. * rsa-decrypt.c (rsa_decrypt): Constification. * rsa-encrypt.c (rsa_encrypt): Likewise. * rsa.c (rsa_compute_root): Likewise. * rsa_md5.c (rsa_md5_sign): Likewise. (rsa_md5_verify): Likewise. * rsa_sha1.c (rsa_sha1_sign): Likewise. (rsa_sha1_verify): Likewise. * dsa-verify.c (dsa_verify): Use const for the public key argument. * dsa-sign.c (dsa_sign): Needs the public key as argument, in addition to the private key. Use const. * dsa.h (struct dsa_private_key): Don't include the public information here. * dsa.c (dsa_private_key_init, dsa_private_key_clear): Updated to new struct dsa_private_key. * dsa-sign.c (dsa_sign): Bugfix, added missing mpz_init call. * Makefile.am (libnettle_a_SOURCES): Added dsa files. (libnettleinclude_HEADERS): Added dsa.h. * testsuite/testutils.c (test_dsa): New function. * testsuite/dsa-test.c: New test. * dsa.h, dsa.c, dsa-sign.c, dsa-verify.c: New files. * nettle-meta.h: Moved the nettle_random_func and nettle_progress_func typedefs here... * rsa.h: ... from here. 2002-10-07 Niels Möller * sexp.h (enum sexp_type): Deleted SEXP_START. * sexp.c (sexp_iterator_parse): New function, similar to the old sexp_iterator_next, but independent of the previous value of the iterator->type. (sexp_iterator_first): Use sexp_iterator_parse. (sexp_iterator_next): Likewise. (sexp_iterator_enter_list): Use sexp_iterator_parse. SEXP_START not needed anymore. (sexp_iterator_exit_list): Likewise. 2002-10-06 Niels Möller * sexp2rsa.c (get_value): No need to call sexp_iterator_next anymore. * sexp.c (sexp_iterator_assoc): Advance the iterator to the element after a matching tag, before recording it. * testsuite/sexp-test.c (test_main): Updated test. * testsuite/sexp-test.c (test_main): No need to call sexp_iterator_next after sexp_iterator_exit_list. * sexp2rsa.c (rsa_keypair_from_sexp): No need to call sexp_iterator_next anymore. * sexp.c (sexp_iterator_next): Updated to new sexp_iterator_exit_list. (sexp_iterator_exit_list): Return with iterator pointing to the element after the list. (sexp_iterator_check_type): Call sexp_iterator_next before returning. (sexp_iterator_check_types): Likewise. (sexp_iterator_assoc): Rearranged calls of sexp_iterator_next. * sexp.c (sexp_iterator_enter_list): Call sexp_iterator_next to get to the first element of the list. Updated callers. * base64.c (base64_encode_group): New function, used by openpgp armoring code. * Makefile.am: Added openpgp files. * sexp2rsa.c (rsa_keypair_from_sexp): Use sexp_iterator_first. * testsuite/sexp-test.c (test_main): Likewise. * sexp.c (sexp_iterator_init): Made this function static. (sexp_iterator_first): New, friendlier, initialization function. * pgp-encode.c: New file. Functions for writing openpgp data packets. * pgp.h: New file, with pgp related declarations. * rsa2openpgp.c (rsa_keypair_to_openpgp): New file, new function. 2002-10-04 Niels Möller * examples/rsa-keygen.c: Use malloc, instead of asprintf. 2002-10-03 Niels Möller * Released nettle-1.6. * NEWS: Note the aes api change. * examples/Makefile.am (EXTRA_DIST): Distribute setup-env and teardown-env. 2002-10-02 Niels Möller * examples/rsa-keygen.c (main): Comment on the lax security of the private key file. * index.html: Added link to mailing list. 2002-10-02 Niels Möller * Makefile.am: Fixed assembler rules, and shared libraries. * configure.ac: Fixed the enable-shared option. 2002-10-01 Niels Möller * configure.ac: New option --enable-shared, and a first attempt at building a shared library (*without* using libtool). * Makefile.am: A first attempt at rules for building a shared libnettle.so. 2002-10-01 Niels Möller * examples/run-tests (test_program): Use basename. * examples/teardown-env: Delete some more files. * examples/run-tests (test_program): Strip directory part of displayed name. * examples/Makefile.am (TS_PROGS): New variable. Run tests. * examples/io.c (read_file): Bug fix, used to overwrite pointer. * examples/rsa-keygen.c (main): Bug fix, private key wasn't written properly. * testsuite/Makefile.am: Some cleanup of make check. * examples/setup-env, examples/teardown-env: Test environment scripts. * examples/rsa-verify-test, examples/rsa-sign-test: New test cases. * examples/run-tests: New file (copied from lsh testsuite). * examples/Makefile.am: Use EXTRA_PROGRAMS and @RSA_EXAMPLES@. * examples/rsa-sign.c: No need to include config.h. Use werror instead of fprintf. * examples/rsa-verify.c: Likewise. * examples/rsa-keygen.c: Likewise. * examples/io.h: Forward declare struct rsa_public_key and struct rsa_private_key, to avoid dependences on config.h. * configure.ac (RSA_EXAMPLES): New substituted variable, controlling which example programs to build. * examples/rsa-verify.c: New example program. * examples/rsa-keygen.c: Use functions from io.c. * examples/rsa-sign.c: Likewise. * examples/Makefile.am (noinst_PROGRAMS): Added rsa-verify. (LDADD): Added io.o. * configure.ac: New define WITH_PUBLIC_KEY, and new configure flag --disable-public-key. Updated rsa-files to check for that, rather than for HAVE_LIBGMP. * examples/io.c, examples/io.c: New files. Miscellaneous functions used by the example programs. * base64.h (BASE64_DECODE_LENGTH): Comment fix. 2002-09-30 Niels Möller * sexp2rsa.c (rsa_keypair_from_sexp): Bugfix: Call rsa_prepare_public_key and rsa_prepare_private_key. * examples/Makefile.am (noinst_PROGRAMS): Added rsa-sign. * examples/rsa-sign.c: New example program. * testsuite/base64-test.c (test_main): Test encoding and decoding in place. * base64.c (base64_encode): Encode from the end of the data towards the start, in order to support overlapping areas. (base64_encode): Broke out some common code from the switch.. 2002-09-30 Niels Möller * sexp_format.c (sexp_format): Don't mix code and declarations. 2002-09-29 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added buffer-test sexp-format-test rsa2sexp-test sexp2rsa-test. * testsuite/sexp-test.c (test_main): Updated calls to sexp_iterator_assoc. * testsuite/testutils.h (MEMEQH): New macro. * testsuite/sexp2rsa-test.c: New test. * testsuite/sexp-format-test.c: New test. * testsuite/rsa2sexp-test.c: New test. * testsuite/buffer-test.c: New test. * testsuite/testutils.c (test_rsa_key): Copied this function from... testsuite/rsa-keygen-test.c: ... here. * examples/rsa-keygen.c: New file. * Makefile.am: Added new source files and headers buffer.h, buffer.c, sexp_format.c, sexp2rsa.c, rsa2sexp.c. * rsa.h (rsa_keypair_to_sexp, rsa_keypair_from_sexp): New prototypes. * rsa2sexp.c, sexp2rsa.c: New files. * sexp.c (sexp_iterator_assoc): Don't enter the list, associate keys within the current list. Still exit the list when done. (sexp_iterator_assoc): Represent keys as plain NUL-terminated strings. (sexp_iterator_check_type, sexp_iterator_check_types): New functions. * sexp_format.c: New file, implementing an sexp canonical syntax formatter. * buffer.c, buffer.h: New files, implementing a bare-bones string stream. * bignum.c (nettle_mpz_sizeinbase_256): New function. 2002-09-28 Niels Möller * sexp.c (sexp_iterator_assoc): Return 0 for missing or duplicate keys. Now passes all the tests. * sexp.c (sexp_iterator_simple): Bugfixes. Check earlier that length doesn't grow too large. (sexp_iterator_next): Skip the current list only if type is SEXP_LIST. Handle ')'. (sexp_iterator_enter_list): Set type to SEXP_START. (sexp_iterator_exit_list): Likewise. Don't skip the ')' here. (sexp_iterator_assoc): Bug fix. * testsuite/sexp-test.c (test_main): Reordered sexp_iterator_assoc tests. * nettle.texinfo (Randomness): Documented that yarrow256_init can be called with a zero number of sources. * testsuite/testutils.h (ASSERT): New macro. * testsuite/sexp-test.c: Test sexp parser. * Makefile.am (SUBDIRS): Added sexp files. * sexp.c, sexp.h: New files, implementing an sexp-parser. 2002-08-27 Niels Möller * Makefile.am (DISTCLEANFILES): make distclean should delete the assembler-related symlinks. 2002-08-26 Niels Möller * Makefile.am (%.o: %.asm): Create an empty (and unused) dependency file, to make the make/automake dependency tracking happier. 2002-07-18 Niels Möller * examples/nettle-benchmark.c (main): Try openssl's ciphers as well, if available. * Makefile.am (libnettle_a_SOURCES): Added nettle-openssl.c. * nettle-openssl.c: New file. * nettle-internal.h: Declare openssl glue ciphers. * des-compat.h: Extra name-mangling, to avoid collisions in case a program links with both nettle and libcrypto (the nettle-benchmark program does). * configure.ac: Don't use -ggdb3 with gcc-2.96. Check for openssl's libcrypto (for benchmarking). 2002-05-16 Niels Möller * sparc/aes.asm: Deleted registers i and t3. (_aes_crypt): Moved some registers around. We now use input registers only for arguments, local registers for loop invariants, output registers for temporaries and loop variables, and no global registers at all. * sparc/aes.asm (AES_FINAL_ROUND): New macro. (_aes_crypt): Use AES_FINAL_ROUND for the first word of the final round. (_aes_crypt): And for the rest of the final round. (AES_FINAL_ROUND): Don't update dst, just access it offseted by i. (_aes_crypt): Add 16 to dst at the end of the final round. (AES_ROUND): Use ldub, not ld + and, to get the third byte of wtxt. (AES_ROUND): Use ldub, not lduh + and, to get the second byte of a word. (AES_ROUND): Reordered instructions, so that we can save one register. (AES_ROUND): Eliminated use of t3. (AES_FINAL_ROUND): Eliminated ands. (AES_FINAL_ROUND): Reordered, so that we can save one register. (AES_FINAL_ROUND): Eliminated t3. (AES_LOAD): New macro. (_aes_crypt): Unrolled source loop. (_aes_crypt): Use AES_LOAD macro. (_aes_crypt): Deleted cruft from the old source loop. (AES_LOAD): Eliminated t3. 2002-05-15 Niels Möller * sparc/aes.asm (AES_ROUND): New macro. (_aes_crypt): Use AES_ROUND for first word of the round function. (_aes_crypt): And for the rest of the round function. * sparc/aes.asm (_aes_crypt): Deleted a bunch of additions, after accessing IDX1. * aes-internal.h (struct aes_table): sparc_idx[0] should now contain index values shifted by the size of a word, and with 2 added. This saves some additions in the sparc assembler code. Updates aes-encrypt-table.c and aes-decrypt-table.c. * sparc/aes.asm (_aes_crypt): Unrolled final loop, preparing for optimizations. (_aes_crypt): Eliminated i from forst copy of the loop. Some cleanup. (_aes_crypt): And from second copy. (_aes_crypt): And from third. (_aes_crypt): And fourth. (_aes_crypt): Eliminated updates of i from the loop. (_aes_crypt): Access IDX1 and IDX3 through the T pointer, saving two registers. * aes-internal.h (struct aes_table): Renamed the shift_idx field to sparc_idx, as it will be tweaked to improve the sparc code. Also reduced its size to [2][4]. (IDX_FACTOR): Deleted constant. * aes-encrypt-table.c (_aes_encrypt_table): Adapted initializer of sparc_idx. * aes-decrypt-table.c (_aes_decrypt_table): Likewise. * asm.m4: Deleted AES_SIDX2, to match struct aes_table. * sparc/aes.asm (_aes_crypt): Unrolled the inner loop, preparing for optimizations suggested by Marcus Comstedt. (_aes_crypt): Eliminated i from the first copy of the inner loop. (_aes_crypt): And from the second copy. (_aes_crypt): And from the third copy. (_aes_crypt): And from the fourth copy. (_aes_crypt): Renamed .Linner_loop to .Lround_loop. (_aes_crypt): Eliminated the loop variable i from the unrolled loop. (_aes_crypt): Deleted moves of constants into t2. 2002-05-15 Niels Möller * x86/aes-encrypt.asm (aes_encrypt): Use AES_SUBST_BYTE. * x86/aes-decrypt.asm (aes_decrypt): Likewise. (aes_decrypt): Use AES_STORE. (aes_decrypt): Deleted first xchgl instruction into, permuting the AES_ROUND calls instead. (aes_decrypt): Likewise for the final round. (aes_decrypt): Got rid if the xchgl instruction after the final round, folding it into the final round. * x86/machine.m4: Renamed AES_LAST_ROUND to AES_FINAL_ROUND. Updated users. * x86/aes-decrypt.asm (aes_decrypt): Use the AES_LOAD macro. (aes_decrypt): Start using AES_ROUND. (aes_decrypt): Use AES_LAST_ROUND. * x86/aes-decrypt.asm (aes_decrypt): Moved function to a separate file... * x86/aes.asm: ... from here. * x86/aes.asm (aes_decrypt): Use _aes_decrypt_table instead of itbl1-4. Commented out the inclusion of aes_tables.asm. (aes_decrypt): Use _aes_decrypt_table instead of isbox. * x86/aes-decrypt.asm: New file, empty at the start. * Makefile.am (libnettle_a_SOURCES): Added aes-decrypt-table.c. * aes-decrypt.c (_aes_decrypt_table): Moved from this file... * aes-decrypt-table.c (_aes_decrypt_table): ... to a new file. * testsuite/aes-test.out: New file, with the output of testsuite/aes-test, when aes.c has been compiled with debugging printouts of intermediate state. 2002-05-15 Niels Möller * sparc/aes.asm: (_aes_crypt): Restore %fp at end of function, to make %fp available for other uses. * sparc/aes.asm: The frame setup was broken. Tried to fix it. Reverted to revision 1.70 + minor changes from the head revision. * x86/aes-encrypt.asm (aes_encrypt): Use test instead of cmpl $0,. * x86/machine.m4 (AES_SUBST_BYTE): New macro. * sparc/aes.asm: wtxt needs no register of it's own, as its pointed to by %sp. %g5 moved to %l0, the register previously allocated for wtxt, so that we stay clean of the reserved %g registers. 2002-05-14 Niels Möller * sparc/aes.asm: Avoid using %g6 and %g7, as they are reserved for operating sytem use. Use %i5 and %o7 instead. Also moved %g4 to %g1. (_aes_crypt): Allocate only 32 bytes local storage on the stack. Calculate wtxt and tmp using offsets from %sp, not %fp. 2002-05-14 Niels Möller * x86/aes-encrypt.asm (aes_encrypt): Replaced first quarter of the round function with an invocation of AES_ROUND. (aes_encrypt): Similarly for the second column. (aes_encrypt): Similarly for the rest of the round function. * x86/machine.m4 (AES_ROUND): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use AES_LOAD macro. * x86/machine.m4 (AES_LOAD): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use AES_STORE. * x86/machine.m4 (AES_STORE): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use the AES_LAST_ROUND macro for the first column of the final round. (aes_encrypt): Similarly for the second column. (aes_encrypt): Similarly for the third and fourth column. (aes_encrypt): Deleted xchgl instruction in final round, by reordering the second and fourth round. * x86/machine.m4 (AES_LAST_ROUND): New macro. * x86/aes-encrypt.asm (aes_encrypt): Move code here... * x86/aes.asm: ...from here. * x86/aes.asm: Use addl and subl, not add and sub. Replaced references to dtbl1-4 with references to _aes_encrypt_table. * configure.ac (asm_path): Enable x86 assembler. * x86/aes.asm (aes_decrypt): Adapted to the current interface. Notably, the order of the subkeys was reversed. Single block encrypt/decrypt works now. (aes_encrypt, aes_decrypt): Added an outer loop, so that we can encrypt more than one block at a time. 2002-05-07 Niels Möller * configure.ac: Generate config.m4. * x86/aes.asm: Use C for comments, include the tables using include_src, and commented out the key setup functions. Fixed the processing of the first handling of the round function. Now, encryption of a single block works! Multiple blocks, and decryption, is still broken. * x86/machine.m4: New file (empty). * x86/aes-encrypt.asm: New file, empty for now. * Makefile.am (%.asm): Added asm.m4, machine.m4 and config.m4 to the m4 command line. (libnettle_a_SOURCES): Added aes-encrypt-table.c. * sparc/aes.asm: No need to include asm.m4, that is taken care of by the Makefile. * config.m4.in: New file, configuration for asm.m4. * asm.m4 (C, include_src): New macros. * aes-encrypt-table.c: New file, table moved out from aes-encrypt.c. 2002-05-06 Niels Möller * configure.ac (CFLAGS): Don't enable -Waggregate-return. 2002-05-05 Niels Möller * configure.ac: Pass no arguments to AM_INIT_AUTOMAKE. 2002-05-05 Niels Möller * configure.ac: Update for automake-1.6. * configure.ac: Renamed file, used to be configure.in. 2002-03-20 Niels Möller * testsuite/run-tests (test_program): Added missing single quote. 2002-03-20 Niels Möller * testsuite/run-tests (test_program): Test the exit status of the right process. 2002-03-19 Pontus Sköld * testsuite/run-tests: Removed /bin/bashisms to use with /bin/sh. 2002-03-18 Niels Möller * rsa-keygen.c (rsa_generate_keypair): Output a newline after a non-empty line of 'e':s (bad e was chosen, try again). 2002-03-16 Niels Möller * configure.in (asm_path): AC_CONFIG_LINKS adds $srcdir automatically. 2002-03-14 Niels Möller * sparc/aes.asm, x86/aes.asm: Added copyright notice. * Makefile.am (libnettle_a_SOURCES): Added aes-internal.h. (EXTRA_DIST): Added assembler files. * configure.in (asm_path): Use $srcdir when looking for the files. * configure.in (asm_path): For now, disable x86 assembler code. Bumped version to 1.6. 2002-02-25 Niels Möller * sparc/aes.asm (_aes_crypt): Moved increment of src into the source_loop. Also fixed stop condition, the loop was run 5 times, not 4, as it should. (_aes_crypt): Use src directly when accessing the source data, don't use %o5. (_aes_crypt): Renamed variables in source_loop. (_aes_crypt): Changed stop condition in source_loop to not depend on i. Finally reduced the source_loop to 16 instructions. Also increased the alignment of the code to 16. (_aes_crypt): In final_loop, use preshifted indices. (_aes_crypt): In final_loop, construct the result in t0. Use t0-t3 for intermediate values. (_aes_crypt): In final_loop, use the register idx. (_aes_crypt): In final_loop, keep i multiplied by 4. Use key to get to the current roundkey. (_aes_crypt): In final_loop, use i for indexing. (_aes_crypt): Update dst in the output loop. This yields a delay slot that isn't filled yet. (_aes_crypt): Decrement round when looping, saving yet some instructions. (_aes_crypt): Reformatted code as blocks of four instructions each. (_aes_crypt): Copy the addresses of the indexing tables into registers at the start. No more need for the idx register. (_aes_crypt): Deleted idx register. (_aes_crypt): Some peep hole optimizations, duplicating some instructions to fill nop:s, and put branch instructions on even word addresses. 2002-02-22 Niels Möller * sparc/aes.asm (_aes_crypt): Moved some more additions out of the inner loop, using additional registers. (_aes_crypt): Deleted one more addition from the inner loop, by using the subkey pointer. 2002-02-19 Niels Möller * configure.in (asm_path): Renamed "path" to "asm_path". Also look for a machine.m4. 2002-02-16 Niels Möller * sparc/aes.asm: Use that IDX2(j) == j ^ 2 * Makefile.am (libnettle_a_SOURCES): Reordered aes-decrypt.c and aes-encrypt.c. For some strange reason it makes the benchmark go faster... * sparc/aes.asm (_aes_crypt): Use double-buffering, and no separate loop for adding the round key. (round): Keep round index muliplied by 16, so it can be used directly for indexing the subkeys. (_aes_crypt): In the final loop, use ctx+round to access the subkeys, no need for an extra register. 2002-02-15 Niels Möller * sparc/aes.asm (_aes_crypt): Renaming variables, allocating locals starting from %l0. (_aes_crypt): Consistently use %l4, aka i, as the variable for the innermost loops. (_aes_crypt): Moved reading of ctx->nrounds out of the loop. (_aes_crypt): In final_loop, deleted a redundant mov, and use i as loop variable. (_aes_crypt): Started renumbering registers in the inner loop. The computation for the table[j] sub-expression should be kept in register %o[j]. (_aes_crypt): Renamed more variables in the inner loop. Now the primary variables are t0, t1, t2, t3. * sparc/aes.asm (_aes_crypt): Swapped register %i0 and %o5, %i1 and %o0, %i2 and %o4, %i3 and %o3, %i4 and %o2. (_aes_crypt): wtxt was stored in both %l1 and %l2 for the entire function. Freed %l2 for other uses. (_aes_crypt): Likewise for tmp, freeing register %o1. * sparc/machine.m4: New file, for sparc-specific macros. * sparc/aes.asm (_aes_crypt): Hacked the source_loop, to get rid of yet another redundant loop variable, and one instruction. (_aes_crypt): Strength reduce loop variable in the inner loop, getting rid of one register. (_aes_crypt): Use pre-shifted indices (aes_table.idx_shift), to avoid some shifts in the inner loop. (_aes_crypt): Don't check for nrounds==0 at the start of the loop. * asm.m4: Define and use structure-defining macros. * Makefile.am (%.asm): Use a GNU pattern rule, to make %.o depend on both %.asm and asm.m4. * aes-internal.h (struct aes_table): New subtable idx_shift. Updated tables in aes_encrypt.c and aes_decrypt.c. * asm.m4: Use eval to compute values. * sparc/aes.asm (_aes_crypt): Deleted commented out old version of the code. * asm.m4: Added constants for individual rows of the aes table. * aes.c (IDX0, IDX1, IDX2, IDX3): New macros, encapsualting the structure of the idx table. * asm.m4: Define various aes struct offsets. * testsuite/cbc-test.c (test_cbc_bulk): Use aes_set_encrypt_key and aes_set_decrypt_key. * sparc/aes.asm (_aes_crypt): Use symbolic names for the function arguments. 2002-02-14 Niels Möller * sparc/aes.asm: Copied gcc assembler code for _aes_crypt. * aesdata.c: New program for generating AES-related tables. * testsuite/testutils.c (print_hex): New function (moved from yarrow-test.c). * testsuite/rsa-keygen-test.c (progress): Declare the ctx argument as UNUSED. * testsuite/cbc-test.c (test_cbc_bulk): New function, testing CBC with larger blocks. * yarrow256.c: Replaced uses of aes_set_key with aes_set_encrypt_key. * nettle-meta.h (_NETTLE_CIPHER_SEP): New macro, useful for algorithms with separate encyption and decryption key setup. * aes-internal.h (struct aes_table): New structure, including all constant tables needed by the unified encryption or decryption function _aes_crypt. * aes.c (_aes_crypt): New function, which unifies encryption and decryption. AES key setup now uses two separate functions for setting encryption and decryption keys. Applications that don't do decryption need no inverted subkeys and no code to generate them. Similarly, the tables (about 4K each for encryption and decryption), are put into separate files. * aes.h (struct aes_ctx): Deleted space for inverse subkeys. For decryption, the inverse subkeys replace the normal subkeys, and they are stored _in the order they are used_. * aes-set-key.c (aes_set_key): Deleted file, code moved... * aes-set-decrypt-key.c, aes-set-encrypt-key.c: New files, separated normal and inverse key setup. * aes-tables.c: Deleted, tables moved elsewhere... * aes-encrypt.c, aes-decrypt.c: New files; moved encryption and decryption funktions, and needed tables, into separate files. 2002-02-13 Niels Möller * aes.c (aes_encrypt): Don't unroll the innerloop. (aes_encrypt): Don't unroll the loop for the final round. (aes_decrypt): Likewise, no loop unrolling. * aes-set-key.c (aes_set_key): Reversed the order of the inverted subkeys. They are now stored in the same order as they are used. * aes-tables.c (itable): New bigger table, generated by aesdata.c. * aes.c (aes_decrypt): Rewrote to use the bigger tables. 2002-02-12 Niels Möller * aes.c (aes_encrypt): Interleave computation and output in the final round. * aes-internal.h (AES_SMALL): New macro. * aes.c (aes_encrypt): Optionally use smaller rotating inner loop. * aes-tables.c (dtbl): Replaced with table generated by aesdata. * aes.c (aes_encrypt): Rewrite, now uses larger tables in order to avoid rotates. * sparc/aes.asm (aes_encrypt): Strength reduced on j, getting rid of one register and one instruction in the inner loop. * sparc/aes.asm (idx, aes_encrypt): Multiplied tabled values by 4, making it possible to get rid of some shifts in the inner loop. * configure.in: Fixed spelling of --enable-assembler. Commented out debug echo:s. * asm.m4: New file. For now, only doing changequote and changecom. * sparc/aes.asm (aes_encrypt): Added comments. (aes_encrypt): Cut off redundant instruction per block, also saving one redundant register pointing to idx. (idx_row): New macro. Include asm.m4. 2002-02-11 Niels Möller * sparc/aes.asm (key_addition_8to32): Cleaned up. Deleted gcc-generated debugging information. * sparc/aes.asm (key_addition32): First attempt at optimization. Made it slower ;-) * sparc/aes.asm (key_addition32): Unrolled loop, gained 4% speed, payed four instructions compared to gcc generated code. * Makefile.am (.asm.o): New rule for assembling via m4. (libnettle_a_SOURCES): Added new rsa and aes files. * configure.in: New command line option --enable-assembler. Selects assembler code depending on the host system. * rsa-decrypt.c, rsa-encrypt.c: New files for rsa pkcs#1 encryption. * aes-set-key.c, aes-tables.c: New files, split off from aes.c. Tables are now not static, but use a _aes_ prefix on their names. * aes-internal.h: New file. * cast128-meta.c (_NETTLE_CIPHER_FIX): Use _NETTLE_CIPHER_FIX. * cbc.c (cbc_decrypt_internal): New function, doing the real CBC procesing and requiring that src != dst. (cbc_decrypt): Use cbc_decrypt_internal. If src == dst, use a buffer of limited size to copy the ciphertext. * nettle-internal.c (nettle_blowfish128): Fixed definition, with key size in bits. * nettle-meta.h (_NETTLE_CIPHER_FIX): New macro, suitable for ciphers with a fixed key size. * examples/nettle-benchmark.c (display): New function for displaying the results, including MB/s figures. * sparc/aes.asm: New file. Not yet tuned in any way (it's just the code generated by gcc). 2002-02-11 Niels Möller * x86/aes.asm, x86/aes_tables.asm: New assembler implementation by Rafael Sevilla. 2002-02-06 Niels Möller Applied patch from Dan Egnor improving the base64 code. * base64.h (BASE64_ENCODE_LENGTH): New macro. (struct base64_ctx): New context struct, for decoding. (BASE64_DECODE_LENGTH): New macro. * base64.c (base64_decode_init): New function. (base64_decode_update): New function, replacing base64_decode. Takes a struct base64_ctx argument. * nettle-meta.h: Updated nettle_armor, and related typedefs and macros. * testsuite/testutils.c (test_armor): Updated. * configure.in: Use AC_PREREQ(2.50). 2002-02-01 Niels Möller * Released nettle-1.5. 2002-01-31 Niels Möller * acinclude.m4: Commented out gmp-related macros, they're probably not needed anymore. 2002-01-31 Niels Möller * configure.in: Added command line options --with-lib-path and --with-include-path. Use the RPATH-macros to get correct flags for linking the test programs with gmp. * acinclude.m4: New file. 2002-01-31 Niels Möller * nettle.texinfo (Randomness): New subsection on Yarrow. 2002-01-30 Niels Möller * nettle.texinfo (Randomness): New chapter. Spell checking and ispell configuration. * md5.c: Added reference to RFC 1321. 2002-01-24 Niels Möller * nettle.texinfo (Public-key algorithms): Minor fixes. 2002-01-22 Niels Möller * nettle.texinfo (Nettle soup): New chapter. (Hash functions): New subsection on struct nettle_hash. (Hash functions): New subsection on struct nettle_cipher. (Keyed hash functions): New section, describing MAC:s and HMAC. (Public-key algorithms): New chapter. * testsuite/testutils.c (test_armor): New function. * testsuite/base64-test.c: New testcase. * testsuite/Makefile.am (TS_PROGS): Added base64-test. * nettle-meta.h (struct nettle_armor): New struct. * configure.in: Bumped version to 1.5. * Makefile.am (libnettle_a_SOURCES): Added base64 files, and some missing header files. * base64.c, base64.h, base64-meta.c: New files, hacked by Dan Egnor. 2002-01-16 Niels Möller * testsuite/yarrow-test.c: Deleted ran_array code, use knuth-lfib.h instead. * testsuite/testutils.c (test_rsa_md5, test_rsa_sha1): Moved functions here... * testsuite/rsa-test.c: ...from here. * testsuite/rsa-keygen-test.c: New file. * testsuite/knuth-lfib-test.c: New file. * Makefile.am (libnettle_a_SOURCES): Added knuth-lfib.c and rsa-keygen.c. * rsa-keygen.c: New file. * rsa.h (RSA_MINIMUM_N_OCTETS): New constant. (RSA_MINIMUM_N_BITS): New constant. (nettle_random_func, nettle_progress_func): New typedefs. Perhaps they don't really belong in this file. (rsa_generate_keypair): Added progress-callback argument. * macros.h (READ_UINT24, WRITE_UINT24, READ_UINT16, WRITE_UINT16): New macros. * knuth-lfib.c, knuth-lfib.h: New files, implementing a non-cryptographic prng. 2002-01-15 Niels Möller * hmac-sha1.c: New file. 2002-01-14 Niels Möller * configure.in: Bumped version to 1.1. * testsuite/hmac-test.c (test_main): Added hmac-sha1 test cases. * rsa.c (rsa_init_private_key, rsa_clear_private_key): Handle d. * rsa.h (struct rsa_private_key): Reintroduced d attribute, to be used only for key generation output. (rsa_generate_keypair): Wrote a prototype. * Makefile.am (libnettle_a_SOURCES): Added hmac-sha1.c and nettle-internal.h. * des.c: Use static const for all tables. (des_set_key): Use a new const * variable for the parity procesing, for constness reasons. * list-obj-sizes.awk: New file. * nettle-internal.c, nettle-internal.h: New files. * testsuite/Makefile.am (TS_PROGS): Added hmac-test. Deleted old m4-stuff. * testsuite/testutils.h (LDATA): Moved this macro here,... * testsuite/rsa-test.c: ... from here. * testsuite/hmac-test.c: New file. * hmac.h: General cleanup. Added declarations of hmac-md5, hmac-sha1 and hmac-sha256. * hmac.c: Bug fixes. * hmac-md5.c: First working version. * Makefile.am (libnettle_a_SOURCES): Added hmac.c and hmac-md5.c. (libnettleinclude_HEADERS): Added hmac.h. * testsuite/rsa-test.c: Also test a 777-bit key. * rsa.c (rsa_check_size): Changed argument to an mpz_t. Updated callers. (rsa_prepare_private_key): Compute the size of the key by computing n = p * q. * rsa-compat.c: Adapted to new private key struct. * rsa_md5.c: Likewise. * rsa_sha1.c: Likewise. * rsa.c (rsa_check_size): New function, for computing and checking the size of the modulo in octets. (rsa_prepare_public_key): Usa rsa_check_size. (rsa_init_private_key): Removed code handling n, e and d. (rsa_clear_private_key): Likewise. (rsa_compute_root): Always use CRT. * rsa.h (struct rsa_private_key): Deleted public key and d from the struct, as they are not needed. Added size attribute. 2002-01-12 Niels Möller * Makefile.am: Added *-meta files. * rsa.c (rsa_init_public_key): New function. (rsa_clear_public_key): Likewise. (rsa_init_private_key): Likewise. (rsa_clear_private_key): Likewise. * aes-meta.c: New file. * arcfour-meta.c: New file. * cast128-meta.c: New file. * serpent-meta.c: New file. * twofish-meta.c: New file. * examples/nettle-benchmark.c: Use the interface in nettle-meta.h. 2002-01-11 Niels Möller Don't use m4 for generating test programs, it's way overkill. Use the C preprocessor instead. * testsuite/*-test.c: New file. * hmac.c, hmac.h, hmac-md5.c: New files. Defined structures describing the algoriths. Useful for code that wants to treat an algorithm as a black box. * nettle-meta.h, md5-meta.c, sha1-meta.c, sha256-meta.c: New files. 2002-01-09 Niels Möller * rsa-compat.c: Updated for new md5 and rsa conventions. * rsa_md5.c: Represent a signature as an mpz_t, not a string. Updated calls of md5 functions. * rsa_sha1.c: Likewise. * rsa.c (rsa_prepare_public_key): Renamed function, was rsa_init_public_key. (rsa_prepare_private_key): Renamed function, was rsa_init_private_key. * nettle.texinfo (Hash functions): Update for the changed interface without *_final. Document sha256. * testsuite/md5-test.m4, testsuite/sha1-test.m4, testsuite/sha256-test.m4, testsuite/yarrow-test.c: Updated for new hash function interface. * yarrow256.c: Removed calls of sha256_final and and some calls of sha256_init. * md5-compat.c (MD5Final): Call only md5_digest. * md5.c (md5_digest): Call md5_final and md5_init. (md5_final): Declared static. sha1.c, sha256.c: Analogous changes. * bignum.c (nettle_mpz_get_str_256): Declare the input argument const. 2001-12-14 Niels Möller * Makefile.am (EXTRA_DIST): Added $(des_headers). Changed dependencies for $(des_headers) to depend only on the source file desdata.c, not on the executable. 2001-12-12 Niels Möller * testsuite/yarrow-test.c (main): Updated testcase to match fixed generator. Send verbose output to stdout, not stderr. * yarrow256.c (yarrow_slow_reseed): Bug fix, update the fast pool with the digest of the slow pool. (yarrow256_init): Initialize seed_file and counter to zero, to ease debugging. 2001-12-07 Niels Möller * bignum.c (nettle_mpz_get_str_256): Fixed handling of leading zeroes. 2001-12-05 Niels Möller * testsuite/yarrow-test.c (main): Updated test to match the fixed key event estimator. * yarrow_key_event.c (yarrow_key_event_estimate): Fixed handling of timing info. * nettle.texinfo (Copyright): Say that under certain circumstances, Nettle can be used as if under the LGPL. * README: Added a paragraph on copyright. 2001-11-15 Niels Möller * yarrow256.c (yarrow256_force_reseed): New function. 2001-11-14 Niels Möller * testsuite/yarrow-test.c (main): Use yarrow256_is_seeded. * yarrow256.c (yarrow256_needed_sources): New function. (yarrow256_is_seeded): New function. (yarrow256_update): Use yarrow256_needed_sources. 2001-11-14 Niels Möller * testsuite/yarrow-test.out: Updated, to match the seed-file aware generator. * testsuite/yarrow-test.c: Updated expected_output. Check the seed file contents at the end. * yarrow256.c (yarrow256_seed): New function. (yarrow_fast_reseed): Create new seed file contents. 2001-11-13 Niels Möller * yarrow.h: Deleted yarrow160 declarations. 2001-11-02 Niels Möller * yarrow256.c (yarrow256_init): Fixed order of code and declarations. 2001-10-30 Niels Möller * rsa-compat.h: Added real prototypes and declarations. * Makefile.am (libnettle_a_SOURCES): Added rsa-compat.h and rsa-compat.c. * rsa-compat.c: New file, implementing RSA ref signature and verification functions. * configure.in: Check for libgmp. Deleted tests for SIZEOF_INT and friends. * rsa_sha1.c: New file, PKCS#1 rsa-sha1 signatures. * rsa_md5.c: New file, PKCS#1 rsa-md5 signatures. * rsa.c: New file with general rsa functions. * Makefile.am (libnettle_a_SOURCES): Added rsa and bignum files. * bignum.c, bignum.h: New file, with base256 functions missing in gmp. * testsuite/Makefile.am: Added bignum-test. * testsuite/run-tests (test_program): Check the exit code more carefully, and treat 77 as skip. This convention was borrowed from autotest. * testsuite/macros.m4: New macro SKIP which exits with code 77. * testsuite/bignum-test.m4: New file. 2001-10-15 Niels Möller * testsuite/Makefile.am (EXTRA_DIST): Include rfc1750.txt in the distribution. 2001-10-14 Niels Möller * testsuite/des-test.m4: Added testcase taken from applied cryptography. * testsuite/yarrow-test.c: Use sha256 instead of sha1 for checking input and output. Updated the expected values. * yarrow256.c (YARROW_RESEED_ITERATIONS): New constant. (yarrow_iterate): New function. (yarrow_fast_reseed): Call yarrow_iterate. * testsuite/yarrow-test.c: Added verbose flag, disabled by default. 2001-10-12 Niels Möller * examples/nettle-benchmark.c: Added more ciphers. * Makefile.am (SUBDIRS): Added the examples subdir. * configure.in: Output examples/Makefile. 2001-10-12 Niels Möller * examples/nettle-benchmark.c: New benchmarking program. 2001-10-10 Niels Möller * testsuite/yarrow-test.c: Open rfc1750.txt. Hash input and output, and compare to expected values. * testsuite/Makefile.am (CFLAGS): Don't disable optimization. (run-tests): Set srcdir in the environment when running run-tests. * testsuite/rfc1750.txt: Added this rfc as test input for yarrow. * yarrow_key_event.c (yarrow_key_event_estimate): Check if previous is zero. (yarrow_key_event_init): Initialize previous to zero. * yarrow256.c: Added debug some output. * testsuite/yarrow-test.c (main): Better output of entropy estimates at the end. 2001-10-09 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added yarrow-test. * testsuite/yarrow-test.c: New file. * yarrow256.c (yarrow256_init): Initialize the sources. (yarrow256_random): Fixed loop condition. * yarrow.h (YARROW_KEY_EVENT_BUFFER): New constant. * yarrow_key_event.c: New file. * Makefile.am (libnettle_a_SOURCES): Added yarrow_key_event.c. 2001-10-08 Niels Möller * yarrow.h (struct yarrow_key_event_ctx): New struct. * yarrow256.c (yarrow_fast_reseed): Generate two block of output using the old key and feed into the pool. * yarrow.h (struct yarrow256_ctx): Deleted buffer, index and block_count. * yarrow256.c (yarrow_fast_reseed): New function. (yarrow_slow_reseed): New function. (yarrow256_update): Check seed/reseed thresholds. (yarrow_gate): New function, extracted from yarrow_generate_block_with_gate which was deleted. (yarrow_generate_block_with_gate): Deleted function. (yarrow256_random): Don't buffer any output, instead gate after each request. (YARROW_GATE_THRESHOLD): Deleted constant. 2001-10-07 Niels Möller * Makefile.am: Added yarrow files. * yarrow256.c: New file, implementing Yarrow. Work in progress. * sha256.c: New file, implementing sha256. * testsuite/Makefile.am (CFLAGS): Added sha256-test. * testsuite/sha256-test.m4: New testcases for sha256. * shadata.c: New file, for generating sha256 constants. * sha.h: Renamed sha1.h to sha.h, and added declarations for sha256. 2001-10-05 Niels Möller * testsuite/aes-test.m4: Added a comment with NIST test vectors. 2001-10-04 Niels Möller * rsa.h, rsa-compat.h, yarrow.h: New files. 2001-09-25 Niels Möller * Released version 1.0. 2001-09-25 Niels Möller * sha1.c: Include stdlib.h, for abort. * md5.c: Include string.h, for memcpy. * testsuite/Makefile.am (M4_FILES): New variable. Explicitly list those C source files that should be generated by m4. * configure.in: Changed package name from "libnettle" to "nettle". * Makefile.am (EXTRA_DIST): Added .bootstrap. * AUTHORS: Added a reference to the manual. 2001-09-25 Niels Möller * des-compat.c (des_cbc_cksum): Bug fix, local variable was declared in the middle of a block. 2001-09-19 Niels Möller * nettle.texinfo (Compatibility functions): New section, mentioning md5-compat.h and des-compat.h. 2001-09-18 Niels Möller * index.html: New file. 2001-09-16 Niels Möller * nettle.texinfo: Added description of des3. Minor fixes. * testsuite/des-compat-test.c (cbc_data): Shorten to 32 bytes (4 blocks), the last block of zeroes wasn't used anyway. * des-compat.c (des_compat_des3_decrypt): Decrypt in the right order. (des_ncbc_encrypt): Bug fixed. (des_cbc_encrypt): Rewritten as a wrapper around des_ncbc_encrypt. 2001-09-14 Niels Möller * testsuite/des-compat-test.c: New file, copied from libdes (freeswan). All implemented functions but des_cbc_cksum seems to work now. * testsuite/Makefile.am (TS_PROGS): Added des-compat-test. * des-compat.c: Added libdes typedef:s. Had to remove all use of const in the process. (des_check_key): New global variable, checked by des_set_key. * des.c (des_set_key): Go on and expand the key even if it is weak. * des-compat.c (des_cbc_cksum): Implemented. (des_key_sched): Fixed return values. 2001-09-11 Niels Möller * Makefile.am: Added des-compat.c and des-compat.h * des-compat.c: Bugfixes, more functions implemented. * des-compat.h: Define DES_ENCRYPT and DES_DECRYPT. Bugfixes. 2001-09-10 Niels Möller * nettle.texinfo (Copyright): Added copyright information for serpent. (Miscellaneous functions): Started writing documentation on the CBC functions. (Cipher Block Chaining): This section more or less complete now. 2001-09-09 Niels Möller * testsuite/cbc-test.m4: Record intermediate values in a comment. * testsuite/des3-test.m4: Likewise. * testsuite/aes-test.m4: Added test case that appeared broken in the cbc test. * cbc.c (cbc_encrypt): Bug fix, encrypt block *after* XOR:ing the iv. * Makefile.am (libnettleinclude_HEADERS): Added cbc.h. Deleted des3.h. (libnettle_a_SOURCES): Added des3.c. * testsuite/Makefile.am (TS_PROGS): Added des3-test and cbc-test. * testsuite/cbc-test.m4: New testcase. * testsuite/des3-test.m4: New testcase. * cbc.h (CBC_CTX): New macro. (CBC_ENCRYPT): New macro. (CBC_DECRYPT): New macro. * des.c (des_fix_parity): New function. * des3.c: New file, implementing triple des. 2001-09-06 Niels Möller * cbc.c, cbc.h: New files, for general CBC encryption. * des-compat.h: Added some prototypes. 2001-09-05 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added md5-compat-test. * README: Copied introduction from the manual. * configure.in: Bumped version to 1.0. * Makefile.am (libnettleinclude_HEADERS): Added missing includes. (libnettle_a_SOURCES): Added md5-compat.c and md5-compat.h. * md5-compat.c, md5-compat.h: New files, implementing an RFC 1321-style interface. 2001-09-02 Niels Möller * twofish.c (twofish_decrypt): Fixed for();-bug in the block-loop. Spotted by Jean-Pierre. (twofish_encrypt): Likewise. 2001-07-03 Niels Möller * testsuite/testutils.c: Include string.h. * twofish.c: Include string.h. 2001-06-17 Niels Möller * Makefile.am (des_headers): Dont use $(srcdir)/-prefixes as that seems to break with GNU make 3.79.1. * testsuite/testutils.c, testsuite/testutils.h: Use , not . Include . 2001-06-17 Niels Möller * Use , not . * blowfish.h (BLOWFISH_MAX_KEY_SIZE): Fixed, should be 56. * Fixed copyright notices. * Makefile.am (libnettle_a_SOURCES): Added desinfo.h and desCode.h. (info_TEXINFOS): Added manual. (EXTRA_DIST): Added nettle.html. (%.html): Added rule for building nettle.html. * nettle.texinfo: New manual. * configure.in: Bumped version to 0.2. * testsuite/Makefile.am (TS_PROGS): Added cast128 test. * Added CAST128. * testsuite/serpent-test.m4: Added a few rudimentary tests extracted from the serpent package. * twofish.c: Adapted to nettle. Made constant tables const. Deleted bytes_to_word and word_to_bytes; use LE_READ_UINT32 and LE_WRITE_UINT32 instead. (twofish_selftest): Deleted. Moved the tests to the external testsuite. (twofish_set_key): Don't silently truncate too large keys. * sha1.c (sha1_update): Use unsigned for length. * serpent.c (serpent_set_key): Read the key backwards. Fixed padding (but there are no test vectors for key_size not a multiple of 4). (serpent_encrypt): Read and write data in the strange order used by the reference implementation. (serpent_decrypt): Likewise. * macros.h (FOR_BLOCKS): New macro, taken from lsh. * blowfish.h (struct blowfish_ctx): Use a two-dimensional array for s. * blowfish.c (initial_ctx): Arrange constants into a struct, to simplify key setup. (F): Deleted all but one definitions of the F function/macro. Added a context argument, and use that to find the subkeys. (R): Added context argument, and use that to find the subkeys. (blowfish_set_key): Some simplification. (encrypt): Deleted code for non-standard number of rounds. Deleted a bunch of local variables. Using the context pointer for everything should consume less registers. (decrypt): Likewise. * Makefile.am (libnettle_a_SOURCES): Added twofish. 2001-06-16 Niels Möller * testsuite/blowfish-test.m4: Fixed test. * Added twofish implementation. * blowfish.h (struct blowfish_ctx): Use the correct size for the p array. 2001-06-15 Niels Möller * testsuite/blowfish-test.m4: Fixed testcase, use correct key length. * Makefile.am (libnettle_a_SOURCES): Added blowfish files. ($(des_headers)): Strip directory part when passing file name to desdata. * testsuite/blowfish-test.m4: Added one test, from GNUPG. * Created blowfish.c and blowfish.h (from GNUPG via LSH). Needs more work. * aes.h: Fixed copyright notice to not mention GNU MP. XXX: Review all nettle copyrights. * testsuite/Makefile.am (TS_PROGS): Added tests for twofish and blowfish. 2001-06-13 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added serpent files. 2001-06-12 Niels Möller * des.c (des_encrypt, des_decrypt): Assert that the key setup was successful. * testsuite/Makefile.am (TS_PROGS): Added tests for des and sha1. * testsuite/sha1-test.m4: New file. * testsuite/des-test.m4: New file. * Added sha1 files. * Added desCore files. * Makefile.am: Added desCore and sha1. 2001-04-17 Niels Möller * install-sh: Copied the standard install script. * testsuite/Makefile.am (CFLAGS): Disable optimization. Add $(top_srcdir) to the include path. (EXTRA_DIST): Added testutils.h, testutils.c and run-tests. (run-tests): Fixed path to run-tests. * Makefile.am (EXTRA_DIST): Added memxor.h. (libnettleinclude_HEADERS): Install headers in $(libnettleincludedir). 2001-04-13 Niels Möller * Initial checkin. nettle-4.0/INSTALL0000644000000000000000000002231015141166424010631 0ustar00Installation Instructions ************************* Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, 2006 Free Software Foundation, Inc. This file is free documentation; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Basic Installation ================== Briefly, the shell commands `./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files. If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package. 4. Type `make install' to install the programs and any data files and documentation. 5. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables. You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. Installation Names ================== By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX'. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script). Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf bug. Until the bug is fixed you can use this workaround: CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash `configure' Invocation ====================== `configure' recognizes the following options to control how it operates. `--help' `-h' Print a summary of the options to `configure', and exit. `--version' `-V' Print the version of Autoconf used to generate the `configure' script, and exit. `--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching. `--config-cache' `-C' Alias for `--cache-file=config.cache'. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). `--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details. nettle-4.0/Makefile.in0000644000000000000000000006364515141166424011665 0ustar00# Nettle Makefile @SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = $(INSTALL_PROGRAM) -s MKDIR_P = @MKDIR_P@ OPT_NETTLE_OBJS = @OPT_NETTLE_OBJS@ OPT_HOGWEED_OBJS = @OPT_HOGWEED_OBJS@ OPT_NETTLE_SOURCES = @OPT_NETTLE_SOURCES@ FAT_OVERRIDE_LIST = @FAT_OVERRIDE_LIST@ FAT_EMULATE_LIST = @FAT_EMULATE_LIST@ SUBDIRS = testsuite tools examples include config.make PRE_CPPFLAGS = -I. -I$(srcdir) EXTRA_CFLAGS = $(CCPIC) LIBTARGETS = @IF_STATIC@ libnettle.a @IF_HOGWEED@ libhogweed.a SHLIBTARGETS = @IF_SHARED@ $(LIBNETTLE_FORLINK) @IF_HOGWEED@ $(LIBHOGWEED_FORLINK) gnulib_FILES = lib/getopt-core.h lib/getopt-ext.h \ lib/getopt.c lib/getopt1.c lib/getopt_int.h getopt_SOURCES = getopt.c getopt1.c getopt_TARGETS = $(getopt_SOURCES:.c=.$(OBJEXT)) internal_SOURCES = non-nettle.c internal_TARGETS = $(internal_SOURCES:.c=.$(OBJEXT)) TARGETS = $(getopt_TARGETS) $(internal_TARGETS) \ $(LIBTARGETS) $(SHLIBTARGETS) DOCTARGETS = @IF_DOCUMENTATION@ nettle.info nettle.html nettle.pdf PKGCONFIG_FILES = nettle.pc @IF_HOGWEED@ hogweed.pc pkgconfigdir = $(libdir)/pkgconfig all check install uninstall: $(MAKE) $@-here set -e; for d in $(SUBDIRS); do \ echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done clean distclean mostlyclean maintainer-clean tags: set -e; for d in $(SUBDIRS); do \ echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done $(MAKE) $@-here check-here: true # Tries different settings of NETTLE_FAT_OVERRIDE. Note that this # requires that corresponding processor features are available on the # test machine. check-fat-override: [ -z "$(FAT_OVERRIDE_LIST)" ] || \ set -e; cd testsuite && for f in $(FAT_OVERRIDE_LIST) ; do \ echo NETTLE_FAT_OVERRIDE=$$f ; \ NETTLE_FAT_OVERRIDE=$$f $(MAKE) check TS_ALL='$$(TS_FAT)' ; \ done # Emulate for multiple cpu flavors; -cpu is the right flag for qemu. EMULATOR_CPU_FLAG = -cpu check-fat-emulate: [ -z "$(FAT_EMULATE_LIST)" ] || [ -z "$(EMULATOR)" ] || \ set -e; cd testsuite && for f in $(FAT_EMULATE_LIST) ; do \ echo Emulating: $$f ; \ $(MAKE) check EMULATOR="$(EMULATOR) $(EMULATOR_CPU_FLAG) $$f" TS_ALL='$$(TS_FAT)' ; \ done all-here: $(TARGETS) $(DOCTARGETS) nettle_SOURCES = aes-decrypt-internal.c aes-decrypt-table.c \ aes128-decrypt.c aes192-decrypt.c aes256-decrypt.c \ aes-encrypt-internal.c aes-encrypt-table.c \ aes128-encrypt.c aes192-encrypt.c aes256-encrypt.c \ aes-invert-internal.c aes-set-key-internal.c \ aes128-set-encrypt-key.c aes128-set-decrypt-key.c \ aes128-meta.c \ aes192-set-encrypt-key.c aes192-set-decrypt-key.c \ aes192-meta.c \ aes256-set-encrypt-key.c aes256-set-decrypt-key.c \ aes256-meta.c \ nist-keywrap.c \ arcfour.c \ arctwo.c arctwo-meta.c blowfish.c blowfish-bcrypt.c \ balloon.c balloon-sha1.c balloon-sha256.c \ balloon-sha384.c balloon-sha512.c \ base16-encode.c base16-decode.c \ base64-encode.c base64-decode.c \ base64url-encode.c base64url-decode.c \ buffer.c buffer-init.c \ camellia-crypt-internal.c camellia-table.c \ camellia-absorb.c camellia-invert-key.c \ camellia128-set-encrypt-key.c camellia128-crypt.c \ camellia128-set-decrypt-key.c \ camellia128-meta.c \ camellia192-meta.c \ camellia256-set-encrypt-key.c camellia256-crypt.c \ camellia256-set-decrypt-key.c \ camellia256-meta.c \ cast128.c cast128-meta.c \ cbc.c cbc-aes128-encrypt.c cbc-aes192-encrypt.c cbc-aes256-encrypt.c \ ccm.c ccm-aes128.c ccm-aes192.c ccm-aes256.c cfb.c \ siv-cmac.c siv-cmac-aes128.c siv-cmac-aes256.c \ siv-gcm.c siv-gcm-aes128.c siv-gcm-aes256.c \ cnd-memcpy.c \ chacha-crypt.c chacha-core-internal.c \ chacha-poly1305.c chacha-poly1305-meta.c \ chacha-set-key.c chacha-set-nonce.c \ ctr.c ctr16.c des.c des3.c \ eax.c eax-aes128.c eax-aes128-meta.c \ ghash-set-key.c ghash-update.c \ siv-ghash-set-key.c siv-ghash-update.c \ gcm.c \ gcm-aes128.c gcm-aes128-meta.c \ gcm-aes192.c gcm-aes192-meta.c \ gcm-aes256.c gcm-aes256-meta.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ gcm-sm4.c gcm-sm4-meta.c \ cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \ cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \ gost28147.c gosthash94.c gosthash94-meta.c \ hmac-internal.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \ hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \ hmac-sha512.c hmac-streebog.c hmac-sm3.c \ hmac-md5-meta.c hmac-ripemd160-meta.c hmac-sha1-meta.c \ hmac-sha224-meta.c hmac-sha256-meta.c hmac-sha384-meta.c \ hmac-sha512-meta.c hmac-gosthash94-meta.c \ hmac-streebog-meta.c hmac-sm3-meta.c \ knuth-lfib.c hkdf.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-meta.c \ memeql-sec.c memxor.c memxor3.c \ nettle-lookup-hash.c \ nettle-meta-aeads.c \ nettle-meta-ciphers.c nettle-meta-hashes.c nettle-meta-macs.c \ ocb.c ocb-aes128.c \ pbkdf2.c pbkdf2-hmac-gosthash94.c pbkdf2-hmac-sha1.c \ pbkdf2-hmac-sha256.c pbkdf2-hmac-sha384.c pbkdf2-hmac-sha512.c \ poly1305-aes.c poly1305-internal.c poly1305-update.c \ realloc.c \ ripemd160.c ripemd160-compress.c ripemd160-meta.c \ salsa20-core-internal.c salsa20-crypt-internal.c \ salsa20-crypt.c salsa20r12-crypt.c salsa20-set-key.c \ salsa20-set-nonce.c \ salsa20-128-set-key.c salsa20-256-set-key.c \ sha1.c sha1-compress.c sha1-meta.c \ sha256.c sha256-compress-n.c sha224-meta.c sha256-meta.c \ sha512.c sha512-compress.c sha384-meta.c sha512-meta.c \ sha512-224-meta.c sha512-256-meta.c \ sha3.c sha3-permute.c \ sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \ sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c \ sha3-shake.c shake128.c shake256.c \ sm3.c sm3-meta.c \ serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \ serpent-meta.c \ streebog.c streebog-meta.c \ twofish.c twofish-meta.c \ sm4.c sm4-meta.c \ umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \ umac-poly64.c umac-poly128.c umac-set-key.c \ umac32.c umac64.c umac96.c umac128.c \ version.c \ write-be32.c write-le32.c write-le64.c \ yarrow256.c yarrow_key_event.c \ xts.c xts-aes128.c xts-aes256.c \ drbg-ctr-aes256.c \ slh-shake.c slh-sha256.c \ slh-fors.c slh-merkle.c slh-wots.c slh-xmss.c \ slh-dsa.c slh-dsa-128s.c slh-dsa-128f.c \ slh-dsa-shake-128s.c slh-dsa-shake-128f.c slh-dsa-sha2-128s.c slh-dsa-sha2-128f.c hogweed_SOURCES = sexp.c sexp-format.c \ sexp-transport.c sexp-transport-format.c \ bignum.c bignum-random.c bignum-random-prime.c \ sexp2bignum.c \ pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \ oaep.c \ pkcs1-sec-decrypt.c \ pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \ pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \ pss.c pss-mgf1.c \ rsa.c rsa-sign.c rsa-sign-tr.c rsa-verify.c \ rsa-sec-compute-root.c \ rsa-pkcs1-sign.c rsa-pkcs1-sign-tr.c rsa-pkcs1-verify.c \ rsa-md5-sign.c rsa-md5-sign-tr.c rsa-md5-verify.c \ rsa-sha1-sign.c rsa-sha1-sign-tr.c rsa-sha1-verify.c \ rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \ rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \ rsa-pss-sha256-sign-tr.c rsa-pss-sha256-verify.c \ rsa-pss-sha512-sign-tr.c rsa-pss-sha512-verify.c \ rsa-encrypt.c rsa-decrypt.c \ rsa-oaep-encrypt.c rsa-oaep-decrypt.c \ rsa-sec-decrypt.c rsa-decrypt-tr.c \ rsa-keygen.c \ rsa2sexp.c sexp2rsa.c \ dsa.c dsa-gen-params.c \ dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \ dsa2sexp.c sexp2dsa.c \ der-iterator.c der2rsa.c der2dsa.c \ sec-add-1.c sec-sub-1.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ ecc-gost-gc256b.c ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c ecc-nonsec-add-jjj.c \ ecc-eh-to-a.c \ ecc-dup-eh.c ecc-add-eh.c ecc-add-ehh.c \ ecc-dup-th.c ecc-add-th.c ecc-add-thh.c \ ecc-mul-g-eh.c ecc-mul-a-eh.c ecc-mul-m.c \ ecc-mul-g.c ecc-mul-a.c ecc-random.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c \ ed25519-sha512.c ed25519-sha512-pubkey.c \ ed25519-sha512-sign.c ed25519-sha512-verify.c \ ed448-shake256.c ed448-shake256-pubkey.c \ ed448-shake256-sign.c ed448-shake256-verify.c OPT_SOURCES = fat-arm.c fat-arm64.c fat-ppc.c fat-s390x.c fat-x86_64.c mini-gmp.c HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h balloon.h \ base16.h base64.h bignum.h buffer.h camellia.h cast128.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ gcm.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h siv-gcm.h \ md2.h md4.h md5.h \ memops.h memxor.h \ nettle-meta.h nettle-types.h \ ocb.h pbkdf2.h \ pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \ salsa20.h sexp.h serpent.h \ sha1.h sha2.h sha3.h slh-dsa.h sm3.h sm4.h streebog.h twofish.h \ umac.h yarrow.h xts.h poly1305.h nist-keywrap.h \ drbg-ctr.h INSTALL_HEADERS = $(HEADERS) version.h @IF_MINI_GMP@ mini-gmp.h SOURCES = $(nettle_SOURCES) $(hogweed_SOURCES) \ $(getopt_SOURCES) $(internal_SOURCES) \ $(OPT_SOURCES) \ aesdata.c desdata.c twofishdata.c shadata.c eccdata.c # NOTE: This list must include all source files, with no duplicates, # independently of which source files are included in the build. DISTFILES = $(SOURCES) $(HEADERS) getopt.h \ .bootstrap run-tests \ aclocal.m4 configure.ac \ configure stamp-h.in version.h.in \ libnettle.map.in libhogweed.map.in \ config.guess config.sub install-sh \ config.h.in config.m4.in config.make.in Makefile.in \ README CONTRIBUTING.md AUTHORS COPYING.LESSERv3 COPYINGv2 COPYINGv3 \ INSTALL NEWS ChangeLog \ nettle.pc.in hogweed.pc.in \ desdata.stamp $(des_headers) descore.README \ aes-internal.h block-internal.h blowfish-internal.h bswap-internal.h \ camellia-internal.h gcm-internal.h \ ghash-internal.h gost28147-internal.h poly1305-internal.h \ serpent-internal.h cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h md-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h non-nettle.h nettle-write.h \ ctr-internal.h chacha-internal.h hmac-internal.h sha3-internal.h \ salsa20-internal.h umac-internal.h hogweed-internal.h \ rsa-internal.h pkcs1-internal.h dsa-internal.h eddsa-internal.h \ slh-dsa-internal.h \ gmp-glue.h ecc-internal.h fat-setup.h oaep.h \ mini-gmp.h asm.m4 m4-utils.m4 \ nettle.texinfo nettle.info nettle.html nettle.pdf sha-example.c # Rules building static libraries nettle_OBJS = $(nettle_SOURCES:.c=.$(OBJEXT)) \ $(OPT_NETTLE_SOURCES:.c=.$(OBJEXT)) $(OPT_NETTLE_OBJS) hogweed_OBJS = $(hogweed_SOURCES:.c=.$(OBJEXT)) \ $(OPT_HOGWEED_OBJS) @IF_MINI_GMP@ mini-gmp.$(OBJEXT) libnettle.a: $(nettle_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(nettle_OBJS) $(RANLIB) $@ echo nettle > libnettle.stamp libhogweed.a: $(hogweed_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(hogweed_OBJS) $(RANLIB) $@ echo hogweed > libhogweed.stamp %.$(OBJEXT): %.asm $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4 $(M4) $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4 $< >$*.s $(COMPILE) $(ASM_FLAGS) -c $*.s %.$(OBJEXT): %.c $(COMPILE) -c $< \ && $(DEP_PROCESS) # Rules building shared libraries. $(LIBNETTLE_FORLINK): $(nettle_OBJS) $(LIBNETTLE_LINK) $(nettle_OBJS) @EXTRA_LINKER_FLAGS@ -o $@ $(LIBNETTLE_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBNETTLE_FORLINK) \ && $(LN_S) ../$(LIBNETTLE_FORLINK) $(LIBNETTLE_FORLINK) \ && [ -z "$(LIBNETTLE_SONAME)" ] \ || { rm -f $(LIBNETTLE_SONAME) \ && $(LN_S) $(LIBNETTLE_FORLINK) $(LIBNETTLE_SONAME) ; } ) echo nettle > libnettle.stamp $(LIBHOGWEED_FORLINK): $(hogweed_OBJS) $(LIBNETTLE_FORLINK) $(LIBHOGWEED_LINK) $(hogweed_OBJS) @EXTRA_HOGWEED_LINKER_FLAGS@ -o $@ $(LIBHOGWEED_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBHOGWEED_FORLINK) \ && $(LN_S) ../$(LIBHOGWEED_FORLINK) $(LIBHOGWEED_FORLINK) \ && [ -z "$(LIBHOGWEED_SONAME)" ] \ || { rm -f $(LIBHOGWEED_SONAME) \ && $(LN_S) $(LIBHOGWEED_FORLINK) $(LIBHOGWEED_SONAME) ; } ) echo hogweed > libhogweed.stamp # For building the various *data.c programs. -lm needed for shadata. %$(EXEEXT_FOR_BUILD): %.c $(CC_FOR_BUILD) $< -lm -o $@ # Explicit dependency. eccdata$(EXEEXT_FOR_BUILD): mini-gmp.c mini-gmp.h # desCore rules # It seems using $(srcdir)/ doesn't work with GNU make 3.79.1 # des_headers = $(srcdir)/rotors.h $(srcdir)/keymap.h des_headers = rotors.h keymap.h # Generate DES headers. $(des_headers): desdata.stamp f="$(srcdir)/`basename $@`"; \ ./desdata$(EXEEXT_FOR_BUILD) $(@F) > $${f}T; \ test -s $${f}T && mv -f $${f}T $$f desdata.stamp: desdata.c $(MAKE) desdata$(EXEEXT_FOR_BUILD) echo stamp > desdata.stamp des.$(OBJEXT): des.c des.h $(des_headers) # Generate ECC files, with roughly 16 KB of tables per curve. # Some reasonable choices for 192: # k = 8, c = 6, S = 256, T = 40 ( 32 A + 8 D) 12 KB # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB ecc-secp192r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB ecc-secp224r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB ecc-secp256r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 384: # k = 16, c = 6, S = 256, T = 80 ( 64 A + 16 D) 24 KB # k = 28, c = 7, S = 256, T = 84 ( 56 A + 28 D) 24 KB # k = 11, c = 5, S = 224, T = 88 ( 77 A + 11 D) 21 KB # k = 22, c = 6, S = 192, T = 88 ( 66 A + 22 D) 18 KB # k = 13, c = 5, S = 192, T = 91 ( 78 A + 13 D) 18 KB # k = 16, c = 5, S = 160, T = 96 ( 80 A + 16 D) 15 KB # k = 32, c = 6, S = 128, T = 96 ( 64 A + 32 D) 12 KB ecc-secp384r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp384r1 32 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 521: # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) ~27 KB # k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) ~23 KB # k = 44, c = 6, S = 128, T = 132 ( 88 A + 44 D) ~18 KB # k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) ~14 KB ecc-secp521r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp521r1 44 6 $(NUMB_BITS) > $@T && mv $@T $@ # Parameter choices mostly the same as for ecc-secp256r1.h. ecc-curve25519.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) curve25519 11 6 $(NUMB_BITS) > $@T && mv $@T $@ ecc-curve448.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 512: # k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB # k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) 20 KB # k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) 16 KB # k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) 12 KB ecc-gost-gc512a.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@ eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h ecc-secp384r1.$(OBJEXT): ecc-secp384r1.h ecc-secp521r1.$(OBJEXT): ecc-secp521r1.h # Texinfo rules %.info: %.texinfo cd $(srcdir) && $(MAKEINFO) --output $@ `basename "$<"` %.html: %.texinfo cd $(srcdir) && $(MAKEINFO) --html --no-split \ --output $@T `basename "$<"` \ && test -s $@T && mv -f $@T $@ %.pdf: %.texinfo cd $(srcdir) && texi2pdf `basename "$<"` # Configure-related rules, mostly copied from the autoconf manual. No # $(srcdir) prefixes on the targets, though. configure: configure.ac aclocal.m4 cd $(srcdir) && $(AUTOCONF) # autoheader might not change config.h.in, so touch a stamp file. config.h.in: stamp-h.in stamp-h.in: configure.ac aclocal.m4 cd $(srcdir) && $(AUTOHEADER) echo timestamp > $(srcdir)/stamp-h.in config.status: configure ./config.status --recheck config.h: stamp-h stamp-h: config.h.in config.status ./config.status config.h echo timestamp > stamp-h Makefile: Makefile.in config.status ./config.status $@ config.make: config.make.in config.status ./config.status $@ config.m4: config.m4.in config.status ./config.status $@ nettle.pc: nettle.pc.in config.status ./config.status $@ hogweed.pc: hogweed.pc.in config.status ./config.status $@ version.h: version.h.in config.status ./config.status $@ # Installation install-doc: @IF_DOCUMENTATION@ install-info install-here: install-doc install-headers install-static install-pkgconfig \ @IF_SHARED@ install-shared-nettle @IF_HOGWEED@ install-shared-hogweed install-static: $(LIBTARGETS) $(MKDIR_P) $(DESTDIR)$(libdir) for f in $(LIBTARGETS); do \ $(INSTALL_DATA) $$f $(DESTDIR)$(libdir) ; \ done install-dll-nettle: $(MKDIR_P) $(DESTDIR)$(bindir) $(INSTALL_DATA) $(LIBNETTLE_FORLINK) $(DESTDIR)$(bindir)/$(LIBNETTLE_FORLINK) install-shared-nettle: $(LIBNETTLE_FORLINK) @IF_DLL@ install-dll-nettle $(MKDIR_P) $(DESTDIR)$(libdir) $(INSTALL_DATA) $(LIBNETTLE_FILE_SRC) $(DESTDIR)$(libdir)/$(LIBNETTLE_FILE) [ -z "$(LIBNETTLE_SONAME)" ] \ || (cd $(DESTDIR)$(libdir) \ && rm -f $(LIBNETTLE_SONAME) $(LIBNETTLE_FORLINK) \ && $(LN_S) $(LIBNETTLE_FILE) $(LIBNETTLE_SONAME) \ && $(LN_S) $(LIBNETTLE_FILE) $(LIBNETTLE_FORLINK)) install-dll-hogweed: $(MKDIR_P) $(DESTDIR)$(bindir) $(INSTALL_DATA) $(LIBHOGWEED_FORLINK) $(DESTDIR)$(bindir)/$(LIBHOGWEED_FORLINK) install-shared-hogweed: $(LIBHOGWEED_FORLINK) @IF_DLL@ install-dll-hogweed $(MKDIR_P) $(DESTDIR)$(libdir) $(INSTALL_DATA) $(LIBHOGWEED_FILE_SRC) $(DESTDIR)$(libdir)/$(LIBHOGWEED_FILE) [ -z "$(LIBHOGWEED_SONAME)" ] \ || (cd $(DESTDIR)$(libdir) \ && rm -f $(LIBHOGWEED_SONAME) $(LIBHOGWEED_FORLINK) \ && $(LN_S) $(LIBHOGWEED_FILE) $(LIBHOGWEED_SONAME) \ && $(LN_S) $(LIBHOGWEED_FILE) $(LIBHOGWEED_FORLINK)) # I'd like to use makes VPATH search to locate the files to be # installed. But it seems most make programs don't set $<, $^, $? and # friends for ordinary explicit rules. install-info: nettle.info $(MKDIR_P) $(DESTDIR)$(infodir) f=nettle.info ; \ [ -f $$f ] || f="$(srcdir)/$$f" ; \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(infodir) ; \ if (install-info --version && \ install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ install-info --info-dir="$(DESTDIR)$(infodir)" "$$f" ; \ else : ; fi # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, and equivalent for phony targets. install-headers: $(INSTALL_HEADERS) $(MKDIR_P) $(DESTDIR)$(includedir)/nettle for f in $(INSTALL_HEADERS) ; do \ if [ -f "$$f" ] ; then \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(includedir)/nettle ; \ else \ $(INSTALL_DATA) "$(srcdir)/$$f" $(DESTDIR)$(includedir)/nettle ; \ fi ; done install-pkgconfig: $(PKGCONFIG_FILES) $(MKDIR_P) $(DESTDIR)$(pkgconfigdir) for f in $(PKGCONFIG_FILES) ; do \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(pkgconfigdir) ; \ done # Uninstall uninstall-here: uninstall-info uninstall-headers uninstall-static \ uninstall-pkgconfig @IF_SHARED@ uninstall-shared uninstall-static: for f in $(LIBTARGETS) ; do \ rm -f $(DESTDIR)$(libdir)/$$f ; \ done uninstall-headers: for f in $(INSTALL_HEADERS) ; do \ rm -f $(DESTDIR)$(includedir)/nettle/$$f ; \ done uninstall-info: if (install-info --version && \ install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ install-info --info-dir="$(DESTDIR)$(infodir)" --remove "$(DESTDIR)$(infodir)"/nettle.info ; \ else : ; fi -rm -f $(DESTDIR)$(infodir)/nettle.info # FIXME: Leaves the links around uninstall-shared: uninstall-shared-nettle @IF_HOGWEED@ uninstall-shared-hogweed uninstall-dll-nettle: rm -f $(DESTDIR)$(bindir)/$(LIBNETTLE_FORLINK) uninstall-shared-nettle: @IF_DLL@ uninstall-dll-nettle rm -f $(DESTDIR)$(libdir)/$(LIBNETTLE_FILE) [ -z "$(LIBNETTLE_SONAME)" ] \ || rm -f $(LIBNETTLE_SONAME) $(LIBNETTLE_FORLINK) uninstall-dll-hogweed: rm -f $(DESTDIR)$(bindir)/$(LIBHOGWEED_FORLINK) uninstall-shared-hogweed: @IF_DLL@ uninstall-dll-hogweed rm -f $(DESTDIR)$(libdir)/$(LIBHOGWEED_FILE) [ -z "$(LIBHOGWEED_SONAME)" ] \ || rm -f $(LIBHOGWEED_SONAME) $(LIBHOGWEED_FORLINK) uninstall-pkgconfig: for f in $(PKGCONFIG_FILES) ; do \ rm -f $(DESTDIR)$(pkgconfigdir)/$$f ; \ done # Distribution distdir = $(PACKAGE_NAME)-$(PACKAGE_VERSION) top_distdir = $(distdir) # NOTE: We should handle both absolute and relative $destdir. distdir: $(DISTFILES) rm -rf "$(distdir)" mkdir "$(distdir)" set -e; for f in $(DISTFILES) ; do \ if [ -f "$$f" ] ; then cp "$$f" "$(distdir)" ; \ else cp "$(srcdir)/$$f" "$(distdir)" ; \ fi ; \ done mkdir "$(distdir)/lib" set -e; for f in $(gnulib_FILES) ; do \ cp "$(srcdir)/$$f" "$(distdir)/lib" ; \ done set -e; for d in sparc64 x86 \ x86_64 x86_64/aesni x86_64/sha_ni x86_64/pclmul x86_64/fat \ arm arm/neon arm/v6 arm/fat \ arm64 arm64/crypto arm64/fat \ powerpc64 powerpc64/p7 powerpc64/p8 powerpc64/p9 powerpc64/fat \ s390x s390x/vf s390x/msa s390x/msa_x1 s390x/msa_x2 s390x/msa_x4 s390x/fat ; do \ mkdir "$(distdir)/$$d" ; \ find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' -o -name README ')' \ -exec cp '{}' "$(distdir)/$$d" ';' ; \ done set -e; for d in $(SUBDIRS); do \ sd="$(distdir)/$$d" ; \ mkdir "$$sd" && $(MAKE) -C $$d distdir="`cd $$sd && pwd`" $@ ; \ done TAR_OPTIONS = --owner=0 --group=0 --numeric-owner --sort=name --mode=go+u,go-w --format=ustar dist: distdir TAR_OPTIONS="$(TAR_OPTIONS)" tar cf - $(distdir) | gzip -c >$(distdir).tar.gz rm -rf $(distdir) rm_distcheck = test ! -d distcheck-tmp \ || { find distcheck-tmp -type d ! -perm -200 -exec chmod u+w {} ';' \ && rm -fr distcheck-tmp; }; distcheck: dist $(rm_distcheck) mkdir distcheck-tmp gzip -d < $(distdir).tar.gz \ | { cd distcheck-tmp && tar xf - && chmod -R a-w $(distdir) ; } mkdir distcheck-tmp/build mkdir distcheck-tmp/install cd distcheck-tmp/build && ../$(distdir)/configure --prefix="`cd ../install && pwd`" cd distcheck-tmp/build && $(MAKE) cd distcheck-tmp/build && $(MAKE) check cd distcheck-tmp/build && $(MAKE) install cd distcheck-tmp/build && $(MAKE) uninstall cd distcheck-tmp && find install -type f -print > leftover-install-files @test `cat distcheck-tmp/leftover-install-files | wc -l` -le 1 \ || { echo "ERROR: files left after uninstall:" ; \ cat distcheck-tmp/leftover-install-files ; \ exit 1; } chmod -R a-w distcheck-tmp/install mkdir distcheck-tmp/destdir destdir="`cd distcheck-tmp/destdir && pwd`" \ && cd distcheck-tmp/build \ && $(MAKE) install DESTDIR="$$destdir" \ && $(MAKE) uninstall DESTDIR="$$destdir" cd distcheck-tmp && find destdir -type f -print > leftover-destdir-files @test `cat distcheck-tmp/leftover-destdir-files | wc -l` -le 1 \ || { echo "ERROR: destdir files left after uninstall:" ; \ cat distcheck-tmp/leftover-destdir-files ; \ exit 1; } cd distcheck-tmp/build && $(MAKE) dist cd distcheck-tmp/build && rm *.gz cd distcheck-tmp/build && $(MAKE) distclean cd distcheck-tmp && find build -type f -print > leftover-build-files @test `cat distcheck-tmp/leftover-build-files | wc -l` -eq 0 \ || { echo "ERROR: files left in build directory after distclean:" ; \ cat distcheck-tmp/leftover-build-files ; \ exit 1; } $(rm_distcheck) clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ ecc-gost-gc256b.h ecc-gost-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ desdata$(EXEEXT_FOR_BUILD) \ twofishdata$(EXEEXT_FOR_BUILD) \ shadata$(EXEEXT_FOR_BUILD) \ eccdata$(EXEEXT_FOR_BUILD) eccdata.stamp -rm -rf .lib libnettle.stamp libhogweed.stamp distclean-here: clean-here -rm -f config.h stamp-h config.log config.status machine.m4 \ config.make config.m4 Makefile version.h \ nettle.pc hogweed.pc libnettle.map libhogweed.map \ *.asm *.d maintainer-clean-here: -rm -f $(DOCTARGETS) *.dvi *.ps tags-here: etags -o $(srcdir)/TAGS $(srcdir)/*.c $(srcdir)/*.h DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) -include $(DEP_FILES) nettle-4.0/NEWS0000644000000000000000000023114115141166424010303 0ustar00NEWS for the Nettle 4.0 release This is a new major release. It includes one new feature, support for SLH-DSA. There are several changes to Nettle's API, as well as deletion of obsolete features. There are also several improvements to the ABI that leaves the API mostly unchanged, in particular, smaller context structs for several algorithms. The most disruptive API change is that the *_digest functions no longer takes the desired digest size as argument. Truncated hashes appeared to be an important use case decades ago when the previous interface was designed, but that is now rather obscure. Feedback on the new interfaces is appreciated, e.g., if the variable tag length for OCB and CCM should be supported differently, if additional types would benefit from larger alignment, or if there are remaining interface bugs or inconsistencies. Smaller additional API or ABI changes may be considered for the next release, Nettle-4.1, but after that, the intention is that both ABI and API should stay backwards compatible for a longer time. The shared library names are libnettle.so.9.0 and libhogweed.so.7.0, with new sonames libnettle.so.9 and libhogweed.so.7. Interface changes: * The _digest functions for hash algorithms, MACs and AEADs no longer take the desired digest size as argument, instead, they always produce the full-size digest. The typedef nettle_hash_digest_func has also been changed accordingly. There are two exceptions: CCM and OCB. These AEAD algorithms are specified with a variable tag length, which is not a mere truncation of the output. Their _digest functions (ccm_digest, ocb_digest, ccm_ae128_digest, ...) also have their length argument deleted, but they still produce a variable size digest. The number of octets to write (at most 16) is stored into the context struct by the corresponding _set_nonce function. * The functions to process complete messages using CCM AES now take a const cipher context as the first argument, e.g, first argument to ccm_aes128_encrypt_message is now a const struct aes128_ctx *. It used to be a struct ccm_aes128_ctx *, where everything but the underlying cipher context was ignored. * The SHA3 functions now use the same struct sha3_ctx for all flavors, and the same function sha3_init. Old names, e.g., sha3_256_ctx and sha3_256_init, are defined as preprocessor aliases, for backwards compatibility. * The dst_length argument to base16_decode_update and base64_decode_update is now both an input and output argument. On input it must now hold the size of the destination buffer, and decoding fails if that is not sufficient. Previously, dst_length was an output only, and it was required that the destination buffer was large enough for any input of the given src_length. Interface deletions: * Deleted the old struct aes_ctx, and all functions operating on it. Use the fixed key size interfaces instead, e.g., struct aes256_ctx, introduced in Nettle-3.0. * Deleted dsa-compat.h, and everything declared therein. Use the interface in dsa.h, introduced in Nettle-3.0. * Deleted old header sha.h. Use sha1.h or sha2.h instead, as appropriate. * Deleted the general HMAC interface, with functions like hmac_set_key that work with an arbitrary underlying hash function. Use the specific hmac functions instead, e.g., hmac_sha256_set_key, or the mac abstraction defined in nettle-meta.h, e.g, the nettle_hmac_sha256 instance. * Deleted the undocumented struct nettle_armor abstraction. * Deleted the undocumented function base64_encode_group. * Deleted md5-compat.h, and everything declared therein. Use the interface in md5.h instead (or even better, stop using md5). * Deleted pgp.h, and everything declared therein. This attempt to support openpgp formats was incomplete, undocumented, and mostly obsolete. * Delete all the *_DATA_SIZE compatibility aliases. Use corresponding *_BLOCK_SIZE constants instead, introduced in Nettle-3.0. * Deleted the obsolete functions _rsa_blind and _rsa_unblind. (Current RSA blinding in Nettle uses internal functions with a different interface). * Delete compatibility aliases salsa20_set_iv, SALSA20_IV_SIZE. These were renamed to salsa20_set_nonce and SALSA20_NONCE_SIZE in Nettle-3.0. * Deleted compatibility aliases _nettle_md5_compress, _nettle_sha1_compress. These internal functions were promoted to documented and supported functions in Nettle-3.9, with new names md5_compress and sha1_compress. * Deleted compatibility alias yarrow_force_reseed. Renamed to yarrow_slow_reseed in Nettle-2.0. ABI changes and improvements. * Introduce 16-byte alignment on certain types. Applied to union nettle_block16, and subkey arrays of AES and UMAC. This is intended to improve performance for SIMD load and store instructions, which on some platforms may be faster with proper alignment. The larger alignment is enabled only for platforms where the alignment of the uint64_t type is 8. * Size of struct gcm_key is reduced from 4096 bytes to 2048. * Size of the new sha3_ctx is considerable smaller, 216 bytes, than the previous types that included a buffer for a complete block. E.g., the largest one, for sha3_128_ctx (shake128), used to be 376 bytes. * Size of HMAC contexts have been reduced, by not including multiple block buffers. E.g, size of struct hmac_sha256_ctx reduced from 336 bytes to 192. This change has been discussed for a long time, with first attempt made by Dmitry Baryshkov years ago, but delayed, since it implies an ABI break. * For OCB block counters, use type uint32_t for blocks of associated data, and uint64_t for message blocks, instead of size_t. This makes the implementation limits the same for 32-bit and 64-bit platforms. Bug fixes: * Fix off-by-one bug in sexp parser, which could result in a one byte overread on invalid input. Also fix excessive recursion and stack usage for some inputs. Both problems reported via oss-fuzz. * Fix ed448_shake256_verify to check that the final signature octet is zero (previous versions completely ignored this somewhat redundant octet). Reported by Oren Yomtov. New features: * Support for SLH-DSA signatures (stateless hash-based digital signature algorithm). See the Nettle manual for details. * New public function drbg_ctr_aes256_update, to enable FIPS-compliant reseeding. Contributed by Daiki Ueno. Configure and build changes: * Support for at least C99 is required when building Nettle. In addition, support for alignof and alignas is required; these are part of C11, but intention is that this is the only required C11 feature. * The unusual configure options --with-lib-path and --with-include-path has been deleted. Use CFLAGS and LDFLAGS instead. This implies that Nettle's configure script no longer attempts to add rpath-related linker flags automagically; if any are needed, they must be passed in LDFLAGS. * The logic to sometimes change the default libdir has been deleted. Previously, configure tried to be helpful and change the default, e.g., to ${exec_prefix}/lib32 when you build 32-bit libraries on a system where ${exec_prefix}/lib is for 64-bit libraries. If you relied on this behavior, you now have to use the --libdir configure option. * Rearranged getopt files, now based on gnulib copies. NEWS for the Nettle 3.10.2 release This is a maintenance release, with only a few bugfixes and portability improvements. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.11 and libhogweed.so.6.11, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix missing prototypes in getopt.h and getopt.c, affecting non-glibc systems, and causing compile errors with C23 compilers that require prototypes, e.g., gcc-15. * For powerpc64, avoid using v9 (ISA v3.0) instructions lxvb16x, lxv and stxv in powerpc64/p8/ files. * For powerpc64, add configure check for __VSX__, and disable use of assembly if not defined. Nettle's powerpc64 assembly requires at least v7 (ISA v2.06). NEWS for the Nettle 3.10.1 release This is a maintenance release, with only a few bugfixes and portability improvements. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.10 and libhogweed.so.6.10, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix buffer overread in the new sha256 assembly for powerpc64, as well as a stack alignment issue. * Added missing nettle_mac structs for hmac-gosthash. * Fix configure test for valgrind, to not attempt to run valgrind on executables built using memory sanitizers. Optimizations: * Improved runtime detection of cpu features for OpenBSD and FreeBSD, using elf_aux_info when available. This also adds runtime detection for FreeBSD on arm64. Contributed by Brad Smith. NEWS for the Nettle 3.10 release This is a maintenance release, including a few each of bug fixes, new features and optimizations. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.9 and libhogweed.so.6.9, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Add missing hash functions sha512_224 and sha512_256 to the nettle_get_hashes() list. The name values in the corresponding nettle_hash structs also changed to use underscore instead of dash, for consistency. * Fix a few cases of formally undefined calls to memcpy(dst, NULL, 0), resulting from valid calls to, e.g., sha256_update(ctx, 0, NULL). New features: * Support RSA-OAEP encryption. Contributed by Nicolas Mora and Daiki Ueno. * New function sha3_256_shake_output, new functions sha3_128_init, sha3_128_update, sha3_128_shake, sha3_128_shake_output. Contributed by Daiki Ueno. * Added DRBG-CTR with AES256, contributed by Simon Josefsson. Optimizations: * New combined gcm-aes assembly for powerpc64, contributed by Danny Tsen. * New sha256 assembly for powerpc64, contributed by Eric Richter. * Improved performance for powerpc64 AES decrypt, by skipping subkey transformations that don't suit the vncipher instructions. * Add arm64 CPU feature detection for Android and for Apple systems, contributed by Foolbar and Tim Kosse, respectively. Miscellaneous: * New tests for side-channel silence, based on valgrind. * Delete all md5 assembly code. Delete all sparc32 assembly code. NEWS for the Nettle 3.9.1 release This is a bugfix release, fixing a few bugs reported for Nettle-3.9. The bug in the new OCB code may be exploitable for denial of service or worse, since triggering it leads to memory corruption. Upgrading from Nettle-3.9 to the new version is strongly recommended. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.8 and libhogweed.so.6.8, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix OCB loop for processing messages of size 272 bytes or larger. Reported and fixed by Jussi Kivilinna. * Fix alignment bug in the new x86_64 non-pclmul assembly implementation of ghash. Reported by Henrik Grubbström. * Fix build-time memory leak in eccdata. Reported by Noah Watkins. NEWS for the Nettle 3.9 release This release includes bug fixes, several new features, a few performance improvements, and one performance regression affecting GCM on certain platforms. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.7 and libhogweed.so.6.7, with sonames libnettle.so.8 and libhogweed.so.6. This release includes a rewrite of the C implementation of GHASH (dating from 2011), as well as the plain x86_64 assembly version, to use precomputed tables in a different way, with tables always accessed in the same sequential manner. This should make Nettle's GHASH implementation side-channel silent on all platforms, but considerably slower on platforms without carry-less mul instructions. E.g., benchmarks of the C implementation on x86_64 showed a slowdown of 3 times. Bug fixes: * Fix bug in ecdsa and gostdsa signature verify operation, for the unlikely corner case that point addition really is point duplication. * Fix for chacha on Power7, nettle's assembly used an instruction only available on later processors. Fixed by Mamone Tarsha. * GHASH implementation should now be side-channel silent on all architectures. * A few portability fixes for *BSD. New features: * Support for the SM4 block cipher, contributed by Tianjia Zhang. * Support for the Balloon password hash, contributed by Zoltan Fridrich. * Support for SIV-GCM authenticated encryption mode, contributed by Daiki Ueno. * Support for OCB authenticated encryption mode. * New exported functions md5_compress, sha1_compress, sha256_compress, sha512_compress, based on patches from Corentin Labbe. Optimizations: * Improved sha256 performance, in particular for x86_64 and s390x. * Use GMP's mpn_sec_tabselect, which is implemented in assembly on many platforms, and delete the similar nettle function. Gives a modest speedup to all ecc operations. * Faster poly1305 for x86_64 and ppc64. New ppc code contributed by Mamone Tarsha. Miscellaneous: * New ASM_FLAGS variable recognized by configure. * Delete all arcfour assembly code. Affects 32-bit x86, 32-bit and 64-bit sparc. Known issues: * Version 6.2.1 of GNU GMP (the most recent GMP release as of this writing) has a known issue for MacOS on 64-bit ARM: GMP assembly files use the reserved x18 register. On this platform it is recommended to use a GMP snapshot where this bug is fixed, and upgrade to a later GMP release when one becomes available. * Also on MacOS, Nettle's testsuite may still break due to DYLD_LIBRARY_PATH being discarded under some circumstances. As a workaround, use make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)' NEWS for the Nettle 3.8.1 release This is a bugfix release, fixing a few portability issues reported for Nettle-3.8. Bug fixes: * Avoid non-posix m4 argument references in the chacha implementation for arm64, powerpc64 and s390x. Reported by Christian Weisgerber, fix contributed by Mamone Tarsha. * Use explicit .machine pseudo-ops where needed in s390x assembly files. Bug report by Andreas K. Huettel, fix contributed by Mamone Tarsha. Optimizations: * Implemented runtime detection of cpu features for OpenBSD on arm64. Contributed by Christian Weisgerber. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.6 and libhogweed.so.6.6, with sonames libnettle.so.8 and libhogweed.so.6. NEWS for the Nettle 3.8 release This release includes a couple of new features, and many performance improvements. It adds assembly code for two more architectures: ARM64 and S390x. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.5 and libhogweed.so.6.5, with sonames libnettle.so.8 and libhogweed.so.6. New features: * AES keywrap (RFC 3394), contributed by Nicolas Mora. * SM3 hash function, contributed by Tianjia Zhang. * New functions cbc_aes128_encrypt, cbc_aes192_encrypt, cbc_aes256_encrypt. On processors where AES is fast enough, e.g., x86_64 with aesni instructions, the overhead of using Nettle's general cbc_encrypt can be significant. The new functions can be implemented in assembly, to do multiple blocks with reduced per-block overhead. Note that there's no corresponding new decrypt functions, since the general cbc_decrypt doesn't suffer from the same performance problem. Bug fixes: * Fix fat builds for x86_64 windows, these appear to never have worked. Optimizations: * New ARM64 implementation of AES, GCM, Chacha, SHA1 and SHA256, for processors supporting crypto extensions. Great speedups, and fat builds are supported. Contributed by Mamone Tarsha. * New s390x implementation of AES, GCM, Chacha, memxor, SHA1, SHA256, SHA512 and SHA3. Great speedups, and fat builds are supported. Contributed by Mamone Tarsha. * New PPC64 assembly for ecc modulo/redc operations, contributed by Amitay Isaacs, Martin Schwenke and Alastair D´Silva. * The x86_64 AES implementation using aesni instructions has been reorganized with one separate function per key size, each interleaving the processing of two blocks at a time (when the caller processes multiple blocks with each call). This gives a modest performance improvement on some processors. * Rewritten and faster x86_64 poly1305 assembly. Known issues: * Nettle's testsuite doesn't work out-of-the-box on recent MacOS, due to /bin/sh discarding the DYLD_LIBRARY_PATH environment variable. Nettle's test scripts handle this in some cases, but currently fails the test cases that are themselves written as /bin/sh scripts. As a workaround, use make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)' Miscellaneous: * Updated manual to current makeinfo conventions, with no explicit node pointers. Generate pdf version with texi2pdf, to get working hyper links. * Added square root functions for NIST ecc curves, as a preparation for supporting compact point representation. * Reworked internal GCM/ghash interfaces, simplifying assembly implementations. Deleted unused GCM C implementation variants with less than 8-bit lookup table. NEWS for the Nettle 3.7.3 release This is bugfix release, fixing bugs that could make the RSA decryption functions crash on invalid inputs. Upgrading to the new version is strongly recommended. For applications that want to support older versions of Nettle, the bug can be worked around by adding a check that the RSA ciphertext is in the range 0 < ciphertext < n, before attempting to decrypt it. Thanks to Paul Schaub and Justus Winter for reporting these problems. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.4 and libhogweed.so.6.4, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix crash for zero input to rsa_sec_decrypt and rsa_decrypt_tr. Potential denial of service vector. * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return failure for out of range inputs, instead of either crashing, or silently reducing input modulo n. Potential denial of service vector. * Ensure that rsa_decrypt returns failure for out of range inputs, instead of silently reducing input modulo n. * Ensure that rsa_sec_decrypt returns failure if the message size is too large for the given key. Unlike the other bugs, this would typically be triggered by invalid local configuration, rather than by processing untrusted remote data. NEWS for the Nettle 3.7.2 release This is a bugfix release, fixing a bug in ECDSA signature verification that could lead to a denial of service attack (via an assertion failure) or possibly incorrect results. It also fixes a few related problems where scalars are required to be canonically reduced modulo the ECC group order, but in fact may be slightly larger. Upgrading to the new version is strongly recommended. Even when no assert is triggered in ecdsa_verify, ECC point multiplication may get invalid intermediate values as input, and produce incorrect results. It's trivial to construct alleged signatures that result in invalid intermediate values. It appears difficult to construct an alleged signature that makes the function misbehave in such a way that an invalid signature is accepted as valid, but such attacks can't be ruled out without further analysis. Thanks to Guido Vranken for setting up the fuzzer tests that uncovered this problem. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.3 and libhogweed.so.6.3, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fixed bug in ecdsa_verify, and added a corresponding test case. * Similar fixes to ecc_gostdsa_verify and gostdsa_vko. * Similar fixes to eddsa signatures. The problem is less severe for these curves, because (i) the potentially out or range value is derived from output of a hash function, making it harder for the attacker to to hit the narrow range of problematic values, and (ii) the ecc operations are inherently more robust, and my current understanding is that unless the corresponding assert is hit, the verify operation should complete with a correct result. * Fix to ecdsa_sign, which with a very low probability could return out of range signature values, which would be rejected immediately by a verifier. NEWS for the Nettle 3.7.1 release This is primarily a bug fix release, fixing a couple of problems found in Nettle-3.7. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.2 and libhogweed.so.6.2, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix bug in chacha counter update logic. The problem affected ppc64 and ppc64el, with the new altivec assembly code enabled. Reported by Andreas Metzler, after breakage in GnuTLS tests on ppc64. * Support for big-endian ARM platforms has been restored. Fixes contributed by Michael Weiser. * Fix build problem on OpenBSD/powerpc64, reported by Jasper Lievisse Adriaanse. * Fix corner case bug in ECDSA verify, it would produce incorrect result in the unlikely case of an all-zero message hash. Reported by Guido Vranken. New features: * Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512, contributed by Nicolas Mora. Miscellaneous: * Poorly performing ARM Neon code for doing single-block Salsa20 and Chacha has been deleted. The code to do two or three blocks in parallel, introduced in Nettle-3.7, is unchanged. NEWS for the Nettle 3.7 release This release adds one new feature, the bcrypt password hashing function, and lots of optimizations. There's also one important change to how Nettle is configured: Fat builds are now on by default. The release adds PowerPC64 assembly for a few algorithms, resulting in great speedups. Benchmarked on a Power9 machine, speedup was 13 times for AES256-CTR and AES256-GCM, and 3.5 times for Chacha. For fat builds (now the default), the new code is used automatically, on processors supporting the needed instruction set extensions. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.1 and libhogweed.so.6.1, with sonames libnettle.so.8 and libhogweed.so.6. New features: * Support for bcrypt, contributed by Stephen R. van den Berg. Optimizations: * Much faster AES and GCM on PowerPC64 processors supporting the corresponding crypto extensions. Contributed by Mamone Tarsha. * Speed of Chacha improved on PowerPC64, x86_64 and ARM Neon. * Speed of Salsa20 improved on x86_64 and ARM Neon. * Overhaul of some elliptic curve primitives, improving ECDSA signature speed. Configure: * Fat builds are enabled by default on the architectures where it is supported (x86_64, arm and powerpc64). To disable runtime selection, and instead specify the processor flavor at configure time, you need to pass --disable-fat to the configure script. Known issues: * The ARM assembly code in this release doesn't work correctly on big-endian ARM systems. This will hopefully be fixed in a later release. Miscellaneous: * Use a few more gmp-6.1 functions: mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap. Delete corresponding internal Nettle functions. * Convert all assembly files to use the default m4 quote characters. NEWS for the Nettle 3.6 release This release adds a couple of new features, most notable being support for ED448 signatures. It is not binary compatible with earlier releases. The shared library names are libnettle.so.8.0 and libhogweed.so.6.0, with sonames libnettle.so.8 and libhogweed.so.6. The changed sonames are mainly to avoid upgrade problems with recent GnuTLS versions, that depend on Nettle internals outside of the advertised ABI. But also because of the removal of internal poly1305 functions which were undocumented but declared in an installed header file, see Interface changes below. New features: * Support for Curve448 and ED448 signatures. Contributed by Daiki Ueno. * Support for SHAKE256 (SHA3 variant with arbitrary output size). Contributed by Daiki Ueno. * Support for SIV-CMAC (Synthetic Initialization Vector) mode, contributed by Nikos Mavrogiannopoulos. * Support for CMAC64, contributed by Dmitry Baryshkov. * Support for the "CryptoPro" variant of the GOST hash function, as gosthash94cp. Contributed by Dmitry Baryshkov. * Support for GOST DSA signatures, including GOST curves gc256b and gc512a. Contributed by Dmitry Baryshkov. * Support for Intel CET in x86 and x86_64 assembly files, if enabled via CFLAGS (gcc --fcf-protection=full). Contributed by H.J. Lu and Simo Sorce. * A few new functions to improve support for the Chacha variant with 96-bit nonce and 32-bit block counter (the existing functions use nonce and counter of 64-bit each), and functions to set the counter. Contributed by Daiki Ueno. * New interface, struct nettle_mac, for MAC (message authentication code) algorithms. This abstraction is only for MACs that don't require a per-message nonce. For HMAC, the key size is fixed, and equal the digest size of the underlying hash function. Bug fixes: * Fix bug in cfb8_decrypt. Previously, the IV was not updated correctly in the case of input data shorter than the block size. Reported by Stephan Mueller, fixed by Daiki Ueno. * Fix configure check for __builtin_bswap64, the incorrect check would result in link errors on platforms missing this function. Patch contributed by George Koehler. * All use of old-fashioned suffix rules in the Makefiles have been replaced with %-pattern rules. Nettle's use of suffix rules in earlier versions depended on undocumented GNU make behavior, which is being deprecated in GNU make 4.3. Building with other make programs than GNU make is untested and unsupported. (Building with BSD make or Solaris make used to work years ago, but has not been tested recently). Interface changes: * Declarations of internal poly1305.h functions have been removed from the header file poly1305.h, to make it clear that they are not part of the advertised API or ABI. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.1.0 or later (unless --enable-mini-gmp is used). * A fair amount of changes to ECC internals, with a few deleted and a few new fields in the internal struct ecc_curve. Files and functions have been renamed to more consistently match the curve name, e.g., ecc-256.c has been renamed to ecc-secp256r1.c. * Documentation for chacha-poly1305 updated. It is no longer experimental. The implementation was updated to follow RFC 8439 in Nettle-3.1, but that was not documented or announced at the time. NEWS for the Nettle 3.5.1 release The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5. The new directory x86_64/sha_ni were missing in the tar file, breaking x86_64 builds with --enable-fat, and producing worse performance than promised for builds with --enable-x86-sha-ni. Also a few unused in-progress assembly files were accidentally included in the tar file. These problems are corrected in Nettle-3.5.1. There are no other changes, and also the library version numbers are unchanged. NEWS for the Nettle 3.5 release This release adds a couple of new features and optimizations, and deletes or deprecates a few obsolete features. It is *not* binary (ABI) compatible with earlier versions. Except for deprecations listed below, it is intended to be fully source-level (API) compatible with Nettle-3.4.1. The shared library names are libnettle.so.7.0 and libhogweed.so.5.0, with sonames libnettle.so.7 and libhogweed.so.5. Changes in behavior: * Nettle's gcm_crypt will now call the underlying block cipher to process more than one block at a time. This is not a change to the documented behavior, but unfortunately breaks assumptions accidentally made in GnuTLS, up to and including version 3.6.1. New features: * Support for CFB8 (Cipher Feedback Mode, processing a single octet per block cipher operation), contributed by Dmitry Eremin-Solenikov. * Support for CMAC (RFC 4493), contributed by Nikos Mavrogiannopoulos. * Support for XTS mode, contributed by Simo Sorce. Optimizations: * Improved performance of the x86_64 AES implementation using the aesni instructions. Gives a large speedup for operations processing multiple blocks at a time (including CTR mode, GCM mode, and CBC decrypt, but *not* CBC encrypt). * Improved performance for CTR mode, for the common case of 16-byte block size. Pass more data at a time to underlying block cipher, and fill the counter blocks more efficiently. Extension to also handle GCM mode efficiently contributed by Nikos Mavrogiannopoulos. * New x86_64 implementation of sha1 and sha256, for processors supporting the sha_ni instructions. Speedup of 3-5 times on affected processors. * Improved parameters for the precomputation of tables used for ecc signatures. Roughly 10%-15% speedup of the ecdsa sign operation using the secp_256r1, secp_384r1 and secp_521r1 curves, and 25% speedup of ed25519 sign operation, benchmarked on x86_64. Table sizes unchanged, around 16 KB per curve. * In ARM fat builds, automatically select Neon implementation of Chacha, where possible. Contributed by Yuriy M. Kaminskiy. Deleted features: * The header file des-compat.h and everything declared therein has been deleted, as announced earlier. This file provided a subset of the old libdes/ssleay/openssl interface for DES and triple-DES. DES is still supported, via the functions declared in des.h. * Functions using the old struct aes_ctx have been marked as deprecated. Use the fixed key size interface instead, e.g., struct aes256_ctx, introduced in Nettle-3.0. * The header file nettle-stdint.h, and corresponding autoconf tests, have been deleted. Nettle now requires that the compiler/libc provides . Miscellaneous: * Support for big-endian ARM systems, contributed by Michael Weiser. * The programs aesdata, desdata, twofishdata, shadata and gcmdata are no longer built by default. Makefile improvements contributed by Jay Foad. * The "example" program examples/eratosthenes.c has been deleted. * The contents of hash context structs, and the deprecated aes_ctx struct, have been reorganized, to enable later optimizations. The shared library names are libnettle.so.7.0 and libhogweed.so.5.0. NEWS for the Nettle 3.4.1 release This release fixes a few bugs, and makes the RSA private key operations side channel silent. The RSA improvements are contributed by Simo Sorce and Red Hat, and include one new public function, rsa_sec_decrypt, see below. All functions using RSA private keys are now side-channel silent, meaning that they try hard to avoid any branches or memory accesses depending on secret data. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. Nettle's ECC functions were already side-channel silent, while the DSA functions still aren't. There's also one caveat regarding the improved RSA functions: due to small table lookups in relevant mpn_sec_* functions in GMP-6.1.2, the lowest and highest few bits of the secret factors p and q may still leak. I'm not aware of any attacks on RSA where knowing a few bits of the factors makes a significant difference. This leak will likely be plugged in later GMP versions. Changes in behavior: * The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. New features: * A new function rsa_sec_decrypt. It differs from rsa_decrypt_tr in that the length of the decrypted message is given a priori, and PKCS#1 padding indicating a different length is treated as an error. For applications that may be subject to chosen ciphertext attacks, it is recommended to initialize the message area with random data, call this function, and ignore the return value. This applies in particular to RSA-based key exchange in the TLS protocol. Bug fixes: * Fix bug in pkcs1-conv, missing break statements in the parsing of PEM input files. * Fix link error on the pss-mgf1-test test, affecting builds without public key support. Performance regression: * All RSA private key operations employing RSA blinding, i.e., rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and rsa_compute_root_tr, are significantly slower. This is because (i) RSA blinding now use side-channel silent operations, (ii) blinding includes a modular inversion, and (iii) side-channel silent modular inversion, implemented as mpn_sec_invert, is very expensive. A 60% slowdown for 2048-bit RSA keys have been measured. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.0 or later (unless --enable-mini-gmp is used). The shared library names are libnettle.so.6.5 and libhogweed.so.4.5, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.4 release This release fixes bugs and adds a few new features. It also addresses an ABI compatibility issue affecting Nettle-3.1 and later, see below. Bug fixes: * Fixed an improper use of GMP mpn_mul, breaking curve2559 and eddsa on certain platforms. Reported by Sergei Trofimovich. * Fixed memory leak when handling invalid signatures in ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos. * Fix compilation error with --enable-fat om ARM. Fix contributed by Andreas Schneider. * Reorganized the way certain data items are made available. Short version: Nettle header files now define the symbols nettle_hashes, nettle_ciphers, and nettle_aeads, as preprocessor macros invoking a corresponding accessor function. For backwards ABI compatibility, the symbols are still present in the compiled libraries, and with the same sizes as in nettle-3.3. New features: * Support for RSA-PSS signatures, contributed by Daiki Ueno. * Support for the HKDF key derivation function, defined by RFC 5869. Contributed by Nikos Mavrogiannopoulos. * Support for the Cipher Feedback Mode (CFB), contributed by Dmitry Eremin-Solenikov. * New accessor functions: nettle_get_hashes, nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1, nettle_get_secp_224r1, nettle_get_secp_256r1, nettle_get_secp_384r1, nettle_get_secp_521r1. For source-level compatibility with future versions, applications are encouraged to migrate to using these functions instead of referring to the corresponding data items directly. Miscellaneous: * The base16 and base64 functions now use the type char * for ascii data, rather than uint8_t *. This eliminates the last pointer-signedness warnings when building Nettle. This is a minor API change, and applications may need to be adjusted, but the ABI is unaffected on all platforms I'm aware of. * The contents of the header file nettle/version.h is now architecture independent, except in --enable-mini-gmp configurations. ABI issue: Since the breakage was a bit subtle, let me document it here. The nettle and hogweed libraries export a couple of data symbols, and for some of these, the size was never intended to be part of the ABI. E.g., extern const struct nettle_hash * const nettle_hashes[]; which is an NULL-terminated array. It turns out the sizes nevertheless may leak into the ABI, and that increasing the sizes can break old executables linked with a newer version of the library. When linking a classic non-PIE executable with a shared library, we get ELF relocations of type R_X86_64_COPY for references to data items. These mean that the linker allocates space for the data item in the data segment of executable, at a fixed address determined at link-time, and with size extracted from the version of the .so-file seen when linking. At load time, the run time linker then copies the contents of the symbol from the .so file to that location, and uses the copy instead of the version loaded with the .so-file. And if the data item in the .so file used at load time is larger than the data item seen at link time, it is silently truncated in the process. So when SHA3 hashes were was added to the nettle_hashes array in the nettle-3.3 release, this way of linking produces a truncated array at load time, no longer NULL-terminated. We will get similar problems for planned extensions of the internal struct ecc_curve, and exported data items like extern const struct ecc_curve nettle_secp_256r1; where the ecc_curve struct is only forward declared in the public headers. To prepare, applications should migrate to using the new function nettle_get_secp_256r1, and similarly for the other curves. In some future version, the plan is to add a leading underscore to the name of the actual data items. E.g., nettle_hashes --> _nettle_hashes, breaking the ABI, while keeping the nettle_get_hashes function and the nettle_hashes macro as the supported ways to access it. We will also rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking both ABI and API. Note that data items like nettle_sha256 are *not* affected, since the size and layout of this struct is considered part of the ABI, and R_X86_64_COPY-relocations then work fine. The shared library names are libnettle.so.6.4 and libhogweed.so.4.4, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.3 release This release fixes a couple of bugs, and improves resistance to side-channel attacks on RSA and DSA private key operations. Changes in behavior: * Invalid private RSA keys, with an even modulo, are now rejected by rsa_private_key_prepare. (Earlier versions allowed such keys, even if results of using them were bogus). Nettle applications are required to call rsa_private_key_prepare and check the return value, before using any other RSA private key functions; failing to do so may result in crashes for invalid private keys. As a workaround for versions of Gnutls which don't use rsa_private_key_prepare, additional checks for even moduli are added to the rsa_*_tr functions which are used by all recent versions of Gnutls. * Ignore bit 255 of the x coordinate of the input point to curve25519_mul, as required by RFC 7748. To differentiate at compile time, curve25519.h defines the constant NETTLE_CURVE25519_RFC7748. Security: * RSA and DSA now use side-channel silent modular exponentiation, to defend against attacks on the private key from evil processes sharing the same processor cache. This attack scenario is of particular relevance when running an HTTPS server on a virtual machine, where you don't know who you share the cache hardware with. (Private key operations on elliptic curves were already side-channel silent). Bug fixes: * Fix sexp-conv crashes on invalid input. Reported by Hanno Böck. * Fix out-of-bounds read in des_weak_p. Fixed by Nikos Mavrogiannopoulos. * Fix a couple of formally undefined shift operations, reported by Nikos Mavrogiannopoulos. * Fix compilation with c89. Reported by Henrik Grubbström. New features: * New function memeql_sec, for side-channel silent comparison of two memory areas. Miscellaneous: * Building the public key support of nettle now requires GMP version 5.0 or later (unless --enable-mini-gmp is used). * Filenames of windows DLL libraries now include major number only. So the dll names change at the same time as the corresponding soname on ELF platforms. Fixed by Nikos Mavrogiannopoulos. * Eliminate most pointer-signedness warnings. In the process, the strings representing expression type for sexp_interator functions were changed from const uint8_t * to const char *. These functions are undocumented, and it doesn't change the ABI on any platform I'm aware of. The shared library names are libnettle.so.6.3 and libhogweed.so.4.3, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.2 release Bug fixes: * The SHA3 implementation is updated according to the FIPS 202 standard. It is not interoperable with earlier versions of Nettle. Thanks to Nikos Mavrogiannopoulos. To easily differentiate at compile time, sha3.h defines the constant NETTLE_SHA3_FIPS202. * Fix corner-case carry propagation bugs affecting elliptic curve operations on the curves secp_256r1 and secp_384r1 on certain platforms, including x86_64. Reported by Hanno Böck. New features: * New functions for RSA private key operations, identified by the "_tr" suffix, with better resistance to side channel attacks and to hardware or software failures which could break the CRT optimization. See the Nettle manual for details. Initial patch by Nikos Mavrogiannopoulos. * New functions nettle_version_major, nettle_version_minor, as a run-time variant of the compile-time constants NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR. Optimizations: * New ARM Neon implementation of the chacha stream cipher. Miscellaneous: * ABI detection on mips, with improved default libdir location. Contributed by Klaus Ziegler. * Fixes for ARM assembly syntax, to work better with the clang assembler. Thanks to Jukka Ukkonen. * Disabled use of ifunc relocations for fat builds, to fix problems most easily triggered by using dlopen RTLD_NOW. The shared library names are libnettle.so.6.2 and libhogweed.so.4.2, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.1.1 release This release fixes a couple of non-critical bugs. Bug fixes: * By accident, nettle-3.1 disabled the assembly code for the secp_224r1 and secp_521r1 elliptic curves on all x86_64 configurations, making signature operations on those curves 10%-30% slower. This code is now re-enabled. * The x86_64 assembly implementation of gcm hashing has been fixed to work with the Sun/Oracle assembler. The shared library names are libnettle.so.6.1 and libhogweed.so.4.1, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.1 release This release adds a couple of new features. The library is mostly source-level compatible with nettle-3.0. It is however not binary compatible, due to the introduction of versioned symbols, and extensions to the base64 context structs. The shared library names are libnettle.so.6.0 and libhogweed.so.4.0, with sonames libnettle.so.6 and libhogweed.so.4. Bug fixes: * Fixed a missing include of , which made the camellia implementation fail on all 64-bit non-x86 platforms. * Eliminate out-of-bounds reads in the C implementation of memxor (related to valgrind's --partial-loads-ok flag). Interface changes: * Declarations of many internal functions are moved from ecc.h to ecc-internal.h. The functions are undocumented, and luckily they're apparently also unused by applications, so I don't expect any problems from this change. New features: * Support for curve25519 and for EdDSA25519 signatures. * Support for "fat builds" on x86_64 and arm, where the implementation of certain functions is selected at run-time depending on available cpu features. Configure with --enable-fat to try this out. If it turns out to work well enough, it will likely be enabled by default in later releases. * Support for building the hogweed library (public key support) using "mini-gmp", a small but slower implementation of a subset of the GMP interfaces. Note that builds using mini-gmp are *not* binary compatible with regular builds, and more likely to leak side-channel information. One intended use-case is for small embedded applications which need to verify digital signatures. * The shared libraries are now built with versioned symbols. Should reduce problems in case a program links explicitly to nettle and/or hogweed, and to gnutls, and the program and gnutls expect different versions. * Support for "URL-safe" base64 encoding and decoding, as specified in RFC 4648. Contributed by Amos Jeffries. Optimizations: * New x86_64 implementation of AES, using the "aesni" instructions. Autodetected in fat builds. In non-fat builds, it has to be enabled explicitly with --enable-x86-aesni. Build system: * Use the same object files for both static and shared libraries. This eliminates the *.po object files which were confusing to some tools (as well as humans). Like before, PIC code is used by default; to build a non-pic static library, configure with --disable-pic --disable-shared. Miscellaneous: * Made type-checking hack in CBC_ENCRYPT and similar macros stricter, to generate warnings if they are used with functions which have a length argument smaller than size_t. NEWS for the Nettle 3.0 release This is a major release, including several interface changes, and new features, some of which are a bit experimental. Feedback is highly appreciated. It is *not* binary (ABI) compatible with earlier versions. It is mostly source-level (API) compatible, with a couple of incompatibilities noted below. The shared library names are libnettle.so.5.0 and libhogweed.so.3.0, with sonames libnettle.so.5 and libhogweed.so.3. There may be some problems in the new interfaces and new features which really need incompatible fixes. It is likely that there will be an update in the form of a 3.1 release in the not too distant future, with small but incompatible changes, and if that happens, bugfix-only releases 3.0.x are unlikely. Users and applications which desire better API and ABI stability are advised to stay with nettle-2.7.x (latest version is now 2.7.1) until the dust settles. Interface changes: * For the many _set_key functions, it is now consider the normal case to have a fixed key size, with no key_size arguments. _set_key functions with a length parameter are provided only for algorithms with a truly variable keysize, and where it makes sense for backwards compatibility. INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key size argument. The old function is available under a new name, cast5_set_key. INCOMPATIBLE CHANGE: The function typedef nettle_set_key_func no longer accepts a key size argument. In particular, this affects users of struct nettle_cipher. * The nettle_cipher abstraction (in nettle-meta.h) is restricted to block ciphers only. The encrypt and decrypt functions now take a const argument for the context. INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher abstraction for the arcfour stream cipher, is deleted. INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the encrypt and decrypt fields of struct nettle_cipher. * New DSA interface, with a separate struct dsa_param to represent the underlying group, and generalized dsa_sign and dsa_verify functions which don't care about the hash function used. Limited backwards compatibility provided in dsa-compat.h. INCOMPATIBLE CHANGE: Declarations of the old interface, e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to dsa-compat.h. INCOMPATIBLE CHANGE: The various key conversion functions, e.g., dsa_keypair_to_sexp, all use the new DSA interface, with no backwards compatible functions. INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new interface. dsa-compat.h declares a function dsa_compat_generate_keypair, implementing the old interface, and #defines dsa_generate_keypair to refer to this backwards compatible function. * New AES and Camellia interfaces. There are now separate context structs for each key size, e.g., aes128_ctx and camellia256_ctx, and corresponding new functions. The old interface, with struct aes_ctx and struct camellia_ctx, is kept for backwards compatibility, but might be removed in later versions. * The type of most length arguments is changed from unsigned to size_t. The memxor functions have their pointer arguments changed from uint8_t * to void *, for consistency with related libc functions. * For hash functions, the constants *_DATA_SIZE have been renamed to *_BLOCK_SIZE. Old names kept for backwards compatibility. Removed features: * The nettle_next_prime function has been deleted. Applications should use GMP's mpz_nextprime instead. * Deleted the RSAREF compatibility, including the header file rsa-compat.h and everything declared therein. * Also under consideration for removal is des-compat.h and everything declared therein. This implements a subset of the old libdes/ssleay/openssl interface for DES and triple-DES, and it is poorly tested. If anyone uses this interface, please speak up! Otherwise, it will likely be removed in the next release. Bug fixes: * Building with ./configure --disable-static now works. * Use GMP's allocation functions for temporary storage related to bignums, to avoid potentially large stack allocations. * Fixes for shared libraries on M$ Windows. New features: * Support for Poly1305-AES MAC. * Support for the ChaCha stream cipher and EXPERIMENTAL support for the ChaCha-Poly1305 AEAD mode. Specifications are still in flux, and future releases may do incompatible changes to track standardization. Currently uses 256-bit key and 64-bit nonce. * Support for EAX mode. * Support for CCM mode. Contributed by Owen Kirby. * Additional variants of SHA512 with output size of 224 and 256 bits. Contributed by Joachim Strömbergson. * New interface, struct nettle_aead, for mechanisms providing authenticated encryption with associated data (AEAD). * DSA: Support a wider range for the size of q and a wider range for the digest size. Optimizations: * New x86_64 assembly for GCM and MD5. Modest speedups on the order of 10%-20%. Miscellaneous: * SHA3 is now documented as EXPERIMENTAL. Nettle currently implements SHA3 as specified at the time Keccak won the SHA3 competition. However, the final standard specified by NIST is likely to be incompatible, in which case future releases may do incompatible changes to track standardization. * The portability fix for the rotation macros, mentioned in NEWS for 2.7.1, actually didn't make it into that release. It is included now. * cast128_set_key rewritten for clarity, also eliminating a couple of compiler warnings. * New command line tool nettle-pbkdf2. NEWS for the 2.7.1 release This is a bugfix release. Bug fixes: * Fixed a bug in the new ECC code. The ecc_j_to_a function called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping input and output arguments, which is not supported. * The assembly files for SHA1, SHA256 and AES depend on ARMv6 instructions, breaking nettle-2.7 for pre-v6 ARM processors. The configure script now enables those assembly files only when building for ARMv6 or later. * Use a more portable C expression for rotations. The previous version used the following "standard" expression for 32-bit rotation: (x << n) | (x >> (32 - n)) But this gives undefined behavior (according to the C specification) for n = 0. The rotate expression is replaced by the more portable: (x << n) | (x >> ((-n)&31)) This change affects only CAST128, which uses non-constant rotation counts. Unfortunately, the new expression is poorly optimized by released versions of gcc, making CAST128 a bit slower. This is being fixed by the gcc hackers, see http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157. The following problems have been reported, but are *not* fixed in this release: * ARM assembly files use instruction syntax which is not supported by all assemblers. Workaround: Use a current version of GNU as, or configure with --disable-assembler. * Configuring with --disable-static doesn't work on windows. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.7 and libhogweed.so.2.5, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.7 release This release includes an implementation of elliptic curve cryptography (ECC) and optimizations for the ARM architecture. This work was done at the offices of South Pole AB, and generously funded by the .SE Internet Fund. Bug fixes: * Fixed a bug in the buffer handling for incremental SHA3 hashing, with a possible buffer overflow. Patch by Edgar E. Iglesias. New features: * Support for ECDSA signatures. Elliptic curve operations over the following curves: secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1, including x86_64 and ARM assembly for the most important primitives. * Support for UMAC, including x86_64 and ARM assembly. * Support for 12-round salsa20, "salsa20r12", as specified by eSTREAM. Contributed by Nikos Mavrogiannopoulos. Optimizations: * ARM assembly code for several additional algorithms, including AES, Salsa20, and the SHA family of hash functions. * x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly was included in the 2.6 release, but disabled due to poor performance on some AMD processors. Hopefully, that performance problem is fixed now). The ARM code was tested and benchmarked on Cortex-A9. Some of the functions use "neon" instructions. The configure script decides if neon instructions can be used, and the command line options --enable-arm-neon and --disable-arm-neon can be used to override its choice. Feedback appreciated. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.6 and libhogweed.so.2.4, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.6 release Bug fixes: * Fixed a bug in ctr_crypt. For zero length (which should be a NOP), it sometimes incremented the counter. Reported by Tim Kosse. * Fixed a small memory leak in nettle_realloc and nettle_xrealloc. New features: * Support for PKCS #5 PBKDF2, to generate a key from a password or passphrase. Contributed by Simon Josefsson. Specification in RFC 2898 and test vectors in RFC 6070. * Support for SHA3. * Support for the GOST R 34.11-94 hash algorithm. Ported from librhash by Nikos Mavrogiannopoulos. Written by Aleksey Kravchenko. More information in RFC4357. Test vectors taken from the GOST hash wikipedia page. Miscellaneous: * The include file has been split into and . For now, sha.h is kept for backwards compatibility and it simply includes both files, but applications are encouraged to use the new names. The new SHA3 functions are declared in . * Testsuite can be run under valgrind, using make check EMULATOR='$(VALGRIND)' For this to work, test programs and other executables now deallocate storage. * New configure options --disable-documentation and --disable-static. Contributed by Sam Thursfield and Alon Bar-Lev, respectively. * The section on hash functions in the manual is split into separate nodes for recommended hash functions and legacy hash functions. * Various smaller improvements, most of them portability fixes. Credits go to David Woodhouse, Tim Rühsen, Martin Storsjö, Nikos Mavrogiannopoulos, Fredrik Thulin and Dennis Clarke. Finally, a note on the naming of the various "SHA" hash functions. Naming is a bit inconsistent; we have, e.g., SHA1: sha1_digest SHA2: sha256_digest (not sha2_256_digest) SHA3: sha3_256_digest Renaming the SHA2 functions to make Nettle's naming more consistent has been considered, but the current naming follows common usage. Most documents (including the specification for SHA2) refer to 256-bit SHA2 as "SHA-256" or "SHA256" rather than "SHA2-256". The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.5 and libhogweed.so.2.3, with sonames still libnettle.so.4 and libhogweed.so.2 NEWS for the 2.5 release This release includes important portability fixes for Windows and MacOS. There are also a few new features. First a *warning*: Some internal functions have been removed from the library. Since the functions in question are internal and not documented, this is not considered a change of ABI or API. Programs explicitly using any of these functions will break. * The function pkcs1_signature_prefix has been renamed to _pkcs1_signature_prefix, and with slightly different behavior. * The file nettle-internal.c is no longer included in the library (the features defined there are used by the benchmark and test programs, and were never intended for public use). New features: * Support for the salsa20 stream cipher, including x86_64 assembler. Originally contributed by Simon Josefsson, based on the reference implementation, then further optimized. * Tentative interface for timing-resistant RSA functions, contributed by Nikos Mavrogiannopoulos. * A more general interface for PKCS#1 signatures, taking the input in the form of a "DigestInfo". Suggested by Nikos Mavrogiannopoulos. Configuration: * Building of shared libraries (./configure --enable-shared) is now enabled by default. * Various portability fixes for MacOS and M$ Windows. A lot of this work done by Martin Storsjö. * In particular, Nettle now hopefully works on 64-bit Windows builds, "W64", including the x86_64 assembly code. Miscellaneous: * Documentation and example programs for the base16 and base64 functions. Was contributed by Jeronimo Pellegrini back in 2006, but unfortunately forgotten until now. * Use an additional table to avoid GF2^8 multiplications in aes_invert_key (mainly used by aes_set_decrypt_key). Also tabulate round constants in aes_set_encrypt_key. * The nettle repository has been migrated from cvs to git, with a public repository at http://git.lysator.liu.se/nettle. To make it independent of the LSH repository, a few files have been moved around. While at it, files have also been converted from latin-1 to utf-8. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.4 and libhogweed.so.2.2, with sonames still libnettle.so.4 and libhogweed.so.2 NEWS for the 2.4 release This is a bugfix release only. It turned out ripemd160 in the 2.3 release was broken on all big-endian systems, due to a missing include of config.h. nettle-2.4 fixes this. The library is intended to be binary compatible with nettle-2.2 and nettle-2.3. The shared library names are libnettle.so.4.3 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.3 release * Support for the ripemd-160 hash function. * Generates and installs nettle.pc and hogweed.pc files, for use with pkg-config. Feedback appreciated. For projects using autoconf, the traditional non-pkg-config ways of detecting libraries, and setting LIBS and LDFLAGS, is still recommended. * Fixed a bug which made the testsuite fail in the GCM test on certain platforms. Should not affect any documented features of the library. * Reorganization of the code for the various Merkle-Damgård hash functions. Some fields in the context structs for md4, md5 and sha1 have been renamed, for consistency. Applications should not peek inside these structs, and the ABI is unchanged. * In the manual, fixed mis-placed const in certain function prototypes. The library is intended to be binary compatible with nettle-2.2. The shared library names are libnettle.so.4.2 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.2 release Licensing change: * Relicensed as LGPL v2.1 or later (user's option). * Replaced blowfish and serpent implementation. New code is based on the LGPLed code in libgcrypt. New features: * Support for Galois/Counter Mode (GCM). * New interface for enumerating (most) available algorithms, contributed by Daniel Kahn Gillmor. * New tool nettle-hash. Can generate hash digests using any supported hash function, with output compatible with md5sum and friends from GNU coreutils. Checking (like md5sum -c) not yet implemented. Bug fixes: * The old serpent code had a byte order bug (introduced by yours truly about ten years ago). New serpent implementation does not interoperate with earlier versions of nettle. * Fixed ABI-dependent libdir default for Linux-based systems which do not follow the Linux File Hierarchy Standard, e.g., Debian GNU/Linux. Optimizations: * x86_64 implemention of serpent. * x86_64 implemention of camellia. * Optimized memxor using word rather than byte operations. Both generic C and x86_64 assembler. * Eliminated a memcpy for in-place CBC decrypt. Miscellaneous: * In command line tools, no longer support -? for requesting help, since using it without shell quoting is a dangerous habit. Use long option --help instead. The shared library names are libnettle.so.4.1 and libhogweed.so.2.1, with sonames libnettle.so.4 and libhogweed.so.2. NEWS for the 2.1 release *Important*: this release breaks source and binary compatibility for the digital signature functions, and for the DES and BLOWFISH ciphers which have weak keys. Incompatible changes: * The functions rsa_md5_sign, rsa_sha1_sign and rsa_sha256_sign, and the corresponding _digest variants, now have a return value which callers should check. The functions return failure if the key is too small for the type of signature. * The functions dsa_sign and dsa_verify are renamed to dsa_sha1_sign and dsa_sha1_verify. The _-digest variants are renamed similarly. These functions now have a return value which callers should check, and they return failure if the number q is not of the appropriate size. * The return value from des_set_key, des3_set_key and blowfish_set_key now indicates whether or not the given key is weak. But in either case, the key setup is done, and applications that don't care about weak keys can ignore the return value. The incompatible part of this change is that enum des_error and enum blowfish_error has been deleted, and so has the status attribute in struct des_ctx, struct des3_ctx, and struct blowfish_ctx. The shared library names are libnettle.so.4.0 and libhogweed.so.2.0, with sonames libnettle.so.4 and libhogweed.so.2. Other changes: * Support for the Camellia block cipher, including an assembler implementation for x86_32. * New function aes_invert_key, useful for applications that need both encryption and decryption using the same AES key. * des_set_key and des3_set_key no longer check the key parity bits. Parity bits are silently ignored. A new function des_check_parity is provided, for applications that care about the DES parity bits. * Support for sha224, sha384 and sha512. * Support for digital signatures using rsa-sha512 and dsa-sha256. Due to lack of official test vectors and interop testing, this support should be considered somewhat experimental. * Key generation for RSA and DSA changed to use Maurer's algorithm to generate provably prime numbers (as usual, the mathematical proof does not guaranteee that the implementation is bug free). * x86_64 assembler implementation actually included in the distribution (was accidentally left out in nettle-2.0). * Configure script now detects if the compiler uses a 32-bit or 64-bit ABI on x86_64 (prevously did this for sparc only). Also sets the default location for installing libraries (libdir) depending on system type and the ABI used. * Added the nettle and gmp libraries as dependencies when linking shared library libhogweed.so. On systems using shared libraries where such dependencies work (in particular, ELF systems), it is sufficient to link applications with -lhogweed. For static linking -lhogweed -lnettle -lgmp is still required. * The program pkcs1-conv is extended to also handle dsa keys. Contributed by Magnus Holmgren. * Slightly improved sha1 performance on x86. NEWS for the 2.0 release This release breaks binary compatibility by splitting the library into two. Some other smaller changes that are not backwards compatible are also done at the same time. * The nettle library is split into two libraries, libnettle and libhogweed. libnettle contains the symmetric crypto algorithms that don't depend on GMP, while libhogweed contains the public key algorithms that depend on GMP. Using a single library worked fine with static linking, but not with dynamic linking. Consider an application that uses nettle and which doesn't use any public key cryptography. If this application is linked dynamically to nettle, it would have to be linked also with GMP if and only if public key support was enabled when the nettle library was installed. The library names are libnettle.so.3.0 and libhogweed.so.1.0, with sonames libnettle.so.3 and libhogweed.so.1. * Function typedefs have been changed to non-pointer types. E.g, the typedef void (nettle_hash_init_func *)(void *ctx); of previous versions is replaced by typedef void (nettle_hash_init_func)(void *ctx); This makes it possible to use the type when declaring functions, like nettle_hash_init_func foo_hash_init; void foo_hash_init(void *ctx) { ... } * Changes to the yarrow256 interface. The automatic seed file generation, and the seed_file member in struct yarrow256_ctx, has been removed. To generate a new seed file, use yarrow256_random. The function yarrow256_force_reseed has been replaced by the two functions yarrow256_fast_reseed and yarrow256_slow_reseed, which were previously static. This interface change makes it easier to mix in the current content of the seed file before overwriting it with newly generated data. Other changes: * Nettle manual now contributed to the public domain, to enable remixing into documentation of programs that use Nettle. * The sexp-conv program preserves comments when using the advanced syntax for output. Optionally locks the output file. * The base64 decoder recognizes ASCII FF (form feed) and VT (vertical tab) as white space. * New x86_64 implementations of AES and SHA1. On a 2.2 GHz opteron, SHA1 was benchmarked at 250 MByte/s, and AES-128 at 110 MByte/s. * Performance of AES increased by 20-30% on x86. * New programs in the examples directory: erathostenes and next-prime. NEWS for the 1.15 release Added support for PKCS#1 style RSA signatures using SHA256, according to RFC 3447. Currently lacks interoperability testing. Header files are now C++ aware, so C++ programs using Nettle should now use plain #include rather than #extern "C" { #include } as was the recommendation for the previous version. This breaks source-level compatibility with C++, even though there's full binary compatibility. The file rfc1750.txt (which is considered non-free by debian) has been removed from the distribution. The file was used as input for the Yarrow testcase, and has been replaced by the short story "The Gold-bug" by Edgar Allan Poe. Anyway, RFC 1750 is obsoleted by RFC 4086. Fixes for Darwin shared library support, contributed by Grant Robinsson. Example programs now use a supplied getopt.c. Configure tests for assemblers with a logarithmic .align directive. The library is intended to be upwards binary compatible with earlier versions. The library name is libnettle.so.2.6, soname is still libnettle.so.2. NEWS for the 1.14 release Experimental support for reading keys in PKCS#1 ASN1/DER format, and a new command line tool pkcs1-conv. Improved MD5 performance on x86. Fixed support for sparc64. Reorganized AES code. Better performance for all three implementations (C, x86 assembler, sparc assembler). New sparc assembler for arcfour. Compared to the code generated by gcc, the new code is about 25% faster on old sparcs, and 6 times faster on ultrasparc. Replaced the internal function nettle_mpz_from_octets with a call to mpz_import, if available in the installed GMP library. More Makefile fixes; it now seems to work to build with the the make programs on Solaris and FreeBSD (although --disable-dependency-tracking is required for the latter). The library is intended to be binary compatible with earlier versions. The library name is libnettle.so.2.5, soname is still libnettle.so.2. NEWS for the 1.13 release Fixed problem with broken m4 on bsd, which resulted in corrupted x86 assembler for sha1. Nettle probably works on windows: I've been able to cross compile it with ./configure --host=i586-mingw32msvc (without public-key support), and the testsuite binaries seem to run fine in Wine. Implemented CTR mode. Improved sha1 performance on x86. Configure check to figure out if symbols in assembler files need a leading underscore. Improved benchmark program. Displays cycles per byte and block, and compares with openssl (if openssl is installed). Terminating newline in output from sexp-conv --hash. The library is intended to be binary compatible with earlier versions. The library name is libnettle.so.2.4. However, the interface for the internal function _nettle_sha1_compress has changed; any program that calls this function directly will break. NEWS for the 1.12 release Fixed a bug in the configure script. Updated the description of aes_set_encrypt_key and aes_set_decrypt_key in the manual. NEWS for the 1.11 release Nettle no longer uses automake. Side effects: * Dependency tracking is enabled only for gcc-3 (help with supporting dependency tracking with other compilers is appreciated). * Makefile compatibility with make programs other than GNU make is mostly unknown, please report any problems. Support for arctwo. Fixes to the libdes compatibility code. Declarations should now match openssl/libdes better. des_cbc_cksum pads input with NUL's, if it's not an integral number of blocks (in general, such unreversible padding is a bad idea). By default, also the static library is compiled as position independent code. This is needed on some systems to make it possible to link nettle into a dynamically loaded module. Use the configure flag --disable-pic if this is not desired. Stricter constness typing for the sexp_iterator_assoc and sexp_iterator_check_types arguments. Minor tweaks of arcfour on x86 cpu:s, to speed it up on older x86 variants such as PII and PPro. The shared library is intended to be binary compatible with nettle-1.8 - nettle-1.10. Only the minor version number of the shared library is increased. The soname is still libnettle.so.2. NEWS for the 1.10 release Nettle should now compile also on Tru64, Darwin, FreeBSD and Windows. (The only tested windows build uses the rntcl rsh wrapper to run the command line M$ C compiler "cl". See http://pike.ida.liu.se for those tools, I don't know all details about the Pike team's windows setup). There are some known testsuite failures, on Windows and on one of the xenofarm HPUX machines, see http://www.lysator.liu.se/~nisse/xeno-lsh/latest.html. Help tracking these down is appreciated. There are no new features. This release is intended to be binary compatible with nettle-1.8 and nettle-1.9. NEWS for the 1.9 release Optimized C implementation of arcfour. Optimized x86 implementations of arcfour and sha1. Improved benchmark program. Fixed bug in the rsa-encrypt example program. Fixed bug in make install, some of the header files were forgotten. Portability fixes. Fixes to make Nettle compile on systems without gmp. This version has been tested on GNU/Linux, Solaris, HPUX and AIX. The shared library is intended to be binary compatible with nettle-1.8. Only the minor version number of the shared library is increased. NEWS for the 1.8 release New example programs, demonstrating encrypting and decrypting files using RSA, and random sessions keys for bulk encryption and message authentication. Support for systems that don't have alloca. On such systems, some of Nettle's functions have arbitrary limits applied to their input. Uses AX_CREATE_STDINT_H, to support systems without inttypes.h. Support for the md2 and md4 hash functions. New name mangling, to reduce the risk of link collisions. All functions (except memxor) now use a nettle_ or _nettle_ prefix when seen by the linker. For most functions, the header file that declares a function also uses #define to provide a shorter more readable name without the prefix. The shared library soname for this version is libnettle.so.2. NEWS for the 1.7 release Implemented DSA. Renamed RSA functions for consistency. Now it's rsa_public_key_init, not rsa_init_public_key, etc. Both RSA and DSA now have sign/verify functions that take the hash digest as argument. A rewritten and much more powerful sexp-conv program. Other changes to the sexp code, in particular updating it to the latest SPKI draft. Building nettle as a shared library (ELF only) seems to work. The version number is increased, so the library "soname" for this release is "libnettle.so.1". Bugfixes. Fixes for build and portability problems. NEWS for the 1.6 release Optimized assembler implementations of aes, for sparc and x86. The aes interface has changed slightly. The function aes_set_key is no more. Instead one has to use aes_set_encrypt_key or aes_set_decrypt_key. Sorry about that. New example programs, rsa-keygen, rsa-sign and rsa-verify, located in the examples directory. New configure option --enable-shared, which builds a shared library. Not tested. New experimental features, including sexp parsing and formatting, and changes to base64 encoding and decoding. The interfaces to these functions are subject to change, and are documented only in the source code. NEWS for the 1.5 release RSA support. Key generation and signatures. Support for HMAC (RFC-2104). An implementation of the Yarrow-256 PRNG. New sections in the manual. Changed the interface for hash functions. The md5_digest function is now equivalent to the old sequence of md5_final, md5_digest, md5_init, and similarly for the other hashing algorithms. This makes the interface simpler. NEWS for the 1.0 release Fixed twofish bug spotted by Jean-Pierre Stierlin. Added des3 and cbc. New RFC-1321-like interface in nettle/md5-compat.h, suggested by Assar Westerlund. New libdes-style compatibility interface in nettle/des-compat.h. nettle-4.0/README0000644000000000000000000000457415141166424010474 0ustar00What is GNU Nettle? A quote from the introduction in the Nettle Manual: Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a simple but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. GNU Nettle is free software; you can redistribute it and/or modify it under the terms contained in the files COPYING* (see the manual for information on how these licenses apply). If you have downloaded a Nettle release, build it with the usual ./configure && make && make check && make install (see the INSTALL file for further instructions). Using GNU make is strongly recommended. Nettle's support for public key algorithms, such as RSA and ECDSA, depends on the GNU GMP library. You can also get Nettle from git, see http://www.lysator.liu.se/~nisse/nettle/ for current instructions. In particular, you need to run the ./.bootstrap script after checkout and before running ./configure. Read the manual. Mail me if you have any questions or suggestions. You may want to subscribe to the nettle-bugs mailing list. See https://lists.lysator.liu.se/mailman/postorius/lists/nettle-bugs.lists.lysator.liu.se/. See CONTRIBUTING.md for information on contibuting patches. Happy hacking, /Niels Möller nettle-4.0/aclocal.m40000644000000000000000000003235215141166424011447 0ustar00dnl Choose cc flags for compiling position independent code AC_DEFUN([LSH_CCPIC], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_MSG_CHECKING(CCPIC) AC_CACHE_VAL(lsh_cv_sys_ccpic,[ if test -z "$CCPIC" ; then if test "$GCC" = yes ; then case "$host_os" in bsdi4.*) CCPIC="-fPIC" ;; bsdi*) CCPIC="" ;; darwin*) CCPIC="-fPIC" ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; # Could also use -fpic, depending on the number of symbol references solaris*) CCPIC="-fPIC" ;; cygwin*) CCPIC="" ;; mingw32*) CCPIC="" ;; *) CCPIC="-fpic" ;; esac else case "$host_os" in darwin*) CCPIC="-fPIC" ;; irix*) CCPIC="-share" ;; hpux*) CCPIC="+z"; ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; solaris*) CCPIC="-KPIC -Bdynamic" ;; winnt*) CCPIC="-shared" ;; *) CCPIC="" ;; esac fi fi OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $CCPIC" AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])], [lsh_cv_sys_ccpic="$CCPIC"], [lsh_cv_sys_ccpic='']) CFLAGS="$OLD_CFLAGS" ]) CCPIC="$lsh_cv_sys_ccpic" AC_MSG_RESULT($CCPIC)]) dnl LSH_GCC_ATTRIBUTES dnl Check for gcc's __attribute__ construction AC_DEFUN([LSH_GCC_ATTRIBUTES], [AC_CACHE_CHECK(for __attribute__, lsh_cv_c_attribute, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include static void foo(void) __attribute__ ((noreturn)); static void __attribute__ ((noreturn)) foo(void) { exit(1); } ]], [[]])], [lsh_cv_c_attribute=yes], [lsh_cv_c_attribute=no])]) AH_TEMPLATE([HAVE_GCC_ATTRIBUTE], [Define if the compiler understands __attribute__]) if test "x$lsh_cv_c_attribute" = "xyes"; then AC_DEFINE(HAVE_GCC_ATTRIBUTE) fi AH_BOTTOM( [#if __GNUC__ && HAVE_GCC_ATTRIBUTE # define NORETURN __attribute__ ((__noreturn__)) # define PRINTF_STYLE(f, a) __attribute__ ((__format__ (__printf__, f, a))) # define UNUSED __attribute__ ((__unused__)) #else # define NORETURN # define PRINTF_STYLE(f, a) # define UNUSED #endif ])]) # Check for alloca, and include the standard blurb in config.h AC_DEFUN([LSH_FUNC_ALLOCA], [AC_FUNC_ALLOCA AC_CHECK_HEADERS([malloc.h]) AH_BOTTOM( [/* AIX requires this to be the first thing in the file. */ #ifndef __GNUC__ # if HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ char *alloca (); # endif # endif /* Needed for alloca on windows */ # if HAVE_MALLOC_H # include # endif # endif #else /* defined __GNUC__ */ # if HAVE_ALLOCA_H # include # else /* Needed for alloca on windows, also with gcc */ # if HAVE_MALLOC_H # include # endif # endif #endif ])]) dnl LSH_DEPENDENCY_TRACKING dnl Defines compiler flags DEP_FLAGS to generate dependency dnl information, and DEP_PROCESS that is any shell commands needed for dnl massaging the dependency information further. Dependencies are dnl generated as a side effect of compilation. Dependency files dnl themselves are not treated as targets. AC_DEFUN([LSH_DEPENDENCY_TRACKING], [AC_ARG_ENABLE(dependency_tracking, AS_HELP_STRING([--disable-dependency-tracking], [Disable dependency tracking. Dependency tracking doesn't work with BSD make]),, [enable_dependency_tracking=yes]) DEP_FLAGS='' DEP_PROCESS='true' if test x$enable_dependency_tracking = xyes ; then if test x$GCC = xyes ; then gcc_version=`gcc --version | head -1` case "$gcc_version" in 2.*|*[[!0-9.]]2.*) enable_dependency_tracking=no AC_MSG_WARN([Dependency tracking disabled, gcc-3.x is needed]) ;; *) DEP_FLAGS='-MT $[]@ -MD -MP -MF $[]@.d' DEP_PROCESS='true' ;; esac else enable_dependency_tracking=no AC_MSG_WARN([Dependency tracking disabled]) fi fi AC_SUBST([DEP_FLAGS]) AC_SUBST([DEP_PROCESS])]) dnl GMP_TRY_ASSEMBLE(asm-code,[action-success][,action-fail]) dnl ---------------------------------------------------------- dnl Attempt to assemble the given code. dnl Do "action-success" if this succeeds, "action-fail" if not. dnl dnl conftest.o and conftest.out are available for inspection in dnl "action-success". If either action does a "break" out of a loop then dnl an explicit "rm -f conftest*" will be necessary. dnl dnl This is not unlike AC_COMPILE_IFELSE, but there's no default includes or dnl anything in "asm-code", everything wanted must be given explicitly. AC_DEFUN([GMP_TRY_ASSEMBLE], [cat >conftest.s <&AS_MESSAGE_LOG_FD ifelse([$2],,:,[$2]) else cat conftest.out >&AS_MESSAGE_LOG_FD echo "configure: failed program was:" >&AS_MESSAGE_LOG_FD cat conftest.s >&AS_MESSAGE_LOG_FD ifelse([$3],,:,[$3]) fi rm -f conftest* ]) dnl GMP_PROG_CC_FOR_BUILD dnl --------------------- dnl Establish CC_FOR_BUILD, a C compiler for the build system. dnl dnl If CC_FOR_BUILD is set then it's expected to work, likewise the old dnl style HOST_CC, otherwise some likely candidates are tried, the same as dnl configfsf.guess. AC_DEFUN([GMP_PROG_CC_FOR_BUILD], [AC_REQUIRE([AC_PROG_CC]) if test -n "$CC_FOR_BUILD"; then GMP_PROG_CC_FOR_BUILD_WORKS($CC_FOR_BUILD,, [AC_MSG_ERROR([Specified CC_FOR_BUILD doesn't seem to work])]) elif test -n "$HOST_CC"; then GMP_PROG_CC_FOR_BUILD_WORKS($HOST_CC, [CC_FOR_BUILD=$HOST_CC], [AC_MSG_ERROR([Specified HOST_CC doesn't seem to work])]) else if test $cross_compiling = no ; then CC_FOR_BUILD="$CC" else for i in gcc cc c89 c99; do GMP_PROG_CC_FOR_BUILD_WORKS($i, [CC_FOR_BUILD=$i break]) done if test -z "$CC_FOR_BUILD"; then AC_MSG_ERROR([Cannot find a build system compiler]) fi fi if test "$CC_FOR_BUILD" = gcc ; then CC_FOR_BUILD="$CC_FOR_BUILD -O -g" fi fi AC_ARG_VAR(CC_FOR_BUILD,[build system C compiler]) AC_SUBST(CC_FOR_BUILD) ]) dnl GMP_PROG_CC_FOR_BUILD_WORKS(cc/cflags[,[action-if-good][,action-if-bad]]) dnl ------------------------------------------------------------------------- dnl See if the given cc/cflags works on the build system. dnl dnl It seems easiest to just use the default compiler output, rather than dnl figuring out the .exe or whatever at this stage. AC_DEFUN([GMP_PROG_CC_FOR_BUILD_WORKS], [AC_MSG_CHECKING([build system compiler $1]) # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&AS_MESSAGE_LOG_FD 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe AC_MSG_RESULT($cc_for_build_works) if test "$cc_for_build_works" = yes; then ifelse([$2],,:,[$2]) else ifelse([$3],,:,[$3]) fi ]) dnl GMP_PROG_EXEEXT_FOR_BUILD dnl ------------------------- dnl Determine EXEEXT_FOR_BUILD, the build system executable suffix. dnl dnl The idea is to find what "-o conftest$foo" will make it possible to run dnl the program with ./conftest. On Unix-like systems this is of course dnl nothing, for DOS it's ".exe", or for a strange RISC OS foreign file dnl system cross compile it can be ",ff8" apparently. Not sure if the dnl latter actually applies to a build-system executable, maybe it doesn't, dnl but it won't hurt to try. AC_DEFUN([GMP_PROG_EXEEXT_FOR_BUILD], [AC_REQUIRE([GMP_PROG_CC_FOR_BUILD]) AC_CACHE_CHECK([for build system executable suffix], gmp_cv_prog_exeext_for_build, [if test $cross_compiling = no ; then gmp_cv_prog_exeext_for_build="$EXEEXT" else cat >conftest.c <&AS_MESSAGE_LOG_FD; then gmp_cv_prog_exeext_for_build=$i break fi fi done rm -f conftest* if test "${gmp_cv_prog_exeext_for_build+set}" != set; then AC_MSG_ERROR([Cannot determine executable suffix]) fi fi ]) AC_SUBST(EXEEXT_FOR_BUILD,$gmp_cv_prog_exeext_for_build) ]) dnl NETTLE_CHECK_ARM_NEON dnl --------------------- dnl Check if ARM Neon instructions should be used. dnl Obeys enable_arm_neon, which should be set earlier. AC_DEFUN([NETTLE_CHECK_ARM_NEON], [if test "$enable_arm_neon" = auto ; then if test "$cross_compiling" = yes ; then dnl Check if compiler/assembler accepts it, dnl without an explicit .fpu neon directive. AC_CACHE_CHECK([if assembler accepts Neon instructions], nettle_cv_asm_arm_neon, [GMP_TRY_ASSEMBLE([ .text foo: vmlal.u32 q1, d0, d1 ], [nettle_cv_asm_arm_neon=yes], [nettle_cv_asm_arm_neon=no])]) enable_arm_neon="$nettle_cv_asm_arm_neon" else AC_MSG_CHECKING([if /proc/cpuinfo claims neon support]) if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then enable_arm_neon=yes else enable_arm_neon=no fi AC_MSG_RESULT($enable_arm_neon) fi fi ]) dnl NETTLE_CHECK_IFUNC dnl ------------------ dnl Check if __attribute__ ((ifunc(...))) works AC_DEFUN([NETTLE_CHECK_IFUNC], [AC_REQUIRE([AC_PROG_CC]) AC_CACHE_CHECK([for ifunc support], nettle_cv_link_ifunc, [AC_LINK_IFELSE([AC_LANG_PROGRAM([ static int foo_imp(int x) { return 1; } typedef void void_func (void); static void_func * foo_resolv(void) { return (void_func *) foo_imp; } int foo (int x) __attribute__ ((ifunc("foo_resolv"))); ],[ return foo(0); ])], [nettle_cv_link_ifunc=yes], [nettle_cv_link_ifunc=no])]) AH_TEMPLATE([HAVE_LINK_IFUNC], [Define if compiler and linker supports __attribute__ ifunc]) if test "x$nettle_cv_link_ifunc" = xyes ; then AC_DEFINE(HAVE_LINK_IFUNC) fi ]) # ld-version-script.m4 serial 3 dnl Copyright (C) 2008-2014 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, dnl with or without modifications, as long as this notice is preserved. dnl From Simon Josefsson # FIXME: The test below returns a false positive for mingw # cross-compiles, 'local:' statements does not reduce number of # exported symbols in a DLL. Use --disable-ld-version-script to work # around the problem. # gl_LD_VERSION_SCRIPT # -------------------- # Check if LD supports linker scripts, and define automake conditional # HAVE_LD_VERSION_SCRIPT if so. AC_DEFUN([LD_VERSION_SCRIPT], [ AC_ARG_ENABLE([ld-version-script], AS_HELP_STRING([--enable-ld-version-script], [enable linker version script (default is enabled when possible)]), [have_ld_version_script=$enableval], []) if test -z "$have_ld_version_script"; then AC_MSG_CHECKING([if LD -Wl,--version-script works]) save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" cat > conftest.map < conftest.map <&AS_MESSAGE_LOG_FD | grep '_lsan_\|_msan_\|_asan_' >/dev/null; then nettle_cv_prog_valgrind=no elif valgrind -q ./conftest$EXEEXT 2>&AS_MESSAGE_LOG_FD; then nettle_cv_prog_valgrind=yes else nettle_cv_prog_valgrind=no fi], [nettle_cv_prog_valgrind=no])]) if test "$nettle_cv_prog_valgrind" = yes ; then IF_VALGRIND='' else IF_VALGRIND='#' fi AC_SUBST(IF_VALGRIND) ]) nettle-4.0/aes-decrypt-internal.c0000644000000000000000000000557615141166423014014 0ustar00/* aes-decrypt-internal.c Decryption function for the aes/rijndael block cipher. Copyright 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes_decrypt void _nettle_aes_decrypt_c(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); #define _nettle_aes_decrypt _nettle_aes_decrypt_c #endif void _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE) { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; const uint32_t *p; unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ w0 = LE_READ_UINT32(src) ^ keys[0]; w1 = LE_READ_UINT32(src + 4) ^ keys[1]; w2 = LE_READ_UINT32(src + 8) ^ keys[2]; w3 = LE_READ_UINT32(src + 12) ^ keys[3]; for (i = 1, p = keys - 4; i < rounds; i++, p -= 4) { t0 = AES_ROUND(T, w0, w3, w2, w1, p[0]); t1 = AES_ROUND(T, w1, w0, w3, w2, p[1]); t2 = AES_ROUND(T, w2, w1, w0, w3, p[2]); t3 = AES_ROUND(T, w3, w2, w1, w0, p[3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, that should give a slight speedup. */ w0 = t0; w1 = t1; w2 = t2; w3 = t3; } /* Final round */ t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, p[0]); t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, p[1]); t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, p[2]); t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, p[3]); LE_WRITE_UINT32(dst, t0); LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } nettle-4.0/aes-decrypt-table.c0000644000000000000000000003462115141166423013260 0ustar00/* aes-decrypt-table.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" const struct aes_table _nettle_aes_decrypt_table = { /* isbox */ { 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38, 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb, 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87, 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb, 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d, 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e, 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2, 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25, 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16, 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92, 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda, 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84, 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a, 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06, 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02, 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b, 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea, 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73, 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85, 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e, 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89, 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b, 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20, 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4, 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31, 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f, 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d, 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef, 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0, 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d, }, { /* itable */ { 0x50a7f451,0x5365417e,0xc3a4171a,0x965e273a, 0xcb6bab3b,0xf1459d1f,0xab58faac,0x9303e34b, 0x55fa3020,0xf66d76ad,0x9176cc88,0x254c02f5, 0xfcd7e54f,0xd7cb2ac5,0x80443526,0x8fa362b5, 0x495ab1de,0x671bba25,0x980eea45,0xe1c0fe5d, 0x02752fc3,0x12f04c81,0xa397468d,0xc6f9d36b, 0xe75f8f03,0x959c9215,0xeb7a6dbf,0xda595295, 0x2d83bed4,0xd3217458,0x2969e049,0x44c8c98e, 0x6a89c275,0x78798ef4,0x6b3e5899,0xdd71b927, 0xb64fe1be,0x17ad88f0,0x66ac20c9,0xb43ace7d, 0x184adf63,0x82311ae5,0x60335197,0x457f5362, 0xe07764b1,0x84ae6bbb,0x1ca081fe,0x942b08f9, 0x58684870,0x19fd458f,0x876cde94,0xb7f87b52, 0x23d373ab,0xe2024b72,0x578f1fe3,0x2aab5566, 0x0728ebb2,0x03c2b52f,0x9a7bc586,0xa50837d3, 0xf2872830,0xb2a5bf23,0xba6a0302,0x5c8216ed, 0x2b1ccf8a,0x92b479a7,0xf0f207f3,0xa1e2694e, 0xcdf4da65,0xd5be0506,0x1f6234d1,0x8afea6c4, 0x9d532e34,0xa055f3a2,0x32e18a05,0x75ebf6a4, 0x39ec830b,0xaaef6040,0x069f715e,0x51106ebd, 0xf98a213e,0x3d06dd96,0xae053edd,0x46bde64d, 0xb58d5491,0x055dc471,0x6fd40604,0xff155060, 0x24fb9819,0x97e9bdd6,0xcc434089,0x779ed967, 0xbd42e8b0,0x888b8907,0x385b19e7,0xdbeec879, 0x470a7ca1,0xe90f427c,0xc91e84f8,0x00000000, 0x83868009,0x48ed2b32,0xac70111e,0x4e725a6c, 0xfbff0efd,0x5638850f,0x1ed5ae3d,0x27392d36, 0x64d90f0a,0x21a65c68,0xd1545b9b,0x3a2e3624, 0xb1670a0c,0x0fe75793,0xd296eeb4,0x9e919b1b, 0x4fc5c080,0xa220dc61,0x694b775a,0x161a121c, 0x0aba93e2,0xe52aa0c0,0x43e0223c,0x1d171b12, 0x0b0d090e,0xadc78bf2,0xb9a8b62d,0xc8a91e14, 0x8519f157,0x4c0775af,0xbbdd99ee,0xfd607fa3, 0x9f2601f7,0xbcf5725c,0xc53b6644,0x347efb5b, 0x7629438b,0xdcc623cb,0x68fcedb6,0x63f1e4b8, 0xcadc31d7,0x10856342,0x40229713,0x2011c684, 0x7d244a85,0xf83dbbd2,0x1132f9ae,0x6da129c7, 0x4b2f9e1d,0xf330b2dc,0xec52860d,0xd0e3c177, 0x6c16b32b,0x99b970a9,0xfa489411,0x2264e947, 0xc48cfca8,0x1a3ff0a0,0xd82c7d56,0xef903322, 0xc74e4987,0xc1d138d9,0xfea2ca8c,0x360bd498, 0xcf81f5a6,0x28de7aa5,0x268eb7da,0xa4bfad3f, 0xe49d3a2c,0x0d927850,0x9bcc5f6a,0x62467e54, 0xc2138df6,0xe8b8d890,0x5ef7392e,0xf5afc382, 0xbe805d9f,0x7c93d069,0xa92dd56f,0xb31225cf, 0x3b99acc8,0xa77d1810,0x6e639ce8,0x7bbb3bdb, 0x097826cd,0xf418596e,0x01b79aec,0xa89a4f83, 0x656e95e6,0x7ee6ffaa,0x08cfbc21,0xe6e815ef, 0xd99be7ba,0xce366f4a,0xd4099fea,0xd67cb029, 0xafb2a431,0x31233f2a,0x3094a5c6,0xc066a235, 0x37bc4e74,0xa6ca82fc,0xb0d090e0,0x15d8a733, 0x4a9804f1,0xf7daec41,0x0e50cd7f,0x2ff69117, 0x8dd64d76,0x4db0ef43,0x544daacc,0xdf0496e4, 0xe3b5d19e,0x1b886a4c,0xb81f2cc1,0x7f516546, 0x04ea5e9d,0x5d358c01,0x737487fa,0x2e410bfb, 0x5a1d67b3,0x52d2db92,0x335610e9,0x1347d66d, 0x8c61d79a,0x7a0ca137,0x8e14f859,0x893c13eb, 0xee27a9ce,0x35c961b7,0xede51ce1,0x3cb1477a, 0x59dfd29c,0x3f73f255,0x79ce1418,0xbf37c773, 0xeacdf753,0x5baafd5f,0x146f3ddf,0x86db4478, 0x81f3afca,0x3ec468b9,0x2c342438,0x5f40a3c2, 0x72c31d16,0x0c25e2bc,0x8b493c28,0x41950dff, 0x7101a839,0xdeb30c08,0x9ce4b4d8,0x90c15664, 0x6184cb7b,0x70b632d5,0x745c6c48,0x4257b8d0, }, #if !AES_SMALL { /* Before: itable[1] */ 0xa7f45150,0x65417e53,0xa4171ac3,0x5e273a96, 0x6bab3bcb,0x459d1ff1,0x58faacab,0x03e34b93, 0xfa302055,0x6d76adf6,0x76cc8891,0x4c02f525, 0xd7e54ffc,0xcb2ac5d7,0x44352680,0xa362b58f, 0x5ab1de49,0x1bba2567,0x0eea4598,0xc0fe5de1, 0x752fc302,0xf04c8112,0x97468da3,0xf9d36bc6, 0x5f8f03e7,0x9c921595,0x7a6dbfeb,0x595295da, 0x83bed42d,0x217458d3,0x69e04929,0xc8c98e44, 0x89c2756a,0x798ef478,0x3e58996b,0x71b927dd, 0x4fe1beb6,0xad88f017,0xac20c966,0x3ace7db4, 0x4adf6318,0x311ae582,0x33519760,0x7f536245, 0x7764b1e0,0xae6bbb84,0xa081fe1c,0x2b08f994, 0x68487058,0xfd458f19,0x6cde9487,0xf87b52b7, 0xd373ab23,0x024b72e2,0x8f1fe357,0xab55662a, 0x28ebb207,0xc2b52f03,0x7bc5869a,0x0837d3a5, 0x872830f2,0xa5bf23b2,0x6a0302ba,0x8216ed5c, 0x1ccf8a2b,0xb479a792,0xf207f3f0,0xe2694ea1, 0xf4da65cd,0xbe0506d5,0x6234d11f,0xfea6c48a, 0x532e349d,0x55f3a2a0,0xe18a0532,0xebf6a475, 0xec830b39,0xef6040aa,0x9f715e06,0x106ebd51, 0x8a213ef9,0x06dd963d,0x053eddae,0xbde64d46, 0x8d5491b5,0x5dc47105,0xd406046f,0x155060ff, 0xfb981924,0xe9bdd697,0x434089cc,0x9ed96777, 0x42e8b0bd,0x8b890788,0x5b19e738,0xeec879db, 0x0a7ca147,0x0f427ce9,0x1e84f8c9,0x00000000, 0x86800983,0xed2b3248,0x70111eac,0x725a6c4e, 0xff0efdfb,0x38850f56,0xd5ae3d1e,0x392d3627, 0xd90f0a64,0xa65c6821,0x545b9bd1,0x2e36243a, 0x670a0cb1,0xe757930f,0x96eeb4d2,0x919b1b9e, 0xc5c0804f,0x20dc61a2,0x4b775a69,0x1a121c16, 0xba93e20a,0x2aa0c0e5,0xe0223c43,0x171b121d, 0x0d090e0b,0xc78bf2ad,0xa8b62db9,0xa91e14c8, 0x19f15785,0x0775af4c,0xdd99eebb,0x607fa3fd, 0x2601f79f,0xf5725cbc,0x3b6644c5,0x7efb5b34, 0x29438b76,0xc623cbdc,0xfcedb668,0xf1e4b863, 0xdc31d7ca,0x85634210,0x22971340,0x11c68420, 0x244a857d,0x3dbbd2f8,0x32f9ae11,0xa129c76d, 0x2f9e1d4b,0x30b2dcf3,0x52860dec,0xe3c177d0, 0x16b32b6c,0xb970a999,0x489411fa,0x64e94722, 0x8cfca8c4,0x3ff0a01a,0x2c7d56d8,0x903322ef, 0x4e4987c7,0xd138d9c1,0xa2ca8cfe,0x0bd49836, 0x81f5a6cf,0xde7aa528,0x8eb7da26,0xbfad3fa4, 0x9d3a2ce4,0x9278500d,0xcc5f6a9b,0x467e5462, 0x138df6c2,0xb8d890e8,0xf7392e5e,0xafc382f5, 0x805d9fbe,0x93d0697c,0x2dd56fa9,0x1225cfb3, 0x99acc83b,0x7d1810a7,0x639ce86e,0xbb3bdb7b, 0x7826cd09,0x18596ef4,0xb79aec01,0x9a4f83a8, 0x6e95e665,0xe6ffaa7e,0xcfbc2108,0xe815efe6, 0x9be7bad9,0x366f4ace,0x099fead4,0x7cb029d6, 0xb2a431af,0x233f2a31,0x94a5c630,0x66a235c0, 0xbc4e7437,0xca82fca6,0xd090e0b0,0xd8a73315, 0x9804f14a,0xdaec41f7,0x50cd7f0e,0xf691172f, 0xd64d768d,0xb0ef434d,0x4daacc54,0x0496e4df, 0xb5d19ee3,0x886a4c1b,0x1f2cc1b8,0x5165467f, 0xea5e9d04,0x358c015d,0x7487fa73,0x410bfb2e, 0x1d67b35a,0xd2db9252,0x5610e933,0x47d66d13, 0x61d79a8c,0x0ca1377a,0x14f8598e,0x3c13eb89, 0x27a9ceee,0xc961b735,0xe51ce1ed,0xb1477a3c, 0xdfd29c59,0x73f2553f,0xce141879,0x37c773bf, 0xcdf753ea,0xaafd5f5b,0x6f3ddf14,0xdb447886, 0xf3afca81,0xc468b93e,0x3424382c,0x40a3c25f, 0xc31d1672,0x25e2bc0c,0x493c288b,0x950dff41, 0x01a83971,0xb30c08de,0xe4b4d89c,0xc1566490, 0x84cb7b61,0xb632d570,0x5c6c4874,0x57b8d042, },{ /* Before: itable[2] */ 0xf45150a7,0x417e5365,0x171ac3a4,0x273a965e, 0xab3bcb6b,0x9d1ff145,0xfaacab58,0xe34b9303, 0x302055fa,0x76adf66d,0xcc889176,0x02f5254c, 0xe54ffcd7,0x2ac5d7cb,0x35268044,0x62b58fa3, 0xb1de495a,0xba25671b,0xea45980e,0xfe5de1c0, 0x2fc30275,0x4c8112f0,0x468da397,0xd36bc6f9, 0x8f03e75f,0x9215959c,0x6dbfeb7a,0x5295da59, 0xbed42d83,0x7458d321,0xe0492969,0xc98e44c8, 0xc2756a89,0x8ef47879,0x58996b3e,0xb927dd71, 0xe1beb64f,0x88f017ad,0x20c966ac,0xce7db43a, 0xdf63184a,0x1ae58231,0x51976033,0x5362457f, 0x64b1e077,0x6bbb84ae,0x81fe1ca0,0x08f9942b, 0x48705868,0x458f19fd,0xde94876c,0x7b52b7f8, 0x73ab23d3,0x4b72e202,0x1fe3578f,0x55662aab, 0xebb20728,0xb52f03c2,0xc5869a7b,0x37d3a508, 0x2830f287,0xbf23b2a5,0x0302ba6a,0x16ed5c82, 0xcf8a2b1c,0x79a792b4,0x07f3f0f2,0x694ea1e2, 0xda65cdf4,0x0506d5be,0x34d11f62,0xa6c48afe, 0x2e349d53,0xf3a2a055,0x8a0532e1,0xf6a475eb, 0x830b39ec,0x6040aaef,0x715e069f,0x6ebd5110, 0x213ef98a,0xdd963d06,0x3eddae05,0xe64d46bd, 0x5491b58d,0xc471055d,0x06046fd4,0x5060ff15, 0x981924fb,0xbdd697e9,0x4089cc43,0xd967779e, 0xe8b0bd42,0x8907888b,0x19e7385b,0xc879dbee, 0x7ca1470a,0x427ce90f,0x84f8c91e,0x00000000, 0x80098386,0x2b3248ed,0x111eac70,0x5a6c4e72, 0x0efdfbff,0x850f5638,0xae3d1ed5,0x2d362739, 0x0f0a64d9,0x5c6821a6,0x5b9bd154,0x36243a2e, 0x0a0cb167,0x57930fe7,0xeeb4d296,0x9b1b9e91, 0xc0804fc5,0xdc61a220,0x775a694b,0x121c161a, 0x93e20aba,0xa0c0e52a,0x223c43e0,0x1b121d17, 0x090e0b0d,0x8bf2adc7,0xb62db9a8,0x1e14c8a9, 0xf1578519,0x75af4c07,0x99eebbdd,0x7fa3fd60, 0x01f79f26,0x725cbcf5,0x6644c53b,0xfb5b347e, 0x438b7629,0x23cbdcc6,0xedb668fc,0xe4b863f1, 0x31d7cadc,0x63421085,0x97134022,0xc6842011, 0x4a857d24,0xbbd2f83d,0xf9ae1132,0x29c76da1, 0x9e1d4b2f,0xb2dcf330,0x860dec52,0xc177d0e3, 0xb32b6c16,0x70a999b9,0x9411fa48,0xe9472264, 0xfca8c48c,0xf0a01a3f,0x7d56d82c,0x3322ef90, 0x4987c74e,0x38d9c1d1,0xca8cfea2,0xd498360b, 0xf5a6cf81,0x7aa528de,0xb7da268e,0xad3fa4bf, 0x3a2ce49d,0x78500d92,0x5f6a9bcc,0x7e546246, 0x8df6c213,0xd890e8b8,0x392e5ef7,0xc382f5af, 0x5d9fbe80,0xd0697c93,0xd56fa92d,0x25cfb312, 0xacc83b99,0x1810a77d,0x9ce86e63,0x3bdb7bbb, 0x26cd0978,0x596ef418,0x9aec01b7,0x4f83a89a, 0x95e6656e,0xffaa7ee6,0xbc2108cf,0x15efe6e8, 0xe7bad99b,0x6f4ace36,0x9fead409,0xb029d67c, 0xa431afb2,0x3f2a3123,0xa5c63094,0xa235c066, 0x4e7437bc,0x82fca6ca,0x90e0b0d0,0xa73315d8, 0x04f14a98,0xec41f7da,0xcd7f0e50,0x91172ff6, 0x4d768dd6,0xef434db0,0xaacc544d,0x96e4df04, 0xd19ee3b5,0x6a4c1b88,0x2cc1b81f,0x65467f51, 0x5e9d04ea,0x8c015d35,0x87fa7374,0x0bfb2e41, 0x67b35a1d,0xdb9252d2,0x10e93356,0xd66d1347, 0xd79a8c61,0xa1377a0c,0xf8598e14,0x13eb893c, 0xa9ceee27,0x61b735c9,0x1ce1ede5,0x477a3cb1, 0xd29c59df,0xf2553f73,0x141879ce,0xc773bf37, 0xf753eacd,0xfd5f5baa,0x3ddf146f,0x447886db, 0xafca81f3,0x68b93ec4,0x24382c34,0xa3c25f40, 0x1d1672c3,0xe2bc0c25,0x3c288b49,0x0dff4195, 0xa8397101,0x0c08deb3,0xb4d89ce4,0x566490c1, 0xcb7b6184,0x32d570b6,0x6c48745c,0xb8d04257, },{ /* Before: itable[3] */ 0x5150a7f4,0x7e536541,0x1ac3a417,0x3a965e27, 0x3bcb6bab,0x1ff1459d,0xacab58fa,0x4b9303e3, 0x2055fa30,0xadf66d76,0x889176cc,0xf5254c02, 0x4ffcd7e5,0xc5d7cb2a,0x26804435,0xb58fa362, 0xde495ab1,0x25671bba,0x45980eea,0x5de1c0fe, 0xc302752f,0x8112f04c,0x8da39746,0x6bc6f9d3, 0x03e75f8f,0x15959c92,0xbfeb7a6d,0x95da5952, 0xd42d83be,0x58d32174,0x492969e0,0x8e44c8c9, 0x756a89c2,0xf478798e,0x996b3e58,0x27dd71b9, 0xbeb64fe1,0xf017ad88,0xc966ac20,0x7db43ace, 0x63184adf,0xe582311a,0x97603351,0x62457f53, 0xb1e07764,0xbb84ae6b,0xfe1ca081,0xf9942b08, 0x70586848,0x8f19fd45,0x94876cde,0x52b7f87b, 0xab23d373,0x72e2024b,0xe3578f1f,0x662aab55, 0xb20728eb,0x2f03c2b5,0x869a7bc5,0xd3a50837, 0x30f28728,0x23b2a5bf,0x02ba6a03,0xed5c8216, 0x8a2b1ccf,0xa792b479,0xf3f0f207,0x4ea1e269, 0x65cdf4da,0x06d5be05,0xd11f6234,0xc48afea6, 0x349d532e,0xa2a055f3,0x0532e18a,0xa475ebf6, 0x0b39ec83,0x40aaef60,0x5e069f71,0xbd51106e, 0x3ef98a21,0x963d06dd,0xddae053e,0x4d46bde6, 0x91b58d54,0x71055dc4,0x046fd406,0x60ff1550, 0x1924fb98,0xd697e9bd,0x89cc4340,0x67779ed9, 0xb0bd42e8,0x07888b89,0xe7385b19,0x79dbeec8, 0xa1470a7c,0x7ce90f42,0xf8c91e84,0x00000000, 0x09838680,0x3248ed2b,0x1eac7011,0x6c4e725a, 0xfdfbff0e,0x0f563885,0x3d1ed5ae,0x3627392d, 0x0a64d90f,0x6821a65c,0x9bd1545b,0x243a2e36, 0x0cb1670a,0x930fe757,0xb4d296ee,0x1b9e919b, 0x804fc5c0,0x61a220dc,0x5a694b77,0x1c161a12, 0xe20aba93,0xc0e52aa0,0x3c43e022,0x121d171b, 0x0e0b0d09,0xf2adc78b,0x2db9a8b6,0x14c8a91e, 0x578519f1,0xaf4c0775,0xeebbdd99,0xa3fd607f, 0xf79f2601,0x5cbcf572,0x44c53b66,0x5b347efb, 0x8b762943,0xcbdcc623,0xb668fced,0xb863f1e4, 0xd7cadc31,0x42108563,0x13402297,0x842011c6, 0x857d244a,0xd2f83dbb,0xae1132f9,0xc76da129, 0x1d4b2f9e,0xdcf330b2,0x0dec5286,0x77d0e3c1, 0x2b6c16b3,0xa999b970,0x11fa4894,0x472264e9, 0xa8c48cfc,0xa01a3ff0,0x56d82c7d,0x22ef9033, 0x87c74e49,0xd9c1d138,0x8cfea2ca,0x98360bd4, 0xa6cf81f5,0xa528de7a,0xda268eb7,0x3fa4bfad, 0x2ce49d3a,0x500d9278,0x6a9bcc5f,0x5462467e, 0xf6c2138d,0x90e8b8d8,0x2e5ef739,0x82f5afc3, 0x9fbe805d,0x697c93d0,0x6fa92dd5,0xcfb31225, 0xc83b99ac,0x10a77d18,0xe86e639c,0xdb7bbb3b, 0xcd097826,0x6ef41859,0xec01b79a,0x83a89a4f, 0xe6656e95,0xaa7ee6ff,0x2108cfbc,0xefe6e815, 0xbad99be7,0x4ace366f,0xead4099f,0x29d67cb0, 0x31afb2a4,0x2a31233f,0xc63094a5,0x35c066a2, 0x7437bc4e,0xfca6ca82,0xe0b0d090,0x3315d8a7, 0xf14a9804,0x41f7daec,0x7f0e50cd,0x172ff691, 0x768dd64d,0x434db0ef,0xcc544daa,0xe4df0496, 0x9ee3b5d1,0x4c1b886a,0xc1b81f2c,0x467f5165, 0x9d04ea5e,0x015d358c,0xfa737487,0xfb2e410b, 0xb35a1d67,0x9252d2db,0xe9335610,0x6d1347d6, 0x9a8c61d7,0x377a0ca1,0x598e14f8,0xeb893c13, 0xceee27a9,0xb735c961,0xe1ede51c,0x7a3cb147, 0x9c59dfd2,0x553f73f2,0x1879ce14,0x73bf37c7, 0x53eacdf7,0x5f5baafd,0xdf146f3d,0x7886db44, 0xca81f3af,0xb93ec468,0x382c3424,0xc25f40a3, 0x1672c31d,0xbc0c25e2,0x288b493c,0xff41950d, 0x397101a8,0x08deb30c,0xd89ce4b4,0x6490c156, 0x7b6184cb,0xd570b632,0x48745c6c,0xd04257b8, }, #endif /* !AES_SMALL */ } }; nettle-4.0/aes-encrypt-internal.c0000644000000000000000000000660315141166423014016 0ustar00/* aes-encrypt-internal.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes_encrypt void _nettle_aes_encrypt_c(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); #define _nettle_aes_encrypt _nettle_aes_encrypt_c #endif void _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE) { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ w0 = LE_READ_UINT32(src) ^ keys[0]; w1 = LE_READ_UINT32(src + 4) ^ keys[1]; w2 = LE_READ_UINT32(src + 8) ^ keys[2]; w3 = LE_READ_UINT32(src + 12) ^ keys[3]; for (i = 1; i < rounds; i++) { t0 = AES_ROUND(T, w0, w1, w2, w3, keys[4*i]); t1 = AES_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); t2 = AES_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); t3 = AES_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, that should give a slight speedup. */ w0 = t0; w1 = t1; w2 = t2; w3 = t3; } /* Final round */ t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, keys[4*i]); t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); LE_WRITE_UINT32(dst, t0); LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } /* Some stats, all for AES 128: A. Table-driven indexing (the approach of the old unified _aes_crypt function). B. Unrolling the j-loop. C. Eliminated the use of IDXk(j) in the main loop. D. Put wtxt in four scalar variables. E. Also put t in four scalar variables. P4 2.2 GHz AMD Duron 1.4GHz MB/s code size A 35.9 0x202 17 MB/s B 37.3 0x334 C 33.0 0x2a7 D 40.7 0x3f9 E 42.9 0x44a 26 MB/s */ nettle-4.0/aes-encrypt-table.c0000644000000000000000000003537115141166423013275 0ustar00/* aes-encrypt-table.c Encryption table for the aes/rijndael block cipher. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" /* Tables are assembled using little-endian byte order, including the * pre-rotated variants. Generated by aesdata.c. * * Note that AES is byte order agnostic, we only need to be consistent * and use the same byteorder when processing key, cleartext and * ciphertext bytes. * * Little-endian means that the first row of the AES state arrays * occupy the least significant byte of the words, which is also * consistent with the row numbering. */ const struct aes_table _nettle_aes_encrypt_table = { /* sbox */ { 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5, 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76, 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0, 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0, 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc, 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15, 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a, 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75, 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0, 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84, 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b, 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf, 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85, 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8, 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5, 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2, 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17, 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73, 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88, 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb, 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c, 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79, 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9, 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08, 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6, 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a, 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e, 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e, 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94, 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf, 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68, 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16, }, { /* dtable */ { 0xa56363c6,0x847c7cf8,0x997777ee,0x8d7b7bf6, 0x0df2f2ff,0xbd6b6bd6,0xb16f6fde,0x54c5c591, 0x50303060,0x03010102,0xa96767ce,0x7d2b2b56, 0x19fefee7,0x62d7d7b5,0xe6abab4d,0x9a7676ec, 0x45caca8f,0x9d82821f,0x40c9c989,0x877d7dfa, 0x15fafaef,0xeb5959b2,0xc947478e,0x0bf0f0fb, 0xecadad41,0x67d4d4b3,0xfda2a25f,0xeaafaf45, 0xbf9c9c23,0xf7a4a453,0x967272e4,0x5bc0c09b, 0xc2b7b775,0x1cfdfde1,0xae93933d,0x6a26264c, 0x5a36366c,0x413f3f7e,0x02f7f7f5,0x4fcccc83, 0x5c343468,0xf4a5a551,0x34e5e5d1,0x08f1f1f9, 0x937171e2,0x73d8d8ab,0x53313162,0x3f15152a, 0x0c040408,0x52c7c795,0x65232346,0x5ec3c39d, 0x28181830,0xa1969637,0x0f05050a,0xb59a9a2f, 0x0907070e,0x36121224,0x9b80801b,0x3de2e2df, 0x26ebebcd,0x6927274e,0xcdb2b27f,0x9f7575ea, 0x1b090912,0x9e83831d,0x742c2c58,0x2e1a1a34, 0x2d1b1b36,0xb26e6edc,0xee5a5ab4,0xfba0a05b, 0xf65252a4,0x4d3b3b76,0x61d6d6b7,0xceb3b37d, 0x7b292952,0x3ee3e3dd,0x712f2f5e,0x97848413, 0xf55353a6,0x68d1d1b9,0x00000000,0x2cededc1, 0x60202040,0x1ffcfce3,0xc8b1b179,0xed5b5bb6, 0xbe6a6ad4,0x46cbcb8d,0xd9bebe67,0x4b393972, 0xde4a4a94,0xd44c4c98,0xe85858b0,0x4acfcf85, 0x6bd0d0bb,0x2aefefc5,0xe5aaaa4f,0x16fbfbed, 0xc5434386,0xd74d4d9a,0x55333366,0x94858511, 0xcf45458a,0x10f9f9e9,0x06020204,0x817f7ffe, 0xf05050a0,0x443c3c78,0xba9f9f25,0xe3a8a84b, 0xf35151a2,0xfea3a35d,0xc0404080,0x8a8f8f05, 0xad92923f,0xbc9d9d21,0x48383870,0x04f5f5f1, 0xdfbcbc63,0xc1b6b677,0x75dadaaf,0x63212142, 0x30101020,0x1affffe5,0x0ef3f3fd,0x6dd2d2bf, 0x4ccdcd81,0x140c0c18,0x35131326,0x2fececc3, 0xe15f5fbe,0xa2979735,0xcc444488,0x3917172e, 0x57c4c493,0xf2a7a755,0x827e7efc,0x473d3d7a, 0xac6464c8,0xe75d5dba,0x2b191932,0x957373e6, 0xa06060c0,0x98818119,0xd14f4f9e,0x7fdcdca3, 0x66222244,0x7e2a2a54,0xab90903b,0x8388880b, 0xca46468c,0x29eeeec7,0xd3b8b86b,0x3c141428, 0x79dedea7,0xe25e5ebc,0x1d0b0b16,0x76dbdbad, 0x3be0e0db,0x56323264,0x4e3a3a74,0x1e0a0a14, 0xdb494992,0x0a06060c,0x6c242448,0xe45c5cb8, 0x5dc2c29f,0x6ed3d3bd,0xefacac43,0xa66262c4, 0xa8919139,0xa4959531,0x37e4e4d3,0x8b7979f2, 0x32e7e7d5,0x43c8c88b,0x5937376e,0xb76d6dda, 0x8c8d8d01,0x64d5d5b1,0xd24e4e9c,0xe0a9a949, 0xb46c6cd8,0xfa5656ac,0x07f4f4f3,0x25eaeacf, 0xaf6565ca,0x8e7a7af4,0xe9aeae47,0x18080810, 0xd5baba6f,0x887878f0,0x6f25254a,0x722e2e5c, 0x241c1c38,0xf1a6a657,0xc7b4b473,0x51c6c697, 0x23e8e8cb,0x7cdddda1,0x9c7474e8,0x211f1f3e, 0xdd4b4b96,0xdcbdbd61,0x868b8b0d,0x858a8a0f, 0x907070e0,0x423e3e7c,0xc4b5b571,0xaa6666cc, 0xd8484890,0x05030306,0x01f6f6f7,0x120e0e1c, 0xa36161c2,0x5f35356a,0xf95757ae,0xd0b9b969, 0x91868617,0x58c1c199,0x271d1d3a,0xb99e9e27, 0x38e1e1d9,0x13f8f8eb,0xb398982b,0x33111122, 0xbb6969d2,0x70d9d9a9,0x898e8e07,0xa7949433, 0xb69b9b2d,0x221e1e3c,0x92878715,0x20e9e9c9, 0x49cece87,0xff5555aa,0x78282850,0x7adfdfa5, 0x8f8c8c03,0xf8a1a159,0x80898909,0x170d0d1a, 0xdabfbf65,0x31e6e6d7,0xc6424284,0xb86868d0, 0xc3414182,0xb0999929,0x772d2d5a,0x110f0f1e, 0xcbb0b07b,0xfc5454a8,0xd6bbbb6d,0x3a16162c, }, #if !AES_SMALL { 0x6363c6a5,0x7c7cf884,0x7777ee99,0x7b7bf68d, 0xf2f2ff0d,0x6b6bd6bd,0x6f6fdeb1,0xc5c59154, 0x30306050,0x01010203,0x6767cea9,0x2b2b567d, 0xfefee719,0xd7d7b562,0xabab4de6,0x7676ec9a, 0xcaca8f45,0x82821f9d,0xc9c98940,0x7d7dfa87, 0xfafaef15,0x5959b2eb,0x47478ec9,0xf0f0fb0b, 0xadad41ec,0xd4d4b367,0xa2a25ffd,0xafaf45ea, 0x9c9c23bf,0xa4a453f7,0x7272e496,0xc0c09b5b, 0xb7b775c2,0xfdfde11c,0x93933dae,0x26264c6a, 0x36366c5a,0x3f3f7e41,0xf7f7f502,0xcccc834f, 0x3434685c,0xa5a551f4,0xe5e5d134,0xf1f1f908, 0x7171e293,0xd8d8ab73,0x31316253,0x15152a3f, 0x0404080c,0xc7c79552,0x23234665,0xc3c39d5e, 0x18183028,0x969637a1,0x05050a0f,0x9a9a2fb5, 0x07070e09,0x12122436,0x80801b9b,0xe2e2df3d, 0xebebcd26,0x27274e69,0xb2b27fcd,0x7575ea9f, 0x0909121b,0x83831d9e,0x2c2c5874,0x1a1a342e, 0x1b1b362d,0x6e6edcb2,0x5a5ab4ee,0xa0a05bfb, 0x5252a4f6,0x3b3b764d,0xd6d6b761,0xb3b37dce, 0x2929527b,0xe3e3dd3e,0x2f2f5e71,0x84841397, 0x5353a6f5,0xd1d1b968,0x00000000,0xededc12c, 0x20204060,0xfcfce31f,0xb1b179c8,0x5b5bb6ed, 0x6a6ad4be,0xcbcb8d46,0xbebe67d9,0x3939724b, 0x4a4a94de,0x4c4c98d4,0x5858b0e8,0xcfcf854a, 0xd0d0bb6b,0xefefc52a,0xaaaa4fe5,0xfbfbed16, 0x434386c5,0x4d4d9ad7,0x33336655,0x85851194, 0x45458acf,0xf9f9e910,0x02020406,0x7f7ffe81, 0x5050a0f0,0x3c3c7844,0x9f9f25ba,0xa8a84be3, 0x5151a2f3,0xa3a35dfe,0x404080c0,0x8f8f058a, 0x92923fad,0x9d9d21bc,0x38387048,0xf5f5f104, 0xbcbc63df,0xb6b677c1,0xdadaaf75,0x21214263, 0x10102030,0xffffe51a,0xf3f3fd0e,0xd2d2bf6d, 0xcdcd814c,0x0c0c1814,0x13132635,0xececc32f, 0x5f5fbee1,0x979735a2,0x444488cc,0x17172e39, 0xc4c49357,0xa7a755f2,0x7e7efc82,0x3d3d7a47, 0x6464c8ac,0x5d5dbae7,0x1919322b,0x7373e695, 0x6060c0a0,0x81811998,0x4f4f9ed1,0xdcdca37f, 0x22224466,0x2a2a547e,0x90903bab,0x88880b83, 0x46468cca,0xeeeec729,0xb8b86bd3,0x1414283c, 0xdedea779,0x5e5ebce2,0x0b0b161d,0xdbdbad76, 0xe0e0db3b,0x32326456,0x3a3a744e,0x0a0a141e, 0x494992db,0x06060c0a,0x2424486c,0x5c5cb8e4, 0xc2c29f5d,0xd3d3bd6e,0xacac43ef,0x6262c4a6, 0x919139a8,0x959531a4,0xe4e4d337,0x7979f28b, 0xe7e7d532,0xc8c88b43,0x37376e59,0x6d6ddab7, 0x8d8d018c,0xd5d5b164,0x4e4e9cd2,0xa9a949e0, 0x6c6cd8b4,0x5656acfa,0xf4f4f307,0xeaeacf25, 0x6565caaf,0x7a7af48e,0xaeae47e9,0x08081018, 0xbaba6fd5,0x7878f088,0x25254a6f,0x2e2e5c72, 0x1c1c3824,0xa6a657f1,0xb4b473c7,0xc6c69751, 0xe8e8cb23,0xdddda17c,0x7474e89c,0x1f1f3e21, 0x4b4b96dd,0xbdbd61dc,0x8b8b0d86,0x8a8a0f85, 0x7070e090,0x3e3e7c42,0xb5b571c4,0x6666ccaa, 0x484890d8,0x03030605,0xf6f6f701,0x0e0e1c12, 0x6161c2a3,0x35356a5f,0x5757aef9,0xb9b969d0, 0x86861791,0xc1c19958,0x1d1d3a27,0x9e9e27b9, 0xe1e1d938,0xf8f8eb13,0x98982bb3,0x11112233, 0x6969d2bb,0xd9d9a970,0x8e8e0789,0x949433a7, 0x9b9b2db6,0x1e1e3c22,0x87871592,0xe9e9c920, 0xcece8749,0x5555aaff,0x28285078,0xdfdfa57a, 0x8c8c038f,0xa1a159f8,0x89890980,0x0d0d1a17, 0xbfbf65da,0xe6e6d731,0x424284c6,0x6868d0b8, 0x414182c3,0x999929b0,0x2d2d5a77,0x0f0f1e11, 0xb0b07bcb,0x5454a8fc,0xbbbb6dd6,0x16162c3a, },{ 0x63c6a563,0x7cf8847c,0x77ee9977,0x7bf68d7b, 0xf2ff0df2,0x6bd6bd6b,0x6fdeb16f,0xc59154c5, 0x30605030,0x01020301,0x67cea967,0x2b567d2b, 0xfee719fe,0xd7b562d7,0xab4de6ab,0x76ec9a76, 0xca8f45ca,0x821f9d82,0xc98940c9,0x7dfa877d, 0xfaef15fa,0x59b2eb59,0x478ec947,0xf0fb0bf0, 0xad41ecad,0xd4b367d4,0xa25ffda2,0xaf45eaaf, 0x9c23bf9c,0xa453f7a4,0x72e49672,0xc09b5bc0, 0xb775c2b7,0xfde11cfd,0x933dae93,0x264c6a26, 0x366c5a36,0x3f7e413f,0xf7f502f7,0xcc834fcc, 0x34685c34,0xa551f4a5,0xe5d134e5,0xf1f908f1, 0x71e29371,0xd8ab73d8,0x31625331,0x152a3f15, 0x04080c04,0xc79552c7,0x23466523,0xc39d5ec3, 0x18302818,0x9637a196,0x050a0f05,0x9a2fb59a, 0x070e0907,0x12243612,0x801b9b80,0xe2df3de2, 0xebcd26eb,0x274e6927,0xb27fcdb2,0x75ea9f75, 0x09121b09,0x831d9e83,0x2c58742c,0x1a342e1a, 0x1b362d1b,0x6edcb26e,0x5ab4ee5a,0xa05bfba0, 0x52a4f652,0x3b764d3b,0xd6b761d6,0xb37dceb3, 0x29527b29,0xe3dd3ee3,0x2f5e712f,0x84139784, 0x53a6f553,0xd1b968d1,0x00000000,0xedc12ced, 0x20406020,0xfce31ffc,0xb179c8b1,0x5bb6ed5b, 0x6ad4be6a,0xcb8d46cb,0xbe67d9be,0x39724b39, 0x4a94de4a,0x4c98d44c,0x58b0e858,0xcf854acf, 0xd0bb6bd0,0xefc52aef,0xaa4fe5aa,0xfbed16fb, 0x4386c543,0x4d9ad74d,0x33665533,0x85119485, 0x458acf45,0xf9e910f9,0x02040602,0x7ffe817f, 0x50a0f050,0x3c78443c,0x9f25ba9f,0xa84be3a8, 0x51a2f351,0xa35dfea3,0x4080c040,0x8f058a8f, 0x923fad92,0x9d21bc9d,0x38704838,0xf5f104f5, 0xbc63dfbc,0xb677c1b6,0xdaaf75da,0x21426321, 0x10203010,0xffe51aff,0xf3fd0ef3,0xd2bf6dd2, 0xcd814ccd,0x0c18140c,0x13263513,0xecc32fec, 0x5fbee15f,0x9735a297,0x4488cc44,0x172e3917, 0xc49357c4,0xa755f2a7,0x7efc827e,0x3d7a473d, 0x64c8ac64,0x5dbae75d,0x19322b19,0x73e69573, 0x60c0a060,0x81199881,0x4f9ed14f,0xdca37fdc, 0x22446622,0x2a547e2a,0x903bab90,0x880b8388, 0x468cca46,0xeec729ee,0xb86bd3b8,0x14283c14, 0xdea779de,0x5ebce25e,0x0b161d0b,0xdbad76db, 0xe0db3be0,0x32645632,0x3a744e3a,0x0a141e0a, 0x4992db49,0x060c0a06,0x24486c24,0x5cb8e45c, 0xc29f5dc2,0xd3bd6ed3,0xac43efac,0x62c4a662, 0x9139a891,0x9531a495,0xe4d337e4,0x79f28b79, 0xe7d532e7,0xc88b43c8,0x376e5937,0x6ddab76d, 0x8d018c8d,0xd5b164d5,0x4e9cd24e,0xa949e0a9, 0x6cd8b46c,0x56acfa56,0xf4f307f4,0xeacf25ea, 0x65caaf65,0x7af48e7a,0xae47e9ae,0x08101808, 0xba6fd5ba,0x78f08878,0x254a6f25,0x2e5c722e, 0x1c38241c,0xa657f1a6,0xb473c7b4,0xc69751c6, 0xe8cb23e8,0xdda17cdd,0x74e89c74,0x1f3e211f, 0x4b96dd4b,0xbd61dcbd,0x8b0d868b,0x8a0f858a, 0x70e09070,0x3e7c423e,0xb571c4b5,0x66ccaa66, 0x4890d848,0x03060503,0xf6f701f6,0x0e1c120e, 0x61c2a361,0x356a5f35,0x57aef957,0xb969d0b9, 0x86179186,0xc19958c1,0x1d3a271d,0x9e27b99e, 0xe1d938e1,0xf8eb13f8,0x982bb398,0x11223311, 0x69d2bb69,0xd9a970d9,0x8e07898e,0x9433a794, 0x9b2db69b,0x1e3c221e,0x87159287,0xe9c920e9, 0xce8749ce,0x55aaff55,0x28507828,0xdfa57adf, 0x8c038f8c,0xa159f8a1,0x89098089,0x0d1a170d, 0xbf65dabf,0xe6d731e6,0x4284c642,0x68d0b868, 0x4182c341,0x9929b099,0x2d5a772d,0x0f1e110f, 0xb07bcbb0,0x54a8fc54,0xbb6dd6bb,0x162c3a16, },{ 0xc6a56363,0xf8847c7c,0xee997777,0xf68d7b7b, 0xff0df2f2,0xd6bd6b6b,0xdeb16f6f,0x9154c5c5, 0x60503030,0x02030101,0xcea96767,0x567d2b2b, 0xe719fefe,0xb562d7d7,0x4de6abab,0xec9a7676, 0x8f45caca,0x1f9d8282,0x8940c9c9,0xfa877d7d, 0xef15fafa,0xb2eb5959,0x8ec94747,0xfb0bf0f0, 0x41ecadad,0xb367d4d4,0x5ffda2a2,0x45eaafaf, 0x23bf9c9c,0x53f7a4a4,0xe4967272,0x9b5bc0c0, 0x75c2b7b7,0xe11cfdfd,0x3dae9393,0x4c6a2626, 0x6c5a3636,0x7e413f3f,0xf502f7f7,0x834fcccc, 0x685c3434,0x51f4a5a5,0xd134e5e5,0xf908f1f1, 0xe2937171,0xab73d8d8,0x62533131,0x2a3f1515, 0x080c0404,0x9552c7c7,0x46652323,0x9d5ec3c3, 0x30281818,0x37a19696,0x0a0f0505,0x2fb59a9a, 0x0e090707,0x24361212,0x1b9b8080,0xdf3de2e2, 0xcd26ebeb,0x4e692727,0x7fcdb2b2,0xea9f7575, 0x121b0909,0x1d9e8383,0x58742c2c,0x342e1a1a, 0x362d1b1b,0xdcb26e6e,0xb4ee5a5a,0x5bfba0a0, 0xa4f65252,0x764d3b3b,0xb761d6d6,0x7dceb3b3, 0x527b2929,0xdd3ee3e3,0x5e712f2f,0x13978484, 0xa6f55353,0xb968d1d1,0x00000000,0xc12ceded, 0x40602020,0xe31ffcfc,0x79c8b1b1,0xb6ed5b5b, 0xd4be6a6a,0x8d46cbcb,0x67d9bebe,0x724b3939, 0x94de4a4a,0x98d44c4c,0xb0e85858,0x854acfcf, 0xbb6bd0d0,0xc52aefef,0x4fe5aaaa,0xed16fbfb, 0x86c54343,0x9ad74d4d,0x66553333,0x11948585, 0x8acf4545,0xe910f9f9,0x04060202,0xfe817f7f, 0xa0f05050,0x78443c3c,0x25ba9f9f,0x4be3a8a8, 0xa2f35151,0x5dfea3a3,0x80c04040,0x058a8f8f, 0x3fad9292,0x21bc9d9d,0x70483838,0xf104f5f5, 0x63dfbcbc,0x77c1b6b6,0xaf75dada,0x42632121, 0x20301010,0xe51affff,0xfd0ef3f3,0xbf6dd2d2, 0x814ccdcd,0x18140c0c,0x26351313,0xc32fecec, 0xbee15f5f,0x35a29797,0x88cc4444,0x2e391717, 0x9357c4c4,0x55f2a7a7,0xfc827e7e,0x7a473d3d, 0xc8ac6464,0xbae75d5d,0x322b1919,0xe6957373, 0xc0a06060,0x19988181,0x9ed14f4f,0xa37fdcdc, 0x44662222,0x547e2a2a,0x3bab9090,0x0b838888, 0x8cca4646,0xc729eeee,0x6bd3b8b8,0x283c1414, 0xa779dede,0xbce25e5e,0x161d0b0b,0xad76dbdb, 0xdb3be0e0,0x64563232,0x744e3a3a,0x141e0a0a, 0x92db4949,0x0c0a0606,0x486c2424,0xb8e45c5c, 0x9f5dc2c2,0xbd6ed3d3,0x43efacac,0xc4a66262, 0x39a89191,0x31a49595,0xd337e4e4,0xf28b7979, 0xd532e7e7,0x8b43c8c8,0x6e593737,0xdab76d6d, 0x018c8d8d,0xb164d5d5,0x9cd24e4e,0x49e0a9a9, 0xd8b46c6c,0xacfa5656,0xf307f4f4,0xcf25eaea, 0xcaaf6565,0xf48e7a7a,0x47e9aeae,0x10180808, 0x6fd5baba,0xf0887878,0x4a6f2525,0x5c722e2e, 0x38241c1c,0x57f1a6a6,0x73c7b4b4,0x9751c6c6, 0xcb23e8e8,0xa17cdddd,0xe89c7474,0x3e211f1f, 0x96dd4b4b,0x61dcbdbd,0x0d868b8b,0x0f858a8a, 0xe0907070,0x7c423e3e,0x71c4b5b5,0xccaa6666, 0x90d84848,0x06050303,0xf701f6f6,0x1c120e0e, 0xc2a36161,0x6a5f3535,0xaef95757,0x69d0b9b9, 0x17918686,0x9958c1c1,0x3a271d1d,0x27b99e9e, 0xd938e1e1,0xeb13f8f8,0x2bb39898,0x22331111, 0xd2bb6969,0xa970d9d9,0x07898e8e,0x33a79494, 0x2db69b9b,0x3c221e1e,0x15928787,0xc920e9e9, 0x8749cece,0xaaff5555,0x50782828,0xa57adfdf, 0x038f8c8c,0x59f8a1a1,0x09808989,0x1a170d0d, 0x65dabfbf,0xd731e6e6,0x84c64242,0xd0b86868, 0x82c34141,0x29b09999,0x5a772d2d,0x1e110f0f, 0x7bcbb0b0,0xa8fc5454,0x6dd6bbbb,0x2c3a1616, }, #endif /* !AES_SMALL */ } }; nettle-4.0/aes-internal.h0000644000000000000000000000566215141166424012346 0ustar00/* aes-internal.h The aes/rijndael block cipher. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_AES_INTERNAL_H_INCLUDED #define NETTLE_AES_INTERNAL_H_INCLUDED #include "aes.h" /* Define to use only small tables. */ #ifndef AES_SMALL # define AES_SMALL 0 #endif #if AES_SMALL # define AES_TABLE_SIZE 1 #else # define AES_TABLE_SIZE 4 #endif struct aes_table { uint8_t sbox[0x100]; uint32_t table[AES_TABLE_SIZE][0x100]; }; void _nettle_aes_set_key(unsigned nr, unsigned nk, uint32_t *subkeys, const uint8_t *key); void _nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src); void _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* The keys pointer points at the subkeys for the first decrypt round, located at the end of the array. */ void _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* Macros */ /* Get the byte with index 0, 1, 2 and 3 */ #define B0(x) ((x) & 0xff) #define B1(x) (((x) >> 8) & 0xff) #define B2(x) (((x) >> 16) & 0xff) #define B3(x) (((x) >> 24) & 0xff) #define SUBBYTE(x, box) ((uint32_t)(box)[B0(x)] \ | ((uint32_t)(box)[B1(x)] << 8) \ | ((uint32_t)(box)[B2(x)] << 16) \ | ((uint32_t)(box)[B3(x)] << 24)) #define AES_ROUND(T, w0, w1, w2, w3, k) \ (( T->table[0][ B0(w0) ] \ ^ T->table[1][ B1(w1) ] \ ^ T->table[2][ B2(w2) ] \ ^ T->table[3][ B3(w3) ]) ^ (k)) #define AES_FINAL_ROUND(T, w0, w1, w2, w3, k) \ (( (uint32_t) T->sbox[ B0(w0) ] \ | ((uint32_t) T->sbox[ B1(w1) ] << 8) \ | ((uint32_t) T->sbox[ B2(w2) ] << 16) \ | ((uint32_t) T->sbox[ B3(w3) ] << 24)) ^ (k)) extern const struct aes_table _nettle_aes_encrypt_table; #define aes_sbox (_nettle_aes_encrypt_table.sbox) extern const struct aes_table _nettle_aes_decrypt_table; #endif /* NETTLE_AES_INTERNAL_H_INCLUDED */ nettle-4.0/aes-invert-internal.c0000644000000000000000000001255315141166423013642 0ustar00/* aes-invert-internal.c Inverse key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes_invert void _nettle_aes_invert_c(unsigned rounds, uint32_t *dst, const uint32_t *src); #define _nettle_aes_invert _nettle_aes_invert_c #endif /* NOTE: We don't include rotated versions of the table. */ static const uint32_t mtable[0x100] = { 0x00000000,0x0b0d090e,0x161a121c,0x1d171b12, 0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a, 0x58684870,0x5365417e,0x4e725a6c,0x457f5362, 0x745c6c48,0x7f516546,0x62467e54,0x694b775a, 0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2, 0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca, 0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382, 0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba, 0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9, 0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1, 0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9, 0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81, 0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029, 0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411, 0x9303e34b,0x980eea45,0x8519f157,0x8e14f859, 0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61, 0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf, 0xda595295,0xd1545b9b,0xcc434089,0xc74e4987, 0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf, 0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7, 0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f, 0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967, 0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f, 0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117, 0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664, 0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c, 0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14, 0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c, 0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684, 0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc, 0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4, 0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc, 0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753, 0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b, 0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23, 0x83868009,0x888b8907,0x959c9215,0x9e919b1b, 0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3, 0x6b3e5899,0x60335197,0x7d244a85,0x7629438b, 0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3, 0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb, 0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88, 0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0, 0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8, 0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0, 0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68, 0x10856342,0x1b886a4c,0x069f715e,0x0d927850, 0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418, 0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020, 0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe, 0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6, 0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e, 0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6, 0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e, 0x9d532e34,0x965e273a,0x8b493c28,0x80443526, 0xe90f427c,0xe2024b72,0xff155060,0xf418596e, 0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56, 0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25, 0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d, 0x2264e947,0x2969e049,0x347efb5b,0x3f73f255, 0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d, 0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5, 0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd, 0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5, 0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d, }; #define MIX_COLUMN(T, out, in) do { \ uint32_t _k, _nk, _t; \ _k = (in); \ _nk = T[_k & 0xff]; \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(8, _t); \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(16, _t); \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(24, _t); \ (out) = _nk; \ } while(0) #define SWAP(a, b) \ do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void _nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) { unsigned i; /* Transform all subkeys but the first and last. */ for (i = 4; i < 4 * rounds; i++) MIX_COLUMN (mtable, dst[i], src[i]); if (src != dst) { dst[0] = src[0]; dst[1] = src[1]; dst[2] = src[2]; dst[3] = src[3]; dst[i] = src[i]; dst[i+1] = src[i+1]; dst[i+2] = src[i+2]; dst[i+3] = src[i+3]; } } nettle-4.0/aes-set-key-internal.c0000644000000000000000000000366215141166423013715 0ustar00/* aes-set-key-internal.c Key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" #include #include "macros.h" void _nettle_aes_set_key(unsigned nr, unsigned nk, uint32_t *subkeys, const uint8_t *key) { static const uint8_t rcon[10] = { 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, }; const uint8_t *rp; unsigned lastkey, i; uint32_t t; assert(nk != 0); lastkey = (AES_BLOCK_SIZE/4) * (nr + 1); for (i=0, rp = rcon; i 6 && (i%nk) == 4) t = SUBBYTE(t, aes_sbox); subkeys[i] = subkeys[i-nk] ^ t; } } nettle-4.0/aes.h0000644000000000000000000000744315141166424010533 0ustar00/* aes.h The aes/rijndael block cipher. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_AES_H_INCLUDED #define NETTLE_AES_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define aes128_set_encrypt_key nettle_aes128_set_encrypt_key #define aes128_set_decrypt_key nettle_aes128_set_decrypt_key #define aes128_invert_key nettle_aes128_invert_key #define aes128_encrypt nettle_aes128_encrypt #define aes128_decrypt nettle_aes128_decrypt #define aes192_set_encrypt_key nettle_aes192_set_encrypt_key #define aes192_set_decrypt_key nettle_aes192_set_decrypt_key #define aes192_invert_key nettle_aes192_invert_key #define aes192_encrypt nettle_aes192_encrypt #define aes192_decrypt nettle_aes192_decrypt #define aes256_set_encrypt_key nettle_aes256_set_encrypt_key #define aes256_set_decrypt_key nettle_aes256_set_decrypt_key #define aes256_invert_key nettle_aes256_invert_key #define aes256_encrypt nettle_aes256_encrypt #define aes256_decrypt nettle_aes256_decrypt #define AES_BLOCK_SIZE 16 #define AES128_KEY_SIZE 16 #define AES192_KEY_SIZE 24 #define AES256_KEY_SIZE 32 #define _AES128_ROUNDS 10 #define _AES192_ROUNDS 12 #define _AES256_ROUNDS 14 struct aes128_ctx { _NETTLE_ALIGN16 uint32_t keys[4 * (_AES128_ROUNDS + 1)]; }; void aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key); void aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key); void aes128_invert_key(struct aes128_ctx *dst, const struct aes128_ctx *src); void aes128_encrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes128_decrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes192_ctx { _NETTLE_ALIGN16 uint32_t keys[4 * (_AES192_ROUNDS + 1)]; }; void aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key); void aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key); void aes192_invert_key(struct aes192_ctx *dst, const struct aes192_ctx *src); void aes192_encrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes192_decrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes256_ctx { _NETTLE_ALIGN16 uint32_t keys[4 * (_AES256_ROUNDS + 1)]; }; void aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key); void aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key); void aes256_invert_key(struct aes256_ctx *dst, const struct aes256_ctx *src); void aes256_encrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes256_decrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_AES_H_INCLUDED */ nettle-4.0/aes128-decrypt.c0000644000000000000000000000325515141166423012425 0ustar00/* aes128-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes128_decrypt void _nettle_aes128_decrypt_c(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes128_decrypt _nettle_aes128_decrypt_c #endif void nettle_aes128_decrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_decrypt(_AES128_ROUNDS, ctx->keys + 4*_AES128_ROUNDS, &_nettle_aes_decrypt_table, length, dst, src); } nettle-4.0/aes128-encrypt.c0000644000000000000000000000323615141166423012436 0ustar00/* aes128-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes128_encrypt void _nettle_aes128_encrypt_c(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes128_encrypt _nettle_aes128_encrypt_c #endif void nettle_aes128_encrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_encrypt(_AES128_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, length, dst, src); } nettle-4.0/aes128-meta.c0000644000000000000000000000265515141166423011704 0ustar00/* aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes128 = { "aes128", sizeof(struct aes128_ctx), AES_BLOCK_SIZE, AES128_KEY_SIZE, (nettle_set_key_func *) aes128_set_encrypt_key, (nettle_set_key_func *) aes128_set_decrypt_key, (nettle_cipher_func *) aes128_encrypt, (nettle_cipher_func *) aes128_decrypt }; nettle-4.0/aes128-set-decrypt-key.c0000644000000000000000000000357615141166423014012 0ustar00/* aes128-set-decrypt-key.c Key setup for the aes/rijndael block cipher. Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes128_invert_key void _nettle_aes128_invert_key_c(struct aes128_ctx *dst, const struct aes128_ctx *src); # define nettle_aes128_invert_key _nettle_aes128_invert_key_c #endif #if HAVE_NATIVE_aes128_set_decrypt_key void _nettle_aes128_set_decrypt_key_c(struct aes128_ctx *ctx, const uint8_t *key); # define nettle_aes128_set_decrypt_key _nettle_aes128_set_decrypt_key_c #endif void nettle_aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src) { _nettle_aes_invert (_AES128_ROUNDS, dst->keys, src->keys); } void nettle_aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key (ctx, key); aes128_invert_key (ctx, ctx); } nettle-4.0/aes128-set-encrypt-key.c0000644000000000000000000000274615141166423014022 0ustar00/* aes128-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes128_set_encrypt_key void _nettle_aes128_set_encrypt_key_c(struct aes128_ctx *ctx, const uint8_t *key); # define nettle_aes128_set_encrypt_key _nettle_aes128_set_encrypt_key_c #endif void nettle_aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) { _nettle_aes_set_key (_AES128_ROUNDS, AES128_KEY_SIZE / 4, ctx->keys, key); } nettle-4.0/aes192-decrypt.c0000644000000000000000000000325715141166423012430 0ustar00/* aes192-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes192_decrypt void _nettle_aes192_decrypt_c(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes192_decrypt _nettle_aes192_decrypt_c #endif void nettle_aes192_decrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_decrypt(_AES192_ROUNDS, ctx->keys + 4 * _AES192_ROUNDS, &_nettle_aes_decrypt_table, length, dst, src); } nettle-4.0/aes192-encrypt.c0000644000000000000000000000323615141166423012437 0ustar00/* aes192-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes192_encrypt void _nettle_aes192_encrypt_c(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes192_encrypt _nettle_aes192_encrypt_c #endif void nettle_aes192_encrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_encrypt(_AES192_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, length, dst, src); } nettle-4.0/aes192-meta.c0000644000000000000000000000265515141166423011705 0ustar00/* aes192-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes192 = { "aes192", sizeof(struct aes192_ctx), AES_BLOCK_SIZE, AES192_KEY_SIZE, (nettle_set_key_func *) aes192_set_encrypt_key, (nettle_set_key_func *) aes192_set_decrypt_key, (nettle_cipher_func *) aes192_encrypt, (nettle_cipher_func *) aes192_decrypt }; nettle-4.0/aes192-set-decrypt-key.c0000644000000000000000000000351515141166423014004 0ustar00/* aes192-set-decrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes192_invert_key void _nettle_aes192_invert_key_c(struct aes192_ctx *dst, const struct aes192_ctx *src); # define nettle_aes192_invert_key _nettle_aes192_invert_key_c #endif #if HAVE_NATIVE_aes192_set_decrypt_key void _nettle_aes192_set_decrypt_key_c(struct aes192_ctx *ctx, const uint8_t *key); # define nettle_aes192_set_decrypt_key _nettle_aes192_set_decrypt_key_c #endif void nettle_aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src) { _nettle_aes_invert (_AES192_ROUNDS, dst->keys, src->keys); } void nettle_aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key (ctx, key); aes192_invert_key (ctx, ctx); } nettle-4.0/aes192-set-encrypt-key.c0000644000000000000000000000274615141166423014023 0ustar00/* aes192-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes192_set_encrypt_key void _nettle_aes192_set_encrypt_key_c(struct aes192_ctx *ctx, const uint8_t *key); # define nettle_aes192_set_encrypt_key _nettle_aes192_set_encrypt_key_c #endif void nettle_aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) { _nettle_aes_set_key (_AES192_ROUNDS, AES192_KEY_SIZE / 4, ctx->keys, key); } nettle-4.0/aes256-decrypt.c0000644000000000000000000000325715141166423012431 0ustar00/* aes256-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes256_decrypt void _nettle_aes256_decrypt_c(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes256_decrypt _nettle_aes256_decrypt_c #endif void nettle_aes256_decrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_decrypt(_AES256_ROUNDS, ctx->keys + 4 * _AES256_ROUNDS, &_nettle_aes_decrypt_table, length, dst, src); } nettle-4.0/aes256-encrypt.c0000644000000000000000000000323615141166423012440 0ustar00/* aes256-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes256_encrypt void _nettle_aes256_encrypt_c(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes256_encrypt _nettle_aes256_encrypt_c #endif void nettle_aes256_encrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_encrypt(_AES256_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, length, dst, src); } nettle-4.0/aes256-meta.c0000644000000000000000000000265515141166423011706 0ustar00/* aes256-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes256 = { "aes256", sizeof(struct aes256_ctx), AES_BLOCK_SIZE, AES256_KEY_SIZE, (nettle_set_key_func *) aes256_set_encrypt_key, (nettle_set_key_func *) aes256_set_decrypt_key, (nettle_cipher_func *) aes256_encrypt, (nettle_cipher_func *) aes256_decrypt }; nettle-4.0/aes256-set-decrypt-key.c0000644000000000000000000000351515141166423014005 0ustar00/* aes256-set-decrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes256_invert_key void _nettle_aes256_invert_key_c(struct aes256_ctx *dst, const struct aes256_ctx *src); # define nettle_aes256_invert_key _nettle_aes256_invert_key_c #endif #if HAVE_NATIVE_aes256_set_decrypt_key void _nettle_aes256_set_decrypt_key_c(struct aes256_ctx *ctx, const uint8_t *key); # define nettle_aes256_set_decrypt_key _nettle_aes256_set_decrypt_key_c #endif void nettle_aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src) { _nettle_aes_invert (_AES256_ROUNDS, dst->keys, src->keys); } void nettle_aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key (ctx, key); aes256_invert_key (ctx, ctx); } nettle-4.0/aes256-set-encrypt-key.c0000644000000000000000000000274615141166423014024 0ustar00/* aes256-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes256_set_encrypt_key void _nettle_aes256_set_encrypt_key_c(struct aes256_ctx *ctx, const uint8_t *key); # define nettle_aes256_set_encrypt_key _nettle_aes256_set_encrypt_key_c #endif void nettle_aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) { _nettle_aes_set_key (_AES256_ROUNDS, AES256_KEY_SIZE / 4, ctx->keys, key); } nettle-4.0/aesdata.c0000644000000000000000000001434615141166424011360 0ustar00#include #include #include #include #if 1 # define BYTE_FORMAT "0x%02x" # define BYTE_COLUMNS 8 #else # define BYTE_FORMAT "%3d" # define BYTE_COLUMNS 0x10 #endif #define WORD_FORMAT "0x%08lx" #define WORD_COLUMNS 4 unsigned char sbox[0x100]; unsigned char isbox[0x100]; unsigned char gf2_log[0x100]; unsigned char gf2_exp[0x100]; unsigned long dtable[4][0x100]; unsigned long itable[4][0x100]; unsigned long mtable[4][0x100]; static unsigned xtime(unsigned x) { assert (x < 0x100); x <<= 1; if (x & 0x100) x ^= 0x11b; assert (x < 0x100); return x; } /* Computes the exponentiatiom and logarithm tables for GF_2, to the * base x+1 (0x03). The unit element is 1 (0x01).*/ static void compute_log(void) { unsigned i = 0; unsigned x = 1; memset(gf2_log, 0, 0x100); for (i = 0; i < 0x100; i++, x = x ^ xtime(x)) { gf2_exp[i] = x; gf2_log[x] = i; } /* Invalid. */ gf2_log[0] = 0; /* The loop above sets gf2_log[1] = 0xff, which is correct, * but gf2_log[1] = 0 is nicer. */ gf2_log[1] = 0; } static unsigned mult(unsigned a, unsigned b) { return (a && b) ? gf2_exp[ (gf2_log[a] + gf2_log[b]) % 255] : 0; } static unsigned invert(unsigned x) { return x ? gf2_exp[0xff - gf2_log[x]] : 0; } static unsigned affine(unsigned x) { return 0xff & (0x63^x^(x>>4)^(x<<4)^(x>>5)^(x<<3)^(x>>6)^(x<<2)^(x>>7)^(x<<1)); } static void compute_sbox(void) { unsigned i; for (i = 0; i<0x100; i++) { sbox[i] = affine(invert(i)); isbox[sbox[i]] = i; } } /* Generate little endian tables, i.e. the first row of the AES state * arrays occupies the least significant byte of the words. * * The sbox values are multiplied with the column of GF2 coefficients * of the polynomial 03 x^3 + x^2 + x + 02. */ static void compute_dtable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned s = sbox[i]; unsigned j; unsigned long t =( ( (s ^ xtime(s)) << 24) | (s << 16) | (s << 8) | xtime(s) ); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) dtable[j][i] = t; } } /* The inverse sbox values are multiplied with the column of GF2 coefficients * of the polynomial inverse 0b x^3 + 0d x^2 + 09 x + 0e. */ static void compute_itable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned s = isbox[i]; unsigned j; unsigned long t = ( (mult(s, 0xb) << 24) | (mult(s, 0xd) << 16) | (mult(s, 0x9) << 8) | (mult(s, 0xe) )); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) itable[j][i] = t; } } /* Used for key inversion, inverse mix column. No sbox. */ static void compute_mtable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned j; unsigned long t = ( (mult(i, 0xb) << 24) | (mult(i, 0xd) << 16) | (mult(i, 0x9) << 8) | (mult(i, 0xe) )); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) mtable[j][i] = t; } } static void display_byte_table(const char *name, unsigned char *table) { unsigned i, j; printf("uint8_t %s[0x100] =\n{", name); for (i = 0; i<0x100; i+= BYTE_COLUMNS) { printf("\n "); for (j = 0; j #include "arcfour.h" #define SWAP(a,b) do { int _t = a; a = b; b = _t; } while(0) void arcfour_set_key(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) { unsigned i, j, k; assert(length >= ARCFOUR_MIN_KEY_SIZE); assert(length <= ARCFOUR_MAX_KEY_SIZE); /* Initialize context */ for (i = 0; i<256; i++) ctx->S[i] = i; for (i = j = k = 0; i<256; i++) { j += ctx->S[i] + key[k]; j &= 0xff; SWAP(ctx->S[i], ctx->S[j]); /* Repeat key as needed */ k = (k + 1) % length; } ctx->i = ctx->j = 0; } void arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key) { arcfour_set_key (ctx, ARCFOUR128_KEY_SIZE, key); } void arcfour_crypt(struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { register uint8_t i, j; register int si, sj; i = ctx->i; j = ctx->j; while(length--) { i++; i &= 0xff; si = ctx->S[i]; j += si; j &= 0xff; sj = ctx->S[i] = ctx->S[j]; ctx->S[j] = si; *dst++ = *src++ ^ ctx->S[ (si + sj) & 0xff ]; } ctx->i = i; ctx->j = j; } nettle-4.0/arcfour.h0000644000000000000000000000365015141166424011420 0ustar00/* arcfour.h The arcfour/rc4 stream cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ARCFOUR_H_INCLUDED #define NETTLE_ARCFOUR_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define arcfour128_set_key nettle_arcfour128_set_key #define arcfour_set_key nettle_arcfour_set_key #define arcfour_crypt nettle_arcfour_crypt /* Minimum and maximum keysizes, and a reasonable default. In * octets.*/ #define ARCFOUR_MIN_KEY_SIZE 1 #define ARCFOUR_MAX_KEY_SIZE 256 #define ARCFOUR_KEY_SIZE 16 #define ARCFOUR128_KEY_SIZE 16 struct arcfour_ctx { uint8_t S[256]; uint8_t i; uint8_t j; }; void arcfour_set_key(struct arcfour_ctx *ctx, size_t length, const uint8_t *key); void arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key); void arcfour_crypt(struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_ARCFOUR_H_INCLUDED */ nettle-4.0/arctwo-meta.c0000644000000000000000000000372415141166423012176 0ustar00/* arctwo-meta.c Copyright (C) 2004 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "arctwo.h" #define ARCTWO(bits) { \ "arctwo" #bits, sizeof (struct arctwo_ctx), \ ARCTWO_BLOCK_SIZE, bits/8, \ (nettle_set_key_func *) arctwo ## bits ## _set_key, \ (nettle_set_key_func *) arctwo ## bits ## _set_key, \ (nettle_cipher_func *) arctwo_encrypt, \ (nettle_cipher_func *) arctwo_decrypt, \ } const struct nettle_cipher nettle_arctwo40 = ARCTWO(40); const struct nettle_cipher nettle_arctwo64 = ARCTWO(64); const struct nettle_cipher nettle_arctwo128 = ARCTWO(128); /* Gutmann variant. */ const struct nettle_cipher nettle_arctwo_gutmann128 = { "arctwo_gutmann128", sizeof (struct arctwo_ctx), ARCTWO_BLOCK_SIZE, 16, (nettle_set_key_func *) arctwo128_set_key_gutmann, (nettle_set_key_func *) arctwo128_set_key_gutmann, (nettle_cipher_func *) arctwo_encrypt, (nettle_cipher_func *) arctwo_decrypt, }; nettle-4.0/arctwo.c0000644000000000000000000001612315141166423011247 0ustar00/* arctwo.c The cipher described in rfc2268; aka Ron's Cipher 2. Copyright (C) 2004 Simon Josefsson Copyright (C) 2003 Nikos Mavroyanopoulos Copyright (C) 2004 Free Software Foundation, Inc. Copyright (C) 2004, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This implementation was written by Nikos Mavroyanopoulos for GNUTLS * as a Libgcrypt module (gnutls/lib/x509/rc2.c) and later adapted for * direct use by Libgcrypt by Werner Koch and later adapted for direct * use by Nettle by Simon Josefsson and Niels Möller. * * The implementation here is based on Peter Gutmann's RRC.2 paper and * RFC 2268. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "arctwo.h" #include "macros.h" static const uint8_t arctwo_sbox[] = { 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32, 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26, 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a, 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc, 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31, 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e, 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad }; #define rotl16(x,n) (((x) << ((uint16_t)(n))) | ((x) >> (16 - (uint16_t)(n)))) #define rotr16(x,n) (((x) >> ((uint16_t)(n))) | ((x) << (16 - (uint16_t)(n)))) void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { register unsigned i; uint16_t w0, w1, w2, w3; w0 = LE_READ_UINT16 (&src[0]); w1 = LE_READ_UINT16 (&src[2]); w2 = LE_READ_UINT16 (&src[4]); w3 = LE_READ_UINT16 (&src[6]); for (i = 0; i < 16; i++) { register unsigned j = i * 4; /* For some reason I cannot combine those steps. */ w0 += (w1 & ~w3) + (w2 & w3) + ctx->S[j]; w0 = rotl16 (w0, 1); w1 += (w2 & ~w0) + (w3 & w0) + ctx->S[j + 1]; w1 = rotl16 (w1, 2); w2 += (w3 & ~w1) + (w0 & w1) + ctx->S[j + 2]; w2 = rotl16 (w2, 3); w3 += (w0 & ~w2) + (w1 & w2) + ctx->S[j + 3]; w3 = rotl16 (w3, 5); if (i == 4 || i == 10) { w0 += ctx->S[w3 & 63]; w1 += ctx->S[w0 & 63]; w2 += ctx->S[w1 & 63]; w3 += ctx->S[w2 & 63]; } } LE_WRITE_UINT16 (&dst[0], w0); LE_WRITE_UINT16 (&dst[2], w1); LE_WRITE_UINT16 (&dst[4], w2); LE_WRITE_UINT16 (&dst[6], w3); } } void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { register unsigned i; uint16_t w0, w1, w2, w3; w0 = LE_READ_UINT16 (&src[0]); w1 = LE_READ_UINT16 (&src[2]); w2 = LE_READ_UINT16 (&src[4]); w3 = LE_READ_UINT16 (&src[6]); for (i = 16; i-- > 0; ) { register unsigned j = i * 4; w3 = rotr16 (w3, 5); w3 -= (w0 & ~w2) + (w1 & w2) + ctx->S[j + 3]; w2 = rotr16 (w2, 3); w2 -= (w3 & ~w1) + (w0 & w1) + ctx->S[j + 2]; w1 = rotr16 (w1, 2); w1 -= (w2 & ~w0) + (w3 & w0) + ctx->S[j + 1]; w0 = rotr16 (w0, 1); w0 -= (w1 & ~w3) + (w2 & w3) + ctx->S[j]; if (i == 5 || i == 11) { w3 = w3 - ctx->S[w2 & 63]; w2 = w2 - ctx->S[w1 & 63]; w1 = w1 - ctx->S[w0 & 63]; w0 = w0 - ctx->S[w3 & 63]; } } LE_WRITE_UINT16 (&dst[0], w0); LE_WRITE_UINT16 (&dst[2], w1); LE_WRITE_UINT16 (&dst[4], w2); LE_WRITE_UINT16 (&dst[6], w3); } } void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t *key, unsigned ekb) { size_t i; /* Expanded key, treated as octets */ uint8_t S[128]; uint8_t x; assert (length >= ARCTWO_MIN_KEY_SIZE); assert (length <= ARCTWO_MAX_KEY_SIZE); assert (ekb <= 1024); for (i = 0; i < length; i++) S[i] = key[i]; /* Phase 1: Expand input key to 128 bytes */ for (i = length; i < ARCTWO_MAX_KEY_SIZE; i++) S[i] = arctwo_sbox[(S[i - length] + S[i - 1]) & 255]; S[0] = arctwo_sbox[S[0]]; /* Reduce effective key size to ekb bits, if requested by caller. */ if (ekb > 0 && ekb < 1024) { int len = (ekb + 7) >> 3; i = 128 - len; x = arctwo_sbox[S[i] & (255 >> (7 & -ekb))]; S[i] = x; while (i--) { x = arctwo_sbox[x ^ S[i + len]]; S[i] = x; } } /* Make the expanded key endian independent. */ for (i = 0; i < 64; i++) ctx->S[i] = LE_READ_UINT16(S + i * 2); } void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 8 * length); } void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 0); } void arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 5, key, 40); } void arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 8, key, 64); } void arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 16, key, 128); } void arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 16, key, 1024); } nettle-4.0/arctwo.h0000644000000000000000000000570515141166424011261 0ustar00/* arctwo.h The arctwo/rfc2268 block cipher. Copyright (C) 2004 Simon Josefsson Copyright (C) 2002, 2004, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ARCTWO_H_INCLUDED #define NETTLE_ARCTWO_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define arctwo_set_key nettle_arctwo_set_key #define arctwo_set_key_ekb nettle_arctwo_set_key_ekb #define arctwo_set_key_gutmann nettle_arctwo_set_key_gutmann #define arctwo40_set_key nettle_arctwo40_set_key #define arctwo64_set_key nettle_arctwo64_set_key #define arctwo128_set_key nettle_arctwo128_set_key #define arctwo128_set_key_gutmann nettle_arctwo128_set_key_gutmann #define arctwo_encrypt nettle_arctwo_encrypt #define arctwo_decrypt nettle_arctwo_decrypt #define ARCTWO_BLOCK_SIZE 8 /* Variable key size from 1 byte to 128 bytes. */ #define ARCTWO_MIN_KEY_SIZE 1 #define ARCTWO_MAX_KEY_SIZE 128 #define ARCTWO_KEY_SIZE 8 struct arctwo_ctx { uint16_t S[64]; }; /* Key expansion function that takes the "effective key bits", 1-1024, as an explicit argument. 0 means maximum key bits. */ void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t * key, unsigned ekb); /* Equvivalent to arctwo_set_key_ekb, with ekb = 8 * length */ void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key); void arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key); /* Equvivalent to arctwo_set_key_ekb, with ekb = 1024 */ void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key); void arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_ARCTWO_H_INCLUDED */ nettle-4.0/arm/0000755000000000000000000000000015141166424010361 5ustar00nettle-4.0/arm/README0000644000000000000000000001044315141166424011243 0ustar00Currently, code in this directory is written for arm cortex-a9. For efficient loads and stores, use ldmia, stmia and friends. Can do two loads or stores per cycle with 8-byte aligned addresses, or three loads or stores in two cycles, regardless of alignment. 12 usable registers (if we exclude r9). ABI gnueabi(hf) (not depending on the floating point conventions) Registers May be Argument clobbered number r0 Y 1 r1 Y 2 r2 Y 3 r3 Y 4 r4 N r5 N r6 N r7 N r8 N r9 (sl) r10 N r11 N r12 (ip) Y r13 (sp) r14 (lr) N r15 (pc) q0 (d0, d1) Y 1 (for "hf" abi) q1 (d2, d3) Y 2 q2 (d4, d5) Y 3 q3 (d6, d7) Y 4 q4 (d8, d9) N q5 (d10, d11) N q6 (d12, d13) N q7 (d14, d15) N q8 (d16, d17) Y q9 (d18, d19) Y q10 (d20, d21) Y q11 (d22, d23) Y q12 (d24, d25) Y q13 (d26, d27) Y q14 (d28, d29) Y q15 (d30, d31) Y Endianness ARM supports big- and little-endian memory access modes. Representation in registers stays the same but loads and stores switch bytes. This has to be taken into account in various cases. Two m4 macros are provided to handle these special cases in assembly source: IF_LE(,) IF_BE(,) respectively expand to if the target system's endianness is little-endian or big-endian. Otherwise they expand to . 1. ldr/str Loading and storing 32-bit words will reverse the words' bytes in little-endian mode. If the handled data is actually a byte sequence or data in network byte order (big-endian), the loaded word needs to be reversed after load to get it back into correct sequence. See v6/sha1-compress.asm LOAD macro for example. 2. shifts If data is to be processed with bit operations only, endianness can be ignored because byte-swapping on load and store will cancel each other out. Shifts however have to be inverted. See arm/memxor.asm for an example. 3. v{ld,st}1.{8,32} NEON's vld instruction can be used to produce endianness-neutral code. vld1.8 will load a byte sequence into a register regardless of memory endianness. This can be used to process byte sequences. See arm/neon/umac-nh.asm for example. In the same fashion, vst1.8 can be used do a little-endian store. See arm/neon/salsa and chacha routines for examples. NOTE: vst1.x (at least on the Allwinner A20 Cortex-A7 implementation) seems to interfer with itself on subsequent calls, slowing it down. This can be avoided by putting calculcations or loads inbetween two vld1.x stores. Similarly, vld1.32 is used in chacha and salsa routines where 32-bit operands are stored in host-endianness in RAM but need to be loaded sequentially without the distortion introduced by vldm/vstm. Consecutive vld1.x instructions do not seem to suffer from slowdown similar to vst1.x. 4. vldm/vstm Care has to be taken when using vldm/vstm because they have two non-obvious characteristics: a. vldm/vstm do normal byte-swapping on each value they load. When loading into d (doubleword) registers, this means that bytes, halfwords and words of the doubleword get swapped. When the data loaded actually represents e.g. vectors of 32-bit words this will swap columns. a. vldm/vstm on q (quadword) registers get translated into lvdm/vstm on the equivalent number of d (doubleword) registers. Instead of a 128-bit load it does two 64-bit loads. When again handling vectors of 32-bit words this will still swap adjacent columns but will not reverse all four columns. memory adr0: w0 w1 w2 w3 register q0: w1 w0 w3 w2 See arm/neon/chacha-core-internal.asm for an example. 5. simple byte store Sometimes it is necessary to store remaining single bytes to memory. A simple logic will store the lowest byte from a register, then do a right shift and start over until all bytes are stored. Since this constitutes a least-significant-byte-first store, the data to be stored needs to be reversed first on a big-endian system. See arm/memxor.asm Lmemxor_leftover for an example. 6. Function parameters/return values AAPCS requires 64-bit parameters to be passed to and returned from functions "in two consecutive registers [...] as if the value had been loaded from memory representation with a single LDM instruction." Since loading a big-endian doubleword using ldm transposes its words, the same has to be done when e.g. returning a 64-bit value from an assembler routine. See arm/neon/umac-nh.asm for an example. nettle-4.0/arm/aes-decrypt-internal.asm0000644000000000000000000001034215141166424015115 0ustar00C arm/aes-decrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`arm/aes.m4') define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`PARAM_LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`MASK', `r0') C Overlaps inputs, except TABLE define(`X0', `r1') define(`X1', `r3') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') define(`FRAME_LENGTH', `[sp, #+8]') C 8 saved registers define(`FRAME_DST', `[sp, #+44]') define(`FRAME_SRC', `[sp, #+48]') define(`AES_DECRYPT_ROUND', ` and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] and T0, MASK, $2, lsl #2 ldr $6, [TABLE, T0] and T0, MASK, $3, lsl #2 ldr $7, [TABLE, T0] and T0, MASK, $4, lsl #2 ldr $8, [TABLE, T0] and T0, MASK, $4, ror #6 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $1, ror #6 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $2, ror #6 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $3, ror #6 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $3, ror #14 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $4, ror #14 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $1, ror #14 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $2, ror #14 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $2, ror #22 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $3, ror #22 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $4, ror #22 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $1, ror #22 ldr T0, [TABLE, T0] ldm $9, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 sub $9, $9, #16 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_decrypt) teq PARAM_LENGTH, #0 beq .Lend push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: ldr X0, FRAME_SRC C Use X0 as SRC pointer ldm sp, {COUNT, KEY} AES_LOAD(X0,KEY,W0) AES_LOAD(X0,KEY,W1) AES_LOAD(X0,KEY,W2) AES_LOAD_INCR(X0,KEY,W3, -28) str X0, FRAME_SRC add TABLE, TABLE, #AES_TABLE0 b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round AES_FINAL_ROUND_V5(X0, X3, X2, X1, KEY, W0, COUNT) AES_FINAL_ROUND_V5(X1, X0, X3, X2, KEY, W1, COUNT) AES_FINAL_ROUND_V5(X2, X1, X0, X3, KEY, W2, COUNT) AES_FINAL_ROUND_V5(X3, X2, X1, X0, KEY, W3, COUNT) ldr X0, FRAME_DST ldr X1, FRAME_LENGTH AES_STORE(X0,W0) AES_STORE(X0,W1) AES_STORE(X0,W2) AES_STORE(X0,W3) subs X1, X1, #16 str X0, FRAME_DST str X1, FRAME_LENGTH bhi .Lblock_loop add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_decrypt) nettle-4.0/arm/aes-encrypt-internal.asm0000644000000000000000000001075115141166424015133 0ustar00C arm/aes-encrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`arm/aes.m4') C Benchmarked at at 725, 815, 990 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`PARAM_LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`MASK', `r0') C Overlaps inputs, except TABLE define(`X0', `r1') define(`X1', `r3') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') define(`FRAME_LENGTH', `[sp, #+8]') C 8 saved registers define(`FRAME_DST', `[sp, #+44]') define(`FRAME_SRC', `[sp, #+48]') C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) C MASK should hold the constant 0x3fc. define(`AES_ENCRYPT_ROUND', ` and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] and T0, MASK, $2, lsl #2 ldr $6, [TABLE, T0] and T0, MASK, $3, lsl #2 ldr $7, [TABLE, T0] and T0, MASK, $4, lsl #2 ldr $8, [TABLE, T0] and T0, MASK, $2, ror #6 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $3, ror #6 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $4, ror #6 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $1, ror #6 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $3, ror #14 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $4, ror #14 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $1, ror #14 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $2, ror #14 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $4, ror #22 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $1, ror #22 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $2, ror #22 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $3, ror #22 ldr T0, [TABLE, T0] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_encrypt) teq PARAM_LENGTH, #0 beq .Lend push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: ldr X0, FRAME_SRC C Use X0 as SRC pointer ldm sp, {COUNT, KEY} AES_LOAD(X0,KEY,W0) AES_LOAD(X0,KEY,W1) AES_LOAD(X0,KEY,W2) AES_LOAD(X0,KEY,W3) str X0, FRAME_SRC add TABLE, TABLE, #AES_TABLE0 b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round AES_FINAL_ROUND_V5(X0, X1, X2, X3, KEY, W0, COUNT) AES_FINAL_ROUND_V5(X1, X2, X3, X0, KEY, W1, COUNT) AES_FINAL_ROUND_V5(X2, X3, X0, X1, KEY, W2, COUNT) AES_FINAL_ROUND_V5(X3, X0, X1, X2, KEY, W3, COUNT) ldr X0, FRAME_DST ldr X1, FRAME_LENGTH AES_STORE(X0,W0) AES_STORE(X0,W1) AES_STORE(X0,W2) AES_STORE(X0,W3) subs X1, X1, #16 str X0, FRAME_DST str X1, FRAME_LENGTH bhi .Lblock_loop add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_encrypt) nettle-4.0/arm/aes.m40000644000000000000000000000260115141166424011372 0ustar00C Loads one word, and adds it to the subkey. Uses T0 C AES_LOAD(SRC, KEY, REG, INCR) define(`AES_LOAD_INCR', ` ldrb $3, [$1], #+1 ldrb T0, [$1], #+1 orr $3, T0, lsl #8 ldrb T0, [$1], #+1 orr $3, T0, lsl #16 ldrb T0, [$1], #+1 orr $3, T0, lsl #24 ldr T0, [$2], #$4 eor $3, T0 ') C Loads one word, and adds it to the subkey. Uses T0 C AES_LOAD(SRC, KEY, REG) define(`AES_LOAD', `AES_LOAD_INCR($1, $2, $3, +4)') C Stores one word. Destroys input. C AES_STORE(DST, X) define(`AES_STORE', ` strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ') C AES_FINAL_ROUND_V6(a,b,c,d,key,res) define(`AES_FINAL_ROUND_V6', ` uxtb T0, $1 ldrb $6, [TABLE, T0] uxtb T0, $2, ror #8 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #8 uxtb T0, $3, ror #16 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #16 ldrb T0, [TABLE, $4, lsr #24] eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, $6, T0 ') C AES_FINAL_ROUND_V5(a,b,c,d,key,res,mask) C Avoids the uxtb instruction, introduced in ARMv6. C The mask argument should hold the constant 0xff define(`AES_FINAL_ROUND_V5', ` and T0, $7, $1 ldrb $6, [TABLE, T0] and T0, $7, $2, ror #8 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #8 and T0, $7, $3, ror #16 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #16 ldrb T0, [TABLE, $4, lsr #24] eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, T0 ') nettle-4.0/arm/ecc-secp192r1-modp.asm0000644000000000000000000000457515141166424014214 0ustar00C arm/ecc-secp192r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp192r1-modp.asm" .arm define(`HP', `r0') C Overlaps unused modulo argument define(`RP', `r1') define(`XP', `r2') define(`T0', `r3') define(`T1', `r4') define(`T2', `r5') define(`T3', `r6') define(`T4', `r7') define(`T5', `r8') define(`T6', `r10') define(`T7', `r11') define(`H0', `T0') C Overlaps T0 and T1 define(`H1', `T1') define(`C2', `HP') define(`C4', `r12') C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp192r1_modp) push {r4,r5,r6,r7,r8,r10,r11} C Reduce two words at a time add HP, XP, #48 add XP, XP, #8 ldmdb HP!, {H0,H1} ldm XP, {T2,T3,T4,T5,T6,T7} mov C4, #0 adds T4, T4, H0 adcs T5, T5, H1 adcs T6, T6, H0 adcs T7, T7, H1 C Need to add carry to T2 and T4, do T4 later. adc C4, C4, #0 ldmdb HP!, {H0,H1} mov C2, #0 adcs T2, T2, H0 adcs T3, T3, H1 adcs T4, T4, H0 adcs T5, T5, H1 C Need to add carry to T0 and T2, do T2 later adc C2, C2, #0 ldmdb XP!, {T0, T1} adcs T0, T0, T6 adcs T1, T1, T7 adcs T2, T2, T6 adcs T3, T3, T7 adc C4, C4, #0 adds T2, T2, C2 adcs T3, T3, #0 adcs T4, T4, C4 adcs T5, T5, #0 mov C2, #0 adc C2, C2, #0 C Add in final carry adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, C2 adcs T3, T3, #0 adcs T4, T4, #0 adc T5, T5, #0 stm RP, {T0,T1,T2,T3,T4,T5} pop {r4,r5,r6,r7,r8,r10,r11} bx lr EPILOGUE(_nettle_ecc_secp192r1_modp) nettle-4.0/arm/ecc-secp224r1-modp.asm0000644000000000000000000000563615141166424014207 0ustar00C arm/ecc-secp224r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp224r1-modp.asm" .arm define(`RP', `r1') C Overlaps T0 define(`XP', `r2') define(`H', `r0') C Overlaps unused modulo argument define(`T0', `r1') define(`T1', `r3') define(`T2', `r4') define(`T3', `r5') define(`T4', `r6') define(`T5', `r7') define(`T6', `r8') define(`N3', `r10') define(`L0', `r11') define(`L1', `r12') define(`L2', `lr') C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp224r1_modp) C Pushes RP last push {r1,r4,r5,r6,r7,r8,r10,r11,lr} add L2, XP, #28 ldm L2, {T0,T1,T2,T3,T4,T5,T6} mov H, #0 adds T0, T0, T4 adcs T1, T1, T5 adcs T2, T2, T6 adc H, H, #0 C This switch from adcs to sbcs takes carry into account with C correct sign, but it always subtracts 1 too much. We arrange C to also add B^7 + 1 below, so the effect is adding p. This C addition of p also ensures that the result never is C negative. sbcs N3, T3, T0 sbcs T4, T4, T1 sbcs T5, T5, T2 sbcs T6, T6, H mov H, #1 C This is the B^7 sbc H, #0 subs T6, T6, T3 sbc H, #0 C Now subtract from low half ldm XP!, {L0,L1,L2} C Clear carry, with the sbcs, this is the 1. adds XP, #0 sbcs T0, L0, T0 sbcs T1, L1, T1 sbcs T2, L2, T2 ldm XP!, {T3,L0,L1,L2} sbcs T3, T3, N3 sbcs T4, L0, T4 sbcs T5, L1, T5 sbcs T6, L2, T6 rsc H, H, #0 C Now -2 <= H <= 0 is the borrow, so subtract (B^3 - 1) |H| C Use (B^3 - 1) H = if -1 <=H <= 0, and C (B^3 - 1) H = <1,B-1, B-1, B-2> if H = -2 subs T0, T0, H asr L1, H, #1 sbcs T1, T1, L1 eor H, H, L1 sbcs T2, T2, L1 sbcs T3, T3, H sbcs T4, T4, #0 sbcs T5, T5, #0 sbcs T6, T6, #0 sbcs H, H, H pop {XP} C Original RP C Final borrow, subtract (B^3 - 1) |H| subs T0, T0, H sbcs T1, T1, H sbcs T2, T2, H sbcs T3, T3, #0 sbcs T4, T4, #0 sbcs T5, T5, #0 sbcs T6, T6, #0 stm XP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(_nettle_ecc_secp224r1_modp) nettle-4.0/arm/ecc-secp256r1-redc.asm0000644000000000000000000000720315141166424014162 0ustar00C arm/ecc-secp256r1-redc.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp256r1-redc.asm" .arm define(`RP', `r1') C Overlaps T1 below define(`XP', `r2') define(`T0', `r0') C Overlaps unused modulo argument define(`T1', `r1') define(`T2', `r3') define(`T3', `r4') define(`T4', `r5') define(`T5', `r6') define(`T6', `r7') define(`T7', `r8') define(`F0', `r10') define(`F1', `r11') define(`F2', `r12') define(`F3', `lr') C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp256r1_redc) C Pushes RP last push {r1, r4,r5,r6,r7,r8,r10,r11,lr} ldm XP!, {T0,T1,T2,T3,T4,T5,T6,T7} C Set to the high 4 limbs of (B^2-B+1) C T2 T1 C T2 T1 T0 C - T2 T1 T0 C ------------- C F3 F2 F1 F0 adds F1, T0, T2 adcs F2, T1, #0 adc F3, T2, #0 subs F0, T1, T0 sbcs F1, F1, T1 C Could also be rsc ? sbcs F2, F2, T2 sbc F3, F3, #0 C Add: C T10 T9 T8 T7 T6 T5 T4 T3 C + F3 F2 F1 F0 T0 T2 T1 T0 C -------------------------- C T7 T6 T5 T4 T3 T2 T1 T0 adds T3, T3, T0 adcs T1, T4, T1 adcs T2, T5, T2 adcs T6, T6, T0 mov T0, T3 C FIXME: Be more clever? mov T3, T6 adcs T4, T7, F0 ldm XP!, {T5,T6,T7} adcs T5, T5, F1 adcs T6, T6, F2 adcs T7, T7, F3 C New F3, F2, F1, F0, also adding in carry adcs F1, T0, T2 adcs F2, T1, #0 adc F3, T2, #0 subs F0, T1, T0 sbcs F1, F1, T1 C Could also be rsc ? sbcs F2, F2, T2 sbc F3, F3, #0 C Start adding adds T3, T3, T0 adcs T1, T4, T1 adcs T2, T5, T2 adcs T6, T6, T0 mov T0, T3 C FIXME: Be more clever? mov T3, T6 adcs T4, T7, F0 ldm XP!, {T5,T6,T7} adcs T5, T5, F1 adcs T6, T6, F2 adcs T7, T7, F3 C Final iteration, eliminate only T0, T1 C Set to the high 3 limbs of (B^2-B+1) C T1 T0 T1 C - T1 T0 C ------------- C F2 F1 F0 C First add in carry adcs F1, T0, #0 adcs F2, T1, #0 subs F0, T1, T0 sbcs F1, F1, T1 sbc F2, F2, #0 C Add: C T9 T8 T7 T6 T5 T4 T3 T2 C + F2 F1 F0 T0 0 T1 T0 0 C -------------------------- C F2 F1 T7 T6 T5 T4 T3 T2 adds T3, T3, T0 adcs T4, T4, T1 adcs T5, T5, #0 adcs T6, T6, T0 adcs T7, T7, F0 ldm XP!, {T0, T1} mov F3, #0 adcs F1, F1, T0 adcs F2, F2, T1 C Sum is < B^8 + p, so it's enough to fold carry once, C If carry, add in C B^7 - B^6 - B^3 + 1 = <0, B-2, B-1, B-1, B-1, 0, 0, 1> C Mask from carry flag, leaving carry intact adc F3, F3, #0 rsb F3, F3, #0 pop {XP} C Original RP adcs T0, T2, #0 adcs T1, T3, #0 adcs T2, T4, #0 adcs T3, T5, F3 adcs T4, T6, F3 adcs T5, T7, F3 and F3, F3, #-2 adcs T6, F1, F3 adcs T7, F2, #0 stm XP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(_nettle_ecc_secp256r1_redc) nettle-4.0/arm/ecc-secp384r1-modp.asm0000644000000000000000000001201015141166424014176 0ustar00C arm/ecc-secp384r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp384r1-modp.asm" .arm define(`RP', `r1') define(`XP', `r2') define(`T0', `r0') define(`T1', `r3') define(`T2', `r4') define(`T3', `r5') define(`F0', `r6') define(`F1', `r7') define(`F2', `r8') define(`F3', `r10') define(`F4', `r11') define(`N', `r12') define(`H', `lr') C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp384r1_modp) push {r4,r5,r6,r7,r8,r10,r11,lr} add XP, XP, #80 ldm XP, {T0, T1, T2, T3} C 20-23 C First get top 4 limbs, which need folding twice, as C C T3 T2 T1 T0 C T3 T2 T1 C -T3 C ---------------- C F4 F3 F2 F1 F0 C C Start with C C T3 T1 T0 C T1 C -T3 C ----------- C F2 F1 F0 Always fits adds F0, T0, T1 adcs F1, T1, #0 adcs F2, T3, #0 subs F0, F0, T3 sbcs F1, F1, #0 sbcs F2, F2, #0 C T3 T2 T2 0 C F2 F1 F0 C ---------------- C F4 F3 F2 F1 F0 mov F4, #0 adds F1, F1, T2 adcs F2, F2, T2 adcs F3, T3, #0 adcs F4, F4, #0 C Add in to high part sub XP, XP, #32 ldm XP, {T0, T1, T2, T3} C 12-15 mov H, #0 adds F0, T0, F0 adcs F1, T1, F1 adcs F2, T2, F2 adcs F3, T3, F3 adcs F4, F4, #0 C Do F4 later C Add to low part, keeping carry (positive or negative) in H sub XP, XP, #48 ldm XP, {T0, T1, T2, T3} C 0-3 mov H, #0 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 subs T1, T1, F0 sbcs T2, T2, F1 sbcs T3, T3, F2 sbc H, H, #0 adds T3, T3, F0 adc H, H, #0 stm XP!, {T0,T1,T2,T3} C 0-3 mov N, #2 .Loop: ldm XP, {T0,T1,T2,T3} C 4-7 C First, propagate carry adds T0, T0, H asr H, #31 C Sign extend adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H adc H, H, #0 C +B^4 term adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 C +B^3 terms ldr F0, [XP, #+48] C 16 adds T0, T0, F1 adcs T1, T1, F2 adcs T2, T2, F3 adcs T3, T3, F0 adc H, H, #0 C -B ldr F1, [XP, #+52] C 17-18 ldr F2, [XP, #+56] subs T0, T0, F3 sbcs T1, T1, F0 sbcs T2, T2, F1 sbcs T3, T3, F2 sbcs H, H, #0 C +1 ldr F3, [XP, #+60] C 19 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 subs N, N, #1 stm XP!, {T0,T1,T2,T3} bne .Loop C Fold high limbs, we need to add in C C F4 F4 0 -F4 F4 H H 0 -H H C C We always have F4 >= 0, but we can have H < 0. C Sign extension gets tricky when F4 = 0 and H < 0. sub XP, XP, #48 ldm XP, {T0,T1,T2,T3} C 0-3 C H H 0 -H H C ---------------- C S H F3 F2 F1 F0 C C Define S = H >> 31 (asr), we then have C C F0 = H C F1 = S - H C F2 = - [H > 0] C F3 = H - [H > 0] C H = H + S C C And we get underflow in S - H iff H > 0 C H = 0 H > 0 H = -1 mov F0, H C 0 H -1 asr H, #31 subs F1, H, F0 C 0,C=1 -H,C=0 0,C=1 sbc F2, F2, F2 C 0 -1 0 sbc F3, F0, #0 C 0 H-1 -1 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, F0 C 0+cy H+cy -2+cy stm XP!, {T0,T1,T2,T3} C 0-3 ldm XP, {T0,T1,T2,T3} C 4-7 C F4 0 -F4 C --------- C F3 F2 F1 rsbs F1, F4, #0 sbc F2, F2, F2 sbc F3, F4, #0 C Sign extend H adds F0, F4, H asr H, H, #31 adcs F1, F1, H adcs F2, F2, H adcs F3, F3, H adcs F4, F4, H adc H, H, #0 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 stm XP!, {T0,T1,T2,T3} C 4-7 ldm XP, {T0,T1,T2,T3} C 8-11 adcs T0, T0, F4 adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H adc H, H, #0 stm XP, {T0,T1,T2,T3} C 8-11 C Final (unlikely) carry sub XP, XP, #32 ldm XP!, {T0,T1,T2,T3} C 0-3 C Fold H into F0-F4 mov F0, H asr H, #31 subs F1, H, F0 sbc F2, F2, F2 sbc F3, F0, #0 add F4, F0, H adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 stm RP!, {T0,T1,T2,T3} C 0-3 ldm XP!, {T0,T1,T2,T3} C 4-7 adcs T0, T0, F4 adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H stm RP!, {T0,T1,T2,T3} C 4-7 ldm XP, {T0,T1,T2,T3} C 8-11 adcs T0, T0, H adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H stm RP, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(_nettle_ecc_secp384r1_modp) nettle-4.0/arm/ecc-secp521r1-modp.asm0000644000000000000000000000570115141166424014200 0ustar00C arm/ecc-secp521r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp521r1-modp.asm" .arm define(`HP', `r0') define(`RP', `r1') define(`XP', `r2') define(`T0', `r3') define(`T1', `r4') define(`T2', `r5') define(`F0', `r6') define(`F1', `r7') define(`F2', `r8') define(`F3', `r10') define(`H', `r12') define(`N', `lr') C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .Lc511: .int 511 .align 2 PROLOGUE(_nettle_ecc_secp521r1_modp) push {r4,r5,r6,r7,r8,r10,lr} C Use that B^17 = 2^23 (mod p) ldr F3, [XP, #+68] C 17 add HP, XP, #72 C 18 ldr T0, [XP] C 0 adds T0, T0, F3, lsl #23 str T0, [XP], #+4 mov N, #5 C 5 iterations, reading limbs 18-20, 21-23, 24-26, 27-29, 30-32 C and adding to limbs 1-3, 4-6, 7-9, 19-12, 13-15 .Loop: ldm XP, {T0,T1,T2} C 1+3*k -- 3+3*k lsr F0, F3, #9 ldm HP!, {F1,F2,F3} C 18+3*k -- 20+3*k orr F0, F0, F1, lsl #23 lsr F1, F1, #9 orr F1, F1, F2, lsl #23 lsr F2, F2, #9 orr F2, F2, F3, lsl #23 adcs T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 sub N, N, #1 stm XP!,{T0,T1,T2} teq N, #0 bne .Loop ldr F0, [XP], #-64 C 16 ldr F1, [HP] C 33 ldr T0, .Lc511 C Handling of high limbs C F0 = rp[16] + carry in + F3 >> 9 adcs F0, F0, F3, lsr #9 C Copy low 9 bits to H, then shift right including carry and H, F0, T0 mov F0, F0, rrx lsr F0, F0, #8 C Add in F1 = rp[33], with weight 2^1056 = 2^14 adds F0, F0, F1, lsl #14 lsr F1, F1, #18 adc F1, F1, #0 ldm XP!, {T0, T1} C 0-1 adds T0, T0, F0 adcs T1, T1, F1 stm RP!, {T0, T1} ldm XP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, #0 adcs F0, F0, #0 adcs F1, F1, #0 adcs F2, F2, #0 adcs F3, F3, #0 stm RP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 ldm XP, {T0,T1,T2,F0,F1,F2,F3} C 9-15 adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, #0 adcs F0, F0, #0 adcs F1, F1, #0 adcs F2, F2, #0 adcs F3, F3, #0 adcs H, H, #0 stm RP, {T0,T1,T2,F0,F1,F2,F3,H} C 9-16 pop {r4,r5,r6,r7,r8,r10,pc} EPILOGUE(_nettle_ecc_secp521r1_modp) nettle-4.0/arm/fat/0000755000000000000000000000000015141166424011133 5ustar00nettle-4.0/arm/fat/aes-decrypt-internal-2.asm0000644000000000000000000000215515141166424016031 0ustar00C arm/fat/aes-decrypt-internal-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_armv6') include_src(`arm/v6/aes-decrypt-internal.asm') nettle-4.0/arm/fat/aes-decrypt-internal.asm0000644000000000000000000000214615141166424015672 0ustar00C arm/fat/aes-decrypt-internal.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_arm') include_src(`arm/aes-decrypt-internal.asm') nettle-4.0/arm/fat/aes-encrypt-internal-2.asm0000644000000000000000000000215515141166424016043 0ustar00C arm/fat/aes-encrypt-internal-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_armv6') include_src(`arm/v6/aes-encrypt-internal.asm') nettle-4.0/arm/fat/aes-encrypt-internal.asm0000644000000000000000000000214615141166424015704 0ustar00C arm/fat/aes-encrypt-internal.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_arm') include_src(`arm/aes-encrypt-internal.asm') nettle-4.0/arm/fat/chacha-3core.asm0000644000000000000000000000217015141166424014055 0ustar00C arm/fat/chacha-3core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_3core) picked up by configure include_src(`arm/neon/chacha-3core.asm') nettle-4.0/arm/fat/salsa20-2core.asm0000644000000000000000000000217315141166424014115 0ustar00C arm/fat/salsa20-2core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_salsa20_2core) picked up by configure include_src(`arm/neon/salsa20-2core.asm') nettle-4.0/arm/fat/sha1-compress-2.asm0000644000000000000000000000223315141166424014461 0ustar00C arm/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_sha1_compress) picked up by configure define(`fat_transform', `_$1_armv6') include_src(`arm/v6/sha1-compress.asm') nettle-4.0/arm/fat/sha256-compress-n-2.asm0000644000000000000000000000224715141166424015075 0ustar00C arm/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_armv6') include_src(`arm/v6/sha256-compress-n.asm') nettle-4.0/arm/fat/sha3-permute-2.asm0000644000000000000000000000223215141166424014310 0ustar00C arm/fat/sha3-permute-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha3_permute) picked up by configure define(`fat_transform', `_$1_neon') include_src(`arm/neon/sha3-permute.asm') nettle-4.0/arm/fat/sha512-compress-2.asm0000644000000000000000000000224015141166424014626 0ustar00C arm/fat/sha3-compress-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha512_compress) picked up by configure define(`fat_transform', `$1_neon') include_src(`arm/neon/sha512-compress.asm') nettle-4.0/arm/fat/umac-nh-2.asm0000644000000000000000000000221215141166424013321 0ustar00C arm/fat/umac-nh-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_umac_nh) picked up by configure define(`fat_transform', `$1_neon') include_src(`arm/neon/umac-nh.asm') nettle-4.0/arm/fat/umac-nh-n-2.asm0000644000000000000000000000222015141166424013553 0ustar00C arm/fat/umac-nh-n-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_umac_nh_n) picked up by configure define(`fat_transform', `$1_neon') include_src(`arm/neon/umac-nh-n.asm') nettle-4.0/arm/machine.m40000644000000000000000000000145615141166424012235 0ustar00define(`QREG', `ifelse( $1, d0, q0, $1, d2, q1, $1, d4, q2, $1, d6, q3, $1, d8, q4, $1, d10, q5, $1, d12, q6, $1, d14, q7, $1, d16, q8, $1, d18, q9, $1, d20, q10, $1, d22, q11, $1, d24, q12, $1, d26, q13, $1, d28, q14, $1, d30, q15, `NO REGISTER')')dnl define(`D0REG', `ifelse( $1, q0, d0, $1, q1, d2, $1, q2, d4, $1, q3, d6, $1, q4, d8, $1, q5, d10, $1, q6, d12, $1, q7, d14, $1, q8, d16, $1, q9, d18, $1, q10, d20, $1, q11, d22, $1, q12, d24, $1, q13, d26, $1, q14, d28, $1, q15, d30, `NO REGISTER')')dnl define(`D1REG', `ifelse( $1, q0, d1, $1, q1, d3, $1, q2, d5, $1, q3, d7, $1, q4, d9, $1, q5, d11, $1, q6, d13, $1, q7, d15, $1, q8, d17, $1, q9, d19, $1, q10, d21, $1, q11, d23, $1, q12, d25, $1, q13, d27, $1, q14, d29, $1, q15, d31, `NO REGISTER')')dnl nettle-4.0/arm/memxor.asm0000644000000000000000000001200415141166424012367 0ustar00C arm/memxor.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Possible speedups: C C The ldm instruction can do load two registers per cycle, C if the address is two-word aligned. Or three registers in two C cycles, regardless of alignment. C Register usage: define(`DST', `r0') define(`SRC', `r1') define(`N', `r2') define(`CNT', `r6') define(`TNC', `r12') C little-endian and big-endian need to shift in different directions for C alignment correction define(`S0ADJ', IF_LE(`lsr', `lsl')) define(`S1ADJ', IF_LE(`lsl', `lsr')) .syntax unified .file "memxor.asm" .text .arm C memxor(void *dst, const void *src, size_t n) .align 4 PROLOGUE(nettle_memxor) cmp N, #0 beq .Lmemxor_done cmp N, #7 bcs .Lmemxor_large C Simple byte loop .Lmemxor_bytes: ldrb r3, [SRC], #+1 ldrb r12, [DST] eor r3, r12 strb r3, [DST], #+1 subs N, #1 bne .Lmemxor_bytes .Lmemxor_done: bx lr .Lmemxor_align_loop: ldrb r3, [SRC], #+1 ldrb r12, [DST] eor r3, r12 strb r3, [DST], #+1 sub N, #1 .Lmemxor_large: tst DST, #3 bne .Lmemxor_align_loop C We have at least 4 bytes left to do here. sub N, #4 ands r3, SRC, #3 beq .Lmemxor_same C Different alignment case. C v original SRC C +-------+------+ C |SRC |SRC+4 | C +---+---+------+ C |DST | C +-------+ C C With little-endian, we need to do C DST[i] ^= (SRC[i] >> CNT) ^ (SRC[i+1] << TNC) C With big-endian, we need to do C DST[i] ^= (SRC[i] << CNT) ^ (SRC[i+1] >> TNC) push {r4,r5,r6} lsl CNT, r3, #3 bic SRC, #3 rsb TNC, CNT, #32 ldr r4, [SRC], #+4 tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor_odd .Lmemxor_word_loop: ldr r5, [SRC], #+4 ldr r3, [DST] eor r3, r3, r4, S0ADJ CNT eor r3, r3, r5, S1ADJ TNC str r3, [DST], #+4 .Lmemxor_odd: ldr r4, [SRC], #+4 ldr r3, [DST] eor r3, r3, r5, S0ADJ CNT eor r3, r3, r4, S1ADJ TNC str r3, [DST], #+4 subs N, #8 bcs .Lmemxor_word_loop adds N, #8 beq .Lmemxor_odd_done C We have TNC/8 left-over bytes in r4, high end on LE and low end on C BE, excess bits to be discarded by alignment adjustment at the other S0ADJ r4, CNT C now byte-aligned at low end on LE and high end on BE ldr r3, [DST] eor r3, r4 pop {r4,r5,r6} C Store bytes, one by one. .Lmemxor_leftover: C bring uppermost byte down for saving while preserving lower ones IF_BE(` ror r3, #24') strb r3, [DST], #+1 subs N, #1 beq .Lmemxor_done subs TNC, #8 C bring down next byte, no need to preserve IF_LE(` lsr r3, #8') bne .Lmemxor_leftover b .Lmemxor_bytes .Lmemxor_odd_done: pop {r4,r5,r6} bx lr .Lmemxor_same: push {r4,r5,r6,r7,r8,r10,r11,r14} C lr is the link register subs N, #8 bcc .Lmemxor_same_end ldmia SRC!, {r3, r4, r5} C Keep address for loads in r14 mov r14, DST ldmia r14!, {r6, r7, r8} subs N, #12 eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 bcc .Lmemxor_same_final_store subs N, #12 ldmia r14!, {r6, r7, r8} bcc .Lmemxor_same_wind_down C 6 cycles per iteration, 0.50 cycles/byte. For this speed, C loop starts at offset 0x11c in the object file. .Lmemxor_same_loop: C r10-r12 contains values to be stored at DST C r6-r8 contains values read from r14, in advance ldmia SRC!, {r3, r4, r5} subs N, #12 stmia DST!, {r10, r11, r12} eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 ldmia r14!, {r6, r7, r8} bcs .Lmemxor_same_loop .Lmemxor_same_wind_down: C Wind down code ldmia SRC!, {r3, r4, r5} stmia DST!, {r10, r11, r12} eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 .Lmemxor_same_final_store: stmia DST!, {r10, r11, r12} .Lmemxor_same_end: C We have 0-11 bytes left to do, and N holds number of bytes -12. adds N, #4 bcc .Lmemxor_same_lt_8 C Do 8 bytes more, leftover is in N ldmia SRC!, {r3, r4} ldmia DST, {r6, r7} eor r3, r6 eor r4, r7 stmia DST!, {r3, r4} pop {r4,r5,r6,r7,r8,r10,r11,r14} beq .Lmemxor_done b .Lmemxor_bytes .Lmemxor_same_lt_8: pop {r4,r5,r6,r7,r8,r10,r11,r14} adds N, #4 bcc .Lmemxor_same_lt_4 ldr r3, [SRC], #+4 ldr r12, [DST] eor r3, r12 str r3, [DST], #+4 beq .Lmemxor_done b .Lmemxor_bytes .Lmemxor_same_lt_4: adds N, #4 beq .Lmemxor_done b .Lmemxor_bytes EPILOGUE(nettle_memxor) nettle-4.0/arm/memxor3.asm0000644000000000000000000001562415141166424012465 0ustar00C arm/memxor3.asm ifelse(` Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Possible speedups: C C The ldm instruction can do load two registers per cycle, C if the address is two-word aligned. Or three registers in two C cycles, regardless of alignment. C Register usage: define(`DST', `r0') define(`AP', `r1') define(`BP', `r2') define(`N', `r3') C Temporaries r4-r7 define(`ACNT', `r8') define(`ATNC', `r10') define(`BCNT', `r11') define(`BTNC', `r12') C little-endian and big-endian need to shift in different directions for C alignment correction define(`S0ADJ', IF_LE(`lsr', `lsl')) define(`S1ADJ', IF_LE(`lsl', `lsr')) .syntax unified .file "memxor3.asm" .text .arm C memxor3(void *dst, const void *a, const void *b, size_t n) .align 2 PROLOGUE(nettle_memxor3) cmp N, #0 beq .Lmemxor3_ret push {r4,r5,r6,r7,r8,r10,r11} cmp N, #7 add AP, N add BP, N add DST, N bcs .Lmemxor3_large C Simple byte loop .Lmemxor3_bytes: ldrb r4, [AP, #-1]! ldrb r5, [BP, #-1]! eor r4, r5 strb r4, [DST, #-1]! subs N, #1 bne .Lmemxor3_bytes .Lmemxor3_done: pop {r4,r5,r6,r7,r8,r10,r11} .Lmemxor3_ret: bx lr .Lmemxor3_align_loop: ldrb r4, [AP, #-1]! ldrb r5, [BP, #-1]! eor r5, r4 strb r5, [DST, #-1]! sub N, #1 .Lmemxor3_large: tst DST, #3 bne .Lmemxor3_align_loop C We have at least 4 bytes left to do here. sub N, #4 ands ACNT, AP, #3 lsl ACNT, #3 beq .Lmemxor3_a_aligned ands BCNT, BP, #3 lsl BCNT, #3 bne .Lmemxor3_uu C Swap mov r4, AP mov AP, BP mov BP, r4 .Lmemxor3_au: C NOTE: We have the relevant shift count in ACNT, not BCNT C AP is aligned, BP is not C v original SRC C +-------+------+ C |SRC-4 |SRC | C +---+---+------+ C |DST-4 | C +-------+ C C With little-endian, we need to do C DST[i-i] ^= (SRC[i-i] >> CNT) ^ (SRC[i] << TNC) C With big-endian, we need to do C DST[i-i] ^= (SRC[i-i] << CNT) ^ (SRC[i] >> TNC) rsb ATNC, ACNT, #32 bic BP, #3 ldr r4, [BP] tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor3_au_odd .Lmemxor3_au_loop: ldr r5, [BP, #-4]! ldr r6, [AP, #-4]! eor r6, r6, r4, S1ADJ ATNC eor r6, r6, r5, S0ADJ ACNT str r6, [DST, #-4]! .Lmemxor3_au_odd: ldr r4, [BP, #-4]! ldr r6, [AP, #-4]! eor r6, r6, r5, S1ADJ ATNC eor r6, r6, r4, S0ADJ ACNT str r6, [DST, #-4]! subs N, #8 bcs .Lmemxor3_au_loop adds N, #8 beq .Lmemxor3_done C Leftover bytes in r4, low end on LE and high end on BE before C preparatory alignment correction ldr r5, [AP, #-4] eor r4, r5, r4, S1ADJ ATNC C now byte-aligned in high end on LE and low end on BE because we're C working downwards in saving the very first bytes of the buffer .Lmemxor3_au_leftover: C Store a byte at a time C bring uppermost byte down for saving while preserving lower ones IF_LE(` ror r4, #24') strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 C bring down next byte, no need to preserve IF_BE(` lsr r4, #8') sub AP, #1 bne .Lmemxor3_au_leftover b .Lmemxor3_bytes .Lmemxor3_a_aligned: ands ACNT, BP, #3 lsl ACNT, #3 bne .Lmemxor3_au ; C a, b and dst all have the same alignment. subs N, #8 bcc .Lmemxor3_aligned_word_end C This loop runs at 8 cycles per iteration. It has been C observed running at only 7 cycles, for this speed, the loop C started at offset 0x2ac in the object file. C FIXME: consider software pipelining, similarly to the memxor C loop. .Lmemxor3_aligned_word_loop: ldmdb AP!, {r4,r5,r6} ldmdb BP!, {r7,r8,r10} subs N, #12 eor r4, r7 eor r5, r8 eor r6, r10 stmdb DST!, {r4, r5,r6} bcs .Lmemxor3_aligned_word_loop .Lmemxor3_aligned_word_end: C We have 0-11 bytes left to do, and N holds number of bytes -12. adds N, #4 bcc .Lmemxor3_aligned_lt_8 C Do 8 bytes more, leftover is in N ldmdb AP!, {r4, r5} ldmdb BP!, {r6, r7} eor r4, r6 eor r5, r7 stmdb DST!, {r4,r5} beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_aligned_lt_8: adds N, #4 bcc .Lmemxor3_aligned_lt_4 ldr r4, [AP,#-4]! ldr r5, [BP,#-4]! eor r4, r5 str r4, [DST,#-4]! beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_aligned_lt_4: adds N, #4 beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_uu: cmp ACNT, BCNT bic AP, #3 bic BP, #3 rsb ATNC, ACNT, #32 bne .Lmemxor3_uud C AP and BP are unaligned in the same way ldr r4, [AP] ldr r6, [BP] eor r4, r6 tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor3_uu_odd .Lmemxor3_uu_loop: ldr r5, [AP, #-4]! ldr r6, [BP, #-4]! eor r5, r6 S1ADJ r4, ATNC eor r4, r4, r5, S0ADJ ACNT str r4, [DST, #-4]! .Lmemxor3_uu_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! eor r4, r6 S1ADJ r5, ATNC eor r5, r5, r4, S0ADJ ACNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uu_loop adds N, #8 beq .Lmemxor3_done C Leftover bytes in r4, low end on LE and high end on BE before C preparatory alignment correction IF_LE(` ror r4, ACNT') IF_BE(` ror r4, ATNC') C now byte-aligned in high end on LE and low end on BE because we're C working downwards in saving the very first bytes of the buffer .Lmemxor3_uu_leftover: C bring uppermost byte down for saving while preserving lower ones IF_LE(` ror r4, #24') strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 C bring down next byte, no need to preserve IF_BE(` lsr r4, #8') bne .Lmemxor3_uu_leftover b .Lmemxor3_bytes .Lmemxor3_uud: C Both AP and BP unaligned, and in different ways rsb BTNC, BCNT, #32 ldr r4, [AP] ldr r6, [BP] tst N, #4 ittet eq moveq r5, r4 moveq r7, r6 subne N, #4 beq .Lmemxor3_uud_odd .Lmemxor3_uud_loop: ldr r5, [AP, #-4]! ldr r7, [BP, #-4]! S1ADJ r4, ATNC eor r4, r4, r6, S1ADJ BTNC eor r4, r4, r5, S0ADJ ACNT eor r4, r4, r7, S0ADJ BCNT str r4, [DST, #-4]! .Lmemxor3_uud_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! S1ADJ r5, ATNC eor r5, r5, r7, S1ADJ BTNC eor r5, r5, r4, S0ADJ ACNT eor r5, r5, r6, S0ADJ BCNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uud_loop adds N, #8 beq .Lmemxor3_done C FIXME: More clever left-over handling? For now, just adjust pointers. add AP, AP, ACNT, lsr #3 add BP, BP, BCNT, lsr #3 b .Lmemxor3_bytes EPILOGUE(nettle_memxor3) nettle-4.0/arm/neon/0000755000000000000000000000000015141166424011320 5ustar00nettle-4.0/arm/neon/chacha-3core.asm0000644000000000000000000001350215141166424014243 0ustar00C arm/neon/chacha-3core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "chacha-3core.asm" .fpu neon define(`DST', `r0') define(`SRC', `r1') define(`ROUNDS', `r2') define(`SRCp32', `r3') C State, X, Y and Z representing consecutive blocks define(`X0', `q0') define(`X1', `q1') define(`X2', `q2') define(`X3', `q3') define(`Y0', `q8') define(`Y1', `q9') define(`Y2', `q10') define(`Y3', `q11') define(`Z0', `q12') define(`Z1', `q13') define(`Z2', `q14') define(`Z3', `q15') define(`T0', `q4') define(`T1', `q5') define(`T2', `q6') define(`T3', `q7') .text .align 4 .Lcount1: .int 1,0,0,0 C _chacha_3core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_3core) C loads using vld1.32 to be endianness-neutral wrt consecutive 32-bit words add SRCp32, SRC, #32 vld1.32 {X0,X1}, [SRC] vld1.32 {X2,X3}, [SRCp32] vpush {q4,q5,q6,q7} adr r12, .Lcount1 vld1.32 {Z3}, [r12] vadd.i64 Y3, X3, Z3 C Increment 64-bit counter vadd.i64 Z3, Y3, Z3 .Lshared_entry: vmov Y0, X0 vmov Z0, X0 vmov Y1, X1 vmov Z1, X1 vmov Y2, X2 vmov Z2, X2 C Save initial values for the words including the counters. vmov T2, Y3 vmov T3, Z3 .Loop: C Interleave three blocks. Note that with this scheduling, C only two temporaries, T0 and T1, are needed. vadd.i32 X0, X0, X1 veor X3, X3, X0 vadd.i32 Y0, Y0, Y1 vrev32.16 X3, X3 C lrot 16 veor Y3, Y3, Y0 vadd.i32 Z0, Z0, Z1 vadd.i32 X2, X2, X3 vrev32.16 Y3, Y3 C lrot 16 veor Z3, Z3, Z0 veor T0, X1, X2 vadd.i32 Y2, Y2, Y3 vrev32.16 Z3, Z3 C lrot 16 vshl.i32 X1, T0, #12 veor T1, Y1, Y2 vadd.i32 Z2, Z2, Z3 vsri.u32 X1, T0, #20 vshl.i32 Y1, T1, #12 veor T0, Z1, Z2 vadd.i32 X0, X0, X1 vsri.u32 Y1, T1, #20 vshl.i32 Z1, T0, #12 veor T1, X3, X0 vadd.i32 Y0, Y0, Y1 vsri.u32 Z1, T0, #20 vshl.i32 X3, T1, #8 veor T0, Y3, Y0 vadd.i32 Z0, Z0, Z1 vsri.u32 X3, T1, #24 vshl.i32 Y3, T0, #8 veor T1, Z3, Z0 vadd.i32 X2, X2, X3 vsri.u32 Y3, T0, #24 vext.32 X3, X3, X3, #3 vshl.i32 Z3, T1, #8 veor T0, X1, X2 vadd.i32 Y2, Y2, Y3 vsri.u32 Z3, T1, #24 vext.32 Y3, Y3, Y3, #3 vshl.i32 X1, T0, #7 veor T1, Y1, Y2 vadd.i32 Z2, Z2, Z3 vsri.u32 X1, T0, #25 vshl.i32 Y1, T1, #7 veor T0, Z1, Z2 vext.32 X1, X1, X1, #1 vsri.u32 Y1, T1, #25 vshl.i32 Z1, T0, #7 vext.32 Y2, Y2, Y2, #2 vext.32 Y1, Y1, Y1, #1 vsri.u32 Z1, T0, #25 vext.32 X2, X2, X2, #2 C Second QROUND vadd.i32 X0, X0, X1 vext.32 Z2, Z2, Z2, #2 vext.32 Z1, Z1, Z1, #1 veor X3, X3, X0 vadd.i32 Y0, Y0, Y1 vext.32 Z3, Z3, Z3, #3 vrev32.16 X3, X3 C lrot 16 veor Y3, Y3, Y0 vadd.i32 Z0, Z0, Z1 vadd.i32 X2, X2, X3 vrev32.16 Y3, Y3 C lrot 16 veor Z3, Z3, Z0 veor T0, X1, X2 vadd.i32 Y2, Y2, Y3 vrev32.16 Z3, Z3 C lrot 16 vshl.i32 X1, T0, #12 veor T1, Y1, Y2 vadd.i32 Z2, Z2, Z3 vsri.u32 X1, T0, #20 vshl.i32 Y1, T1, #12 veor T0, Z1, Z2 vadd.i32 X0, X0, X1 vsri.u32 Y1, T1, #20 vshl.i32 Z1, T0, #12 veor T1, X3, X0 vadd.i32 Y0, Y0, Y1 vsri.u32 Z1, T0, #20 vshl.i32 X3, T1, #8 veor T0, Y3, Y0 vadd.i32 Z0, Z0, Z1 vsri.u32 X3, T1, #24 vshl.i32 Y3, T0, #8 veor T1, Z3, Z0 vadd.i32 X2, X2, X3 vsri.u32 Y3, T0, #24 vext.32 X3, X3, X3, #1 vshl.i32 Z3, T1, #8 veor T0, X1, X2 vext.32 X2, X2, X2, #2 vadd.i32 Y2, Y2, Y3 vext.32 Y3, Y3, Y3, #1 vsri.u32 Z3, T1, #24 vshl.i32 X1, T0, #7 veor T1, Y1, Y2 vext.32 Y2, Y2, Y2, #2 vadd.i32 Z2, Z2, Z3 vext.32 Z3, Z3, Z3, #1 vsri.u32 X1, T0, #25 vshl.i32 Y1, T1, #7 veor T0, Z1, Z2 vext.32 Z2, Z2, Z2, #2 vext.32 X1, X1, X1, #3 vsri.u32 Y1, T1, #25 vshl.i32 Z1, T0, #7 vext.32 Y1, Y1, Y1, #3 vsri.u32 Z1, T0, #25 subs ROUNDS, ROUNDS, #2 vext.32 Z1, Z1, Z1, #3 bhi .Loop C Add updated counters vadd.i32 Y3, Y3, T2 vadd.i32 Z3, Z3, T3 vld1.32 {T0,T1}, [SRC] vadd.i32 X0, X0, T0 vadd.i32 X1, X1, T1 C vst1.8 because caller expects results little-endian C interleave loads, calculations and stores to save cycles on stores C use vstm when little-endian for some additional speedup IF_BE(` vst1.8 {X0,X1}, [DST]!') vld1.32 {T2,T3}, [SRCp32] vadd.i32 X2, X2, T2 vadd.i32 X3, X3, T3 IF_BE(` vst1.8 {X2,X3}, [DST]!') IF_LE(` vstmia DST!, {X0,X1,X2,X3}') vadd.i32 Y0, Y0, T0 vadd.i32 Y1, Y1, T1 IF_BE(` vst1.8 {Y0,Y1}, [DST]!') vadd.i32 Y2, Y2, T2 IF_BE(` vst1.8 {Y2,Y3}, [DST]!') IF_LE(` vstmia DST!, {Y0,Y1,Y2,Y3}') vadd.i32 Z0, Z0, T0 vadd.i32 Z1, Z1, T1 IF_BE(` vst1.8 {Z0,Z1}, [DST]!') vadd.i32 Z2, Z2, T2 vpop {q4,q5,q6,q7} IF_BE(` vst1.8 {Z2,Z3}, [DST]') IF_LE(` vstm DST, {Z0,Z1,Z2,Z3}') bx lr EPILOGUE(_nettle_chacha_3core) PROLOGUE(_nettle_chacha_3core32) add SRCp32, SRC, #32 vld1.32 {X0,X1}, [SRC] vld1.32 {X2,X3}, [SRCp32] vpush {q4,q5,q6,q7} adr r12, .Lcount1 vld1.32 {Z3}, [r12] vadd.i32 Y3, X3, Z3 C Increment 32-bit counter vadd.i32 Z3, Y3, Z3 b .Lshared_entry EPILOGUE(_nettle_chacha_3core32) nettle-4.0/arm/neon/salsa20-2core.asm0000644000000000000000000001226315141166424014303 0ustar00C arm/neon/salsa20-2core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "salsa20-2core.asm" .fpu neon define(`DST', `r0') define(`SRC', `r1') define(`ROUNDS', `r2') define(`SRCp32', `r3') C State, even elements in X, odd elements in Y define(`X0', `q0') define(`X1', `q1') define(`X2', `q2') define(`X3', `q3') define(`Y0', `q8') define(`Y1', `q9') define(`Y2', `q10') define(`Y3', `q11') define(`T0', `q12') define(`T1', `q13') define(`T2', `q14') define(`T3', `q15') .text .align 4 .Lcount1: .int 1,0,0,0 C _salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_salsa20_2core) C loads using vld1.32 to be endianness-neutral wrt consecutive 32-bit words add SRCp32, SRC, #32 vld1.32 {X0,X1}, [SRC] vld1.32 {X2,X3}, [SRCp32] adr r12, .Lcount1 vmov Y3, X0 vld1.32 {Y1}, [r12] vmov Y0, X1 vadd.i64 Y1, Y1, X2 C Increment counter vmov Y2, X3 vtrn.32 X0, Y3 C X0: 0 0 2 2 Y3: 1 1 3 3 vtrn.32 X1, Y0 C X1: 4 4 6 6 Y0: 5 5 7 7 vtrn.32 X2, Y1 C X2: 8 8 10 10 Y1: 9 9 11 11 vtrn.32 X3, Y2 C X3: 12 12 14 14 Y2: 13 13 15 15 C Swap, to get C X0: 0 10 Y0: 5 15 C X1: 4 14 Y1: 9 3 C X2: 8 2 Y2: 13 7 C X3: 12 6 Y3: 1 11 vswp D1REG(X0), D1REG(X2) vswp D1REG(X1), D1REG(X3) vswp D1REG(Y0), D1REG(Y2) vswp D1REG(Y1), D1REG(Y3) .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C X1: A4 B4 A14 B14 Y1: A9 B9 A3 B3 C X2: A8 B8 A2 B2 Y2: A13 B13 A7 B7 C X3: A12 B12 A6 B6 Y3: A1 B1 A11 B11 vadd.i32 T0, X0, X3 vshl.i32 T1, T0, #7 vadd.i32 T2, Y0, Y3 vsri.u32 T1, T0, #25 vshl.i32 T3, T2, #7 veor X1, X1, T1 vsri.u32 T3, T2, #25 vadd.i32 T0, X1, X0 veor Y1, Y1, T3 vshl.i32 T1, T0, #9 vadd.i32 T2, Y1, Y0 vsri.u32 T1, T0, #23 vshl.i32 T3, T2, #9 veor X2, X2, T1 vsri.u32 T3, T2, #23 vadd.i32 T0, X2, X1 veor Y2, Y2, T3 vshl.i32 T1, T0, #13 vadd.i32 T2, Y2, Y1 vsri.u32 T1, T0, #19 vshl.i32 T3, T2, #13 veor X3, X3, T1 vsri.u32 T3, T2, #19 vadd.i32 T0, X3, X2 veor Y3, Y3, T3 vshl.i32 T1, T0, #18 vadd.i32 T2, Y3, Y2 vext.32 Y1, Y1, Y1, #2 vsri.u32 T1, T0, #14 vshl.i32 T3, T2, #18 vext.32 Y2, Y2, Y2, #2 veor X0, X0, T1 vsri.u32 T3, T2, #14 vext.32 X3, X3, X3, #2 veor Y0, Y0, T3 C Register layout: C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C Y1: A3 B3 A9 B9 X1: A4 B4 A14 B14 (Y1 swapped) C X2: A2 B2 A8 B8 Y2: A7 B7 A13 B13 (X2, Y2 swapped) C Y3: A1 B1 A11 B11 X3: A6 B6 A12 B12 (X3 swapped) vadd.i32 T0, X0, Y1 vext.32 X2, X2, X2, #2 vshl.i32 T1, T0, #7 vadd.i32 T2, Y0, X1 vsri.u32 T1, T0, #25 vshl.i32 T3, T2, #7 veor Y3, Y3, T1 vsri.u32 T3, T2, #25 vadd.i32 T0, Y3, X0 veor X3, X3, T3 vshl.i32 T1, T0, #9 vadd.i32 T2, X3, Y0 vsri.u32 T1, T0, #23 vshl.i32 T3, T2, #9 veor X2, X2, T1 vsri.u32 T3, T2, #23 vadd.i32 T0, X2, Y3 veor Y2, Y2, T3 vshl.i32 T1, T0, #13 vadd.i32 T2, Y2, X3 vsri.u32 T1, T0, #19 vshl.i32 T3, T2, #13 veor Y1, Y1, T1 vsri.u32 T3, T2, #19 vadd.i32 T0, Y1, X2 veor X1, X1, T3 vext.32 X2, X2, X2, #2 vshl.i32 T1, T0, #18 vadd.i32 T2, X1, Y2 vext.32 Y1, Y1, Y1, #2 vsri.u32 T1, T0, #14 subs ROUNDS, ROUNDS, #2 vshl.i32 T3, T2, #18 vext.32 X3, X3, X3, #2 veor X0, X0, T1 vsri.u32 T3, T2, #14 vext.32 Y2, Y2, Y2, #2 veor Y0, Y0, T3 bhi .Loop C Inverse swaps and transpositions vswp D1REG(X0), D1REG(X2) vswp D1REG(X1), D1REG(X3) vswp D1REG(Y0), D1REG(Y2) vswp D1REG(Y1), D1REG(Y3) vld1.32 {T0,T1}, [SRC] vld1.32 {T2,T3}, [SRCp32] vtrn.32 X0, Y3 vtrn.32 X1, Y0 vtrn.32 X2, Y1 vtrn.32 X3, Y2 C Add in the original context vadd.i32 X0, X0, T0 vadd.i32 X1, X1, T1 C vst1.8 because caller expects results little-endian C interleave loads, calculations and stores to save cycles on stores C use vstm when little-endian for some additional speedup IF_BE(` vst1.8 {X0,X1}, [DST]!') vadd.i32 X2, X2, T2 vadd.i32 X3, X3, T3 IF_BE(` vst1.8 {X2,X3}, [DST]!') IF_LE(` vstmia DST!, {X0,X1,X2,X3}') vld1.32 {X0}, [r12] vadd.i32 T0, T0, Y3 vadd.i64 T2, T2, X0 vadd.i32 T1, T1, Y0 IF_BE(` vst1.8 {T0,T1}, [DST]!') vadd.i32 T2, T2, Y1 vadd.i32 T3, T3, Y2 IF_BE(` vst1.8 {T2,T3}, [DST]') IF_LE(` vstm DST, {T0,T1,T2,T3}') bx lr EPILOGUE(_nettle_salsa20_2core) nettle-4.0/arm/neon/sha3-permute.asm0000644000000000000000000001354415141166424014346 0ustar00C arm/neon/sha3-permute.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha3-permute.asm" .fpu neon define(`CTX', `r0') define(`COUNT', `r1') define(`RC', `r2') C First column define(`A0', `d0') define(`A5', `d2') define(`A10', `d3') define(`A15', `d4') define(`A20', `d5') define(`A1', `d6') define(`A2', `d7') define(`A3', `d8') define(`A4', `d9') define(`A6', `d16') define(`A7', `d17') define(`A8', `d18') define(`A9', `d19') define(`A11', `d20') define(`A12', `d21') define(`A13', `d22') define(`A14', `d23') define(`A16', `d24') define(`A17', `d25') define(`A18', `d26') define(`A19', `d27') define(`A21', `d28') define(`A22', `d29') define(`A23', `d30') define(`A24', `d31') define(`T0', `d10') define(`T1', `d11') define(`C0', `d1') define(`C1', `d12') define(`C2', `d13') define(`C3', `d14') define(`C4', `d15') C ROL(DST, SRC, COUNT) C Must have SRC != DST define(`ROL', ` vshr.u64 $1, $2, #eval(64-$3) vsli.i64 $1, $2, #$3 ') C sha3_permute(struct sha3_ctx *ctx) .text .align 3 .Lrc: .quad 0x0000000000000001 .quad 0x0000000000008082 .quad 0x800000000000808A .quad 0x8000000080008000 .quad 0x000000000000808B .quad 0x0000000080000001 .quad 0x8000000080008081 .quad 0x8000000000008009 .quad 0x000000000000008A .quad 0x0000000000000088 .quad 0x0000000080008009 .quad 0x000000008000000A .quad 0x000000008000808B .quad 0x800000000000008B .quad 0x8000000000008089 .quad 0x8000000000008003 .quad 0x8000000000008002 .quad 0x8000000000000080 .quad 0x000000000000800A .quad 0x800000008000000A .quad 0x8000000080008081 .quad 0x8000000000008080 .quad 0x0000000080000001 .quad 0x8000000080008008 PROLOGUE(nettle_sha3_permute) vpush {d8-d15} vld1.64 {A0}, [CTX]! vldm CTX!, {A1,A2,A3,A4} vld1.64 {A5}, [CTX]! vldm CTX!, {A6,A7,A8,A9} vld1.64 {A10}, [CTX]! vldm CTX!, {A11,A12,A13,A14} vld1.64 {A15}, [CTX]! vldm CTX!, {A16,A17,A18,A19} vld1.64 {A20}, [CTX]! vldm CTX, {A21,A22,A23,A24} sub CTX, CTX, #168 mov COUNT, #24 adr RC, .Lrc .align 3 .Loop: veor QREG(T0), QREG(A5), QREG(A15) veor C0, A0, T0 veor C0, C0, T1 veor QREG(C1), QREG(A1), QREG(A6) veor QREG(C1), QREG(C1), QREG(A11) veor QREG(C1), QREG(C1), QREG(A16) veor QREG(C1), QREG(C1), QREG(A21) veor QREG(C3), QREG(A3), QREG(A8) veor QREG(C3), QREG(C3), QREG(A13) veor QREG(C3), QREG(C3), QREG(A18) veor QREG(C3), QREG(C3), QREG(A23) C D0 = C4 ^ (C1 <<< 1) C NOTE: Using ROL macro (and vsli) is slightly slower. vshl.i64 T0, C1, #1 vshr.u64 T1, C1, #63 veor T0, T0, C4 veor T0, T0, T1 vmov T1, T0 veor A0, A0, T0 veor QREG(A5), QREG(A5), QREG(T0) veor QREG(A15), QREG(A15), QREG(T0) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) ROL(T0, C2, 1) ROL(T1, C3, 1) veor T0, T0, C0 veor T1, T1, C1 veor QREG(A1), QREG(A1), QREG(T0) veor QREG(A6), QREG(A6), QREG(T0) veor QREG(A11), QREG(A11), QREG(T0) veor QREG(A16), QREG(A16), QREG(T0) veor QREG(A21), QREG(A21), QREG(T0) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) ROL(T0, C4, 1) ROL(T1, C0, 1) veor T0, T0, C2 veor T1, T1, C3 veor QREG(A3), QREG(A3), QREG(T0) veor QREG(A8), QREG(A8), QREG(T0) veor QREG(A13), QREG(A13), QREG(T0) veor QREG(A18), QREG(A18), QREG(T0) veor QREG(A23), QREG(A23), QREG(T0) ROL( T0, A1, 1) ROL( A1, A6, 44) ROL( A6, A9, 20) ROL( A9, A22, 61) ROL(A22, A14, 39) ROL(A14, A20, 18) ROL(A20, A2, 62) ROL( A2, A12, 43) ROL(A12, A13, 25) ROL(A13, A19, 8) ROL(A19, A23, 56) ROL(A23, A15, 41) ROL(A15, A4, 27) ROL( A4, A24, 14) ROL(A24, A21, 2) ROL(A21, A8, 55) ROL( A8, A16, 45) ROL(A16, A5, 36) ROL( A5, A3, 28) ROL( A3, A18, 21) ROL(A18, A17, 15) ROL(A17, A11, 10) ROL(A11, A7, 6) ROL( A7, A10, 3) C New A10 value left in T0 vbic C0, A2, A1 vbic C1, A3, A2 vbic C2, A4, A3 vbic C3, A0, A4 vbic C4, A1, A0 veor A0, A0, C0 vld1.64 {C0}, [RC :64]! veor QREG(A1), QREG(A1), QREG(C1) veor QREG(A3), QREG(A3), QREG(C3) veor A0, A0, C0 vbic C0, A7, A6 vbic C1, A8, A7 vbic C2, A9, A8 vbic C3, A5, A9 vbic C4, A6, A5 veor A5, A5, C0 veor QREG(A6), QREG(A6), QREG(C1) veor QREG(A8), QREG(A8), QREG(C3) vbic C0, A12, A11 vbic C1, A13, A12 vbic C2, A14, A13 vbic C3, T0, A14 vbic C4, A11, T0 veor A10, T0, C0 veor QREG(A11), QREG(A11), QREG(C1) veor QREG(A13), QREG(A13), QREG(C3) vbic C0, A17, A16 vbic C1, A18, A17 vbic C2, A19, A18 vbic C3, A15, A19 vbic C4, A16, A15 veor A15, A15, C0 veor QREG(A16), QREG(A16), QREG(C1) veor QREG(A18), QREG(A18), QREG(C3) vbic C0, A22, A21 vbic C1, A23, A22 vbic C2, A24, A23 vbic C3, A20, A24 vbic C4, A21, A20 subs COUNT, COUNT, #1 veor A20, A20, C0 veor QREG(A21), QREG(A21), QREG(C1) veor QREG(A23), QREG(A23), QREG(C3) bne .Loop vst1.64 {A0}, [CTX]! vstm CTX!, {A1,A2,A3,A4} vst1.64 {A5}, [CTX]! vstm CTX!, {A6,A7,A8,A9} vst1.64 {A10}, [CTX]! vstm CTX!, {A11,A12,A13,A14} vst1.64 {A15}, [CTX]! vstm CTX!, {A16,A17,A18,A19} vst1.64 {A20}, [CTX]! vstm CTX, {A21,A22,A23,A24} vpop {d8-d15} bx lr EPILOGUE(nettle_sha3_permute) nettle-4.0/arm/neon/sha512-compress.asm0000644000000000000000000002005615141166424014661 0ustar00C arm/neon/sha512-compress.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha512-compress.asm" .fpu neon define(`STATE', `r0') define(`INPUT', `r1') define(`K', `r2') define(`COUNT', `r3') define(`SHIFT', `r12') define(`SA', `d0') define(`SB', `d1') define(`SC', `d2') define(`SD', `d3') define(`SE', `d4') define(`SF', `d5') define(`SG', `d6') define(`SH', `d7') define(`QSAB', `q0') define(`QSCD', `q1') define(`QSEF', `q2') define(`QSGH', `q3') C d8-d15 are callee-save define(`DT0', `d8') define(`DT1', `d9') define(`QT01', `q4') define(`DT2', `d10') define(`DT3', `d11') define(`QT23', `q5') define(`DT4', `d12') define(`DT5', `d13') define(`QT45', `q6') C Used only when reading the input, can overlap with state define(`DT6', `d0') define(`DT7', `d1') define(`QT67', `q0') define(`DW0', `d16') define(`DW1', `d17') define(`DW2', `d18') define(`DW3', `d19') define(`DW4', `d20') define(`DW5', `d21') define(`DW6', `d22') define(`DW7', `d23') define(`DW8', `d24') define(`DW9', `d25') define(`DW10', `d26') define(`DW11', `d27') define(`DW12', `d28') define(`DW13', `d29') define(`DW14', `d30') define(`DW15', `d31') define(`QW0001', `q8') define(`QW0203', `q9') define(`QW0405', `q10') define(`QW0607', `q11') define(`QW0809', `q12') define(`QW1011', `q13') define(`QW1213', `q14') define(`QW1415', `q15') define(`EXPAND_ME', `$1') define(`W', `EXPAND_ME(`DW'eval(($1) % 16))') C If x = W(i+14), y = w(i+1), we xor in parallel C C x << 45 y << 63 C x >> 19 y >> 1 C x << 3 y << 56 C x >> 61 y >> 8 C xor x >> 6 y >> 7 C ----------------------------- C DT0 DT1 define(`EXPN', ` vshl.i64 DT0, W($1+14), #45 vshl.i64 DT1, W($1 + 1), #63 vshr.u64 DT2, W($1+14), #19 vshr.u64 DT3, W($1 + 1), #1 vshl.i64 DT4, W($1+14), #3 vshl.i64 DT5, W($1 + 1), #56 veor.i64 QT01, QT01, QT23 vshr.u64 DT2, W($1+14), #61 vshr.u64 DT3, W($1 + 1), #8 veor.i64 QT01, QT01, QT45 vshr.u64 DT4, W($1+14), #6 vshr.u64 DT5, W($1 + 1), #7 veor.i64 QT01, QT01, QT23 vadd.i64 W($1), W($1), W($1 + 9) veor.i64 QT01, QT01, QT45 vadd.i64 W($1), W($1), DT0 vadd.i64 W($1), W($1), DT1 ') C ROUND(A,B,C,D,E,F,G,H,i) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<50 ^ E<<<46 ^ E<<<23 C S0(A) = A<<<36 ^ A<<<30 ^ A<<<25 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) C Do S1 and S0 in parallel C C e << 50 a << 36 C e >> 14 a >> 28 C e << 46 a << 30 C e >> 18 a >> 34 C e << 23 a << 25 C xor e >> 41 a >> 39 C ---------------------------- C DT0 DT1 define(`ROUND', ` vshl.i64 DT0, $5, #50 vshl.i64 DT1, $1, #36 vshr.u64 DT2, $5, #14 vshr.u64 DT3, $1, #28 vshl.i64 DT4, $5, #46 vshl.i64 DT5, $1, #30 veor QT01, QT01, QT23 vshr.u64 DT2, $5, #18 vshr.u64 DT3, $1, #34 veor QT01, QT01, QT45 vshl.i64 DT4, $5, #23 vshl.i64 DT5, $1, #25 veor QT01, QT01, QT23 vshr.u64 DT2, $5, #41 vshr.u64 DT3, $1, #39 veor QT01, QT01, QT45 veor DT4, $6, $7 veor DT5, $1, $2 vand DT4, DT4, $5 vand DT5, DT5, $3 veor DT4, DT4, $7 veor QT01, QT01, QT23 vand DT2, $1, $2 vldr DT3, [K,#eval(8*$9)] vadd.i64 $8, $8, W($9) vadd.i64 QT01, QT01, QT45 vadd.i64 $8, $8, DT3 vadd.i64 $8, $8, DT0 vadd.i64 DT1, DT1, DT2 vadd.i64 $4, $4, $8 vadd.i64 $8, $8, DT1 ') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) .text .align 2 PROLOGUE(_nettle_sha512_compress) vpush {d8,d9,d10,d11,d12,d13} ands SHIFT, INPUT, #7 and INPUT, INPUT, #-8 vld1.8 {DT5}, [INPUT :64] addne INPUT, INPUT, #8 addeq SHIFT, SHIFT, #8 lsl SHIFT, SHIFT, #3 C Put right shift in DT0 and DT1, aka QT01 neg SHIFT, SHIFT vmov.i32 DT0, #0 vmov.32 DT0[0], SHIFT vmov DT1, DT0 C Put left shift in DT2 and DT3, aka QT23 add SHIFT, SHIFT, #64 vmov.i32 DT2, #0 vmov.32 DT2[0], SHIFT vmov DT3, DT2 vshl.u64 DT5, DT5, DT0 C Set w[i] <-- w[i-1] >> RSHIFT + w[i] << LSHIFT vld1.8 {W(0),W(1),W(2),W(3)}, [INPUT :64]! vshl.u64 QT67, QW0001, QT01 C Right shift vshl.u64 QW0001, QW0001, QT23 C Left shift veor W(0), W(0), DT5 veor W(1), W(1), DT6 vrev64.8 QW0001, QW0001 vshl.u64 QT45, QW0203, QT01 C Right shift vshl.u64 QW0203, QW0203, QT23 C Left shift veor W(2), W(2), DT7 veor W(3), W(3), DT4 vrev64.8 QW0203, QW0203 vld1.8 {W(4),W(5),W(6),W(7)}, [INPUT :64]! vshl.u64 QT67, QW0405, QT01 C Right shift vshl.u64 QW0405, QW0405, QT23 C Left shift veor W(4), W(4), DT5 veor W(5), W(5), DT6 vrev64.8 QW0405, QW0405 vshl.u64 QT45, QW0607, QT01 C Right shift vshl.u64 QW0607, QW0607, QT23 C Left shift veor W(6), W(6), DT7 veor W(7), W(7), DT4 vrev64.8 QW0607, QW0607 vld1.8 {W(8),W(9),W(10),W(11)}, [INPUT :64]! vshl.u64 QT67, QW0809, QT01 C Right shift vshl.u64 QW0809, QW0809, QT23 C Left shift veor W(8), W(8), DT5 veor W(9), W(9), DT6 vrev64.8 QW0809, QW0809 vshl.u64 QT45, QW1011, QT01 C Right shift vshl.u64 QW1011, QW1011, QT23 C Left shift veor W(10), W(10), DT7 veor W(11), W(11), DT4 vrev64.8 QW1011, QW1011 vld1.8 {W(12),W(13),W(14),W(15)}, [INPUT :64]! vshl.u64 QT67, QW1213, QT01 C Right shift vshl.u64 QW1213, QW1213, QT23 C Left shift veor W(12), W(12), DT5 veor W(13), W(13), DT6 vrev64.8 QW1213, QW1213 vshl.u64 QT45, QW1415, QT01 C Right shift vshl.u64 QW1415, QW1415, QT23 C Left shift veor W(14), W(14), DT7 veor W(15), W(15), DT4 vrev64.8 QW1415, QW1415 vldm STATE, {SA,SB,SC,SD,SE,SF,SG,SH} ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 0) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 1) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 2) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 3) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 4) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 5) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 6) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 7) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 8) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 9) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 10) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 11) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 12) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 13) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 14) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 15) add K, K, #128 mov COUNT, #4 .Loop: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 14) subs COUNT, COUNT, #1 EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 15) add K, K, #128 bne .Loop vld1.64 {DW0, DW1, DW2, DW3}, [STATE] vadd.i64 QSAB, QSAB, QW0001 vadd.i64 QSCD, QSCD, QW0203 vst1.64 {SA,SB,SC,SD}, [STATE]! vld1.64 {DW0, DW1, DW2, DW3}, [STATE] vadd.i64 QSEF, QSEF, QW0001 vadd.i64 QSGH, QSGH, QW0203 vst1.64 {SE,SF,SG,SH}, [STATE]! vpop {d8,d9,d10,d11,d12,d13} bx lr EPILOGUE(_nettle_sha512_compress) divert(-1) define shastate p/x $d0.u64 p/x $d1.u64 p/x $d2.u64 p/x $d3.u64 p/x $d4.u64 p/x $d5.u64 p/x $d6.u64 p/x $d7.u64 end nettle-4.0/arm/neon/umac-nh-n.asm0000644000000000000000000002067215141166424013614 0ustar00C arm/neon/umac-nh-n.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "umac-nh.asm" .fpu neon define(`OUT', `r0') define(`ITERS', `r1') define(`KEY', `r2') define(`LENGTH', `r3') define(`MSG', `r12') define(`SHIFT', `r14') define(`QA', `q0') define(`QB', `q1') define(`QY0', `q3') C Accumulates for the first two operations. define(`DM', `d4') define(`QY1', `q4') C Used for 3 and 4 iterations. define(`QC', `q5') define(`QD', `q6') define(`QLEFT', `q8') define(`QRIGHT', `q9') define(`QT0', `q10') define(`QT1', `q11') define(`QT2', `q12') define(`QK0', `q13') define(`QK1', `q14') define(`QK2', `q15') C FIXME: Try permuting subkeys using vld4, vzip or similar. .text .align 3 PROLOGUE(_nettle_umac_nh_n) ldr MSG, [sp] str lr, [sp, #-4]! C Setup for 64-bit aligned reads ands SHIFT, MSG, #7 and MSG, MSG, #-8 vld1.8 {DM}, [MSG :64] addne MSG, MSG, #8 addeq SHIFT, SHIFT, #8 C FIXME: Combine as rsb ? lsl SHIFT, SHIFT, #3 neg SHIFT, SHIFT C Right shift in QRIGHT (both halves) vmov.i32 D0REG(QRIGHT)[0], SHIFT vmov.32 D1REG(QRIGHT), D0REG(QRIGHT) add SHIFT, SHIFT, #64 vmov.i32 D0REG(QLEFT)[0], SHIFT vmov.32 D1REG(QLEFT), D0REG(QLEFT) cmp r1, #3 vmov.i64 QY0, #0 vshl.u64 DM, DM, D0REG(QRIGHT) bcc .Lnh2 beq .Lnh3 .Lnh4: C Permute key words, so we in each iteration have them in order C C P0: [0, 4,1, 5] P1: [ 2, 6, 3, 7] P2: [ 4, 8, 5, 9] P3: [ 6,10, 7,11] C P4: [8,12,9,13] P5: [10,14,11,15] P6: [12,16,13,17] P7: [14,18,15,19] C C Also arrange the message words, so we get them as C M0: [0,0,1,1] M1: [ 2, 2, 3, 3] M2: [ 4, 4, 5, 5] M3: [ 6, 6, 7, 7] C M4: [8,8,9,9] M5: [10,10,11,11] M6: [12,12,13,13] M7: [14,14,15,15] C C Then, accumulate Y0 (first two "iters") using C C Y0 += (M0+P0) * (M2+P2) + (M1+P1) * (M3+P3) C Y1 += (M0+P4) * (M2+P6) + (M1+P5) * (M3+P7) C C Next iteration is then C C Y0 += (M4+P4) * (M6+P6) + (M5+P5) * (M7 + P7) C Y1 += (M4+P6) * (M6+P8) + (M5+P7) * (M7 + P11) C C So we can reuse P4, P5, P6, P7 from the previous iteration. C How to for in registers? We need 4 Q regs for P0-P3, and one C more for the last read key. We need at least two regiters C for the message (QA and QB, more if we want to expand only C once). For the Y0 update, we can let the factors overwrite C P0-P3, and for the Y1 update, we can overwrite M0-M3. vpush {q4,q5,q6} vld1.32 {QK0,QK1}, [KEY]! vld1.32 {QK2}, [KEY]! vmov QT0, QK1 vmov QT1, QK2 C Permute keys. QK2 us untouched, permuted subkeys put in QK0,QK1,QT0,QT1 vtrn.32 QK0, QK1 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QK1) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vtrn.32 QT0, QT1 C Gives us [4,8,6,10] and [5 ,9,7,11] vswp D1REG(QT0), D0REG(QT1) C Gives us [4,8,5, 9] and [6,10,7,11] vmov.i64 QY1, #0 .Loop4: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QC, QA, QRIGHT vshl.u64 QD, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QC) veor D0REG(QB), D0REG(QB), D1REG(QC) veor D1REG(QB), D1REG(QB), D0REG(QD) vmov DM, D1REG(QD) C Explode message (too bad there's no vadd with scalar) vdup.32 D1REG(QD), D1REG(QB)[1] vdup.32 D0REG(QD), D1REG(QB)[0] vdup.32 D1REG(QC), D0REG(QB)[1] vdup.32 D0REG(QC), D0REG(QB)[0] vdup.32 D1REG(QB), D1REG(QA)[1] vdup.32 D0REG(QB), D1REG(QA)[0] vdup.32 D1REG(QA), D0REG(QA)[1] vdup.32 D0REG(QA), D0REG(QA)[0] vadd.i32 QK0, QK0, QA vadd.i32 QK1, QK1, QB vadd.i32 QT0, QT0, QC vadd.i32 QT1, QT1, QD vmlal.u32 QY0, D0REG(QK0), D0REG(QT0) vmlal.u32 QY0, D1REG(QK0), D1REG(QT0) vmlal.u32 QY0, D0REG(QK1), D0REG(QT1) vmlal.u32 QY0, D1REG(QK1), D1REG(QT1) C Next 4 subkeys vld1.32 {QT0,QT1}, [KEY]! vmov QK0, QK2 vmov QK1, QT0 vmov QK2, QT1 C Save vtrn.32 QK0, QK1 C Gives us [8,12,10,14] and [9,13,11,15] vswp D1REG(QK0), D0REG(QK1) C Gives us [8,12,9,13] and [10,14,11,15] vtrn.32 QT0, QT1 C Gives us [12,16,14,18] and [13,17,15,19] vswp D1REG(QT0), D0REG(QT1) C Gives us [12,16,13,17] and [14,18,15,19] vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 vadd.i32 QC, QC, QT0 vadd.i32 QD, QD, QT1 subs LENGTH, LENGTH, #32 vmlal.u32 QY1, D0REG(QA), D0REG(QC) vmlal.u32 QY1, D1REG(QA), D1REG(QC) vmlal.u32 QY1, D0REG(QB), D0REG(QD) vmlal.u32 QY1, D1REG(QB), D1REG(QD) bhi .Loop4 vst1.64 {QY0, QY1}, [OUT] vpop {q4,q5,q6} ldr pc, [sp], #+4 .Lnh3: vpush {q4} vld1.32 {QK0,QK1}, [KEY]! vmov.i64 QY1, #0 .Loop3: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.32 {QK2}, [KEY]! C Construct factors, with low half corresponding to first iteration, C and high half corresponding to the second iteration. vmov QT0, QK1 vtrn.32 QK0, QT0 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QT0) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vdup.32 D0REG(QT1), D0REG(QA)[0] vdup.32 D1REG(QT1), D0REG(QA)[1] vadd.i32 QT1, QT1, QK0 vmov QK0, QK2 C Save for next iteration vtrn.32 QK1, QK2 C Gives us [4, 8, 2, 1] and [1, 5, 3, 7] vswp D1REG(QK1), D0REG(QK2) C Gives us [4, 8, 1, 5] and [2, 1, 3, 7] vdup.32 D0REG(QT2), D0REG(QB)[0] vdup.32 D1REG(QT2), D0REG(QB)[1] vadd.i32 QK1, QK1, QT2 vmlal.u32 QY0, D0REG(QT1), D0REG(QK1) vmlal.u32 QY0, D1REG(QT1), D1REG(QK1) vdup.32 D0REG(QT1), D1REG(QA)[0] vdup.32 D1REG(QT1), D1REG(QA)[1] vadd.i32 QT0, QT0, QT1 vdup.32 D0REG(QT1), D1REG(QB)[0] vdup.32 D1REG(QT1), D1REG(QB)[1] vadd.i32 QK2, QK2, QT1 vmlal.u32 QY0, D0REG(QT0), D0REG(QK2) vmlal.u32 QY0, D1REG(QT0), D1REG(QK2) vld1.32 {QK1}, [KEY]! vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 subs LENGTH, LENGTH, #32 vmlal.u32 QY1, D0REG(QA), D0REG(QB) vmlal.u32 QY1, D1REG(QA), D1REG(QB) bhi .Loop3 vadd.i64 D0REG(QY1), D0REG(QY1), D1REG(QY1) vst1.64 {D0REG(QY0), D1REG(QY0), D0REG(QY1)}, [OUT] vpop {q4} ldr pc, [sp], #+4 .Lnh2: vld1.32 {QK0}, [KEY]! .Loop2: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.32 {QK1,QK2}, [KEY]! C Construct factors, with low half corresponding to first iteration, C and high half corresponding to the second iteration. vmov QT0, QK1 vtrn.32 QK0, QT0 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QT0) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vdup.32 D0REG(QT1), D0REG(QA)[0] vdup.32 D1REG(QT1), D0REG(QA)[1] vadd.i32 QT1, QT1, QK0 vmov QK0, QK2 C Save for next iteration vtrn.32 QK1, QK2 C Gives us [4, 8, 6, 10] and [5, 9, 7, 11] vswp D1REG(QK1), D0REG(QK2) C Gives us [4, 8, 5, 9] and [6, 10, 7, 11] vdup.32 D0REG(QT2), D0REG(QB)[0] vdup.32 D1REG(QT2), D0REG(QB)[1] vadd.i32 QK1, QK1, QT2 vmlal.u32 QY0, D0REG(QT1), D0REG(QK1) vmlal.u32 QY0, D1REG(QT1), D1REG(QK1) vdup.32 D0REG(QT1), D1REG(QA)[0] vdup.32 D1REG(QT1), D1REG(QA)[1] vadd.i32 QT0, QT0, QT1 vdup.32 D0REG(QT1), D1REG(QB)[0] vdup.32 D1REG(QT1), D1REG(QB)[1] vadd.i32 QK2, QK2, QT1 subs LENGTH, LENGTH, #32 vmlal.u32 QY0, D0REG(QT0), D0REG(QK2) vmlal.u32 QY0, D1REG(QT0), D1REG(QK2) bhi .Loop2 vst1.64 {QY0}, [OUT] .Lend: ldr pc, [sp], #+4 EPILOGUE(_nettle_umac_nh_n) nettle-4.0/arm/neon/umac-nh.asm0000644000000000000000000000507315141166424013357 0ustar00C arm/neon/umac-nh.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "umac-nh.asm" .fpu neon define(`KEY', `r0') define(`LENGTH', `r1') define(`MSG', `r2') define(`SHIFT', `r3') define(`QA', `q0') define(`QB', `q1') define(`DM', `d16') define(`QLEFT', `q9') define(`QRIGHT', `q10') define(`QY', `q11') define(`QT0', `q12') define(`QT1', `q13') define(`QK0', `q14') define(`QK1', `q15') .text .align 3 PROLOGUE(_nettle_umac_nh) C Setup for 64-bit aligned reads ands SHIFT, MSG, #7 and MSG, MSG, #-8 vld1.8 {DM}, [MSG :64] addne MSG, MSG, #8 addeq SHIFT, SHIFT, #8 C FIXME: Combine as rsb ? lsl SHIFT, SHIFT, #3 neg SHIFT, SHIFT C Right shift in QRIGHT (both halves) vmov.i32 D0REG(QRIGHT)[0], SHIFT vmov.32 D1REG(QRIGHT), D0REG(QRIGHT) add SHIFT, SHIFT, #64 vmov.i32 D0REG(QLEFT)[0], SHIFT vmov.32 D1REG(QLEFT), D0REG(QLEFT) vmov.i64 QY, #0 vshl.u64 DM, DM, D0REG(QRIGHT) .Loop: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.i32 {QK0, QK1}, [KEY]! vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 subs LENGTH, LENGTH, #32 vmlal.u32 QY, D0REG(QA), D0REG(QB) vmlal.u32 QY, D1REG(QA), D1REG(QB) bhi .Loop vadd.i64 D0REG(QY), D0REG(QY), D1REG(QY) C return value needs to respect word order mandated by AAPCS IF_LE(` vmov r0, r1, D0REG(QY)') IF_BE(` vmov r1, r0, D0REG(QY)') bx lr EPILOGUE(_nettle_umac_nh) nettle-4.0/arm/v6/0000755000000000000000000000000015141166424010714 5ustar00nettle-4.0/arm/v6/aes-decrypt-internal.asm0000644000000000000000000001026115141166424015450 0ustar00C arm/v6/aes-decrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .arch armv6 include_src(`arm/aes.m4') define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`X0', `r0') C Overlaps PARAM_ROUNDS and PARAM_KEYS define(`X1', `r1') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') C 8 saved registers define(`FRAME_DST', `[sp, #+40]') define(`FRAME_SRC', `[sp, #+44]') define(`SRC', `r12') C Overlap registers used in inner loop. define(`DST', `COUNT') C AES_DECRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) define(`AES_DECRYPT_ROUND', ` uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 ldr $6, [TABLE, T0, lsl #2] uxtb T0, $3 ldr $7, [TABLE, T0, lsl #2] uxtb T0, $4 ldr $8, [TABLE, T0, lsl #2] uxtb T0, $4, ror #8 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $1, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $2, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $3, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $3, ror #16 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $4, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $1, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $2, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $2, ror #24 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $3, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $4, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $1, ror #24 ldr T0, [TABLE, T0, lsl #2] ldm $9, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 sub $9, $9, #16 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_decrypt) teq LENGTH, #0 beq .Lend ldr SRC, [sp, #+4] push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} ALIGN(16) .Lblock_loop: ldm sp, {COUNT, KEY} add TABLE, TABLE, #AES_TABLE0 AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD_INCR(SRC,KEY,W3, -28) str SRC, FRAME_SRC b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 C Final round ldr DST, FRAME_DST AES_FINAL_ROUND_V6(X0, X3, X2, X1, KEY, W0) AES_FINAL_ROUND_V6(X1, X0, X3, X2, KEY, W1) AES_FINAL_ROUND_V6(X2, X1, X0, X3, KEY, W2) AES_FINAL_ROUND_V6(X3, X2, X1, X0, KEY, W3) ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_decrypt) nettle-4.0/arm/v6/aes-encrypt-internal.asm0000644000000000000000000001065115141166424015465 0ustar00C arm/v6/aes-encrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .arch armv6 include_src(`arm/aes.m4') C Benchmarked at at 706, 870, 963 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`X0', `r0') C Overlaps PARAM_ROUNDS and PARAM_KEYS define(`X1', `r1') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') C 8 saved registers define(`FRAME_DST', `[sp, #+40]') define(`FRAME_SRC', `[sp, #+44]') define(`SRC', `r12') C Overlap registers used in inner loop. define(`DST', `COUNT') C 53 instr. C It's tempting to use eor with rotation, but that's slower. C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) define(`AES_ENCRYPT_ROUND', ` uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 ldr $6, [TABLE, T0, lsl #2] uxtb T0, $3 ldr $7, [TABLE, T0, lsl #2] uxtb T0, $4 ldr $8, [TABLE, T0, lsl #2] uxtb T0, $2, ror #8 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $3, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $4, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $1, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $3, ror #16 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $4, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $1, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $2, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $4, ror #24 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $1, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $2, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $3, ror #24 ldr T0, [TABLE, T0, lsl #2] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_encrypt) teq LENGTH, #0 beq .Lend ldr SRC, [sp, #+4] push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} ALIGN(16) .Lblock_loop: ldm sp, {COUNT, KEY} add TABLE, TABLE, #AES_TABLE0 AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) str SRC, FRAME_SRC b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 C Final round ldr DST, FRAME_DST AES_FINAL_ROUND_V6(X0, X1, X2, X3, KEY, W0) AES_FINAL_ROUND_V6(X1, X2, X3, X0, KEY, W1) AES_FINAL_ROUND_V6(X2, X3, X0, X1, KEY, W2) AES_FINAL_ROUND_V6(X3, X0, X1, X2, KEY, W3) ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_encrypt) nettle-4.0/arm/v6/sha1-compress.asm0000644000000000000000000001452215141166424014107 0ustar00C arm/v6/sha1-compress.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha1-compress.asm" .arch armv6 define(`STATE', `r0') define(`INPUT', `r1') define(`SA', `r2') define(`SB', `r3') define(`SC', `r4') define(`SD', `r5') define(`SE', `r6') define(`T0', `r7') define(`SHIFT', `r8') define(`WPREV', `r10') define(`W', `r12') define(`K', `lr') C FIXME: Could avoid a mov with even and odd variants. define(`LOAD', ` ldr T0, [INPUT], #+4 sel W, WPREV, T0 ror W, W, SHIFT mov WPREV, T0 IF_LE(` rev W, W') str W, [SP,#eval(4*$1)] ') define(`EXPN', ` ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 2) % 16))] eor W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 8) % 16))] eor W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 13) % 16))] eor W, W, T0 ror W, W, #31 str W, [sp, #+eval(4*$1)] ') C F1(B,C,D) = D^(B&(C^D)) C ROUND1(A,B,C,D,E) define(`ROUND1', ` eor T0, $3, $4 add $5, $5, K and T0, T0, $2 add $5, $5, $1, ror #27 eor T0, T0, $4 add $5, $5, W ror $2, $2, #2 add $5, $5, T0 ') C F2(B,C,D) = B^C^D define(`ROUND2', ` eor T0, $2, $4 add $5, $5, K eor T0, T0, $3 add $5, $5, $1, ror #27 add $5, $5, W ror $2, $2, #2 add $5, $5, T0 ') C F3(B,C,D) = (B&C) | (D & (B|C)) = (B & (C ^ D)) + (C & D) define(`ROUND3', ` eor T0, $3, $4 add $5, $5, K and T0, T0, $2 add $5, $5, $1, ror #27 add $5, $5, T0 add $5, $5, W and T0, $3, $4 ror $2, $2, #2 add $5, $5, T0 ') C void nettle_sha1_compress(uint32_t *state, const uint8_t *input) .text .align 2 .LK1: .int 0x5A827999 .LK2: .int 0x6ED9EBA1 .LK3: .int 0x8F1BBCDC PROLOGUE(nettle_sha1_compress) push {r4,r5,r6,r7,r8,r10,lr} sub sp, sp, #64 C Sets SHIFT to 8*low bits of input pointer. Sets up GE flags C as follows, corresponding to bytes to be used from WPREV C SHIFT 0 8 16 24 C CPSR.GE 0000 1110 1100 1000 ands SHIFT, INPUT, #3 and INPUT, INPUT, $-4 ldr WPREV, [INPUT] addne INPUT, INPUT, #4 C Unaligned input lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 IF_LE(` lsl W, T0, SHIFT') IF_BE(` lsr W, T0, SHIFT') uadd8 T0, T0, W C Sets APSR.GE bits C on BE rotate right by 32-SHIFT bits C because there is no rotate left IF_BE(` rsb SHIFT, SHIFT, #32') ldr K, .LK1 ldm STATE, {SA,SB,SC,SD,SE} LOAD( 0) ROUND1(SA, SB, SC, SD, SE) LOAD( 1) ROUND1(SE, SA, SB, SC, SD) LOAD( 2) ROUND1(SD, SE, SA, SB, SC) LOAD( 3) ROUND1(SC, SD, SE, SA, SB) LOAD( 4) ROUND1(SB, SC, SD, SE, SA) LOAD( 5) ROUND1(SA, SB, SC, SD, SE) LOAD( 6) ROUND1(SE, SA, SB, SC, SD) LOAD( 7) ROUND1(SD, SE, SA, SB, SC) LOAD( 8) ROUND1(SC, SD, SE, SA, SB) LOAD( 9) ROUND1(SB, SC, SD, SE, SA) LOAD(10) ROUND1(SA, SB, SC, SD, SE) LOAD(11) ROUND1(SE, SA, SB, SC, SD) LOAD(12) ROUND1(SD, SE, SA, SB, SC) LOAD(13) ROUND1(SC, SD, SE, SA, SB) LOAD(14) ROUND1(SB, SC, SD, SE, SA) LOAD(15) ROUND1(SA, SB, SC, SD, SE) EXPN( 0) ROUND1(SE, SA, SB, SC, SD) EXPN( 1) ROUND1(SD, SE, SA, SB, SC) EXPN( 2) ROUND1(SC, SD, SE, SA, SB) EXPN( 3) ROUND1(SB, SC, SD, SE, SA) ldr K, .LK2 EXPN( 4) ROUND2(SA, SB, SC, SD, SE) EXPN( 5) ROUND2(SE, SA, SB, SC, SD) EXPN( 6) ROUND2(SD, SE, SA, SB, SC) EXPN( 7) ROUND2(SC, SD, SE, SA, SB) EXPN( 8) ROUND2(SB, SC, SD, SE, SA) EXPN( 9) ROUND2(SA, SB, SC, SD, SE) EXPN(10) ROUND2(SE, SA, SB, SC, SD) EXPN(11) ROUND2(SD, SE, SA, SB, SC) EXPN(12) ROUND2(SC, SD, SE, SA, SB) EXPN(13) ROUND2(SB, SC, SD, SE, SA) EXPN(14) ROUND2(SA, SB, SC, SD, SE) EXPN(15) ROUND2(SE, SA, SB, SC, SD) EXPN( 0) ROUND2(SD, SE, SA, SB, SC) EXPN( 1) ROUND2(SC, SD, SE, SA, SB) EXPN( 2) ROUND2(SB, SC, SD, SE, SA) EXPN( 3) ROUND2(SA, SB, SC, SD, SE) EXPN( 4) ROUND2(SE, SA, SB, SC, SD) EXPN( 5) ROUND2(SD, SE, SA, SB, SC) EXPN( 6) ROUND2(SC, SD, SE, SA, SB) EXPN( 7) ROUND2(SB, SC, SD, SE, SA) ldr K, .LK3 EXPN( 8) ROUND3(SA, SB, SC, SD, SE) EXPN( 9) ROUND3(SE, SA, SB, SC, SD) EXPN(10) ROUND3(SD, SE, SA, SB, SC) EXPN(11) ROUND3(SC, SD, SE, SA, SB) EXPN(12) ROUND3(SB, SC, SD, SE, SA) EXPN(13) ROUND3(SA, SB, SC, SD, SE) EXPN(14) ROUND3(SE, SA, SB, SC, SD) EXPN(15) ROUND3(SD, SE, SA, SB, SC) EXPN( 0) ROUND3(SC, SD, SE, SA, SB) EXPN( 1) ROUND3(SB, SC, SD, SE, SA) EXPN( 2) ROUND3(SA, SB, SC, SD, SE) EXPN( 3) ROUND3(SE, SA, SB, SC, SD) EXPN( 4) ROUND3(SD, SE, SA, SB, SC) EXPN( 5) ROUND3(SC, SD, SE, SA, SB) EXPN( 6) ROUND3(SB, SC, SD, SE, SA) EXPN( 7) ROUND3(SA, SB, SC, SD, SE) EXPN( 8) ROUND3(SE, SA, SB, SC, SD) EXPN( 9) ROUND3(SD, SE, SA, SB, SC) EXPN(10) ROUND3(SC, SD, SE, SA, SB) EXPN(11) ROUND3(SB, SC, SD, SE, SA) ldr K, .LK4 EXPN(12) ROUND2(SA, SB, SC, SD, SE) EXPN(13) ROUND2(SE, SA, SB, SC, SD) EXPN(14) ROUND2(SD, SE, SA, SB, SC) EXPN(15) ROUND2(SC, SD, SE, SA, SB) EXPN( 0) ROUND2(SB, SC, SD, SE, SA) EXPN( 1) ROUND2(SA, SB, SC, SD, SE) EXPN( 2) ROUND2(SE, SA, SB, SC, SD) EXPN( 3) ROUND2(SD, SE, SA, SB, SC) EXPN( 4) ROUND2(SC, SD, SE, SA, SB) EXPN( 5) ROUND2(SB, SC, SD, SE, SA) EXPN( 6) ROUND2(SA, SB, SC, SD, SE) EXPN( 7) ROUND2(SE, SA, SB, SC, SD) EXPN( 8) ROUND2(SD, SE, SA, SB, SC) EXPN( 9) ROUND2(SC, SD, SE, SA, SB) EXPN(10) ROUND2(SB, SC, SD, SE, SA) EXPN(11) ROUND2(SA, SB, SC, SD, SE) EXPN(12) ROUND2(SE, SA, SB, SC, SD) EXPN(13) ROUND2(SD, SE, SA, SB, SC) EXPN(14) ROUND2(SC, SD, SE, SA, SB) EXPN(15) ROUND2(SB, SC, SD, SE, SA) C Use registers we no longer need. ldm STATE, {INPUT,T0,SHIFT,W,K} add SA, SA, INPUT add SB, SB, T0 add SC, SC, SHIFT add SD, SD, W add SE, SE, K add sp, sp, #64 stm STATE, {SA,SB,SC,SD,SE} pop {r4,r5,r6,r7,r8,r10,pc} EPILOGUE(nettle_sha1_compress) .LK4: .int 0xCA62C1D6 nettle-4.0/arm/v6/sha256-compress-n.asm0000644000000000000000000001422015141166424014511 0ustar00C arm/v6/sha256-compress-n.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" .arch armv6 define(`STATE', `r0') define(`K', `r1') define(`BLOCKS', `r2') define(`INPUT', `r3') define(`SA', `r2') C Overlap BLOCKS define(`SB', `r4') define(`SC', `r5') define(`SD', `r6') define(`SE', `r7') define(`SF', `r8') define(`SG', `r10') define(`SH', `r11') define(`T0', `r12') define(`T1', `r3') C Overlap INPUT define(`COUNT', `r0') C Overlap STATE define(`W', `r14') C Used for data load. Must not clobber STATE (r0), K (r1) or INPUT (r3) define(`I0', `r2') define(`I1', `r4') define(`I2', `r5') define(`I3', `r6') define(`I4', `r7') define(`DST', `r8') define(`SHIFT', `r10') define(`ILEFT', `r11') define(`EXPN', ` ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 14) % 16))] ror T1, T0, #17 eor T1, T1, T0, ror #19 eor T1, T1, T0, lsr #10 add W, W, T1 ldr T0, [sp, #+eval(4*(($1 + 9) % 16))] add W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 1) % 16))] ror T1, T0, #7 eor T1, T1, T0, ror #18 eor T1, T1, T0, lsr #3 add W, W, T1 str W, [sp, #+eval(4*$1)] ') C ROUND(A,B,C,D,E,F,G,H) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<26 ^ E<<<21 ^ E<<<7 C S0(A) = A<<<30 ^ A<<<19 ^ A<<<10 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(`ROUND', ` ror T0, $5, #6 eor T0, T0, $5, ror #11 eor T0, T0, $5, ror #25 add $8, $8, T0 eor T0, $6, $7 and T0, T0, $5 eor T0, T0, $7 add $8,$8, T0 ldr T0, [K], #+4 add $8, $8, W add $8, $8, T0 add $4, $4, $8 ror T0, $1, #2 eor T0, T0, $1, ror #13 eor T0, T0, $1, ror #22 add $8, $8, T0 and T0, $1, $2 add $8, $8, T0 eor T0, $1, $2 and T0, T0, $3 add $8, $8, T0 ') define(`NOEXPN', ` ldr W, [sp, + $1] add $1, $1, #4 ') .text .align 2 define(`SHIFT_OFFSET', 64) define(`INPUT_OFFSET', 68) define(`I0_OFFSET', 72) define(`STATE_OFFSET', 76) define(`K_OFFSET', 80) define(`BLOCKS_OFFSET', 84) C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) PROLOGUE(_nettle_sha256_compress_n) cmp BLOCKS, #0 bne .Lwork mov r0, INPUT bx lr .Lwork: C Also save STATE (r0), K (r1) and BLOCKS (r2) push {r0,r1,r2,r4,r5,r6,r7,r8,r10,r11,r12,r14} sub sp, sp, #STATE_OFFSET C Load data up front, since we don't have enough registers C to load and shift on-the-fly ands SHIFT, INPUT, #3 and INPUT, INPUT, $-4 ldr I0, [INPUT] addne INPUT, INPUT, #4 lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 IF_LE(` lsl I1, T0, SHIFT') IF_BE(` lsr I1, T0, SHIFT') uadd8 T0, T0, I1 C Sets APSR.GE bits C on BE rotate right by 32-SHIFT bits C because there is no rotate left IF_BE(` rsb SHIFT, SHIFT, #32') str SHIFT, [sp, #SHIFT_OFFSET] .Loop_block: mov DST, sp mov ILEFT, #4 .Lcopy: ldm INPUT!, {I1,I2,I3,I4} sel I0, I0, I1 ror I0, I0, SHIFT IF_LE(` rev I0, I0') sel I1, I1, I2 ror I1, I1, SHIFT IF_LE(` rev I1, I1') sel I2, I2, I3 ror I2, I2, SHIFT IF_LE(` rev I2, I2') sel I3, I3, I4 ror I3, I3, SHIFT IF_LE(` rev I3, I3') subs ILEFT, ILEFT, #1 stm DST!, {I0,I1,I2,I3} mov I0, I4 bne .Lcopy str INPUT, [sp, #INPUT_OFFSET] str I0, [sp, #I0_OFFSET] C Process block, with input at sp, expanded on the fly ldm STATE, {SA,SB,SC,SD,SE,SF,SG,SH} mov COUNT,#0 .Loop1: NOEXPN(COUNT) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) NOEXPN(COUNT) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) NOEXPN(COUNT) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) NOEXPN(COUNT) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) NOEXPN(COUNT) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) NOEXPN(COUNT) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) NOEXPN(COUNT) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) NOEXPN(COUNT) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) cmp COUNT,#64 bne .Loop1 mov COUNT, #3 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) subs COUNT, COUNT, #1 EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) bne .Loop2 ldr STATE, [sp, #STATE_OFFSET] C No longer needed registers ldm STATE, {K, T1, T0, W} add SA, SA, K add SB, SB, T1 add SC, SC, T0 add SD, SD, W stm STATE!, {SA,SB,SC,SD} ldm STATE, {K, T1, T0, W} add SE, SE, K add SF, SF, T1 add SG, SG, T0 add SH, SH, W stm STATE, {SE,SF,SG,SH} sub STATE, STATE, #16 ldr BLOCKS, [sp, #BLOCKS_OFFSET] subs BLOCKS, BLOCKS, #1 str BLOCKS, [sp, #BLOCKS_OFFSET] ldr SHIFT, [sp, #SHIFT_OFFSET] ldr K, [sp, #K_OFFSET] ldr INPUT, [sp, #INPUT_OFFSET] ldr I0, [sp, #I0_OFFSET] bne .Loop_block C Restore input pointer adjustment IF_BE(` rsbs SHIFT, SHIFT, #32') IF_LE(` cmp SHIFT, #0') subne INPUT, INPUT, #4 orr r0, INPUT, SHIFT, lsr #3 C Discard saved STATE, K and BLOCKS. add sp, sp, #STATE_OFFSET + 12 pop {r4,r5,r6,r7,r8,r10,r11,r12,pc} EPILOGUE(_nettle_sha256_compress_n) nettle-4.0/arm64/0000755000000000000000000000000015141166425010534 5ustar00nettle-4.0/arm64/README0000644000000000000000000001153115141166424011414 0ustar00General-purpose Registers[1] There are thirty-one, 64-bit, general-purpose (integer) registers visible to the A64 instruction set; these are labeled r0-r30. In a 64-bit context these registers are normally referred to using the names x0-x30; in a 32-bit context the registers are specified by using w0-w30. Additionally, a stack-pointer register, SP, can be used with a restricted number of instructions. The first eight registers, r0-r7, are used to pass argument values into a subroutine and to return result values from a function. Software developers creating platform-independent code are advised to avoid using r18 if at all possible. Most compilers provide a mechanism to prevent specific registers from being used for general allocation; portable hand-coded assembler should avoid it entirely. It should not be assumed that treating the register as callee-saved will be sufficient to satisfy the requirements of the platform. Virtualization code must, of course, treat the register as they would any other resource provided to the virtual machine. A subroutine invocation must preserve the contents of the registers r19-r29 and SP. All 64 bits of each value stored in r19-r29 must be preserved, even when using the ILP32 data model. SIMD and Floating-Point Registers[1] Unlike in AArch32, in AArch64 the 128-bit and 64-bit views of a SIMD and Floating-Point register do not overlap multiple registers in a narrower view, so q1, d1 and s1 all refer to the same entry in the register bank. The first eight registers, v0-v7, are used to pass argument values into a subroutine and to return result values from a function. They may also be used to hold intermediate values within a routine (but, in general, only between subroutine calls). Registers v8-v15 must be preserved by a callee across subroutine calls; the remaining registers (v0-v7, v16-v31) do not need to be preserved (or should be preserved by the caller). Additionally, only the bottom 64 bits of each value stored in v8-v15 need to be preserved. Endianness Similar to arm, aarch64 can run with little-endian or big-endian memory accesses. Endianness is handled exclusively on load and store operations. Register layout and operation behaviour is identical in both modes. When writing SIMD code, endianness interaction with vector loads and stores may exhibit seemingly unintuitive behaviour, particularly when mixing normal and vector load/store operations. See [2] for a good overview, particularly into the pitfalls of using ldr/str vs. ld1/st1. For example, ld1 {v1.2d,v2.2d},[x0] will load v1 and v2 with elements of a one-dimensional vector from consecutive memory locations. So v1.d[0] will be read from x0+0, v1.d[1] from x0+8 (bytes) and v2.d[0] from x0+16 and v2.d[1] from x0+24. That'll be the same in LE and BE mode because it is the structure of the vector prescribed by the load operation. Endianness will be applied to the individual doublewords but the order in which they're loaded from memory and in which they're put into d[0] and d[1] won't change. Another way is to explicitly load a vector of bytes using ld1 {v1.16b, v2.16b},[x0]. This will load x0+0 into v1.b[0], x0+1 (byte) into v1.b[1] and so forth. This load (or store) is endianness-neutral and behaves identical in LE and BE mode. Care must however be taken when switching views onto the registers: d[0] is mapped onto b[0] through b[7] and b[0] will be the least significant byte in d[0] and b[7] will be MSB. This layout is also the same in both memory endianness modes. ld1 {v1.16b}, however, will always load a vector of bytes with eight elements as consecutive bytes from memory into b[0] through b[7]. When accessed trough d[0] this will only appear as the expected doubleword-sized number if it was indeed stored little-endian in memory. Something similar happens when loading a vector of doublewords (ld1 {v1.2d},[x0]) and then accessing individual bytes of it. Bytes will only be at the expected indices if the doublewords are indeed stored in current memory endianness in memory. Therefore it is most intuitive to use the appropriate vector element width for the data being loaded or stored to apply the necessary endianness correction. Finally, ldr/str are not vector operations. When used to load a 128bit quadword, they will apply endianness to the whole quadword. Therefore particular care must be taken if the loaded data is then to be regarded as elements of e.g. a doubleword vector. Indicies may appear reversed on big-endian systems (because they are). Hardware-accelerated SHA Instructions The SHA optimized cores are implemented using SHA hashing instructions added to AArch64 in crypto extensions. The repository [3] illustrates using those instructions for optimizing SHA hashing functions. [1] https://github.com/ARM-software/abi-aa/releases/download/2020Q4/aapcs64.pdf [2] https://llvm.org/docs/BigEndianNEON.html [3] https://github.com/noloader/SHA-Intrinsics nettle-4.0/arm64/chacha-2core.asm0000644000000000000000000001311415141166424013454 0ustar00C arm64/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `x0') define(`SRC', `x1') define(`ROUNDS', `x2') C Working state define(`ROT24', `v0') define(`T0', `v16') C State, even elements in X, odd elements in Y define(`X0', `v17') define(`X1', `v18') define(`X2', `v19') define(`X3', `v20') define(`Y0', `v21') define(`Y1', `v22') define(`Y2', `v23') define(`Y3', `v24') C Original input state define(`S0', `v25') define(`S1', `v26') define(`S2', `v27') define(`S3', `v28') define(`S3p1', `v29') define(`TMP0', `v30') define(`TMP1', `v31') C _chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_chacha_2core) eor X1.16b, X1.16b, X1.16b mov w3, #1 mov X1.s[0], w3 add x3, SRC, #48 ld1 {X3.4s}, [x3] add Y3.4s, X3.4s, X1.4s cmhi Y3.4s, X3.4s, Y3.4s ext Y3.16b, Y3.16b, Y3.16b, #12 orr Y3.16b, Y3.16b, X1.16b .Lshared_entry: adr x3, .Lrot24 ld1 {ROT24.4s},[x3] add Y3.4s, Y3.4s, X3.4s C Load state ld1 {X0.4s,X1.4s,X2.4s}, [SRC] mov S0.16b, X0.16b mov S1.16b, X1.16b mov S2.16b, X2.16b mov S3.16b, X3.16b mov S3p1.16b, Y3.16b trn2 Y0.4s, X0.4s, X0.4s C 1 1 3 3 trn1 X0.4s, X0.4s, X0.4s C 0 0 2 2 trn2 Y1.4s, X1.4s, X1.4s C 5 5 7 7 trn1 X1.4s, X1.4s, X1.4s C 4 4 6 6 trn2 Y2.4s, X2.4s, X2.4s C 9 9 11 11 trn1 X2.4s, X2.4s, X2.4s C 8 8 10 10 trn2 Y3.4s, X3.4s, S3p1.4s C 13 13 15 15 trn1 X3.4s, X3.4s, S3p1.4s C 12 12 14 14 .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C X1: A4 B4 A6 B6 Y1: A5 B5 A7 B7 C X2: A8 B8 A10 B10 Y2: A9 B9 A11 B11 C X3: A12 B12 A14 B14 Y3: A13 B13 A15 B15 add X0.4s, X0.4s, X1.4s add Y0.4s, Y0.4s, Y1.4s eor X3.16b, X3.16b, X0.16b eor Y3.16b, Y3.16b, Y0.16b rev32 X3.8h, X3.8h rev32 Y3.8h, Y3.8h add X2.4s, X2.4s, X3.4s add Y2.4s, Y2.4s, Y3.4s eor TMP0.16b, X1.16b, X2.16b eor TMP1.16b, Y1.16b, Y2.16b ushr X1.4s, TMP0.4s, #20 ushr Y1.4s, TMP1.4s, #20 sli X1.4s, TMP0.4s, #12 sli Y1.4s, TMP1.4s, #12 add X0.4s, X0.4s, X1.4s add Y0.4s, Y0.4s, Y1.4s eor X3.16b, X3.16b, X0.16b eor Y3.16b, Y3.16b, Y0.16b tbl X3.16b, {X3.16b}, ROT24.16b tbl Y3.16b, {Y3.16b}, ROT24.16b add X2.4s, X2.4s, X3.4s add Y2.4s, Y2.4s, Y3.4s eor TMP0.16b, X1.16b, X2.16b eor TMP1.16b, Y1.16b, Y2.16b ushr X1.4s, TMP0.4s, #25 ushr Y1.4s, TMP1.4s, #25 sli X1.4s, TMP0.4s, #7 sli Y1.4s, TMP1.4s, #7 ext X1.16b, X1.16b, X1.16b, #8 ext X2.16b, X2.16b, X2.16b, #8 ext Y2.16b, Y2.16b, Y2.16b, #8 ext Y3.16b, Y3.16b, Y3.16b, #8 C Register layout: C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C Y1: A5 B5 A7 B7 X1: A6 B6 A4 B4 (X1 swapped) C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped) C Y3 A15 B15 A13 B13 X3 A12 B12 A14 B14 (Y3 swapped) add X0.4s, X0.4s, Y1.4s add Y0.4s, Y0.4s, X1.4s eor Y3.16b, Y3.16b, X0.16b eor X3.16b, X3.16b, Y0.16b rev32 Y3.8h, Y3.8h rev32 X3.8h, X3.8h add X2.4s, X2.4s, Y3.4s add Y2.4s, Y2.4s, X3.4s eor TMP0.16b, Y1.16b, X2.16b eor TMP1.16b, X1.16b, Y2.16b ushr Y1.4s, TMP0.4s, #20 ushr X1.4s, TMP1.4s, #20 sli Y1.4s, TMP0.4s, #12 sli X1.4s, TMP1.4s, #12 add X0.4s, X0.4s, Y1.4s add Y0.4s, Y0.4s, X1.4s eor Y3.16b, Y3.16b, X0.16b eor X3.16b, X3.16b, Y0.16b tbl Y3.16b, {Y3.16b}, ROT24.16b tbl X3.16b, {X3.16b}, ROT24.16b add X2.4s, X2.4s, Y3.4s add Y2.4s, Y2.4s, X3.4s eor TMP0.16b, Y1.16b, X2.16b eor TMP1.16b, X1.16b, Y2.16b ushr Y1.4s, TMP0.4s, #25 ushr X1.4s, TMP1.4s, #25 sli Y1.4s, TMP0.4s, #7 sli X1.4s, TMP1.4s, #7 ext X1.16b, X1.16b, X1.16b, #8 ext X2.16b, X2.16b, X2.16b, #8 ext Y2.16b, Y2.16b, Y2.16b, #8 ext Y3.16b, Y3.16b, Y3.16b, #8 subs ROUNDS, ROUNDS, #2 b.ne .Loop trn1 T0.4s, X0.4s, Y0.4s trn2 Y0.4s, X0.4s, Y0.4s trn1 X0.4s, X1.4s, Y1.4s trn2 Y1.4s, X1.4s, Y1.4s trn1 X1.4s, X2.4s, Y2.4s trn2 Y2.4s, X2.4s, Y2.4s trn1 X2.4s, X3.4s, Y3.4s trn2 Y3.4s, X3.4s, Y3.4s add T0.4s, T0.4s, S0.4s add Y0.4s, Y0.4s, S0.4s add X0.4s, X0.4s, S1.4s add Y1.4s, Y1.4s, S1.4s add X1.4s, X1.4s, S2.4s add Y2.4s, Y2.4s, S2.4s add X2.4s, X2.4s, S3.4s add Y3.4s, Y3.4s, S3p1.4s st1 {T0.16b,X0.16b,X1.16b,X2.16b}, [DST], #64 st1 {Y0.16b,Y1.16b,Y2.16b,Y3.16b}, [DST] ret EPILOGUE(_nettle_chacha_2core) .text ALIGN(16) PROLOGUE(_nettle_chacha_2core32) eor Y3.16b, Y3.16b, Y3.16b C {0,0,...,0} mov w3, #1 mov Y3.s[0], w3 C {1,0,...,0} add x3, SRC, #48 ld1 {X3.4s}, [x3] b .Lshared_entry EPILOGUE(_nettle_chacha_2core32) .align 4 .Lrot24: .long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f nettle-4.0/arm64/chacha-4core.asm0000644000000000000000000001526515141166424013467 0ustar00C arm64/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `x0') define(`SRC', `x1') define(`ROUNDS', `x2') C Working state C During the loop, used to save the original values for last 4 words C of each block. Also used as temporaries for transpose. define(`T0', `v0') define(`T1', `v1') define(`T2', `v2') define(`T3', `v3') define(`TMP0', `v4') define(`TMP1', `v5') define(`TMP2', `v6') define(`TMP3', `v7') define(`ROT24', `v8') C A workaround for expanding multiple digits of argument references to QR macro which is incompatible with POSIX C See https://www.gnu.org/software/m4/manual/html_node/Arguments.html define(`P1', `ifelse($1, 0, v16, $1, 1, v17, $1, 2, v18, $1, 3, v19, $1, 4, v20, $1, 5, v21, $1, 6, v22, $1, 7, v23, $1, 8, v24, $1, 9, v25, $1, 10, v26, $1, 11, v27, $1, 12, v28, $1, 13, v29, $1, 14, v30, $1, 15, v31)') define(`P2', `ifelse($1, 0, v16, $1, 1, v21, $1, 2, v26, $1, 3, v31, $1, 4, v20, $1, 5, v25, $1, 6, v30, $1, 7, v19, $1, 8, v24, $1, 9, v29, $1, 10, v18, $1, 11, v23, $1, 12, v28, $1, 13, v17, $1, 14, v22, $1, 15, v27)') C Main loop for round define(`QR',` add $1(0).4s, $1(0).4s, $1(1).4s add $1(4).4s, $1(4).4s, $1(5).4s add $1(8).4s, $1(8).4s, $1(9).4s add $1(12).4s, $1(12).4s, $1(13).4s eor $1(3).16b, $1(3).16b, $1(0).16b eor $1(7).16b, $1(7).16b, $1(4).16b eor $1(11).16b, $1(11).16b, $1(8).16b eor $1(15).16b, $1(15).16b, $1(12).16b rev32 $1(3).8h, $1(3).8h rev32 $1(7).8h, $1(7).8h rev32 $1(11).8h, $1(11).8h rev32 $1(15).8h, $1(15).8h add $1(2).4s, $1(2).4s, $1(3).4s add $1(6).4s, $1(6).4s, $1(7).4s add $1(10).4s, $1(10).4s, $1(11).4s add $1(14).4s, $1(14).4s, $1(15).4s eor TMP0.16b, $1(1).16b, $1(2).16b eor TMP1.16b, $1(5).16b, $1(6).16b eor TMP2.16b, $1(9).16b, $1(10).16b eor TMP3.16b, $1(13).16b, $1(14).16b ushr $1(1).4s, TMP0.4s, #20 ushr $1(5).4s, TMP1.4s, #20 ushr $1(9).4s, TMP2.4s, #20 ushr $1(13).4s, TMP3.4s, #20 sli $1(1).4s, TMP0.4s, #12 sli $1(5).4s, TMP1.4s, #12 sli $1(9).4s, TMP2.4s, #12 sli $1(13).4s, TMP3.4s, #12 add $1(0).4s, $1(0).4s, $1(1).4s add $1(4).4s, $1(4).4s, $1(5).4s add $1(8).4s, $1(8).4s, $1(9).4s add $1(12).4s, $1(12).4s, $1(13).4s eor $1(3).16b, $1(3).16b, $1(0).16b eor $1(7).16b, $1(7).16b, $1(4).16b eor $1(11).16b, $1(11).16b, $1(8).16b eor $1(15).16b, $1(15).16b, $1(12).16b tbl $1(3).16b, {$1(3).16b}, ROT24.16b tbl $1(7).16b, {$1(7).16b}, ROT24.16b tbl $1(11).16b, {$1(11).16b}, ROT24.16b tbl $1(15).16b, {$1(15).16b}, ROT24.16b add $1(2).4s, $1(2).4s, $1(3).4s add $1(6).4s, $1(6).4s, $1(7).4s add $1(10).4s, $1(10).4s, $1(11).4s add $1(14).4s, $1(14).4s, $1(15).4s eor TMP0.16b, $1(1).16b, $1(2).16b eor TMP1.16b, $1(5).16b, $1(6).16b eor TMP2.16b, $1(9).16b, $1(10).16b eor TMP3.16b, $1(13).16b, $1(14).16b ushr $1(1).4s, TMP0.4s, #25 ushr $1(5).4s, TMP1.4s, #25 ushr $1(9).4s, TMP2.4s, #25 ushr $1(13).4s, TMP3.4s, #25 sli $1(1).4s, TMP0.4s, #7 sli $1(5).4s, TMP1.4s, #7 sli $1(9).4s, TMP2.4s, #7 sli $1(13).4s, TMP3.4s, #7 ') define(`TRANSPOSE',` zip1 T0.4s, $1.4s, $3.4s C A0 A2 B0 B2 zip1 T1.4s, $2.4s, $4.4s C A1 A3 B1 B3 zip2 T2.4s, $1.4s, $3.4s C C0 C2 D0 D2 zip2 T3.4s, $2.4s, $4.4s C C1 C3 D1 D3 zip1 $1.4s, T0.4s, T1.4s C A0 A1 A2 A3 zip2 $2.4s, T0.4s, T1.4s C B0 B1 B2 B3 zip1 $3.4s, T2.4s, T3.4s C C0 C2 C1 C3 zip2 $4.4s, T2.4s, T3.4s C D0 D1 D2 D3 ') C _chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_chacha_4core) mov w3, #1 dup TMP2.4s, w3 C Apply counter carries .Lshared_entry: C Save callee-save registers fmov x3, d8 adr x4, .Lcnts ld1 {TMP3.4s,ROT24.4s},[x4] C Load state and splat ld1 {v16.4s,v17.4s,v18.4s,v19.4s}, [SRC] dup v20.4s, v16.s[1] dup v24.4s, v16.s[2] dup v28.4s, v16.s[3] dup v16.4s, v16.s[0] dup v21.4s, v17.s[1] dup v25.4s, v17.s[2] dup v29.4s, v17.s[3] dup v17.4s, v17.s[0] dup v22.4s, v18.s[1] dup v26.4s, v18.s[2] dup v30.4s, v18.s[3] dup v18.4s, v18.s[0] dup v23.4s, v19.s[1] dup v27.4s, v19.s[2] dup v31.4s, v19.s[3] dup v19.4s, v19.s[0] add v19.4s, v19.4s, TMP3.4s C low adds cmhi TMP1.4s, TMP3.4s, v19.4s C compute carry-out and TMP1.16b, TMP1.16b, TMP2.16b C discard carries for 32-bit counter variant add v23.4s, v23.4s, TMP1.4s C apply carries C Save all 4x4 of the last words. mov T0.16b, v19.16b mov T1.16b, v23.16b mov T2.16b, v27.16b mov T3.16b, v31.16b .Loop: QR(`P1') QR(`P2') subs ROUNDS, ROUNDS, #2 b.ne .Loop C Add in saved original words, including counters, before C transpose. add v19.4s, v19.4s, T0.4s add v23.4s, v23.4s, T1.4s add v27.4s, v27.4s, T2.4s add v31.4s, v31.4s, T3.4s TRANSPOSE(v16, v20,v24, v28) TRANSPOSE(v17, v21, v25, v29) TRANSPOSE(v18, v22, v26, v30) TRANSPOSE(v19, v23, v27, v31) ld1 {T0.4s,T1.4s,T2.4s}, [SRC] add v16.4s, v16.4s, T0.4s add v20.4s, v20.4s, T0.4s add v24.4s, v24.4s, T0.4s add v28.4s, v28.4s, T0.4s add v17.4s, v17.4s, T1.4s add v21.4s, v21.4s, T1.4s add v25.4s, v25.4s, T1.4s add v29.4s, v29.4s, T1.4s add v18.4s, v18.4s, T2.4s add v22.4s, v22.4s, T2.4s add v26.4s, v26.4s, T2.4s add v30.4s, v30.4s, T2.4s st1 {v16.16b,v17.16b,v18.16b,v19.16b}, [DST], #64 st1 {v20.16b,v21.16b,v22.16b,v23.16b}, [DST], #64 st1 {v24.16b,v25.16b,v26.16b,v27.16b}, [DST], #64 st1 {v28.16b,v29.16b,v30.16b,v31.16b}, [DST] C Restore callee-save registers fmov d8, x3 ret EPILOGUE(_nettle_chacha_4core) .text ALIGN(16) PROLOGUE(_nettle_chacha_4core32) eor TMP2.16b, TMP2.16b, TMP2.16b C Ignore counter carries b .Lshared_entry EPILOGUE(_nettle_chacha_4core32) .align 4 .Lcnts: .long 0,1,2,3 C increments .Lrot24: .long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f nettle-4.0/arm64/chacha-core-internal.asm0000644000000000000000000000557415141166424015217 0ustar00C arm64/chacha-core-internal.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `x0') define(`SRC', `x1') define(`ROUNDS', `x2') C Working state define(`X0', `v0') define(`X1', `v1') define(`X2', `v2') define(`X3', `v3') C Original input state define(`S0', `v4') define(`S1', `v5') define(`S2', `v6') define(`S3', `v7') define(`ROT24', `v16') define(`TMP', `v17') C QROUND(X0, X1, X2, X3) define(`QROUND', ` C x0 += x1, x3 ^= x0, x3 lrot 16 C x2 += x3, x1 ^= x2, x1 lrot 12 C x0 += x1, x3 ^= x0, x3 lrot 8 C x2 += x3, x1 ^= x2, x1 lrot 7 add $1.4s, $1.4s, $2.4s eor $4.16b, $4.16b, $1.16b rev32 $4.8h, $4.8h add $3.4s, $3.4s, $4.4s eor TMP.16b, $2.16b, $3.16b ushr $2.4s, TMP.4s, #20 sli $2.4s, TMP.4s, #12 add $1.4s, $1.4s, $2.4s eor $4.16b, $4.16b, $1.16b tbl $4.16b, {$4.16b}, ROT24.16b add $3.4s, $3.4s, $4.4s eor TMP.16b, $2.16b, $3.16b ushr $2.4s, TMP.4s, #25 sli $2.4s, TMP.4s, #7 ') .text C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_chacha_core) adr x3, .Lrot24 ld1 {ROT24.4s},[x3] ld1 {X0.4s,X1.4s,X2.4s,X3.4s}, [SRC] mov S0.16b, X0.16b mov S1.16b, X1.16b mov S2.16b, X2.16b mov S3.16b, X3.16b .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 1 2 3 C 5 6 7 4 <<< 1 C 10 11 8 9 <<< 2 C 15 12 13 14 <<< 3 ext X1.16b, X1.16b, X1.16b, #4 ext X2.16b, X2.16b, X2.16b, #8 ext X3.16b, X3.16b, X3.16b, #12 QROUND(X0, X1, X2, X3) ext X1.16b, X1.16b, X1.16b, #12 ext X2.16b, X2.16b, X2.16b, #8 ext X3.16b, X3.16b, X3.16b, #4 subs ROUNDS, ROUNDS, #2 b.ne .Loop add X0.4s, X0.4s, S0.4s add X1.4s, X1.4s, S1.4s add X2.4s, X2.4s, S2.4s add X3.4s, X3.4s, S3.4s st1 {X0.16b,X1.16b,X2.16b,X3.16b}, [DST] ret EPILOGUE(_nettle_chacha_core) .align 4 .Lrot24: .long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f nettle-4.0/arm64/crypto/0000755000000000000000000000000015141166425012054 5ustar00nettle-4.0/arm64/crypto/aes128-decrypt.asm0000644000000000000000000000567215141166425015243 0ustar00C arm64/crypto/aes128-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-decrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') C void C aes128_decrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_aes128_decrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESD_ROUND_4B(S0,S1,S2,S3,K10) AESD_ROUND_4B(S0,S1,S2,S3,K9) AESD_ROUND_4B(S0,S1,S2,S3,K8) AESD_ROUND_4B(S0,S1,S2,S3,K7) AESD_ROUND_4B(S0,S1,S2,S3,K6) AESD_ROUND_4B(S0,S1,S2,S3,K5) AESD_ROUND_4B(S0,S1,S2,S3,K4) AESD_ROUND_4B(S0,S1,S2,S3,K3) AESD_ROUND_4B(S0,S1,S2,S3,K2) AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESD_ROUND_1B(S0,K10) AESD_ROUND_1B(S0,K9) AESD_ROUND_1B(S0,K8) AESD_ROUND_1B(S0,K7) AESD_ROUND_1B(S0,K6) AESD_ROUND_1B(S0,K5) AESD_ROUND_1B(S0,K4) AESD_ROUND_1B(S0,K3) AESD_ROUND_1B(S0,K2) AESD_LAST_ROUND_1B(S0,K1,K0) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes128_decrypt) nettle-4.0/arm64/crypto/aes128-encrypt.asm0000644000000000000000000000567215141166424015254 0ustar00C arm64/crypto/aes128-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-encrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') C void C aes128_encrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_aes128_encrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESE_ROUND_4B(S0,S1,S2,S3,K0) AESE_ROUND_4B(S0,S1,S2,S3,K1) AESE_ROUND_4B(S0,S1,S2,S3,K2) AESE_ROUND_4B(S0,S1,S2,S3,K3) AESE_ROUND_4B(S0,S1,S2,S3,K4) AESE_ROUND_4B(S0,S1,S2,S3,K5) AESE_ROUND_4B(S0,S1,S2,S3,K6) AESE_ROUND_4B(S0,S1,S2,S3,K7) AESE_ROUND_4B(S0,S1,S2,S3,K8) AESE_LAST_ROUND_4B(S0,S1,S2,S3,K9,K10) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESE_ROUND_1B(S0,K0) AESE_ROUND_1B(S0,K1) AESE_ROUND_1B(S0,K2) AESE_ROUND_1B(S0,K3) AESE_ROUND_1B(S0,K4) AESE_ROUND_1B(S0,K5) AESE_ROUND_1B(S0,K6) AESE_ROUND_1B(S0,K7) AESE_ROUND_1B(S0,K8) AESE_LAST_ROUND_1B(S0,K9,K10) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes128_encrypt) nettle-4.0/arm64/crypto/aes192-decrypt.asm0000644000000000000000000000621415141166424015234 0ustar00C arm64/crypto/aes192-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-decrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') C void C aes192_decrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_aes192_decrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESD_ROUND_4B(S0,S1,S2,S3,K12) AESD_ROUND_4B(S0,S1,S2,S3,K11) AESD_ROUND_4B(S0,S1,S2,S3,K10) AESD_ROUND_4B(S0,S1,S2,S3,K9) AESD_ROUND_4B(S0,S1,S2,S3,K8) AESD_ROUND_4B(S0,S1,S2,S3,K7) AESD_ROUND_4B(S0,S1,S2,S3,K6) AESD_ROUND_4B(S0,S1,S2,S3,K5) AESD_ROUND_4B(S0,S1,S2,S3,K4) AESD_ROUND_4B(S0,S1,S2,S3,K3) AESD_ROUND_4B(S0,S1,S2,S3,K2) AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESD_ROUND_1B(S0,K12) AESD_ROUND_1B(S0,K11) AESD_ROUND_1B(S0,K10) AESD_ROUND_1B(S0,K9) AESD_ROUND_1B(S0,K8) AESD_ROUND_1B(S0,K7) AESD_ROUND_1B(S0,K6) AESD_ROUND_1B(S0,K5) AESD_ROUND_1B(S0,K4) AESD_ROUND_1B(S0,K3) AESD_ROUND_1B(S0,K2) AESD_LAST_ROUND_1B(S0,K1,K0) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes192_decrypt) nettle-4.0/arm64/crypto/aes192-encrypt.asm0000644000000000000000000000621415141166424015246 0ustar00C arm64/crypto/aes192-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-encrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') C void C aes192_encrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_aes192_encrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESE_ROUND_4B(S0,S1,S2,S3,K0) AESE_ROUND_4B(S0,S1,S2,S3,K1) AESE_ROUND_4B(S0,S1,S2,S3,K2) AESE_ROUND_4B(S0,S1,S2,S3,K3) AESE_ROUND_4B(S0,S1,S2,S3,K4) AESE_ROUND_4B(S0,S1,S2,S3,K5) AESE_ROUND_4B(S0,S1,S2,S3,K6) AESE_ROUND_4B(S0,S1,S2,S3,K7) AESE_ROUND_4B(S0,S1,S2,S3,K8) AESE_ROUND_4B(S0,S1,S2,S3,K9) AESE_ROUND_4B(S0,S1,S2,S3,K10) AESE_LAST_ROUND_4B(S0,S1,S2,S3,K11,K12) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESE_ROUND_1B(S0,K0) AESE_ROUND_1B(S0,K1) AESE_ROUND_1B(S0,K2) AESE_ROUND_1B(S0,K3) AESE_ROUND_1B(S0,K4) AESE_ROUND_1B(S0,K5) AESE_ROUND_1B(S0,K6) AESE_ROUND_1B(S0,K7) AESE_ROUND_1B(S0,K8) AESE_ROUND_1B(S0,K9) AESE_ROUND_1B(S0,K10) AESE_LAST_ROUND_1B(S0,K11,K12) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes192_encrypt) nettle-4.0/arm64/crypto/aes256-decrypt.asm0000644000000000000000000000647615141166424015247 0ustar00C arm64/crypto/aes256-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-decrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') define(`K13', `v29') define(`K14', `v30') C void C aes256_decrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_aes256_decrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s,K13.4s,K14.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESD_ROUND_4B(S0,S1,S2,S3,K14) AESD_ROUND_4B(S0,S1,S2,S3,K13) AESD_ROUND_4B(S0,S1,S2,S3,K12) AESD_ROUND_4B(S0,S1,S2,S3,K11) AESD_ROUND_4B(S0,S1,S2,S3,K10) AESD_ROUND_4B(S0,S1,S2,S3,K9) AESD_ROUND_4B(S0,S1,S2,S3,K8) AESD_ROUND_4B(S0,S1,S2,S3,K7) AESD_ROUND_4B(S0,S1,S2,S3,K6) AESD_ROUND_4B(S0,S1,S2,S3,K5) AESD_ROUND_4B(S0,S1,S2,S3,K4) AESD_ROUND_4B(S0,S1,S2,S3,K3) AESD_ROUND_4B(S0,S1,S2,S3,K2) AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESD_ROUND_1B(S0,K14) AESD_ROUND_1B(S0,K13) AESD_ROUND_1B(S0,K12) AESD_ROUND_1B(S0,K11) AESD_ROUND_1B(S0,K10) AESD_ROUND_1B(S0,K9) AESD_ROUND_1B(S0,K8) AESD_ROUND_1B(S0,K7) AESD_ROUND_1B(S0,K6) AESD_ROUND_1B(S0,K5) AESD_ROUND_1B(S0,K4) AESD_ROUND_1B(S0,K3) AESD_ROUND_1B(S0,K2) AESD_LAST_ROUND_1B(S0,K1,K0) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes256_decrypt) nettle-4.0/arm64/crypto/aes256-encrypt.asm0000644000000000000000000000647615141166424015261 0ustar00C arm64/crypto/aes256-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-encrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') define(`K13', `v29') define(`K14', `v30') C void C aes256_encrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_aes256_encrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s,K13.4s,K14.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESE_ROUND_4B(S0,S1,S2,S3,K0) AESE_ROUND_4B(S0,S1,S2,S3,K1) AESE_ROUND_4B(S0,S1,S2,S3,K2) AESE_ROUND_4B(S0,S1,S2,S3,K3) AESE_ROUND_4B(S0,S1,S2,S3,K4) AESE_ROUND_4B(S0,S1,S2,S3,K5) AESE_ROUND_4B(S0,S1,S2,S3,K6) AESE_ROUND_4B(S0,S1,S2,S3,K7) AESE_ROUND_4B(S0,S1,S2,S3,K8) AESE_ROUND_4B(S0,S1,S2,S3,K9) AESE_ROUND_4B(S0,S1,S2,S3,K10) AESE_ROUND_4B(S0,S1,S2,S3,K11) AESE_ROUND_4B(S0,S1,S2,S3,K12) AESE_LAST_ROUND_4B(S0,S1,S2,S3,K13,K14) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESE_ROUND_1B(S0,K0) AESE_ROUND_1B(S0,K1) AESE_ROUND_1B(S0,K2) AESE_ROUND_1B(S0,K3) AESE_ROUND_1B(S0,K4) AESE_ROUND_1B(S0,K5) AESE_ROUND_1B(S0,K6) AESE_ROUND_1B(S0,K7) AESE_ROUND_1B(S0,K8) AESE_ROUND_1B(S0,K9) AESE_ROUND_1B(S0,K10) AESE_ROUND_1B(S0,K11) AESE_ROUND_1B(S0,K12) AESE_LAST_ROUND_1B(S0,K13,K14) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes256_encrypt) nettle-4.0/arm64/crypto/ghash-set-key.asm0000644000000000000000000001420315141166425015227 0ustar00C arm64/crypto/ghash-set-key.asm ifelse(` Copyright (C) 2020 Niels Möller and Mamone Tarsha Copyright (C) 2021 Michael Weiser This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ghash-set-key.asm" .arch armv8-a+crypto .text C common SIMD register usage: define(`POLY', `v6') C temporary register that assist the reduction procedure define(`T', `v7') C permenant register that hold the 16-byte result of pmull define(`F', `v16') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`F1', `v17') C permenant register that hold the 16-byte result of pmull define(`R', `v18') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`R1', `v19') C common macros: C long multiply of six 64-bit polynomials and sum C R = (in.l × param2.l) + (in.h × param2.h) C F = (in.l × param3.l) + (in.h × param3.h) C PMUL(in, param1, param2) define(`PMUL', m4_assert_numargs(3)` pmull F.1q,$3.1d,$1.1d pmull2 F1.1q,$3.2d,$1.2d pmull R.1q,$2.1d,$1.1d pmull2 R1.1q,$2.2d,$1.2d eor F.16b,F.16b,F1.16b eor R.16b,R.16b,R1.16b ') C Reduce 'R' and 'F' values to 128-bit output C REDUCTION(out) define(`REDUCTION', m4_assert_numargs(1)` pmull T.1q,F.1d,POLY.1d eor R.16b,R.16b,T.16b ext R.16b,R.16b,R.16b,#8 eor $1.16b,F.16b,R.16b ') C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) C This function populates the gcm table as the following layout C ******************************************************************************* C | H1M = (H1 div x⁶⁴)||((H1 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H1L = (H1 mod x⁶⁴)||(((H1 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H1 div x⁶⁴) | C | | C | H2M = (H2 div x⁶⁴)||((H2 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H2L = (H2 mod x⁶⁴)||(((H2 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H2 div x⁶⁴) | C | | C | H3M = (H3 div x⁶⁴)||((H3 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H3L = (H3 mod x⁶⁴)||(((H3 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H3 div x⁶⁴) | C | | C | H4M = (H3 div x⁶⁴)||((H4 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H4L = (H3 mod x⁶⁴)||(((H4 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H4 div x⁶⁴) | C ******************************************************************************* C Register usage: define(`CTX', `x0') define(`KEY', `x1') define(`EMSB', `v0') define(`B', `v1') define(`H', `v2') define(`H2', `v3') define(`H3', `v4') define(`H4', `v5') define(`Hp', `v20') define(`Hl', `v21') define(`Hm', `v22') define(`H1M', `v23') define(`H1L', `v24') define(`H2M', `v25') define(`H2L', `v26') define(`H3M', `v27') define(`H3L', `v28') define(`H4M', `v29') define(`H4L', `v30') C PMUL_PARAM(in, param1, param2) define(`PMUL_PARAM', m4_assert_numargs(3)` pmull2 Hp.1q,$1.2d,POLY.2d eor Hm.16b,$1.16b,Hp.16b ext $2.16b,Hm.16b,$1.16b,#8 ext $3.16b,$1.16b,Hm.16b,#8 ext $2.16b,$2.16b,$2.16b,#8 ') .text ALIGN(16) PROLOGUE(_nettle_ghash_set_key) ld1 {H.2d},[KEY] C we treat data as big-endian doublewords for processing. Since there is no C endianness-neutral MSB-first load operation we need to restore our desired C byte order on little-endian systems. The same holds true for DATA below C but not our own internal precalculated CTX (see below). IF_LE(` rev64 H.16b,H.16b ') C --- calculate H = H × x mod R(X); R(X) = (x¹²⁸+x¹²⁷+x¹²⁶+x¹²¹+1) --- dup EMSB.16b,H.b[7] mov x1,#0xC200000000000000 mov x2,#1 mov POLY.d[0],x1 mov POLY.d[1],x2 sshr EMSB.16b,EMSB.16b,#7 and EMSB.16b,EMSB.16b,POLY.16b ushr B.2d,H.2d,#63 and B.16b,B.16b,POLY.16b ext B.16b,B.16b,B.16b,#8 shl H.2d,H.2d,#1 orr H.16b,H.16b,B.16b eor H.16b,H.16b,EMSB.16b dup POLY.2d,POLY.d[0] C --- calculate H^2 = H × H --- PMUL_PARAM(H,H1M,H1L) PMUL(H,H1M,H1L) REDUCTION(H2) PMUL_PARAM(H2,H2M,H2L) C we store to the table as doubleword-vectors in current memory endianness C because it's our own strictly internal data structure and what ghash_update C can most naturally use st1 {H1M.2d,H1L.2d,H2M.2d,H2L.2d},[CTX],#64 C --- calculate H^3 = H^1 × H^2 --- PMUL(H2,H1M,H1L) REDUCTION(H3) PMUL_PARAM(H3,H3M,H3L) C --- calculate H^4 = H^2 × H^2 --- PMUL(H2,H2M,H2L) REDUCTION(H4) PMUL_PARAM(H4,H4M,H4L) st1 {H3M.2d,H3L.2d,H4M.2d,H4L.2d},[CTX] ret EPILOGUE(_nettle_ghash_set_key) nettle-4.0/arm64/crypto/ghash-update.asm0000644000000000000000000001117715141166424015136 0ustar00C arm64/crypto/ghash-update.asm ifelse(` Copyright (C) 2020 Niels Möller and Mamone Tarsha Copyright (C) 2021 Michael Weiser This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ghash-update.asm" .arch armv8-a+crypto .text C common SIMD register usage: define(`POLY', `v6') C temporary register that assist the reduction procedure define(`T', `v7') C permenant register that hold the 16-byte result of pmull define(`F', `v16') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`F1', `v17') C permenant register that hold the 16-byte result of pmull define(`R', `v18') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`R1', `v19') C common macros: C long multiply of six 64-bit polynomials and sum C R = (in.l × param2.l) + (in.h × param2.h) C F = (in.l × param3.l) + (in.h × param3.h) C PMUL(in, param1, param2) define(`PMUL', m4_assert_numargs(3)` pmull F.1q,$3.1d,$1.1d pmull2 F1.1q,$3.2d,$1.2d pmull R.1q,$2.1d,$1.1d pmull2 R1.1q,$2.2d,$1.2d eor F.16b,F.16b,F1.16b eor R.16b,R.16b,R1.16b ') C Reduce 'R' and 'F' values to 128-bit output C REDUCTION(out) define(`REDUCTION', m4_assert_numargs(1)` pmull T.1q,F.1d,POLY.1d eor R.16b,R.16b,T.16b ext R.16b,R.16b,R.16b,#8 eor $1.16b,F.16b,R.16b ') C register usage: define(`CTX', `x0') define(`X', `x1') define(`BLOCKS', `x2') define(`DATA', `x3') define(`D', `v0') define(`C0', `v1') define(`C1', `v2') define(`C2', `v3') define(`C3', `v4') define(`R2', `v20') define(`F2', `v21') define(`R3', `v22') define(`F3', `v23') define(`H1M', `v24') define(`H1L', `v25') define(`H2M', `v26') define(`H2L', `v27') define(`H3M', `v28') define(`H3L', `v29') define(`H4M', `v30') define(`H4L', `v31') C PMUL_SUM(in, param1, param2) define(`PMUL_SUM', m4_assert_numargs(3)` pmull F2.1q,$3.1d,$1.1d pmull2 F3.1q,$3.2d,$1.2d pmull R2.1q,$2.1d,$1.1d pmull2 R3.1q,$2.2d,$1.2d eor F2.16b,F2.16b,F3.16b eor R2.16b,R2.16b,R3.16b eor F.16b,F.16b,F2.16b eor R.16b,R.16b,R2.16b ') C const uint8_t *_ghash_update (const struct gcm_key *key, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) .text ALIGN(16) PROLOGUE(_nettle_ghash_update) mov x4,#0xC200000000000000 mov POLY.d[0],x4 ld1 {D.2d},[X] IF_LE(` rev64 D.16b,D.16b ') ands x4,BLOCKS,#-4 b.eq L1_block add x5,CTX,#64 ld1 {H1M.2d,H1L.2d,H2M.2d,H2L.2d},[CTX] ld1 {H3M.2d,H3L.2d,H4M.2d,H4L.2d},[x5] L4_blocks_loop: ld1 {C0.2d,C1.2d,C2.2d,C3.2d},[DATA],#64 IF_LE(` rev64 C0.16b,C0.16b rev64 C1.16b,C1.16b rev64 C2.16b,C2.16b rev64 C3.16b,C3.16b ') eor C0.16b,C0.16b,D.16b PMUL(C1,H3M,H3L) PMUL_SUM(C2,H2M,H2L) PMUL_SUM(C3,H1M,H1L) PMUL_SUM(C0,H4M,H4L) REDUCTION(D) subs x4,x4,#4 b.ne L4_blocks_loop L1_block: ands BLOCKS,BLOCKS,#3 b.eq Lghash_done ld1 {H1M.2d,H1L.2d},[CTX] L1_block_loop: ld1 {C0.2d},[DATA],#16 IF_LE(` rev64 C0.16b,C0.16b ') eor C0.16b,C0.16b,D.16b PMUL(C0,H1M,H1L) REDUCTION(D) subs BLOCKS, BLOCKS, #1 b.ne L1_block_loop Lghash_done: IF_LE(` rev64 D.16b,D.16b ') st1 {D.2d},[X] mov x0, DATA ret EPILOGUE(_nettle_ghash_update) nettle-4.0/arm64/crypto/sha1-compress.asm0000644000000000000000000001617115141166424015250 0ustar00C arm64/crypto/sha1-compress.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C This implementation uses the SHA-1 instructions of Armv8 crypto C extension. C SHA1C: SHA1 hash update (choose) C SHA1H: SHA1 fixed rotate C SHA1M: SHA1 hash update (majority) C SHA1P: SHA1 hash update (parity) C SHA1SU0: SHA1 schedule update 0 C SHA1SU1: SHA1 schedule update 1 .file "sha1-compress.asm" .arch armv8-a+crypto .text C Register usage: define(`STATE', `x0') define(`INPUT', `x1') define(`CONST0', `v0') define(`CONST1', `v1') define(`CONST2', `v2') define(`CONST3', `v3') define(`MSG0', `v4') define(`MSG1', `v5') define(`MSG2', `v6') define(`MSG3', `v7') define(`ABCD', `v16') define(`ABCD_SAVED', `v17') define(`E0', `v18') define(`E0_SAVED', `v19') define(`E1', `v20') define(`TMP', `v21') C void nettle_sha1_compress(uint32_t *state, const uint8_t *input) .text ALIGN(16) PROLOGUE(nettle_sha1_compress) C Initialize constants mov w2,#0x7999 movk w2,#0x5A82,lsl #16 dup CONST0.4s,w2 mov w2,#0xEBA1 movk w2,#0x6ED9,lsl #16 dup CONST1.4s,w2 mov w2,#0xBCDC movk w2,#0x8F1B,lsl #16 dup CONST2.4s,w2 mov w2,#0xC1D6 movk w2,#0xCA62,lsl #16 dup CONST3.4s,w2 C Load state add x2,STATE,#16 movi E0.4s,#0 ld1 {ABCD.4s},[STATE] ld1 {E0.s}[0],[x2] C Save state mov ABCD_SAVED.16b,ABCD.16b mov E0_SAVED.16b,E0.16b C Load message ld1 {MSG0.16b,MSG1.16b,MSG2.16b,MSG3.16b},[INPUT] C Reverse for little endian rev32 MSG0.16b,MSG0.16b rev32 MSG1.16b,MSG1.16b rev32 MSG2.16b,MSG2.16b rev32 MSG3.16b,MSG3.16b C Rounds 0-3 add TMP.4s,MSG0.4s,CONST0.4s sha1h SFP(E1),SFP(ABCD) sha1c QFP(ABCD),SFP(E0),TMP.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 4-7 add TMP.4s,MSG1.4s,CONST0.4s sha1h SFP(E0),SFP(ABCD) sha1c QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 8-11 add TMP.4s,MSG2.4s,CONST0.4s sha1h SFP(E1),SFP(ABCD) sha1c QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 12-15 add TMP.4s,MSG3.4s,CONST0.4s sha1h SFP(E0),SFP(ABCD) sha1c QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 16-19 add TMP.4s,MSG0.4s,CONST0.4s sha1h SFP(E1),SFP(ABCD) sha1c QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 20-23 add TMP.4s,MSG1.4s,CONST1.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 24-27 add TMP.4s,MSG2.4s,CONST1.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 28-31 add TMP.4s,MSG3.4s,CONST1.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 32-35 add TMP.4s,MSG0.4s,CONST1.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 36-39 add TMP.4s,MSG1.4s,CONST1.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 40-43 add TMP.4s,MSG2.4s,CONST2.4s sha1h SFP(E1),SFP(ABCD) sha1m QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 44-47 add TMP.4s,MSG3.4s,CONST2.4s sha1h SFP(E0),SFP(ABCD) sha1m QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 48-51 add TMP.4s,MSG0.4s,CONST2.4s sha1h SFP(E1),SFP(ABCD) sha1m QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 52-55 add TMP.4s,MSG1.4s,CONST2.4s sha1h SFP(E0),SFP(ABCD) sha1m QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 56-59 add TMP.4s,MSG2.4s,CONST2.4s sha1h SFP(E1),SFP(ABCD) sha1m QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 60-63 add TMP.4s,MSG3.4s,CONST3.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 64-67 add TMP.4s,MSG0.4s,CONST3.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 68-71 add TMP.4s,MSG1.4s,CONST3.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s C Rounds 72-75 add TMP.4s,MSG2.4s,CONST3.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s C Rounds 76-79 add TMP.4s,MSG3.4s,CONST3.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s C Combine state add E0.4s,E0.4s,E0_SAVED.4s add ABCD.4s,ABCD.4s,ABCD_SAVED.4s C Store state st1 {ABCD.4s},[STATE] st1 {E0.s}[0],[x2] ret EPILOGUE(nettle_sha1_compress) nettle-4.0/arm64/crypto/sha256-compress-n.asm0000644000000000000000000001654615141166424015665 0ustar00C arm64/crypto/sha256-compress-n.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C This implementation uses the SHA-256 instructions of Armv8 crypto C extension. C SHA256H: SHA256 hash update (part 1) C SHA256H2: SHA256 hash update (part 2) C SHA256SU0: SHA256 schedule update 0 C SHA256SU1: SHA256 schedule update 1 .file "sha256-compress-n.asm" .arch armv8-a+crypto .text C Register usage: define(`STATE', `x0') define(`K', `x1') define(`BLOCKS', `x2') define(`INPUT', `x3') define(`MSG0', `v0') define(`MSG1', `v1') define(`MSG2', `v2') define(`MSG3', `v3') define(`STATE0', `v4') define(`STATE1', `v5') define(`CONST', `v6') define(`TMP', `v7') define(`STATE0_SAVED', `v16') define(`STATE1_SAVED', `v17') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) .text ALIGN(16) PROLOGUE(_nettle_sha256_compress_n) cbz BLOCKS, .Lend C Load state ld1 {STATE0.4s,STATE1.4s},[STATE] .Loop: C Save state mov STATE0_SAVED.16b,STATE0.16b mov STATE1_SAVED.16b,STATE1.16b C Load message ld1 {MSG0.16b,MSG1.16b,MSG2.16b,MSG3.16b},[INPUT],#64 C Reverse for little endian rev32 MSG0.16b,MSG0.16b rev32 MSG1.16b,MSG1.16b rev32 MSG2.16b,MSG2.16b rev32 MSG3.16b,MSG3.16b C Rounds 0-3 ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256su0 MSG0.4s,MSG1.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(STATE0_SAVED),CONST.4s sha256su1 MSG0.4s,MSG2.4s,MSG3.4s C Rounds 4-7 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256su0 MSG1.4s,MSG2.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG1.4s,MSG3.4s,MSG0.4s C Rounds 8-11 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256su0 MSG2.4s,MSG3.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG2.4s,MSG0.4s,MSG1.4s C Rounds 12-15 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG3.4s,CONST.4s sha256su0 MSG3.4s,MSG0.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG3.4s,MSG1.4s,MSG2.4s C Rounds 16-19 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256su0 MSG0.4s,MSG1.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG0.4s,MSG2.4s,MSG3.4s C Rounds 20-23 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256su0 MSG1.4s,MSG2.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG1.4s,MSG3.4s,MSG0.4s C Rounds 24-27 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256su0 MSG2.4s,MSG3.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG2.4s,MSG0.4s,MSG1.4s C Rounds 28-31 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG3.4s,CONST.4s sha256su0 MSG3.4s,MSG0.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG3.4s,MSG1.4s,MSG2.4s C Rounds 32-35 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256su0 MSG0.4s,MSG1.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG0.4s,MSG2.4s,MSG3.4s C Rounds 36-39 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256su0 MSG1.4s,MSG2.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG1.4s,MSG3.4s,MSG0.4s C Rounds 40-43 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256su0 MSG2.4s,MSG3.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG2.4s,MSG0.4s,MSG1.4s C Rounds 44-47 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG3.4s,CONST.4s sha256su0 MSG3.4s,MSG0.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG3.4s,MSG1.4s,MSG2.4s C Rounds 48-51 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Rounds 52-55 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Rounds 56-59 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Rounds 60-63 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K] add CONST.4s,MSG3.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Combine state add STATE0.4s,STATE0.4s,STATE0_SAVED.4s add STATE1.4s,STATE1.4s,STATE1_SAVED.4s subs BLOCKS, BLOCKS, #1 sub K, K, #240 b.ne .Loop C Store state st1 {STATE0.4s,STATE1.4s},[STATE] .Lend: mov x0, INPUT ret EPILOGUE(_nettle_sha256_compress_n) nettle-4.0/arm64/fat/0000755000000000000000000000000015141166425011306 5ustar00nettle-4.0/arm64/fat/aes128-decrypt-2.asm0000644000000000000000000000224315141166425014623 0ustar00C arm64/fat/aes128-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_decrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes128-decrypt.asm') nettle-4.0/arm64/fat/aes128-encrypt-2.asm0000644000000000000000000000224315141166425014635 0ustar00C arm64/fat/aes128-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes128-encrypt.asm') nettle-4.0/arm64/fat/aes192-decrypt-2.asm0000644000000000000000000000224315141166425014624 0ustar00C arm64/fat/aes192-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_decrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes192-decrypt.asm') nettle-4.0/arm64/fat/aes192-encrypt-2.asm0000644000000000000000000000224315141166425014636 0ustar00C arm64/fat/aes192-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes192-encrypt.asm') nettle-4.0/arm64/fat/aes256-decrypt-2.asm0000644000000000000000000000224315141166425014625 0ustar00C arm64/fat/aes256-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_decrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes256-decrypt.asm') nettle-4.0/arm64/fat/aes256-encrypt-2.asm0000644000000000000000000000224315141166425014637 0ustar00C arm64/fat/aes256-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes256-encrypt.asm') nettle-4.0/arm64/fat/ghash-set-key-2.asm0000644000000000000000000000224415141166425014622 0ustar00C arm64/fat/ghash-set-key.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_arm64') include_src(`arm64/crypto/ghash-set-key.asm') nettle-4.0/arm64/fat/ghash-update-2.asm0000644000000000000000000000224115141166425014520 0ustar00C arm64/fat/ghash-update.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_arm64') include_src(`arm64/crypto/ghash-update.asm') nettle-4.0/arm64/fat/sha1-compress-2.asm0000644000000000000000000000224315141166425014635 0ustar00C arm64/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_sha1_compress) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/sha1-compress.asm') nettle-4.0/arm64/fat/sha256-compress-n-2.asm0000644000000000000000000000225715141166425015251 0ustar00C arm64/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_arm64') include_src(`arm64/crypto/sha256-compress-n.asm') nettle-4.0/arm64/machine.m40000644000000000000000000000400015141166424012373 0ustar00C Get 32-bit floating-point register from vector register C SFP(VR) define(`SFP',``s'substr($1,1,len($1))') C Get 128-bit floating-point register from vector register C QFP(VR) define(`QFP',``q'substr($1,1,len($1))') C AES encryption round of 1-block C AESE_ROUND_1B(BLOCK, KEY) define(`AESE_ROUND_1B', m4_assert_numargs(2)` aese $1.16b,$2.16b aesmc $1.16b,$1.16b ') C AES last encryption round of 1-block C AESE_LAST_ROUND_1B(BLOCK, KEY0, KEY1) define(`AESE_LAST_ROUND_1B', m4_assert_numargs(3)` aese $1.16b,$2.16b eor $1.16b,$1.16b,$3.16b ') C AES decryption round of 1-block C AESD_ROUND_1B(BLOCK, KEY) define(`AESD_ROUND_1B', m4_assert_numargs(2)` aesd $1.16b,$2.16b aesimc $1.16b,$1.16b ') C AES last decryption round of 1-block C AESD_LAST_ROUND_1B(BLOCK, KEY0, KEY1) define(`AESD_LAST_ROUND_1B', m4_assert_numargs(3)` aesd $1.16b,$2.16b eor $1.16b,$1.16b,$3.16b ') C AES encryption round of 4-blocks C AESE_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY) define(`AESE_ROUND_4B', m4_assert_numargs(5)` AESE_ROUND_1B($1,$5) AESE_ROUND_1B($2,$5) AESE_ROUND_1B($3,$5) AESE_ROUND_1B($4,$5) ') C AES last encryption round of 4-blocks C AESE_LAST_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY0, KEY1) define(`AESE_LAST_ROUND_4B', m4_assert_numargs(6)` AESE_LAST_ROUND_1B($1,$5,$6) AESE_LAST_ROUND_1B($2,$5,$6) AESE_LAST_ROUND_1B($3,$5,$6) AESE_LAST_ROUND_1B($4,$5,$6) ') C AES decryption round of 4-blocks C AESD_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY) define(`AESD_ROUND_4B', m4_assert_numargs(5)` AESD_ROUND_1B($1,$5) AESD_ROUND_1B($2,$5) AESD_ROUND_1B($3,$5) AESD_ROUND_1B($4,$5) ') C AES last decryption round of 4-blocks C AESD_LAST_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY0, KEY1) define(`AESD_LAST_ROUND_4B', m4_assert_numargs(6)` AESD_LAST_ROUND_1B($1,$5,$6) AESD_LAST_ROUND_1B($2,$5,$6) AESD_LAST_ROUND_1B($3,$5,$6) AESD_LAST_ROUND_1B($4,$5,$6) ') nettle-4.0/asm.m40000644000000000000000000000406615141166424010632 0ustar00divert(-1) dnl FORTRAN style comment character define(`C', ` dnl')dnl dnl Disable m4 comment processing, since the default, #, is used for dnl constants on some architectures, in particular ARM. changecom()dnl dnl Including files from the srcdir define(`include_src', `include(srcdir/$1)')dnl dnl default definition, changed in fat builds define(`fat_transform', `$1') define(`C_NAME', `SYMBOL_PREFIX`'fat_transform($1)') dnl Pseudo ops define(`DECLARE_FUNC', `ifelse(ELF_STYLE,yes, `.type $1,TYPE_FUNCTION', COFF_STYLE, yes, `.def $1 .scl 2 .type 32 .endef', `')') define(`GMP_NUMB_BITS',`')dnl define(`PROLOGUE', `.globl C_NAME($1) DECLARE_FUNC(C_NAME($1)) C_NAME($1): ASM_X86_ENDBR') define(`EPILOGUE', `ifelse(ELF_STYLE,yes, `.size C_NAME($1), . - C_NAME($1)',`')') define(`m4_log2', `m4_log2_internal($1,1,0)') define(`m4_log2_internal', `ifelse($3, 10, `not-a-power-of-two', $1, $2, $3, `m4_log2_internal($1, eval(2*$2), eval(1 + $3))')') dnl Argument to ALIGN is always in bytes, and converted to a dnl logarithmic .align if necessary. define(`ALIGN', `.align ifelse(ALIGN_LOG,yes,`m4_log2($1)',$1) ') define(`IF_BE', `ifelse( WORDS_BIGENDIAN,yes,`$1', WORDS_BIGENDIAN,no,`$2', `errprint(`Unsupported endianness value',WORDS_BIGENDIAN,` ') m4exit(1)')') define(`IF_LE', `IF_BE(`$2', `$1')') dnl Struct defining macros dnl STRUCTURE(prefix) define(`STRUCTURE', `define(`SOFFSET', 0)define(`SPREFIX', `$1')')dnl dnl STRUCT(name, size) define(`STRUCT', `define(SPREFIX`_'$1, SOFFSET)dnl define(`SOFFSET', eval(SOFFSET + ($2)))')dnl dnl UCHAR(name) define(`UCHAR', `STRUCT(`$1', 1)')dnl dnl UNSIGNED(name) define(`UNSIGNED', `STRUCT(`$1', 4)')dnl dnl Offsets in aes_table define(AES_SBOX_SIZE, 256)dnl define(AES_TABLE_SIZE, 1024)dnl STRUCTURE(AES) STRUCT(SBOX, AES_SBOX_SIZE) STRUCT(TABLE0, AES_TABLE_SIZE) STRUCT(TABLE1, AES_TABLE_SIZE) STRUCT(TABLE2, AES_TABLE_SIZE) STRUCT(TABLE3, AES_TABLE_SIZE) C For 64-bit implementation STRUCTURE(P1305) STRUCT(R0, 8) STRUCT(R1, 8) STRUCT(S0, 8) STRUCT(S1, 8) STRUCT(H0, 8) STRUCT(H1, 8) STRUCT(H2, 8) divert nettle-4.0/asn1.h0000644000000000000000000001017115141166424010615 0ustar00/* asn1.h Limited support for ASN.1 DER decoding. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ASN1_H_INCLUDED #define NETTLE_ASN1_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define asn1_der_iterator_first nettle_asn1_der_iterator_first #define asn1_der_iterator_next nettle_asn1_der_iterator_next #define asn1_der_decode_constructed nettle_asn1_der_decode_constructed #define asn1_der_decode_constructed_last nettle_asn1_der_decode_constructed_last #define asn1_der_decode_bitstring nettle_asn1_der_decode_bitstring #define asn1_der_decode_bitstring_last nettle_asn1_der_decode_bitstring_last #define asn1_der_get_uint32 nettle_asn1_der_get_uint32 #define asn1_der_get_bignum nettle_asn1_der_get_bignum /* enum asn1_type keeps the class number and the constructive in bits 13-14, and the constructive flag in bit 12. The remaining 14 bits are the tag (although currently, only tags in the range 0-30 are supported). */ enum { ASN1_TYPE_CONSTRUCTED = 1 << 12, ASN1_CLASS_UNIVERSAL = 0, ASN1_CLASS_APPLICATION = 1 << 13, ASN1_CLASS_CONTEXT_SPECIFIC = 2 << 13, ASN1_CLASS_PRIVATE = 3 << 13, ASN1_CLASS_MASK = 3 << 13, ASN1_CLASS_SHIFT = 13, }; enum asn1_type { ASN1_BOOLEAN = 1, ASN1_INTEGER = 2, ASN1_BITSTRING = 3, ASN1_OCTETSTRING = 4, ASN1_NULL = 5, ASN1_IDENTIFIER = 6, ASN1_REAL = 9, ASN1_ENUMERATED = 10, ASN1_UTF8STRING = 12, ASN1_SEQUENCE = 16 | ASN1_TYPE_CONSTRUCTED, ASN1_SET = 17 | ASN1_TYPE_CONSTRUCTED, ASN1_PRINTABLESTRING = 19, ASN1_TELETEXSTRING = 20, ASN1_IA5STRING = 22, ASN1_UTC = 23, ASN1_UNIVERSALSTRING = 28, ASN1_BMPSTRING = 30, }; enum asn1_iterator_result { ASN1_ITERATOR_ERROR, ASN1_ITERATOR_PRIMITIVE, ASN1_ITERATOR_CONSTRUCTED, ASN1_ITERATOR_END, }; /* Parsing DER objects. */ struct asn1_der_iterator { size_t buffer_length; const uint8_t *buffer; /* Next object to parse. */ size_t pos; enum asn1_type type; /* Pointer to the current object */ size_t length; const uint8_t *data; }; /* Initializes the iterator. */ enum asn1_iterator_result asn1_der_iterator_first(struct asn1_der_iterator *iterator, size_t length, const uint8_t *input); enum asn1_iterator_result asn1_der_iterator_next(struct asn1_der_iterator *iterator); /* Starts parsing of a constructed object. */ enum asn1_iterator_result asn1_der_decode_constructed(struct asn1_der_iterator *i, struct asn1_der_iterator *contents); /* For the common case that we have a sequence at the end of the object. Checks that the current object is the final one, and then reinitializes the iterator to parse its ontents. */ enum asn1_iterator_result asn1_der_decode_constructed_last(struct asn1_der_iterator *i); enum asn1_iterator_result asn1_der_decode_bitstring(struct asn1_der_iterator *i, struct asn1_der_iterator *contents); enum asn1_iterator_result asn1_der_decode_bitstring_last(struct asn1_der_iterator *i); /* All these functions return 1 on success, 0 on failure */ int asn1_der_get_uint32(struct asn1_der_iterator *i, uint32_t *x); #ifdef __cplusplus } #endif #endif /* NETTLE_ASN1_H_INCLUDED */ nettle-4.0/balloon-sha1.c0000644000000000000000000000317615141166423012234 0ustar00/* balloon-sha1.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha1.h" void balloon_sha1(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha1_ctx ctx; sha1_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha1_update, (nettle_hash_digest_func*)sha1_digest, SHA1_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-4.0/balloon-sha256.c0000644000000000000000000000322215141166423012400 0ustar00/* balloon-sha256.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha2.h" void balloon_sha256(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha256_ctx ctx; sha256_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha256_update, (nettle_hash_digest_func*)sha256_digest, SHA256_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-4.0/balloon-sha384.c0000644000000000000000000000322215141166423012402 0ustar00/* balloon-sha384.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha2.h" void balloon_sha384(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha384_ctx ctx; sha384_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha384_update, (nettle_hash_digest_func*)sha384_digest, SHA384_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-4.0/balloon-sha512.c0000644000000000000000000000322215141166423012373 0ustar00/* balloon-sha512.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha2.h" void balloon_sha512(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha512_ctx ctx; sha512_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha512_update, (nettle_hash_digest_func*)sha512_digest, SHA512_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-4.0/balloon.c0000644000000000000000000000771515141166423011405 0ustar00/* balloon.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* For a description of the algorithm, see: * Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: * A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. * Retrieved Sep 1, 2022, from https://eprint.iacr.org/2016/027.pdf */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "balloon.h" #include "macros.h" #define DELTA 3 static void hash(void *ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, uint64_t cnt, size_t a_len, const uint8_t *a, size_t b_len, const uint8_t *b, uint8_t *dst) { uint8_t tmp[8]; LE_WRITE_UINT64(tmp, cnt); update(ctx, sizeof(tmp), tmp); if (a && a_len) update(ctx, a_len, a); if (b && b_len) update(ctx, b_len, b); digest(ctx, dst); } static void hash_ints(void *ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, uint64_t i, uint64_t j, uint64_t k, uint8_t *dst) { uint8_t tmp[24]; LE_WRITE_UINT64(tmp, i); LE_WRITE_UINT64(tmp + 8, j); LE_WRITE_UINT64(tmp + 16, k); update(ctx, sizeof(tmp), tmp); digest(ctx, dst); } /* Takes length bytes long big number stored * in little endian format and computes modulus */ static size_t block_to_int(size_t length, const uint8_t *block, size_t mod) { size_t i = length, r = 0; while (i--) { r = (r << 8) + block[i]; r %= mod; } return r; } void balloon(void *hash_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { const size_t BS = digest_size; uint8_t *block = scratch; uint8_t *buf = scratch + BS; size_t i, j, k, cnt = 0; hash(hash_ctx, update, digest, cnt++, passwd_length, passwd, salt_length, salt, buf); for (i = 1; i < s_cost; ++i) hash(hash_ctx, update, digest, cnt++, BS, buf + (i - 1) * BS, 0, NULL, buf + i * BS); for (i = 0; i < t_cost; ++i) { for (j = 0; j < s_cost; ++j) { hash(hash_ctx, update, digest, cnt++, BS, buf + (j ? j - 1 : s_cost - 1) * BS, BS, buf + j * BS, buf + j * BS); for (k = 0; k < DELTA; ++k) { hash_ints(hash_ctx, update, digest, i, j, k, block); hash(hash_ctx, update, digest, cnt++, salt_length, salt, BS, block, block); hash(hash_ctx, update, digest, cnt++, BS, buf + j * BS, BS, buf + block_to_int(BS, block, s_cost) * BS, buf + j * BS); } } } memcpy(dst, buf + (s_cost - 1) * BS, BS); } size_t balloon_itch(size_t digest_size, size_t s_cost) { return (s_cost + 1) * digest_size; } nettle-4.0/balloon.h0000644000000000000000000000577715141166424011421 0ustar00/* balloon.h Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* For a description of the algorithm, see: * Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: * A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. * Retrieved Sep 1, 2022, from https://eprint.iacr.org/2016/027.pdf */ #ifndef NETTLE_BALLOON_H_INCLUDED #define NETTLE_BALLOON_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define balloon nettle_balloon #define balloon_itch nettle_balloon_itch #define balloon_sha1 nettle_balloon_sha1 #define balloon_sha256 nettle_balloon_sha256 #define balloon_sha384 nettle_balloon_sha384 #define balloon_sha512 nettle_balloon_sha512 void balloon(void *hash_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); size_t balloon_itch(size_t digest_size, size_t s_cost); void balloon_sha1(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); void balloon_sha256(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); void balloon_sha384(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); void balloon_sha512(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_BALLOON_H_INCLUDED */ nettle-4.0/base16-decode.c0000644000000000000000000000563515141166423012260 0ustar00/* base16-encode.c Hex decoding. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base16.h" void base16_decode_init(struct base16_decode_ctx *ctx) { ctx->word = ctx->bits = 0; } enum { HEX_INVALID = -1, HEX_SPACE=-2 }; static const signed char hex_decode_table[0x80] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base16_decode_single(struct base16_decode_ctx *ctx, uint8_t *dst, char src) { size_t dst_length = 1; return base16_decode_update (ctx, &dst_length, dst, 1, &src) ? dst_length : -1; } int base16_decode_update(struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src) { size_t done; size_t i; for (i = done = 0; i= 0x80) return 0; int digit = hex_decode_table[usrc]; if (digit == HEX_SPACE) continue; if (digit < 0 || done >= *dst_length) return 0; assert(digit < 0x10); if (ctx->bits) { dst[done++] = (ctx->word << 4) | digit; ctx->bits = 0; } else { ctx->word = digit; ctx->bits = 4; } } assert(done <= BASE16_DECODE_LENGTH(src_length)); *dst_length = done; return 1; } int base16_decode_final(struct base16_decode_ctx *ctx) { return ctx->bits == 0; } nettle-4.0/base16-encode.c0000644000000000000000000000315715141166423012267 0ustar00/* base16-encode.c Hex encoding. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base16.h" static const uint8_t hex_digits[16] = "0123456789abcdef"; #define DIGIT(x) (hex_digits[(x) & 0xf]) /* Encodes a single byte. Always stores two digits in dst[0] and dst[1]. */ void base16_encode_single(char *dst, uint8_t src) { dst[0] = DIGIT(src/0x10); dst[1] = DIGIT(src); } /* Always stores BASE16_ENCODE_LENGTH(length) digits in dst. */ void base16_encode_update(char *dst, size_t length, const uint8_t *src) { size_t i; for (i = 0; i #include #include "base64.h" #define TABLE_INVALID -1 #define TABLE_SPACE -2 #define TABLE_END -3 void base64_decode_init(struct base64_decode_ctx *ctx) { static const signed char base64_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -3, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; ctx->word = ctx->bits = ctx->padding = 0; ctx->table = base64_decode_table; } int base64_decode_single(struct base64_decode_ctx *ctx, uint8_t *dst, char src) { size_t dst_length = 1; return base64_decode_update (ctx, &dst_length, dst, 1, &src) ? dst_length : -1; } int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src) { size_t done; size_t i; for (i = done = 0; itable[(uint8_t) src[i]]; switch (data) { default: assert(data >= 0 && data < 0x40); if (ctx->padding || (done >= *dst_length)) return 0; ctx->word = ctx->word << 6 | data; ctx->bits += 6; if (ctx->bits >= 8) { ctx->bits -= 8; dst[done++] = ctx->word >> ctx->bits; } break; case TABLE_INVALID: return 0; case TABLE_SPACE: continue; case TABLE_END: /* There can be at most two padding characters. */ if (!ctx->bits || ctx->padding > 2) return 0; if (ctx->word & ( (1<bits) - 1)) /* We shouldn't have any leftover bits */ return 0; ctx->padding++; ctx->bits -= 2; break; } } assert(done <= BASE64_DECODE_LENGTH(src_length)); *dst_length = done; return 1; } int base64_decode_final(struct base64_decode_ctx *ctx) { return ctx->bits == 0; } nettle-4.0/base64-encode.c0000644000000000000000000001020315141166423012260 0ustar00/* base64-encode.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base64.h" #define ENCODE(alphabet,x) ((alphabet)[0x3F & (x)]) static void encode_raw(const char *alphabet, char *dst, size_t length, const uint8_t *src) { const uint8_t *in = src + length; char *out = dst + BASE64_ENCODE_RAW_LENGTH(length); unsigned left_over = length % 3; if (left_over) { in -= left_over; *--out = '='; switch(left_over) { case 1: *--out = '='; *--out = ENCODE(alphabet, (in[0] << 4)); break; case 2: *--out = ENCODE(alphabet, (in[1] << 2)); *--out = ENCODE(alphabet, ((in[0] << 4) | (in[1] >> 4))); break; default: abort(); } *--out = ENCODE(alphabet, (in[0] >> 2)); } while (in > src) { in -= 3; *--out = ENCODE(alphabet, (in[2])); *--out = ENCODE(alphabet, ((in[1] << 2) | (in[2] >> 6))); *--out = ENCODE(alphabet, ((in[0] << 4) | (in[1] >> 4))); *--out = ENCODE(alphabet, (in[0] >> 2)); } assert(in == src); assert(out == dst); } static const char base64_encode_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789+/"; void base64_encode_raw(char *dst, size_t length, const uint8_t *src) { encode_raw(base64_encode_table, dst, length, src); } void base64_encode_init(struct base64_encode_ctx *ctx) { ctx->word = ctx->bits = 0; ctx->alphabet = base64_encode_table; } /* Encodes a single byte. */ size_t base64_encode_single(struct base64_encode_ctx *ctx, char *dst, uint8_t src) { unsigned done = 0; unsigned word = ctx->word << 8 | src; unsigned bits = ctx->bits + 8; while (bits >= 6) { bits -= 6; dst[done++] = ENCODE(ctx->alphabet, (word >> bits)); } ctx->bits = bits; ctx->word = word; assert(done <= 2); return done; } /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src) { size_t done = 0; size_t left = length; unsigned left_over; size_t bulk; while (ctx->bits && left) { left--; done += base64_encode_single(ctx, dst + done, *src++); } left_over = left % 3; bulk = left - left_over; if (bulk) { assert(!(bulk % 3)); encode_raw(ctx->alphabet, dst + done, bulk, src); done += BASE64_ENCODE_RAW_LENGTH(bulk); src += bulk; left = left_over; } while (left) { left--; done += base64_encode_single(ctx, dst + done, *src++); } assert(done <= BASE64_ENCODE_LENGTH(length)); return done; } /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_SIZE */ size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst) { unsigned done = 0; unsigned bits = ctx->bits; if (bits) { dst[done++] = ENCODE(ctx->alphabet, (ctx->word << (6 - ctx->bits))); for (; bits < 6; bits += 2) dst[done++] = '='; ctx->bits = 0; } assert(done <= BASE64_ENCODE_FINAL_LENGTH); return done; } nettle-4.0/base64.h0000644000000000000000000001233315141166424011041 0ustar00/* base64.h Base-64 encoding and decoding. Copyright (C) 2002 Niels Möller, Dan Egnor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BASE64_H_INCLUDED #define NETTLE_BASE64_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define base64_encode_init nettle_base64_encode_init #define base64url_encode_init nettle_base64url_encode_init #define base64_encode_single nettle_base64_encode_single #define base64_encode_update nettle_base64_encode_update #define base64_encode_final nettle_base64_encode_final #define base64_encode_raw nettle_base64_encode_raw #define base64_decode_init nettle_base64_decode_init #define base64url_decode_init nettle_base64url_decode_init #define base64_decode_single nettle_base64_decode_single #define base64_decode_update nettle_base64_decode_update #define base64_decode_final nettle_base64_decode_final #define BASE64_BINARY_BLOCK_SIZE 3 #define BASE64_TEXT_BLOCK_SIZE 4 /* Base64 encoding */ /* Maximum length of output for base64_encode_update. NOTE: Doesn't * include any padding that base64_encode_final may add. */ /* We have at most 4 buffered bits, and a total of (4 + length * 8) bits. */ #define BASE64_ENCODE_LENGTH(length) (((length) * 8 + 4)/6) /* Maximum length of output generated by base64_encode_final. */ #define BASE64_ENCODE_FINAL_LENGTH 3 /* Exact length of output generated by base64_encode_raw, including * padding. */ #define BASE64_ENCODE_RAW_LENGTH(length) ((((length) + 2)/3)*4) struct base64_encode_ctx { const char *alphabet; /* Alphabet to use for encoding */ unsigned short word; /* Leftover bits */ unsigned char bits; /* Number of bits, always 0, 2, or 4. */ }; /* Initialize encoding context for base-64 */ void base64_encode_init(struct base64_encode_ctx *ctx); /* Initialize encoding context for URL safe alphabet, RFC 4648. */ void base64url_encode_init(struct base64_encode_ctx *ctx); /* Encodes a single byte. Returns amount of output (always 1 or 2). */ size_t base64_encode_single(struct base64_encode_ctx *ctx, char *dst, uint8_t src); /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src); /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_LENGTH */ size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst); /* Lower level functions */ /* Encodes a string in one go, including any padding at the end. * Generates exactly BASE64_ENCODE_RAW_LENGTH(length) bytes of output. * Supports overlapped operation, if src <= dst. FIXME: Use of overlap * is deprecated, if needed there should be a separate public function * to do that.*/ void base64_encode_raw(char *dst, size_t length, const uint8_t *src); /* Base64 decoding */ /* Maximum length of output for base64_decode_update. */ /* We have at most 6 buffered bits, and a total of (length + 1) * 6 bits. */ #define BASE64_DECODE_LENGTH(length) ((((length) + 1) * 6) / 8) struct base64_decode_ctx { const signed char *table; /* Decoding table */ unsigned short word; /* Leftover bits */ unsigned char bits; /* Number buffered bits */ /* Number of padding characters encountered */ unsigned char padding; }; /* Initialize decoding context for base-64 */ void base64_decode_init(struct base64_decode_ctx *ctx); /* Initialize encoding context for URL safe alphabet, RFC 4648. */ void base64url_decode_init(struct base64_decode_ctx *ctx); /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base64_decode_single(struct base64_decode_ctx *ctx, uint8_t *dst, char src); /* Returns 1 on success, 0 on error. DST should point to an area of * size *DST_LENGTH. Decoding returns failure it output would exceed * this size. BASE64_DECODE_LENGTH(length) is always sufficient. * *DST_LENGTH is updated to reflect the amount of data actually * generated. */ int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src); /* Returns 1 on success. */ int base64_decode_final(struct base64_decode_ctx *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_BASE64_H_INCLUDED */ nettle-4.0/base64url-decode.c0000644000000000000000000000470415141166423013002 0ustar00/* base64url-decode.c Copyright (C) 2015 Amos Jeffries, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base64.h" void base64url_decode_init(struct base64_decode_ctx *ctx) { static const signed char base64url_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -3, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; ctx->word = ctx->bits = ctx->padding = 0; ctx->table = base64url_decode_table; } nettle-4.0/base64url-encode.c0000644000000000000000000000254115141166423013011 0ustar00/* base64url-encode.c Copyright (C) 2015 Amos Jeffries, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base64.h" void base64url_encode_init(struct base64_encode_ctx *ctx) { static const char base64url_encode_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789-_"; ctx->word = ctx->bits = 0; ctx->alphabet = base64url_encode_table; } nettle-4.0/bignum-random-prime.c0000644000000000000000000003540315141166424013624 0ustar00/* bignum-random-prime.c Generation of random provable primes. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef RANDOM_PRIME_VERBOSE #define RANDOM_PRIME_VERBOSE 0 #endif #include #include #if RANDOM_PRIME_VERBOSE #include #define VERBOSE(x) (fputs((x), stderr)) #else #define VERBOSE(x) #endif #include "bignum.h" #include "hogweed-internal.h" #include "macros.h" /* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers of up to 20 bits. */ #define NPRIMES 171 #define TRIAL_DIV_BITS 20 #define TRIAL_DIV_MASK ((1 << TRIAL_DIV_BITS) - 1) /* A 20-bit number x is divisible by p iff ((x * inverse) & TRIAL_DIV_MASK) <= limit */ struct trial_div_info { uint32_t inverse; /* p^{-1} (mod 2^20) */ uint32_t limit; /* floor( (2^20 - 1) / p) */ }; static const uint16_t primes[NPRIMES] = { 3,5,7,11,13,17,19,23, 29,31,37,41,43,47,53,59, 61,67,71,73,79,83,89,97, 101,103,107,109,113,127,131,137, 139,149,151,157,163,167,173,179, 181,191,193,197,199,211,223,227, 229,233,239,241,251,257,263,269, 271,277,281,283,293,307,311,313, 317,331,337,347,349,353,359,367, 373,379,383,389,397,401,409,419, 421,431,433,439,443,449,457,461, 463,467,479,487,491,499,503,509, 521,523,541,547,557,563,569,571, 577,587,593,599,601,607,613,617, 619,631,641,643,647,653,659,661, 673,677,683,691,701,709,719,727, 733,739,743,751,757,761,769,773, 787,797,809,811,821,823,827,829, 839,853,857,859,863,877,881,883, 887,907,911,919,929,937,941,947, 953,967,971,977,983,991,997,1009, 1013,1019,1021, }; static const uint32_t prime_square[NPRIMES+1] = { 9,25,49,121,169,289,361,529, 841,961,1369,1681,1849,2209,2809,3481, 3721,4489,5041,5329,6241,6889,7921,9409, 10201,10609,11449,11881,12769,16129,17161,18769, 19321,22201,22801,24649,26569,27889,29929,32041, 32761,36481,37249,38809,39601,44521,49729,51529, 52441,54289,57121,58081,63001,66049,69169,72361, 73441,76729,78961,80089,85849,94249,96721,97969, 100489,109561,113569,120409,121801,124609,128881,134689, 139129,143641,146689,151321,157609,160801,167281,175561, 177241,185761,187489,192721,196249,201601,208849,212521, 214369,218089,229441,237169,241081,249001,253009,259081, 271441,273529,292681,299209,310249,316969,323761,326041, 332929,344569,351649,358801,361201,368449,375769,380689, 383161,398161,410881,413449,418609,426409,434281,436921, 452929,458329,466489,477481,491401,502681,516961,528529, 537289,546121,552049,564001,573049,579121,591361,597529, 619369,635209,654481,657721,674041,677329,683929,687241, 703921,727609,734449,737881,744769,769129,776161,779689, 786769,822649,829921,844561,863041,877969,885481,896809, 908209,935089,942841,954529,966289,982081,994009,1018081, 1026169,1038361,1042441,1L<<20 }; static const struct trial_div_info trial_div_table[NPRIMES] = { {699051,349525},{838861,209715},{748983,149796},{953251,95325}, {806597,80659},{61681,61680},{772635,55188},{866215,45590}, {180789,36157},{1014751,33825},{793517,28339},{1023001,25575}, {48771,24385},{870095,22310},{217629,19784},{710899,17772}, {825109,17189},{281707,15650},{502135,14768},{258553,14364}, {464559,13273},{934875,12633},{1001449,11781},{172961,10810}, {176493,10381},{203607,10180},{568387,9799},{788837,9619}, {770193,9279},{1032063,8256},{544299,8004},{619961,7653}, {550691,7543},{182973,7037},{229159,6944},{427445,6678}, {701195,6432},{370455,6278},{90917,6061},{175739,5857}, {585117,5793},{225087,5489},{298817,5433},{228877,5322}, {442615,5269},{546651,4969},{244511,4702},{83147,4619}, {769261,4578},{841561,4500},{732687,4387},{978961,4350}, {133683,4177},{65281,4080},{629943,3986},{374213,3898}, {708079,3869},{280125,3785},{641833,3731},{618771,3705}, {930477,3578},{778747,3415},{623751,3371},{40201,3350}, {122389,3307},{950371,3167},{1042353,3111},{18131,3021}, {285429,3004},{549537,2970},{166487,2920},{294287,2857}, {919261,2811},{636339,2766},{900735,2737},{118605,2695}, {10565,2641},{188273,2614},{115369,2563},{735755,2502}, {458285,2490},{914767,2432},{370513,2421},{1027079,2388}, {629619,2366},{462401,2335},{649337,2294},{316165,2274}, {484655,2264},{65115,2245},{326175,2189},{1016279,2153}, {990915,2135},{556859,2101},{462791,2084},{844629,2060}, {404537,2012},{457123,2004},{577589,1938},{638347,1916}, {892325,1882},{182523,1862},{1002505,1842},{624371,1836}, {69057,1817},{210787,1786},{558769,1768},{395623,1750}, {992745,1744},{317855,1727},{384877,1710},{372185,1699}, {105027,1693},{423751,1661},{408961,1635},{908331,1630}, {74551,1620},{36933,1605},{617371,1591},{506045,1586}, {24929,1558},{529709,1548},{1042435,1535},{31867,1517}, {166037,1495},{928781,1478},{508975,1458},{4327,1442}, {779637,1430},{742091,1418},{258263,1411},{879631,1396}, {72029,1385},{728905,1377},{589057,1363},{348621,1356}, {671515,1332},{710453,1315},{84249,1296},{959363,1292}, {685853,1277},{467591,1274},{646643,1267},{683029,1264}, {439927,1249},{254461,1229},{660713,1223},{554195,1220}, {202911,1215},{753253,1195},{941457,1190},{776635,1187}, {509511,1182},{986147,1156},{768879,1151},{699431,1140}, {696417,1128},{86169,1119},{808997,1114},{25467,1107}, {201353,1100},{708087,1084},{1018339,1079},{341297,1073}, {434151,1066},{96287,1058},{950765,1051},{298257,1039}, {675933,1035},{167731,1029},{815445,1027}, }; /* Element j gives the index of the first prime of size 3+j bits */ static uint8_t prime_by_size[9] = { 1,3,5,10,17,30,53,96,171 }; /* Combined Miller-Rabin test to the base a, and checking the conditions from Pocklington's theorem, nm1dq holds (n-1)/q, with q prime. */ static int miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a) { mpz_t r; mpz_t y; int is_prime = 0; mp_bitcnt_t k, j; VERBOSE("."); if (mpz_even_p(n) || mpz_cmp_ui(n, 3) < 0) return 0; mpz_init(r); mpz_init(y); k = mpz_scan1(nm1, 0); assert(k > 0); mpz_fdiv_q_2exp (r, nm1, k); mpz_powm(y, a, r, n); if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, nm1) == 0) goto passed_miller_rabin; for (j = 1; j < k; j++) { mpz_powm_ui (y, y, 2, n); if (mpz_cmp_ui (y, 1) == 0) break; if (mpz_cmp (y, nm1) == 0) { passed_miller_rabin: /* We know that a^{n-1} = 1 (mod n) Remains to check that gcd(a^{(n-1)/q} - 1, n) == 1 */ VERBOSE("x"); mpz_powm(y, a, nm1dq, n); mpz_sub_ui(y, y, 1); mpz_gcd(y, y, n); is_prime = mpz_cmp_ui (y, 1) == 0; VERBOSE(is_prime ? "\n" : ""); break; } } mpz_clear(r); mpz_clear(y); return is_prime; } /* The most basic variant of Pocklingtons theorem: Assume that q^e | (n-1), with q prime. If we can find an a such that a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 then any prime divisor p of n satisfies p = 1 (mod q^e). Proof (Cohen, 8.3.2): Assume p is a prime factor of n. The central idea of the proof is to consider the order, modulo p, of a. Denote this by d. a^{n-1} = 1 (mod n) implies a^{n-1} = 1 (mod p), hence d | (n-1). Next, the condition gcd(a^{(n-1)/q} - 1, n) = 1 implies that a^{(n-1)/q} != 1, hence d does not divide (n-1)/q. Since q is prime, this means that q^e | d. Finally, we have a^{p-1} = 1 (mod p), hence d | (p-1). So q^e | d | (p-1), which gives the desired result: p = 1 (mod q^e). * Variant, slightly stronger than Fact 4.59, HAC: Assume n = 1 + 2rq, q an odd prime, r <= 2q, and a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 Then n is prime. Proof: By Pocklington's theorem, any prime factor p satisfies p = 1 (mod q). Neither 1 or q+1 are primes, hence p >= 1 + 2q. If n is composite, we have n >= (1+2q)^2. But the assumption r <= 2q implies n <= 1 + 4q^2, a contradiction. In bits, the requirement is that #n <= 2 #q, then r = (n-1)/2q < 2^{#n - #q} <= 2^#q = 2 2^{#q-1}< 2 q * Another variant with an extra test (Variant of Fact 4.42, HAC): Assume n = 1 + 2rq, n odd, q an odd prime, 8 q^3 >= n a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 Also let x = floor(r / 2q), y = r mod 2q, If y^2 - 4x is not a square, then n is prime. Proof (adapted from Maurer, Journal of Cryptology, 8 (1995)): Assume n is composite. There are at most two factors, both odd, n = (1+2m_1 q)(1+2m_2 q) = 1 + 4 m_1 m_2 q^2 + 2 (m_1 + m_2) q where we can assume m_1 >= m_2. Then the bound n <= 8 q^3 implies m_1 m_2 < 2q, restricting (m_1, m_2) to the domain 0 < m_2 < sqrt(2q), 0 < m_1 < 2q / m_2. We have the bound m_1 + m_2 < 2q / m_2 + m_2 <= 2q + 1 (maximum value for m_2 = 1) And the case m_1 = 2q, m_2 = 1 can be excluded, because it gives n > 8q^3. So in fact, m_1 + m_2 < 2q. Next, write r = (n-1)/2q = 2 m_1 m_2 q + m_1 + m_2. If follows that m_1 + m_2 = y and m_1 m_2 = x. m_1 and m_2 are thus the roots of the equation m^2 - y m + x = 0 which has integer roots iff y^2 - 4 x is the square of an integer. In bits, the requirement is that #n <= 3 #q, then n < 2^#n <= 2^{3 #q} = 8 2^{3 (#q-1)} < 8 q^3 */ /* Generate a prime number p of size bits with 2 p0q dividing (p-1). p0 must be of size >= ceil(bits/3). The extra factor q can be omitted (then p0 and p0q should be equal). If top_bits_set is one, the topmost two bits are set to one, suitable for RSA primes. Also returns r = (p-1)/p0q. */ void _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, const mpz_t p0, const mpz_t q, const mpz_t p0q) { mpz_t r_min, r_range, pm1, a, e; int need_square_test; unsigned p0_bits; mpz_t x, y, p04; p0_bits = mpz_sizeinbase (p0, 2); assert (bits <= 3*p0_bits); assert (bits > p0_bits); need_square_test = (bits > 2 * p0_bits); mpz_init (r_min); mpz_init (r_range); mpz_init (pm1); mpz_init (a); if (need_square_test) { mpz_init (x); mpz_init (y); mpz_init (p04); mpz_mul_2exp (p04, p0, 2); } if (q) mpz_init (e); if (top_bits_set) { /* i = floor (2^{bits-3} / p0q), then 3I + 3 <= r <= 4I, with I - 2 possible values. */ mpz_set_ui (r_min, 1); mpz_mul_2exp (r_min, r_min, bits-3); mpz_fdiv_q (r_min, r_min, p0q); mpz_sub_ui (r_range, r_min, 2); mpz_mul_ui (r_min, r_min, 3); mpz_add_ui (r_min, r_min, 3); } else { /* i = floor (2^{bits-2} / p0q), I + 1 <= r <= 2I */ mpz_set_ui (r_range, 1); mpz_mul_2exp (r_range, r_range, bits-2); mpz_fdiv_q (r_range, r_range, p0q); mpz_add_ui (r_min, r_range, 1); } for (;;) { uint8_t buf[1]; nettle_mpz_random (r, ctx, random, r_range); mpz_add (r, r, r_min); /* Set p = 2*r*p0q + 1 */ mpz_mul_2exp(r, r, 1); mpz_mul (pm1, r, p0q); mpz_add_ui (p, pm1, 1); assert(mpz_sizeinbase(p, 2) == bits); /* Should use GMP trial division interface when that materializes, we don't need any testing beyond trial division. */ if (!mpz_probab_prime_p (p, 1)) continue; random(ctx, sizeof(buf), buf); mpz_set_ui (a, buf[0] + 2); if (q) { mpz_mul (e, r, q); if (!miller_rabin_pocklington(p, pm1, e, a)) continue; if (need_square_test) { /* Our e corresponds to 2r in the theorem */ mpz_tdiv_qr (x, y, e, p04); goto square_test; } } else { if (!miller_rabin_pocklington(p, pm1, r, a)) continue; if (need_square_test) { mpz_tdiv_qr (x, y, r, p04); square_test: /* We have r' = 2r, x = floor (r/2q) = floor(r'/2q), and y' = r' - x 4q = 2 (r - x 2q) = 2y. Then y^2 - 4x is a square iff y'^2 - 16 x is a square. */ mpz_mul (y, y, y); mpz_submul_ui (y, x, 16); if (mpz_perfect_square_p (y)) continue; } } /* If we passed all the tests, we have found a prime. */ break; } mpz_clear (r_min); mpz_clear (r_range); mpz_clear (pm1); mpz_clear (a); if (need_square_test) { mpz_clear (x); mpz_clear (y); mpz_clear (p04); } if (q) mpz_clear (e); } /* Generate random prime of a given size. Maurer's algorithm (Alg. 6.42 Handbook of applied cryptography), but with ratio = 1/2 (like the variant in fips186-3). */ void nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress) { assert (bits >= 3); if (bits <= 10) { unsigned first; unsigned choices; uint8_t buf; assert (!top_bits_set); random (random_ctx, sizeof(buf), &buf); first = prime_by_size[bits-3]; choices = prime_by_size[bits-2] - first; mpz_set_ui (p, primes[first + buf % choices]); } else if (bits <= 20) { unsigned long highbit; uint8_t buf[3]; unsigned long x; unsigned j; assert (!top_bits_set); highbit = 1L << (bits - 1); again: random (random_ctx, sizeof(buf), buf); x = READ_UINT24(buf); x &= (highbit - 1); x |= highbit | 1; for (j = 0; prime_square[j] <= x; j++) { unsigned q = x * trial_div_table[j].inverse & TRIAL_DIV_MASK; if (q <= trial_div_table[j].limit) goto again; } mpz_set_ui (p, x); } else { mpz_t q, r; mpz_init (q); mpz_init (r); /* Bit size ceil(k/2) + 1, slightly larger than used in Alg. 4.62 in Handbook of Applied Cryptography (which seems to be incorrect for odd k). */ nettle_random_prime (q, (bits+3)/2, 0, random_ctx, random, progress_ctx, progress); _nettle_generate_pocklington_prime (p, r, bits, top_bits_set, random_ctx, random, q, NULL, q); if (progress) progress (progress_ctx, 'x'); mpz_clear (q); mpz_clear (r); } } nettle-4.0/bignum-random.c0000644000000000000000000000537715141166424012521 0ustar00/* bignum-random.c Generating big random numbers Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "bignum.h" #include "gmp-glue.h" void nettle_mpz_random_size(mpz_t x, void *ctx, nettle_random_func *random, unsigned bits) { unsigned length = (bits + 7) / 8; TMP_GMP_DECL(data, uint8_t); TMP_GMP_ALLOC(data, length); random(ctx, length, data); nettle_mpz_set_str_256_u(x, length, data); if (bits % 8) mpz_fdiv_r_2exp(x, x, bits); TMP_GMP_FREE(data); } /* Returns a random number x, 0 <= x < n */ void nettle_mpz_random(mpz_t x, void *ctx, nettle_random_func *random, const mpz_t n) { /* NOTE: This leaves some bias, which may be bad for DSA. A better * way might be to generate a random number of mpz_sizeinbase(n, 2) * bits, and loop until one smaller than n is found. */ /* From Daniel Bleichenbacher (via coderpunks): * * There is still a theoretical attack possible with 8 extra bits. * But, the attack would need about 2^66 signatures 2^66 memory and * 2^66 time (if I remember that correctly). Compare that to DSA, * where the attack requires 2^22 signatures 2^40 memory and 2^64 * time. And of course, the numbers above are not a real threat for * PGP. Using 16 extra bits (i.e. generating a 176 bit random number * and reducing it modulo q) will defeat even this theoretical * attack. * * More generally log_2(q)/8 extra bits are enough to defeat my * attack. NIST also plans to update the standard. */ /* Add a few bits extra, to decrease the bias from the final modulo * operation. NIST FIPS 186-3 specifies 64 extra bits, for use with * DSA. */ nettle_mpz_random_size(x, ctx, random, mpz_sizeinbase(n, 2) + 64); mpz_fdiv_r(x, x, n); } nettle-4.0/bignum.c0000644000000000000000000000755415141166424011242 0ustar00/* bignum.c Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "bignum.h" /* Two's complement negation means that -x = ~x + 1, ~x = -(x+1), * and we use that x = ~~x = ~(-x-1). * * Examples: * * x ~x = -x+1 ~~x = x * -1 0 ff * -2 1 fe * -7f 7e 81 * -80 7f 80 * -81 80 ff7f */ /* Including extra sign bit, if needed. Also one byte for zero. */ size_t nettle_mpz_sizeinbase_256_s(const mpz_t x) { if (mpz_sgn(x) >= 0) return 1 + mpz_sizeinbase(x, 2) / 8; else { /* We'll output ~~x, so we need as many bits as for ~x */ size_t size; mpz_t c; mpz_init(c); mpz_com(c, x); /* Same as c = - x - 1 = |x| + 1 */ size = 1 + mpz_sizeinbase(c,2) / 8; mpz_clear(c); return size; } } size_t nettle_mpz_sizeinbase_256_u(const mpz_t x) { return (mpz_sizeinbase(x,2) + 7) / 8; } static void nettle_mpz_to_octets(size_t length, uint8_t *s, const mpz_t x, uint8_t sign) { uint8_t *dst = s + length - 1; size_t size = mpz_size(x); size_t i; for (i = 0; i>= 8; length--; } } if (length) memset(s, sign, length); } void nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x) { if (!length) { /* x must be zero */ assert(!mpz_sgn(x)); return; } if (mpz_sgn(x) >= 0) { assert(nettle_mpz_sizeinbase_256_u(x) <= length); nettle_mpz_to_octets(length, s, x, 0); } else { mpz_t c; mpz_init(c); mpz_com(c, x); assert(nettle_mpz_sizeinbase_256_u(c) <= length); nettle_mpz_to_octets(length, s, c, 0xff); mpz_clear(c); } } /* Converting from strings */ /* mpz_import was introduced in GMP-4.1 */ #define nettle_mpz_from_octets(x, length, s) \ mpz_import((x), (length), 1, 1, 0, 0, (s)) void nettle_mpz_set_str_256_u(mpz_t x, size_t length, const uint8_t *s) { nettle_mpz_from_octets(x, length, s); } void nettle_mpz_init_set_str_256_u(mpz_t x, size_t length, const uint8_t *s) { mpz_init(x); nettle_mpz_from_octets(x, length, s); } void nettle_mpz_set_str_256_s(mpz_t x, size_t length, const uint8_t *s) { if (!length) { mpz_set_ui(x, 0); return; } nettle_mpz_from_octets(x, length, s); if (s[0] & 0x80) { mpz_t t; mpz_init_set_ui(t, 1); mpz_mul_2exp(t, t, length*8); mpz_sub(x, x, t); mpz_clear(t); } } void nettle_mpz_init_set_str_256_s(mpz_t x, size_t length, const uint8_t *s) { mpz_init(x); nettle_mpz_set_str_256_s(x, length, s); } nettle-4.0/bignum.h0000644000000000000000000000640315141166424011237 0ustar00/* bignum.h Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BIGNUM_H_INCLUDED #define NETTLE_BIGNUM_H_INCLUDED #include "nettle-types.h" /* For NETTLE_USE_MINI_GMP */ #include "version.h" #if NETTLE_USE_MINI_GMP # include "mini-gmp.h" # define GMP_NUMB_MASK (~(mp_limb_t) 0) /* Side-channel silent powm not available in mini-gmp. */ # define mpz_powm_sec mpz_powm #else # include #endif #ifdef __cplusplus extern "C" { #endif /* Size needed for signed encoding, including extra sign byte if * necessary. */ size_t nettle_mpz_sizeinbase_256_s(const mpz_t x); /* Size needed for unsigned encoding */ size_t nettle_mpz_sizeinbase_256_u(const mpz_t x); /* Writes an integer as length octets, using big endian byte order, * and two's complement for negative numbers. */ void nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x); /* Reads a big endian, two's complement, integer. */ void nettle_mpz_set_str_256_s(mpz_t x, size_t length, const uint8_t *s); void nettle_mpz_init_set_str_256_s(mpz_t x, size_t length, const uint8_t *s); /* Similar, but for unsigned format. These function don't interpret * the most significant bit as the sign. */ void nettle_mpz_set_str_256_u(mpz_t x, size_t length, const uint8_t *s); void nettle_mpz_init_set_str_256_u(mpz_t x, size_t length, const uint8_t *s); /* Returns a uniformly distributed random number 0 <= x < 2^n */ void nettle_mpz_random_size(mpz_t x, void *ctx, nettle_random_func *random, unsigned bits); /* Returns a number x, almost uniformly random in the range * 0 <= x < n. */ void nettle_mpz_random(mpz_t x, void *ctx, nettle_random_func *random, const mpz_t n); void nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress); /* sexp parsing */ struct sexp_iterator; /* If LIMIT is non-zero, the number must be at most LIMIT bits. * Implies sexp_iterator_next. */ int nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i); /* der parsing */ struct asn1_der_iterator; int nettle_asn1_der_get_bignum(struct asn1_der_iterator *iterator, mpz_t x, unsigned max_bits); #ifdef __cplusplus } #endif #endif /* NETTLE_BIGNUM_H_INCLUDED */ nettle-4.0/block-internal.h0000644000000000000000000001350015141166424012656 0ustar00/* block-internal.h Internal implementations of nettle_blockZ-related functions. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc. Copyright (C) 2019 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED #define NETTLE_BLOCK_INTERNAL_H_INCLUDED #include #include "nettle-types.h" #include "bswap-internal.h" #include "memxor.h" static inline void block16_zero (union nettle_block16 *r) { static const union nettle_block16 zero_block; *r = zero_block; } static inline void block16_set (union nettle_block16 *r, const union nettle_block16 *x) { r->u64[0] = x->u64[0]; r->u64[1] = x->u64[1]; } static inline void block16_xor (union nettle_block16 *r, const union nettle_block16 *x) { r->u64[0] ^= x->u64[0]; r->u64[1] ^= x->u64[1]; } static inline void block16_xor3 (union nettle_block16 *r, const union nettle_block16 *x, const union nettle_block16 *y) { r->u64[0] = x->u64[0] ^ y->u64[0]; r->u64[1] = x->u64[1] ^ y->u64[1]; } static inline void block16_xor_bytes (union nettle_block16 *r, const union nettle_block16 *x, const uint8_t *bytes) { memxor3 (r->b, x->b, bytes, 16); } static inline void block8_xor (union nettle_block8 *r, const union nettle_block8 *x) { r->u64 ^= x->u64; } static inline void block8_xor3 (union nettle_block8 *r, const union nettle_block8 *x, const union nettle_block8 *y) { r->u64 = x->u64 ^ y->u64; } static inline void block8_xor_bytes (union nettle_block8 *r, const union nettle_block8 *x, const uint8_t *bytes) { memxor3 (r->b, x->b, bytes, 8); } /* Do a foreign-endianness shift of data */ #define LSHIFT_ALIEN_UINT64(x) \ ((((x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \ (((x) & UINT64_C(0x8080808080808080)) >> 15)) #define RSHIFT_ALIEN_UINT64(x) \ ((((x) & UINT64_C(0xfefefefefefefefe)) >> 1) | \ (((x) & UINT64_C(0x0001010101010101)) << 15)) /* Two typical defining polynoms */ #define BLOCK16_POLY (UINT64_C(0x87)) #define BLOCK8_POLY (UINT64_C(0x1b)) #define GHASH_POLY (UINT64_C(0xE1)) /* Galois multiplications by 2: * functions differ in shifting right or left, big- or little- endianness * and by defining polynom. * r == x is allowed. */ #if WORDS_BIGENDIAN static inline void block16_mulx_be (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = src->u64[0] >> 63; dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63); dst->u64[1] = (src->u64[1] << 1) ^ (BLOCK16_POLY & -carry); } static inline void block16_mulx_le (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = (src->u64[1] & 0x80) >> 7; dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) | ((src->u64[0] & 0x80) << 49); dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) ^ ((BLOCK16_POLY << 56) & -carry); } static inline void block8_mulx_be (union nettle_block8 *dst, const union nettle_block8 *src) { uint64_t carry = src->u64 >> 63; dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry); } static inline void block16_mulx_ghash (union nettle_block16 *r, const union nettle_block16 *x) { uint64_t mask; /* Shift uses big-endian representation. */ mask = - (x->u64[1] & 1); r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); r->u64[0] = (x->u64[0] >> 1) ^ (mask & (GHASH_POLY << 56)); } #else /* !WORDS_BIGENDIAN */ static inline void block16_mulx_be (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = (src->u64[0] & 0x80) >> 7; dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) | ((src->u64[1] & 0x80) << 49); dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) ^ ((BLOCK16_POLY << 56) & -carry); } static inline void block16_mulx_le (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = src->u64[1] >> 63; dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63); dst->u64[0] = (src->u64[0] << 1) ^ (BLOCK16_POLY & -carry); } static inline void block8_mulx_be (union nettle_block8 *dst, const union nettle_block8 *src) { uint64_t carry = (src->u64 & 0x80) >> 7; dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry); } static inline void block16_mulx_ghash (union nettle_block16 *r, const union nettle_block16 *x) { uint64_t mask; /* Shift uses big-endian representation. */ mask = - ((x->u64[1] >> 56) & 1); r->u64[1] = RSHIFT_ALIEN_UINT64(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); r->u64[0] = RSHIFT_ALIEN_UINT64(x->u64[0]) ^ (mask & GHASH_POLY); } #endif /* ! WORDS_BIGENDIAN */ /* Reverse bytes in X and store the result in R. This supports in-place operation (R and X can overlap). */ static inline void block16_bswap (union nettle_block16 *r, const union nettle_block16 *x) { uint64_t t = nettle_bswap64 (x->u64[0]); r->u64[0] = nettle_bswap64 (x->u64[1]); r->u64[1] = t; } #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ nettle-4.0/blowfish-bcrypt.c0000644000000000000000000004275615141166423013101 0ustar00/* blowfish-bcrypt.c The blowfish bcrypt implementation. Copyright (c) 2020 Stephen R. van den Berg This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include #include "blowfish.h" #include "blowfish-internal.h" #include "base64.h" #include "bswap-internal.h" #include "macros.h" #define CRYPTPLEN 7 #define SALTLEN ((BLOWFISH_BCRYPT_BINSALT_SIZE*8+5) / 6) #define HASHOFFSET (CRYPTPLEN + SALTLEN) static const signed char radix64_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, -1, -1, -1, -3, -1, -1, -1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, -1, -1, -1, -1, -1, -1, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; static const char radix64_encode_table[64] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"; int blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key, size_t lenhashed, const uint8_t *hashed) { uint8_t newhash[BLOWFISH_BCRYPT_HASH_SIZE]; return blowfish_bcrypt_hash(newhash, lenkey, key, lenhashed, hashed, -1, (void*)0) && !strcmp((const char*)newhash, (const char*)hashed); } static char *encode_radix64(char *dst, size_t len, const uint8_t *src) { struct base64_encode_ctx ctx; base64_encode_init(&ctx); ctx.alphabet = radix64_encode_table; dst += base64_encode_update(&ctx, dst, len, src); dst += base64_encode_final(&ctx, dst); *--dst = '\0'; /* Strip the trailing = */ return dst; } /* * Large parts of the code below are based on public domain sources. * The comments and copyright notices have been preserved. * Any code added or modified by me is licensed under the * licenses listed above. -- Stephen R. van den Berg */ /* * This code comes from John the Ripper password cracker, with reentrant * and crypt(3) interfaces added, but optimizations specific to password * cracking removed. * * Written by Solar Designer in 1998-2015. * No copyright is claimed, and the software is hereby placed in the public * domain. In case this attempt to disclaim copyright and place the software * in the public domain is deemed null and void, then the software is * Copyright (c) 1998-2015 Solar Designer and it is hereby released to the * general public under the following terms: * * Redistribution and use in source and binary forms, with or without * modification, are permitted. * * There's ABSOLUTELY NO WARRANTY, express or implied. * * It is my intent that you should be able to use this on your system, * as part of a software package, or anywhere else to improve security, * ensure compatibility, or for any other purpose. I would appreciate * it if you give credit where it is due and keep your modifications in * the public domain as well, but I don't require that in order to let * you place this code and any modifications you make under a license * of your choice. * * This implementation is fully compatible with OpenBSD's bcrypt.c for prefix * "$2b$", originally by Niels Provos , and it uses * some of his ideas. The password hashing algorithm was designed by David * Mazieres . For information on the level of * compatibility for bcrypt hash prefixes other than "$2b$", please refer to * the comments in set_key() below and to the included crypt(3) man page. */ typedef uint32_t bf_key[_BLOWFISH_ROUNDS + 2]; /* * Magic IV for 64 Blowfish encryptions that we do at the end. * The string is "OrpheanBeholderScryDoubt" on big-endian. */ static uint32_t magic_w[6] = { 0x4F727068, 0x65616E42, 0x65686F6C, 0x64657253, 0x63727944, 0x6F756274 }; static void set_xkey(size_t lenkey, const uint8_t *key, bf_key expanded, bf_key initial, unsigned bug, uint32_t safety) { const uint8_t *ptr = key; size_t n = lenkey; unsigned i, j; uint32_t sign, diff, tmp[2]; /* * There was a sign extension bug in older revisions of this function. While * we would have liked to simply fix the bug and move on, we have to provide * a backwards compatibility feature (essentially the bug) for some systems and * a safety measure for some others. The latter is needed because for certain * multiple inputs to the buggy algorithm there exist easily found inputs to * the correct algorithm that produce the same hash. Thus, we optionally * deviate from the correct algorithm just enough to avoid such collisions. * While the bug itself affected the majority of passwords containing * characters with the 8th bit set (although only a percentage of those in a * collision-producing way), the anti-collision safety measure affects * only a subset of passwords containing the '\xff' character (not even all of * those passwords, just some of them). This character is not found in valid * UTF-8 sequences and is rarely used in popular 8-bit character encodings. * Thus, the safety measure is unlikely to cause much annoyance, and is a * reasonable tradeoff to use when authenticating against existing hashes that * are not reliably known to have been computed with the correct algorithm. * * We use an approach that tries to minimize side-channel leaks of password * information - that is, we mostly use fixed-cost bitwise operations instead * of branches or table lookups. (One conditional branch based on password * length remains. It is not part of the bug aftermath, though, and is * difficult and possibly unreasonable to avoid given the use of C strings by * the caller, which results in similar timing leaks anyway.) * * For actual implementation, we set an array index in the variable "bug" * (0 means no bug, 1 means sign extension bug emulation) and a flag in the * variable "safety" (bit 16 is set when the safety measure is requested). * Valid combinations of settings are: * * Prefix "$2a$": bug = 0, safety = 0x10000 * Prefix "$2b$": bug = 0, safety = 0 * Prefix "$2x$": bug = 1, safety = 0 * Prefix "$2y$": bug = 0, safety = 0 */ sign = diff = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i++) { tmp[0] = tmp[1] = 0; for (j = 0; j < 4; j++) { tmp[0] <<= 8; tmp[0] |= (unsigned char)*ptr; /* correct */ tmp[1] <<= 8; tmp[1] |= (signed char)*ptr; /* bug */ /* * Sign extension in the first char has no effect - nothing to overwrite yet, * and those extra 24 bits will be fully shifted out of the 32-bit word. For * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign * extension in tmp[1] occurs. Once this flag is set, it remains set. */ if (j) sign |= tmp[1] & 0x80; if (n--) ptr++; else ptr = key, n = lenkey; } diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */ expanded[i] = tmp[bug]; initial[i] = _nettle_blowfish_initial_ctx.p[i] ^ tmp[bug]; } /* * At this point, "diff" is zero if the correct and buggy algorithms produced * exactly the same result. If so and if "sign" is non-zero, which indicates * that there was a non-benign sign extension, this means that we have a * collision between the correctly computed hash for this password and a set of * passwords that could be supplied to the buggy algorithm. Our safety measure * is meant to protect from such many-buggy to one-correct collisions, by * deviating from the correct algorithm in such cases. Let's check for this. */ diff |= diff >> 16; /* still zero if exact match */ diff &= 0xffff; /* ditto */ diff += 0xffff; /* bit 16 set if "diff" was non-zero (on non-match) */ sign <<= 9; /* move the non-benign sign extension flag to bit 16 */ sign &= ~diff & safety; /* action needed? */ /* * If we have determined that we need to deviate from the correct algorithm, * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but * let's stick to it now. It came out of the approach we used above, and it's * not any worse than any other choice we could make.) * * It is crucial that we don't do the same to the expanded key used in the main * Eksblowfish loop. By doing it to only one of these two, we deviate from a * state that could be directly specified by a password to the buggy algorithm * (and to the fully correct one as well, but that's a side-effect). */ initial[0] ^= sign; } static int ibcrypt(uint8_t *dst, size_t lenkey, const uint8_t *key, size_t lenscheme, const uint8_t *scheme, int minlog2rounds, int log2rounds, const uint8_t *salt) { struct { struct blowfish_ctx ctx; bf_key expanded_key; union { uint32_t salt[4]; uint32_t output[6]; } binary; } data; uint8_t psalt[BLOWFISH_BCRYPT_BINSALT_SIZE]; uint32_t L, R; uint32_t *ptr; uint32_t count; int i; unsigned cscheme; unsigned bug = 0; uint32_t safety = 0; if (lenscheme < 2) return 0; if (lenscheme >= 3 && *scheme++ != '$') return 0; if (*scheme++ != '2') return 0; switch (cscheme = *scheme++) { default: return 0; case 'a': safety = 0x10000; break; case 'x': bug = 1; break; case 'b': case 'y': break; } if (lenscheme >= 4) { if (*scheme++ != '$') return 0; if (lenscheme >= 6) { if (log2rounds < 0) { unsigned c = *scheme++ - '0'; if (c > 9) return 0; log2rounds = c * 10; c = *scheme++ - '0'; if (c > 9) return 0; log2rounds += c; } else scheme += 2; if (lenscheme >= CRYPTPLEN && *scheme++ != '$') return 0; } } if (salt) memcpy(data.binary.salt, salt, BLOWFISH_BCRYPT_BINSALT_SIZE); else if (lenscheme >= HASHOFFSET) { struct base64_decode_ctx ctx; size_t saltlen = BLOWFISH_BCRYPT_BINSALT_SIZE; base64_decode_init(&ctx); ctx.table = radix64_decode_table; if (!base64_decode_update(&ctx, &saltlen, (uint8_t *) data.binary.salt, SALTLEN, (const char*) scheme) || saltlen != BLOWFISH_BCRYPT_BINSALT_SIZE) return 0; } else return 0; memcpy(psalt, data.binary.salt, BLOWFISH_BCRYPT_BINSALT_SIZE); bswap32_n_if_le (4, data.binary.salt); if (log2rounds < minlog2rounds || log2rounds > 31) return 0; count = (uint32_t)1 << log2rounds; set_xkey(lenkey, key, data.expanded_key, data.ctx.p, bug, safety); memcpy(data.ctx.s, _nettle_blowfish_initial_ctx.s, sizeof(data.ctx.s)); L = R = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { L ^= data.binary.salt[i & 2]; R ^= data.binary.salt[(i & 2) + 1]; _nettle_blowfish_encround(&data.ctx, &L, &R); data.ctx.p[i] = L; data.ctx.p[i + 1] = R; } ptr = data.ctx.s[0]; do { ptr += 4; L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 2) & 3]; R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 3) & 3]; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 4) = L; *(ptr - 3) = R; L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 4) & 3]; R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 5) & 3]; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 2) = L; *(ptr - 1) = R; } while (ptr < &data.ctx.s[3][0xFF]); do { int done; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { data.ctx.p[i] ^= data.expanded_key[i]; data.ctx.p[i + 1] ^= data.expanded_key[i + 1]; } done = 0; do { uint32_t tmp1, tmp2, tmp3, tmp4; L = R = 0; ptr = data.ctx.p; do { ptr += 2; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 2) = L; *(ptr - 1) = R; } while (ptr < &data.ctx.p[_BLOWFISH_ROUNDS + 2]); ptr = data.ctx.s[0]; do { ptr += 2; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 2) = L; *(ptr - 1) = R; } while (ptr < &data.ctx.s[3][0xFF]); if (done) break; done = 1; tmp1 = data.binary.salt[0]; tmp2 = data.binary.salt[1]; tmp3 = data.binary.salt[2]; tmp4 = data.binary.salt[3]; for (i = 0; i < _BLOWFISH_ROUNDS; i += 4) { data.ctx.p[i] ^= tmp1; data.ctx.p[i + 1] ^= tmp2; data.ctx.p[i + 2] ^= tmp3; data.ctx.p[i + 3] ^= tmp4; } data.ctx.p[16] ^= tmp1; data.ctx.p[17] ^= tmp2; } while (1); } while (--count); for (i = 0; i < 6; i += 2) { L = magic_w[i]; R = magic_w[i + 1]; count = 64; do _nettle_blowfish_encround(&data.ctx, &L, &R); while (--count); data.binary.output[i] = L; data.binary.output[i + 1] = R; } *dst++ = '$'; *dst++ = '2'; *dst++ = cscheme; *dst++ = '$'; *dst++ = '0' + log2rounds / 10; *dst++ = '0' + log2rounds % 10; *dst++ = '$'; dst = (uint8_t*) encode_radix64((char*) dst, BLOWFISH_BCRYPT_BINSALT_SIZE, psalt) - 1; bswap32_n_if_le (6, data.binary.output); /* This has to be bug-compatible with the original implementation, so only encode 23 of the 24 bytes. */ encode_radix64((char*) dst, 23, (uint8_t *) data.binary.output); return cscheme; } /* * Please preserve the runtime self-test. It serves two purposes at once: * * 1. We really can't afford the risk of producing incompatible hashes e.g. * when there's something like gcc bug 26587 again, whereas an application or * library integrating this code might not also integrate our external tests or * it might not run them after every build. Even if it does, the miscompile * might only occur on the production build, but not on a testing build (such * as because of different optimization settings). It is painful to recover * from incorrectly-computed hashes - merely fixing whatever broke is not * enough. Thus, a proactive measure like this self-test is needed. * * 2. We don't want to leave sensitive data from our actual password hash * computation on the stack or in registers. Previous revisions of the code * would do explicit cleanups, but simply running the self-test after hash * computation is more reliable. * * The performance cost of this quick self-test is around 0.6% at the "$2a$08" * setting. */ int blowfish_bcrypt_hash(uint8_t *dst, size_t lenkey, const uint8_t *key, size_t lenscheme, const uint8_t *scheme, int log2rounds, const uint8_t *salt) { const uint8_t test_pw[] = "8b \xd0\xc1\xd2\xcf\xcc\xd8"; const uint8_t test_scheme[] = "$2a$00$abcdefghijklmnopqrstuu"; static const char * const test_hashes[2] = {"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */ "VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */ const char *test_hash = test_hashes[0]; int cscheme; int ok; uint8_t bufs[sizeof(test_scheme) - 1]; uint8_t bufo[BLOWFISH_BCRYPT_HASH_SIZE]; *dst = '\0'; /* Hash the supplied password */ cscheme = ibcrypt(dst, lenkey, key, lenscheme, scheme, 4, log2rounds, salt); /* * Do a quick self-test. It is important that we make both calls to ibcrypt() * from the same scope such that they likely use the same stack locations, * which makes the second call overwrite the first call's sensitive data on the * stack and makes it more likely that any alignment related issues would be * detected by the self-test. */ memcpy(bufs, test_scheme, sizeof(test_scheme) - 1); if (cscheme) test_hash = test_hashes[(bufs[2] = cscheme) == 'x']; *bufo = 0; ok = ibcrypt(bufo, sizeof(test_pw) - 1, test_pw, sizeof(bufs), bufs, 0, -1, (void*)0); ok = (ok && !memcmp(bufo, bufs, sizeof(bufs)) && !memcmp(bufo + HASHOFFSET, test_hash, sizeof(test_hash) - 1)); { const uint8_t k[] = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"; bf_key ae, ai, ye, yi; set_xkey(sizeof(k) - 1, k, ae, ai, 0, 0x10000); /* $2a$ */ set_xkey(sizeof(k) - 1, k, ye, yi, 0, 0); /* $2y$ */ ai[0] ^= 0x10000; /* undo the safety (for comparison) */ ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 && !memcmp(ae, ye, sizeof(ae)) && !memcmp(ai, yi, sizeof(ai)); } return ok && !!cscheme; } nettle-4.0/blowfish-internal.h0000644000000000000000000000302715141166424013404 0ustar00/* blowfish-internal.h Blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BLOWFISH_INTERNAL_H_INCLUDED #define NETTLE_BLOWFISH_INTERNAL_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif extern const struct blowfish_ctx _nettle_blowfish_initial_ctx; extern void _nettle_blowfish_encround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr); #ifdef __cplusplus } #endif #endif /* NETTLE_BLOWFISH_INTERNAL_H_INCLUDED */ nettle-4.0/blowfish.c0000644000000000000000000004667515141166423011604 0ustar00/* blowfish.c The blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 2010 Simon Josefsson Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* For a description of the algorithm, see: * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996. * ISBN 0-471-11709-9. Pages 336 ff. */ /* This file is derived from cipher/blowfish.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-11-23. Changes include removing the selftest, renaming u32/byte types to uint32_t/uint8_t, renaming BLOWFISH_ROUNDS to _BLOWFISH_ROUNDS (from Nettle's blowfish.h), dropping the libgcrypt wrapper functions, fixing #include's, remove support for non-16 rounds (there are no test vectors), adding FOR_BLOCK iterations, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include "blowfish.h" #include "blowfish-internal.h" #include "macros.h" /* precomputed S boxes */ const struct blowfish_ctx _nettle_blowfish_initial_ctx = { { { /* ks0 */ 0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7, 0xB8E1AFED, 0x6A267E96, 0xBA7C9045, 0xF12C7F99, 0x24A19947, 0xB3916CF7, 0x0801F2E2, 0x858EFC16, 0x636920D8, 0x71574E69, 0xA458FEA3, 0xF4933D7E, 0x0D95748F, 0x728EB658, 0x718BCD58, 0x82154AEE, 0x7B54A41D, 0xC25A59B5, 0x9C30D539, 0x2AF26013, 0xC5D1B023, 0x286085F0, 0xCA417918, 0xB8DB38EF, 0x8E79DCB0, 0x603A180E, 0x6C9E0E8B, 0xB01E8A3E, 0xD71577C1, 0xBD314B27, 0x78AF2FDA, 0x55605C60, 0xE65525F3, 0xAA55AB94, 0x57489862, 0x63E81440, 0x55CA396A, 0x2AAB10B6, 0xB4CC5C34, 0x1141E8CE, 0xA15486AF, 0x7C72E993, 0xB3EE1411, 0x636FBC2A, 0x2BA9C55D, 0x741831F6, 0xCE5C3E16, 0x9B87931E, 0xAFD6BA33, 0x6C24CF5C, 0x7A325381, 0x28958677, 0x3B8F4898, 0x6B4BB9AF, 0xC4BFE81B, 0x66282193, 0x61D809CC, 0xFB21A991, 0x487CAC60, 0x5DEC8032, 0xEF845D5D, 0xE98575B1, 0xDC262302, 0xEB651B88, 0x23893E81, 0xD396ACC5, 0x0F6D6FF3, 0x83F44239, 0x2E0B4482, 0xA4842004, 0x69C8F04A, 0x9E1F9B5E, 0x21C66842, 0xF6E96C9A, 0x670C9C61, 0xABD388F0, 0x6A51A0D2, 0xD8542F68, 0x960FA728, 0xAB5133A3, 0x6EEF0B6C, 0x137A3BE4, 0xBA3BF050, 0x7EFB2A98, 0xA1F1651D, 0x39AF0176, 0x66CA593E, 0x82430E88, 0x8CEE8619, 0x456F9FB4, 0x7D84A5C3, 0x3B8B5EBE, 0xE06F75D8, 0x85C12073, 0x401A449F, 0x56C16AA6, 0x4ED3AA62, 0x363F7706, 0x1BFEDF72, 0x429B023D, 0x37D0D724, 0xD00A1248, 0xDB0FEAD3, 0x49F1C09B, 0x075372C9, 0x80991B7B, 0x25D479D8, 0xF6E8DEF7, 0xE3FE501A, 0xB6794C3B, 0x976CE0BD, 0x04C006BA, 0xC1A94FB6, 0x409F60C4, 0x5E5C9EC2, 0x196A2463, 0x68FB6FAF, 0x3E6C53B5, 0x1339B2EB, 0x3B52EC6F, 0x6DFC511F, 0x9B30952C, 0xCC814544, 0xAF5EBD09, 0xBEE3D004, 0xDE334AFD, 0x660F2807, 0x192E4BB3, 0xC0CBA857, 0x45C8740F, 0xD20B5F39, 0xB9D3FBDB, 0x5579C0BD, 0x1A60320A, 0xD6A100C6, 0x402C7279, 0x679F25FE, 0xFB1FA3CC, 0x8EA5E9F8, 0xDB3222F8, 0x3C7516DF, 0xFD616B15, 0x2F501EC8, 0xAD0552AB, 0x323DB5FA, 0xFD238760, 0x53317B48, 0x3E00DF82, 0x9E5C57BB, 0xCA6F8CA0, 0x1A87562E, 0xDF1769DB, 0xD542A8F6, 0x287EFFC3, 0xAC6732C6, 0x8C4F5573, 0x695B27B0, 0xBBCA58C8, 0xE1FFA35D, 0xB8F011A0, 0x10FA3D98, 0xFD2183B8, 0x4AFCB56C, 0x2DD1D35B, 0x9A53E479, 0xB6F84565, 0xD28E49BC, 0x4BFB9790, 0xE1DDF2DA, 0xA4CB7E33, 0x62FB1341, 0xCEE4C6E8, 0xEF20CADA, 0x36774C01, 0xD07E9EFE, 0x2BF11FB4, 0x95DBDA4D, 0xAE909198, 0xEAAD8E71, 0x6B93D5A0, 0xD08ED1D0, 0xAFC725E0, 0x8E3C5B2F, 0x8E7594B7, 0x8FF6E2FB, 0xF2122B64, 0x8888B812, 0x900DF01C, 0x4FAD5EA0, 0x688FC31C, 0xD1CFF191, 0xB3A8C1AD, 0x2F2F2218, 0xBE0E1777, 0xEA752DFE, 0x8B021FA1, 0xE5A0CC0F, 0xB56F74E8, 0x18ACF3D6, 0xCE89E299, 0xB4A84FE0, 0xFD13E0B7, 0x7CC43B81, 0xD2ADA8D9, 0x165FA266, 0x80957705, 0x93CC7314, 0x211A1477, 0xE6AD2065, 0x77B5FA86, 0xC75442F5, 0xFB9D35CF, 0xEBCDAF0C, 0x7B3E89A0, 0xD6411BD3, 0xAE1E7E49, 0x00250E2D, 0x2071B35E, 0x226800BB, 0x57B8E0AF, 0x2464369B, 0xF009B91E, 0x5563911D, 0x59DFA6AA, 0x78C14389, 0xD95A537F, 0x207D5BA2, 0x02E5B9C5, 0x83260376, 0x6295CFA9, 0x11C81968, 0x4E734A41, 0xB3472DCA, 0x7B14A94A, 0x1B510052, 0x9A532915, 0xD60F573F, 0xBC9BC6E4, 0x2B60A476, 0x81E67400, 0x08BA6FB5, 0x571BE91F, 0xF296EC6B, 0x2A0DD915, 0xB6636521, 0xE7B9F9B6, 0xFF34052E, 0xC5855664, 0x53B02D5D, 0xA99F8FA1, 0x08BA4799, 0x6E85076A }, { /* ks1 */ 0x4B7A70E9, 0xB5B32944, 0xDB75092E, 0xC4192623, 0xAD6EA6B0, 0x49A7DF7D, 0x9CEE60B8, 0x8FEDB266, 0xECAA8C71, 0x699A17FF, 0x5664526C, 0xC2B19EE1, 0x193602A5, 0x75094C29, 0xA0591340, 0xE4183A3E, 0x3F54989A, 0x5B429D65, 0x6B8FE4D6, 0x99F73FD6, 0xA1D29C07, 0xEFE830F5, 0x4D2D38E6, 0xF0255DC1, 0x4CDD2086, 0x8470EB26, 0x6382E9C6, 0x021ECC5E, 0x09686B3F, 0x3EBAEFC9, 0x3C971814, 0x6B6A70A1, 0x687F3584, 0x52A0E286, 0xB79C5305, 0xAA500737, 0x3E07841C, 0x7FDEAE5C, 0x8E7D44EC, 0x5716F2B8, 0xB03ADA37, 0xF0500C0D, 0xF01C1F04, 0x0200B3FF, 0xAE0CF51A, 0x3CB574B2, 0x25837A58, 0xDC0921BD, 0xD19113F9, 0x7CA92FF6, 0x94324773, 0x22F54701, 0x3AE5E581, 0x37C2DADC, 0xC8B57634, 0x9AF3DDA7, 0xA9446146, 0x0FD0030E, 0xECC8C73E, 0xA4751E41, 0xE238CD99, 0x3BEA0E2F, 0x3280BBA1, 0x183EB331, 0x4E548B38, 0x4F6DB908, 0x6F420D03, 0xF60A04BF, 0x2CB81290, 0x24977C79, 0x5679B072, 0xBCAF89AF, 0xDE9A771F, 0xD9930810, 0xB38BAE12, 0xDCCF3F2E, 0x5512721F, 0x2E6B7124, 0x501ADDE6, 0x9F84CD87, 0x7A584718, 0x7408DA17, 0xBC9F9ABC, 0xE94B7D8C, 0xEC7AEC3A, 0xDB851DFA, 0x63094366, 0xC464C3D2, 0xEF1C1847, 0x3215D908, 0xDD433B37, 0x24C2BA16, 0x12A14D43, 0x2A65C451, 0x50940002, 0x133AE4DD, 0x71DFF89E, 0x10314E55, 0x81AC77D6, 0x5F11199B, 0x043556F1, 0xD7A3C76B, 0x3C11183B, 0x5924A509, 0xF28FE6ED, 0x97F1FBFA, 0x9EBABF2C, 0x1E153C6E, 0x86E34570, 0xEAE96FB1, 0x860E5E0A, 0x5A3E2AB3, 0x771FE71C, 0x4E3D06FA, 0x2965DCB9, 0x99E71D0F, 0x803E89D6, 0x5266C825, 0x2E4CC978, 0x9C10B36A, 0xC6150EBA, 0x94E2EA78, 0xA5FC3C53, 0x1E0A2DF4, 0xF2F74EA7, 0x361D2B3D, 0x1939260F, 0x19C27960, 0x5223A708, 0xF71312B6, 0xEBADFE6E, 0xEAC31F66, 0xE3BC4595, 0xA67BC883, 0xB17F37D1, 0x018CFF28, 0xC332DDEF, 0xBE6C5AA5, 0x65582185, 0x68AB9802, 0xEECEA50F, 0xDB2F953B, 0x2AEF7DAD, 0x5B6E2F84, 0x1521B628, 0x29076170, 0xECDD4775, 0x619F1510, 0x13CCA830, 0xEB61BD96, 0x0334FE1E, 0xAA0363CF, 0xB5735C90, 0x4C70A239, 0xD59E9E0B, 0xCBAADE14, 0xEECC86BC, 0x60622CA7, 0x9CAB5CAB, 0xB2F3846E, 0x648B1EAF, 0x19BDF0CA, 0xA02369B9, 0x655ABB50, 0x40685A32, 0x3C2AB4B3, 0x319EE9D5, 0xC021B8F7, 0x9B540B19, 0x875FA099, 0x95F7997E, 0x623D7DA8, 0xF837889A, 0x97E32D77, 0x11ED935F, 0x16681281, 0x0E358829, 0xC7E61FD6, 0x96DEDFA1, 0x7858BA99, 0x57F584A5, 0x1B227263, 0x9B83C3FF, 0x1AC24696, 0xCDB30AEB, 0x532E3054, 0x8FD948E4, 0x6DBC3128, 0x58EBF2EF, 0x34C6FFEA, 0xFE28ED61, 0xEE7C3C73, 0x5D4A14D9, 0xE864B7E3, 0x42105D14, 0x203E13E0, 0x45EEE2B6, 0xA3AAABEA, 0xDB6C4F15, 0xFACB4FD0, 0xC742F442, 0xEF6ABBB5, 0x654F3B1D, 0x41CD2105, 0xD81E799E, 0x86854DC7, 0xE44B476A, 0x3D816250, 0xCF62A1F2, 0x5B8D2646, 0xFC8883A0, 0xC1C7B6A3, 0x7F1524C3, 0x69CB7492, 0x47848A0B, 0x5692B285, 0x095BBF00, 0xAD19489D, 0x1462B174, 0x23820E00, 0x58428D2A, 0x0C55F5EA, 0x1DADF43E, 0x233F7061, 0x3372F092, 0x8D937E41, 0xD65FECF1, 0x6C223BDB, 0x7CDE3759, 0xCBEE7460, 0x4085F2A7, 0xCE77326E, 0xA6078084, 0x19F8509E, 0xE8EFD855, 0x61D99735, 0xA969A7AA, 0xC50C06C2, 0x5A04ABFC, 0x800BCADC, 0x9E447A2E, 0xC3453484, 0xFDD56705, 0x0E1E9EC9, 0xDB73DBD3, 0x105588CD, 0x675FDA79, 0xE3674340, 0xC5C43465, 0x713E38D8, 0x3D28F89E, 0xF16DFF20, 0x153E21E7, 0x8FB03D4A, 0xE6E39F2B, 0xDB83ADF7 }, { /* ks2 */ 0xE93D5A68, 0x948140F7, 0xF64C261C, 0x94692934, 0x411520F7, 0x7602D4F7, 0xBCF46B2E, 0xD4A20068, 0xD4082471, 0x3320F46A, 0x43B7D4B7, 0x500061AF, 0x1E39F62E, 0x97244546, 0x14214F74, 0xBF8B8840, 0x4D95FC1D, 0x96B591AF, 0x70F4DDD3, 0x66A02F45, 0xBFBC09EC, 0x03BD9785, 0x7FAC6DD0, 0x31CB8504, 0x96EB27B3, 0x55FD3941, 0xDA2547E6, 0xABCA0A9A, 0x28507825, 0x530429F4, 0x0A2C86DA, 0xE9B66DFB, 0x68DC1462, 0xD7486900, 0x680EC0A4, 0x27A18DEE, 0x4F3FFEA2, 0xE887AD8C, 0xB58CE006, 0x7AF4D6B6, 0xAACE1E7C, 0xD3375FEC, 0xCE78A399, 0x406B2A42, 0x20FE9E35, 0xD9F385B9, 0xEE39D7AB, 0x3B124E8B, 0x1DC9FAF7, 0x4B6D1856, 0x26A36631, 0xEAE397B2, 0x3A6EFA74, 0xDD5B4332, 0x6841E7F7, 0xCA7820FB, 0xFB0AF54E, 0xD8FEB397, 0x454056AC, 0xBA489527, 0x55533A3A, 0x20838D87, 0xFE6BA9B7, 0xD096954B, 0x55A867BC, 0xA1159A58, 0xCCA92963, 0x99E1DB33, 0xA62A4A56, 0x3F3125F9, 0x5EF47E1C, 0x9029317C, 0xFDF8E802, 0x04272F70, 0x80BB155C, 0x05282CE3, 0x95C11548, 0xE4C66D22, 0x48C1133F, 0xC70F86DC, 0x07F9C9EE, 0x41041F0F, 0x404779A4, 0x5D886E17, 0x325F51EB, 0xD59BC0D1, 0xF2BCC18F, 0x41113564, 0x257B7834, 0x602A9C60, 0xDFF8E8A3, 0x1F636C1B, 0x0E12B4C2, 0x02E1329E, 0xAF664FD1, 0xCAD18115, 0x6B2395E0, 0x333E92E1, 0x3B240B62, 0xEEBEB922, 0x85B2A20E, 0xE6BA0D99, 0xDE720C8C, 0x2DA2F728, 0xD0127845, 0x95B794FD, 0x647D0862, 0xE7CCF5F0, 0x5449A36F, 0x877D48FA, 0xC39DFD27, 0xF33E8D1E, 0x0A476341, 0x992EFF74, 0x3A6F6EAB, 0xF4F8FD37, 0xA812DC60, 0xA1EBDDF8, 0x991BE14C, 0xDB6E6B0D, 0xC67B5510, 0x6D672C37, 0x2765D43B, 0xDCD0E804, 0xF1290DC7, 0xCC00FFA3, 0xB5390F92, 0x690FED0B, 0x667B9FFB, 0xCEDB7D9C, 0xA091CF0B, 0xD9155EA3, 0xBB132F88, 0x515BAD24, 0x7B9479BF, 0x763BD6EB, 0x37392EB3, 0xCC115979, 0x8026E297, 0xF42E312D, 0x6842ADA7, 0xC66A2B3B, 0x12754CCC, 0x782EF11C, 0x6A124237, 0xB79251E7, 0x06A1BBE6, 0x4BFB6350, 0x1A6B1018, 0x11CAEDFA, 0x3D25BDD8, 0xE2E1C3C9, 0x44421659, 0x0A121386, 0xD90CEC6E, 0xD5ABEA2A, 0x64AF674E, 0xDA86A85F, 0xBEBFE988, 0x64E4C3FE, 0x9DBC8057, 0xF0F7C086, 0x60787BF8, 0x6003604D, 0xD1FD8346, 0xF6381FB0, 0x7745AE04, 0xD736FCCC, 0x83426B33, 0xF01EAB71, 0xB0804187, 0x3C005E5F, 0x77A057BE, 0xBDE8AE24, 0x55464299, 0xBF582E61, 0x4E58F48F, 0xF2DDFDA2, 0xF474EF38, 0x8789BDC2, 0x5366F9C3, 0xC8B38E74, 0xB475F255, 0x46FCD9B9, 0x7AEB2661, 0x8B1DDF84, 0x846A0E79, 0x915F95E2, 0x466E598E, 0x20B45770, 0x8CD55591, 0xC902DE4C, 0xB90BACE1, 0xBB8205D0, 0x11A86248, 0x7574A99E, 0xB77F19B6, 0xE0A9DC09, 0x662D09A1, 0xC4324633, 0xE85A1F02, 0x09F0BE8C, 0x4A99A025, 0x1D6EFE10, 0x1AB93D1D, 0x0BA5A4DF, 0xA186F20F, 0x2868F169, 0xDCB7DA83, 0x573906FE, 0xA1E2CE9B, 0x4FCD7F52, 0x50115E01, 0xA70683FA, 0xA002B5C4, 0x0DE6D027, 0x9AF88C27, 0x773F8641, 0xC3604C06, 0x61A806B5, 0xF0177A28, 0xC0F586E0, 0x006058AA, 0x30DC7D62, 0x11E69ED7, 0x2338EA63, 0x53C2DD94, 0xC2C21634, 0xBBCBEE56, 0x90BCB6DE, 0xEBFC7DA1, 0xCE591D76, 0x6F05E409, 0x4B7C0188, 0x39720A3D, 0x7C927C24, 0x86E3725F, 0x724D9DB9, 0x1AC15BB4, 0xD39EB8FC, 0xED545578, 0x08FCA5B5, 0xD83D7CD3, 0x4DAD0FC4, 0x1E50EF5E, 0xB161E6F8, 0xA28514D9, 0x6C51133C, 0x6FD5C7E7, 0x56E14EC4, 0x362ABFCE, 0xDDC6C837, 0xD79A3234, 0x92638212, 0x670EFA8E, 0x406000E0 }, { /* ks3 */ 0x3A39CE37, 0xD3FAF5CF, 0xABC27737, 0x5AC52D1B, 0x5CB0679E, 0x4FA33742, 0xD3822740, 0x99BC9BBE, 0xD5118E9D, 0xBF0F7315, 0xD62D1C7E, 0xC700C47B, 0xB78C1B6B, 0x21A19045, 0xB26EB1BE, 0x6A366EB4, 0x5748AB2F, 0xBC946E79, 0xC6A376D2, 0x6549C2C8, 0x530FF8EE, 0x468DDE7D, 0xD5730A1D, 0x4CD04DC6, 0x2939BBDB, 0xA9BA4650, 0xAC9526E8, 0xBE5EE304, 0xA1FAD5F0, 0x6A2D519A, 0x63EF8CE2, 0x9A86EE22, 0xC089C2B8, 0x43242EF6, 0xA51E03AA, 0x9CF2D0A4, 0x83C061BA, 0x9BE96A4D, 0x8FE51550, 0xBA645BD6, 0x2826A2F9, 0xA73A3AE1, 0x4BA99586, 0xEF5562E9, 0xC72FEFD3, 0xF752F7DA, 0x3F046F69, 0x77FA0A59, 0x80E4A915, 0x87B08601, 0x9B09E6AD, 0x3B3EE593, 0xE990FD5A, 0x9E34D797, 0x2CF0B7D9, 0x022B8B51, 0x96D5AC3A, 0x017DA67D, 0xD1CF3ED6, 0x7C7D2D28, 0x1F9F25CF, 0xADF2B89B, 0x5AD6B472, 0x5A88F54C, 0xE029AC71, 0xE019A5E6, 0x47B0ACFD, 0xED93FA9B, 0xE8D3C48D, 0x283B57CC, 0xF8D56629, 0x79132E28, 0x785F0191, 0xED756055, 0xF7960E44, 0xE3D35E8C, 0x15056DD4, 0x88F46DBA, 0x03A16125, 0x0564F0BD, 0xC3EB9E15, 0x3C9057A2, 0x97271AEC, 0xA93A072A, 0x1B3F6D9B, 0x1E6321F5, 0xF59C66FB, 0x26DCF319, 0x7533D928, 0xB155FDF5, 0x03563482, 0x8ABA3CBB, 0x28517711, 0xC20AD9F8, 0xABCC5167, 0xCCAD925F, 0x4DE81751, 0x3830DC8E, 0x379D5862, 0x9320F991, 0xEA7A90C2, 0xFB3E7BCE, 0x5121CE64, 0x774FBE32, 0xA8B6E37E, 0xC3293D46, 0x48DE5369, 0x6413E680, 0xA2AE0810, 0xDD6DB224, 0x69852DFD, 0x09072166, 0xB39A460A, 0x6445C0DD, 0x586CDECF, 0x1C20C8AE, 0x5BBEF7DD, 0x1B588D40, 0xCCD2017F, 0x6BB4E3BB, 0xDDA26A7E, 0x3A59FF45, 0x3E350A44, 0xBCB4CDD5, 0x72EACEA8, 0xFA6484BB, 0x8D6612AE, 0xBF3C6F47, 0xD29BE463, 0x542F5D9E, 0xAEC2771B, 0xF64E6370, 0x740E0D8D, 0xE75B1357, 0xF8721671, 0xAF537D5D, 0x4040CB08, 0x4EB4E2CC, 0x34D2466A, 0x0115AF84, 0xE1B00428, 0x95983A1D, 0x06B89FB4, 0xCE6EA048, 0x6F3F3B82, 0x3520AB82, 0x011A1D4B, 0x277227F8, 0x611560B1, 0xE7933FDC, 0xBB3A792B, 0x344525BD, 0xA08839E1, 0x51CE794B, 0x2F32C9B7, 0xA01FBAC9, 0xE01CC87E, 0xBCC7D1F6, 0xCF0111C3, 0xA1E8AAC7, 0x1A908749, 0xD44FBD9A, 0xD0DADECB, 0xD50ADA38, 0x0339C32A, 0xC6913667, 0x8DF9317C, 0xE0B12B4F, 0xF79E59B7, 0x43F5BB3A, 0xF2D519FF, 0x27D9459C, 0xBF97222C, 0x15E6FC2A, 0x0F91FC71, 0x9B941525, 0xFAE59361, 0xCEB69CEB, 0xC2A86459, 0x12BAA8D1, 0xB6C1075E, 0xE3056A0C, 0x10D25065, 0xCB03A442, 0xE0EC6E0E, 0x1698DB3B, 0x4C98A0BE, 0x3278E964, 0x9F1F9532, 0xE0D392DF, 0xD3A0342B, 0x8971F21E, 0x1B0A7441, 0x4BA3348C, 0xC5BE7120, 0xC37632D8, 0xDF359F8D, 0x9B992F2E, 0xE60B6F47, 0x0FE3F11D, 0xE54CDA54, 0x1EDAD891, 0xCE6279CF, 0xCD3E7E6F, 0x1618B166, 0xFD2C1D05, 0x848FD2C5, 0xF6FB2299, 0xF523F357, 0xA6327623, 0x93A83531, 0x56CCCD02, 0xACF08162, 0x5A75EBB5, 0x6E163697, 0x88D273CC, 0xDE966292, 0x81B949D0, 0x4C50901B, 0x71C65614, 0xE6C6C7BD, 0x327A140A, 0x45E1D006, 0xC3F27B9A, 0xC9AA53FD, 0x62A80F00, 0xBB25BFE2, 0x35BDD2F6, 0x71126905, 0xB2040222, 0xB6CBCF7C, 0xCD769C2B, 0x53113EC0, 0x1640E3D3, 0x38ABBD60, 0x2547ADF0, 0xBA38209C, 0xF746CE76, 0x77AFA1C5, 0x20756060, 0x85CBFE4E, 0x8AE88DD8, 0x7AAAF9B0, 0x4CF9AA7E, 0x1948C25C, 0x02FB8A8C, 0x01C36AE4, 0xD6EBE1F9, 0x90D4F869, 0xA65CDEA0, 0x3F09252D, 0xC208E69F, 0xB74E6132, 0xCE77E25B, 0x578FDFE3, 0x3AC372E6 } }, { /* ps */ 0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C, 0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B } }; /* It's unfortunate to have to pick the bytes apart in the round * function. Werner's gnupg/libgcrypt code took the address of x, and * then read the individual bytes depending on the endianness. But * since xr and xl ought to live in registers, copying via memory is a * bad idea. */ #define F(c, x) \ ((( (c->s[0][(x>>24) &0xff] + c->s[1][(x>>16) & 0xff]) \ ^ c->s[2][(x>>8) & 0xff]) + c->s[3][x & 0xff]) & 0xffffffff) #define R(c, l,r,i) do { l ^= c->p[i]; r ^= F(c,l); } while(0) void _nettle_blowfish_encround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; xl = *ret_xl; xr = *ret_xr; R (ctx, xl, xr, 0); R (ctx, xr, xl, 1); R (ctx, xl, xr, 2); R (ctx, xr, xl, 3); R (ctx, xl, xr, 4); R (ctx, xr, xl, 5); R (ctx, xl, xr, 6); R (ctx, xr, xl, 7); R (ctx, xl, xr, 8); R (ctx, xr, xl, 9); R (ctx, xl, xr, 10); R (ctx, xr, xl, 11); R (ctx, xl, xr, 12); R (ctx, xr, xl, 13); R (ctx, xl, xr, 14); R (ctx, xr, xl, 15); xl ^= ctx->p[_BLOWFISH_ROUNDS]; xr ^= ctx->p[_BLOWFISH_ROUNDS + 1]; *ret_xl = xr; *ret_xr = xl; } static void decround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; xl = *ret_xl; xr = *ret_xr; R (ctx, xl, xr, 17); R (ctx, xr, xl, 16); R (ctx, xl, xr, 15); R (ctx, xr, xl, 14); R (ctx, xl, xr, 13); R (ctx, xr, xl, 12); R (ctx, xl, xr, 11); R (ctx, xr, xl, 10); R (ctx, xl, xr, 9); R (ctx, xr, xl, 8); R (ctx, xl, xr, 7); R (ctx, xr, xl, 6); R (ctx, xl, xr, 5); R (ctx, xr, xl, 4); R (ctx, xl, xr, 3); R (ctx, xr, xl, 2); xl ^= ctx->p[1]; xr ^= ctx->p[0]; *ret_xl = xr; *ret_xr = xl; } #undef F #undef R void blowfish_encrypt (const struct blowfish_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { uint32_t d1, d2; d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); _nettle_blowfish_encround (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; dst[3] = d1 & 0xff; dst[4] = (d2 >> 24) & 0xff; dst[5] = (d2 >> 16) & 0xff; dst[6] = (d2 >> 8) & 0xff; dst[7] = d2 & 0xff; } } void blowfish_decrypt (const struct blowfish_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { uint32_t d1, d2; d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); decround (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; dst[3] = d1 & 0xff; dst[4] = (d2 >> 24) & 0xff; dst[5] = (d2 >> 16) & 0xff; dst[6] = (d2 >> 8) & 0xff; dst[7] = d2 & 0xff; } } int blowfish_set_key (struct blowfish_ctx *ctx, size_t length, const uint8_t * key) { int i, j; uint32_t data, datal, datar; *ctx = _nettle_blowfish_initial_ctx; for (i = j = 0; i < _BLOWFISH_ROUNDS + 2; i++) { data = ((uint32_t) key[j] << 24) | ((uint32_t) key[(j+1) % length] << 16) | ((uint32_t) key[(j+2) % length] << 8) | (uint32_t) key[(j+3) % length]; ctx->p[i] ^= data; j = (j + 4) % length; } datal = datar = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { _nettle_blowfish_encround (ctx, &datal, &datar); ctx->p[i] = datal; ctx->p[i + 1] = datar; } for (j = 0; j < 4; j++) for (i = 0; i < 256; i += 2) { _nettle_blowfish_encround (ctx, &datal, &datar); ctx->s[j][i] = datal; ctx->s[j][i + 1] = datar; } /* Check for weak key. A weak key is a key in which a value in the P-array (here c) occurs more than once per table. */ for (i = 0; i < 255; i++) { for (j = i + 1; j < 256; j++) { if ((ctx->s[0][i] == ctx->s[0][j]) || (ctx->s[1][i] == ctx->s[1][j]) || (ctx->s[2][i] == ctx->s[2][j]) || (ctx->s[3][i] == ctx->s[3][j])) return 0; } } return 1; } int blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key) { return blowfish_set_key (ctx, BLOWFISH128_KEY_SIZE, key); } nettle-4.0/blowfish.h0000644000000000000000000000576715141166424011607 0ustar00/* blowfish.h Blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BLOWFISH_H_INCLUDED #define NETTLE_BLOWFISH_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define blowfish_set_key nettle_blowfish_set_key #define blowfish128_set_key nettle_blowfish128_set_key #define blowfish_encrypt nettle_blowfish_encrypt #define blowfish_decrypt nettle_blowfish_decrypt #define blowfish_bcrypt_hash nettle_blowfish_bcrypt_hash #define blowfish_bcrypt_verify nettle_blowfish_bcrypt_verify #define BLOWFISH_BLOCK_SIZE 8 /* Variable key size between 64 and 448 bits. */ #define BLOWFISH_MIN_KEY_SIZE 8 #define BLOWFISH_MAX_KEY_SIZE 56 /* Default to 128 bits */ #define BLOWFISH_KEY_SIZE 16 #define BLOWFISH128_KEY_SIZE 16 #define _BLOWFISH_ROUNDS 16 #define BLOWFISH_BCRYPT_HASH_SIZE (60 + 1) /* Including null-terminator */ #define BLOWFISH_BCRYPT_BINSALT_SIZE 16 /* Binary string size */ struct blowfish_ctx { uint32_t s[4][256]; uint32_t p[_BLOWFISH_ROUNDS+2]; }; /* Returns 0 for weak keys, otherwise 1. */ int blowfish_set_key(struct blowfish_ctx *ctx, size_t length, const uint8_t *key); int blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key); void blowfish_encrypt(const struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void blowfish_decrypt(const struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* dst parameter must point to a buffer of minimally * BLOWFISH_BCRYPT_HASH_SIZE bytes */ int blowfish_bcrypt_hash(uint8_t *dst, size_t lenkey, const uint8_t *key, size_t lenscheme, const uint8_t *scheme, int log2rounds, const uint8_t *salt); int blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key, size_t lenhashed, const uint8_t *hashed); #ifdef __cplusplus } #endif #endif /* NETTLE_BLOWFISH_H_INCLUDED */ nettle-4.0/bswap-internal.h0000644000000000000000000000450715141166424012707 0ustar00/* bswap-internal.h Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BSWAP_INTERNAL_H_INCLUDED #define NETTLE_BSWAP_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Note that these definitions depend config.h, which should be included first. */ #if HAVE_BUILTIN_BSWAP64 #define nettle_bswap64 __builtin_bswap64 /* Assume bswap32 is also available. */ #define nettle_bswap32 __builtin_bswap32 #else static inline uint64_t nettle_bswap64 (uint64_t x) { x = (x >> 32) | (x << 32); x = ((x >> 16) & UINT64_C (0xffff0000ffff)) | ((x & UINT64_C (0xffff0000ffff)) << 16); x = ((x >> 8) & UINT64_C (0xff00ff00ff00ff)) | ((x & UINT64_C (0xff00ff00ff00ff)) << 8); return x; } static inline uint32_t nettle_bswap32 (uint32_t x) { x = (x << 16) | (x >> 16); x = ((x & 0x00FF00FF) << 8) | ((x >> 8) & 0x00FF00FF); return x; } #endif static inline void nettle_bswap32_n (unsigned n, uint32_t *x) { unsigned i; for (i = 0; i < n; i++) x[i] = nettle_bswap32 (x[i]); } #if WORDS_BIGENDIAN #define bswap64_if_be nettle_bswap64 #define bswap32_if_be nettle_bswap32 #define bswap64_if_le(x) (x) #define bswap32_if_le(x) (x) #define bswap32_n_if_le(n, x) #else #define bswap64_if_be(x) (x) #define bswap32_if_be(x) (x) #define bswap64_if_le nettle_bswap64 #define bswap32_if_le nettle_bswap32 #define bswap32_n_if_le nettle_bswap32_n #endif #endif /* NETTLE_BSWAP_INTERNAL_H_INCLUDED */ nettle-4.0/buffer-init.c0000644000000000000000000000250615141166423012162 0ustar00/* buffer-init.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "buffer.h" #include "realloc.h" /* This is in a separate file so that we don't link in realloc in * programs that don't need it. */ void nettle_buffer_init(struct nettle_buffer *buffer) { nettle_buffer_init_realloc(buffer, NULL, nettle_realloc); } nettle-4.0/buffer.c0000644000000000000000000000602415141166423011220 0ustar00/* buffer.c A bare-bones string stream. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "buffer.h" int nettle_buffer_grow(struct nettle_buffer *buffer, size_t length) { assert(buffer->size <= buffer->alloc); if (buffer->size + length > buffer->alloc) { size_t alloc; uint8_t *p; if (!buffer->realloc) return 0; alloc = buffer->alloc * 2 + length + 100; p = buffer->realloc(buffer->realloc_ctx, buffer->contents, alloc); if (!p) return 0; buffer->contents = p; buffer->alloc = alloc; } return 1; } void nettle_buffer_init_realloc(struct nettle_buffer *buffer, void *realloc_ctx, nettle_realloc_func *realloc) { buffer->contents = NULL; buffer->alloc = 0; buffer->realloc = realloc; buffer->realloc_ctx = realloc_ctx; buffer->size = 0; } void nettle_buffer_init_size(struct nettle_buffer *buffer, size_t length, uint8_t *space) { buffer->contents = space; buffer->alloc = length; buffer->realloc = NULL; buffer->realloc_ctx = NULL; buffer->size = 0; } void nettle_buffer_clear(struct nettle_buffer *buffer) { if (buffer->realloc) buffer->realloc(buffer->realloc_ctx, buffer->contents, 0); buffer->contents = NULL; buffer->alloc = 0; buffer->size = 0; } void nettle_buffer_reset(struct nettle_buffer *buffer) { buffer->size = 0; } uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, size_t length) { uint8_t *p; if (!nettle_buffer_grow(buffer, length)) return NULL; p = buffer->contents + buffer->size; buffer->size += length; return p; } int nettle_buffer_write(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { uint8_t *p = nettle_buffer_space(buffer, length); if (p) { memcpy(p, data, length); return 1; } else return 0; } int nettle_buffer_copy(struct nettle_buffer *dst, const struct nettle_buffer *src) { return nettle_buffer_write(dst, src->size, src->contents); } nettle-4.0/buffer.h0000644000000000000000000000531015141166424011223 0ustar00/* buffer.h A bare-bones string stream. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BUFFER_H_INCLUDED #define NETTLE_BUFFER_H_INCLUDED #include "realloc.h" #ifdef __cplusplus extern "C" { #endif struct nettle_buffer { uint8_t *contents; /* Allocated size */ size_t alloc; void *realloc_ctx; nettle_realloc_func *realloc; /* Current size */ size_t size; }; /* Initializes a buffer that uses plain realloc */ void nettle_buffer_init(struct nettle_buffer *buffer); void nettle_buffer_init_realloc(struct nettle_buffer *buffer, void *realloc_ctx, nettle_realloc_func *realloc); /* Initializes a buffer of fix size */ void nettle_buffer_init_size(struct nettle_buffer *buffer, size_t length, uint8_t *space); void nettle_buffer_clear(struct nettle_buffer *buffer); /* Resets the buffer, without freeing the buffer space. */ void nettle_buffer_reset(struct nettle_buffer *buffer); int nettle_buffer_grow(struct nettle_buffer *buffer, size_t length); #define NETTLE_BUFFER_PUTC(buffer, c) \ ( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \ && ((buffer)->contents[(buffer)->size++] = (c), 1) ) int nettle_buffer_write(struct nettle_buffer *buffer, size_t length, const uint8_t *data); /* Like nettle_buffer_write, but instead of copying data to the * buffer, it returns a pointer to the area where the caller can copy * the data. The pointer is valid only until the next call that can * reallocate the buffer. */ uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, size_t length); /* Copy the contents of SRC to the end of DST. */ int nettle_buffer_copy(struct nettle_buffer *dst, const struct nettle_buffer *src); #ifdef __cplusplus } #endif #endif /* NETTLE_BUFFER_H_INCLUDED */ nettle-4.0/camellia-absorb.c0000644000000000000000000001002215141166423012755 0ustar00/* camellia-absorb.c Final key setup processing for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif /* For CHAR_BIT, needed by HAVE_NATIVE_64_BIT */ #include #include "camellia-internal.h" #include "macros.h" void _nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey) { uint64_t kw2, kw4; uint32_t dw, tl, tr; unsigned i; /* At this point, the subkey array contains the subkeys as described in the spec, 26 for short keys and 34 for large keys. */ /* absorb kw2 to other subkeys */ kw2 = subkey[1]; subkey[3] ^= kw2; subkey[5] ^= kw2; subkey[7] ^= kw2; for (i = 8; i < nkeys; i += 8) { /* FIXME: gcc for x86_32 is smart enough to fetch the 32 low bits and xor the result into the 32 high bits, but it still generates worse code than for explicit 32-bit operations. */ kw2 ^= (kw2 & ~subkey[i+1]) << 32; dw = (kw2 & subkey[i+1]) >> 32; kw2 ^= ROTL32(1, dw); subkey[i+3] ^= kw2; subkey[i+5] ^= kw2; subkey[i+7] ^= kw2; } subkey[i] ^= kw2; /* absorb kw4 to other subkeys */ kw4 = subkey[nkeys + 1]; for (i = nkeys - 8; i > 0; i -= 8) { subkey[i+6] ^= kw4; subkey[i+4] ^= kw4; subkey[i+2] ^= kw4; kw4 ^= (kw4 & ~subkey[i]) << 32; dw = (kw4 & subkey[i]) >> 32; kw4 ^= ROTL32(1, dw); } subkey[6] ^= kw4; subkey[4] ^= kw4; subkey[2] ^= kw4; subkey[0] ^= kw4; /* key XOR is end of F-function */ dst[0] = subkey[0] ^ subkey[2]; dst[1] = subkey[3]; dst[2] = subkey[2] ^ subkey[4]; dst[3] = subkey[3] ^ subkey[5]; dst[4] = subkey[4] ^ subkey[6]; dst[5] = subkey[5] ^ subkey[7]; for (i = 8; i < nkeys; i += 8) { tl = (subkey[i+2] >> 32) ^ (subkey[i+2] & ~subkey[i]); dw = tl & (subkey[i] >> 32); tr = subkey[i+2] ^ ROTL32(1, dw); dst[i-2] = subkey[i-2] ^ ( ((uint64_t) tl << 32) | tr); dst[i-1] = subkey[i]; dst[i] = subkey[i+1]; tl = (subkey[i-1] >> 32) ^ (subkey[i-1] & ~subkey[i+1]); dw = tl & (subkey[i+1] >> 32); tr = subkey[i-1] ^ ROTL32(1, dw); dst[i+1] = subkey[i+3] ^ ( ((uint64_t) tl << 32) | tr); dst[i+2] = subkey[i+2] ^ subkey[i+4]; dst[i+3] = subkey[i+3] ^ subkey[i+5]; dst[i+4] = subkey[i+4] ^ subkey[i+6]; dst[i+5] = subkey[i+5] ^ subkey[i+7]; } dst[i-2] = subkey[i-2]; dst[i-1] = subkey[i] ^ subkey[i-1]; #if !HAVE_NATIVE_64_BIT for (i = 0; i < nkeys; i += 8) { /* apply the inverse of the last half of F-function */ CAMELLIA_F_HALF_INV(dst[i+1]); CAMELLIA_F_HALF_INV(dst[i+2]); CAMELLIA_F_HALF_INV(dst[i+3]); CAMELLIA_F_HALF_INV(dst[i+4]); CAMELLIA_F_HALF_INV(dst[i+5]); CAMELLIA_F_HALF_INV(dst[i+6]); } #endif } nettle-4.0/camellia-crypt-internal.c0000644000000000000000000001274215141166423014473 0ustar00/* camellia-crypt-internal.c Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" #define CAMELLIA_FL(x, k) do { \ uint32_t __xl, __xr, __kl, __kr, __t; \ __xl = (x) >> 32; \ __xr = (x) & 0xffffffff; \ __kl = (k) >> 32; \ __kr = (k) & 0xffffffff; \ __t = __xl & __kl; \ __xr ^= ROTL32(1, __t); \ __xl ^= (__xr | __kr); \ (x) = ((uint64_t) __xl << 32) | __xr; \ } while (0) #define CAMELLIA_FLINV(x, k) do { \ uint32_t __xl, __xr, __kl, __kr, __t; \ __xl = (x) >> 32; \ __xr = (x) & 0xffffffff; \ __kl = (k) >> 32; \ __kr = (k) & 0xffffffff; \ __xl ^= (__xr | __kr); \ __t = __xl & __kl; \ __xr ^= ROTL32(1, __t); \ (x) = ((uint64_t) __xl << 32) | __xr; \ } while (0) #if HAVE_NATIVE_64_BIT #define CAMELLIA_ROUNDSM(T, x, k, y) do { \ uint32_t __il, __ir; \ __ir \ = T->sp1110[(x) & 0xff] \ ^ T->sp0222[((x) >> 24) & 0xff] \ ^ T->sp3033[((x) >> 16) & 0xff] \ ^ T->sp4404[((x) >> 8) & 0xff]; \ /* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \ __il \ = T->sp1110[ (x) >> 56] \ ^ T->sp0222[((x) >> 48) & 0xff] \ ^ T->sp3033[((x) >> 40) & 0xff] \ ^ T->sp4404[((x) >> 32) & 0xff]; \ /* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \ __ir ^= __il; \ /* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \ (t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \ == y1,y2,y3,y4 */ \ __il = ROTL32(24, __il); \ /* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \ __il ^= __ir; \ /* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \ (t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \ == y5,y6,y7,y8 */ \ y ^= (k); \ y ^= ((uint64_t) __ir << 32) | __il; \ } while (0) #else /* !HAVE_NATIVE_64_BIT */ #define CAMELLIA_ROUNDSM(T, x, k, y) do { \ uint32_t __il, __ir; \ __ir \ = T->sp1110[(x) & 0xff] \ ^ T->sp0222[((x) >> 24) & 0xff] \ ^ T->sp3033[((x) >> 16) & 0xff] \ ^ T->sp4404[((x) >> 8) & 0xff]; \ /* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \ __il \ = T->sp1110[ (x) >> 56] \ ^ T->sp0222[((x) >> 48) & 0xff] \ ^ T->sp3033[((x) >> 40) & 0xff] \ ^ T->sp4404[((x) >> 32) & 0xff]; \ /* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \ __il ^= (k) >> 32; \ __ir ^= (k) & 0xffffffff; \ __ir ^= __il; \ /* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \ (t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \ == y1,y2,y3,y4 */ \ __il = ROTL32(24, __il); \ /* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \ __il ^= __ir; \ /* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \ (t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \ == y5,y6,y7,y8 */ \ y ^= ((uint64_t) __ir << 32) | __il; \ } while (0) #endif void _nettle_camellia_crypt(unsigned nkeys, const uint64_t *keys, const struct camellia_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAMELLIA_BLOCK_SIZE) { uint64_t i0,i1; unsigned i; i0 = READ_UINT64(src); i1 = READ_UINT64(src + 8); /* pre whitening but absorb kw2*/ i0 ^= keys[0]; /* main iteration */ CAMELLIA_ROUNDSM(T, i0, keys[1], i1); CAMELLIA_ROUNDSM(T, i1, keys[2], i0); CAMELLIA_ROUNDSM(T, i0, keys[3], i1); CAMELLIA_ROUNDSM(T, i1, keys[4], i0); CAMELLIA_ROUNDSM(T, i0, keys[5], i1); CAMELLIA_ROUNDSM(T, i1, keys[6], i0); for (i = 0; i < nkeys - 8; i+= 8) { CAMELLIA_FL(i0, keys[i+7]); CAMELLIA_FLINV(i1, keys[i+8]); CAMELLIA_ROUNDSM(T, i0, keys[i+9], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+10], i0); CAMELLIA_ROUNDSM(T, i0, keys[i+11], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+12], i0); CAMELLIA_ROUNDSM(T, i0, keys[i+13], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+14], i0); } /* post whitening but kw4 */ i1 ^= keys[i+7]; WRITE_UINT64(dst , i1); WRITE_UINT64(dst + 8, i0); } } nettle-4.0/camellia-internal.h0000644000000000000000000000765615141166424013352 0ustar00/* camellia-internal.h The camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #ifndef NETTLE_CAMELLIA_INTERNAL_H_INCLUDED #define NETTLE_CAMELLIA_INTERNAL_H_INCLUDED #include "camellia.h" /* * macros */ /* Destructive rotation of 128 bit values. */ #define ROTL128(bits, xl, xr) do { \ uint64_t __rol128_t = (xl); \ (xl) = ((xl) << (bits)) | ((xr) >> (64 - (bits))); \ (xr) = ((xr) << (bits)) | (__rol128_t >> (64 - (bits))); \ } while (0) struct camellia_table { uint32_t sp1110[256]; uint32_t sp0222[256]; uint32_t sp3033[256]; uint32_t sp4404[256]; }; /* key constants */ #define SIGMA1 0xA09E667F3BCC908BULL #define SIGMA2 0xB67AE8584CAA73B2ULL #define SIGMA3 0xC6EF372FE94F82BEULL #define SIGMA4 0x54FF53A5F1D36F1CULL #define SIGMA5 0x10E527FADE682D1DULL #define SIGMA6 0xB05688C2B3E6C1FDULL #define CAMELLIA_SP1110(INDEX) (_nettle_camellia_table.sp1110[(int)(INDEX)]) #define CAMELLIA_SP0222(INDEX) (_nettle_camellia_table.sp0222[(int)(INDEX)]) #define CAMELLIA_SP3033(INDEX) (_nettle_camellia_table.sp3033[(int)(INDEX)]) #define CAMELLIA_SP4404(INDEX) (_nettle_camellia_table.sp4404[(int)(INDEX)]) #define CAMELLIA_F(x, k, y) do { \ uint32_t __yl, __yr; \ uint64_t __i = (x) ^ (k); \ __yl \ = CAMELLIA_SP1110( __i & 0xff) \ ^ CAMELLIA_SP0222((__i >> 24) & 0xff) \ ^ CAMELLIA_SP3033((__i >> 16) & 0xff) \ ^ CAMELLIA_SP4404((__i >> 8) & 0xff); \ __yr \ = CAMELLIA_SP1110( __i >> 56) \ ^ CAMELLIA_SP0222((__i >> 48) & 0xff) \ ^ CAMELLIA_SP3033((__i >> 40) & 0xff) \ ^ CAMELLIA_SP4404((__i >> 32) & 0xff); \ __yl ^= __yr; \ __yr = ROTL32(24, __yr); \ __yr ^= __yl; \ (y) = ((uint64_t) __yl << 32) | __yr; \ } while (0) #if ! HAVE_NATIVE_64_BIT #define CAMELLIA_F_HALF_INV(x) do { \ uint32_t __t, __w; \ __t = (x) >> 32; \ __w = __t ^(x); \ __w = ROTL32(8, __w); \ (x) = ((uint64_t) __w << 32) | (__t ^ __w); \ } while (0) #endif void _nettle_camellia_crypt(unsigned nkeys, const uint64_t *keys, const struct camellia_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* The initial NKEYS + 2 subkeys in SUBKEY are reduced to the final NKEYS subkeys stored in DST. SUBKEY data is modified in the process. */ void _nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey); void _nettle_camellia_invert_key(unsigned nkeys, uint64_t *dst, const uint64_t *src); extern const struct camellia_table _nettle_camellia_table; #endif /* NETTLE_CAMELLIA_INTERNAL_H_INCLUDED */ nettle-4.0/camellia-invert-key.c0000644000000000000000000000276415141166423013620 0ustar00/* camellia-invert-key.c Inverting a key means reversing order of subkeys. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" #define SWAP(a, b) \ do { uint64_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void _nettle_camellia_invert_key(unsigned nkeys, uint64_t *dst, const uint64_t *src) { unsigned i; if (dst == src) for (i = 0; i < nkeys - 1 - i; i++) SWAP (dst[i], dst[nkeys - 1- i]); else for (i = 0; i < nkeys; i++) dst[i] = src[nkeys - 1 - i]; } nettle-4.0/camellia-table.c0000644000000000000000000003352215141166423012606 0ustar00/* camellia-table.c SBOX tables used by both encryption and key setup. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" const struct camellia_table _nettle_camellia_table = { /* sp1110 */ { 0x70707000,0x82828200,0x2c2c2c00,0xececec00, 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500, 0xe4e4e400,0x85858500,0x57575700,0x35353500, 0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100, 0x23232300,0xefefef00,0x6b6b6b00,0x93939300, 0x45454500,0x19191900,0xa5a5a500,0x21212100, 0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00, 0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00, 0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00, 0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00, 0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00, 0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00, 0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00, 0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00, 0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600, 0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00, 0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600, 0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00, 0x74747400,0x12121200,0x2b2b2b00,0x20202000, 0xf0f0f000,0xb1b1b100,0x84848400,0x99999900, 0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200, 0x34343400,0x7e7e7e00,0x76767600,0x05050500, 0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100, 0xd1d1d100,0x17171700,0x04040400,0xd7d7d700, 0x14141400,0x58585800,0x3a3a3a00,0x61616100, 0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00, 0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600, 0x53535300,0x18181800,0xf2f2f200,0x22222200, 0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200, 0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100, 0x24242400,0x08080800,0xe8e8e800,0xa8a8a800, 0x60606000,0xfcfcfc00,0x69696900,0x50505000, 0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00, 0xa1a1a100,0x89898900,0x62626200,0x97979700, 0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500, 0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200, 0x10101000,0xc4c4c400,0x00000000,0x48484800, 0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00, 0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00, 0x09090900,0x3f3f3f00,0xdddddd00,0x94949400, 0x87878700,0x5c5c5c00,0x83838300,0x02020200, 0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300, 0x73737300,0x67676700,0xf6f6f600,0xf3f3f300, 0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200, 0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600, 0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00, 0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00, 0x13131300,0xbebebe00,0x63636300,0x2e2e2e00, 0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00, 0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00, 0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600, 0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900, 0x78787800,0x98989800,0x06060600,0x6a6a6a00, 0xe7e7e700,0x46464600,0x71717100,0xbababa00, 0xd4d4d400,0x25252500,0xababab00,0x42424200, 0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00, 0x72727200,0x07070700,0xb9b9b900,0x55555500, 0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00, 0x36363600,0x49494900,0x2a2a2a00,0x68686800, 0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400, 0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00, 0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100, 0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400, 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00, }, /* sp0222 */ { 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9, 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb, 0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a, 0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282, 0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727, 0x008a8a8a,0x00323232,0x004b4b4b,0x00424242, 0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c, 0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b, 0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f, 0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d, 0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe, 0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434, 0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595, 0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a, 0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad, 0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a, 0x00171717,0x001a1a1a,0x00353535,0x00cccccc, 0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a, 0x00e8e8e8,0x00242424,0x00565656,0x00404040, 0x00e1e1e1,0x00636363,0x00090909,0x00333333, 0x00bfbfbf,0x00989898,0x00979797,0x00858585, 0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a, 0x00dadada,0x006f6f6f,0x00535353,0x00626262, 0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf, 0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2, 0x00bdbdbd,0x00363636,0x00222222,0x00383838, 0x00646464,0x001e1e1e,0x00393939,0x002c2c2c, 0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444, 0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565, 0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323, 0x00484848,0x00101010,0x00d1d1d1,0x00515151, 0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0, 0x00555555,0x00a1a1a1,0x00414141,0x00fafafa, 0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f, 0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b, 0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5, 0x00202020,0x00898989,0x00000000,0x00909090, 0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7, 0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5, 0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929, 0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404, 0x009b9b9b,0x00949494,0x00212121,0x00666666, 0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7, 0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5, 0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c, 0x00919191,0x006e6e6e,0x008d8d8d,0x00767676, 0x00030303,0x002d2d2d,0x00dedede,0x00969696, 0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c, 0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919, 0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d, 0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d, 0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2, 0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4, 0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575, 0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484, 0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5, 0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa, 0x00f1f1f1,0x00dddddd,0x00595959,0x00141414, 0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0, 0x00787878,0x00707070,0x00e3e3e3,0x00494949, 0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6, 0x00777777,0x00939393,0x00868686,0x00838383, 0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9, 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d, }, /* sp3033 */ { 0x38003838,0x41004141,0x16001616,0x76007676, 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2, 0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a, 0x75007575,0x06000606,0x57005757,0xa000a0a0, 0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9, 0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090, 0xf600f6f6,0x07000707,0xa700a7a7,0x27002727, 0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede, 0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7, 0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767, 0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf, 0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d, 0x53005353,0xf000f0f0,0x9c009c9c,0x65006565, 0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e, 0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b, 0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6, 0xc500c5c5,0x86008686,0x4d004d4d,0x33003333, 0xfd00fdfd,0x66006666,0x58005858,0x96009696, 0x3a003a3a,0x09000909,0x95009595,0x10001010, 0x78007878,0xd800d8d8,0x42004242,0xcc00cccc, 0xef00efef,0x26002626,0xe500e5e5,0x61006161, 0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282, 0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898, 0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb, 0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0, 0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e, 0x19001919,0x87008787,0x4e004e4e,0x0b000b0b, 0xa900a9a9,0x0c000c0c,0x79007979,0x11001111, 0x7f007f7f,0x22002222,0xe700e7e7,0x59005959, 0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8, 0x12001212,0x04000404,0x74007474,0x54005454, 0x30003030,0x7e007e7e,0xb400b4b4,0x28002828, 0x55005555,0x68006868,0x50005050,0xbe00bebe, 0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb, 0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca, 0x70007070,0xff00ffff,0x32003232,0x69006969, 0x08000808,0x62006262,0x00000000,0x24002424, 0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded, 0x45004545,0x81008181,0x73007373,0x6d006d6d, 0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a, 0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101, 0xe600e6e6,0x25002525,0x48004848,0x99009999, 0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9, 0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171, 0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313, 0x64006464,0x9b009b9b,0x63006363,0x9d009d9d, 0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5, 0x89008989,0x5f005f5f,0xb100b1b1,0x17001717, 0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646, 0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747, 0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b, 0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac, 0x3c003c3c,0x4c004c4c,0x03000303,0x35003535, 0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d, 0x6a006a6a,0x92009292,0xd500d5d5,0x21002121, 0x44004444,0x51005151,0xc600c6c6,0x7d007d7d, 0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa, 0x7c007c7c,0x77007777,0x56005656,0x05000505, 0x1b001b1b,0xa400a4a4,0x15001515,0x34003434, 0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252, 0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd, 0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0, 0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a, 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f, }, /* sp4404 */ { 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0, 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae, 0x23230023,0x6b6b006b,0x45450045,0xa5a500a5, 0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092, 0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f, 0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b, 0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d, 0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c, 0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0, 0x74740074,0x2b2b002b,0xf0f000f0,0x84840084, 0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076, 0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004, 0x14140014,0x3a3a003a,0xdede00de,0x11110011, 0x32320032,0x9c9c009c,0x53530053,0xf2f200f2, 0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a, 0x24240024,0xe8e800e8,0x60600060,0x69690069, 0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062, 0x54540054,0x1e1e001e,0xe0e000e0,0x64640064, 0x10100010,0x00000000,0xa3a300a3,0x75750075, 0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd, 0x87870087,0x83830083,0xcdcd00cd,0x90900090, 0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf, 0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6, 0x81810081,0x6f6f006f,0x13130013,0x63630063, 0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc, 0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4, 0x78780078,0x06060006,0xe7e700e7,0x71710071, 0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d, 0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac, 0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1, 0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043, 0x15150015,0xadad00ad,0x77770077,0x80800080, 0x82820082,0xecec00ec,0x27270027,0xe5e500e5, 0x85850085,0x35350035,0x0c0c000c,0x41410041, 0xefef00ef,0x93930093,0x19190019,0x21210021, 0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd, 0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce, 0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a, 0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d, 0x01010001,0xd6d600d6,0x56560056,0x4d4d004d, 0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d, 0x12120012,0x20200020,0xb1b100b1,0x99990099, 0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005, 0xb7b700b7,0x31310031,0x17170017,0xd7d700d7, 0x58580058,0x61610061,0x1b1b001b,0x1c1c001c, 0x0f0f000f,0x16160016,0x18180018,0x22220022, 0x44440044,0xb2b200b2,0xb5b500b5,0x91910091, 0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050, 0xd0d000d0,0x7d7d007d,0x89890089,0x97970097, 0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2, 0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db, 0x03030003,0xdada00da,0x3f3f003f,0x94940094, 0x5c5c005c,0x02020002,0x4a4a004a,0x33330033, 0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2, 0x9b9b009b,0x26260026,0x37370037,0x3b3b003b, 0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e, 0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e, 0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059, 0x98980098,0x6a6a006a,0x46460046,0xbaba00ba, 0x25250025,0x42420042,0xa2a200a2,0xfafa00fa, 0x07070007,0x55550055,0xeeee00ee,0x0a0a000a, 0x49490049,0x68680068,0x38380038,0xa4a400a4, 0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1, 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e, } }; nettle-4.0/camellia.h0000644000000000000000000001023415141166424011522 0ustar00/* camellia.h Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CAMELLIA_H_INCLUDED #define NETTLE_CAMELLIA_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define camellia128_set_encrypt_key nettle_camellia128_set_encrypt_key #define camellia128_set_decrypt_key nettle_camellia_set_decrypt_key #define camellia128_invert_key nettle_camellia128_invert_key #define camellia128_crypt nettle_camellia128_crypt #define camellia192_set_encrypt_key nettle_camellia192_set_encrypt_key #define camellia192_set_decrypt_key nettle_camellia192_set_decrypt_key #define camellia256_set_encrypt_key nettle_camellia256_set_encrypt_key #define camellia256_set_decrypt_key nettle_camellia256_set_decrypt_key #define camellia256_invert_key nettle_camellia256_invert_key #define camellia256_crypt nettle_camellia256_crypt #define CAMELLIA_BLOCK_SIZE 16 /* Valid key sizes are 128, 192 or 256 bits (16, 24 or 32 bytes) */ #define CAMELLIA128_KEY_SIZE 16 #define CAMELLIA192_KEY_SIZE 24 #define CAMELLIA256_KEY_SIZE 32 /* For 128-bit keys, there are 18 regular rounds, pre- and post-whitening, and two FL and FLINV rounds, using a total of 26 subkeys, each of 64 bit. For 192- and 256-bit keys, there are 6 additional regular rounds and one additional FL and FLINV, using a total of 34 subkeys. */ /* The clever combination of subkeys imply one of the pre- and post-whitening keys is folded with the round keys, so that subkey #1 and the last one (#25 or #33) is not used. The result is that we have only 24 or 32 subkeys at the end of key setup. */ #define _CAMELLIA128_NKEYS 24 #define _CAMELLIA256_NKEYS 32 struct camellia128_ctx { uint64_t keys[_CAMELLIA128_NKEYS]; }; void camellia128_set_encrypt_key(struct camellia128_ctx *ctx, const uint8_t *key); void camellia128_set_decrypt_key(struct camellia128_ctx *ctx, const uint8_t *key); void camellia128_invert_key(struct camellia128_ctx *dst, const struct camellia128_ctx *src); void camellia128_crypt(const struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct camellia256_ctx { uint64_t keys[_CAMELLIA256_NKEYS]; }; void camellia256_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia256_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia256_invert_key(struct camellia256_ctx *dst, const struct camellia256_ctx *src); void camellia256_crypt(const struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* camellia192 is the same as camellia256, except for the key schedule. */ /* Slightly ugly with a #define on a struct tag, since it might cause surprises if also used as a name of a variable. */ #define camellia192_ctx camellia256_ctx void camellia192_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia192_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); #define camellia192_invert_key camellia256_invert_key #define camellia192_crypt camellia256_crypt #ifdef __cplusplus } #endif #endif /* NETTLE_CAMELLIA_H_INCLUDED */ nettle-4.0/camellia128-crypt.c0000644000000000000000000000316515141166423013113 0ustar00/* camellia128-crypt.c Crypt function for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "camellia-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_camellia_crypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void camellia128_crypt(const struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); _nettle_camellia_crypt(_CAMELLIA128_NKEYS, ctx->keys, &_nettle_camellia_table, length, dst, src); } nettle-4.0/camellia128-meta.c0000644000000000000000000000274615141166423012704 0ustar00/* camellia128-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia128 = { "camellia128", sizeof(struct camellia128_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, (nettle_set_key_func *) camellia128_set_encrypt_key, (nettle_set_key_func *) camellia128_set_decrypt_key, (nettle_cipher_func *) camellia128_crypt, (nettle_cipher_func *) camellia128_crypt }; nettle-4.0/camellia128-set-decrypt-key.c0000644000000000000000000000276415141166423015007 0ustar00/* camellia128-set-decrypt-key.c Inverse key setup for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" void camellia128_invert_key(struct camellia128_ctx *dst, const struct camellia128_ctx *src) { _nettle_camellia_invert_key (_CAMELLIA128_NKEYS, dst->keys, src->keys); } void camellia128_set_decrypt_key(struct camellia128_ctx *ctx, const uint8_t *key) { camellia128_set_encrypt_key(ctx, key); camellia128_invert_key(ctx, ctx); } nettle-4.0/camellia128-set-encrypt-key.c0000644000000000000000000000624215141166423015014 0ustar00/* camellia128-set-encrypt-key.c Key setup for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" void camellia128_set_encrypt_key (struct camellia128_ctx *ctx, const uint8_t *key) { uint64_t k0, k1; uint64_t subkey[_CAMELLIA128_NKEYS + 2]; uint64_t w; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); /** * generate KL dependent subkeys */ subkey[0] = k0; subkey[1] = k1; ROTL128(15, k0, k1); subkey[4] = k0; subkey[5] = k1; ROTL128(30, k0, k1); subkey[10] = k0; subkey[11] = k1; ROTL128(15, k0, k1); subkey[13] = k1; ROTL128(17, k0, k1); subkey[16] = k0; subkey[17] = k1; ROTL128(17, k0, k1); subkey[18] = k0; subkey[19] = k1; ROTL128(17, k0, k1); subkey[22] = k0; subkey[23] = k1; /* generate KA. D1 is k0, d2 is k1. */ /* FIXME: Make notation match the spec better. */ /* For the 128-bit case, KR = 0, the construction of KA reduces to: D1 = KL >> 64; W = KL & MASK64; D2 = F(D1, Sigma1); W = D2 ^ W D1 = F(W, Sigma2) D2 = D2 ^ F(D1, Sigma3); D1 = D1 ^ F(D2, Sigma4); KA = (D1 << 64) | D2; */ k0 = subkey[0]; w = subkey[1]; CAMELLIA_F(k0, SIGMA1, k1); w ^= k1; CAMELLIA_F(w, SIGMA2, k0); CAMELLIA_F(k0, SIGMA3, w); k1 ^= w; CAMELLIA_F(k1, SIGMA4, w); k0 ^= w; /* generate KA dependent subkeys */ subkey[2] = k0; subkey[3] = k1; ROTL128(15, k0, k1); subkey[6] = k0; subkey[7] = k1; ROTL128(15, k0, k1); subkey[8] = k0; subkey[9] = k1; ROTL128(15, k0, k1); subkey[12] = k0; ROTL128(15, k0, k1); subkey[14] = k0; subkey[15] = k1; ROTL128(34, k0, k1); subkey[20] = k0; subkey[21] = k1; ROTL128(17, k0, k1); subkey[24] = k0; subkey[25] = k1; /* Common final processing */ _nettle_camellia_absorb (_CAMELLIA128_NKEYS, ctx->keys, subkey); } nettle-4.0/camellia192-meta.c0000644000000000000000000000274615141166423012705 0ustar00/* camellia192-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia192 = { "camellia192", sizeof(struct camellia256_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA192_KEY_SIZE, (nettle_set_key_func *) camellia192_set_encrypt_key, (nettle_set_key_func *) camellia192_set_decrypt_key, (nettle_cipher_func *) camellia256_crypt, (nettle_cipher_func *) camellia256_crypt }; nettle-4.0/camellia256-crypt.c0000644000000000000000000000316515141166423013115 0ustar00/* camellia256-crypt.c Crypt function for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "camellia-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_camellia_crypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void camellia256_crypt(const struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); _nettle_camellia_crypt(_CAMELLIA256_NKEYS, ctx->keys, &_nettle_camellia_table, length, dst, src); } nettle-4.0/camellia256-meta.c0000644000000000000000000000274615141166423012706 0ustar00/* camellia256-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia256 = { "camellia256", sizeof(struct camellia256_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, (nettle_set_key_func *) camellia256_set_encrypt_key, (nettle_set_key_func *) camellia256_set_decrypt_key, (nettle_cipher_func *) camellia256_crypt, (nettle_cipher_func *) camellia256_crypt }; nettle-4.0/camellia256-set-decrypt-key.c0000644000000000000000000000323715141166423015005 0ustar00/* camellia256-set-decrypt-key.c Inverse key setup for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" void camellia256_invert_key(struct camellia256_ctx *dst, const struct camellia256_ctx *src) { _nettle_camellia_invert_key (_CAMELLIA256_NKEYS, dst->keys, src->keys); } void camellia256_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { camellia256_set_encrypt_key(ctx, key); camellia256_invert_key(ctx, ctx); } void camellia192_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { camellia192_set_encrypt_key(ctx, key); camellia256_invert_key(ctx, ctx); } nettle-4.0/camellia256-set-encrypt-key.c0000644000000000000000000001013015141166423015005 0ustar00/* camellia256-set-encrypt-key.c Key setup for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" static void _camellia256_set_encrypt_key (struct camellia256_ctx *ctx, uint64_t k0, uint64_t k1, uint64_t k2, uint64_t k3) { uint64_t subkey[_CAMELLIA256_NKEYS + 2]; uint64_t w; /* generate KL dependent subkeys */ subkey[0] = k0; subkey[1] = k1; ROTL128(45, k0, k1); subkey[12] = k0; subkey[13] = k1; ROTL128(15, k0, k1); subkey[16] = k0; subkey[17] = k1; ROTL128(17, k0, k1); subkey[22] = k0; subkey[23] = k1; ROTL128(34, k0, k1); subkey[30] = k0; subkey[31] = k1; /* generate KR dependent subkeys */ ROTL128(15, k2, k3); subkey[4] = k2; subkey[5] = k3; ROTL128(15, k2, k3); subkey[8] = k2; subkey[9] = k3; ROTL128(30, k2, k3); subkey[18] = k2; subkey[19] = k3; ROTL128(34, k2, k3); subkey[26] = k2; subkey[27] = k3; ROTL128(34, k2, k3); /* generate KA */ /* The construction of KA is done as D1 = (KL ^ KR) >> 64 D2 = (KL ^ KR) & MASK64 W = F(D1, SIGMA1) D2 = D2 ^ W D1 = F(D2, SIGMA2) ^ (KR >> 64) D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64) D1 = D1 ^ F(W, SIGMA2) D2 = D2 ^ F(D1, SIGMA3) D1 = D1 ^ F(D2, SIGMA4) */ k0 = subkey[0] ^ k2; k1 = subkey[1] ^ k3; CAMELLIA_F(k0, SIGMA1, w); k1 ^= w; CAMELLIA_F(k1, SIGMA2, k0); k0 ^= k2; CAMELLIA_F(k0, SIGMA3, k1); k1 ^= w ^ k3; CAMELLIA_F(k1, SIGMA4, w); k0 ^= w; /* generate KB */ k2 ^= k0; k3 ^= k1; CAMELLIA_F(k2, SIGMA5, w); k3 ^= w; CAMELLIA_F(k3, SIGMA6, w); k2 ^= w; /* generate KA dependent subkeys */ ROTL128(15, k0, k1); subkey[6] = k0; subkey[7] = k1; ROTL128(30, k0, k1); subkey[14] = k0; subkey[15] = k1; ROTL128(32, k0, k1); subkey[24] = k0; subkey[25] = k1; ROTL128(17, k0, k1); subkey[28] = k0; subkey[29] = k1; /* generate KB dependent subkeys */ subkey[2] = k2; subkey[3] = k3; ROTL128(30, k2, k3); subkey[10] = k2; subkey[11] = k3; ROTL128(30, k2, k3); subkey[20] = k2; subkey[21] = k3; ROTL128(51, k2, k3); subkey[32] = k2; subkey[33] = k3; /* Common final processing */ _nettle_camellia_absorb (_CAMELLIA256_NKEYS, ctx->keys, subkey); } void camellia256_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { uint64_t k0, k1, k2, k3; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); k2 = READ_UINT64(key + 16); k3 = READ_UINT64(key + 24); _camellia256_set_encrypt_key (ctx, k0, k1, k2, k3); } void camellia192_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { uint64_t k0, k1, k2; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); k2 = READ_UINT64(key + 16); _camellia256_set_encrypt_key (ctx, k0, k1, k2, ~k2); } nettle-4.0/cast128-meta.c0000644000000000000000000000262315141166423012061 0ustar00/* cast128-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "cast128.h" const struct nettle_cipher nettle_cast128 = { "cast128", sizeof(struct cast128_ctx), CAST128_BLOCK_SIZE, CAST128_KEY_SIZE, (nettle_set_key_func *) cast128_set_key, (nettle_set_key_func *) cast128_set_key, (nettle_cipher_func *) cast128_encrypt, (nettle_cipher_func *) cast128_decrypt }; nettle-4.0/cast128.c0000644000000000000000000001761015141166423011137 0ustar00/* cast128.c The CAST-128 block cipher, described in RFC 2144. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: * * CAST-128 in C * Written by Steve Reid * 100% Public Domain - no warranty * Released 1997.10.11 */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cast128.h" #include "cast128_sboxes.h" #include "macros.h" #define CAST_SMALL_KEY 10 #define S1 cast_sbox1 #define S2 cast_sbox2 #define S3 cast_sbox3 #define S4 cast_sbox4 #define S5 cast_sbox5 #define S6 cast_sbox6 #define S7 cast_sbox7 #define S8 cast_sbox8 /* Macros to access 8-bit bytes out of a 32-bit word */ #define B0(x) ( (uint8_t) (x>>24) ) #define B1(x) ( (uint8_t) ((x>>16)&0xff) ) #define B2(x) ( (uint8_t) ((x>>8)&0xff) ) #define B3(x) ( (uint8_t) ((x)&0xff) ) /* NOTE: Depends on ROTL32 supporting a zero shift count. */ /* CAST-128 uses three different round functions */ #define F1(l, r, i) do { \ t = ctx->Km[i] + r; \ t = ROTL32(ctx->Kr[i], t); \ l ^= ((S1[B0(t)] ^ S2[B1(t)]) - S3[B2(t)]) + S4[B3(t)]; \ } while (0) #define F2(l, r, i) do { \ t = ctx->Km[i] ^ r; \ t = ROTL32( ctx->Kr[i], t); \ l ^= ((S1[B0(t)] - S2[B1(t)]) + S3[B2(t)]) ^ S4[B3(t)]; \ } while (0) #define F3(l, r, i) do { \ t = ctx->Km[i] - r; \ t = ROTL32(ctx->Kr[i], t); \ l ^= ((S1[B0(t)] + S2[B1(t)]) ^ S3[B2(t)]) - S4[B3(t)]; \ } while (0) /***** Encryption Function *****/ void cast128_encrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) { uint32_t t, l, r; /* Get inblock into l,r */ l = READ_UINT32(src); r = READ_UINT32(src+4); /* Do the work */ F1(l, r, 0); F2(r, l, 1); F3(l, r, 2); F1(r, l, 3); F2(l, r, 4); F3(r, l, 5); F1(l, r, 6); F2(r, l, 7); F3(l, r, 8); F1(r, l, 9); F2(l, r, 10); F3(r, l, 11); /* Only do full 16 rounds if key length > 80 bits */ if (ctx->rounds & 16) { F1(l, r, 12); F2(r, l, 13); F3(l, r, 14); F1(r, l, 15); } /* Put l,r into outblock */ WRITE_UINT32(dst, r); WRITE_UINT32(dst + 4, l); } } /***** Decryption Function *****/ void cast128_decrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) { uint32_t t, l, r; /* Get inblock into l,r */ r = READ_UINT32(src); l = READ_UINT32(src+4); /* Do the work */ /* Only do full 16 rounds if key length > 80 bits */ if (ctx->rounds & 16) { F1(r, l, 15); F3(l, r, 14); F2(r, l, 13); F1(l, r, 12); } F3(r, l, 11); F2(l, r, 10); F1(r, l, 9); F3(l, r, 8); F2(r, l, 7); F1(l, r, 6); F3(r, l, 5); F2(l, r, 4); F1(r, l, 3); F3(l, r, 2); F2(r, l, 1); F1(l, r, 0); /* Put l,r into outblock */ WRITE_UINT32(dst, l); WRITE_UINT32(dst + 4, r); } } /***** Key Schedule *****/ #define SET_KM(i, k) ctx->Km[i] = (k) #define SET_KR(i, k) ctx->Kr[i] = (k) & 31 #define EXPAND(set, full) do { \ z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ \ set(0, S5[B0(z2)] ^ S6[B1(z2)] ^ S7[B3(z1)] ^ S8[B2(z1)] ^ S5[B2(z0)]); \ set(1, S5[B2(z2)] ^ S6[B3(z2)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S6[B2(z1)]); \ set(2, S5[B0(z3)] ^ S6[B1(z3)] ^ S7[B3(z0)] ^ S8[B2(z0)] ^ S7[B1(z2)]); \ set(3, S5[B2(z3)] ^ S6[B3(z3)] ^ S7[B1(z0)] ^ S8[B0(z0)] ^ S8[B0(z3)]); \ \ x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ \ set(4, S5[B3(x0)] ^ S6[B2(x0)] ^ S7[B0(x3)] ^ S8[B1(x3)] ^ S5[B0(x2)]); \ set(5, S5[B1(x0)] ^ S6[B0(x0)] ^ S7[B2(x3)] ^ S8[B3(x3)] ^ S6[B1(x3)]); \ set(6, S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B0(x2)] ^ S8[B1(x2)] ^ S7[B3(x0)]); \ set(7, S5[B1(x1)] ^ S6[B0(x1)] ^ S7[B2(x2)] ^ S8[B3(x2)] ^ S8[B3(x1)]); \ \ z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ \ set(8, S5[B3(z0)] ^ S6[B2(z0)] ^ S7[B0(z3)] ^ S8[B1(z3)] ^ S5[B1(z2)]); \ set(9, S5[B1(z0)] ^ S6[B0(z0)] ^ S7[B2(z3)] ^ S8[B3(z3)] ^ S6[B0(z3)]); \ set(10, S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B0(z2)] ^ S8[B1(z2)] ^ S7[B2(z0)]); \ set(11, S5[B1(z1)] ^ S6[B0(z1)] ^ S7[B2(z2)] ^ S8[B3(z2)] ^ S8[B2(z1)]); \ \ x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ if (full) \ { \ set(12, S5[B0(x2)] ^ S6[B1(x2)] ^ S7[B3(x1)] ^ S8[B2(x1)] ^ S5[B3(x0)]); \ set(13, S5[B2(x2)] ^ S6[B3(x2)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S6[B3(x1)]); \ set(14, S5[B0(x3)] ^ S6[B1(x3)] ^ S7[B3(x0)] ^ S8[B2(x0)] ^ S7[B0(x2)]); \ set(15, S5[B2(x3)] ^ S6[B3(x3)] ^ S7[B1(x0)] ^ S8[B0(x0)] ^ S8[B1(x3)]); \ } \ } while (0) void cast5_set_key(struct cast128_ctx *ctx, size_t length, const uint8_t *key) { uint32_t x0, x1, x2, x3, z0, z1, z2, z3; uint32_t w; int full; assert (length >= CAST5_MIN_KEY_SIZE); assert (length <= CAST5_MAX_KEY_SIZE); full = (length > CAST_SMALL_KEY); x0 = READ_UINT32 (key); /* Read final word, possibly zero-padded. */ switch (length & 3) { case 0: w = READ_UINT32 (key + length - 4); break; case 3: w = READ_UINT24 (key + length - 3) << 8; break; case 2: w = READ_UINT16 (key + length - 2) << 16; break; case 1: w = (uint32_t) key[length - 1] << 24; break; } if (length <= 8) { x1 = w; x2 = x3 = 0; } else { x1 = READ_UINT32 (key + 4); if (length <= 12) { x2 = w; x3 = 0; } else { x2 = READ_UINT32 (key + 8); x3 = w; } } EXPAND(SET_KM, full); EXPAND(SET_KR, full); ctx->rounds = full ? 16 : 12; } void cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key) { cast5_set_key (ctx, CAST128_KEY_SIZE, key); } nettle-4.0/cast128.h0000644000000000000000000000425215141166424011143 0ustar00/* cast128.h The CAST-128 block cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CAST128_H_INCLUDED #define NETTLE_CAST128_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cast5_set_key nettle_cast5_set_key #define cast128_set_key nettle_cast128_set_key #define cast128_encrypt nettle_cast128_encrypt #define cast128_decrypt nettle_cast128_decrypt #define CAST128_BLOCK_SIZE 8 /* Variable key size between 40 and 128. */ #define CAST5_MIN_KEY_SIZE 5 #define CAST5_MAX_KEY_SIZE 16 #define CAST128_KEY_SIZE 16 struct cast128_ctx { unsigned rounds; /* Number of rounds to use, 12 or 16 */ /* Expanded key, rotations (5 bits only) and 32-bit masks. */ unsigned char Kr[16]; uint32_t Km[16]; }; /* Using variable key size. */ void cast5_set_key(struct cast128_ctx *ctx, size_t length, const uint8_t *key); void cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key); void cast128_encrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void cast128_decrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CAST128_H_INCLUDED */ nettle-4.0/cast128_sboxes.h0000644000000000000000000006275415141166424012541 0ustar00/* * CAST-128 in C * Written by Steve Reid * 100% Public Domain - no warranty * Released 1997.10.11 */ static const uint32_t cast_sbox1[256] = { 0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A, 0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949, 0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675, 0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E, 0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2, 0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D, 0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F, 0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0, 0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE, 0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7, 0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F, 0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935, 0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D, 0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D, 0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165, 0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50, 0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272, 0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE, 0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D, 0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3, 0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A, 0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167, 0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F, 0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291, 0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9, 0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779, 0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6, 0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2, 0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9, 0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511, 0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E, 0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D, 0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E, 0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5, 0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82, 0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324, 0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC, 0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C, 0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F, 0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC, 0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491, 0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D, 0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE, 0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96, 0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A, 0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A, 0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79, 0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D, 0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779, 0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD, 0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755, 0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6, 0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB, 0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9, 0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0, 0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872, 0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79, 0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C, 0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298, 0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E, 0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571, 0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9, 0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D, 0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF }; static const uint32_t cast_sbox2[256] = { 0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380, 0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651, 0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA, 0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3, 0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909, 0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB, 0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B, 0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806, 0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4, 0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B, 0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F, 0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359, 0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21, 0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B, 0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D, 0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C, 0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F, 0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34, 0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D, 0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB, 0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4, 0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD, 0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801, 0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860, 0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755, 0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B, 0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709, 0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304, 0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B, 0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B, 0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C, 0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF, 0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9, 0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C, 0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3, 0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13, 0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9, 0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F, 0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB, 0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6, 0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4, 0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6, 0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43, 0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58, 0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8, 0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906, 0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171, 0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D, 0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89, 0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6, 0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B, 0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4, 0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB, 0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6, 0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E, 0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F, 0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA, 0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249, 0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA, 0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA, 0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD, 0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9, 0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF, 0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1 }; static const uint32_t cast_sbox3[256] = { 0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907, 0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90, 0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE, 0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5, 0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E, 0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E, 0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC, 0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240, 0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E, 0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5, 0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F, 0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B, 0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99, 0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71, 0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F, 0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04, 0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380, 0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82, 0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8, 0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15, 0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504, 0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2, 0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6, 0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176, 0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E, 0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148, 0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D, 0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC, 0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1, 0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341, 0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C, 0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E, 0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15, 0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51, 0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4, 0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F, 0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B, 0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A, 0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392, 0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B, 0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231, 0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B, 0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889, 0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5, 0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67, 0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45, 0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49, 0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536, 0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D, 0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC, 0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D, 0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0, 0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E, 0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69, 0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767, 0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2, 0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE, 0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49, 0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24, 0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D, 0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0, 0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A, 0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5, 0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783 }; static const uint32_t cast_sbox4[256] = { 0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298, 0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1, 0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120, 0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF, 0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220, 0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15, 0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE, 0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121, 0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701, 0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25, 0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B, 0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5, 0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93, 0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB, 0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746, 0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5, 0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9, 0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D, 0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB, 0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6, 0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C, 0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23, 0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7, 0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003, 0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340, 0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6, 0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327, 0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119, 0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC, 0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24, 0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205, 0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A, 0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031, 0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79, 0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5, 0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF, 0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C, 0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26, 0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69, 0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB, 0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9, 0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7, 0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF, 0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417, 0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3, 0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2, 0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2, 0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2, 0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF, 0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A, 0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091, 0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919, 0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF, 0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF, 0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF, 0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876, 0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367, 0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB, 0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C, 0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04, 0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43, 0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282, 0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E, 0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2 }; static const uint32_t cast_sbox5[256] = { 0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911, 0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F, 0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00, 0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A, 0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180, 0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF, 0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2, 0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02, 0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725, 0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A, 0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B, 0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7, 0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571, 0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9, 0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC, 0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981, 0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA, 0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774, 0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263, 0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655, 0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468, 0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2, 0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B, 0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910, 0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284, 0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1, 0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4, 0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA, 0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7, 0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049, 0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE, 0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F, 0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6, 0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA, 0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4, 0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE, 0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561, 0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3, 0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6, 0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840, 0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406, 0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4, 0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472, 0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2, 0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487, 0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7, 0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288, 0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5, 0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2, 0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E, 0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78, 0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E, 0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76, 0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801, 0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0, 0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD, 0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58, 0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0, 0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2, 0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20, 0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE, 0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8, 0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55, 0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4 }; static const uint32_t cast_sbox6[256] = { 0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C, 0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC, 0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9, 0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138, 0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E, 0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367, 0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866, 0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98, 0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C, 0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072, 0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD, 0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3, 0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53, 0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD, 0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D, 0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8, 0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF, 0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9, 0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807, 0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54, 0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A, 0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387, 0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563, 0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC, 0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0, 0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF, 0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE, 0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF, 0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0, 0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F, 0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2, 0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289, 0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853, 0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950, 0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA, 0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F, 0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9, 0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B, 0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751, 0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE, 0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358, 0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13, 0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397, 0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976, 0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459, 0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0, 0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4, 0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891, 0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F, 0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA, 0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB, 0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC, 0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2, 0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084, 0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB, 0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25, 0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B, 0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121, 0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B, 0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5, 0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855, 0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD, 0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454, 0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F }; static const uint32_t cast_sbox7[256] = { 0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693, 0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F, 0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82, 0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE, 0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD, 0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43, 0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F, 0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19, 0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9, 0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2, 0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E, 0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516, 0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83, 0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88, 0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E, 0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816, 0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A, 0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756, 0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F, 0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A, 0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B, 0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264, 0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78, 0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688, 0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D, 0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28, 0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802, 0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3, 0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9, 0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7, 0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302, 0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06, 0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858, 0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033, 0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A, 0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A, 0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4, 0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566, 0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF, 0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509, 0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9, 0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962, 0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C, 0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E, 0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07, 0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C, 0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939, 0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C, 0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E, 0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285, 0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378, 0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301, 0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD, 0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE, 0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567, 0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767, 0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2, 0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647, 0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF, 0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914, 0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2, 0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C, 0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA, 0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3 }; static const uint32_t cast_sbox8[256] = { 0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095, 0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5, 0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174, 0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC, 0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940, 0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD, 0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42, 0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D, 0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164, 0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2, 0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4, 0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862, 0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0, 0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC, 0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6, 0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C, 0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491, 0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E, 0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B, 0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039, 0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8, 0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8, 0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006, 0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42, 0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564, 0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5, 0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB, 0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472, 0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC, 0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225, 0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8, 0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C, 0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441, 0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB, 0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F, 0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054, 0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504, 0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70, 0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C, 0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC, 0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6, 0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C, 0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD, 0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3, 0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4, 0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4, 0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC, 0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101, 0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA, 0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F, 0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF, 0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E, 0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603, 0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A, 0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37, 0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C, 0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819, 0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384, 0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D, 0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C, 0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347, 0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82, 0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D, 0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E }; nettle-4.0/cbc-aes128-encrypt.c0000644000000000000000000000307015141166423013157 0ustar00/* cbc-aes128-encrypt.c Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "cbc.h" /* For fat builds */ #if HAVE_NATIVE_cbc_aes128_encrypt void _nettle_cbc_aes128_encrypt_c(const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_cbc_aes128_encrypt _nettle_cbc_aes128_encrypt_c #endif void cbc_aes128_encrypt(const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { cbc_encrypt(ctx, (nettle_cipher_func *) aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src); } nettle-4.0/cbc-aes192-encrypt.c0000644000000000000000000000307115141166423013161 0ustar00/* cbc-aes192-encrypt.c Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "cbc.h" /* For fat builds */ #if HAVE_NATIVE_cbc_aes192_encrypt void _nettle_cbc_aes192_encrypt_c(const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_cbc_aes192_encrypt _nettle_cbc_aes192_encrypt_c #endif void cbc_aes192_encrypt(const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { cbc_encrypt(ctx, (nettle_cipher_func *) aes192_encrypt, AES_BLOCK_SIZE, iv, length, dst, src); } nettle-4.0/cbc-aes256-encrypt.c0000644000000000000000000000307015141166423013161 0ustar00/* cbc-aes256-encrypt.c Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "cbc.h" /* For fat builds */ #if HAVE_NATIVE_cbc_aes256_encrypt void _nettle_cbc_aes256_encrypt_c(const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_cbc_aes256_encrypt _nettle_cbc_aes256_encrypt_c #endif void cbc_aes256_encrypt(const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { cbc_encrypt(ctx, (nettle_cipher_func *) aes256_encrypt, AES_BLOCK_SIZE, iv, length, dst, src); } nettle-4.0/cbc.c0000644000000000000000000001056015141166423010476 0ustar00/* cbc.c Cipher block chaining mode. Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cbc.h" #include "memxor.h" #include "nettle-internal.h" void cbc_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); for ( ; length; length -= block_size, src += block_size, dst += block_size) { memxor(iv, src, block_size); f(ctx, block_size, dst, iv); memcpy(iv, dst, block_size); } } /* Don't allocate any more space than this on the stack */ #define CBC_BUFFER_LIMIT 512 void cbc_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); if (!length) return; if (src != dst) { /* Decrypt in ECB mode */ f(ctx, length, dst, src); /* XOR the cryptotext, shifted one block */ memxor(dst, iv, block_size); memxor(dst + block_size, src, length - block_size); memcpy(iv, src + length - block_size, block_size); } else { /* For in-place CBC, we decrypt into a temporary buffer of size * at most CBC_BUFFER_LIMIT, and process that amount of data at * a time. */ /* NOTE: We assume that block_size <= CBC_BUFFER_LIMIT, and we depend on memxor3 working from the end of the area, allowing certain overlapping operands. */ TMP_DECL(buffer, uint8_t, CBC_BUFFER_LIMIT); TMP_DECL(initial_iv, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); size_t buffer_size; if (length <= CBC_BUFFER_LIMIT) buffer_size = length; else buffer_size = CBC_BUFFER_LIMIT - (CBC_BUFFER_LIMIT % block_size); TMP_ALLOC(buffer, buffer_size); TMP_ALLOC(initial_iv, block_size); for ( ; length > buffer_size; length -= buffer_size, dst += buffer_size) { f(ctx, buffer_size, buffer, dst); memcpy(initial_iv, iv, block_size); memcpy(iv, dst + buffer_size - block_size, block_size); memxor3(dst + block_size, buffer + block_size, dst, buffer_size - block_size); memxor3(dst, buffer, initial_iv, block_size); } f(ctx, length, buffer, dst); memcpy(initial_iv, iv, block_size); /* Copies last block */ memcpy(iv, dst + length - block_size, block_size); /* Writes all but first block, reads all but last block. */ memxor3(dst + block_size, buffer + block_size, dst, length - block_size); /* Writes first block. */ memxor3(dst, buffer, initial_iv, block_size); } } #if 0 #include "twofish.h" #include "aes.h" static void foo(void) { struct CBC_CTX(struct twofish_ctx, TWOFISH_BLOCK_SIZE) ctx; uint8_t src[TWOFISH_BLOCK_SIZE]; uint8_t dst[TWOFISH_BLOCK_SIZE]; CBC_ENCRYPT(&ctx, twofish_encrypt, TWOFISH_BLOCK_SIZE, dst, src); /* Should result in a warning */ CBC_ENCRYPT(&ctx, aes_encrypt, TWOFISH_BLOCK_SIZE, dst, src); } static void foo2(void) { struct twofish_ctx ctx; uint8_t iv[TWOFISH_BLOCK_SIZE]; uint8_t src[TWOFISH_BLOCK_SIZE]; uint8_t dst[TWOFISH_BLOCK_SIZE]; CBC_ENCRYPT2(&ctx, twofish_encrypt, TWOFISH_BLOCK_SIZE, iv, TWOFISH_BLOCK_SIZE, dst, src); /* Should result in a warning */ CBC_ENCRYPT2(&ctx, aes_encrypt, TWOFISH_BLOCK_SIZE, iv, TWOFISH_BLOCK_SIZE, dst, src); } #endif nettle-4.0/cbc.h0000644000000000000000000000562515141166424010512 0ustar00/* cbc.h Cipher block chaining mode. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CBC_H_INCLUDED #define NETTLE_CBC_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cbc_encrypt nettle_cbc_encrypt #define cbc_decrypt nettle_cbc_decrypt #define cbc_aes128_encrypt nettle_cbc_aes128_encrypt #define cbc_aes192_encrypt nettle_cbc_aes192_encrypt #define cbc_aes256_encrypt nettle_cbc_aes256_encrypt void cbc_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cbc_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #define CBC_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CBC_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CBC_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cbc_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CBC_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cbc_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) void cbc_aes128_encrypt(const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cbc_aes192_encrypt(const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cbc_aes256_encrypt(const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CBC_H_INCLUDED */ nettle-4.0/ccm-aes128.c0000644000000000000000000000615315141166423011515 0ustar00/* ccm-aes128.c Counter with CBC-MAC mode using AES128 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key(&ctx->cipher, key); } void ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes128_update(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, data); } void ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ccm_aes128_digest(struct ccm_aes128_ctx *ctx, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, digest); } void ccm_aes128_encrypt_message(const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(ctx, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes128_decrypt_message(const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(ctx, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-4.0/ccm-aes192.c0000644000000000000000000000614515141166423011517 0ustar00/* ccm-aes192.c Counter with CBC-MAC mode using AES192 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key(&ctx->cipher, key); } void ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes192_update(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, data); } void ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, dst, src); } void ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, dst, src); } void ccm_aes192_digest(struct ccm_aes192_ctx *ctx, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, digest); } void ccm_aes192_encrypt_message(const struct aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(ctx, (nettle_cipher_func *) aes192_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes192_decrypt_message(const struct aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(ctx, (nettle_cipher_func *) aes192_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-4.0/ccm-aes256.c0000644000000000000000000000615415141166423011520 0ustar00/* ccm-aes256.c Counter with CBC-MAC mode using AES256 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key(&ctx->cipher, key); } void ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes256_update(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, data); } void ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, dst, src); } void ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, dst, src); } void ccm_aes256_digest(struct ccm_aes256_ctx *ctx, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, digest); } void ccm_aes256_encrypt_message(const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(ctx, (nettle_cipher_func *) aes256_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes256_decrypt_message(const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(ctx, (nettle_cipher_func *) aes256_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-4.0/ccm.c0000644000000000000000000002134215141166423010511 0ustar00/* ccm.c Counter with CBC-MAC mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "ccm.h" #include "ctr.h" #include "memops.h" #include "nettle-internal.h" #include "macros.h" /* * The format of the CCM IV (for both CTR and CBC-MAC) is: flags | nonce | count * flags = 1 octet * nonce = N octets * count >= 1 octet * * such that: * sizeof(flags) + sizeof(nonce) + sizeof(count) == 1 block */ #define CCM_FLAG_L 0x07 #define CCM_FLAG_M 0x38 #define CCM_FLAG_ADATA 0x40 #define CCM_FLAG_RESERVED 0x80 #define CCM_FLAG_GET_L(_x_) (((_x_) & CCM_FLAG_L) + 1) #define CCM_FLAG_SET_L(_x_) (((_x_) - 1) & CCM_FLAG_L) #define CCM_FLAG_SET_M(_x_) ((((_x_) - 2) << 2) & CCM_FLAG_M) #define CCM_OFFSET_FLAGS 0 #define CCM_OFFSET_NONCE 1 #define CCM_L_SIZE(_nlen_) (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - (_nlen_)) /* * The data input to the CBC-MAC: L(a) | adata | padding | plaintext | padding * * blength is the length of data that has been added to the CBC-MAC modulus the * cipher block size. If the value of blength is non-zero then some data has * been XOR'ed into the CBC-MAC, and we will need to pad the block (XOR with 0), * and iterate the cipher one more time. * * The end of adata is detected implicitly by the first call to the encrypt() * and decrypt() functions, and will call ccm_pad() to insert the padding if * necessary. Because of the underlying CTR encryption, the encrypt() and * decrypt() functions must be called with a multiple of the block size and * therefore blength should be zero on all but the first call. * * Likewise, the end of the plaintext is implicitly determined by the first call * to the digest() function, which will pad if the final CTR encryption was not * a multiple of the block size. */ static void ccm_pad(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f) { if (ctx->blength) f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); ctx->blength = 0; } static void ccm_build_iv(uint8_t *iv, size_t noncelen, const uint8_t *nonce, uint8_t flags, size_t count) { unsigned int i; /* Sanity check the nonce length. */ assert(noncelen >= CCM_MIN_NONCE_SIZE); assert(noncelen <= CCM_MAX_NONCE_SIZE); /* Generate the IV */ iv[CCM_OFFSET_FLAGS] = flags | CCM_FLAG_SET_L(CCM_L_SIZE(noncelen)); memcpy(&iv[CCM_OFFSET_NONCE], nonce, noncelen); for (i=(CCM_BLOCK_SIZE - 1); i >= (CCM_OFFSET_NONCE + noncelen); i--) { iv[i] = count & 0xff; count >>= 8; } /* Ensure the count was not truncated. */ assert(!count); } void ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { assert (taglen >= 4 && taglen <= 16 && !(taglen & 1)); ctx->tag_length = taglen; /* Generate the IV for the CTR and CBC-MAC */ ctx->blength = 0; ccm_build_iv(ctx->tag.b, length, nonce, CCM_FLAG_SET_M(taglen), msglen); ccm_build_iv(ctx->ctr.b, length, nonce, 0, 1); /* If no auth data, encrypt B0 and skip L(a) */ if (!authlen) { f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); return; } /* Encrypt B0 (with the adata flag), and input L(a) to the CBC-MAC. */ ctx->tag.b[CCM_OFFSET_FLAGS] |= CCM_FLAG_ADATA; f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); #if SIZEOF_SIZE_T > 4 if (authlen >= (0x01ULL << 32)) { /* Encode L(a) as 0xff || 0xff || <64-bit integer> */ ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 56) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 48) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 40) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 32) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; } else #endif if (authlen >= ((0x1ULL << 16) - (0x1ULL << 8))) { /* Encode L(a) as 0xff || 0xfe || <32-bit integer> */ ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= 0xfe; ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; } ctx->tag.b[ctx->blength++] ^= (authlen >> 8) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 0) & 0xff; } void ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { const uint8_t *end = data + length; /* If we don't have enough to fill a block, save the data for later. */ if ((ctx->blength + length) < CCM_BLOCK_SIZE) { memxor(&ctx->tag.b[ctx->blength], data, length); ctx->blength += length; return; } /* Process a partially filled block. */ if (ctx->blength) { memxor(&ctx->tag.b[ctx->blength], data, CCM_BLOCK_SIZE - ctx->blength); data += (CCM_BLOCK_SIZE - ctx->blength); f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); } /* Process full blocks. */ while ((data + CCM_BLOCK_SIZE) < end) { memxor(ctx->tag.b, data, CCM_BLOCK_SIZE); f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); data += CCM_BLOCK_SIZE; } /* while */ /* Save leftovers for later. */ ctx->blength = (end - data); if (ctx->blength) memxor(&ctx->tag.b, data, ctx->blength); } /* * Because of the underlying CTR mode encryption, when called multiple times * the data in intermediate calls must be provided in multiples of the block * size. */ void ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ccm_pad(ctx, cipher, f); ccm_update(ctx, cipher, f, length, src); ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); } /* * Because of the underlying CTR mode decryption, when called multiple times * the data in intermediate calls must be provided in multiples of the block * size. */ void ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); ccm_pad(ctx, cipher, f); ccm_update(ctx, cipher, f, length, dst); } void ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, uint8_t *digest) { int i = CCM_BLOCK_SIZE - CCM_FLAG_GET_L(ctx->ctr.b[CCM_OFFSET_FLAGS]); while (i < CCM_BLOCK_SIZE) ctx->ctr.b[i++] = 0; ccm_pad(ctx, cipher, f); assert (ctx->tag_length <= CCM_BLOCK_SIZE); ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, ctx->tag_length, digest, ctx->tag.b); } void ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { struct ccm_ctx ctx; uint8_t *tag = dst + (clength-tlength); assert(clength >= tlength); ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength); ccm_update(&ctx, cipher, f, alength, adata); ccm_encrypt(&ctx, cipher, f, clength-tlength, dst, src); ccm_digest(&ctx, cipher, f, tag); } int ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { struct ccm_ctx ctx; uint8_t tag[CCM_BLOCK_SIZE]; ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, mlength, tlength); ccm_update(&ctx, cipher, f, alength, adata); ccm_decrypt(&ctx, cipher, f, mlength, dst, src); ccm_digest(&ctx, cipher, f, tag); return memeql_sec(tag, src + mlength, tlength); } nettle-4.0/ccm.h0000644000000000000000000002273615141166424010527 0ustar00/* ccm.h Counter with CBC-MAC mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby Contributed to GNU Nettle by Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* NIST SP800-38C doesn't specify the particular formatting and * counter generation algorithm for CCM, but it does include an * example algorithm. This example has become the de-factor standard, * and has been adopted by both the IETF and IEEE across a wide * variety of protocols. */ #ifndef NETTLE_CCM_H_INCLUDED #define NETTLE_CCM_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ccm_set_nonce nettle_ccm_set_nonce #define ccm_update nettle_ccm_update #define ccm_encrypt nettle_ccm_encrypt #define ccm_decrypt nettle_ccm_decrypt #define ccm_digest nettle_ccm_digest #define ccm_encrypt_message nettle_ccm_encrypt_message #define ccm_decrypt_message nettle_ccm_decrypt_message #define ccm_aes128_set_key nettle_ccm_aes128_set_key #define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce #define ccm_aes128_update nettle_ccm_aes128_update #define ccm_aes128_encrypt nettle_ccm_aes128_encrypt #define ccm_aes128_decrypt nettle_ccm_aes128_decrypt #define ccm_aes128_digest nettle_ccm_aes128_digest #define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message #define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message #define ccm_aes192_set_key nettle_ccm_aes192_set_key #define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce #define ccm_aes192_update nettle_ccm_aes192_update #define ccm_aes192_encrypt nettle_ccm_aes192_encrypt #define ccm_aes192_decrypt nettle_ccm_aes192_decrypt #define ccm_aes192_digest nettle_ccm_aes192_digest #define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message #define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message #define ccm_aes256_set_key nettle_ccm_aes256_set_key #define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce #define ccm_aes256_update nettle_ccm_aes256_update #define ccm_aes256_encrypt nettle_ccm_aes256_encrypt #define ccm_aes256_decrypt nettle_ccm_aes256_decrypt #define ccm_aes256_digest nettle_ccm_aes256_digest #define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message #define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message /* For CCM, the block size of the block cipher shall be 128 bits. */ #define CCM_BLOCK_SIZE 16 #define CCM_DIGEST_SIZE 16 /* Digest size must be even, valid values 4, 6, 8, 10, 12, 14, 16 */ #define CCM_MIN_DIGEST_SIZE 4 #define CCM_MIN_NONCE_SIZE 7 #define CCM_MAX_NONCE_SIZE 14 /* Maximum cleartext message size, as a function of the nonce size N. The length field is L octets, with L = 15 - N, and then the maximum size M = 2^{8L} - 1. */ #define CCM_MAX_MSG_SIZE(N) \ ((sizeof(size_t) + (N) <= 15) \ ? ~(size_t) 0 \ : ((size_t) 1 << (8*(15 - N))) - 1) /* Per-message state */ struct ccm_ctx { union nettle_block16 ctr; /* Counter for CTR encryption. */ union nettle_block16 tag; /* CBC-MAC message tag. */ /* Length of data processed by the CBC-MAC modulus the block size */ unsigned short blength; unsigned short tag_length; }; /* * CCM mode requires the adata and message lengths when building the IV, which * prevents streaming processing and is incompatible with the AEAD API. */ void ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data); void ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, uint8_t *digest); /* * All-in-one encryption and decryption API: * tlength = sizeof(digest) * mlength = sizeof(cleartext) * clength = sizeof(ciphertext) = mlength + tlength * * The ciphertext will contain the encrypted payload with the message digest * appended to the end. */ void ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); /* * The decryption function will write the plaintext to dst and parse the digest * from the final tlength bytes of the ciphertext. If the digest matched the * value computed during decryption then this will return 1, or it will return * 0 if the digest was invalid. */ int ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* CCM Mode with AES-128 */ struct ccm_aes128_ctx { struct ccm_ctx ccm; struct aes128_ctx cipher; }; void ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key); void ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes128_update (struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes128_digest(struct ccm_aes128_ctx *ctx, uint8_t *digest); void ccm_aes128_encrypt_message(const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes128_decrypt_message(const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); struct ccm_aes192_ctx { struct ccm_ctx ccm; struct aes192_ctx cipher; }; /* CCM Mode with AES-192 */ void ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key); void ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes192_update(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes192_digest(struct ccm_aes192_ctx *ctx, uint8_t *digest); void ccm_aes192_encrypt_message(const struct aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes192_decrypt_message(const struct aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* CCM Mode with AES-256 */ struct ccm_aes256_ctx { struct ccm_ctx ccm; struct aes256_ctx cipher; }; void ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key); void ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes256_update(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes256_digest(struct ccm_aes256_ctx *ctx, uint8_t *digest); void ccm_aes256_encrypt_message(const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes256_decrypt_message(const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CCM_H_INCLUDED */ nettle-4.0/cfb.c0000644000000000000000000001351515141166423010504 0ustar00/* cfb.c Cipher feedback mode. Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cfb.h" #include "memxor.h" #include "nettle-internal.h" void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { uint8_t *p; TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); if (src != dst) { for (p = iv; length >= block_size; p = dst, dst += block_size, src += block_size, length -= block_size) { f(ctx, block_size, dst, p); memxor(dst, src, block_size); } } else { for (p = iv; length >= block_size; p = dst, dst += block_size, src += block_size, length -= block_size) { f(ctx, block_size, buffer, p); memxor(dst, buffer, block_size); } } if (p != iv) memcpy(iv, p, block_size); if (length) { f(ctx, block_size, buffer, iv); memxor3(dst, buffer, src, length); /* We do not care about updating IV here. This is the last call in * message sequence and one has to set IV afterwards anyway */ } } /* Don't allocate any more space than this on the stack */ #define CFB_BUFFER_LIMIT 512 void cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { if (src != dst) { size_t left = length % block_size; length -= left; if (length > 0) { /* Decrypt in ECB mode */ f(ctx, block_size, dst, iv); f(ctx, length - block_size, dst + block_size, src); memcpy(iv, src + length - block_size, block_size); memxor(dst, src, length); } if (left > 0) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); f(ctx, block_size, buffer, iv); memxor3(dst + length, src + length, buffer, left); } } else { /* For in-place CFB, we decrypt into a temporary buffer of size * at most CFB_BUFFER_LIMIT, and process that amount of data at * a time. */ /* NOTE: We assume that block_size <= CFB_BUFFER_LIMIT */ TMP_DECL(buffer, uint8_t, CFB_BUFFER_LIMIT); TMP_DECL(initial_iv, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); size_t buffer_size; size_t left; buffer_size = CFB_BUFFER_LIMIT - (CFB_BUFFER_LIMIT % block_size); TMP_ALLOC(buffer, buffer_size); TMP_ALLOC(initial_iv, block_size); left = length % block_size; length -= left; while (length > 0) { size_t part = length > buffer_size ? buffer_size : length; /* length is greater that zero and is divided by block_size, so it is * not less than block_size. So does part */ f(ctx, block_size, buffer, iv); f(ctx, part - block_size, buffer + block_size, dst); memcpy(iv, dst + part - block_size, block_size); memxor(dst, buffer, part); length -= part; dst += part; } if (left > 0) { f(ctx, block_size, buffer, iv); memxor(dst, buffer, left); } } } /* CFB-8 uses slight optimization: it encrypts or decrypts up to block_size * bytes and does memcpy/memxor afterwards */ void cfb8_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size * 2); TMP_ALLOC(outbuf, block_size); uint8_t pos; memcpy(buffer, iv, block_size); pos = 0; while (length) { uint8_t t; if (pos == block_size) { memcpy(buffer, buffer + block_size, block_size); pos = 0; } f(ctx, block_size, outbuf, buffer + pos); t = *(dst++) = *(src++) ^ outbuf[0]; buffer[pos + block_size] = t; length--; pos ++; } memcpy(iv, buffer + pos, block_size); } void cfb8_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); TMP_ALLOC(buffer, block_size * 2); TMP_ALLOC(outbuf, block_size * 2); uint8_t i = 0; memcpy(buffer, iv, block_size); memcpy(buffer + block_size, src, length < block_size ? length : block_size); while (length) { for (i = 0; i < length && i < block_size; i++) f(ctx, block_size, outbuf + i, buffer + i); memxor3(dst, src, outbuf, i); length -= i; src += i; dst += i; if (i == block_size) { memcpy(buffer, buffer + block_size, block_size); memcpy(buffer + block_size, src, length < block_size ? length : block_size); } } memcpy(iv, buffer + i, block_size); } nettle-4.0/cfb.h0000644000000000000000000000664715141166424010522 0ustar00/* cfb.h Cipher feedback mode. Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CFB_H_INCLUDED #define NETTLE_CFB_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cfb_encrypt nettle_cfb_encrypt #define cfb_decrypt nettle_cfb_decrypt #define cfb8_encrypt nettle_cfb8_encrypt #define cfb8_decrypt nettle_cfb8_decrypt void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cfb8_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cfb8_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #define CFB_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CFB_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) #define CFB8_CTX CFB_CTX #define CFB8_SET_IV CFB_SET_IV /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CFB_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CFB_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CFB8_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb8_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CFB8_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb8_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #ifdef __cplusplus } #endif #endif /* NETTLE_CFB_H_INCLUDED */ nettle-4.0/chacha-core-internal.c0000644000000000000000000000604415141166423013720 0ustar00/* chacha-core-internal.c Core functionality of the ChaCha stream cipher. Heavily based on the Salsa20 implementation in Nettle. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: chacha-ref.c version 2008.01.20. D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha.h" #include "chacha-internal.h" #include "bswap-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_chacha_core void _nettle_chacha_core_c(uint32_t *dst, const uint32_t *src, unsigned rounds); #define _nettle_chacha_core _nettle_chacha_core_c #endif #ifndef CHACHA_DEBUG # define CHACHA_DEBUG 0 #endif #if CHACHA_DEBUG # include # define DEBUG(i) do { \ unsigned debug_j; \ for (debug_j = 0; debug_j < 16; debug_j++) \ { \ if (debug_j == 0) \ fprintf(stderr, "%2d:", (i)); \ else if (debug_j % 4 == 0) \ fprintf(stderr, "\n "); \ fprintf(stderr, " %8x", x[debug_j]); \ } \ fprintf(stderr, "\n"); \ } while (0) #else # define DEBUG(i) #endif #define QROUND(x0, x1, x2, x3) do { \ x0 = x0 + x1; x3 = ROTL32(16, (x0 ^ x3)); \ x2 = x2 + x3; x1 = ROTL32(12, (x1 ^ x2)); \ x0 = x0 + x1; x3 = ROTL32(8, (x0 ^ x3)); \ x2 = x2 + x3; x1 = ROTL32(7, (x1 ^ x2)); \ } while(0) void _nettle_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) { uint32_t x[_CHACHA_STATE_LENGTH]; unsigned i; assert ( (rounds & 1) == 0); memcpy (x, src, sizeof(x)); for (i = 0; i < rounds;i += 2) { DEBUG (i); QROUND(x[0], x[4], x[8], x[12]); QROUND(x[1], x[5], x[9], x[13]); QROUND(x[2], x[6], x[10], x[14]); QROUND(x[3], x[7], x[11], x[15]); DEBUG (i+1); QROUND(x[0], x[5], x[10], x[15]); QROUND(x[1], x[6], x[11], x[12]); QROUND(x[2], x[7], x[8], x[13]); QROUND(x[3], x[4], x[9], x[14]); } DEBUG (i); for (i = 0; i < _CHACHA_STATE_LENGTH; i++) { uint32_t t = x[i] + src[i]; dst[i] = bswap32_if_be (t); } } nettle-4.0/chacha-crypt.c0000644000000000000000000001640115141166423012315 0ustar00/* chacha-crypt.c The crypt function in the ChaCha stream cipher. Heavily based on the Salsa20 implementation in Nettle. Copyright (C) 2014 Niels Möller Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: chacha-ref.c version 2008.01.20. D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "chacha.h" #include "chacha-internal.h" #include "macros.h" #include "memxor.h" #define CHACHA_ROUNDS 20 #if HAVE_NATIVE_chacha_4core #define _nettle_chacha_crypt_4core chacha_crypt #define _nettle_chacha_crypt32_4core chacha_crypt32 #elif HAVE_NATIVE_chacha_3core #define _nettle_chacha_crypt_3core chacha_crypt #define _nettle_chacha_crypt32_3core chacha_crypt32 #elif !(HAVE_NATIVE_fat_chacha_4core || HAVE_NATIVE_fat_chacha_3core) #define _nettle_chacha_crypt_1core chacha_crypt #define _nettle_chacha_crypt32_1core chacha_crypt32 #endif #if HAVE_NATIVE_chacha_4core || HAVE_NATIVE_fat_chacha_4core void _nettle_chacha_crypt_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[4*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_4core (x, ctx->state, CHACHA_ROUNDS); if (length <= 4*CHACHA_BLOCK_SIZE) { uint32_t incr = 3 + (length > 3*CHACHA_BLOCK_SIZE); ctx->state[12] += incr; ctx->state[13] += (ctx->state[12] < incr); memxor3 (dst, src, x, length); return; } ctx->state[12] += 4; ctx->state[13] += (ctx->state[12] < 4); memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE); length -= 4*CHACHA_BLOCK_SIZE; dst += 4*CHACHA_BLOCK_SIZE; src += 4*CHACHA_BLOCK_SIZE; } if (length > CHACHA_BLOCK_SIZE) { _nettle_chacha_2core (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; ctx->state[13] += (ctx->state[12] < 2); } else { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ctx->state[13] += (++ctx->state[12] == 0); } memxor3 (dst, src, x, length); } #endif #if HAVE_NATIVE_chacha_3core || HAVE_NATIVE_fat_chacha_3core void _nettle_chacha_crypt_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[3*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_3core (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 3; ctx->state[13] += (ctx->state[12] < 3); if (length <= 3*CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, 3*CHACHA_BLOCK_SIZE); length -= 3*CHACHA_BLOCK_SIZE; dst += 3*CHACHA_BLOCK_SIZE; src += 3*CHACHA_BLOCK_SIZE; } if (length <= CHACHA_BLOCK_SIZE) { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ctx->state[13] += (++ctx->state[12] == 0); } else { _nettle_chacha_3core (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; ctx->state[13] += (ctx->state[12] < 2); } memxor3 (dst, src, x, length); } #endif #if !(HAVE_NATIVE_chacha_4core || HAVE_NATIVE_chacha_3core) void _nettle_chacha_crypt_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; for (;;) { uint32_t x[_CHACHA_STATE_LENGTH]; _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ctx->state[13] += (++ctx->state[12] == 0); /* stopping at 2^70 length per nonce is user's responsibility */ if (length <= CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, CHACHA_BLOCK_SIZE); length -= CHACHA_BLOCK_SIZE; dst += CHACHA_BLOCK_SIZE; src += CHACHA_BLOCK_SIZE; } } #endif #if HAVE_NATIVE_chacha_4core || HAVE_NATIVE_fat_chacha_4core void _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[4*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_4core32 (x, ctx->state, CHACHA_ROUNDS); if (length <= 4*CHACHA_BLOCK_SIZE) { ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE); memxor3 (dst, src, x, length); return; } ctx->state[12] += 4; memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE); length -= 4*CHACHA_BLOCK_SIZE; dst += 4*CHACHA_BLOCK_SIZE; src += 4*CHACHA_BLOCK_SIZE; } if (length > CHACHA_BLOCK_SIZE) { _nettle_chacha_2core32 (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; } else { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ++ctx->state[12]; } memxor3 (dst, src, x, length); } #endif #if HAVE_NATIVE_chacha_3core || HAVE_NATIVE_fat_chacha_3core void _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[3*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 3; if (length <= 3*CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, 3*CHACHA_BLOCK_SIZE); length -= 3*CHACHA_BLOCK_SIZE; dst += 3*CHACHA_BLOCK_SIZE; src += 3*CHACHA_BLOCK_SIZE; } if (length <= CHACHA_BLOCK_SIZE) { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ++ctx->state[12]; } else { _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; } memxor3 (dst, src, x, length); } #endif #if !(HAVE_NATIVE_chacha_4core || HAVE_NATIVE_chacha_3core) void _nettle_chacha_crypt32_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; for (;;) { uint32_t x[_CHACHA_STATE_LENGTH]; _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ++ctx->state[12]; /* stopping at 2^38 length per nonce is user's responsibility */ if (length <= CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, CHACHA_BLOCK_SIZE); length -= CHACHA_BLOCK_SIZE; dst += CHACHA_BLOCK_SIZE; src += CHACHA_BLOCK_SIZE; } } #endif nettle-4.0/chacha-internal.h0000644000000000000000000000523315141166424012777 0ustar00/* chacha-internal.h The ChaCha stream cipher. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_INTERNAL_H_INCLUDED #define NETTLE_CHACHA_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "chacha.h" void _nettle_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds); /* Functions available only in some configurations */ void _nettle_chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_2core32(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_3core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_3core32(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_4core32(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_crypt_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt32_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #endif /* NETTLE_CHACHA_INTERNAL_H_INCLUDED */ nettle-4.0/chacha-poly1305-meta.c0000644000000000000000000000334115141166423013373 0ustar00/* chacha-poly1305-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "chacha-poly1305.h" const struct nettle_aead nettle_chacha_poly1305 = { "chacha_poly1305", sizeof(struct chacha_poly1305_ctx), CHACHA_POLY1305_BLOCK_SIZE, CHACHA_POLY1305_KEY_SIZE, CHACHA_POLY1305_NONCE_SIZE, CHACHA_POLY1305_DIGEST_SIZE, (nettle_set_key_func *) chacha_poly1305_set_key, (nettle_set_key_func *) chacha_poly1305_set_key, (nettle_set_key_func *) chacha_poly1305_set_nonce, (nettle_hash_update_func *) chacha_poly1305_update, (nettle_crypt_func *) chacha_poly1305_encrypt, (nettle_crypt_func *) chacha_poly1305_decrypt, (nettle_hash_digest_func *) chacha_poly1305_digest, }; nettle-4.0/chacha-poly1305.c0000644000000000000000000001040015141166423012441 0ustar00/* chacha-poly1305.c AEAD mechanism based on chacha and poly1305. Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This implements chacha-poly1305 according to draft-irtf-cfrg-chacha20-poly1305-08. The inputs to poly1305 are: associated data zero padding ciphertext zero padding length of associated data (64-bit, little endian) length of ciphertext (64-bit, little endian) where the padding fields are 0-15 zero bytes, filling up to a 16-byte boundary. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha-internal.h" #include "chacha-poly1305.h" #include "poly1305-internal.h" #include "macros.h" #define CHACHA_ROUNDS 20 /* FIXME: Also set nonce to zero, and implement nonce auto-increment? */ void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key) { chacha_set_key (&ctx->chacha, key); } void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce) { union { uint32_t x[_CHACHA_STATE_LENGTH]; uint8_t subkey[32]; } u; chacha_set_nonce96 (&ctx->chacha, nonce); /* Generate authentication key */ _nettle_chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS); _nettle_poly1305_set_key (&ctx->poly1305, u.subkey); /* For final poly1305 processing */ memcpy (ctx->s.b, u.subkey + 16, 16); /* Increment block count */ ctx->chacha.state[12] = 1; ctx->auth_size = ctx->data_size = ctx->index = 0; } /* FIXME: Duplicated in poly1305-aes128.c */ #define COMPRESS(ctx, data) _nettle_poly1305_block(&(ctx)->poly1305, (data), 1) static void poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_poly1305_update (&(ctx)->poly1305, ctx->block, ctx->index, length, data); } static void poly1305_pad (struct chacha_poly1305_ctx *ctx) { if (ctx->index) { memset (ctx->block + ctx->index, 0, POLY1305_BLOCK_SIZE - ctx->index); _nettle_poly1305_block(&ctx->poly1305, ctx->block, 1); ctx->index = 0; } } void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data) { assert (ctx->data_size == 0); poly1305_update (ctx, length, data); ctx->auth_size += length; } void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); poly1305_pad (ctx); chacha_crypt32 (&ctx->chacha, length, dst, src); poly1305_update (ctx, length, dst); ctx->data_size += length; } void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); poly1305_pad (ctx); poly1305_update (ctx, length, src); chacha_crypt32 (&ctx->chacha, length, dst, src); ctx->data_size += length; } void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, uint8_t *digest) { uint8_t buf[16]; poly1305_pad (ctx); LE_WRITE_UINT64 (buf, ctx->auth_size); LE_WRITE_UINT64 (buf + 8, ctx->data_size); _nettle_poly1305_block (&ctx->poly1305, buf, 1); _nettle_poly1305_digest (&ctx->poly1305, &ctx->s); memcpy (digest, &ctx->s.b, CHACHA_POLY1305_DIGEST_SIZE); } nettle-4.0/chacha-poly1305.h0000644000000000000000000000541215141166424012456 0ustar00/* chacha-poly1305.h AEAD mechanism based on chacha and poly1305. See draft-agl-tls-chacha20poly1305-04. Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED #define NETTLE_CHACHA_POLY1305_H_INCLUDED #include "chacha.h" #include "poly1305.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define chacha_poly1305_set_key nettle_chacha_poly1305_set_key #define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce #define chacha_poly1305_update nettle_chacha_poly1305_update #define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt #define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt #define chacha_poly1305_digest nettle_chacha_poly1305_digest #define CHACHA_POLY1305_BLOCK_SIZE 64 /* FIXME: Any need for 128-bit variant? */ #define CHACHA_POLY1305_KEY_SIZE 32 #define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE96_SIZE #define CHACHA_POLY1305_DIGEST_SIZE 16 struct chacha_poly1305_ctx { struct chacha_ctx chacha; struct poly1305_ctx poly1305; union nettle_block16 s; uint64_t auth_size; uint64_t data_size; /* poly1305 block */ uint8_t block[POLY1305_BLOCK_SIZE]; unsigned index; }; void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key); void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce); void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data); void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */ nettle-4.0/chacha-set-key.c0000644000000000000000000000331715141166423012537 0ustar00/* chacha-set-key.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha.h" #include "macros.h" void chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key) { static const uint32_t sigma[4] = { /* "expand 32-byte k" */ 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }; ctx->state[4] = LE_READ_UINT32(key + 0); ctx->state[5] = LE_READ_UINT32(key + 4); ctx->state[6] = LE_READ_UINT32(key + 8); ctx->state[7] = LE_READ_UINT32(key + 12); ctx->state[8] = LE_READ_UINT32(key + 16); ctx->state[9] = LE_READ_UINT32(key + 20); ctx->state[10] = LE_READ_UINT32(key + 24); ctx->state[11] = LE_READ_UINT32(key + 28); memcpy (ctx->state, sigma, sizeof(sigma)); } nettle-4.0/chacha-set-nonce.c0000644000000000000000000000427215141166423013052 0ustar00/* chacha-set-nonce.c Setting the nonce the ChaCha stream cipher. Based on the Salsa20 implementation in Nettle. Copyright (C) 2013 Joachim Strömbergon Copyright (C) 2012 Simon Josefsson Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: ChaCha specification (doc id: 4027b5256e17b9796842e6d0f68b0b5e) and reference implementation dated 2008.01.20 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "chacha.h" #include "macros.h" void chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce) { ctx->state[12] = 0; ctx->state[13] = 0; ctx->state[14] = LE_READ_UINT32(nonce + 0); ctx->state[15] = LE_READ_UINT32(nonce + 4); } void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce) { ctx->state[12] = 0; ctx->state[13] = LE_READ_UINT32(nonce + 0); ctx->state[14] = LE_READ_UINT32(nonce + 4); ctx->state[15] = LE_READ_UINT32(nonce + 8); } void chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter) { ctx->state[12] = LE_READ_UINT32(counter + 0); ctx->state[13] = LE_READ_UINT32(counter + 4); } void chacha_set_counter32(struct chacha_ctx *ctx, const uint8_t *counter) { ctx->state[12] = LE_READ_UINT32(counter + 0); } nettle-4.0/chacha.h0000644000000000000000000000542715141166424011172 0ustar00/* chacha.h The ChaCha stream cipher. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_H_INCLUDED #define NETTLE_CHACHA_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define chacha_set_key nettle_chacha_set_key #define chacha_set_nonce nettle_chacha_set_nonce #define chacha_set_nonce96 nettle_chacha_set_nonce96 #define chacha_set_counter nettle_chacha_set_counter #define chacha_set_counter32 nettle_chacha_set_counter32 #define chacha_crypt nettle_chacha_crypt #define chacha_crypt32 nettle_chacha_crypt32 /* Currently, only 256-bit keys are supported. */ #define CHACHA_KEY_SIZE 32 #define CHACHA_BLOCK_SIZE 64 #define CHACHA_NONCE_SIZE 8 #define CHACHA_NONCE96_SIZE 12 #define CHACHA_COUNTER_SIZE 8 #define CHACHA_COUNTER32_SIZE 4 #define _CHACHA_STATE_LENGTH 16 struct chacha_ctx { /* Indices 0-3 holds a constant (SIGMA or TAU). Indices 4-11 holds the key. Indices 12-13 holds the block counter. Indices 14-15 holds the IV: This creates the state matrix: C C C C K K K K K K K K B B I I */ uint32_t state[_CHACHA_STATE_LENGTH]; }; void chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key); void chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter); void chacha_set_counter32(struct chacha_ctx *ctx, const uint8_t *counter); void chacha_crypt(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_crypt32(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CHACHA_H_INCLUDED */ nettle-4.0/cmac-aes128-meta.c0000644000000000000000000000262715141166423012604 0ustar00/* cmac-aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "cmac.h" const struct nettle_mac nettle_cmac_aes128 = { "cmac_aes128", sizeof(struct cmac_aes128_ctx), CMAC128_DIGEST_SIZE, AES128_KEY_SIZE, (nettle_set_key_func*) cmac_aes128_set_key, (nettle_hash_update_func*) cmac_aes128_update, (nettle_hash_digest_func*) cmac_aes128_digest }; nettle-4.0/cmac-aes128.c0000644000000000000000000000305715141166423011656 0ustar00/* cmac-aes128.c CMAC using AES128 as the underlying cipher. Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "cmac.h" void cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key) { CMAC128_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void cmac_aes128_update (struct cmac_aes128_ctx *ctx, size_t length, const uint8_t *data) { CMAC128_UPDATE (ctx, aes128_encrypt, length, data); } void cmac_aes128_digest(struct cmac_aes128_ctx *ctx, uint8_t *digest) { CMAC128_DIGEST(ctx, aes128_encrypt, digest); } nettle-4.0/cmac-aes256-meta.c0000644000000000000000000000262715141166423012606 0ustar00/* cmac-aes256-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "cmac.h" const struct nettle_mac nettle_cmac_aes256 = { "cmac_aes256", sizeof(struct cmac_aes256_ctx), CMAC128_DIGEST_SIZE, AES256_KEY_SIZE, (nettle_set_key_func*) cmac_aes256_set_key, (nettle_hash_update_func*) cmac_aes256_update, (nettle_hash_digest_func*) cmac_aes256_digest }; nettle-4.0/cmac-aes256.c0000644000000000000000000000305715141166423011660 0ustar00/* cmac-aes256.c CMAC using AES256 as the underlying cipher. Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "cmac.h" void cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key) { CMAC128_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key); } void cmac_aes256_update (struct cmac_aes256_ctx *ctx, size_t length, const uint8_t *data) { CMAC128_UPDATE (ctx, aes256_encrypt, length, data); } void cmac_aes256_digest(struct cmac_aes256_ctx *ctx, uint8_t *digest) { CMAC128_DIGEST(ctx, aes256_encrypt, digest); } nettle-4.0/cmac-des3-meta.c0000644000000000000000000000260315141166423012431 0ustar00/* cmac-des3-meta.c Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "cmac.h" const struct nettle_mac nettle_cmac_des3 = { "cmac_des3", sizeof(struct cmac_des3_ctx), CMAC64_DIGEST_SIZE, DES3_KEY_SIZE, (nettle_set_key_func*) cmac_des3_set_key, (nettle_hash_update_func*) cmac_des3_update, (nettle_hash_digest_func*) cmac_des3_digest }; nettle-4.0/cmac-des3.c0000644000000000000000000000303615141166423011506 0ustar00/* cmac-des3.c CMAC using TripleDES as the underlying cipher. Copyright (C) 2019 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "cmac.h" void cmac_des3_set_key (struct cmac_des3_ctx *ctx, const uint8_t *key) { CMAC64_SET_KEY (ctx, des3_set_key, des3_encrypt, key); } void cmac_des3_update (struct cmac_des3_ctx *ctx, size_t length, const uint8_t *data) { CMAC64_UPDATE (ctx, des3_encrypt, length, data); } void cmac_des3_digest (struct cmac_des3_ctx *ctx, uint8_t *digest) { CMAC64_DIGEST (ctx, des3_encrypt, digest); } nettle-4.0/cmac.c0000644000000000000000000000653115141166423010655 0ustar00/* AES-CMAC-128 (rfc 4493) Copyright (C) Stefan Metzmacher 2012 Copyright (C) Jeremy Allison 2012 Copyright (C) Michael Adam 2012 Copyright (C) 2017, Red Hat Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cmac.h" #include "memxor.h" #include "nettle-internal.h" #include "block-internal.h" #include "macros.h" void cmac128_set_key(struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt) { static const union nettle_block16 zero_block; union nettle_block16 L; /* step 1 - generate subkeys k1 and k2 */ encrypt(cipher, 16, L.b, zero_block.b); block16_mulx_be(&key->K1, &L); block16_mulx_be(&key->K2, &key->K1); } void cmac128_init(struct cmac128_ctx *ctx) { memset(&ctx->X, 0, sizeof(ctx->X)); ctx->index = 0; } #define MIN(x,y) ((x)<(y)?(x):(y)) void cmac128_update(struct cmac128_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg) { union nettle_block16 Y; /* * check if we expand the block */ if (ctx->index < 16) { size_t len = MIN(16 - ctx->index, msg_len); memcpy(&ctx->block.b[ctx->index], msg, len); msg += len; msg_len -= len; ctx->index += len; } if (msg_len == 0) { /* if it is still the last block, we are done */ return; } /* * now checksum everything but the last block */ block16_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 16, ctx->X.b, Y.b); while (msg_len > 16) { block16_xor_bytes (&Y, &ctx->X, msg); encrypt(cipher, 16, ctx->X.b, Y.b); msg += 16; msg_len -= 16; } /* * copy the last block, it will be processed in * cmac128_digest(). */ memcpy(ctx->block.b, msg, msg_len); ctx->index = msg_len; } void cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt, uint8_t *dst) { union nettle_block16 Y; /* re-use ctx->block for memxor output */ if (ctx->index < 16) { ctx->block.b[ctx->index] = 0x80; memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index); block16_xor (&ctx->block, &key->K2); } else { block16_xor (&ctx->block, &key->K1); } block16_xor3 (&Y, &ctx->block, &ctx->X); encrypt(cipher, 16, dst, Y.b); /* reset state for re-use */ cmac128_init(ctx); } nettle-4.0/cmac.h0000644000000000000000000001473115141166424010664 0ustar00/* cmac.h CMAC mode, as specified in RFC4493 Copyright (C) 2017 Red Hat, Inc. Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CMAC_H_INCLUDED #define NETTLE_CMAC_H_INCLUDED #include "aes.h" #include "des.h" #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif #define CMAC128_DIGEST_SIZE 16 #define CMAC64_DIGEST_SIZE 8 #define cmac128_set_key nettle_cmac128_set_key #define cmac128_init nettle_cmac128_init #define cmac128_update nettle_cmac128_update #define cmac128_digest nettle_cmac128_digest #define cmac_aes128_set_key nettle_cmac_aes128_set_key #define cmac_aes128_update nettle_cmac_aes128_update #define cmac_aes128_digest nettle_cmac_aes128_digest #define cmac_aes256_set_key nettle_cmac_aes256_set_key #define cmac_aes256_update nettle_cmac_aes256_update #define cmac_aes256_digest nettle_cmac_aes256_digest #define cmac64_set_key nettle_cmac64_set_key #define cmac64_init nettle_cmac64_init #define cmac64_update nettle_cmac64_update #define cmac64_digest nettle_cmac64_digest #define cmac_des3_set_key nettle_cmac_des3_set_key #define cmac_des3_update nettle_cmac_des3_update #define cmac_des3_digest nettle_cmac_des3_digest struct cmac128_key { union nettle_block16 K1; union nettle_block16 K2; }; struct cmac128_ctx { /* MAC state */ union nettle_block16 X; /* Block buffer */ union nettle_block16 block; size_t index; }; struct cmac64_key { union nettle_block8 K1; union nettle_block8 K2; }; struct cmac64_ctx { /* MAC state */ union nettle_block8 X; /* Block buffer */ union nettle_block8 block; size_t index; }; void cmac128_set_key(struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt); void cmac128_init(struct cmac128_ctx *ctx); void cmac128_update(struct cmac128_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg); void cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt, uint8_t *digest); #define CMAC128_CTX(type) \ { struct cmac128_key key; struct cmac128_ctx ctx; type cipher; } /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CMAC128_SET_KEY(self, set_key, encrypt, cmac_key) \ do { \ (set_key)(&(self)->cipher, (cmac_key)); \ if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ cmac128_set_key(&(self)->key, &(self)->cipher, \ (nettle_cipher_func *) (encrypt)); \ cmac128_init(&(self)->ctx); \ } while (0) #define CMAC128_UPDATE(self, encrypt, length, src) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac128_update(&(self)->ctx, &(self)->cipher, \ (nettle_cipher_func *)encrypt, \ (length), (src))) #define CMAC128_DIGEST(self, encrypt, digest) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac128_digest(&(self)->ctx, &(self)->key, \ &(self)->cipher, \ (nettle_cipher_func *) (encrypt), \ (digest))) void cmac64_set_key(struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt); void cmac64_init(struct cmac64_ctx *ctx); void cmac64_update(struct cmac64_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg); void cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt, uint8_t *digest); #define CMAC64_CTX(type) \ { struct cmac64_key key; struct cmac64_ctx ctx; type cipher; } /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CMAC64_SET_KEY(self, set_key, encrypt, cmac_key) \ do { \ (set_key)(&(self)->cipher, (cmac_key)); \ if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ cmac64_set_key(&(self)->key, &(self)->cipher, \ (nettle_cipher_func *) (encrypt)); \ cmac64_init(&(self)->ctx); \ } while (0) #define CMAC64_UPDATE(self, encrypt, length, src) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac64_update(&(self)->ctx, &(self)->cipher, \ (nettle_cipher_func *)encrypt, \ (length), (src))) #define CMAC64_DIGEST(self, encrypt, digest) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac64_digest(&(self)->ctx, &(self)->key, \ &(self)->cipher, \ (nettle_cipher_func *) (encrypt), \ (digest))) struct cmac_aes128_ctx CMAC128_CTX(struct aes128_ctx); void cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key); void cmac_aes128_update(struct cmac_aes128_ctx *ctx, size_t length, const uint8_t *data); void cmac_aes128_digest(struct cmac_aes128_ctx *ctx, uint8_t *digest); struct cmac_aes256_ctx CMAC128_CTX(struct aes256_ctx); void cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key); void cmac_aes256_update(struct cmac_aes256_ctx *ctx, size_t length, const uint8_t *data); void cmac_aes256_digest(struct cmac_aes256_ctx *ctx, uint8_t *digest); struct cmac_des3_ctx CMAC64_CTX(struct des3_ctx); void cmac_des3_set_key(struct cmac_des3_ctx *ctx, const uint8_t *key); void cmac_des3_update(struct cmac_des3_ctx *ctx, size_t length, const uint8_t *data); void cmac_des3_digest(struct cmac_des3_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* CMAC_H_INCLUDED */ nettle-4.0/cmac64.c0000644000000000000000000000657015141166423011032 0ustar00/* CMAC-64, NIST SP 800-38B Copyright (C) Stefan Metzmacher 2012 Copyright (C) Jeremy Allison 2012 Copyright (C) Michael Adam 2012 Copyright (C) 2017, Red Hat Inc. Copyright (C) 2019, Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cmac.h" #include "nettle-internal.h" #include "block-internal.h" #include "macros.h" void cmac64_set_key(struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt) { static const union nettle_block8 zero_block; union nettle_block8 L; /* step 1 - generate subkeys k1 and k2 */ encrypt(cipher, 8, L.b, zero_block.b); block8_mulx_be(&key->K1, &L); block8_mulx_be(&key->K2, &key->K1); } void cmac64_init(struct cmac64_ctx *ctx) { memset(&ctx->X, 0, sizeof(ctx->X)); ctx->index = 0; } #define MIN(x,y) ((x)<(y)?(x):(y)) void cmac64_update(struct cmac64_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg) { union nettle_block8 Y; /* * check if we expand the block */ if (ctx->index < 8) { size_t len = MIN(8 - ctx->index, msg_len); memcpy(&ctx->block.b[ctx->index], msg, len); msg += len; msg_len -= len; ctx->index += len; } if (msg_len == 0) { /* if it is still the last block, we are done */ return; } /* * now checksum everything but the last block */ block8_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 8, ctx->X.b, Y.b); while (msg_len > 8) { block8_xor_bytes(&Y, &ctx->X, msg); encrypt(cipher, 8, ctx->X.b, Y.b); msg += 8; msg_len -= 8; } /* * copy the last block, it will be processed in * cmac64_digest(). */ memcpy(ctx->block.b, msg, msg_len); ctx->index = msg_len; } void cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt, uint8_t *dst) { union nettle_block8 Y; memset(ctx->block.b+ctx->index, 0, sizeof(ctx->block.b)-ctx->index); /* re-use ctx->block for memxor output */ if (ctx->index < 8) { ctx->block.b[ctx->index] = 0x80; block8_xor(&ctx->block, &key->K2); } else { block8_xor(&ctx->block, &key->K1); } block8_xor3(&Y, &ctx->block, &ctx->X); encrypt(cipher, 8, dst, Y.b); /* reset state for re-use */ memset(&ctx->X, 0, sizeof(ctx->X)); ctx->index = 0; } nettle-4.0/cnd-copy.c0000644000000000000000000000257315141166424011471 0ustar00/* cnd-copy.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) { mp_limb_t mask, keep; mp_size_t i; mask = -(mp_limb_t) cnd; keep = ~mask; for (i = 0; i < n; i++) rp[i] = (rp[i] & keep) + (ap[i] & mask); } nettle-4.0/cnd-memcpy.c0000644000000000000000000000265315141166423012007 0ustar00/* cnd-memcpy.c Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "memops.h" void cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n) { const volatile unsigned char *sp = src; volatile unsigned char *dp = dst; volatile unsigned char c; volatile unsigned char m; size_t i; m = -(unsigned char) cnd; for (i = 0; i < n; i++) { c = (sp[i] & m); c |= (dp[i] & ~m); dp[i] = c; } } nettle-4.0/config.guess0000755000000000000000000014324215141166424012130 0ustar00#! /bin/sh # Attempt to guess a canonical system name. # Copyright 1992-2025 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale timestamp='2025-07-10' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: # https://git.savannah.gnu.org/cgit/config.git/plain/config.guess # # Please send patches to . # The "shellcheck disable" line above the timestamp inhibits complaints # about features and limitations of the classic Bourne shell that were # superseded or lifted in POSIX. However, this script identifies a wide # variety of pre-POSIX systems that do not have POSIX shells at all, and # even some reasonably current systems (Solaris 10 as case-in-point) still # have a pre-POSIX /bin/sh. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system '$me' is run on. Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright 1992-2025 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try '$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi # Just in case it came from the environment. GUESS= # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, 'CC_FOR_BUILD' used to be named 'HOST_CC'. We still # use 'HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. tmp= # shellcheck disable=SC2172 trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 set_cc_for_build() { # prevent multiple calls if $tmp is already set test "$tmp" && return 0 : "${TMPDIR=/tmp}" # shellcheck disable=SC2039,SC3028 { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } dummy=$tmp/dummy case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in ,,) echo "int x;" > "$dummy.c" for driver in cc gcc c17 c99 c89 ; do if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then CC_FOR_BUILD=$driver break fi done if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac } # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if test -f /.attbin/uname ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case $UNAME_SYSTEM in Linux|GNU|GNU/*) LIBC=unknown set_cc_for_build cat <<-EOF > "$dummy.c" #if defined(__ANDROID__) LIBC=android #else #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc #elif defined(__GLIBC__) LIBC=gnu #elif defined(__LLVM_LIBC__) LIBC=llvm #else #include /* First heuristic to detect musl libc. */ #ifdef __DEFINED_va_list LIBC=musl #endif #endif #endif EOF cc_set_libc=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` eval "$cc_set_libc" # Second heuristic to detect musl libc. if [ "$LIBC" = unknown ] && command -v ldd >/dev/null && ldd --version 2>&1 | grep -q ^musl; then LIBC=musl fi # If the system lacks a compiler, then just pick glibc. # We could probably try harder. if [ "$LIBC" = unknown ]; then LIBC=gnu fi ;; esac # Note: order is significant - the case branches are not exclusive. case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ /sbin/sysctl -n hw.machine_arch 2>/dev/null || \ /usr/sbin/sysctl -n hw.machine_arch 2>/dev/null || \ echo unknown)` case $UNAME_MACHINE_ARCH in aarch64eb) machine=aarch64_be-unknown ;; armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; earmv*) arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` machine=${arch}${endian}-unknown ;; *) machine=$UNAME_MACHINE_ARCH-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently (or will in the future) and ABI. case $UNAME_MACHINE_ARCH in earm*) os=netbsdelf ;; arm*|i386|m68k|ns32k|sh3*|sparc|vax) set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # Determine ABI tags. case $UNAME_MACHINE_ARCH in earm*) expr='s/^earmv[0-9]/-eabi/;s/eb$//' abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case $UNAME_VERSION in Debian*) release='-gnu' ;; *) release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. GUESS=$machine-${os}${release}${abi-} ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-bitrig$UNAME_RELEASE ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-openbsd$UNAME_RELEASE ;; *:SecBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/SecBSD.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-secbsd$UNAME_RELEASE ;; *:LibertyBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-libertybsd$UNAME_RELEASE ;; *:MidnightBSD:*:*) GUESS=$UNAME_MACHINE-unknown-midnightbsd$UNAME_RELEASE ;; *:ekkoBSD:*:*) GUESS=$UNAME_MACHINE-unknown-ekkobsd$UNAME_RELEASE ;; *:SolidBSD:*:*) GUESS=$UNAME_MACHINE-unknown-solidbsd$UNAME_RELEASE ;; *:OS108:*:*) GUESS=$UNAME_MACHINE-unknown-os108_$UNAME_RELEASE ;; macppc:MirBSD:*:*) GUESS=powerpc-unknown-mirbsd$UNAME_RELEASE ;; *:MirBSD:*:*) GUESS=$UNAME_MACHINE-unknown-mirbsd$UNAME_RELEASE ;; *:Sortix:*:*) GUESS=$UNAME_MACHINE-unknown-sortix ;; *:Twizzler:*:*) GUESS=$UNAME_MACHINE-unknown-twizzler ;; *:Redox:*:*) GUESS=$UNAME_MACHINE-unknown-redox ;; mips:OSF1:*.*) GUESS=mips-dec-osf1 ;; alpha:OSF1:*:*) # Reset EXIT trap before exiting to avoid spurious non-zero exit code. trap '' 0 case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case $ALPHA_CPU_TYPE in "EV4 (21064)") UNAME_MACHINE=alpha ;; "EV4.5 (21064)") UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") UNAME_MACHINE=alpha ;; "EV5 (21164)") UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. OSF_REL=`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` GUESS=$UNAME_MACHINE-dec-osf$OSF_REL ;; Amiga*:UNIX_System_V:4.0:*) GUESS=m68k-unknown-sysv4 ;; *:[Aa]miga[Oo][Ss]:*:*) GUESS=$UNAME_MACHINE-unknown-amigaos ;; *:[Mm]orph[Oo][Ss]:*:*) GUESS=$UNAME_MACHINE-unknown-morphos ;; *:OS/390:*:*) GUESS=i370-ibm-openedition ;; *:z/VM:*:*) GUESS=s390-ibm-zvmoe ;; *:OS400:*:*) GUESS=powerpc-ibm-os400 ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) GUESS=arm-acorn-riscix$UNAME_RELEASE ;; arm*:riscos:*:*|arm*:RISCOS:*:*) GUESS=arm-unknown-riscos ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) GUESS=hppa1.1-hitachi-hiuxmpp ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. case `(/bin/universe) 2>/dev/null` in att) GUESS=pyramid-pyramid-sysv3 ;; *) GUESS=pyramid-pyramid-bsd ;; esac ;; NILE*:*:*:dcosx) GUESS=pyramid-pyramid-svr4 ;; DRS?6000:unix:4.0:6*) GUESS=sparc-icl-nx6 ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) GUESS=sparc-icl-nx7 ;; esac ;; s390x:SunOS:*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=$UNAME_MACHINE-ibm-solaris2$SUN_REL ;; sun4H:SunOS:5.*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=sparc-hal-solaris2$SUN_REL ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=sparc-sun-solaris2$SUN_REL ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) GUESS=i386-pc-auroraux$UNAME_RELEASE ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) set_cc_for_build SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH=x86_64 fi fi SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=$SUN_ARCH-pc-solaris2$SUN_REL ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=sparc-sun-solaris3$SUN_REL ;; sun4*:SunOS:*:*) case `/usr/bin/arch -k` in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like '4.1.3-JL'. SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'` GUESS=sparc-sun-sunos$SUN_REL ;; sun3*:SunOS:*:*) GUESS=m68k-sun-sunos$UNAME_RELEASE ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 case `/bin/arch` in sun3) GUESS=m68k-sun-sunos$UNAME_RELEASE ;; sun4) GUESS=sparc-sun-sunos$UNAME_RELEASE ;; esac ;; aushp:SunOS:*:*) GUESS=sparc-auspex-sunos$UNAME_RELEASE ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) GUESS=m68k-atari-mint$UNAME_RELEASE ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) GUESS=m68k-atari-mint$UNAME_RELEASE ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) GUESS=m68k-atari-mint$UNAME_RELEASE ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) GUESS=m68k-milan-mint$UNAME_RELEASE ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) GUESS=m68k-hades-mint$UNAME_RELEASE ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) GUESS=m68k-unknown-mint$UNAME_RELEASE ;; m68k:machten:*:*) GUESS=m68k-apple-machten$UNAME_RELEASE ;; powerpc:machten:*:*) GUESS=powerpc-apple-machten$UNAME_RELEASE ;; RISC*:Mach:*:*) GUESS=mips-dec-mach_bsd4.3 ;; RISC*:ULTRIX:*:*) GUESS=mips-dec-ultrix$UNAME_RELEASE ;; VAX*:ULTRIX*:*:*) GUESS=vax-dec-ultrix$UNAME_RELEASE ;; 2020:CLIX:*:* | 2430:CLIX:*:*) GUESS=clipper-intergraph-clix$UNAME_RELEASE ;; mips:*:*:UMIPS | mips:*:*:RISCos) set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o "$dummy" "$dummy.c" && dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`"$dummy" "$dummyarg"` && { echo "$SYSTEM_NAME"; exit; } GUESS=mips-mips-riscos$UNAME_RELEASE ;; Motorola:PowerMAX_OS:*:*) GUESS=powerpc-motorola-powermax ;; Motorola:*:4.3:PL8-*) GUESS=powerpc-harris-powermax ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) GUESS=powerpc-harris-powermax ;; Night_Hawk:Power_UNIX:*:*) GUESS=powerpc-harris-powerunix ;; m88k:CX/UX:7*:*) GUESS=m88k-harris-cxux7 ;; m88k:*:4*:R4*) GUESS=m88k-motorola-sysv4 ;; m88k:*:3*:R3*) GUESS=m88k-motorola-sysv3 ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if test "$UNAME_PROCESSOR" = mc88100 || test "$UNAME_PROCESSOR" = mc88110 then if test "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx || \ test "$TARGET_BINARY_INTERFACE"x = x then GUESS=m88k-dg-dgux$UNAME_RELEASE else GUESS=m88k-dg-dguxbcs$UNAME_RELEASE fi else GUESS=i586-dg-dgux$UNAME_RELEASE fi ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) GUESS=m88k-dolphin-sysv3 ;; M88*:*:R3*:*) # Delta 88k system running SVR3 GUESS=m88k-motorola-sysv3 ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) GUESS=m88k-tektronix-sysv3 ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) GUESS=m68k-tektronix-bsd ;; *:IRIX*:*:*) IRIX_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/g'` GUESS=mips-sgi-irix$IRIX_REL ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. GUESS=romp-ibm-aix # uname -m gives an 8 hex-code CPU id ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) GUESS=i386-ibm-aix ;; ia64:AIX:*:*) if test -x /usr/bin/oslevel ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=$UNAME_VERSION.$UNAME_RELEASE fi GUESS=$UNAME_MACHINE-ibm-aix$IBM_REV ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #include int main () { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` then GUESS=$SYSTEM_NAME else GUESS=rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then GUESS=rs6000-ibm-aix3.2.4 else GUESS=rs6000-ibm-aix3.2 fi ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if test -x /usr/bin/lslpp ; then IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | \ awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` else IBM_REV=$UNAME_VERSION.$UNAME_RELEASE fi GUESS=$IBM_ARCH-ibm-aix$IBM_REV ;; *:AIX:*:*) GUESS=rs6000-ibm-aix ;; ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) GUESS=romp-ibm-bsd4.4 ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and GUESS=romp-ibm-bsd$UNAME_RELEASE # 4.3 with uname added to ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) GUESS=rs6000-bull-bosx ;; DPX/2?00:B.O.S.:*:*) GUESS=m68k-bull-sysv3 ;; 9000/[34]??:4.3bsd:1.*:*) GUESS=m68k-hp-bsd ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) GUESS=m68k-hp-bsd4.4 ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` case $UNAME_MACHINE in 9000/31?) HP_ARCH=m68000 ;; 9000/[34]??) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if test -x /usr/bin/getconf; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case $sc_cpu_version in 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case $sc_kernel_bits in 32) HP_ARCH=hppa2.0n ;; 64) HP_ARCH=hppa2.0w ;; '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi if test "$HP_ARCH" = ""; then set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if test "$HP_ARCH" = hppa2.0w then set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH=hppa2.0w else HP_ARCH=hppa64 fi fi GUESS=$HP_ARCH-hp-hpux$HPUX_REV ;; ia64:HP-UX:*:*) HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` GUESS=ia64-hp-hpux$HPUX_REV ;; 3050*:HI-UX:*:*) set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } GUESS=unknown-hitachi-hiuxwe2 ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) GUESS=hppa1.1-hp-bsd ;; 9000/8??:4.3bsd:*:*) GUESS=hppa1.0-hp-bsd ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) GUESS=hppa1.0-hp-mpeix ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) GUESS=hppa1.1-hp-osf ;; hp8??:OSF1:*:*) GUESS=hppa1.0-hp-osf ;; i*86:OSF1:*:*) if test -x /usr/sbin/sysversion ; then GUESS=$UNAME_MACHINE-unknown-osf1mk else GUESS=$UNAME_MACHINE-unknown-osf1 fi ;; parisc*:Lites*:*:*) GUESS=hppa1.1-hp-lites ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) GUESS=c1-convex-bsd ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) GUESS=c34-convex-bsd ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) GUESS=c38-convex-bsd ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) GUESS=c4-convex-bsd ;; CRAY*Y-MP:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=ymp-cray-unicos$CRAY_REL ;; CRAY*[A-Z]90:*:*:*) echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=t90-cray-unicos$CRAY_REL ;; CRAY*T3E:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=alphaev5-cray-unicosmk$CRAY_REL ;; CRAY*SV1:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=sv1-cray-unicos$CRAY_REL ;; *:UNICOS/mp:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=craynv-cray-unicosmp$CRAY_REL ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` GUESS=${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` GUESS=sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) GUESS=$UNAME_MACHINE-pc-bsdi$UNAME_RELEASE ;; sparc*:BSD/OS:*:*) GUESS=sparc-unknown-bsdi$UNAME_RELEASE ;; *:BSD/OS:*:*) GUESS=$UNAME_MACHINE-unknown-bsdi$UNAME_RELEASE ;; arm:FreeBSD:*:*) UNAME_PROCESSOR=`uname -p` set_cc_for_build if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabi else FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabihf fi ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`uname -p` case $UNAME_PROCESSOR in amd64) UNAME_PROCESSOR=x86_64 ;; i386) UNAME_PROCESSOR=i586 ;; esac FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL ;; i*:CYGWIN*:*) GUESS=$UNAME_MACHINE-pc-cygwin ;; *:MINGW64*:*) GUESS=$UNAME_MACHINE-pc-mingw64 ;; *:MINGW*:*) GUESS=$UNAME_MACHINE-pc-mingw32 ;; *:MSYS*:*) GUESS=$UNAME_MACHINE-pc-msys ;; i*:PW*:*) GUESS=$UNAME_MACHINE-pc-pw32 ;; *:SerenityOS:*:*) GUESS=$UNAME_MACHINE-pc-serenity ;; *:Interix*:*) case $UNAME_MACHINE in x86) GUESS=i586-pc-interix$UNAME_RELEASE ;; authenticamd | genuineintel | EM64T) GUESS=x86_64-unknown-interix$UNAME_RELEASE ;; IA64) GUESS=ia64-unknown-interix$UNAME_RELEASE ;; esac ;; i*:UWIN*:*) GUESS=$UNAME_MACHINE-pc-uwin ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) GUESS=x86_64-pc-cygwin ;; prep*:SunOS:5.*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=powerpcle-unknown-solaris2$SUN_REL ;; *:GNU:*:*) # the GNU system GNU_ARCH=`echo "$UNAME_MACHINE" | sed -e 's,[-/].*$,,'` GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's,/.*$,,'` GUESS=$GNU_ARCH-unknown-$LIBC$GNU_REL ;; *:GNU/*:*:*) # other systems with GNU libc and userland GNU_SYS=`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"` GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC ;; x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*) GUESS="$UNAME_MACHINE-pc-managarm-mlibc" ;; *:[Mm]anagarm:*:*) GUESS="$UNAME_MACHINE-unknown-managarm-mlibc" ;; *:Minix:*:*) GUESS=$UNAME_MACHINE-unknown-minix ;; aarch64:Linux:*:*) set_cc_for_build CPU=$UNAME_MACHINE LIBCABI=$LIBC if test "$CC_FOR_BUILD" != no_compiler_found; then ABI=64 sed 's/^ //' << EOF > "$dummy.c" #ifdef __ARM_EABI__ #ifdef __ARM_PCS_VFP ABI=eabihf #else ABI=eabi #endif #endif EOF cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` eval "$cc_set_abi" case $ABI in eabi | eabihf) CPU=armv8l; LIBCABI=$LIBC$ABI ;; esac fi GUESS=$CPU-unknown-linux-$LIBCABI ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC=gnulibc1 ; fi GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; arc:Linux:*:* | arceb:Linux:*:* | arc32:Linux:*:* | arc64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; arm*:Linux:*:*) set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then GUESS=$UNAME_MACHINE-unknown-linux-$LIBC else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabi else GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabihf fi fi ;; avr32*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; cris:Linux:*:*) GUESS=$UNAME_MACHINE-axis-linux-$LIBC ;; crisv32:Linux:*:*) GUESS=$UNAME_MACHINE-axis-linux-$LIBC ;; e2k:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; frv:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; hexagon:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; i*86:Linux:*:*) GUESS=$UNAME_MACHINE-pc-linux-$LIBC ;; ia64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; k1om:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; kvx:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; kvx:cos:*:*) GUESS=$UNAME_MACHINE-unknown-cos ;; kvx:mbr:*:*) GUESS=$UNAME_MACHINE-unknown-mbr ;; loongarch32:Linux:*:* | loongarch64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; m32r*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; m68*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; mips:Linux:*:* | mips64:Linux:*:*) set_cc_for_build IS_GLIBC=0 test x"${LIBC}" = xgnu && IS_GLIBC=1 sed 's/^ //' << EOF > "$dummy.c" #undef CPU #undef mips #undef mipsel #undef mips64 #undef mips64el #if ${IS_GLIBC} && defined(_ABI64) LIBCABI=gnuabi64 #else #if ${IS_GLIBC} && defined(_ABIN32) LIBCABI=gnuabin32 #else LIBCABI=${LIBC} #endif #endif #if ${IS_GLIBC} && defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 CPU=mipsisa64r6 #else #if ${IS_GLIBC} && !defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 CPU=mipsisa32r6 #else #if defined(__mips64) CPU=mips64 #else CPU=mips #endif #endif #endif #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) MIPS_ENDIAN=el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) MIPS_ENDIAN= #else MIPS_ENDIAN= #endif #endif EOF cc_set_vars=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU\|^MIPS_ENDIAN\|^LIBCABI'` eval "$cc_set_vars" test "x$CPU" != x && { echo "$CPU${MIPS_ENDIAN}-unknown-linux-$LIBCABI"; exit; } ;; mips64el:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; openrisc*:Linux:*:*) GUESS=or1k-unknown-linux-$LIBC ;; or32:Linux:*:* | or1k*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; padre:Linux:*:*) GUESS=sparc-unknown-linux-$LIBC ;; parisc64:Linux:*:* | hppa64:Linux:*:*) GUESS=hppa64-unknown-linux-$LIBC ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) GUESS=hppa1.1-unknown-linux-$LIBC ;; PA8*) GUESS=hppa2.0-unknown-linux-$LIBC ;; *) GUESS=hppa-unknown-linux-$LIBC ;; esac ;; ppc64:Linux:*:*) GUESS=powerpc64-unknown-linux-$LIBC ;; ppc:Linux:*:*) GUESS=powerpc-unknown-linux-$LIBC ;; ppc64le:Linux:*:*) GUESS=powerpc64le-unknown-linux-$LIBC ;; ppcle:Linux:*:*) GUESS=powerpcle-unknown-linux-$LIBC ;; riscv32:Linux:*:* | riscv32be:Linux:*:* | riscv64:Linux:*:* | riscv64be:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; s390:Linux:*:* | s390x:Linux:*:*) GUESS=$UNAME_MACHINE-ibm-linux-$LIBC ;; sh64*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; sh*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; sparc:Linux:*:* | sparc64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; tile*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; vax:Linux:*:*) GUESS=$UNAME_MACHINE-dec-linux-$LIBC ;; x86_64:Linux:*:*) set_cc_for_build CPU=$UNAME_MACHINE LIBCABI=$LIBC if test "$CC_FOR_BUILD" != no_compiler_found; then ABI=64 sed 's/^ //' << EOF > "$dummy.c" #ifdef __i386__ ABI=x86 #else #ifdef __ILP32__ ABI=x32 #endif #endif EOF cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` eval "$cc_set_abi" case $ABI in x86) CPU=i686 ;; x32) LIBCABI=${LIBC}x32 ;; esac fi GUESS=$CPU-pc-linux-$LIBCABI ;; xtensa*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. GUESS=i386-sequent-sysv4 ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION ;; i*86:OS/2:*:*) # If we were able to find 'uname', then EMX Unix compatibility # is probably installed. GUESS=$UNAME_MACHINE-pc-os2-emx ;; i*86:XTS-300:*:STOP) GUESS=$UNAME_MACHINE-unknown-stop ;; i*86:atheos:*:*) GUESS=$UNAME_MACHINE-unknown-atheos ;; i*86:syllable:*:*) GUESS=$UNAME_MACHINE-pc-syllable ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) GUESS=i386-unknown-lynxos$UNAME_RELEASE ;; i*86:*DOS:*:*) GUESS=$UNAME_MACHINE-pc-msdosdjgpp ;; i*86:*:4.*:*) UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then GUESS=$UNAME_MACHINE-univel-sysv$UNAME_REL else GUESS=$UNAME_MACHINE-pc-sysv$UNAME_REL fi ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac GUESS=$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 GUESS=$UNAME_MACHINE-pc-sco$UNAME_REL else GUESS=$UNAME_MACHINE-pc-sysv32 fi ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. GUESS=i586-pc-msdosdjgpp ;; Intel:Mach:3*:*) GUESS=i386-pc-mach3 ;; paragon:*:*:*) GUESS=i860-intel-osf1 ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then GUESS=i860-stardent-sysv$UNAME_RELEASE # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. GUESS=i860-unknown-sysv$UNAME_RELEASE # Unknown i860-SVR4 fi ;; mini*:CTIX:SYS*5:*) # "miniframe" GUESS=m68010-convergent-sysv ;; mc68k:UNIX:SYSTEM5:3.51m) GUESS=m68k-convergent-sysv ;; M680?0:D-NIX:5.3:*) GUESS=m68k-diab-dnix ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) GUESS=m68k-unknown-lynxos$UNAME_RELEASE ;; mc68030:UNIX_System_V:4.*:*) GUESS=m68k-atari-sysv4 ;; TSUNAMI:LynxOS:2.*:*) GUESS=sparc-unknown-lynxos$UNAME_RELEASE ;; rs6000:LynxOS:2.*:*) GUESS=rs6000-unknown-lynxos$UNAME_RELEASE ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) GUESS=powerpc-unknown-lynxos$UNAME_RELEASE ;; SM[BE]S:UNIX_SV:*:*) GUESS=mips-dde-sysv$UNAME_RELEASE ;; RM*:ReliantUNIX-*:*:*) GUESS=mips-sni-sysv4 ;; RM*:SINIX-*:*:*) GUESS=mips-sni-sysv4 ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` GUESS=$UNAME_MACHINE-sni-sysv4 else GUESS=ns32k-sni-sysv fi ;; PENTIUM:*:4.0*:*) # Unisys 'ClearPath HMP IX 4000' SVR4/MP effort # says GUESS=i586-unisys-sysv4 ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm GUESS=hppa1.1-stratus-sysv4 ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. GUESS=i860-stratus-sysv4 ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. GUESS=$UNAME_MACHINE-stratus-vos ;; *:VOS:*:*) # From Paul.Green@stratus.com. GUESS=hppa1.1-stratus-vos ;; mc68*:A/UX:*:*) GUESS=m68k-apple-aux$UNAME_RELEASE ;; news*:NEWS-OS:6*:*) GUESS=mips-sony-newsos6 ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if test -d /usr/nec; then GUESS=mips-nec-sysv$UNAME_RELEASE else GUESS=mips-unknown-sysv$UNAME_RELEASE fi ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. GUESS=powerpc-be-beos ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. GUESS=powerpc-apple-beos ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. GUESS=i586-pc-beos ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. GUESS=i586-pc-haiku ;; ppc:Haiku:*:*) # Haiku running on Apple PowerPC GUESS=powerpc-apple-haiku ;; *:Haiku:*:*) # Haiku modern gcc (not bound by BeOS compat) GUESS=$UNAME_MACHINE-unknown-haiku ;; SX-4:SUPER-UX:*:*) GUESS=sx4-nec-superux$UNAME_RELEASE ;; SX-5:SUPER-UX:*:*) GUESS=sx5-nec-superux$UNAME_RELEASE ;; SX-6:SUPER-UX:*:*) GUESS=sx6-nec-superux$UNAME_RELEASE ;; SX-7:SUPER-UX:*:*) GUESS=sx7-nec-superux$UNAME_RELEASE ;; SX-8:SUPER-UX:*:*) GUESS=sx8-nec-superux$UNAME_RELEASE ;; SX-8R:SUPER-UX:*:*) GUESS=sx8r-nec-superux$UNAME_RELEASE ;; SX-ACE:SUPER-UX:*:*) GUESS=sxace-nec-superux$UNAME_RELEASE ;; Power*:Rhapsody:*:*) GUESS=powerpc-apple-rhapsody$UNAME_RELEASE ;; *:Rhapsody:*:*) GUESS=$UNAME_MACHINE-apple-rhapsody$UNAME_RELEASE ;; arm64:Darwin:*:*) GUESS=aarch64-apple-darwin$UNAME_RELEASE ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` case $UNAME_PROCESSOR in unknown) UNAME_PROCESSOR=powerpc ;; esac if command -v xcode-select > /dev/null 2> /dev/null && \ ! xcode-select --print-path > /dev/null 2> /dev/null ; then # Avoid executing cc if there is no toolchain installed as # cc will be a stub that puts up a graphical alert # prompting the user to install developer tools. CC_FOR_BUILD=no_compiler_found else set_cc_for_build fi if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_PPC >/dev/null then UNAME_PROCESSOR=powerpc fi elif test "$UNAME_PROCESSOR" = i386 ; then # uname -m returns i386 or x86_64 UNAME_PROCESSOR=$UNAME_MACHINE fi GUESS=$UNAME_PROCESSOR-apple-darwin$UNAME_RELEASE ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi GUESS=$UNAME_PROCESSOR-$UNAME_MACHINE-nto-qnx$UNAME_RELEASE ;; *:QNX:*:4*) GUESS=i386-pc-qnx ;; NEO-*:NONSTOP_KERNEL:*:*) GUESS=neo-tandem-nsk$UNAME_RELEASE ;; NSE-*:NONSTOP_KERNEL:*:*) GUESS=nse-tandem-nsk$UNAME_RELEASE ;; NSR-*:NONSTOP_KERNEL:*:*) GUESS=nsr-tandem-nsk$UNAME_RELEASE ;; NSV-*:NONSTOP_KERNEL:*:*) GUESS=nsv-tandem-nsk$UNAME_RELEASE ;; NSX-*:NONSTOP_KERNEL:*:*) GUESS=nsx-tandem-nsk$UNAME_RELEASE ;; *:NonStop-UX:*:*) GUESS=mips-compaq-nonstopux ;; BS2000:POSIX*:*:*) GUESS=bs2000-siemens-sysv ;; DS/*:UNIX_System_V:*:*) GUESS=$UNAME_MACHINE-$UNAME_SYSTEM-$UNAME_RELEASE ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. if test "${cputype-}" = 386; then UNAME_MACHINE=i386 elif test "x${cputype-}" != x; then UNAME_MACHINE=$cputype fi GUESS=$UNAME_MACHINE-unknown-plan9 ;; *:TOPS-10:*:*) GUESS=pdp10-unknown-tops10 ;; *:TENEX:*:*) GUESS=pdp10-unknown-tenex ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) GUESS=pdp10-dec-tops20 ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) GUESS=pdp10-xkl-tops20 ;; *:TOPS-20:*:*) GUESS=pdp10-unknown-tops20 ;; *:ITS:*:*) GUESS=pdp10-unknown-its ;; SEI:*:*:SEIUX) GUESS=mips-sei-seiux$UNAME_RELEASE ;; *:DragonFly:*:*) DRAGONFLY_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_MACHINE-unknown-dragonfly$DRAGONFLY_REL ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case $UNAME_MACHINE in A*) GUESS=alpha-dec-vms ;; I*) GUESS=ia64-dec-vms ;; V*) GUESS=vax-dec-vms ;; esac ;; *:XENIX:*:SysV) GUESS=i386-pc-xenix ;; i*86:skyos:*:*) SKYOS_REL=`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'` GUESS=$UNAME_MACHINE-pc-skyos$SKYOS_REL ;; i*86:rdos:*:*) GUESS=$UNAME_MACHINE-pc-rdos ;; i*86:Fiwix:*:*) GUESS=$UNAME_MACHINE-pc-fiwix ;; *:AROS:*:*) GUESS=$UNAME_MACHINE-unknown-aros ;; x86_64:VMkernel:*:*) GUESS=$UNAME_MACHINE-unknown-esx ;; amd64:Isilon\ OneFS:*:*) GUESS=x86_64-unknown-onefs ;; *:Unleashed:*:*) GUESS=$UNAME_MACHINE-unknown-unleashed$UNAME_RELEASE ;; x86_64:[Ii]ronclad:*:*|i?86:[Ii]ronclad:*:*) GUESS=$UNAME_MACHINE-pc-ironclad-mlibc ;; *:[Ii]ronclad:*:*) GUESS=$UNAME_MACHINE-unknown-ironclad-mlibc ;; esac # Do we have a guess based on uname results? if test "x$GUESS" != x; then echo "$GUESS" exit fi # No uname command or uname output not recognized. set_cc_for_build cat > "$dummy.c" < #include #endif #if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) #if defined (vax) || defined (__vax) || defined (__vax__) || defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) #include #if defined(_SIZE_T_) || defined(SIGLOST) #include #endif #endif #endif int main () { #if defined (sony) #if defined (MIPSEB) /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, I don't know.... */ printf ("mips-sony-bsd\n"); exit (0); #else #include printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 "4" #else "" #endif ); exit (0); #endif #endif #if defined (NeXT) #if !defined (__ARCHITECTURE__) #define __ARCHITECTURE__ "m68k" #endif int version; version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; if (version < 4) printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); else printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); exit (0); #endif #if defined (MULTIMAX) || defined (n16) #if defined (UMAXV) printf ("ns32k-encore-sysv\n"); exit (0); #else #if defined (CMU) printf ("ns32k-encore-mach\n"); exit (0); #else printf ("ns32k-encore-bsd\n"); exit (0); #endif #endif #endif #if defined (__386BSD__) printf ("i386-pc-bsd\n"); exit (0); #endif #if defined (sequent) #if defined (i386) printf ("i386-sequent-dynix\n"); exit (0); #endif #if defined (ns32000) printf ("ns32k-sequent-dynix\n"); exit (0); #endif #endif #if defined (_SEQUENT_) struct utsname un; uname(&un); if (strncmp(un.version, "V2", 2) == 0) { printf ("i386-sequent-ptx2\n"); exit (0); } if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ printf ("i386-sequent-ptx1\n"); exit (0); } printf ("i386-sequent-ptx\n"); exit (0); #endif #if defined (vax) #if !defined (ultrix) #include #if defined (BSD) #if BSD == 43 printf ("vax-dec-bsd4.3\n"); exit (0); #else #if BSD == 199006 printf ("vax-dec-bsd4.3reno\n"); exit (0); #else printf ("vax-dec-bsd\n"); exit (0); #endif #endif #else printf ("vax-dec-bsd\n"); exit (0); #endif #else #if defined(_SIZE_T_) || defined(SIGLOST) struct utsname un; uname (&un); printf ("vax-dec-ultrix%s\n", un.release); exit (0); #else printf ("vax-dec-ultrix\n"); exit (0); #endif #endif #endif #if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) #if defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) #if defined(_SIZE_T_) || defined(SIGLOST) struct utsname *un; uname (&un); printf ("mips-dec-ultrix%s\n", un.release); exit (0); #else printf ("mips-dec-ultrix\n"); exit (0); #endif #endif #endif #if defined (alliant) && defined (i860) printf ("i860-alliant-bsd\n"); exit (0); #endif exit (1); } EOF $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } # Apollos put the system type in the environment. test -d /usr/apollo && { echo "$ISP-apollo-$SYSTYPE"; exit; } echo "$0: unable to guess system type" >&2 case $UNAME_MACHINE:$UNAME_SYSTEM in mips:Linux | mips64:Linux) # If we got here on MIPS GNU/Linux, output extra information. cat >&2 <&2 <&2 </dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = "$UNAME_MACHINE" UNAME_RELEASE = "$UNAME_RELEASE" UNAME_SYSTEM = "$UNAME_SYSTEM" UNAME_VERSION = "$UNAME_VERSION" EOF fi exit 1 # Local variables: # eval: (add-hook 'before-save-hook 'time-stamp nil t) # time-stamp-start: "timestamp='" # time-stamp-format: "%Y-%02m-%02d" # time-stamp-end: "'" # End: nettle-4.0/config.h.in0000644000000000000000000001731515141166424011634 0ustar00/* config.h.in. Generated from configure.ac by autoheader. */ /* Define if building universal (internal helper macro) */ #undef AC_APPLE_UNIVERSAL_BUILD /* Define to 1 if using 'alloca.c'. */ #undef C_ALLOCA /* Define to 1 if you have 'alloca', as a function or macro. */ #undef HAVE_ALLOCA /* Define to 1 if works. */ #undef HAVE_ALLOCA_H /* Define if __builtin_bswap64 is available */ #undef HAVE_BUILTIN_BSWAP64 /* Define if clock_gettime is available */ #undef HAVE_CLOCK_GETTIME /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H /* Define to 1 if you have the 'elf_aux_info' function. */ #undef HAVE_ELF_AUX_INFO /* Define if fcntl file locking is available */ #undef HAVE_FCNTL_LOCKING /* Define if the compiler understands __attribute__ */ #undef HAVE_GCC_ATTRIBUTE /* Define to 1 if you have the 'getline' function. */ #undef HAVE_GETLINE /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have dlopen (with -ldl). */ #undef HAVE_LIBDL /* Define to 1 if you have the 'gmp' library (-lgmp). */ #undef HAVE_LIBGMP /* Define if compiler and linker supports __attribute__ ifunc */ #undef HAVE_LINK_IFUNC /* Define to 1 if you have the header file. */ #undef HAVE_MALLOC_H /* Define to 1 each of the following for which a native (ie. CPU specific) implementation of the corresponding routine exists. */ #undef HAVE_NATIVE_memxor3 #undef HAVE_NATIVE_aes_decrypt #undef HAVE_NATIVE_aes_encrypt #undef HAVE_NATIVE_aes_invert #undef HAVE_NATIVE_aes128_decrypt #undef HAVE_NATIVE_aes128_encrypt #undef HAVE_NATIVE_aes128_invert_key #undef HAVE_NATIVE_aes128_set_decrypt_key #undef HAVE_NATIVE_aes128_set_encrypt_key #undef HAVE_NATIVE_aes192_decrypt #undef HAVE_NATIVE_aes192_encrypt #undef HAVE_NATIVE_aes192_invert_key #undef HAVE_NATIVE_aes192_set_decrypt_key #undef HAVE_NATIVE_aes192_set_encrypt_key #undef HAVE_NATIVE_aes256_decrypt #undef HAVE_NATIVE_aes256_encrypt #undef HAVE_NATIVE_aes256_invert_key #undef HAVE_NATIVE_aes256_set_decrypt_key #undef HAVE_NATIVE_aes256_set_encrypt_key #undef HAVE_NATIVE_cbc_aes128_encrypt #undef HAVE_NATIVE_cbc_aes192_encrypt #undef HAVE_NATIVE_cbc_aes256_encrypt #undef HAVE_NATIVE_chacha_core #undef HAVE_NATIVE_chacha_2core #undef HAVE_NATIVE_chacha_3core #undef HAVE_NATIVE_chacha_4core #undef HAVE_NATIVE_fat_chacha_2core #undef HAVE_NATIVE_fat_chacha_3core #undef HAVE_NATIVE_fat_chacha_4core #undef HAVE_NATIVE_ecc_curve25519_modp #undef HAVE_NATIVE_ecc_curve448_modp #undef HAVE_NATIVE_ecc_secp192r1_modp #undef HAVE_NATIVE_ecc_secp192r1_redc #undef HAVE_NATIVE_ecc_secp224r1_modp #undef HAVE_NATIVE_ecc_secp224r1_redc #undef HAVE_NATIVE_ecc_secp256r1_modp #undef HAVE_NATIVE_ecc_secp256r1_redc #undef HAVE_NATIVE_ecc_secp384r1_modp #undef HAVE_NATIVE_ecc_secp384r1_redc #undef HAVE_NATIVE_ecc_secp521r1_modp #undef HAVE_NATIVE_ecc_secp521r1_redc #undef HAVE_NATIVE_poly1305_set_key #undef HAVE_NATIVE_poly1305_block #undef HAVE_NATIVE_poly1305_digest #undef HAVE_NATIVE_poly1305_blocks #undef HAVE_NATIVE_fat_poly1305_blocks #undef HAVE_NATIVE_ghash_set_key #undef HAVE_NATIVE_ghash_update #undef HAVE_NATIVE_gcm_aes_encrypt #undef HAVE_NATIVE_gcm_aes_decrypt #undef HAVE_NATIVE_salsa20_core #undef HAVE_NATIVE_salsa20_2core #undef HAVE_NATIVE_fat_salsa20_2core #undef HAVE_NATIVE_sha1_compress #undef HAVE_NATIVE_sha256_compress_n #undef HAVE_NATIVE_sha512_compress #undef HAVE_NATIVE_sha3_permute #undef HAVE_NATIVE_umac_nh #undef HAVE_NATIVE_umac_nh_n /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_EC_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_EVP_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_RSA_H /* Define to 1 if you have the 'secure_getenv' function. */ #undef HAVE_SECURE_GETENV /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDIO_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the header file. */ #undef HAVE_VALGRIND_MEMCHECK_H /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* The size of 'long', as computed by sizeof. */ #undef SIZEOF_LONG /* The size of 'size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T /* If using the C implementation of alloca, define if you know the direction of stack growth for your system; otherwise it will be automatically deduced at runtime. STACK_DIRECTION > 0 => grows toward higher addresses STACK_DIRECTION < 0 => grows toward lower addresses STACK_DIRECTION = 0 => direction of growth unknown */ #undef STACK_DIRECTION /* Define to 1 if all of the C89 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for backward compatibility; new code need not use it. */ #undef STDC_HEADERS /* Defined to enable additional asserts */ #undef WITH_EXTRA_ASSERTS /* Defined if public key features are enabled */ #undef WITH_HOGWEED /* Define if you have openssl libcrypto (used for benchmarking) */ #undef WITH_OPENSSL /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ #if defined AC_APPLE_UNIVERSAL_BUILD # if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 # endif #else # ifndef WORDS_BIGENDIAN # undef WORDS_BIGENDIAN # endif #endif /* Define to empty if 'const' does not conform to ANSI C. */ #undef const /* Define as 'int' if doesn't define. */ #undef gid_t /* Define to '__inline__' or '__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif /* Define as 'unsigned int' if doesn't define. */ #undef size_t /* Define as 'int' if doesn't define. */ #undef uid_t /* AIX requires this to be the first thing in the file. */ #ifndef __GNUC__ # if HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ char *alloca (); # endif # endif /* Needed for alloca on windows */ # if HAVE_MALLOC_H # include # endif # endif #else /* defined __GNUC__ */ # if HAVE_ALLOCA_H # include # else /* Needed for alloca on windows, also with gcc */ # if HAVE_MALLOC_H # include # endif # endif #endif #if __GNUC__ && HAVE_GCC_ATTRIBUTE # define NORETURN __attribute__ ((__noreturn__)) # define PRINTF_STYLE(f, a) __attribute__ ((__format__ (__printf__, f, a))) # define UNUSED __attribute__ ((__unused__)) #else # define NORETURN # define PRINTF_STYLE(f, a) # define UNUSED #endif #if defined(__x86_64__) || defined(__arch64__) # define HAVE_NATIVE_64_BIT 1 #else /* Needs include of before use. */ # define HAVE_NATIVE_64_BIT (SIZEOF_LONG * CHAR_BIT >= 64) #endif nettle-4.0/config.m4.in0000644000000000000000000000131115141166424011712 0ustar00define(`srcdir', ``@srcdir@'')dnl define(`SYMBOL_PREFIX', `@ASM_SYMBOL_PREFIX@'`$1')dnl define(`ELF_STYLE', `@ASM_ELF_STYLE@')dnl define(`COFF_STYLE', `@ASM_COFF_STYLE@')dnl define(`TYPE_FUNCTION', `@ASM_TYPE_FUNCTION@')dnl define(`TYPE_PROGBITS', `@ASM_TYPE_PROGBITS@')dnl define(`ALIGN_LOG', `@ASM_ALIGN_LOG@')dnl define(`ELFV2_ABI', `@ELFV2_ABI@')dnl define(`W64_ABI', `@W64_ABI@')dnl define(`RODATA', `@ASM_RODATA@')dnl define(`WORDS_BIGENDIAN', `@ASM_WORDS_BIGENDIAN@')dnl define(`ASM_X86_ENDBR',`@ASM_X86_ENDBR@')dnl define(`ASM_X86_MARK_CET_ALIGN',`@ASM_X86_MARK_CET_ALIGN@')dnl define(`ASM_PPC_WANT_R_REGISTERS',`@ASM_PPC_WANT_R_REGISTERS@')dnl divert(1) @ASM_X86_MARK_CET@ @ASM_MARK_NOEXEC_STACK@ divert nettle-4.0/config.make.in0000644000000000000000000000515515141166424012321 0ustar00# Makefile settings shared between Makefiles. CC = @CC@ CXX = @CXX@ CFLAGS = @CFLAGS@ CXXFLAGS = @CXXFLAGS@ CCPIC = @CCPIC@ CPPFLAGS = @CPPFLAGS@ DEFS = @DEFS@ LDFLAGS = @LDFLAGS@ ASM_FLAGS = @ASM_FLAGS@ LIBS = @LIBS@ LIBOBJS = @LIBOBJS@ EMULATOR = @EMULATOR@ NM = @NM@ OBJEXT = @OBJEXT@ EXEEXT = @EXEEXT@ CC_FOR_BUILD = @CC_FOR_BUILD@ EXEEXT_FOR_BUILD = @EXEEXT_FOR_BUILD@ DEP_FLAGS = @DEP_FLAGS@ DEP_PROCESS = @DEP_PROCESS@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ LIBNETTLE_MAJOR = @LIBNETTLE_MAJOR@ LIBNETTLE_MINOR = @LIBNETTLE_MINOR@ LIBNETTLE_SONAME = @LIBNETTLE_SONAME@ LIBNETTLE_FILE = @LIBNETTLE_FILE@ LIBNETTLE_FILE_SRC = @LIBNETTLE_FILE_SRC@ LIBNETTLE_FORLINK = @LIBNETTLE_FORLINK@ LIBNETTLE_LIBS = @LIBNETTLE_LIBS@ LIBNETTLE_LINK = @LIBNETTLE_LINK@ LIBHOGWEED_MAJOR = @LIBHOGWEED_MAJOR@ LIBHOGWEED_MINOR = @LIBHOGWEED_MINOR@ LIBHOGWEED_SONAME = @LIBHOGWEED_SONAME@ LIBHOGWEED_FILE = @LIBHOGWEED_FILE@ LIBHOGWEED_FILE_SRC = @LIBHOGWEED_FILE_SRC@ LIBHOGWEED_FORLINK = @LIBHOGWEED_FORLINK@ LIBHOGWEED_LIBS = @LIBHOGWEED_LIBS@ LIBHOGWEED_LINK = @LIBHOGWEED_LINK@ NUMB_BITS = @NUMB_BITS@ AR = @AR@ ARFLAGS = cru AUTOCONF = autoconf AUTOHEADER = autoheader M4 = @M4@ MAKEINFO = makeinfo RANLIB = @RANLIB@ LN_S = @LN_S@ prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ bindir = @bindir@ libdir = @libdir@ includedir = @includedir@ infodir = @infodir@ abs_top_builddir = @abs_top_builddir@ # Absolute name, since some systems require that for LD_LIBRARY_PATH. TEST_SHLIB_DIR = ${abs_top_builddir}/.lib # PRE_CPPFLAGS and PRE_LDFLAGS lets each Makefile.in prepend its own # flags before CPPFLAGS and LDFLAGS. While EXTRA_CFLAGS are added at the end. COMPILE = $(CC) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CFLAGS) $(EXTRA_CFLAGS) $(DEP_FLAGS) COMPILE_CXX = $(CXX) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CXXFLAGS) $(DEP_FLAGS) LINK = $(CC) $(CFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) LINK_CXX = $(CXX) $(CXXFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) # Default rule. Must be here, since config.make is included before the # usual targets. default: all # Don't use any old-fashioned suffix rules. .SUFFIXES: # Disable builtin rule %$(EXEEXT) : %.c # Keep object files .PRECIOUS: %.o .PHONY: all check install uninstall clean distclean mostlyclean maintainer-clean distdir \ all-here check-here install-here clean-here distclean-here mostlyclean-here \ maintainer-clean-here distdir-here \ install-shared install-info install-headers \ uninstall-shared uninstall-info uninstall-headers \ dist distcleancheck nettle-4.0/config.sub0000755000000000000000000011600715141166424011572 0ustar00#! /bin/sh # Configuration validation subroutine script. # Copyright 1992-2025 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268,SC2162 # see below for rationale timestamp='2025-07-10' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches to . # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # https://git.savannah.gnu.org/cgit/config.git/plain/config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. # The "shellcheck disable" line above the timestamp inhibits complaints # about features and limitations of the classic Bourne shell that were # superseded or lifted in POSIX. However, this script identifies a wide # variety of pre-POSIX systems that do not have POSIX shells at all, and # even some reasonably current systems (Solaris 10 as case-in-point) still # have a pre-POSIX /bin/sh. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright 1992-2025 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try '$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; *local*) # First pass through any local machine types. echo "$1" exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Split fields of configuration type saved_IFS=$IFS IFS="-" read field1 field2 field3 field4 <&2 exit 1 ;; *-*-*-*) basic_machine=$field1-$field2 basic_os=$field3-$field4 ;; *-*-*) # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two # parts maybe_os=$field2-$field3 case $maybe_os in cloudabi*-eabi* \ | kfreebsd*-gnu* \ | knetbsd*-gnu* \ | kopensolaris*-gnu* \ | ironclad-* \ | linux-* \ | managarm-* \ | netbsd*-eabi* \ | netbsd*-gnu* \ | nto-qnx* \ | os2-emx* \ | rtmk-nova* \ | storm-chaos* \ | uclinux-gnu* \ | uclinux-uclibc* \ | windows-* ) basic_machine=$field1 basic_os=$maybe_os ;; android-linux) basic_machine=$field1-unknown basic_os=linux-android ;; *) basic_machine=$field1-$field2 basic_os=$field3 ;; esac ;; *-*) case $field1-$field2 in # Shorthands that happen to contain a single dash convex-c[12] | convex-c3[248]) basic_machine=$field2-convex basic_os= ;; decstation-3100) basic_machine=mips-dec basic_os= ;; *-*) # Second component is usually, but not always the OS case $field2 in # Do not treat sunos as a manufacturer sun*os*) basic_machine=$field1 basic_os=$field2 ;; # Manufacturers 3100* \ | 32* \ | 3300* \ | 3600* \ | 7300* \ | acorn \ | altos* \ | apollo \ | apple \ | atari \ | att* \ | axis \ | be \ | bull \ | cbm \ | ccur \ | cisco \ | commodore \ | convergent* \ | convex* \ | cray \ | crds \ | dec* \ | delta* \ | dg \ | digital \ | dolphin \ | encore* \ | gould \ | harris \ | highlevel \ | hitachi* \ | hp \ | ibm* \ | intergraph \ | isi* \ | knuth \ | masscomp \ | microblaze* \ | mips* \ | motorola* \ | ncr* \ | news \ | next \ | ns \ | oki \ | omron* \ | pc533* \ | rebel \ | rom68k \ | rombug \ | semi \ | sequent* \ | sgi* \ | siemens \ | sim \ | sni \ | sony* \ | stratus \ | sun \ | sun[234]* \ | tektronix \ | tti* \ | ultra \ | unicom* \ | wec \ | winbond \ | wrs) basic_machine=$field1-$field2 basic_os= ;; tock* | zephyr*) basic_machine=$field1-unknown basic_os=$field2 ;; *) basic_machine=$field1 basic_os=$field2 ;; esac ;; esac ;; *) # Convert single-component short-hands not valid as part of # multi-component configurations. case $field1 in 386bsd) basic_machine=i386-pc basic_os=bsd ;; a29khif) basic_machine=a29k-amd basic_os=udi ;; adobe68k) basic_machine=m68010-adobe basic_os=scout ;; alliant) basic_machine=fx80-alliant basic_os= ;; altos | altos3068) basic_machine=m68k-altos basic_os= ;; am29k) basic_machine=a29k-none basic_os=bsd ;; amdahl) basic_machine=580-amdahl basic_os=sysv ;; amiga) basic_machine=m68k-unknown basic_os= ;; amigaos | amigados) basic_machine=m68k-unknown basic_os=amigaos ;; amigaunix | amix) basic_machine=m68k-unknown basic_os=sysv4 ;; apollo68) basic_machine=m68k-apollo basic_os=sysv ;; apollo68bsd) basic_machine=m68k-apollo basic_os=bsd ;; aros) basic_machine=i386-pc basic_os=aros ;; aux) basic_machine=m68k-apple basic_os=aux ;; balance) basic_machine=ns32k-sequent basic_os=dynix ;; blackfin) basic_machine=bfin-unknown basic_os=linux ;; cegcc) basic_machine=arm-unknown basic_os=cegcc ;; cray) basic_machine=j90-cray basic_os=unicos ;; crds | unos) basic_machine=m68k-crds basic_os= ;; da30) basic_machine=m68k-da30 basic_os= ;; decstation | pmax | pmin | dec3100 | decstatn) basic_machine=mips-dec basic_os= ;; delta88) basic_machine=m88k-motorola basic_os=sysv3 ;; dicos) basic_machine=i686-pc basic_os=dicos ;; djgpp) basic_machine=i586-pc basic_os=msdosdjgpp ;; ebmon29k) basic_machine=a29k-amd basic_os=ebmon ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson basic_os=ose ;; gmicro) basic_machine=tron-gmicro basic_os=sysv ;; go32) basic_machine=i386-pc basic_os=go32 ;; h8300hms) basic_machine=h8300-hitachi basic_os=hms ;; h8300xray) basic_machine=h8300-hitachi basic_os=xray ;; h8500hms) basic_machine=h8500-hitachi basic_os=hms ;; harris) basic_machine=m88k-harris basic_os=sysv3 ;; hp300 | hp300hpux) basic_machine=m68k-hp basic_os=hpux ;; hp300bsd) basic_machine=m68k-hp basic_os=bsd ;; hppaosf) basic_machine=hppa1.1-hp basic_os=osf ;; hppro) basic_machine=hppa1.1-hp basic_os=proelf ;; i386mach) basic_machine=i386-mach basic_os=mach ;; isi68 | isi) basic_machine=m68k-isi basic_os=sysv ;; m68knommu) basic_machine=m68k-unknown basic_os=linux ;; magnum | m3230) basic_machine=mips-mips basic_os=sysv ;; merlin) basic_machine=ns32k-utek basic_os=sysv ;; mingw64) basic_machine=x86_64-pc basic_os=mingw64 ;; mingw32) basic_machine=i686-pc basic_os=mingw32 ;; mingw32ce) basic_machine=arm-unknown basic_os=mingw32ce ;; monitor) basic_machine=m68k-rom68k basic_os=coff ;; morphos) basic_machine=powerpc-unknown basic_os=morphos ;; moxiebox) basic_machine=moxie-unknown basic_os=moxiebox ;; msdos) basic_machine=i386-pc basic_os=msdos ;; msys) basic_machine=i686-pc basic_os=msys ;; mvs) basic_machine=i370-ibm basic_os=mvs ;; nacl) basic_machine=le32-unknown basic_os=nacl ;; ncr3000) basic_machine=i486-ncr basic_os=sysv4 ;; netbsd386) basic_machine=i386-pc basic_os=netbsd ;; netwinder) basic_machine=armv4l-rebel basic_os=linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony basic_os=newsos ;; news1000) basic_machine=m68030-sony basic_os=newsos ;; necv70) basic_machine=v70-nec basic_os=sysv ;; nh3000) basic_machine=m68k-harris basic_os=cxux ;; nh[45]000) basic_machine=m88k-harris basic_os=cxux ;; nindy960) basic_machine=i960-intel basic_os=nindy ;; mon960) basic_machine=i960-intel basic_os=mon960 ;; nonstopux) basic_machine=mips-compaq basic_os=nonstopux ;; os400) basic_machine=powerpc-ibm basic_os=os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson basic_os=ose ;; os68k) basic_machine=m68k-none basic_os=os68k ;; paragon) basic_machine=i860-intel basic_os=osf ;; parisc) basic_machine=hppa-unknown basic_os=linux ;; psp) basic_machine=mipsallegrexel-sony basic_os=psp ;; pw32) basic_machine=i586-unknown basic_os=pw32 ;; rdos | rdos64) basic_machine=x86_64-pc basic_os=rdos ;; rdos32) basic_machine=i386-pc basic_os=rdos ;; rom68k) basic_machine=m68k-rom68k basic_os=coff ;; sa29200) basic_machine=a29k-amd basic_os=udi ;; sei) basic_machine=mips-sei basic_os=seiux ;; sequent) basic_machine=i386-sequent basic_os= ;; sps7) basic_machine=m68k-bull basic_os=sysv2 ;; st2000) basic_machine=m68k-tandem basic_os= ;; stratus) basic_machine=i860-stratus basic_os=sysv4 ;; sun2) basic_machine=m68000-sun basic_os= ;; sun2os3) basic_machine=m68000-sun basic_os=sunos3 ;; sun2os4) basic_machine=m68000-sun basic_os=sunos4 ;; sun3) basic_machine=m68k-sun basic_os= ;; sun3os3) basic_machine=m68k-sun basic_os=sunos3 ;; sun3os4) basic_machine=m68k-sun basic_os=sunos4 ;; sun4) basic_machine=sparc-sun basic_os= ;; sun4os3) basic_machine=sparc-sun basic_os=sunos3 ;; sun4os4) basic_machine=sparc-sun basic_os=sunos4 ;; sun4sol2) basic_machine=sparc-sun basic_os=solaris2 ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun basic_os= ;; sv1) basic_machine=sv1-cray basic_os=unicos ;; symmetry) basic_machine=i386-sequent basic_os=dynix ;; t3e) basic_machine=alphaev5-cray basic_os=unicos ;; t90) basic_machine=t90-cray basic_os=unicos ;; toad1) basic_machine=pdp10-xkl basic_os=tops20 ;; tpf) basic_machine=s390x-ibm basic_os=tpf ;; udi29k) basic_machine=a29k-amd basic_os=udi ;; ultra3) basic_machine=a29k-nyu basic_os=sym1 ;; v810 | necv810) basic_machine=v810-nec basic_os=none ;; vaxv) basic_machine=vax-dec basic_os=sysv ;; vms) basic_machine=vax-dec basic_os=vms ;; vsta) basic_machine=i386-pc basic_os=vsta ;; vxworks960) basic_machine=i960-wrs basic_os=vxworks ;; vxworks68) basic_machine=m68k-wrs basic_os=vxworks ;; vxworks29k) basic_machine=a29k-wrs basic_os=vxworks ;; xbox) basic_machine=i686-pc basic_os=mingw32 ;; ymp) basic_machine=ymp-cray basic_os=unicos ;; *) basic_machine=$1 basic_os= ;; esac ;; esac # Decode 1-component or ad-hoc basic machines case $basic_machine in # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. w89k) cpu=hppa1.1 vendor=winbond ;; op50n) cpu=hppa1.1 vendor=oki ;; op60c) cpu=hppa1.1 vendor=oki ;; ibm*) cpu=i370 vendor=ibm ;; orion105) cpu=clipper vendor=highlevel ;; mac | mpw | mac-mpw) cpu=m68k vendor=apple ;; pmac | pmac-mpw) cpu=powerpc vendor=apple ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) cpu=m68000 vendor=att ;; 3b*) cpu=we32k vendor=att ;; bluegene*) cpu=powerpc vendor=ibm basic_os=cnk ;; decsystem10* | dec10*) cpu=pdp10 vendor=dec basic_os=tops10 ;; decsystem20* | dec20*) cpu=pdp10 vendor=dec basic_os=tops20 ;; delta | 3300 | delta-motorola | 3300-motorola | motorola-delta | motorola-3300) cpu=m68k vendor=motorola ;; # This used to be dpx2*, but that gets the RS6000-based # DPX/20 and the x86-based DPX/2-100 wrong. See # https://oldskool.silicium.org/stations/bull_dpx20.htm # https://www.feb-patrimoine.com/english/bull_dpx2.htm # https://www.feb-patrimoine.com/english/unix_and_bull.htm dpx2 | dpx2[23]00 | dpx2[23]xx) cpu=m68k vendor=bull ;; dpx2100 | dpx21xx) cpu=i386 vendor=bull ;; dpx20) cpu=rs6000 vendor=bull ;; encore | umax | mmax) cpu=ns32k vendor=encore ;; elxsi) cpu=elxsi vendor=elxsi basic_os=${basic_os:-bsd} ;; fx2800) cpu=i860 vendor=alliant ;; genix) cpu=ns32k vendor=ns ;; h3050r* | hiux*) cpu=hppa1.1 vendor=hitachi basic_os=hiuxwe2 ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) cpu=hppa1.0 vendor=hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) cpu=m68000 vendor=hp ;; hp9k3[2-9][0-9]) cpu=m68k vendor=hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) cpu=hppa1.0 vendor=hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) cpu=hppa1.1 vendor=hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp cpu=hppa1.1 vendor=hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp cpu=hppa1.1 vendor=hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) cpu=hppa1.1 vendor=hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) cpu=hppa1.0 vendor=hp ;; i*86v32) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=sysv32 ;; i*86v4*) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=sysv4 ;; i*86v) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=sysv ;; i*86sol2) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=solaris2 ;; j90 | j90-cray) cpu=j90 vendor=cray basic_os=${basic_os:-unicos} ;; iris | iris4d) cpu=mips vendor=sgi case $basic_os in irix*) ;; *) basic_os=irix4 ;; esac ;; miniframe) cpu=m68000 vendor=convergent ;; *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) cpu=m68k vendor=atari basic_os=mint ;; news-3600 | risc-news) cpu=mips vendor=sony basic_os=newsos ;; next | m*-next) cpu=m68k vendor=next ;; np1) cpu=np1 vendor=gould ;; op50n-* | op60c-*) cpu=hppa1.1 vendor=oki basic_os=proelf ;; pa-hitachi) cpu=hppa1.1 vendor=hitachi basic_os=hiuxwe2 ;; pbd) cpu=sparc vendor=tti ;; pbb) cpu=m68k vendor=tti ;; pc532) cpu=ns32k vendor=pc532 ;; pn) cpu=pn vendor=gould ;; power) cpu=power vendor=ibm ;; ps2) cpu=i386 vendor=ibm ;; rm[46]00) cpu=mips vendor=siemens ;; rtpc | rtpc-*) cpu=romp vendor=ibm ;; sde) cpu=mipsisa32 vendor=sde basic_os=${basic_os:-elf} ;; simso-wrs) cpu=sparclite vendor=wrs basic_os=vxworks ;; tower | tower-32) cpu=m68k vendor=ncr ;; vpp*|vx|vx-*) cpu=f301 vendor=fujitsu ;; w65) cpu=w65 vendor=wdc ;; w89k-*) cpu=hppa1.1 vendor=winbond basic_os=proelf ;; none) cpu=none vendor=none ;; leon|leon[3-9]) cpu=sparc vendor=$basic_machine ;; leon-*|leon[3-9]-*) cpu=sparc vendor=`echo "$basic_machine" | sed 's/-.*//'` ;; *-*) saved_IFS=$IFS IFS="-" read cpu vendor <&2 exit 1 ;; esac ;; esac # Here we canonicalize certain aliases for manufacturers. case $vendor in digital*) vendor=dec ;; commodore*) vendor=cbm ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if test x"$basic_os" != x then # First recognize some ad-hoc cases, or perhaps split kernel-os, or else just # set os. obj= case $basic_os in gnu/linux*) kernel=linux os=`echo "$basic_os" | sed -e 's|gnu/linux|gnu|'` ;; os2-emx) kernel=os2 os=`echo "$basic_os" | sed -e 's|os2-emx|emx|'` ;; nto-qnx*) kernel=nto os=`echo "$basic_os" | sed -e 's|nto-qnx|qnx|'` ;; *-*) saved_IFS=$IFS IFS="-" read kernel os <&2 fi ;; *) echo "Invalid configuration '$1': OS '$os' not recognized" 1>&2 exit 1 ;; esac case $obj in aout* | coff* | elf* | pe*) ;; '') # empty is fine ;; *) echo "Invalid configuration '$1': Machine code format '$obj' not recognized" 1>&2 exit 1 ;; esac # Here we handle the constraint that a (synthetic) cpu and os are # valid only in combination with each other and nowhere else. case $cpu-$os in # The "javascript-unknown-ghcjs" triple is used by GHC; we # accept it here in order to tolerate that, but reject any # variations. javascript-ghcjs) ;; javascript-* | *-ghcjs) echo "Invalid configuration '$1': cpu '$cpu' is not valid with os '$os$obj'" 1>&2 exit 1 ;; esac # As a final step for OS-related things, validate the OS-kernel combination # (given a valid OS), if there is a kernel. case $kernel-$os-$obj in linux-gnu*- | linux-android*- | linux-dietlibc*- | linux-llvm*- \ | linux-mlibc*- | linux-musl*- | linux-newlib*- \ | linux-relibc*- | linux-uclibc*- | linux-ohos*- ) ;; uclinux-uclibc*- | uclinux-gnu*- ) ;; ironclad-mlibc*-) ;; managarm-mlibc*- | managarm-kernel*- ) ;; windows*-msvc*-) ;; -dietlibc*- | -llvm*- | -mlibc*- | -musl*- | -newlib*- | -relibc*- \ | -uclibc*- ) # These are just libc implementations, not actual OSes, and thus # require a kernel. echo "Invalid configuration '$1': libc '$os' needs explicit kernel." 1>&2 exit 1 ;; -kernel*- ) echo "Invalid configuration '$1': '$os' needs explicit kernel." 1>&2 exit 1 ;; *-kernel*- ) echo "Invalid configuration '$1': '$kernel' does not support '$os'." 1>&2 exit 1 ;; *-msvc*- ) echo "Invalid configuration '$1': '$os' needs 'windows'." 1>&2 exit 1 ;; kfreebsd*-gnu*- | knetbsd*-gnu*- | netbsd*-gnu*- | kopensolaris*-gnu*-) ;; vxworks-simlinux- | vxworks-simwindows- | vxworks-spe-) ;; nto-qnx*-) ;; os2-emx-) ;; rtmk-nova-) ;; *-eabi*- | *-gnueabi*-) ;; ios*-simulator- | tvos*-simulator- | watchos*-simulator- ) ;; none--*) # None (no kernel, i.e. freestanding / bare metal), # can be paired with an machine code file format ;; -*-) # Blank kernel with real OS is always fine. ;; --*) # Blank kernel and OS with real machine code file format is always fine. ;; *-*-*) echo "Invalid configuration '$1': Kernel '$kernel' not known to work with OS '$os'." 1>&2 exit 1 ;; esac # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. case $vendor in unknown) case $cpu-$os in *-riscix*) vendor=acorn ;; *-sunos* | *-solaris*) vendor=sun ;; *-cnk* | *-aix*) vendor=ibm ;; *-beos*) vendor=be ;; *-hpux*) vendor=hp ;; *-mpeix*) vendor=hp ;; *-hiux*) vendor=hitachi ;; *-unos*) vendor=crds ;; *-dgux*) vendor=dg ;; *-luna*) vendor=omron ;; *-genix*) vendor=ns ;; *-clix*) vendor=intergraph ;; *-mvs* | *-opened*) vendor=ibm ;; *-os400*) vendor=ibm ;; s390-* | s390x-*) vendor=ibm ;; *-ptx*) vendor=sequent ;; *-tpf*) vendor=ibm ;; *-vxsim* | *-vxworks* | *-windiss*) vendor=wrs ;; *-aux*) vendor=apple ;; *-hms*) vendor=hitachi ;; *-mpw* | *-macos*) vendor=apple ;; *-*mint | *-mint[0-9]* | *-*MiNT | *-MiNT[0-9]*) vendor=atari ;; *-vos*) vendor=stratus ;; esac ;; esac echo "$cpu-$vendor${kernel:+-$kernel}${os:+-$os}${obj:+-$obj}" exit # Local variables: # eval: (add-hook 'before-save-hook 'time-stamp nil t) # time-stamp-start: "timestamp='" # time-stamp-format: "%Y-%02m-%02d" # time-stamp-end: "'" # End: nettle-4.0/configure0000755000000000000000000101055215141166424011515 0ustar00#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.72 for nettle 4.0. # # Report bugs to . # # # Copyright (C) 1992-1996, 1998-2017, 2020-2023 Free Software Foundation, # Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case e in #( e) case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac ;; esac fi # Reset variables that may have inherited troublesome values from # the environment. # IFS needs to be set, to space, tab, and newline, in precisely that order. # (If _AS_PATH_WALK were called with IFS unset, it would have the # side effect of setting IFS to empty, thus disabling word splitting.) # Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl IFS=" "" $as_nl" PS1='$ ' PS2='> ' PS4='+ ' # Ensure predictable behavior from utilities with locale-dependent output. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # We cannot yet rely on "unset" to work, but we need these variables # to be unset--not just set to an empty or harmless value--now, to # avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct # also avoids known problems related to "unset" and subshell syntax # in other old shells (e.g. bash 2.01 and pdksh 5.2.14). for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH do eval test \${$as_var+y} \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done # Ensure that fds 0, 1, and 2 are open. if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi if (exec 3>&2) ; then :; else exec 2>/dev/null; fi # The user is always right. if ${PATH_SEPARATOR+false} :; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac test -r "$as_dir$0" && as_myself=$as_dir$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as 'sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed 'exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case e in #( e) case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ) then : else case e in #( e) exitcode=1; echo positional parameters were not saved. ;; esac fi test x\$exitcode = x0 || exit 1 blah=\$(echo \$(echo blah)) test x\"\$blah\" = xblah || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null then : as_have_required=yes else case e in #( e) as_have_required=no ;; esac fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null then : else case e in #( e) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. as_shell=$as_dir$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && as_run=a "$as_shell" -c "$as_bourne_compatible""$as_required" 2>/dev/null then : CONFIG_SHELL=$as_shell as_have_required=yes if as_run=a "$as_shell" -c "$as_bourne_compatible""$as_suggested" 2>/dev/null then : break 2 fi fi done;; esac as_found=false done IFS=$as_save_IFS if $as_found then : else case e in #( e) if { test -f "$SHELL" || test -f "$SHELL.exe"; } && as_run=a "$SHELL" -c "$as_bourne_compatible""$as_required" 2>/dev/null then : CONFIG_SHELL=$SHELL as_have_required=yes fi ;; esac fi if test "x$CONFIG_SHELL" != x then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed 'exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno then : printf "%s\n" "$0: This script requires a shell more modern than all" printf "%s\n" "$0: the shells that I found on your system." if test ${ZSH_VERSION+y} ; then printf "%s\n" "$0: In particular, zsh $ZSH_VERSION has bugs and should" printf "%s\n" "$0: be upgraded to zsh 4.3.4 or later." else printf "%s\n" "$0: Please tell bug-autoconf@gnu.org and $0: nettle-bugs@lists.lysator.liu.se about your system, $0: including any error possibly output before this $0: message. Then install a modern shell, or manually run $0: the script under such a shell if you do have one." fi exit 1 fi ;; esac fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null then : eval 'as_fn_append () { eval $1+=\$2 }' else case e in #( e) as_fn_append () { eval $1=\$$1\$2 } ;; esac fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null then : eval 'as_fn_arith () { as_val=$(( $* )) }' else case e in #( e) as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } ;; esac fi # as_fn_arith # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi printf "%s\n" "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' t clear :clear s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { printf "%s\n" "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } # Determine whether it's possible to make 'echo' print without a newline. # These variables are no longer used directly by Autoconf, but are AC_SUBSTed # for compatibility with existing Makefiles. ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac # For backward compatibility with old third-party macros, we provide # the shell variables $as_echo and $as_echo_n. New code should use # AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. as_echo='printf %s\n' as_echo_n='printf %s' rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both 'ln -s file dir' and 'ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; 'ln -s' creates a wrapper executable. # In both cases, we have to default to 'cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_sed_cpp="y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" as_tr_cpp="eval sed '$as_sed_cpp'" # deprecated # Sed expression to map a string onto a valid variable name. as_sed_sh="y%*+%pp%;s%[^_$as_cr_alnum]%_%g" as_tr_sh="eval sed '$as_sed_sh'" # deprecated test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='nettle' PACKAGE_TARNAME='nettle' PACKAGE_VERSION='4.0' PACKAGE_STRING='nettle 4.0' PACKAGE_BUGREPORT='nettle-bugs@lists.lysator.liu.se' PACKAGE_URL='' ac_unique_file="nettle-types.h" # Factoring default headers for most tests. ac_includes_default="\ #include #ifdef HAVE_STDIO_H # include #endif #ifdef HAVE_STDLIB_H # include #endif #ifdef HAVE_STRING_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_header_c_list= ac_subst_vars='LTLIBOBJS LIBOBJS BENCH_LIBS OPENSSL_LIBFLAGS IF_MINI_GMP IF_DLL IF_DOCUMENTATION IF_DLOPEN_TEST IF_NOT_SHARED IF_SHARED IF_STATIC IF_HOGWEED MAKEINFO M4 LIBHOGWEED_LIBS LIBHOGWEED_LINK LIBHOGWEED_FILE_SRC LIBHOGWEED_FILE LIBHOGWEED_SONAME LIBHOGWEED_FORLINK LIBHOGWEED_MINOR LIBHOGWEED_MAJOR LIBNETTLE_LIBS LIBNETTLE_LINK LIBNETTLE_FILE_SRC LIBNETTLE_FILE LIBNETTLE_SONAME LIBNETTLE_FORLINK LIBNETTLE_MINOR LIBNETTLE_MAJOR ASM_X86_MARK_CET_ALIGN ASM_X86_MARK_CET ASM_X86_ENDBR EMULATOR ASM_WORDS_BIGENDIAN W64_ABI ELFV2_ABI ASM_ALIGN_LOG ASM_MARK_NOEXEC_STACK ASM_TYPE_PROGBITS ASM_TYPE_FUNCTION ASM_COFF_STYLE ASM_ELF_STYLE ASM_SYMBOL_PREFIX CCPIC ASM_PPC_WANT_R_REGISTERS IF_ASM ASM_RODATA FAT_EMULATE_LIST FAT_OVERRIDE_LIST OPT_NETTLE_SOURCES OPT_HOGWEED_OBJS OPT_NETTLE_OBJS GMP_NUMB_BITS NUMB_BITS ALLOCA DEP_PROCESS DEP_FLAGS IF_VALGRIND EXEEXT_FOR_BUILD CC_FOR_BUILD LN_S MKDIR_P INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM AR OBJDUMP NM RANLIB SET_MAKE EXTRA_HOGWEED_LINKER_FLAGS EXTRA_LINKER_FLAGS IF_CXX ac_ct_CXX CXXFLAGS CXX OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC HOGWEED_EXTRA_SYMBOLS NETTLE_USE_MINI_GMP ASM_FLAGS host_os host_vendor host_cpu host build_os build_vendor build_cpu build MINOR_VERSION MAJOR_VERSION target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir runstatedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking enable_public_key enable_assembler enable_static enable_shared enable_pic enable_openssl enable_gcov enable_documentation enable_fat enable_arm_neon enable_arm64_crypto enable_x86_aesni enable_x86_sha_ni enable_x86_pclmul enable_power_crypto_ext enable_power_altivec enable_power9 enable_s390x_vf enable_s390x_msa enable_extra_asserts enable_mini_gmp enable_ld_version_script enable_dependency_tracking ' ac_precious_vars='build_alias host_alias target_alias ASM_FLAGS CC CFLAGS LDFLAGS LIBS CPPFLAGS CXX CXXFLAGS CCC CC_FOR_BUILD' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | --program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -runstatedir | --runstatedir | --runstatedi | --runstated \ | --runstate | --runstat | --runsta | --runst | --runs \ | --run | --ru | --r) ac_prev=runstatedir ;; -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ | --run=* | --ru=* | --r=*) runstatedir=$ac_optarg ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: '$ac_option' Try '$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: '$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. printf "%s\n" "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && printf "%s\n" "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: '$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but 'cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF 'configure' configures nettle 4.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print 'checking ...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for '--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or '..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, 'make install' will install all the files in '$ac_default_prefix/bin', '$ac_default_prefix/lib' etc. You can specify an installation prefix other than '$ac_default_prefix' using '--prefix', for instance '--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/nettle] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of nettle 4.0:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-public-key Disable public key algorithms --disable-assembler Disable assembler code --disable-static Do not build any static library --disable-shared Do not build any shared library --disable-pic Do not try to compile library files as position independent code --disable-openssl Do not include openssl glue in the benchmark program --enable-gcov Instrument for gcov (requires a modern gcc) --disable-documentation Omit building and installing the documentation. (default=auto) --disable-fat Disable fat library build --enable-arm-neon Enable ARM Neon assembly. (default=auto) --enable-arm64-crypto Enable Arm64 crypto extension. (default=no) --enable-x86-aesni Enable x86_64 aes instructions. (default=no) --enable-x86-sha-ni Enable x86_64 sha_ni instructions. (default=no) --enable-x86-pclmul Enable x86_64 pclmulqdq instructions. (default=no) --enable-power-crypto-ext Enable POWER crypto extensions. (default=no) --enable-power-altivec Enable POWER altivec and vsx extensions. (default=no) --enable-power9 Enable POWER ISA v3.0. (default=no) --enable-s390x-vf Enable vector facility on z/Architecture. (default=no) --enable-s390x-msa Enable message-security assist extensions on z/Architecture. (default=no) --enable-extra-asserts Enable additional asserts in ECC code (incompatible side-channel tests) --enable-mini-gmp Enable mini-gmp, used instead of libgmp. --enable-ld-version-script enable linker version script (default is enabled when possible) --disable-dependency-tracking Disable dependency tracking. Dependency tracking doesn't work with BSD make Some influential environment variables: ASM_FLAGS Extra flags for processing assembly source files CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CXX C++ compiler command CXXFLAGS C++ compiler flags CC_FOR_BUILD build system C compiler Use these variables to override the choices made by 'configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for configure.gnu first; this name is used for a wrapper for # Metaconfig's "Configure" on case-insensitive file systems. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else printf "%s\n" "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF nettle configure 4.0 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 ;; esac fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam conftest$ac_exeext if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext } then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 ;; esac fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_cxx_try_compile LINENO # ---------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_cxx_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_cxx_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 ;; esac fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_cxx_try_compile # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache # variable VAR accordingly. ac_fn_c_check_type () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) eval "$3=no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { if (sizeof ($2)) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { if (sizeof (($2))) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) eval "$3=yes" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO" then : eval "$3=yes" else case e in #( e) eval "$3=no" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_try_run LINENO # ---------------------- # Try to run conftest.$ac_ext, and return whether this succeeded. Assumes that # executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; } then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: program exited with status $ac_status" >&5 printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status ;; esac fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run # ac_fn_c_compute_int LINENO EXPR VAR INCLUDES # -------------------------------------------- # Tries to find the compile-time value of EXPR in a program that includes # INCLUDES, setting VAR accordingly. Returns whether the value could be # computed ac_fn_c_compute_int () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) >= 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_lo=0 ac_mid=0 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_hi=$ac_mid; break else case e in #( e) as_fn_arith $ac_mid + 1 && ac_lo=$as_val if test $ac_lo -le $ac_mid; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) < 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_hi=-1 ac_mid=-1 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) >= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_lo=$ac_mid; break else case e in #( e) as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val if test $ac_mid -le $ac_hi; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done else case e in #( e) ac_lo= ac_hi= ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext # Binary search between lo and hi bounds. while test "x$ac_lo" != "x$ac_hi"; do as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_hi=$ac_mid else case e in #( e) as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done case $ac_lo in #(( ?*) eval "$3=\$ac_lo"; ac_retval=0 ;; '') ac_retval=1 ;; esac else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 static long int longval (void) { return $2; } static unsigned long int ulongval (void) { return $2; } #include #include int main (void) { FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; if (($2) < 0) { long int i = longval (); if (i != ($2)) return 1; fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); if (i != ($2)) return 1; fprintf (f, "%lu", i); } /* Do not output a trailing newline, as this causes \r\n confusion on some platforms. */ return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : echo >>conftest.val; read $3 &5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (void); below. */ #include #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (void); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main (void) { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : eval "$3=yes" else case e in #( e) eval "$3=no" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func ac_configure_args_raw= for ac_arg do case $ac_arg in *\'*) ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append ac_configure_args_raw " '$ac_arg'" done case $ac_configure_args_raw in *$as_nl*) ac_safe_unquote= ;; *) ac_unsafe_z='|&;<>()$`\\"*?[ '' ' # This string ends in space, tab. ac_unsafe_a="$ac_unsafe_z#~" ac_safe_unquote="s/ '\\([^$ac_unsafe_a][^$ac_unsafe_z]*\\)'/ \\1/g" ac_configure_args_raw=` printf "%s\n" "$ac_configure_args_raw" | sed "$ac_safe_unquote"`;; esac cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by nettle $as_me 4.0, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. ## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac printf "%s\n" "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Sanitize IFS. IFS=" "" $as_nl" # Save into config.log some information that might help in debugging. { echo printf "%s\n" "## ---------------- ## ## Cache variables. ## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo printf "%s\n" "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac printf "%s\n" "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then printf "%s\n" "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac printf "%s\n" "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then printf "%s\n" "## ----------- ## ## confdefs.h. ## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && printf "%s\n" "$as_me: caught signal $ac_signal" printf "%s\n" "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h printf "%s\n" "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. printf "%s\n" "#define PACKAGE_NAME \"$PACKAGE_NAME\"" >>confdefs.h printf "%s\n" "#define PACKAGE_TARNAME \"$PACKAGE_TARNAME\"" >>confdefs.h printf "%s\n" "#define PACKAGE_VERSION \"$PACKAGE_VERSION\"" >>confdefs.h printf "%s\n" "#define PACKAGE_STRING \"$PACKAGE_STRING\"" >>confdefs.h printf "%s\n" "#define PACKAGE_BUGREPORT \"$PACKAGE_BUGREPORT\"" >>confdefs.h printf "%s\n" "#define PACKAGE_URL \"$PACKAGE_URL\"" >>confdefs.h # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. if test -n "$CONFIG_SITE"; then ac_site_files="$CONFIG_SITE" elif test "x$prefix" != xNONE; then ac_site_files="$prefix/share/config.site $prefix/etc/config.site" else ac_site_files="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" fi for ac_site_file in $ac_site_files do case $ac_site_file in #( */*) : ;; #( *) : ac_site_file=./$ac_site_file ;; esac if test -f "$ac_site_file" && test -r "$ac_site_file"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 printf "%s\n" "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ || { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See 'config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 printf "%s\n" "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 printf "%s\n" "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Test code for whether the C compiler supports C89 (global declarations) ac_c_conftest_c89_globals=' /* Does the compiler advertise C89 conformance? Do not test the value of __STDC__, because some compilers set it to 0 while being otherwise adequately conformant. */ #if !defined __STDC__ # error "Compiler does not advertise C89 conformance" #endif #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7 src/conf.sh. */ struct buf { int x; }; struct buf * (*rcsopen) (struct buf *, struct stat *, int); static char *e (char **p, int i) { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* C89 style stringification. */ #define noexpand_stringify(a) #a const char *stringified = noexpand_stringify(arbitrary+token=sequence); /* C89 style token pasting. Exercises some of the corner cases that e.g. old MSVC gets wrong, but not very hard. */ #define noexpand_concat(a,b) a##b #define expand_concat(a,b) noexpand_concat(a,b) extern int vA; extern int vbee; #define aye A #define bee B int *pvA = &expand_concat(v,aye); int *pvbee = &noexpand_concat(v,bee); /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not \xHH hex character constants. These do not provoke an error unfortunately, instead are silently treated as an "x". The following induces an error, until -std is added to get proper ANSI mode. Curiously \x00 != x always comes out true, for an array size at least. It is necessary to write \x00 == 0 to get something that is true only with -std. */ int osf4_cc_array ['\''\x00'\'' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) '\''x'\'' int xlc6_cc_array[FOO(a) == '\''x'\'' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, int *(*)(struct buf *, struct stat *, int), int, int);' # Test code for whether the C compiler supports C89 (body of main). ac_c_conftest_c89_main=' ok |= (argc == 0 || f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]); ' # Test code for whether the C compiler supports C99 (global declarations) ac_c_conftest_c99_globals=' /* Does the compiler advertise C99 conformance? */ #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L # error "Compiler does not advertise C99 conformance" #endif // See if C++-style comments work. #include extern int puts (const char *); extern int printf (const char *, ...); extern int dprintf (int, const char *, ...); extern void *malloc (size_t); extern void free (void *); // Check varargs macros. These examples are taken from C99 6.10.3.5. // dprintf is used instead of fprintf to avoid needing to declare // FILE and stderr. #define debug(...) dprintf (2, __VA_ARGS__) #define showlist(...) puts (#__VA_ARGS__) #define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__)) static void test_varargs_macros (void) { int x = 1234; int y = 5678; debug ("Flag"); debug ("X = %d\n", x); showlist (The first, second, and third items.); report (x>y, "x is %d but y is %d", x, y); } // Check long long types. #define BIG64 18446744073709551615ull #define BIG32 4294967295ul #define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0) #if !BIG_OK #error "your preprocessor is broken" #endif #if BIG_OK #else #error "your preprocessor is broken" #endif static long long int bignum = -9223372036854775807LL; static unsigned long long int ubignum = BIG64; struct incomplete_array { int datasize; double data[]; }; struct named_init { int number; const wchar_t *name; double average; }; typedef const char *ccp; static inline int test_restrict (ccp restrict text) { // Iterate through items via the restricted pointer. // Also check for declarations in for loops. for (unsigned int i = 0; *(text+i) != '\''\0'\''; ++i) continue; return 0; } // Check varargs and va_copy. static bool test_varargs (const char *format, ...) { va_list args; va_start (args, format); va_list args_copy; va_copy (args_copy, args); const char *str = ""; int number = 0; float fnumber = 0; while (*format) { switch (*format++) { case '\''s'\'': // string str = va_arg (args_copy, const char *); break; case '\''d'\'': // int number = va_arg (args_copy, int); break; case '\''f'\'': // float fnumber = va_arg (args_copy, double); break; default: break; } } va_end (args_copy); va_end (args); return *str && number && fnumber; } ' # Test code for whether the C compiler supports C99 (body of main). ac_c_conftest_c99_main=' // Check bool. _Bool success = false; success |= (argc != 0); // Check restrict. if (test_restrict ("String literal") == 0) success = true; char *restrict newvar = "Another string"; // Check varargs. success &= test_varargs ("s, d'\'' f .", "string", 65, 34.234); test_varargs_macros (); // Check flexible array members. struct incomplete_array *ia = malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10)); ia->datasize = 10; for (int i = 0; i < ia->datasize; ++i) ia->data[i] = i * 1.234; // Work around memory leak warnings. free (ia); // Check named initializers. struct named_init ni = { .number = 34, .name = L"Test wide string", .average = 543.34343, }; ni.number = 58; int dynamic_array[ni.number]; dynamic_array[0] = argv[0][0]; dynamic_array[ni.number - 1] = 543; // work around unused variable warnings ok |= (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == '\''x'\'' || dynamic_array[ni.number - 1] != 543); ' # Test code for whether the C compiler supports C11 (global declarations) ac_c_conftest_c11_globals=' /* Does the compiler advertise C11 conformance? */ #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112L # error "Compiler does not advertise C11 conformance" #endif // Check _Alignas. char _Alignas (double) aligned_as_double; char _Alignas (0) no_special_alignment; extern char aligned_as_int; char _Alignas (0) _Alignas (int) aligned_as_int; // Check _Alignof. enum { int_alignment = _Alignof (int), int_array_alignment = _Alignof (int[100]), char_alignment = _Alignof (char) }; _Static_assert (0 < -_Alignof (int), "_Alignof is signed"); // Check _Noreturn. int _Noreturn does_not_return (void) { for (;;) continue; } // Check _Static_assert. struct test_static_assert { int x; _Static_assert (sizeof (int) <= sizeof (long int), "_Static_assert does not work in struct"); long int y; }; // Check UTF-8 literals. #define u8 syntax error! char const utf8_literal[] = u8"happens to be ASCII" "another string"; // Check duplicate typedefs. typedef long *long_ptr; typedef long int *long_ptr; typedef long_ptr long_ptr; // Anonymous structures and unions -- taken from C11 6.7.2.1 Example 1. struct anonymous { union { struct { int i; int j; }; struct { int k; long int l; } w; }; int m; } v1; ' # Test code for whether the C compiler supports C11 (body of main). ac_c_conftest_c11_main=' _Static_assert ((offsetof (struct anonymous, i) == offsetof (struct anonymous, w.k)), "Anonymous union alignment botch"); v1.i = 2; v1.w.k = 5; ok |= v1.i != 5; ' # Test code for whether the C compiler supports C11 (complete). ac_c_conftest_c11_program="${ac_c_conftest_c89_globals} ${ac_c_conftest_c99_globals} ${ac_c_conftest_c11_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} ${ac_c_conftest_c99_main} ${ac_c_conftest_c11_main} return ok; } " # Test code for whether the C compiler supports C99 (complete). ac_c_conftest_c99_program="${ac_c_conftest_c89_globals} ${ac_c_conftest_c99_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} ${ac_c_conftest_c99_main} return ok; } " # Test code for whether the C compiler supports C89 (complete). ac_c_conftest_c89_program="${ac_c_conftest_c89_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} return ok; } " # Test code for whether the C++ compiler supports C++98 (global declarations) ac_cxx_conftest_cxx98_globals=' // Does the compiler advertise C++98 conformance? #if !defined __cplusplus || __cplusplus < 199711L # error "Compiler does not advertise C++98 conformance" #endif // These inclusions are to reject old compilers that // lack the unsuffixed header files. #include #include // and are *not* freestanding headers in C++98. extern void assert (int); namespace std { extern int strcmp (const char *, const char *); } // Namespaces, exceptions, and templates were all added after "C++ 2.0". using std::exception; using std::strcmp; namespace { void test_exception_syntax() { try { throw "test"; } catch (const char *s) { // Extra parentheses suppress a warning when building autoconf itself, // due to lint rules shared with more typical C programs. assert (!(strcmp) (s, "test")); } } template struct test_template { T const val; explicit test_template(T t) : val(t) {} template T add(U u) { return static_cast(u) + val; } }; } // anonymous namespace ' # Test code for whether the C++ compiler supports C++98 (body of main) ac_cxx_conftest_cxx98_main=' assert (argc); assert (! argv[0]); { test_exception_syntax (); test_template tt (2.0); assert (tt.add (4) == 6.0); assert (true && !false); } ' # Test code for whether the C++ compiler supports C++11 (global declarations) ac_cxx_conftest_cxx11_globals=' // Does the compiler advertise C++ 2011 conformance? #if !defined __cplusplus || __cplusplus < 201103L # error "Compiler does not advertise C++11 conformance" #endif namespace cxx11test { constexpr int get_val() { return 20; } struct testinit { int i; double d; }; class delegate { public: delegate(int n) : n(n) {} delegate(): delegate(2354) {} virtual int getval() { return this->n; }; protected: int n; }; class overridden : public delegate { public: overridden(int n): delegate(n) {} virtual int getval() override final { return this->n * 2; } }; class nocopy { public: nocopy(int i): i(i) {} nocopy() = default; nocopy(const nocopy&) = delete; nocopy & operator=(const nocopy&) = delete; private: int i; }; // for testing lambda expressions template Ret eval(Fn f, Ret v) { return f(v); } // for testing variadic templates and trailing return types template auto sum(V first) -> V { return first; } template auto sum(V first, Args... rest) -> V { return first + sum(rest...); } } ' # Test code for whether the C++ compiler supports C++11 (body of main) ac_cxx_conftest_cxx11_main=' { // Test auto and decltype auto a1 = 6538; auto a2 = 48573953.4; auto a3 = "String literal"; int total = 0; for (auto i = a3; *i; ++i) { total += *i; } decltype(a2) a4 = 34895.034; } { // Test constexpr short sa[cxx11test::get_val()] = { 0 }; } { // Test initializer lists cxx11test::testinit il = { 4323, 435234.23544 }; } { // Test range-based for int array[] = {9, 7, 13, 15, 4, 18, 12, 10, 5, 3, 14, 19, 17, 8, 6, 20, 16, 2, 11, 1}; for (auto &x : array) { x += 23; } } { // Test lambda expressions using cxx11test::eval; assert (eval ([](int x) { return x*2; }, 21) == 42); double d = 2.0; assert (eval ([&](double x) { return d += x; }, 3.0) == 5.0); assert (d == 5.0); assert (eval ([=](double x) mutable { return d += x; }, 4.0) == 9.0); assert (d == 5.0); } { // Test use of variadic templates using cxx11test::sum; auto a = sum(1); auto b = sum(1, 2); auto c = sum(1.0, 2.0, 3.0); } { // Test constructor delegation cxx11test::delegate d1; cxx11test::delegate d2(); cxx11test::delegate d3(45); } { // Test override and final cxx11test::overridden o1(55464); } { // Test nullptr char *c = nullptr; } { // Test template brackets test_template<::test_template> v(test_template(12)); } { // Unicode literals char const *utf8 = u8"UTF-8 string \u2500"; char16_t const *utf16 = u"UTF-8 string \u2500"; char32_t const *utf32 = U"UTF-32 string \u2500"; } ' # Test code for whether the C compiler supports C++11 (complete). ac_cxx_conftest_cxx11_program="${ac_cxx_conftest_cxx98_globals} ${ac_cxx_conftest_cxx11_globals} int main (int argc, char **argv) { int ok = 0; ${ac_cxx_conftest_cxx98_main} ${ac_cxx_conftest_cxx11_main} return ok; } " # Test code for whether the C compiler supports C++98 (complete). ac_cxx_conftest_cxx98_program="${ac_cxx_conftest_cxx98_globals} int main (int argc, char **argv) { int ok = 0; ${ac_cxx_conftest_cxx98_main} return ok; } " as_fn_append ac_header_c_list " stdio.h stdio_h HAVE_STDIO_H" as_fn_append ac_header_c_list " stdlib.h stdlib_h HAVE_STDLIB_H" as_fn_append ac_header_c_list " string.h string_h HAVE_STRING_H" as_fn_append ac_header_c_list " inttypes.h inttypes_h HAVE_INTTYPES_H" as_fn_append ac_header_c_list " stdint.h stdint_h HAVE_STDINT_H" as_fn_append ac_header_c_list " strings.h strings_h HAVE_STRINGS_H" as_fn_append ac_header_c_list " sys/stat.h sys_stat_h HAVE_SYS_STAT_H" as_fn_append ac_header_c_list " sys/types.h sys_types_h HAVE_SYS_TYPES_H" as_fn_append ac_header_c_list " unistd.h unistd_h HAVE_UNISTD_H" # Auxiliary files required by this configure script. ac_aux_files="install-sh config.guess config.sub" # Locations in which to look for auxiliary files. ac_aux_dir_candidates="${srcdir}/." # Search for a directory containing all of the required auxiliary files, # $ac_aux_files, from the $PATH-style list $ac_aux_dir_candidates. # If we don't find one directory that contains all the files we need, # we report the set of missing files from the *first* directory in # $ac_aux_dir_candidates and give up. ac_missing_aux_files="" ac_first_candidate=: printf "%s\n" "$as_me:${as_lineno-$LINENO}: looking for aux files: $ac_aux_files" >&5 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in $ac_aux_dir_candidates do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac as_found=: printf "%s\n" "$as_me:${as_lineno-$LINENO}: trying $as_dir" >&5 ac_aux_dir_found=yes ac_install_sh= for ac_aux in $ac_aux_files do # As a special case, if "install-sh" is required, that requirement # can be satisfied by any of "install-sh", "install.sh", or "shtool", # and $ac_install_sh is set appropriately for whichever one is found. if test x"$ac_aux" = x"install-sh" then if test -f "${as_dir}install-sh"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}install-sh found" >&5 ac_install_sh="${as_dir}install-sh -c" elif test -f "${as_dir}install.sh"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}install.sh found" >&5 ac_install_sh="${as_dir}install.sh -c" elif test -f "${as_dir}shtool"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}shtool found" >&5 ac_install_sh="${as_dir}shtool install -c" else ac_aux_dir_found=no if $ac_first_candidate; then ac_missing_aux_files="${ac_missing_aux_files} install-sh" else break fi fi else if test -f "${as_dir}${ac_aux}"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}${ac_aux} found" >&5 else ac_aux_dir_found=no if $ac_first_candidate; then ac_missing_aux_files="${ac_missing_aux_files} ${ac_aux}" else break fi fi fi done if test "$ac_aux_dir_found" = yes; then ac_aux_dir="$as_dir" break fi ac_first_candidate=false as_found=false done IFS=$as_save_IFS if $as_found then : else case e in #( e) as_fn_error $? "cannot find required auxiliary files:$ac_missing_aux_files" "$LINENO" 5 ;; esac fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. if test -f "${ac_aux_dir}config.guess"; then ac_config_guess="$SHELL ${ac_aux_dir}config.guess" fi if test -f "${ac_aux_dir}config.sub"; then ac_config_sub="$SHELL ${ac_aux_dir}config.sub" fi if test -f "$ac_aux_dir/configure"; then ac_configure="$SHELL ${ac_aux_dir}configure" fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' was set to '$ac_old_val' in the previous run" >&5 printf "%s\n" "$as_me: error: '$ac_var' was set to '$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' was not set in the previous run" >&5 printf "%s\n" "$as_me: error: '$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' has changed since the previous run:" >&5 printf "%s\n" "$as_me: error: '$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in '$ac_var' since the previous run:" >&5 printf "%s\n" "$as_me: warning: ignoring whitespace changes in '$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: former value: '$ac_old_val'" >&5 printf "%s\n" "$as_me: former value: '$ac_old_val'" >&2;} { printf "%s\n" "$as_me:${as_lineno-$LINENO}: current value: '$ac_new_val'" >&5 printf "%s\n" "$as_me: current value: '$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`printf "%s\n" "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 printf "%s\n" "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run '${MAKE-make} distclean' and/or 'rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Needed to stop autoconf from looking for files in parent directories. ac_config_headers="$ac_config_headers config.h" LIBNETTLE_MAJOR=9 LIBNETTLE_MINOR=0 LIBHOGWEED_MAJOR=7 LIBHOGWEED_MINOR=0 MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([^.]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[^.]*\.\([0-9]*\).*/\1/'` # Make sure we can run config.sub. $SHELL "${ac_aux_dir}config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL ${ac_aux_dir}config.sub" "$LINENO" 5 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 printf %s "checking build system type... " >&6; } if test ${ac_cv_build+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "${ac_aux_dir}config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "${ac_aux_dir}config.sub" $ac_build_alias` || as_fn_error $? "$SHELL ${ac_aux_dir}config.sub $ac_build_alias failed" "$LINENO" 5 ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 printf "%s\n" "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 printf %s "checking host system type... " >&6; } if test ${ac_cv_host+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "${ac_aux_dir}config.sub" $host_alias` || as_fn_error $? "$SHELL ${ac_aux_dir}config.sub $host_alias failed" "$LINENO" 5 fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 printf "%s\n" "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac # Command line options # Check whether --enable-public-key was given. if test ${enable_public_key+y} then : enableval=$enable_public_key; else case e in #( e) enable_public_key=yes ;; esac fi # Check whether --enable-assembler was given. if test ${enable_assembler+y} then : enableval=$enable_assembler; else case e in #( e) enable_assembler=yes ;; esac fi # Check whether --enable-static was given. if test ${enable_static+y} then : enableval=$enable_static; else case e in #( e) enable_static=yes ;; esac fi # Check whether --enable-shared was given. if test ${enable_shared+y} then : enableval=$enable_shared; else case e in #( e) enable_shared=yes ;; esac fi # Check whether --enable-pic was given. if test ${enable_pic+y} then : enableval=$enable_pic; else case e in #( e) enable_pic=yes ;; esac fi # Check whether --enable-openssl was given. if test ${enable_openssl+y} then : enableval=$enable_openssl; else case e in #( e) enable_openssl=yes ;; esac fi # Check whether --enable-gcov was given. if test ${enable_gcov+y} then : enableval=$enable_gcov; else case e in #( e) enable_gcov=no ;; esac fi # Check whether --enable-documentation was given. if test ${enable_documentation+y} then : enableval=$enable_documentation; else case e in #( e) enable_documentation=auto ;; esac fi # Check whether --enable-fat was given. if test ${enable_fat+y} then : enableval=$enable_fat; else case e in #( e) enable_fat=yes ;; esac fi # Check whether --enable-arm-neon was given. if test ${enable_arm_neon+y} then : enableval=$enable_arm_neon; else case e in #( e) enable_arm_neon=auto ;; esac fi # Check whether --enable-arm64-crypto was given. if test ${enable_arm64_crypto+y} then : enableval=$enable_arm64_crypto; else case e in #( e) enable_arm64_crypto=no ;; esac fi # Check whether --enable-x86-aesni was given. if test ${enable_x86_aesni+y} then : enableval=$enable_x86_aesni; else case e in #( e) enable_x86_aesni=no ;; esac fi # Check whether --enable-x86-sha-ni was given. if test ${enable_x86_sha_ni+y} then : enableval=$enable_x86_sha_ni; else case e in #( e) enable_x86_sha_ni=no ;; esac fi # Check whether --enable-x86-pclmul was given. if test ${enable_x86_pclmul+y} then : enableval=$enable_x86_pclmul; else case e in #( e) enable_x86_pclmul=no ;; esac fi # Check whether --enable-power-crypto-ext was given. if test ${enable_power_crypto_ext+y} then : enableval=$enable_power_crypto_ext; else case e in #( e) enable_power_crypto_ext=no ;; esac fi # Check whether --enable-power-altivec was given. if test ${enable_power_altivec+y} then : enableval=$enable_power_altivec; else case e in #( e) enable_altivec=no ;; esac fi # Check whether --enable-power9 was given. if test ${enable_power9+y} then : enableval=$enable_power9; else case e in #( e) enable_power9=no ;; esac fi # Check whether --enable-s390x-vf was given. if test ${enable_s390x_vf+y} then : enableval=$enable_s390x_vf; else case e in #( e) enable_s390x_vf=no ;; esac fi # Check whether --enable-s390x-msa was given. if test ${enable_s390x_msa+y} then : enableval=$enable_s390x_msa; else case e in #( e) enable_s390x_msa=no ;; esac fi # Check whether --enable-extra-asserts was given. if test ${enable_extra_asserts+y} then : enableval=$enable_extra_asserts; else case e in #( e) enable_extra_asserts=no ;; esac fi # Check whether --enable-mini-gmp was given. if test ${enable_mini_gmp+y} then : enableval=$enable_mini_gmp; else case e in #( e) enable_mini_gmp=no ;; esac fi if test "x$enable_mini_gmp" = xyes ; then NETTLE_USE_MINI_GMP=1 HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;mp_*;" CFLAGS="$CFLAGS -DMINI_GMP_ENABLE_FLOAT=0" else NETTLE_USE_MINI_GMP=0 HOGWEED_EXTRA_SYMBOLS="" fi if test "$enable_extra_asserts" = yes ; then printf "%s\n" "#define WITH_EXTRA_ASSERTS 1" >>confdefs.h fi # Checks for programs. ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then if test "$as_dir$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir$ac_word${1+' '}$@" fi fi fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}clang", so it can be a program name with args. set dummy ${ac_tool_prefix}clang; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}clang" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "clang", so it can be a program name with args. set dummy clang; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="clang" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi fi test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See 'config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion -version; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 printf %s "checking whether the C compiler works... " >&6; } ac_link_default=`printf "%s\n" "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : # Autoconf-2.13 could set the ac_cv_exeext variable to 'no'. # So ignore a value of 'no', otherwise this would lead to 'EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) if test ${ac_cv_exeext+y} && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an '-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else case e in #( e) ac_file='' ;; esac fi if test -z "$ac_file" then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See 'config.log' for more details" "$LINENO" 5; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 printf %s "checking for C compiler default output file name... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 printf "%s\n" "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 printf %s "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : # If both 'conftest.exe' and 'conftest' are 'present' (well, observable) # catch 'conftest.exe'. For instance with Cygwin, 'ls conftest' will # work properly (i.e., refer to 'conftest.exe'), while it won't with # 'rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else case e in #( e) { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See 'config.log' for more details" "$LINENO" 5; } ;; esac fi rm -f conftest conftest$ac_cv_exeext { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 printf "%s\n" "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { FILE *f = fopen ("conftest.out", "w"); if (!f) return 1; return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 printf %s "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "cannot run C compiled programs. If you meant to cross compile, use '--host'. See 'config.log' for more details" "$LINENO" 5; } fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 printf "%s\n" "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext \ conftest.o conftest.obj conftest.out ac_clean_files=$ac_clean_files_save { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 printf %s "checking for suffix of object files... " >&6; } if test ${ac_cv_objext+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See 'config.log' for more details" "$LINENO" 5; } ;; esac fi rm -f conftest.$ac_cv_objext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 printf "%s\n" "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C" >&5 printf %s "checking whether the compiler supports GNU C... " >&6; } if test ${ac_cv_c_compiler_gnu+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_compiler_gnu=yes else case e in #( e) ac_compiler_gnu=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 printf "%s\n" "$ac_cv_c_compiler_gnu" >&6; } ac_compiler_gnu=$ac_cv_c_compiler_gnu if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+y} ac_save_CFLAGS=$CFLAGS { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 printf %s "checking whether $CC accepts -g... " >&6; } if test ${ac_cv_prog_cc_g+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes else case e in #( e) CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 printf "%s\n" "$ac_cv_prog_cc_g" >&6; } if test $ac_test_CFLAGS; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi ac_prog_cc_stdc=no if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C11 features" >&5 printf %s "checking for $CC option to enable C11 features... " >&6; } if test ${ac_cv_prog_cc_c11+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cc_c11=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c11_program _ACEOF for ac_arg in '' -std=gnu11 do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c11=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c11" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC ;; esac fi if test "x$ac_cv_prog_cc_c11" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cc_c11" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 printf "%s\n" "$ac_cv_prog_cc_c11" >&6; } CC="$CC $ac_cv_prog_cc_c11" ;; esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c11 ac_prog_cc_stdc=c11 ;; esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C99 features" >&5 printf %s "checking for $CC option to enable C99 features... " >&6; } if test ${ac_cv_prog_cc_c99+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cc_c99=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c99_program _ACEOF for ac_arg in '' -std=gnu99 -std=c99 -c99 -qlanglvl=extc1x -qlanglvl=extc99 -AC99 -D_STDC_C99= do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c99=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c99" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC ;; esac fi if test "x$ac_cv_prog_cc_c99" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cc_c99" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 printf "%s\n" "$ac_cv_prog_cc_c99" >&6; } CC="$CC $ac_cv_prog_cc_c99" ;; esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 ac_prog_cc_stdc=c99 ;; esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C89 features" >&5 printf %s "checking for $CC option to enable C89 features... " >&6; } if test ${ac_cv_prog_cc_c89+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c89_program _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC ;; esac fi if test "x$ac_cv_prog_cc_c89" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cc_c89" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 printf "%s\n" "$ac_cv_prog_cc_c89" >&6; } CC="$CC $ac_cv_prog_cc_c89" ;; esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 ac_prog_cc_stdc=c89 ;; esac fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ifunc support" >&5 printf %s "checking for ifunc support... " >&6; } if test ${nettle_cv_link_ifunc+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ static int foo_imp(int x) { return 1; } typedef void void_func (void); static void_func * foo_resolv(void) { return (void_func *) foo_imp; } int foo (int x) __attribute__ ((ifunc("foo_resolv"))); int main (void) { return foo(0); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : nettle_cv_link_ifunc=yes else case e in #( e) nettle_cv_link_ifunc=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_link_ifunc" >&5 printf "%s\n" "$nettle_cv_link_ifunc" >&6; } if test "x$nettle_cv_link_ifunc" = xyes ; then printf "%s\n" "#define HAVE_LINK_IFUNC 1" >>confdefs.h fi # Used by the testsuite only ac_ext=cpp ac_cpp='$CXXCPP $CPPFLAGS' ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_cxx_compiler_gnu if test -z "$CXX"; then if test -n "$CCC"; then CXX=$CCC else if test -n "$ac_tool_prefix"; then for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC clang++ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CXX+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CXX"; then ac_cv_prog_CXX="$CXX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CXX="$ac_tool_prefix$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CXX=$ac_cv_prog_CXX if test -n "$CXX"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CXX" >&5 printf "%s\n" "$CXX" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$CXX" && break done fi if test -z "$CXX"; then ac_ct_CXX=$CXX for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC clang++ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CXX+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_CXX"; then ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CXX="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_CXX=$ac_cv_prog_ac_ct_CXX if test -n "$ac_ct_CXX"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CXX" >&5 printf "%s\n" "$ac_ct_CXX" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$ac_ct_CXX" && break done if test "x$ac_ct_CXX" = x; then CXX="g++" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CXX=$ac_ct_CXX fi fi fi fi # Provide some information about the compiler. printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C++ compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C++" >&5 printf %s "checking whether the compiler supports GNU C++... " >&6; } if test ${ac_cv_cxx_compiler_gnu+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : ac_compiler_gnu=yes else case e in #( e) ac_compiler_gnu=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cv_cxx_compiler_gnu=$ac_compiler_gnu ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cxx_compiler_gnu" >&5 printf "%s\n" "$ac_cv_cxx_compiler_gnu" >&6; } ac_compiler_gnu=$ac_cv_cxx_compiler_gnu if test $ac_compiler_gnu = yes; then GXX=yes else GXX= fi ac_test_CXXFLAGS=${CXXFLAGS+y} ac_save_CXXFLAGS=$CXXFLAGS { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CXX accepts -g" >&5 printf %s "checking whether $CXX accepts -g... " >&6; } if test ${ac_cv_prog_cxx_g+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_save_cxx_werror_flag=$ac_cxx_werror_flag ac_cxx_werror_flag=yes ac_cv_prog_cxx_g=no CXXFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_g=yes else case e in #( e) CXXFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : else case e in #( e) ac_cxx_werror_flag=$ac_save_cxx_werror_flag CXXFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cxx_werror_flag=$ac_save_cxx_werror_flag ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_g" >&5 printf "%s\n" "$ac_cv_prog_cxx_g" >&6; } if test $ac_test_CXXFLAGS; then CXXFLAGS=$ac_save_CXXFLAGS elif test $ac_cv_prog_cxx_g = yes; then if test "$GXX" = yes; then CXXFLAGS="-g -O2" else CXXFLAGS="-g" fi else if test "$GXX" = yes; then CXXFLAGS="-O2" else CXXFLAGS= fi fi ac_prog_cxx_stdcxx=no if test x$ac_prog_cxx_stdcxx = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CXX option to enable C++11 features" >&5 printf %s "checking for $CXX option to enable C++11 features... " >&6; } if test ${ac_cv_prog_cxx_cxx11+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cxx_cxx11=no ac_save_CXX=$CXX cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_cxx_conftest_cxx11_program _ACEOF for ac_arg in '' -std=gnu++11 -std=gnu++0x -std=c++11 -std=c++0x -qlanglvl=extended0x -AA do CXX="$ac_save_CXX $ac_arg" if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_cxx11=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cxx_cxx11" != "xno" && break done rm -f conftest.$ac_ext CXX=$ac_save_CXX ;; esac fi if test "x$ac_cv_prog_cxx_cxx11" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cxx_cxx11" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_cxx11" >&5 printf "%s\n" "$ac_cv_prog_cxx_cxx11" >&6; } CXX="$CXX $ac_cv_prog_cxx_cxx11" ;; esac fi ac_cv_prog_cxx_stdcxx=$ac_cv_prog_cxx_cxx11 ac_prog_cxx_stdcxx=cxx11 ;; esac fi fi if test x$ac_prog_cxx_stdcxx = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CXX option to enable C++98 features" >&5 printf %s "checking for $CXX option to enable C++98 features... " >&6; } if test ${ac_cv_prog_cxx_cxx98+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cxx_cxx98=no ac_save_CXX=$CXX cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_cxx_conftest_cxx98_program _ACEOF for ac_arg in '' -std=gnu++98 -std=c++98 -qlanglvl=extended -AA do CXX="$ac_save_CXX $ac_arg" if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_cxx98=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cxx_cxx98" != "xno" && break done rm -f conftest.$ac_ext CXX=$ac_save_CXX ;; esac fi if test "x$ac_cv_prog_cxx_cxx98" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cxx_cxx98" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_cxx98" >&5 printf "%s\n" "$ac_cv_prog_cxx_cxx98" >&6; } CXX="$CXX $ac_cv_prog_cxx_cxx98" ;; esac fi ac_cv_prog_cxx_stdcxx=$ac_cv_prog_cxx_cxx98 ac_prog_cxx_stdcxx=cxx98 ;; esac fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=cpp ac_cpp='$CXXCPP $CPPFLAGS' ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_cxx_compiler_gnu cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { return 0; ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : IF_CXX='' else case e in #( e) IF_CXX='#' ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Check whether --enable-ld-version-script was given. if test ${enable_ld_version_script+y} then : enableval=$enable_ld_version_script; have_ld_version_script=$enableval fi if test -z "$have_ld_version_script"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if LD -Wl,--version-script works" >&5 printf %s "checking if LD -Wl,--version-script works... " >&6; } save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" cat > conftest.map <conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : accepts_syntax_errors=yes else case e in #( e) accepts_syntax_errors=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext if test "$accepts_syntax_errors" = no; then cat > conftest.map <conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : have_ld_version_script=yes else case e in #( e) have_ld_version_script=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext else have_ld_version_script=no fi rm -f conftest.map LDFLAGS="$save_LDFLAGS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $have_ld_version_script" >&5 printf "%s\n" "$have_ld_version_script" >&6; } fi if test "$have_ld_version_script" = "yes";then EXTRA_LINKER_FLAGS="-Wl,--version-script=libnettle.map" EXTRA_HOGWEED_LINKER_FLAGS="-Wl,--version-script=libhogweed.map" fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 printf %s "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`printf "%s\n" "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval test \${ac_cv_prog_make_${ac_make}_set+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make ;; esac fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } SET_MAKE= else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_RANLIB+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 printf "%s\n" "$RANLIB" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_RANLIB"; then ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_RANLIB+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 printf "%s\n" "$ac_ct_RANLIB" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_RANLIB" = x; then RANLIB=":" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RANLIB=$ac_ct_RANLIB fi else RANLIB="$ac_cv_prog_RANLIB" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}nm", so it can be a program name with args. set dummy ${ac_tool_prefix}nm; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_NM+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$NM"; then ac_cv_prog_NM="$NM" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_NM="${ac_tool_prefix}nm" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi NM=$ac_cv_prog_NM if test -n "$NM"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $NM" >&5 printf "%s\n" "$NM" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_NM"; then ac_ct_NM=$NM # Extract the first word of "nm", so it can be a program name with args. set dummy nm; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_NM+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_NM"; then ac_cv_prog_ac_ct_NM="$ac_ct_NM" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_NM="nm" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_NM=$ac_cv_prog_ac_ct_NM if test -n "$ac_ct_NM"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NM" >&5 printf "%s\n" "$ac_ct_NM" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_NM" = x; then NM="strings" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac NM=$ac_ct_NM fi else NM="$ac_cv_prog_NM" fi # Used only for the GNU-stack configure test. if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. set dummy ${ac_tool_prefix}objdump; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_OBJDUMP+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$OBJDUMP"; then ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi OBJDUMP=$ac_cv_prog_OBJDUMP if test -n "$OBJDUMP"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 printf "%s\n" "$OBJDUMP" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_OBJDUMP"; then ac_ct_OBJDUMP=$OBJDUMP # Extract the first word of "objdump", so it can be a program name with args. set dummy objdump; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_OBJDUMP+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_OBJDUMP"; then ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OBJDUMP="objdump" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP if test -n "$ac_ct_OBJDUMP"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 printf "%s\n" "$ac_ct_OBJDUMP" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_OBJDUMP" = x; then OBJDUMP="false" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac OBJDUMP=$ac_ct_OBJDUMP fi else OBJDUMP="$ac_cv_prog_OBJDUMP" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. set dummy ${ac_tool_prefix}ar; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_AR+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$AR"; then ac_cv_prog_AR="$AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_AR="${ac_tool_prefix}ar" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi AR=$ac_cv_prog_AR if test -n "$AR"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 printf "%s\n" "$AR" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_AR"; then ac_ct_AR=$AR # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_AR+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_AR"; then ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_AR="ar" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_AR=$ac_cv_prog_ac_ct_AR if test -n "$ac_ct_AR"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 printf "%s\n" "$ac_ct_AR" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_AR" = x; then AR="false" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac AR=$ac_ct_AR fi else AR="$ac_cv_prog_AR" fi # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 printf %s "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if test ${ac_cv_path_install+y} then : printf %s "(cached) " >&6 else case e in #( e) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac # Account for fact that we put trailing slashes in our PATH walk. case $as_dir in #(( ./ | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir/" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir ;; esac fi if test ${ac_cv_path_install+y}; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 printf "%s\n" "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' # According to the autoconf manual, needs install-sh from # autoconf-2.60 or automake-1.10 to avoid races. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a race-free mkdir -p" >&5 printf %s "checking for a race-free mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if test ${ac_cv_path_mkdir+y} then : printf %s "(cached) " >&6 else case e in #( e) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do as_fn_executable_p "$as_dir$ac_prog$ac_exec_ext" || continue case `"$as_dir$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir ('*'coreutils) '* | \ *'BusyBox '* | \ 'mkdir (fileutils) '4.1*) ac_cv_path_mkdir=$as_dir$ac_prog$ac_exec_ext break 3;; esac done done done IFS=$as_save_IFS ;; esac fi test -d ./--version && rmdir ./--version if test ${ac_cv_path_mkdir+y}; then MKDIR_P="$ac_cv_path_mkdir -p" else # As a last resort, use plain mkdir -p, # in the hope it doesn't have the bugs of ancient mkdir. MKDIR_P='mkdir -p' fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 printf "%s\n" "$MKDIR_P" >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 printf %s "checking whether ln -s works... " >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 printf "%s\n" "no, using $LN_S" >&6; } fi # Compiler tests for the build system if test -n "$CC_FOR_BUILD"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system compiler $CC_FOR_BUILD" >&5 printf %s "checking build system compiler $CC_FOR_BUILD... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 printf "%s\n" "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then : else as_fn_error $? "Specified CC_FOR_BUILD doesn't seem to work" "$LINENO" 5 fi elif test -n "$HOST_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system compiler $HOST_CC" >&5 printf %s "checking build system compiler $HOST_CC... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 printf "%s\n" "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then CC_FOR_BUILD=$HOST_CC else as_fn_error $? "Specified HOST_CC doesn't seem to work" "$LINENO" 5 fi else if test $cross_compiling = no ; then CC_FOR_BUILD="$CC" else for i in gcc cc c89 c99; do { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system compiler $i" >&5 printf %s "checking build system compiler $i... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 printf "%s\n" "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then CC_FOR_BUILD=$i break else : fi done if test -z "$CC_FOR_BUILD"; then as_fn_error $? "Cannot find a build system compiler" "$LINENO" 5 fi fi if test "$CC_FOR_BUILD" = gcc ; then CC_FOR_BUILD="$CC_FOR_BUILD -O -g" fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build system executable suffix" >&5 printf %s "checking for build system executable suffix... " >&6; } if test ${gmp_cv_prog_exeext_for_build+y} then : printf %s "(cached) " >&6 else case e in #( e) if test $cross_compiling = no ; then gmp_cv_prog_exeext_for_build="$EXEEXT" else cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./conftest) 2>&5; then gmp_cv_prog_exeext_for_build=$i break fi fi done rm -f conftest* if test "${gmp_cv_prog_exeext_for_build+set}" != set; then as_fn_error $? "Cannot determine executable suffix" "$LINENO" 5 fi fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $gmp_cv_prog_exeext_for_build" >&5 printf "%s\n" "$gmp_cv_prog_exeext_for_build" >&6; } EXEEXT_FOR_BUILD=$gmp_cv_prog_exeext_for_build # Check if valgrind is working; expected to fail in cross builds. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if valgrind is working" >&5 printf %s "checking if valgrind is working... " >&6; } if test ${nettle_cv_prog_valgrind+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : # Valgrind is known to work poorly and sometimes hang indefinitely # on executables built with gcc's leak-sanitizer and # address-sanitizer, and with clang's memory sanitizer. Attempt to # work around. See https://bugs.kde.org/show_bug.cgi?id=492255 if "$NM" ./conftest$EXEEXT 2>&5 | grep '_lsan_\|_msan_\|_asan_' >/dev/null; then nettle_cv_prog_valgrind=no elif valgrind -q ./conftest$EXEEXT 2>&5; then nettle_cv_prog_valgrind=yes else nettle_cv_prog_valgrind=no fi else case e in #( e) nettle_cv_prog_valgrind=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_prog_valgrind" >&5 printf "%s\n" "$nettle_cv_prog_valgrind" >&6; } if test "$nettle_cv_prog_valgrind" = yes ; then IF_VALGRIND='' else IF_VALGRIND='#' fi # Check whether --enable-dependency_tracking was given. if test ${enable_dependency_tracking+y} then : enableval=$enable_dependency_tracking; else case e in #( e) enable_dependency_tracking=yes ;; esac fi DEP_FLAGS='' DEP_PROCESS='true' if test x$enable_dependency_tracking = xyes ; then if test x$GCC = xyes ; then gcc_version=`gcc --version | head -1` case "$gcc_version" in 2.*|*[!0-9.]2.*) enable_dependency_tracking=no { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Dependency tracking disabled, gcc-3.x is needed" >&5 printf "%s\n" "$as_me: WARNING: Dependency tracking disabled, gcc-3.x is needed" >&2;} ;; *) DEP_FLAGS='-MT $@ -MD -MP -MF $@.d' DEP_PROCESS='true' ;; esac else enable_dependency_tracking=no { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Dependency tracking disabled" >&5 printf "%s\n" "$as_me: WARNING: Dependency tracking disabled" >&2;} fi fi if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi # Checks for typedefs, structures, and compiler characteristics. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 printf %s "checking for an ANSI C-conforming const... " >&6; } if test ${ac_cv_c_const+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __cplusplus /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; /* IBM XL C 1.02.0.0 rejects this. It does not let you subtract one const X* pointer from another in an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this sort of thing. */ char tx; char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; const int *foo = &x[0]; ++foo; } { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ typedef const int *iptr; iptr p = 0; ++p; } { /* IBM XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ struct s { int j; const int *ap[3]; } bx; struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; if (!foo) return 0; } return !cs[0] && !zero.x; #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_const=yes else case e in #( e) ac_cv_c_const=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 printf "%s\n" "$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then printf "%s\n" "#define const /**/" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 printf %s "checking for inline... " >&6; } if test ${ac_cv_c_inline+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo (void) {return 0; } $ac_kw foo_t foo (void) {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext test "$ac_cv_c_inline" != no && break done ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 printf "%s\n" "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac ac_header= ac_cache= for ac_item in $ac_header_c_list do if test $ac_cache; then ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default" if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then printf "%s\n" "#define $ac_item 1" >> confdefs.h fi ac_header= ac_cache= elif test $ac_header; then ac_cache=$ac_item else ac_header=$ac_item fi done if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes then : printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "uid_t" "ac_cv_type_uid_t" "$ac_includes_default" if test "x$ac_cv_type_uid_t" = xyes then : else case e in #( e) printf "%s\n" "#define uid_t int" >>confdefs.h ;; esac fi ac_fn_c_check_type "$LINENO" "gid_t" "ac_cv_type_gid_t" "$ac_includes_default" if test "x$ac_cv_type_gid_t" = xyes then : else case e in #( e) printf "%s\n" "#define gid_t int" >>confdefs.h ;; esac fi ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" if test "x$ac_cv_type_size_t" = xyes then : else case e in #( e) printf "%s\n" "#define size_t unsigned int" >>confdefs.h ;; esac fi # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like 'int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 printf %s "checking size of long... " >&6; } if test ${ac_cv_sizeof_long+y} then : printf %s "(cached) " >&6 else case e in #( e) if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default" then : else case e in #( e) if test "$ac_cv_type_long" = yes; then { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (long) See 'config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_long=0 fi ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 printf "%s\n" "$ac_cv_sizeof_long" >&6; } printf "%s\n" "#define SIZEOF_LONG $ac_cv_sizeof_long" >>confdefs.h # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like 'int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5 printf %s "checking size of size_t... " >&6; } if test ${ac_cv_sizeof_size_t+y} then : printf %s "(cached) " >&6 else case e in #( e) if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default" then : else case e in #( e) if test "$ac_cv_type_size_t" = yes; then { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (size_t) See 'config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_size_t=0 fi ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5 printf "%s\n" "$ac_cv_sizeof_size_t" >&6; } printf "%s\n" "#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t" >>confdefs.h for ac_header in openssl/evp.h openssl/ec.h openssl/rsa.h do : as_ac_Header=`printf "%s\n" "ac_cv_header_$ac_header" | sed "$as_sed_sh"` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes" then : cat >>confdefs.h <<_ACEOF #define `printf "%s\n" "HAVE_$ac_header" | sed "$as_sed_cpp"` 1 _ACEOF else case e in #( e) enable_openssl=no break ;; esac fi done # For use by the testsuite ac_fn_c_check_header_compile "$LINENO" "valgrind/memcheck.h" "ac_cv_header_valgrind_memcheck_h" "$ac_includes_default" if test "x$ac_cv_header_valgrind_memcheck_h" = xyes then : printf "%s\n" "#define HAVE_VALGRIND_MEMCHECK_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default" if test "x$ac_cv_header_dlfcn_h" = xyes then : printf "%s\n" "#define HAVE_DLFCN_H 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 printf %s "checking for dlopen in -ldl... " >&6; } if test ${ac_cv_lib_dl_dlopen+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char dlopen (void); int main (void) { return dlopen (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_dl_dlopen=yes else case e in #( e) ac_cv_lib_dl_dlopen=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 printf "%s\n" "$ac_cv_lib_dl_dlopen" >&6; } if test "x$ac_cv_lib_dl_dlopen" = xyes then : printf "%s\n" "#define HAVE_LIBDL 1" >>confdefs.h fi # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # for constant arguments. Useless! { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 printf %s "checking for working alloca.h... " >&6; } if test ${ac_cv_working_alloca_h+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { char *p = (char *) alloca (2 * sizeof (int)); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_working_alloca_h=yes else case e in #( e) ac_cv_working_alloca_h=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5 printf "%s\n" "$ac_cv_working_alloca_h" >&6; } if test $ac_cv_working_alloca_h = yes; then printf "%s\n" "#define HAVE_ALLOCA_H 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5 printf %s "checking for alloca... " >&6; } if test ${ac_cv_func_alloca_works+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_func_alloca_works=$ac_cv_working_alloca_h if test "$ac_cv_func_alloca_works" != yes then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #ifndef alloca # ifdef __GNUC__ # define alloca __builtin_alloca # elif defined _MSC_VER # include # define alloca _alloca # else # ifdef __cplusplus extern "C" # endif void *alloca (size_t); # endif #endif int main (void) { char *p = (char *) alloca (1); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_func_alloca_works=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5 printf "%s\n" "$ac_cv_func_alloca_works" >&6; } if test $ac_cv_func_alloca_works = yes; then printf "%s\n" "#define HAVE_ALLOCA 1" >>confdefs.h else # The SVR3 libPW and SVR4 libucb both contain incompatible functions # that cause trouble. Some versions do not even contain alloca or # contain a buggy version. If you still want to use their alloca, # use ar to extract alloca.o from them instead of compiling alloca.c. ALLOCA=\${LIBOBJDIR}alloca.$ac_objext printf "%s\n" "#define C_ALLOCA 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5 printf %s "checking stack direction for C alloca... " >&6; } if test ${ac_cv_c_stack_direction+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_c_stack_direction=0 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int find_stack_direction (int *addr, int depth) { int dir, dummy = 0; if (! addr) addr = &dummy; *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1; dir = depth ? find_stack_direction (addr, depth - 1) : 0; return dir + dummy; } int main (int argc, char **argv) { return find_stack_direction (0, argc + !argv + 20) < 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_c_stack_direction=1 else case e in #( e) ac_cv_c_stack_direction=-1 ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5 printf "%s\n" "$ac_cv_c_stack_direction" >&6; } printf "%s\n" "#define STACK_DIRECTION $ac_cv_c_stack_direction" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "malloc.h" "ac_cv_header_malloc_h" "$ac_includes_default" if test "x$ac_cv_header_malloc_h" = xyes then : printf "%s\n" "#define HAVE_MALLOC_H 1" >>confdefs.h fi # getenv_secure is used for fat overrides, # getline is used in the testsuite ac_fn_c_check_func "$LINENO" "secure_getenv" "ac_cv_func_secure_getenv" if test "x$ac_cv_func_secure_getenv" = xyes then : printf "%s\n" "#define HAVE_SECURE_GETENV 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "getline" "ac_cv_func_getline" if test "x$ac_cv_func_getline" = xyes then : printf "%s\n" "#define HAVE_GETLINE 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "elf_aux_info" "ac_cv_func_elf_aux_info" if test "x$ac_cv_func_elf_aux_info" = xyes then : printf "%s\n" "#define HAVE_ELF_AUX_INFO 1" >>confdefs.h fi ASM_WORDS_BIGENDIAN=unknown { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 printf %s "checking whether byte ordering is bigendian... " >&6; } if test ${ac_cv_c_bigendian+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_c_bigendian=unknown # See if we're dealing with a universal compiler. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __APPLE_CC__ not a universal capable compiler #endif typedef int dummy; _ACEOF if ac_fn_c_try_compile "$LINENO" then : # Check for potential -arch flags. It is not universal unless # there are at least two -arch flags with different values. ac_arch= ac_prev= for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do if test -n "$ac_prev"; then case $ac_word in i?86 | x86_64 | ppc | ppc64) if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then ac_arch=$ac_word else ac_cv_c_bigendian=universal break fi ;; esac ac_prev= elif test "x$ac_word" = "x-arch"; then ac_prev=arch fi done fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext if test $ac_cv_c_bigendian = unknown; then # See if sys/param.h defines the BYTE_ORDER macro. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main (void) { #if ! (defined BYTE_ORDER && defined BIG_ENDIAN \\ && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \\ && LITTLE_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : # It does; now see whether it defined to BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main (void) { #if BYTE_ORDER != BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_bigendian=yes else case e in #( e) ac_cv_c_bigendian=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { #if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : # It does; now see whether it defined to _BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { #ifndef _BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_bigendian=yes else case e in #( e) ac_cv_c_bigendian=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # Compile a test program. if test "$cross_compiling" = yes then : # Try to guess by grepping values from an object file. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ unsigned short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; unsigned short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; int use_ascii (int i) { return ascii_mm[i] + ascii_ii[i]; } unsigned short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; unsigned short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; int use_ebcdic (int i) { return ebcdic_mm[i] + ebcdic_ii[i]; } int main (int argc, char **argv) { /* Intimidate the compiler so that it does not optimize the arrays away. */ char *p = argv[0]; ascii_mm[1] = *p++; ebcdic_mm[1] = *p++; ascii_ii[1] = *p++; ebcdic_ii[1] = *p++; return use_ascii (argc) == use_ebcdic (*p); } _ACEOF if ac_fn_c_try_link "$LINENO" then : if grep BIGenDianSyS conftest$ac_exeext >/dev/null; then ac_cv_c_bigendian=yes fi if grep LiTTleEnDian conftest$ac_exeext >/dev/null ; then if test "$ac_cv_c_bigendian" = unknown; then ac_cv_c_bigendian=no else # finding both strings is unlikely to happen, but who knows? ac_cv_c_bigendian=unknown fi fi fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { /* Are we little or big endian? From Harbison&Steele. */ union { long int l; char c[sizeof (long int)]; } u; u.l = 1; return u.c[sizeof (long int) - 1] == 1; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_c_bigendian=no else case e in #( e) ac_cv_c_bigendian=yes ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 printf "%s\n" "$ac_cv_c_bigendian" >&6; } case $ac_cv_c_bigendian in #( yes) printf "%s\n" "#define WORDS_BIGENDIAN 1" >>confdefs.h ASM_WORDS_BIGENDIAN=yes;; #( no) ASM_WORDS_BIGENDIAN=no ;; #( universal) printf "%s\n" "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h ;; #( *) as_fn_error $? "unknown endianness presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for __builtin_bswap64" >&5 printf %s "checking for __builtin_bswap64... " >&6; } if test ${nettle_cv_c_builtin_bswap64+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { uint64_t x = 17; uint64_t y = __builtin_bswap64(x); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : nettle_cv_c_builtin_bswap64=yes else case e in #( e) nettle_cv_c_builtin_bswap64=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_c_builtin_bswap64" >&5 printf "%s\n" "$nettle_cv_c_builtin_bswap64" >&6; } if test "x$nettle_cv_c_builtin_bswap64" = "xyes" ; then printf "%s\n" "#define HAVE_BUILTIN_BSWAP64 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for __attribute__" >&5 printf %s "checking for __attribute__... " >&6; } if test ${lsh_cv_c_attribute+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include static void foo(void) __attribute__ ((noreturn)); static void __attribute__ ((noreturn)) foo(void) { exit(1); } int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : lsh_cv_c_attribute=yes else case e in #( e) lsh_cv_c_attribute=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $lsh_cv_c_attribute" >&5 printf "%s\n" "$lsh_cv_c_attribute" >&6; } if test "x$lsh_cv_c_attribute" = "xyes"; then printf "%s\n" "#define HAVE_GCC_ATTRIBUTE 1" >>confdefs.h fi # Check for file locking. We (AC_PROG_CC?) have already checked for # sys/types.h and unistd.h. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for fcntl file locking" >&5 printf %s "checking for fcntl file locking... " >&6; } if test ${nettle_cv_fcntl_locking+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if HAVE_SYS_TYPES_H # include #endif #if HAVE_UNISTD_H # include #endif #include int main (void) { int op = F_SETLKW; struct flock fl; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : nettle_cv_fcntl_locking=yes else case e in #( e) nettle_cv_fcntl_locking=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_fcntl_locking" >&5 printf "%s\n" "$nettle_cv_fcntl_locking" >&6; } if test "x$nettle_cv_fcntl_locking" = "xyes" ; then printf "%s\n" "#define HAVE_FCNTL_LOCKING 1" >>confdefs.h fi # Checks for libraries if test "x$enable_public_key" = "xyes" ; then if test "x$enable_mini_gmp" = "xno" ; then # mpn_zero_p was added in GMP-6.1.0 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for __gmpn_zero_p in -lgmp" >&5 printf %s "checking for __gmpn_zero_p in -lgmp... " >&6; } if test ${ac_cv_lib_gmp___gmpn_zero_p+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lgmp $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char __gmpn_zero_p (void); int main (void) { return __gmpn_zero_p (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_gmp___gmpn_zero_p=yes else case e in #( e) ac_cv_lib_gmp___gmpn_zero_p=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpn_zero_p" >&5 printf "%s\n" "$ac_cv_lib_gmp___gmpn_zero_p" >&6; } if test "x$ac_cv_lib_gmp___gmpn_zero_p" = xyes then : printf "%s\n" "#define HAVE_LIBGMP 1" >>confdefs.h LIBS="-lgmp $LIBS" else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable." >&5 printf "%s\n" "$as_me: WARNING: GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable." >&2;} enable_public_key=no ;; esac fi fi fi nettle_cv_gmp_numb_bits=0 if test "x$enable_public_key" = "xyes" ; then # Check for gmp limb size if test "x$enable_mini_gmp" = "xyes" ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for mini-gmp limb size" >&5 printf %s "checking for mini-gmp limb size... " >&6; } # With mini-gmp, mp_limb_t is always unsigned long. if ac_fn_c_compute_int "$LINENO" "(sizeof(unsigned long) * CHAR_BIT)" "nettle_cv_gmp_numb_bits" "#include " then : else case e in #( e) { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot find value of GMP_NUMB_BITS See 'config.log' for more details" "$LINENO" 5; } ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 printf "%s\n" "$nettle_cv_gmp_numb_bits bits" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GMP limb size" >&5 printf %s "checking for GMP limb size... " >&6; } if ac_fn_c_compute_int "$LINENO" "GMP_NUMB_BITS" "nettle_cv_gmp_numb_bits" "#include " then : else case e in #( e) { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot find value of GMP_NUMB_BITS See 'config.log' for more details" "$LINENO" 5; } ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 printf "%s\n" "$nettle_cv_gmp_numb_bits bits" >&6; } fi fi # Substituted in Makefile, passed on to the eccdata command. NUMB_BITS="$nettle_cv_gmp_numb_bits" # Substituted in version.h, used only with mini-gmp. if test "x$enable_mini_gmp" = "xyes" ; then GMP_NUMB_BITS="$NUMB_BITS" else GMP_NUMB_BITS="n/a" fi # Figure out ABI. Currently, configurable only by setting CFLAGS. ABI=standard ELFV2_ABI=no # For powerpc64 W64_ABI=no # For x86_64 windows case "$host_cpu" in x86_64 | amd64) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__x86_64__) || defined(__arch64__) #error 64-bit x86 #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else case e in #( e) ABI=64 ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *sparc*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__sparcv9) || defined(__arch64__) #error 64-bit sparc #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else case e in #( e) ABI=64 ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *mips64*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__mips64) || defined(__mips64__) || (defined(__sgi) && defined(__LP64__)) #error 64-bit mips #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else case e in #( e) ABI=64 ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *powerpc64*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__PPC64__) #error 64-bit powerpc #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else case e in #( e) ABI=64 ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext if test "$ABI" = 64 ; then cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if _CALL_ELF == 2 #error ELFv2 ABI #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) ELFV2_ABI=yes ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext if test "$enable_assembler" = yes ; then cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__VSX__) #error VSX available #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: VSX instructions (Power7 or later) not available, disabling use of assembly." >&5 printf "%s\n" "$as_me: WARNING: VSX instructions (Power7 or later) not available, disabling use of assembly." >&2;} enable_assembler=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi ;; aarch64*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__aarch64__) #error 64-bit arm #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else case e in #( e) ABI=64 ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *s390x*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__s390x__) #error 64-bit s390x #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else case e in #( e) ABI=64 ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac if test "x$ABI" != xstandard ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: Compiler uses $ABI-bit ABI. To change, set CC." >&5 printf "%s\n" "$as_me: Compiler uses $ABI-bit ABI. To change, set CC." >&6;} fi OPT_NETTLE_SOURCES="" FAT_OVERRIDE_LIST="" FAT_EMULATE_LIST="" ASM_PPC_WANT_R_REGISTERS="n/a" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in x86 | i?86* | k[5-8]* | pentium* | athlon) asm_path=x86 ;; x86_64 | amd64) if test "$ABI" = 64 ; then asm_path=x86_64 if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" # For now, not enabling aesni or sha_ni, since at least # the latter appears unavailable on the gitlab test machines. FAT_OVERRIDE_LIST="vendor:intel vendor:amd" else if test "x$enable_x86_aesni" = xyes ; then asm_path="x86_64/aesni $asm_path" fi if test "x$enable_x86_sha_ni" = xyes ; then asm_path="x86_64/sha_ni $asm_path" fi if test "x$enable_x86_pclmul" = xyes ; then asm_path="x86_64/pclmul $asm_path" fi fi else asm_path=x86 fi ;; *sparc*) if test "$ABI" = 64 ; then asm_path=sparc64 fi ;; arm*) asm_path=arm if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="arch:5 arch:6,neon" else case "$host_cpu" in armv6* | armv7*) if test "$enable_arm_neon" = auto ; then if test "$cross_compiling" = yes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if assembler accepts Neon instructions" >&5 printf %s "checking if assembler accepts Neon instructions... " >&6; } if test ${nettle_cv_asm_arm_neon+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_arm_neon=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_arm_neon=no fi rm -f conftest* ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_arm_neon" >&5 printf "%s\n" "$nettle_cv_asm_arm_neon" >&6; } enable_arm_neon="$nettle_cv_asm_arm_neon" else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if /proc/cpuinfo claims neon support" >&5 printf %s "checking if /proc/cpuinfo claims neon support... " >&6; } if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then enable_arm_neon=yes else enable_arm_neon=no fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_arm_neon" >&5 printf "%s\n" "$enable_arm_neon" >&6; } fi fi asm_path="arm/v6 arm" ;; esac if test "x$enable_arm_neon" = xyes ; then asm_path="arm/neon $asm_path" fi fi ;; aarch64*) if test "$ABI" = 64 ; then asm_path=arm64 if test "x$enable_fat" = xyes ; then asm_path="arm64/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm64.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="none aes pmull sha1 sha2" else if test "$enable_arm64_crypto" = yes ; then asm_path="arm64/crypto $asm_path" fi fi else # As far as I understand, Neon instructions are unlikely to be # missing. It may be omitted "only for implementations # targeting specialized markets", to quote the Armv8 reference # manual. asm_path="arm/neon arm/v6 arm" fi ;; *powerpc64*) if test "$ABI" = 64 ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if the assembler needs r on registers" >&5 printf %s "checking if the assembler needs r on registers... " >&6; } if test ${gmp_cv_asm_powerpc_r_registers+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 gmp_cv_asm_powerpc_r_registers=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 gmp_cv_asm_powerpc_r_registers=no else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 as_fn_error $? "neither \"mtctr 6\" nor \"mtctr r6\" works" "$LINENO" 5 fi rm -f conftest* fi rm -f conftest* ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $gmp_cv_asm_powerpc_r_registers" >&5 printf "%s\n" "$gmp_cv_asm_powerpc_r_registers" >&6; } ASM_PPC_WANT_R_REGISTERS="$gmp_cv_asm_powerpc_r_registers" asm_path="powerpc64" if test "x$enable_fat" = xyes ; then asm_path="powerpc64/fat $asm_path" OPT_NETTLE_SOURCES="fat-ppc.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="none crypto_ext altivec power9" # No debian support for power7, making it hard to test. FAT_EMULATE_LIST="power8 power9" else if test "$enable_power9" = yes ; then asm_path="powerpc64/p9 $asm_path" fi if test "$enable_power_crypto_ext" = yes ; then asm_path="powerpc64/p8 $asm_path" fi if test "$enable_power_altivec" = yes ; then asm_path="powerpc64/p7 $asm_path" fi fi fi ;; *s390x*) if test "$ABI" = 64 ; then asm_path="s390x" if test "x$enable_fat" = xyes ; then asm_path="s390x/fat $asm_path" OPT_NETTLE_SOURCES="fat-s390x.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="none vf msa msa_x1 msa_x2 msa_x4" else if test "$enable_s390x_vf" = yes ; then asm_path="s390x/vf $asm_path" fi if test "$enable_s390x_msa" = yes ; then asm_path="s390x/msa s390x/msa_x1 s390x/msa_x2 s390x/msa_x4 $asm_path" fi fi fi ;; *) enable_assembler=no ;; esac fi # Files which replace a C source file (or otherwise don't correspond # to a new object file). asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ aes-invert-internal.asm \ aes128-set-encrypt-key.asm aes128-set-decrypt-key.asm \ aes128-encrypt.asm aes128-decrypt.asm \ aes192-set-encrypt-key.asm aes192-set-decrypt-key.asm \ aes192-encrypt.asm aes192-decrypt.asm \ aes256-set-encrypt-key.asm aes256-set-decrypt-key.asm \ aes256-encrypt.asm aes256-decrypt.asm \ cbc-aes128-encrypt.asm cbc-aes192-encrypt.asm \ cbc-aes256-encrypt.asm \ camellia-crypt-internal.asm \ memxor.asm memxor3.asm \ ghash-set-key.asm ghash-update.asm \ poly1305-internal.asm \ chacha-core-internal.asm \ salsa20-crypt.asm salsa20-core-internal.asm \ serpent-encrypt.asm serpent-decrypt.asm \ sha1-compress.asm sha256-compress-n.asm sha512-compress.asm \ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. asm_nettle_optional_list="cpuid.asm cpu-facility.asm \ memxor-2.asm memxor3-2.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm aes-invert-internal-2.asm \ aes128-set-encrypt-key-2.asm aes128-set-decrypt-key-2.asm \ aes128-encrypt-2.asm aes128-decrypt-2.asm \ aes192-set-encrypt-key-2.asm aes192-set-decrypt-key-2.asm \ aes192-encrypt-2.asm aes192-decrypt-2.asm \ aes256-set-encrypt-key-2.asm aes256-set-decrypt-key-2.asm \ aes256-encrypt-2.asm aes256-decrypt-2.asm \ cbc-aes128-encrypt-2.asm cbc-aes192-encrypt-2.asm cbc-aes256-encrypt-2.asm \ chacha-2core.asm chacha-3core.asm chacha-4core.asm chacha-core-internal-2.asm \ poly1305-blocks.asm poly1305-internal-2.asm \ ghash-set-key-2.asm ghash-update-2.asm \ gcm-aes-encrypt.asm gcm-aes-encrypt-2.asm \ gcm-aes-decrypt.asm gcm-aes-decrypt-2.asm\ salsa20-2core.asm salsa20-core-internal-2.asm \ sha1-compress-2.asm sha256-compress-n-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then asm_hogweed_optional_list="ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \ ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm \ ecc-curve25519-modp.asm ecc-curve448-modp.asm" fi OPT_NETTLE_OBJS="" OPT_HOGWEED_OBJS="" asm_file_list="" if test "x$enable_assembler" = xyes ; then if test -n "$asm_path"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: Looking for assembler files in $asm_path." >&5 printf "%s\n" "$as_me: Looking for assembler files in $asm_path." >&6;} for tmp_f in $asm_replace_list ; do for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_f"; then asm_file_list="$asm_file_list $tmp_f" ac_config_links="$ac_config_links $tmp_f:$asm_dir/$tmp_f" break fi done done for tmp_n in $asm_nettle_optional_list ; do tmp_b=`echo "$tmp_n" | sed 's/\.[^.]*$//'` for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_n"; then asm_file_list="$asm_file_list $tmp_n" ac_config_links="$ac_config_links $tmp_n:$asm_dir/$tmp_n" while read tmp_func ; do printf "%s\n" "#define HAVE_NATIVE_$tmp_func 1" >>confdefs.h eval HAVE_NATIVE_$tmp_func=yes done <&5 printf "%s\n" "$as_me: WARNING: skipping $tmp_h, because GMP_NUMB_BITS != $tmp_bits" >&2;} continue fi asm_file_list="$asm_file_list $tmp_h" ac_config_links="$ac_config_links $tmp_h:$asm_dir/$tmp_h" while read tmp_func ; do printf "%s\n" "#define HAVE_NATIVE_$tmp_func 1" >>confdefs.h eval HAVE_NATIVE_$tmp_func=yes done <&5 printf "%s\n" "$as_me: WARNING: No assembler files found." >&2;} fi fi case "$host_os" in darwin*) ASM_RODATA='.section __TEXT,__const' ;; *) ASM_RODATA='.section .rodata' ;; esac fi if test "x$enable_assembler" = xyes ; then IF_ASM='' else IF_ASM='#' fi if test "x$enable_pic" = xyes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking CCPIC" >&5 printf %s "checking CCPIC... " >&6; } if test ${lsh_cv_sys_ccpic+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -z "$CCPIC" ; then if test "$GCC" = yes ; then case "$host_os" in bsdi4.*) CCPIC="-fPIC" ;; bsdi*) CCPIC="" ;; darwin*) CCPIC="-fPIC" ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; # Could also use -fpic, depending on the number of symbol references solaris*) CCPIC="-fPIC" ;; cygwin*) CCPIC="" ;; mingw32*) CCPIC="" ;; *) CCPIC="-fpic" ;; esac else case "$host_os" in darwin*) CCPIC="-fPIC" ;; irix*) CCPIC="-share" ;; hpux*) CCPIC="+z"; ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; solaris*) CCPIC="-KPIC -Bdynamic" ;; winnt*) CCPIC="-shared" ;; *) CCPIC="" ;; esac fi fi OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $CCPIC" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : lsh_cv_sys_ccpic="$CCPIC" else case e in #( e) lsh_cv_sys_ccpic='' ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext CFLAGS="$OLD_CFLAGS" ;; esac fi CCPIC="$lsh_cv_sys_ccpic" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CCPIC" >&5 printf "%s\n" "$CCPIC" >&6; } else CCPIC='' fi IF_DLL='#' LIBNETTLE_FILE_SRC='$(LIBNETTLE_FORLINK)' LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FORLINK)' EMULATOR='' case "$host_os" in mingw32*|cygwin*) # The actual DLLs, e.g. libnettle-$major-$minor.dll, are normally # installed into the bin dir (or more exactly $libdir/../bin, for # automake), while libnettle.dll.a, which is a stub file for # linking to the DLL, is installed into the lib dir. case "$host_os" in mingw32*) LIBNETTLE_FORLINK='libnettle-$(LIBNETTLE_MAJOR).dll' LIBHOGWEED_FORLINK='libhogweed-$(LIBHOGWEED_MAJOR).dll' ;; cygwin*) LIBNETTLE_FORLINK='cygnettle-$(LIBNETTLE_MAJOR).dll' LIBHOGWEED_FORLINK='cyghogweed-$(LIBHOGWEED_MAJOR).dll' ;; esac if test "x$cross_compiling" = xyes ; then EMULATOR=wine fi if test "x$ABI" = x64 ; then W64_ABI=yes fi LIBNETTLE_SONAME='' LIBNETTLE_FILE='libnettle.dll.a' LIBNETTLE_FILE_SRC='$(LIBNETTLE_FILE)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBNETTLE_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' LIBNETTLE_LIBS='-Wl,--no-whole-archive $(LIBS)' LIBHOGWEED_SONAME='' LIBHOGWEED_FILE='libhogweed.dll.a' LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FILE)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBHOGWEED_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' LIBHOGWEED_LIBS='-Wl,--no-whole-archive $(LIBS) libnettle.dll.a' IF_DLL='' ;; midipix*) if test "x$ABI" = x64 ; then W64_ABI=yes fi LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-dsolib=libnettle.lib.a -Wl,-soname=$(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-dsolib=libhogweed.lib.a -Wl,-soname=$(LIBHOGWEED_SONAME)' LIBHOGWEED_LIBS='$(LIBS) .lib/libnettle.so.8' ;; darwin*) LIBNETTLE_FORLINK=libnettle.dylib LIBNETTLE_SONAME='libnettle.$(LIBNETTLE_MAJOR).dylib' LIBNETTLE_FILE='libnettle.$(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR).dylib' LIBNETTLE_LINK='$(CC) $(CFLAGS) -dynamiclib $(LDFLAGS) -install_name ${libdir}/$(LIBNETTLE_SONAME) -compatibility_version $(LIBNETTLE_MAJOR) -current_version $(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.dylib LIBHOGWEED_SONAME='libhogweed.$(LIBHOGWEED_MAJOR).dylib' LIBHOGWEED_FILE='libhogweed.$(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR).dylib' LIBHOGWEED_LINK='$(CC) $(CFLAGS) -dynamiclib -L. $(LDFLAGS) -install_name ${libdir}/$(LIBHOGWEED_SONAME) -compatibility_version $(LIBHOGWEED_MAJOR) -current_version $(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LIBS='-lnettle $(LIBS)' ;; solaris*) # Sun's ld uses -h to set the soname, and this option is passed # through by both Sun's compiler and gcc. Might not work with GNU # ld, but it's unusual to use GNU ld on Solaris. LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -h $(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) --shared -h $(LIBHOGWEED_SONAME)' LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; *) LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBHOGWEED_SONAME)' # Requested by debian, to make linking with only -lhogweed work # (does not work in general, e.g., with static linking all of # -lhogweed -lgmp -lnettle are still required). Also makes dlopen # of libhogweed.so work, without having to use RTLD_GLOBAL. LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; esac ASM_SYMBOL_PREFIX='' ASM_ELF_STYLE='no' ASM_COFF_STYLE='no' # GNU as default is to use @ ASM_TYPE_FUNCTION='@function' ASM_TYPE_PROGBITS='@progbits' ASM_MARK_NOEXEC_STACK='' ASM_ALIGN_LOG='' if test x$enable_assembler = xyes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if globals are prefixed by underscore" >&5 printf %s "checking if globals are prefixed by underscore... " >&6; } if test ${nettle_cv_asm_underscore+y} then : printf %s "(cached) " >&6 else case e in #( e) # Default is no underscore nettle_cv_asm_underscore=no cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int a_global_symbol; _ACEOF if ac_fn_c_try_compile "$LINENO" then : $NM conftest.$OBJEXT >conftest.out if grep _a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=yes elif grep a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=no else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: nm does not list a_global_symbol at all" >&5 printf "%s\n" "$as_me: WARNING: nm does not list a_global_symbol at all" >&2;} fi else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: test program with a single global could not be compiled!?" >&5 printf "%s\n" "$as_me: WARNING: test program with a single global could not be compiled!?" >&2;} ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_underscore" >&5 printf "%s\n" "$nettle_cv_asm_underscore" >&6; } if test x$nettle_cv_asm_underscore = xyes ; then ASM_SYMBOL_PREFIX='_' fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,%function pseudo-ops" >&5 printf %s "checking for ELF-style .type,%function pseudo-ops... " >&6; } if test ${nettle_cv_asm_type_percent_function+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_type_percent_function=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_type_percent_function=no fi rm -f conftest* ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_percent_function" >&5 printf "%s\n" "$nettle_cv_asm_type_percent_function" >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,#function pseudo-ops" >&5 printf %s "checking for ELF-style .type,#function pseudo-ops... " >&6; } if test ${nettle_cv_asm_type_hash_function+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_type_hash_function=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_type_hash_function=no fi rm -f conftest* ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_hash_function" >&5 printf "%s\n" "$nettle_cv_asm_type_hash_function" >&6; } if test x$nettle_cv_asm_type_percent_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='%function' ASM_TYPE_PROGBITS='%progbits' else if test x$nettle_cv_asm_type_hash_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='#function' ASM_TYPE_PROGBITS='#progbits' fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for COFF-style .type directive" >&5 printf %s "checking for COFF-style .type directive... " >&6; } if test ${nettle_cv_asm_coff_type+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_coff_type=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_coff_type=no fi rm -f conftest* ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_coff_type" >&5 printf "%s\n" "$nettle_cv_asm_coff_type" >&6; } if test "x$nettle_cv_asm_coff_type" = "xyes" ; then ASM_COFF_STYLE=yes fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if we should use a .note.GNU-stack section" >&5 printf %s "checking if we should use a .note.GNU-stack section... " >&6; } if test ${nettle_cv_asm_gnu_stack+y} then : printf %s "(cached) " >&6 else case e in #( e) # Default nettle_cv_asm_gnu_stack=no cat >conftest.c <&5 (eval $nettle_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ && nettle_cv_asm_gnu_stack=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 fi rm -f conftest.* ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_gnu_stack" >&5 printf "%s\n" "$nettle_cv_asm_gnu_stack" >&6; } if test x$nettle_cv_asm_gnu_stack = xyes ; then ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if .align assembly directive is logarithmic" >&5 printf %s "checking if .align assembly directive is logarithmic... " >&6; } if test ${nettle_cv_asm_align_log+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_align_log=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_align_log=no fi rm -f conftest* ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_align_log" >&5 printf "%s\n" "$nettle_cv_asm_align_log" >&6; } ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if Intel CET is enabled" >&5 printf %s "checking if Intel CET is enabled... " >&6; } if test ${nettle_cv_asm_x86_intel_cet+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __CET__ #error Intel CET is not enabled #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : nettle_cv_asm_x86_intel_cet=yes else case e in #( e) nettle_cv_asm_x86_intel_cet=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_x86_intel_cet" >&5 printf "%s\n" "$nettle_cv_asm_x86_intel_cet" >&6; } if test "$nettle_cv_asm_x86_intel_cet" = yes; then case $ABI in 32|standard) ASM_X86_ENDBR=endbr32 ASM_X86_MARK_CET_ALIGN=2 ;; 64) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=3 ;; x32) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=2 ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if .note.gnu.property section is needed" >&5 printf %s "checking if .note.gnu.property section is needed... " >&6; } if test ${nettle_cv_asm_x86_gnu_property+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if !defined __ELF__ || !defined __CET__ #error GNU property is not needed #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : nettle_cv_asm_x86_gnu_property=yes else case e in #( e) nettle_cv_asm_x86_gnu_property=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_x86_gnu_property" >&5 printf "%s\n" "$nettle_cv_asm_x86_gnu_property" >&6; } else nettle_cv_asm_x86_gnu_property=no fi if test "$nettle_cv_asm_x86_gnu_property" = yes; then ASM_X86_MARK_CET=' .pushsection ".note.gnu.property", "a" .p2align ASM_X86_MARK_CET_ALIGN .long 1f - 0f .long 4f - 1f .long 5 0: .asciz "GNU" 1: .p2align ASM_X86_MARK_CET_ALIGN .long 0xc0000002 .long 3f - 2f 2: .long 3 3: .p2align ASM_X86_MARK_CET_ALIGN 4: .popsection' fi # Extract the first word of "m4", so it can be a program name with args. set dummy m4; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_path_M4+y} then : printf %s "(cached) " >&6 else case e in #( e) case $M4 in [\\/]* | ?:[\\/]*) ac_cv_path_M4="$M4" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_path_M4="$as_dir$ac_word$ac_exec_ext" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_M4" && ac_cv_path_M4="m4" ;; esac ;; esac fi M4=$ac_cv_path_M4 if test -n "$M4"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $M4" >&5 printf "%s\n" "$M4" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$enable_public_key" = xyes ; then printf "%s\n" "#define WITH_HOGWEED 1" >>confdefs.h IF_HOGWEED='' else IF_HOGWEED='#' fi if test "x$enable_static" = xyes ; then IF_STATIC='' else IF_STATIC='#' fi IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' IF_NOT_SHARED='#' if test "x$ac_cv_lib_dl_dlopen" = xyes ; then IF_DLOPEN_TEST='' fi else IF_SHARED='#' IF_NOT_SHARED='' fi # Documentation tools if test "x$enable_documentation" != "xno"; then # Extract the first word of "makeinfo", so it can be a program name with args. set dummy makeinfo; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_path_MAKEINFO+y} then : printf %s "(cached) " >&6 else case e in #( e) case $MAKEINFO in [\\/]* | ?:[\\/]*) ac_cv_path_MAKEINFO="$MAKEINFO" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_path_MAKEINFO="$as_dir$ac_word$ac_exec_ext" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_MAKEINFO" && ac_cv_path_MAKEINFO="not-found" ;; esac ;; esac fi MAKEINFO=$ac_cv_path_MAKEINFO if test -n "$MAKEINFO"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $MAKEINFO" >&5 printf "%s\n" "$MAKEINFO" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$MAKEINFO" != "xnot-found"; then enable_documentation=yes else if test "x$enable_documentation" == "xauto" ; then enable_documentation=no else as_fn_error $? "Cannot find 'makeinfo', required for documentation." "$LINENO" 5 fi fi fi if test "x$enable_documentation" = "xyes" ; then IF_DOCUMENTATION='' else IF_DOCUMENTATION='#' fi if test "x$enable_mini_gmp" = "xyes" ; then IF_MINI_GMP='' else IF_MINI_GMP='#' fi OPENSSL_LIBFLAGS='' # Check for openssl's libcrypto (used only for benchmarking) if test x$enable_openssl = xyes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto" >&5 printf %s "checking for EVP_CIPHER_CTX_new in -lcrypto... " >&6; } if test ${ac_cv_lib_crypto_EVP_CIPHER_CTX_new+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lcrypto $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char EVP_CIPHER_CTX_new (void); int main (void) { return EVP_CIPHER_CTX_new (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_crypto_EVP_CIPHER_CTX_new=yes else case e in #( e) ac_cv_lib_crypto_EVP_CIPHER_CTX_new=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_EVP_CIPHER_CTX_new" >&5 printf "%s\n" "$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" >&6; } if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" = xyes then : OPENSSL_LIBFLAGS='-lcrypto' else case e in #( e) enable_openssl=no ;; esac fi fi if test x$enable_openssl = xyes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if openssl supports the functions used by nettle benchmark programs" >&5 printf %s "checking if openssl supports the functions used by nettle benchmark programs... " >&6; } save_LIBS="$LIBS" LIBS="$LIBS $OPENSSL_LIBFLAGS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include int main (void) { EVP_MD_CTX *cipher_ctx = EVP_CIPHER_CTX_new(); EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_PKEY *rsa_key = EVP_RSA_gen(2048); EVP_PKEY *ec_key = EVP_EC_gen("P-256"); int res = EVP_DigestSignFinal (md_ctx, NULL, NULL); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } printf "%s\n" "#define WITH_OPENSSL 1" >>confdefs.h else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } enable_openssl=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$save_LIBS fi # clock_gettime is in librt on *-*-osf5.1 and on glibc, so add -lrt to # BENCH_LIBS if needed. On linux (tested on x86_32, 2.6.26), # clock_getres reports ns accuracy, while in a quick test on osf # clock_getres said only 1 millisecond. old_LIBS="$LIBS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5 printf %s "checking for library containing clock_gettime... " >&6; } if test ${ac_cv_search_clock_gettime+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char clock_gettime (void); int main (void) { return clock_gettime (); ; return 0; } _ACEOF for ac_lib in '' rt do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_clock_gettime=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_clock_gettime+y} then : break fi done if test ${ac_cv_search_clock_gettime+y} then : else case e in #( e) ac_cv_search_clock_gettime=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5 printf "%s\n" "$ac_cv_search_clock_gettime" >&6; } ac_res=$ac_cv_search_clock_gettime if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" printf "%s\n" "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h fi BENCH_LIBS="$LIBS" LIBS="$old_LIBS" # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then CFLAGS="$CFLAGS -ggdb3 -Wall -W -Wno-sign-compare \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" # Don't enable -Wcast-align as it results in tons of warnings in the # DES code. And when using stdio. # Don't enable -Waggregate-return, as that causes warnings for glibc # inttypes.h. fi ac_config_files="$ac_config_files config.make config.m4 Makefile version.h" ac_config_files="$ac_config_files tools/Makefile testsuite/Makefile examples/Makefile" ac_config_files="$ac_config_files nettle.pc hogweed.pc libnettle.map libhogweed.map" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # 'ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* 'ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # 'set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # 'set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test ${\1+y} || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 printf "%s\n" "$as_me: updating cache $cache_file" >&6;} if test ! -f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 printf "%s\n" "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`printf "%s\n" "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 printf "%s\n" "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case e in #( e) case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac ;; esac fi # Reset variables that may have inherited troublesome values from # the environment. # IFS needs to be set, to space, tab, and newline, in precisely that order. # (If _AS_PATH_WALK were called with IFS unset, it would have the # side effect of setting IFS to empty, thus disabling word splitting.) # Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl IFS=" "" $as_nl" PS1='$ ' PS2='> ' PS4='+ ' # Ensure predictable behavior from utilities with locale-dependent output. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # We cannot yet rely on "unset" to work, but we need these variables # to be unset--not just set to an empty or harmless value--now, to # avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct # also avoids known problems related to "unset" and subshell syntax # in other old shells (e.g. bash 2.01 and pdksh 5.2.14). for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH do eval test \${$as_var+y} \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done # Ensure that fds 0, 1, and 2 are open. if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi if (exec 3>&2) ; then :; else exec 2>/dev/null; fi # The user is always right. if ${PATH_SEPARATOR+false} :; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac test -r "$as_dir$0" && as_myself=$as_dir$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as 'sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi printf "%s\n" "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null then : eval 'as_fn_append () { eval $1+=\$2 }' else case e in #( e) as_fn_append () { eval $1=\$$1\$2 } ;; esac fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null then : eval 'as_fn_arith () { as_val=$(( $* )) }' else case e in #( e) as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } ;; esac fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits # Determine whether it's possible to make 'echo' print without a newline. # These variables are no longer used directly by Autoconf, but are AC_SUBSTed # for compatibility with existing Makefiles. ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac # For backward compatibility with old third-party macros, we provide # the shell variables $as_echo and $as_echo_n. New code should use # AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. as_echo='printf %s\n' as_echo_n='printf %s' rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both 'ln -s file dir' and 'ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; 'ln -s' creates a wrapper executable. # In both cases, we have to default to 'cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_sed_cpp="y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" as_tr_cpp="eval sed '$as_sed_cpp'" # deprecated # Sed expression to map a string onto a valid variable name. as_sed_sh="y%*+%pp%;s%[^_$as_cr_alnum]%_%g" as_tr_sh="eval sed '$as_sed_sh'" # deprecated exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by nettle $as_me 4.0, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" config_links="$ac_config_links" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ '$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Configuration links: $config_links Report bugs to ." _ACEOF ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"` ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"` cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ nettle config.status 4.0 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" Copyright (C) 2023 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' MKDIR_P='$MKDIR_P' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) printf "%s\n" "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) printf "%s\n" "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: '$1' Try '$0 --help' for more information.";; --help | --hel | -h ) printf "%s\n" "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: '$1' Try '$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \printf "%s\n" "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX printf "%s\n" "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; "$tmp_f") CONFIG_LINKS="$CONFIG_LINKS $tmp_f:$asm_dir/$tmp_f" ;; "$tmp_n") CONFIG_LINKS="$CONFIG_LINKS $tmp_n:$asm_dir/$tmp_n" ;; "$tmp_h") CONFIG_LINKS="$CONFIG_LINKS $tmp_h:$asm_dir/$tmp_h" ;; "config.make") CONFIG_FILES="$CONFIG_FILES config.make" ;; "config.m4") CONFIG_FILES="$CONFIG_FILES config.m4" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "version.h") CONFIG_FILES="$CONFIG_FILES version.h" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; "testsuite/Makefile") CONFIG_FILES="$CONFIG_FILES testsuite/Makefile" ;; "examples/Makefile") CONFIG_FILES="$CONFIG_FILES examples/Makefile" ;; "nettle.pc") CONFIG_FILES="$CONFIG_FILES nettle.pc" ;; "hogweed.pc") CONFIG_FILES="$CONFIG_FILES hogweed.pc" ;; "libnettle.map") CONFIG_FILES="$CONFIG_FILES libnettle.map" ;; "libhogweed.map") CONFIG_FILES="$CONFIG_FILES libhogweed.map" ;; *) as_fn_error $? "invalid argument: '$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test ${CONFIG_FILES+y} || CONFIG_FILES=$config_files test ${CONFIG_HEADERS+y} || CONFIG_HEADERS=$config_headers test ${CONFIG_LINKS+y} || CONFIG_LINKS=$config_links fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to '$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with './config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with './config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script 'defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :L $CONFIG_LINKS " shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag '$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain ':'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: '$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`printf "%s\n" "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is 'configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` printf "%s\n" "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 printf "%s\n" "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`printf "%s\n" "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac ac_MKDIR_P=$MKDIR_P case $MKDIR_P in [\\/$]* | ?:[\\/]* ) ;; */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 printf "%s\n" "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when '$srcdir' = '.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable 'datarootdir' which seems to be undefined. Please make sure it is defined" >&5 printf "%s\n" "$as_me: WARNING: $ac_file contains a reference to the variable 'datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { printf "%s\n" "/* $configure_input */" >&1 \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 printf "%s\n" "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else printf "%s\n" "/* $configure_input */" >&1 \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi ;; :L) # # CONFIG_LINK # if test "$ac_source" = "$ac_file" && test "$srcdir" = '.'; then : else # Prefer the file from the source tree if names are identical. if test "$ac_source" = "$ac_file" || test ! -r "$ac_source"; then ac_source=$srcdir/$ac_source fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: linking $ac_source to $ac_file" >&5 printf "%s\n" "$as_me: linking $ac_source to $ac_file" >&6;} if test ! -r "$ac_source"; then as_fn_error $? "$ac_source: file not found" "$LINENO" 5 fi rm -f "$ac_file" # Try a relative symlink, then a hard link, then a copy. case $ac_source in [\\/$]* | ?:[\\/]* ) ac_rel_source=$ac_source ;; *) ac_rel_source=$ac_top_build_prefix$ac_source ;; esac ln -s "$ac_rel_source" "$ac_file" 2>/dev/null || ln "$ac_source" "$ac_file" 2>/dev/null || cp -p "$ac_source" "$ac_file" || as_fn_error $? "cannot link or copy $ac_source to $ac_file" "$LINENO" 5 fi ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&5 printf "%s\n" "$as_me: summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&6;} nettle-4.0/configure.ac0000644000000000000000000010514215141166424012073 0ustar00dnl -*- mode: shell-script; sh-indentation: 2; -*- dnl Process this file with autoconf to produce a configure script. AC_INIT([nettle], [4.0], [nettle-bugs@lists.lysator.liu.se]) AC_PREREQ([2.69]) AC_CONFIG_SRCDIR([nettle-types.h]) # Needed to stop autoconf from looking for files in parent directories. AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADERS([config.h]) LIBNETTLE_MAJOR=9 LIBNETTLE_MINOR=0 LIBHOGWEED_MAJOR=7 LIBHOGWEED_MINOR=0 dnl Note double square brackets, for extra m4 quoting. MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([[^.]]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[[^.]]*\.\([[0-9]]*\).*/\1/'` AC_SUBST([MAJOR_VERSION]) AC_SUBST([MINOR_VERSION]) AC_CANONICAL_HOST # Command line options AC_ARG_ENABLE(public-key, AS_HELP_STRING([--disable-public-key], [Disable public key algorithms]),, [enable_public_key=yes]) AC_ARG_ENABLE(assembler, AS_HELP_STRING([--disable-assembler], [Disable assembler code]),, [enable_assembler=yes]) AC_ARG_ENABLE(static, AS_HELP_STRING([--disable-static], [Do not build any static library]),, [enable_static=yes]) AC_ARG_ENABLE(shared, AS_HELP_STRING([--disable-shared], [Do not build any shared library]),, [enable_shared=yes]) AC_ARG_ENABLE(pic, AS_HELP_STRING([--disable-pic], [Do not try to compile library files as position independent code]),, [enable_pic=yes]) AC_ARG_ENABLE(openssl, AS_HELP_STRING([--disable-openssl], [Do not include openssl glue in the benchmark program]),, [enable_openssl=yes]) AC_ARG_ENABLE(gcov, AS_HELP_STRING([--enable-gcov], [Instrument for gcov (requires a modern gcc)]),, [enable_gcov=no]) AC_ARG_ENABLE(documentation, AS_HELP_STRING([--disable-documentation], [Omit building and installing the documentation. (default=auto)]),, [enable_documentation=auto]) AC_ARG_ENABLE(fat, AS_HELP_STRING([--disable-fat], [Disable fat library build]),, [enable_fat=yes]) AC_ARG_ENABLE(arm-neon, AS_HELP_STRING([--enable-arm-neon], [Enable ARM Neon assembly. (default=auto)]),, [enable_arm_neon=auto]) AC_ARG_ENABLE(arm64-crypto, AS_HELP_STRING([--enable-arm64-crypto], [Enable Arm64 crypto extension. (default=no)]),, [enable_arm64_crypto=no]) AC_ARG_ENABLE(x86-aesni, AS_HELP_STRING([--enable-x86-aesni], [Enable x86_64 aes instructions. (default=no)]),, [enable_x86_aesni=no]) AC_ARG_ENABLE(x86-sha-ni, AS_HELP_STRING([--enable-x86-sha-ni], [Enable x86_64 sha_ni instructions. (default=no)]),, [enable_x86_sha_ni=no]) AC_ARG_ENABLE(x86-pclmul, AS_HELP_STRING([--enable-x86-pclmul], [Enable x86_64 pclmulqdq instructions. (default=no)]),, [enable_x86_pclmul=no]) AC_ARG_ENABLE(power-crypto-ext, AS_HELP_STRING([--enable-power-crypto-ext], [Enable POWER crypto extensions. (default=no)]),, [enable_power_crypto_ext=no]) AC_ARG_ENABLE(power-altivec, AS_HELP_STRING([--enable-power-altivec], [Enable POWER altivec and vsx extensions. (default=no)]),, [enable_altivec=no]) AC_ARG_ENABLE(power9, AS_HELP_STRING([--enable-power9], [Enable POWER ISA v3.0. (default=no)]),, [enable_power9=no]) AC_ARG_ENABLE(s390x-vf, AS_HELP_STRING([--enable-s390x-vf], [Enable vector facility on z/Architecture. (default=no)]),, [enable_s390x_vf=no]) AC_ARG_ENABLE(s390x-msa, AS_HELP_STRING([--enable-s390x-msa], [Enable message-security assist extensions on z/Architecture. (default=no)]),, [enable_s390x_msa=no]) AC_ARG_ENABLE(extra-asserts, AS_HELP_STRING([--enable-extra-asserts], [Enable additional asserts in ECC code (incompatible side-channel tests)]),, [enable_extra_asserts=no]) AC_ARG_ENABLE(mini-gmp, AS_HELP_STRING([--enable-mini-gmp], [Enable mini-gmp, used instead of libgmp.]),, [enable_mini_gmp=no]) AC_ARG_VAR(ASM_FLAGS, [Extra flags for processing assembly source files]) if test "x$enable_mini_gmp" = xyes ; then NETTLE_USE_MINI_GMP=1 HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;mp_*;" CFLAGS="$CFLAGS -DMINI_GMP_ENABLE_FLOAT=0" else NETTLE_USE_MINI_GMP=0 HOGWEED_EXTRA_SYMBOLS="" fi AC_SUBST([NETTLE_USE_MINI_GMP]) AC_SUBST([HOGWEED_EXTRA_SYMBOLS]) AH_TEMPLATE([WITH_EXTRA_ASSERTS], [Defined to enable additional asserts]) if test "$enable_extra_asserts" = yes ; then AC_DEFINE(WITH_EXTRA_ASSERTS) fi # Checks for programs. AC_PROG_CC NETTLE_CHECK_IFUNC # Used by the testsuite only AC_PROG_CXX AC_LANG_PUSH(C++) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])], [IF_CXX=''], [IF_CXX='#']) AC_SUBST([IF_CXX]) AC_LANG_POP LD_VERSION_SCRIPT AC_PROG_MAKE_SET AC_PROG_RANLIB AC_CHECK_TOOL(NM, nm, strings) # Used only for the GNU-stack configure test. AC_CHECK_TOOL(OBJDUMP, objdump, false) AC_CHECK_TOOL(AR, ar, false) AC_PROG_INSTALL # According to the autoconf manual, needs install-sh from # autoconf-2.60 or automake-1.10 to avoid races. AC_PROG_MKDIR_P AC_PROG_LN_S # Compiler tests for the build system GMP_PROG_CC_FOR_BUILD GMP_PROG_EXEEXT_FOR_BUILD # Check if valgrind is working; expected to fail in cross builds. NETTLE_PROG_VALGRIND LSH_DEPENDENCY_TRACKING if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_C_INLINE AC_TYPE_UID_T AC_TYPE_SIZE_T AC_CHECK_SIZEOF(long) AC_CHECK_SIZEOF(size_t) AC_CHECK_HEADERS([openssl/evp.h openssl/ec.h openssl/rsa.h],, [enable_openssl=no break]) # For use by the testsuite AC_CHECK_HEADERS([valgrind/memcheck.h]) AC_CHECK_HEADERS([dlfcn.h]) AC_CHECK_LIB([dl], [dlopen], [AC_DEFINE([HAVE_LIBDL], 1, [Define to 1 if you have dlopen (with -ldl).])]) LSH_FUNC_ALLOCA # getenv_secure is used for fat overrides, # getline is used in the testsuite AC_CHECK_FUNCS(secure_getenv getline elf_aux_info) ASM_WORDS_BIGENDIAN=unknown AC_C_BIGENDIAN([AC_DEFINE([WORDS_BIGENDIAN], 1) ASM_WORDS_BIGENDIAN=yes], [ASM_WORDS_BIGENDIAN=no]) AC_CACHE_CHECK([for __builtin_bswap64], nettle_cv_c_builtin_bswap64, [AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ uint64_t x = 17; uint64_t y = __builtin_bswap64(x); ]])], [nettle_cv_c_builtin_bswap64=yes], [nettle_cv_c_builtin_bswap64=no])]) AH_TEMPLATE([HAVE_BUILTIN_BSWAP64], [Define if __builtin_bswap64 is available]) if test "x$nettle_cv_c_builtin_bswap64" = "xyes" ; then AC_DEFINE(HAVE_BUILTIN_BSWAP64) fi LSH_GCC_ATTRIBUTES # Check for file locking. We (AC_PROG_CC?) have already checked for # sys/types.h and unistd.h. AC_CACHE_CHECK([for fcntl file locking], nettle_cv_fcntl_locking, [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if HAVE_SYS_TYPES_H # include #endif #if HAVE_UNISTD_H # include #endif #include ]], [[ int op = F_SETLKW; struct flock fl; ]])], [nettle_cv_fcntl_locking=yes], [nettle_cv_fcntl_locking=no])]) AH_TEMPLATE([HAVE_FCNTL_LOCKING], [Define if fcntl file locking is available]) if test "x$nettle_cv_fcntl_locking" = "xyes" ; then AC_DEFINE(HAVE_FCNTL_LOCKING) fi # Checks for libraries if test "x$enable_public_key" = "xyes" ; then if test "x$enable_mini_gmp" = "xno" ; then # mpn_zero_p was added in GMP-6.1.0 AC_CHECK_LIB(gmp, __gmpn_zero_p,, [AC_MSG_WARN( [GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable.])] enable_public_key=no) fi fi nettle_cv_gmp_numb_bits=0 if test "x$enable_public_key" = "xyes" ; then # Check for gmp limb size if test "x$enable_mini_gmp" = "xyes" ; then AC_MSG_CHECKING([for mini-gmp limb size]) # With mini-gmp, mp_limb_t is always unsigned long. AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [(sizeof(unsigned long) * CHAR_BIT)], [#include ], [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) else AC_MSG_CHECKING([for GMP limb size]) AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [GMP_NUMB_BITS], [#include ], [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) fi fi # Substituted in Makefile, passed on to the eccdata command. NUMB_BITS="$nettle_cv_gmp_numb_bits" AC_SUBST([NUMB_BITS]) # Substituted in version.h, used only with mini-gmp. if test "x$enable_mini_gmp" = "xyes" ; then GMP_NUMB_BITS="$NUMB_BITS" else GMP_NUMB_BITS="n/a" fi AC_SUBST([GMP_NUMB_BITS]) # Figure out ABI. Currently, configurable only by setting CFLAGS. ABI=standard ELFV2_ABI=no # For powerpc64 W64_ABI=no # For x86_64 windows case "$host_cpu" in [x86_64 | amd64]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__x86_64__) || defined(__arch64__) #error 64-bit x86 #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *sparc*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__sparcv9) || defined(__arch64__) #error 64-bit sparc #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *mips64*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__mips64) || defined(__mips64__) || (defined(__sgi) && defined(__LP64__)) #error 64-bit mips #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *powerpc64*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__PPC64__) #error 64-bit powerpc #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) if test "$ABI" = 64 ; then AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if _CALL_ELF == 2 #error ELFv2 ABI #endif ]], [[]])], [], [ ELFV2_ABI=yes ]) if test "$enable_assembler" = yes ; then AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__VSX__) #error VSX available #endif ]], [[]])], [ AC_MSG_WARN([VSX instructions (Power7 or later) not available, disabling use of assembly.]) enable_assembler=no ], []) fi fi ;; aarch64*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__aarch64__) #error 64-bit arm #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *s390x*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__s390x__) #error 64-bit s390x #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; esac if test "x$ABI" != xstandard ; then AC_MSG_NOTICE([Compiler uses $ABI-bit ABI. To change, set CC.]) fi OPT_NETTLE_SOURCES="" FAT_OVERRIDE_LIST="" FAT_EMULATE_LIST="" ASM_PPC_WANT_R_REGISTERS="n/a" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in [x86 | i?86* | k[5-8]* | pentium* | athlon]) asm_path=x86 ;; [x86_64 | amd64]) if test "$ABI" = 64 ; then asm_path=x86_64 if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" # For now, not enabling aesni or sha_ni, since at least # the latter appears unavailable on the gitlab test machines. FAT_OVERRIDE_LIST="vendor:intel vendor:amd" else if test "x$enable_x86_aesni" = xyes ; then asm_path="x86_64/aesni $asm_path" fi if test "x$enable_x86_sha_ni" = xyes ; then asm_path="x86_64/sha_ni $asm_path" fi if test "x$enable_x86_pclmul" = xyes ; then asm_path="x86_64/pclmul $asm_path" fi fi else asm_path=x86 fi ;; *sparc*) if test "$ABI" = 64 ; then asm_path=sparc64 fi ;; arm*) asm_path=arm if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="arch:5 arch:6,neon" else case "$host_cpu" in armv6* | armv7*) NETTLE_CHECK_ARM_NEON asm_path="arm/v6 arm" ;; esac if test "x$enable_arm_neon" = xyes ; then asm_path="arm/neon $asm_path" fi fi ;; aarch64*) if test "$ABI" = 64 ; then asm_path=arm64 if test "x$enable_fat" = xyes ; then asm_path="arm64/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm64.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="none aes pmull sha1 sha2" else if test "$enable_arm64_crypto" = yes ; then asm_path="arm64/crypto $asm_path" fi fi else # As far as I understand, Neon instructions are unlikely to be # missing. It may be omitted "only for implementations # targeting specialized markets", to quote the Armv8 reference # manual. asm_path="arm/neon arm/v6 arm" fi ;; *powerpc64*) if test "$ABI" = 64 ; then GMP_ASM_POWERPC_R_REGISTERS asm_path="powerpc64" if test "x$enable_fat" = xyes ; then asm_path="powerpc64/fat $asm_path" OPT_NETTLE_SOURCES="fat-ppc.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="none crypto_ext altivec power9" # No debian support for power7, making it hard to test. FAT_EMULATE_LIST="power8 power9" else if test "$enable_power9" = yes ; then asm_path="powerpc64/p9 $asm_path" fi if test "$enable_power_crypto_ext" = yes ; then asm_path="powerpc64/p8 $asm_path" fi if test "$enable_power_altivec" = yes ; then asm_path="powerpc64/p7 $asm_path" fi fi fi ;; *s390x*) if test "$ABI" = 64 ; then asm_path="s390x" if test "x$enable_fat" = xyes ; then asm_path="s390x/fat $asm_path" OPT_NETTLE_SOURCES="fat-s390x.c $OPT_NETTLE_SOURCES" FAT_OVERRIDE_LIST="none vf msa msa_x1 msa_x2 msa_x4" else if test "$enable_s390x_vf" = yes ; then asm_path="s390x/vf $asm_path" fi if test "$enable_s390x_msa" = yes ; then asm_path="s390x/msa s390x/msa_x1 s390x/msa_x2 s390x/msa_x4 $asm_path" fi fi fi ;; *) enable_assembler=no ;; esac fi # Files which replace a C source file (or otherwise don't correspond # to a new object file). asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ aes-invert-internal.asm \ aes128-set-encrypt-key.asm aes128-set-decrypt-key.asm \ aes128-encrypt.asm aes128-decrypt.asm \ aes192-set-encrypt-key.asm aes192-set-decrypt-key.asm \ aes192-encrypt.asm aes192-decrypt.asm \ aes256-set-encrypt-key.asm aes256-set-decrypt-key.asm \ aes256-encrypt.asm aes256-decrypt.asm \ cbc-aes128-encrypt.asm cbc-aes192-encrypt.asm \ cbc-aes256-encrypt.asm \ camellia-crypt-internal.asm \ memxor.asm memxor3.asm \ ghash-set-key.asm ghash-update.asm \ poly1305-internal.asm \ chacha-core-internal.asm \ salsa20-crypt.asm salsa20-core-internal.asm \ serpent-encrypt.asm serpent-decrypt.asm \ sha1-compress.asm sha256-compress-n.asm sha512-compress.asm \ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. asm_nettle_optional_list="cpuid.asm cpu-facility.asm \ memxor-2.asm memxor3-2.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm aes-invert-internal-2.asm \ aes128-set-encrypt-key-2.asm aes128-set-decrypt-key-2.asm \ aes128-encrypt-2.asm aes128-decrypt-2.asm \ aes192-set-encrypt-key-2.asm aes192-set-decrypt-key-2.asm \ aes192-encrypt-2.asm aes192-decrypt-2.asm \ aes256-set-encrypt-key-2.asm aes256-set-decrypt-key-2.asm \ aes256-encrypt-2.asm aes256-decrypt-2.asm \ cbc-aes128-encrypt-2.asm cbc-aes192-encrypt-2.asm cbc-aes256-encrypt-2.asm \ chacha-2core.asm chacha-3core.asm chacha-4core.asm chacha-core-internal-2.asm \ poly1305-blocks.asm poly1305-internal-2.asm \ ghash-set-key-2.asm ghash-update-2.asm \ gcm-aes-encrypt.asm gcm-aes-encrypt-2.asm \ gcm-aes-decrypt.asm gcm-aes-decrypt-2.asm\ salsa20-2core.asm salsa20-core-internal-2.asm \ sha1-compress-2.asm sha256-compress-n-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then asm_hogweed_optional_list="ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \ ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm \ ecc-curve25519-modp.asm ecc-curve448-modp.asm" fi OPT_NETTLE_OBJS="" OPT_HOGWEED_OBJS="" asm_file_list="" if test "x$enable_assembler" = xyes ; then if test -n "$asm_path"; then AC_MSG_NOTICE([Looking for assembler files in $asm_path.]) for tmp_f in $asm_replace_list ; do for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_f"; then asm_file_list="$asm_file_list $tmp_f" AC_CONFIG_LINKS($tmp_f:$asm_dir/$tmp_f) break fi done done dnl Workaround for AC_CONFIG_LINKS, which complains if we use the dnl same destination argument $tmp_f multiple times. for tmp_n in $asm_nettle_optional_list ; do dnl Note extra pair of [] in sed expression tmp_b=`echo "$tmp_n" | sed 's/\.[[^.]]*$//'` for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_n"; then asm_file_list="$asm_file_list $tmp_n" AC_CONFIG_LINKS($tmp_n:$asm_dir/$tmp_n) while read tmp_func ; do AC_DEFINE_UNQUOTED(HAVE_NATIVE_$tmp_func) eval HAVE_NATIVE_$tmp_func=yes done <conftest.out if grep _a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=yes elif grep a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=no else AC_MSG_WARN([nm does not list a_global_symbol at all]) fi], [AC_MSG_WARN([test program with a single global could not be compiled!?])])]) if test x$nettle_cv_asm_underscore = xyes ; then ASM_SYMBOL_PREFIX='_' fi AC_CACHE_CHECK([for ELF-style .type,%function pseudo-ops], [nettle_cv_asm_type_percent_function], [GMP_TRY_ASSEMBLE([ .text .globl foo .type foo,%function foo: .Lend: .size foo, .Lend - foo ], [nettle_cv_asm_type_percent_function=yes], [nettle_cv_asm_type_percent_function=no])]) dnl Needs double quote for the # character AC_CACHE_CHECK([[for ELF-style .type,#function pseudo-ops]], [nettle_cv_asm_type_hash_function], [GMP_TRY_ASSEMBLE([ .text .globl foo .type foo,#function foo: .Lend: .size foo, .Lend - foo ], [nettle_cv_asm_type_hash_function=yes], [nettle_cv_asm_type_hash_function=no])]) if test x$nettle_cv_asm_type_percent_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='%function' ASM_TYPE_PROGBITS='%progbits' else if test x$nettle_cv_asm_type_hash_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='#function' ASM_TYPE_PROGBITS='#progbits' fi fi AC_CACHE_CHECK([for COFF-style .type directive], [nettle_cv_asm_coff_type], [GMP_TRY_ASSEMBLE([ .text .globl _foo .def _foo .scl 2 .type 32 .endef _foo: ], [nettle_cv_asm_coff_type=yes], [nettle_cv_asm_coff_type=no])]) if test "x$nettle_cv_asm_coff_type" = "xyes" ; then ASM_COFF_STYLE=yes fi AC_CACHE_CHECK([if we should use a .note.GNU-stack section], nettle_cv_asm_gnu_stack, [ # Default nettle_cv_asm_gnu_stack=no cat >conftest.c <&AS_MESSAGE_LOG_FD $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ && nettle_cv_asm_gnu_stack=yes else cat conftest.out >&AS_MESSAGE_LOG_FD echo "configure: failed program was:" >&AS_MESSAGE_LOG_FD cat conftest.s >&AS_MESSAGE_LOG_FD fi rm -f conftest.*]) if test x$nettle_cv_asm_gnu_stack = xyes ; then ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' fi AC_CACHE_CHECK([if .align assembly directive is logarithmic], [nettle_cv_asm_align_log], [GMP_TRY_ASSEMBLE([ .align 3 ], [nettle_cv_asm_align_log=yes], [nettle_cv_asm_align_log=no])]) ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi dnl Define dnl 1. ASM_X86_ENDBR for endbr32/endbr64. dnl 2. ASM_X86_MARK_CET to add a .note.gnu.property section to mark dnl Intel CET support if needed. dnl 3. ASM_X86_MARK_CET_ALIGN to align ASM_X86_MARK_CET. AC_CACHE_CHECK([if Intel CET is enabled], [nettle_cv_asm_x86_intel_cet], [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifndef __CET__ #error Intel CET is not enabled #endif ]], [[]])], [nettle_cv_asm_x86_intel_cet=yes], [nettle_cv_asm_x86_intel_cet=no])]) if test "$nettle_cv_asm_x86_intel_cet" = yes; then case $ABI in 32|standard) ASM_X86_ENDBR=endbr32 ASM_X86_MARK_CET_ALIGN=2 ;; 64) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=3 ;; x32) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=2 ;; esac AC_CACHE_CHECK([if .note.gnu.property section is needed], [nettle_cv_asm_x86_gnu_property], [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if !defined __ELF__ || !defined __CET__ #error GNU property is not needed #endif ]], [[]])], [nettle_cv_asm_x86_gnu_property=yes], [nettle_cv_asm_x86_gnu_property=no])]) else nettle_cv_asm_x86_gnu_property=no fi if test "$nettle_cv_asm_x86_gnu_property" = yes; then ASM_X86_MARK_CET=' .pushsection ".note.gnu.property", "a" .p2align ASM_X86_MARK_CET_ALIGN .long 1f - 0f .long 4f - 1f .long 5 0: .asciz "GNU" 1: .p2align ASM_X86_MARK_CET_ALIGN .long 0xc0000002 .long 3f - 2f 2: .long 3 3: .p2align ASM_X86_MARK_CET_ALIGN 4: .popsection' fi AC_SUBST(ASM_SYMBOL_PREFIX) AC_SUBST(ASM_ELF_STYLE) AC_SUBST(ASM_COFF_STYLE) AC_SUBST(ASM_TYPE_FUNCTION) AC_SUBST(ASM_TYPE_PROGBITS) AC_SUBST(ASM_MARK_NOEXEC_STACK) AC_SUBST(ASM_ALIGN_LOG) AC_SUBST(ELFV2_ABI) AC_SUBST(W64_ABI) AC_SUBST(ASM_WORDS_BIGENDIAN) AC_SUBST(EMULATOR) AC_SUBST(ASM_X86_ENDBR) AC_SUBST(ASM_X86_MARK_CET) AC_SUBST(ASM_X86_MARK_CET_ALIGN) AC_SUBST(LIBNETTLE_MAJOR) AC_SUBST(LIBNETTLE_MINOR) AC_SUBST(LIBNETTLE_FORLINK) AC_SUBST(LIBNETTLE_SONAME) AC_SUBST(LIBNETTLE_FILE) AC_SUBST(LIBNETTLE_FILE_SRC) AC_SUBST(LIBNETTLE_LINK) AC_SUBST(LIBNETTLE_LIBS) AC_SUBST(LIBHOGWEED_MAJOR) AC_SUBST(LIBHOGWEED_MINOR) AC_SUBST(LIBHOGWEED_FORLINK) AC_SUBST(LIBHOGWEED_SONAME) AC_SUBST(LIBHOGWEED_FILE) AC_SUBST(LIBHOGWEED_FILE_SRC) AC_SUBST(LIBHOGWEED_LINK) AC_SUBST(LIBHOGWEED_LIBS) AC_PATH_PROG(M4, m4, m4) AH_TEMPLATE([WITH_HOGWEED], [Defined if public key features are enabled]) if test "x$enable_public_key" = xyes ; then AC_DEFINE(WITH_HOGWEED) IF_HOGWEED='' else IF_HOGWEED='#' fi if test "x$enable_static" = xyes ; then IF_STATIC='' else IF_STATIC='#' fi IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' IF_NOT_SHARED='#' if test "x$ac_cv_lib_dl_dlopen" = xyes ; then IF_DLOPEN_TEST='' fi else IF_SHARED='#' IF_NOT_SHARED='' fi # Documentation tools if test "x$enable_documentation" != "xno"; then AC_PATH_PROG(MAKEINFO, makeinfo, not-found) if test "x$MAKEINFO" != "xnot-found"; then enable_documentation=yes AC_SUBST(MAKEINFO) else if test "x$enable_documentation" == "xauto" ; then enable_documentation=no else AC_MSG_ERROR([Cannot find 'makeinfo', required for documentation.]) fi fi fi if test "x$enable_documentation" = "xyes" ; then IF_DOCUMENTATION='' else IF_DOCUMENTATION='#' fi if test "x$enable_mini_gmp" = "xyes" ; then IF_MINI_GMP='' else IF_MINI_GMP='#' fi AC_SUBST(IF_HOGWEED) AC_SUBST(IF_STATIC) AC_SUBST(IF_SHARED) AC_SUBST(IF_NOT_SHARED) AC_SUBST(IF_DLOPEN_TEST) AC_SUBST(IF_DOCUMENTATION) AC_SUBST(IF_DLL) AC_SUBST(IF_MINI_GMP) OPENSSL_LIBFLAGS='' # Check for openssl's libcrypto (used only for benchmarking) if test x$enable_openssl = xyes ; then AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new, [OPENSSL_LIBFLAGS='-lcrypto'], [enable_openssl=no]) fi if test x$enable_openssl = xyes ; then AC_MSG_CHECKING([if openssl supports the functions used by nettle benchmark programs]) save_LIBS="$LIBS" LIBS="$LIBS $OPENSSL_LIBFLAGS" AC_LINK_IFELSE([AC_LANG_PROGRAM([ #include #include #include ], [ EVP_MD_CTX *cipher_ctx = EVP_CIPHER_CTX_new(); EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_PKEY *rsa_key = EVP_RSA_gen(2048); EVP_PKEY *ec_key = EVP_EC_gen("P-256"); int res = EVP_DigestSignFinal (md_ctx, NULL, NULL); ])], [ AC_MSG_RESULT([yes]) AC_DEFINE([WITH_OPENSSL], 1, [Define if you have openssl libcrypto (used for benchmarking)]) ], [ AC_MSG_RESULT([no]) enable_openssl=no ]) LIBS=$save_LIBS fi AC_SUBST(OPENSSL_LIBFLAGS) AH_BOTTOM( [#if defined(__x86_64__) || defined(__arch64__) # define HAVE_NATIVE_64_BIT 1 #else /* Needs include of before use. */ # define HAVE_NATIVE_64_BIT (SIZEOF_LONG * CHAR_BIT >= 64) #endif ]) # clock_gettime is in librt on *-*-osf5.1 and on glibc, so add -lrt to # BENCH_LIBS if needed. On linux (tested on x86_32, 2.6.26), # clock_getres reports ns accuracy, while in a quick test on osf # clock_getres said only 1 millisecond. old_LIBS="$LIBS" AC_SEARCH_LIBS(clock_gettime, rt, [ AC_DEFINE([HAVE_CLOCK_GETTIME],1,[Define if clock_gettime is available])]) BENCH_LIBS="$LIBS" LIBS="$old_LIBS" AC_SUBST(BENCH_LIBS) # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then CFLAGS="$CFLAGS -ggdb3 -Wall -W -Wno-sign-compare \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" # Don't enable -Wcast-align as it results in tons of warnings in the # DES code. And when using stdio. # Don't enable -Waggregate-return, as that causes warnings for glibc # inttypes.h. fi AC_CONFIG_FILES([config.make config.m4 Makefile version.h]) AC_CONFIG_FILES([tools/Makefile testsuite/Makefile examples/Makefile]) AC_CONFIG_FILES([nettle.pc hogweed.pc libnettle.map libhogweed.map]) AC_OUTPUT AC_MSG_NOTICE([summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} ]) nettle-4.0/ctr-internal.h0000644000000000000000000000320315141166424012353 0ustar00/* ctr-internal.h Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CTR_INTERNAL_H_INCLUDED #define NETTLE_CTR_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Size limit for temporary stack buffers. */ #define CTR_BUFFER_LIMIT 512 /* Fill BUFFER (n blocks) with incrementing CTR values. It would be nice if CTR was always 64-bit aligned, but it isn't when called from ctr_crypt. */ typedef void nettle_fill16_func(uint8_t *ctr, size_t n, union nettle_block16 *buffer); void _nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f, nettle_fill16_func *fill, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src); #endif /* NETTLE_CTR_INTERNAL_H_INCLUDED */ nettle-4.0/ctr.c0000644000000000000000000000771715141166423010551 0ustar00/* ctr.c Cipher counter mode. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "ctr.h" #include "bswap-internal.h" #include "ctr-internal.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" #define MIN(a,b) (((a) < (b)) ? (a) : (b)) static size_t ctr_fill (size_t block_size, uint8_t *ctr, size_t length, uint8_t *buffer) { size_t i; for (i = 0; i + block_size <= length; i += block_size) { memcpy (buffer + i, ctr, block_size); INCREMENT(block_size, ctr); } return i; } static nettle_fill16_func ctr_fill16; #if WORDS_BIGENDIAN static void ctr_fill16(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, lo; size_t i; hi = READ_UINT64(ctr); lo = READ_UINT64(ctr + 8); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = lo; hi += !(++lo); } WRITE_UINT64(ctr, hi); WRITE_UINT64(ctr + 8, lo); } #else /* !WORDS_BIGENDIAN */ static void ctr_fill16(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, lo; size_t i; /* Read hi in native endianness */ hi = LE_READ_UINT64(ctr); lo = READ_UINT64(ctr + 8); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = nettle_bswap64(lo); if (!++lo) hi = nettle_bswap64(nettle_bswap64(hi) + 1); } LE_WRITE_UINT64(ctr, hi); WRITE_UINT64(ctr + 8, lo); } #endif /* !WORDS_BIGENDIAN */ void ctr_crypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src) { if (block_size == 16) { _nettle_ctr_crypt16(ctx, f, ctr_fill16, ctr, length, dst, src); return; } if(src != dst) { size_t filled = ctr_fill (block_size, ctr, length, dst); f(ctx, filled, dst, dst); memxor(dst, src, filled); if (filled < length) { TMP_DECL(block, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(block, block_size); f(ctx, block_size, block, ctr); INCREMENT(block_size, ctr); memxor3(dst + filled, src + filled, block, length - filled); } } else { /* For in-place CTR, construct a buffer of consecutive counter values, of size at most CTR_BUFFER_LIMIT. */ TMP_DECL(buffer, uint8_t, CTR_BUFFER_LIMIT); size_t buffer_size; if (length < block_size) buffer_size = block_size; else if (length <= CTR_BUFFER_LIMIT) buffer_size = length; else buffer_size = CTR_BUFFER_LIMIT; TMP_ALLOC(buffer, buffer_size); while (length >= block_size) { size_t filled = ctr_fill (block_size, ctr, MIN(buffer_size, length), buffer); assert (filled > 0); f(ctx, filled, buffer, buffer); memxor(dst, buffer, filled); length -= filled; dst += filled; } /* Final, possibly partial, block. */ if (length > 0) { f(ctx, block_size, buffer, ctr); INCREMENT(block_size, ctr); memxor(dst, buffer, length); } } } nettle-4.0/ctr.h0000644000000000000000000000365015141166424010547 0ustar00/* ctr.h Counter mode, using an network byte order incremented counter, matching the testcases of NIST 800-38A. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CTR_H_INCLUDED #define NETTLE_CTR_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ctr_crypt nettle_ctr_crypt void ctr_crypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src); #define CTR_CTX(type, size) \ { type ctx; uint8_t ctr[size]; } #define CTR_SET_COUNTER(ctx, data) \ memcpy((ctx)->ctr, (data), sizeof((ctx)->ctr)) #define CTR_CRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : ctr_crypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->ctr), (self)->ctr, \ (length), (dst), (src))) #ifdef __cplusplus } #endif #endif /* NETTLE_CTR_H_INCLUDED */ nettle-4.0/ctr16.c0000644000000000000000000000562715141166423010716 0ustar00/* ctr16.c Cipher counter mode, optimized for 16-byte blocks. Copyright (C) 2005-2018 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ctr.h" #include "ctr-internal.h" #include "memxor.h" #include "nettle-internal.h" #define MIN(a,b) (((a) < (b)) ? (a) : (b)) void _nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f, nettle_fill16_func *fill, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src) { if (dst != src && !((uintptr_t) dst % alignof(union nettle_block16))) { size_t blocks = length / 16u; size_t done; fill (ctr, blocks, (union nettle_block16 *) dst); done = blocks * 16; f(ctx, done, dst, dst); memxor (dst, src, done); length -= done; if (length > 0) { /* Left-over partial block */ union nettle_block16 block; dst += done; src += done; assert (length < 16); /* Use fill, to update ctr value in the same way in all cases. */ fill (ctr, 1, &block); f (ctx, 16, block.b, block.b); memxor3 (dst, src, block.b, length); } } else { /* Construct an aligned buffer of consecutive counter values, of size at most CTR_BUFFER_LIMIT. */ TMP_DECL(buffer, union nettle_block16, CTR_BUFFER_LIMIT / 16); size_t blocks = (length + 15) / 16u; size_t i; TMP_ALLOC(buffer, MIN(blocks, CTR_BUFFER_LIMIT / 16)); for (i = 0; blocks >= CTR_BUFFER_LIMIT / 16; i += CTR_BUFFER_LIMIT, blocks -= CTR_BUFFER_LIMIT / 16) { fill (ctr, CTR_BUFFER_LIMIT / 16, buffer); f(ctx, CTR_BUFFER_LIMIT, buffer->b, buffer->b); if (length - i < CTR_BUFFER_LIMIT) goto done; memxor3 (dst + i, src + i, buffer->b, CTR_BUFFER_LIMIT); } if (blocks > 0) { assert (length - i < CTR_BUFFER_LIMIT); fill (ctr, blocks, buffer); f(ctx, blocks * 16, buffer->b, buffer->b); done: memxor3 (dst + i, src + i, buffer->b, length - i); } } } nettle-4.0/curve25519-eh-to-x.c0000644000000000000000000000430215141166424012756 0ustar00/* curve25519-x.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Transform a point on the twisted Edwards curve to the curve25519 Montgomery curve, and return the x coordinate. */ void curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) { #define vp (p + ecc->p.size) #define wp (p + 2*ecc->p.size) #define t0 scratch #define t1 (scratch + ecc->p.size) #define tp (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve25519; /* If u = U/W and v = V/W are the coordinates of the point on the Edwards curve we get the curve25519 x coordinate as x = (1+v) / (1-v) = (W + V) / (W - V) */ /* NOTE: For the infinity point, this subtraction gives zero (mod p), which isn't invertible. For curve25519, the desired output is x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0 in this case. */ ecc_mod_sub (&ecc->p, t0, wp, vp); /* Needs a total of 6*size storage. */ ecc->p.invert (&ecc->p, t1, t0, tp); ecc_mod_add (&ecc->p, t0, wp, vp); ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, tp); #undef vp #undef wp #undef t0 #undef t1 #undef tp } nettle-4.0/curve25519-mul-g.c0000644000000000000000000000367015141166424012525 0ustar00/* curve25519-mul-g.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult_base. */ void curve25519_mul_g (uint8_t *r, const uint8_t *n) { const struct ecc_curve *ecc = &_nettle_curve25519; uint8_t t[CURVE25519_SIZE]; mp_limb_t *scratch; mp_size_t itch; #define ng scratch #define x (scratch + 3*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) memcpy (t, n, sizeof(t)); t[0] &= ~7; t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40; itch = 4*ecc->p.size + ecc->mul_g_itch; scratch = gmp_alloc_limbs (itch); mpn_set_base256_le (x, ecc->p.size, t, CURVE25519_SIZE); ecc_mul_g_eh (ecc, ng, x, scratch_out); curve25519_eh_to_x (x, ng, scratch_out); mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->p.size); gmp_free_limbs (scratch, itch); #undef p #undef x #undef scratch_out } nettle-4.0/curve25519-mul.c0000644000000000000000000000352215141166424012275 0ustar00/* curve25519-mul.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult. */ void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) { const struct ecc_modulo *m = &_nettle_curve25519.p; mp_size_t itch; mp_limb_t *x; itch = m->size + ECC_MUL_M_ITCH(m->size); x = gmp_alloc_limbs (itch); /* Note that 255 % GMP_NUMB_BITS == 0 isn't supported, so x always holds at least 256 bits. */ mpn_set_base256_le (x, m->size, p, CURVE25519_SIZE); /* Clear bit 255, as required by RFC 7748. */ x[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS)); ecc_mul_m (m, 121665, 3, 253, x, n, x, x + m->size); mpn_get_base256_le (q, CURVE25519_SIZE, x, m->size); gmp_free_limbs (x, itch); } nettle-4.0/curve25519.h0000644000000000000000000000304115141166424011503 0ustar00/* curve25519.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CURVE25519_H #define NETTLE_CURVE25519_H #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define curve25519_mul_g nettle_curve25519_mul_g #define curve25519_mul nettle_curve25519_mul #define CURVE25519_SIZE 32 /* Indicates that curve25519_mul conforms to RFC 7748. */ #define NETTLE_CURVE25519_RFC7748 1 void curve25519_mul_g (uint8_t *q, const uint8_t *n); void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); #ifdef __cplusplus } #endif #endif /* NETTLE_CURVE25519_H */ nettle-4.0/curve448-eh-to-x.c0000644000000000000000000000360615141166424012616 0ustar00/* curve448-eh-to-x.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve448.h" #include "ecc.h" #include "ecc-internal.h" /* Transform a point on the edwards448 Edwards curve to the curve448 Montgomery curve, and return the x coordinate. */ void curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) { #define up p #define vp (p + ecc->p.size) #define t0 scratch #define tp (scratch + ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve448; /* If u = U/W and v = V/W are the coordinates of the point on edwards448 we get the curve448 x coordinate as x = v^2 / u^2 = (V/W)^2 / (U/W)^2 = (V/U)^2 */ /* Needs a total of 5*size storage. */ ecc->p.invert (&ecc->p, t0, up, tp); ecc_mod_mul (&ecc->p, t0, t0, vp, tp); ecc_mod_sqr_canonical (&ecc->p, xp, t0, tp); #undef up #undef vp #undef t0 #undef tp } nettle-4.0/curve448-mul-g.c0000644000000000000000000000370415141166424012355 0ustar00/* curve448-mul-g.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve448.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult_base. */ void curve448_mul_g (uint8_t *r, const uint8_t *n) { const struct ecc_curve *ecc = &_nettle_curve448; uint8_t t[CURVE448_SIZE]; mp_limb_t *scratch; mp_size_t itch; #define ng scratch #define x (scratch + 3*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) memcpy (t, n, sizeof(t)); t[0] &= ~3; t[CURVE448_SIZE-1] = (t[CURVE448_SIZE-1] & 0x7f) | 0x80; itch = 5*ecc->p.size + ecc->mul_g_itch; scratch = gmp_alloc_limbs (itch); mpn_set_base256_le (x, ecc->p.size, t, CURVE448_SIZE); ecc_mul_g_eh (ecc, ng, x, scratch_out); curve448_eh_to_x (x, ng, scratch_out); mpn_get_base256_le (r, CURVE448_SIZE, x, ecc->p.size); gmp_free_limbs (scratch, itch); #undef ng #undef x #undef scratch_out } nettle-4.0/curve448-mul.c0000644000000000000000000000323615141166424012131 0ustar00/* curve448-mul.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "curve448.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult. */ void curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) { const struct ecc_modulo *m = &_nettle_curve448.p; mp_size_t itch; mp_limb_t *x; itch = m->size + ECC_MUL_M_ITCH(m->size); x = gmp_alloc_limbs (itch); mpn_set_base256_le (x, m->size, p, CURVE448_SIZE); ecc_mul_m (m, 39081, 2, 446, x, n, x, x + m->size); mpn_get_base256_le (q, CURVE448_SIZE, x, m->size); gmp_free_limbs (x, itch); } nettle-4.0/curve448.h0000644000000000000000000000271515141166424011344 0ustar00/* curve448.h Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CURVE448_H #define NETTLE_CURVE448_H #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define curve448_mul_g nettle_curve448_mul_g #define curve448_mul nettle_curve448_mul #define CURVE448_SIZE 56 void curve448_mul_g (uint8_t *q, const uint8_t *n); void curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); #ifdef __cplusplus } #endif #endif /* NETTLE_CURVE448_H */ nettle-4.0/der-iterator.c0000644000000000000000000001576215141166424012362 0ustar00/* der-iterator.c Parsing of ASN.1 DER encoded objects. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "bignum.h" #include "asn1.h" #include "macros.h" /* Basic DER syntax: (reference: A Layman's Guide to a Subset of ASN.1, BER, and DER, http://luca.ntop.org/Teaching/Appunti/asn1.html) The DER header contains a tag and a length. First, the tag. cls is the class number, c is one if the object is "constructed" and zero if it is primitive. The tag is represented either using a single byte, 7 6 5 4 3 2 1 0 _____________________ |_cls_|_c_|_______tag_| 0 <= tag <= 30 or multiple bytes 7 6 5 4 3 2 1 0 _____________________ |_cls_|_c_|_1_1_1_1_1_| followed by the real tag number, in base 128, with all but the final byte having the most significant bit set. The tag must be represented with as few bytes as possible. High tag numbers are currently *not* supported. Next, the length, either a single byte with the most significant bit clear, or 7 6 5 4 3 2 1 0 _________________ |_1_|___________k_| followed by k additional bytes that give the length, in network byte order. The length must be encoded using as few bytes as possible, and k = 0 is reserved for the "indefinite length form" which is not supported. After the length comes the contets. For primitive objects (c == 0), it's depends on the type. For constructed objects, it's a concatenation of the DER encodings of zero or more other objects. */ enum { TAG_MASK = 0x1f, CLASS_MASK = 0xc0, CONSTRUCTED_MASK = 0x20, }; /* Initializes the iterator, but one has to call next to get to the * first element. */ static void asn1_der_iterator_init(struct asn1_der_iterator *iterator, size_t length, const uint8_t *input) { iterator->buffer_length = length; iterator->buffer = input; iterator->pos = 0; iterator->type = 0; iterator->length = 0; iterator->data = NULL; } #define LEFT(i) ((i)->buffer_length - (i)->pos) #define NEXT(i) ((i)->buffer[(i)->pos++]) /* Gets type and length of the next object. */ enum asn1_iterator_result asn1_der_iterator_next(struct asn1_der_iterator *i) { uint8_t tag; if (!LEFT(i)) return ASN1_ITERATOR_END; tag = NEXT(i); if (!LEFT(i)) return ASN1_ITERATOR_ERROR; if ( (tag & TAG_MASK) == TAG_MASK) { /* FIXME: Long tags not supported */ return ASN1_ITERATOR_ERROR; } i->length = NEXT(i); if (i->length & 0x80) { unsigned k = i->length & 0x7f; unsigned j; const uint8_t *data = i->buffer + i->pos; if (k == 0) /* Indefinite encoding. Not supported. */ return ASN1_ITERATOR_ERROR; if (LEFT(i) < k) return ASN1_ITERATOR_ERROR; if (k > sizeof(i->length)) return ASN1_ITERATOR_ERROR; i->pos += k; i->length = data[0]; if (i->length == 0 || (k == 1 && i->length < 0x80)) return ASN1_ITERATOR_ERROR; for (j = 1; j < k; j++) i->length = (i->length << 8) | data[j]; } if (LEFT(i) < i->length) return ASN1_ITERATOR_ERROR; i->data = i->buffer + i->pos; i->pos += i->length; i->type = tag & TAG_MASK; i->type |= (tag & CLASS_MASK) << (ASN1_CLASS_SHIFT - 6); if (tag & CONSTRUCTED_MASK) { i->type |= ASN1_TYPE_CONSTRUCTED; return ASN1_ITERATOR_CONSTRUCTED; } else return ASN1_ITERATOR_PRIMITIVE; } enum asn1_iterator_result asn1_der_iterator_first(struct asn1_der_iterator *i, size_t length, const uint8_t *input) { asn1_der_iterator_init(i, length, input); return asn1_der_iterator_next(i); } enum asn1_iterator_result asn1_der_decode_constructed(struct asn1_der_iterator *i, struct asn1_der_iterator *contents) { assert(i->type & ASN1_TYPE_CONSTRUCTED); return asn1_der_iterator_first(contents, i->length, i->data); } enum asn1_iterator_result asn1_der_decode_constructed_last(struct asn1_der_iterator *i) { if (LEFT(i) > 0) return ASN1_ITERATOR_ERROR; return asn1_der_decode_constructed(i, i); } /* Decoding a DER object which is wrapped in a bit string. */ enum asn1_iterator_result asn1_der_decode_bitstring(struct asn1_der_iterator *i, struct asn1_der_iterator *contents) { assert(i->type == ASN1_BITSTRING); /* First byte is the number of padding bits, which must be zero. */ if (i->length == 0 || i->data[0] != 0) return ASN1_ITERATOR_ERROR; return asn1_der_iterator_first(contents, i->length - 1, i->data + 1); } enum asn1_iterator_result asn1_der_decode_bitstring_last(struct asn1_der_iterator *i) { if (LEFT(i) > 0) return ASN1_ITERATOR_ERROR; return asn1_der_decode_bitstring(i, i); } int asn1_der_get_uint32(struct asn1_der_iterator *i, uint32_t *x) { /* Big endian, two's complement, minimum number of octets (except 0, which is encoded as a single octet */ uint32_t value = 0; size_t length = i->length; unsigned k; if (!length || length > 5) return 0; if (i->data[length - 1] >= 0x80) /* Signed number */ return 0; if (length > 1 && i->data[length -1] == 0 && i->data[length -2] < 0x80) /* Non-minimal number of digits */ return 0; if (length == 5) { if (i->data[4]) return 0; length--; } for (value = k = 0; k < length; k++) value = (value << 8) | i->data[k]; *x = value; return 1; } /* NOTE: This is the only function in this file which needs bignums. One could split this file in two, one in libnettle and one in libhogweed. */ int asn1_der_get_bignum(struct asn1_der_iterator *i, mpz_t x, unsigned max_bits) { if (i->length > 1 && ((i->data[0] == 0 && i->data[1] < 0x80) || (i->data[0] == 0xff && i->data[1] >= 0x80))) /* Non-minimal number of digits */ return 0; /* Allow some extra here, for leading sign octets. */ if (max_bits && (8 * i->length > (16 + max_bits))) return 0; nettle_mpz_set_str_256_s(x, i->length, i->data); /* FIXME: How to interpret a max_bits for negative numbers? */ if (max_bits && mpz_sizeinbase(x, 2) > max_bits) return 0; return 1; } nettle-4.0/der2dsa.c0000644000000000000000000000767415141166424011310 0ustar00/* der2dsa.c Decoding of DSA keys in OpenSSL and X.509.1 format. Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "bignum.h" #include "asn1.h" #define GET(i, x, l) \ (asn1_der_iterator_next((i)) == ASN1_ITERATOR_PRIMITIVE \ && (i)->type == ASN1_INTEGER \ && asn1_der_get_bignum((i), (x), (l)) \ && mpz_sgn((x)) > 0) /* If q_bits > 0, q is required to be of exactly this size. */ int dsa_params_from_der_iterator(struct dsa_params *params, unsigned max_bits, unsigned q_bits, struct asn1_der_iterator *i) { /* Dss-Parms ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER } */ if (i->type == ASN1_INTEGER && asn1_der_get_bignum(i, params->p, max_bits) && mpz_sgn(params->p) > 0) { unsigned p_bits = mpz_sizeinbase (params->p, 2); return (GET(i, params->q, q_bits ? q_bits : p_bits) && (q_bits == 0 || mpz_sizeinbase(params->q, 2) == q_bits) && mpz_cmp (params->q, params->p) < 0 && GET(i, params->g, p_bits) && mpz_cmp (params->g, params->p) < 0 && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } else return 0; } int dsa_public_key_from_der_iterator(const struct dsa_params *params, mpz_t pub, struct asn1_der_iterator *i) { /* DSAPublicKey ::= INTEGER */ return (i->type == ASN1_INTEGER && asn1_der_get_bignum(i, pub, mpz_sizeinbase (params->p, 2)) && mpz_sgn(pub) > 0 && mpz_cmp(pub, params->p) < 0); } int dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, struct asn1_der_iterator *i) { /* DSAPrivateKey ::= SEQUENCE { version Version, p INTEGER, q INTEGER, g INTEGER, pub_key INTEGER, -- y priv_key INTEGER, -- x } */ uint32_t version; if (i->type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && i->type == ASN1_INTEGER && asn1_der_get_uint32(i, &version) && version == 0 && GET(i, params->p, p_max_bits)) { unsigned p_bits = mpz_sizeinbase (params->p, 2); return (GET(i, params->q, DSA_SHA1_Q_BITS) && GET(i, params->g, p_bits) && mpz_cmp (params->g, params->p) < 0 && GET(i, pub, p_bits) && mpz_cmp (pub, params->p) < 0 && GET(i, priv, DSA_SHA1_Q_BITS) && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } else return 0; } int dsa_openssl_private_key_from_der(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; res = asn1_der_iterator_first(&i, length, data); return (res == ASN1_ITERATOR_CONSTRUCTED && dsa_openssl_private_key_from_der_iterator(params, pub, priv, p_max_bits, &i)); } nettle-4.0/der2rsa.c0000644000000000000000000000740415141166424011315 0ustar00/* der2rsa.c Decoding of keys in PKCS#1 format. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" #include "asn1.h" #define GET(i, x, l) \ (asn1_der_iterator_next((i)) == ASN1_ITERATOR_PRIMITIVE \ && (i)->type == ASN1_INTEGER \ && asn1_der_get_bignum((i), (x), (l)) \ && mpz_sgn((x)) > 0) int rsa_public_key_from_der_iterator(struct rsa_public_key *pub, unsigned limit, struct asn1_der_iterator *i) { /* RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicExponent INTEGER -- e } */ return (i->type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && asn1_der_get_bignum(i, pub->n, limit) && mpz_sgn(pub->n) > 0 && GET(i, pub->e, limit) && asn1_der_iterator_next(i) == ASN1_ITERATOR_END && rsa_public_key_prepare(pub)); } int rsa_private_key_from_der_iterator(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct asn1_der_iterator *i) { /* RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL } */ uint32_t version; if (i->type != ASN1_SEQUENCE) return 0; if (asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && i->type == ASN1_INTEGER && asn1_der_get_uint32(i, &version) && version <= 1 && GET(i, pub->n, limit) && GET(i, pub->e, limit) && rsa_public_key_prepare(pub) && GET(i, priv->d, limit) && GET(i, priv->p, limit) && GET(i, priv->q, limit) && GET(i, priv->a, limit) && GET(i, priv->b, limit) && GET(i, priv->c, limit) && rsa_private_key_prepare(priv)) { if (version == 1) { /* otherPrimeInfos must be present. We ignore the contents */ if (!(asn1_der_iterator_next(i) == ASN1_ITERATOR_CONSTRUCTED && i->type == ASN1_SEQUENCE)) return 0; } return (asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } return 0; } int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; res = asn1_der_iterator_first(&i, length, data); if (res != ASN1_ITERATOR_CONSTRUCTED) return 0; if (priv) return rsa_private_key_from_der_iterator(pub, priv, limit, &i); else return rsa_public_key_from_der_iterator(pub, limit, &i); } nettle-4.0/des.c0000644000000000000000000001653515141166423010532 0ustar00/* des.c The des block cipher. Copyright (C) 2001, 2010 Niels Möller Copyright (C) 1992 Dana L. How This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "des.h" #include "desCode.h" /* various tables */ static const uint32_t des_keymap[] = { #include "keymap.h" }; static const uint8_t rotors[] = { #include "rotors.h" }; static ENCRYPT(DesSmallFipsEncrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS) static DECRYPT(DesSmallFipsDecrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS) /* If parity bits are used, keys should have odd parity. We use a small table, to not waste any memory on this fairly obscure DES feature. */ static const unsigned parity_16[16] = { 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0 }; #define PARITY(x) (parity_16[(x)&0xf] ^ parity_16[((x)>>4) & 0xf]) int des_check_parity(size_t length, const uint8_t *key) { size_t i; for (i = 0; i> 1; int8_t k1 = key[1] >> 1; unsigned hash = asso_values[k1 + 1] + asso_values[k0]; const int8_t *candidate; if (hash > 25) return 0; candidate = weak_key_hash[hash]; if (k0 != candidate[0] || k1 != candidate[1]) return 0; if ( (key[2] >> 1) != k0 || (key[3] >> 1) != k1) return 0; k0 = key[4] >> 1; k1 = key[5] >> 1; if (k0 != candidate[2] || k1 != candidate[3]) return 0; if ( (key[6] >> 1) != k0 || (key[7] >> 1) != k1) return 0; return 1; } int des_set_key(struct des_ctx *ctx, const uint8_t *key) { register uint32_t n, w; register char * b0, * b1; char bits0[56], bits1[56]; uint32_t *method; const uint8_t *k; /* explode the bits */ n = 56; b0 = bits0; b1 = bits1; k = key; do { w = (256 | *k++) << 2; do { --n; b1[n] = 8 & w; w >>= 1; b0[n] = 4 & w; } while ( w >= 16 ); } while ( n ); /* put the bits in the correct places */ n = 16; k = rotors; method = ctx->key; do { w = (b1[k[ 0 ]] | b0[k[ 1 ]]) << 4; w |= (b1[k[ 2 ]] | b0[k[ 3 ]]) << 2; w |= b1[k[ 4 ]] | b0[k[ 5 ]]; w <<= 8; w |= (b1[k[ 6 ]] | b0[k[ 7 ]]) << 4; w |= (b1[k[ 8 ]] | b0[k[ 9 ]]) << 2; w |= b1[k[10 ]] | b0[k[11 ]]; w <<= 8; w |= (b1[k[12 ]] | b0[k[13 ]]) << 4; w |= (b1[k[14 ]] | b0[k[15 ]]) << 2; w |= b1[k[16 ]] | b0[k[17 ]]; w <<= 8; w |= (b1[k[18 ]] | b0[k[19 ]]) << 4; w |= (b1[k[20 ]] | b0[k[21 ]]) << 2; w |= b1[k[22 ]] | b0[k[23 ]]; method[0] = w; w = (b1[k[ 0+24]] | b0[k[ 1+24]]) << 4; w |= (b1[k[ 2+24]] | b0[k[ 3+24]]) << 2; w |= b1[k[ 4+24]] | b0[k[ 5+24]]; w <<= 8; w |= (b1[k[ 6+24]] | b0[k[ 7+24]]) << 4; w |= (b1[k[ 8+24]] | b0[k[ 9+24]]) << 2; w |= b1[k[10+24]] | b0[k[11+24]]; w <<= 8; w |= (b1[k[12+24]] | b0[k[13+24]]) << 4; w |= (b1[k[14+24]] | b0[k[15+24]]) << 2; w |= b1[k[16+24]] | b0[k[17+24]]; w <<= 8; w |= (b1[k[18+24]] | b0[k[19+24]]) << 4; w |= (b1[k[20+24]] | b0[k[21+24]]) << 2; w |= b1[k[22+24]] | b0[k[23+24]]; ROR(w, 4, 28); /* could be eliminated */ method[1] = w; k += 48; method += 2; } while ( --n ); return !des_weak_p (key); } void des_encrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % DES_BLOCK_SIZE)); while (length) { DesSmallFipsEncrypt(dst, ctx->key, src); length -= DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; } } void des_decrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % DES_BLOCK_SIZE)); while (length) { DesSmallFipsDecrypt(dst, ctx->key, src); length -= DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; } } nettle-4.0/des.h0000644000000000000000000000555215141166424010535 0ustar00/* des.h The des block cipher. And triple des. Copyright (C) 1992 Dana L. How Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `../lib/descore.README' for the complete copyright * notice. * * Slightly edited by Niels Möller, 1997 */ #ifndef NETTLE_DES_H_INCLUDED #define NETTLE_DES_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define des_set_key nettle_des_set_key #define des_encrypt nettle_des_encrypt #define des_decrypt nettle_des_decrypt #define des_check_parity nettle_des_check_parity #define des_fix_parity nettle_des_fix_parity #define des3_set_key nettle_des3_set_key #define des3_encrypt nettle_des3_encrypt #define des3_decrypt nettle_des3_decrypt #define DES_KEY_SIZE 8 #define DES_BLOCK_SIZE 8 /* Expanded key length */ #define _DES_KEY_LENGTH 32 struct des_ctx { uint32_t key[_DES_KEY_LENGTH]; }; /* Returns 1 for good keys and 0 for weak keys. */ int des_set_key(struct des_ctx *ctx, const uint8_t *key); void des_encrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void des_decrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); int des_check_parity(size_t length, const uint8_t *key); void des_fix_parity(size_t length, uint8_t *dst, const uint8_t *src); #define DES3_KEY_SIZE 24 #define DES3_BLOCK_SIZE DES_BLOCK_SIZE struct des3_ctx { struct des_ctx des[3]; }; /* Returns 1 for good keys and 0 for weak keys. */ int des3_set_key(struct des3_ctx *ctx, const uint8_t *key); void des3_encrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void des3_decrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_DES_H_INCLUDED */ nettle-4.0/des3.c0000644000000000000000000000415515141166423010610 0ustar00/* des3.c Triple DES cipher. Three key encrypt-decrypt-encrypt. Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "des.h" /* It's possible to make some more general pipe construction, like the * lsh/src/cascade.c, but as in practice it's never used for anything * like triple DES, it's not worth the effort. */ /* Returns 1 for good keys and 0 for weak keys. */ int des3_set_key(struct des3_ctx *ctx, const uint8_t *key) { unsigned i; int is_good = 1; for (i = 0; i<3; i++, key += DES_KEY_SIZE) if (!des_set_key(&ctx->des[i], key)) is_good = 0; return is_good; } void des3_encrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { des_encrypt(&ctx->des[0], length, dst, src); des_decrypt(&ctx->des[1], length, dst, dst); des_encrypt(&ctx->des[2], length, dst, dst); } void des3_decrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { des_decrypt(&ctx->des[2], length, dst, src); des_encrypt(&ctx->des[1], length, dst, dst); des_decrypt(&ctx->des[0], length, dst, dst); } nettle-4.0/desCode.h0000644000000000000000000002560615141166424011332 0ustar00/* desCode.h * */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ #include "des.h" /* optional customization: * the idea here is to alter the code so it will still run correctly * on any machine, but the quickest on the specific machine in mind. * note that these silly tweaks can give you a 15%-20% speed improvement * on the sparc -- it's probably even more significant on the 68000. */ /* take care of machines with incredibly few registers */ #if defined(i386) #define REGISTER /* only x, y, z will be declared register */ #else #define REGISTER register #endif /* i386 */ /* is auto inc/dec faster than 7bit unsigned indexing? */ #if defined(vax) || defined(mc68000) #define FIXR r += 32; #define FIXS s += 8; #define PREV(v,o) *--v #define NEXT(v,o) *v++ #else #define FIXR #define FIXS #define PREV(v,o) v[o] #define NEXT(v,o) v[o] #endif /* if no machine type, default is indexing, 6 registers and cheap literals */ #if !defined(i386) && !defined(vax) && !defined(mc68000) && !defined(sparc) #define vax #endif /* handle a compiler which can't reallocate registers */ /* The BYTE type is used as parameter for the encrypt/decrypt functions. * It's pretty bad to have the function prototypes depend on * a macro definition that the users of the function doesn't * know about. /Niels */ #if 0 /* didn't feel like deleting */ #define SREGFREE ; s = (uint8_t *) D #define DEST s #define D m0 #define BYTE uint32_t #else #define SREGFREE #define DEST d #define D d #define BYTE uint8_t #endif /* handle constants in the optimal way for 386 & vax */ /* 386: we declare 3 register variables (see above) and use 3 more variables; * vax: we use 6 variables, all declared register; * we assume address literals are cheap & unrestricted; * we assume immediate constants are cheap & unrestricted. */ #if defined(i386) || defined(vax) #define MQ0 des_bigmap #define MQ1 (des_bigmap + 64) #define MQ2 (des_bigmap + 128) #define MQ3 (des_bigmap + 192) #define HQ0(z) /* z |= 0x01000000L; */ #define HQ2(z) /* z |= 0x03000200L; */ #define LQ0(z) 0xFCFC & z #define LQ1(z) 0xFCFC & z #define LQ2(z) 0xFCFC & z #define LQ3(z) 0xFCFC & z #define SQ 16 #define MS0 des_keymap #define MS1 (des_keymap + 64) #define MS2 (des_keymap + 128) #define MS3 (des_keymap + 192) #define MS4 (des_keymap + 256) #define MS5 (des_keymap + 320) #define MS6 (des_keymap + 384) #define MS7 (des_keymap + 448) #define HS(z) #define LS0(z) 0xFC & z #define LS1(z) 0xFC & z #define LS2(z) 0xFC & z #define LS3(z) 0xFC & z #define REGQUICK #define SETQUICK #define REGSMALL #define SETSMALL #endif /* defined(i386) || defined(vax) */ /* handle constants in the optimal way for mc68000 */ /* in addition to the core 6 variables, we declare 3 registers holding constants * and 4 registers holding address literals. * at most 6 data values and 5 address values are actively used at once. * we assume address literals are so expensive we never use them; * we assume constant index offsets > 127 are expensive, so they are not used. * we assume all constants are expensive and put them in registers, * including shift counts greater than 8. */ #if defined(mc68000) #define MQ0 m0 #define MQ1 m1 #define MQ2 m2 #define MQ3 m3 #define HQ0(z) #define HQ2(z) #define LQ0(z) k0 & z #define LQ1(z) k0 & z #define LQ2(z) k0 & z #define LQ3(z) k0 & z #define SQ k1 #define MS0 m0 #define MS1 m0 #define MS2 m1 #define MS3 m1 #define MS4 m2 #define MS5 m2 #define MS6 m3 #define MS7 m3 #define HS(z) z |= k0; #define LS0(z) k1 & z #define LS1(z) k2 & z #define LS2(z) k1 & z #define LS3(z) k2 & z #define REGQUICK \ register uint32_t k0, k1; \ register uint32_t *m0, *m1, *m2, *m3; #define SETQUICK \ ; k0 = 0xFCFC \ ; k1 = 16 \ /*k2 = 28 to speed up ROL */ \ ; m0 = des_bigmap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 #define REGSMALL \ register uint32_t k0, k1, k2; \ register uint32_t *m0, *m1, *m2, *m3; #define SETSMALL \ ; k0 = 0x01000100L \ ; k1 = 0x0FC \ ; k2 = 0x1FC \ ; m0 = des_keymap \ ; m1 = m0 + 128 \ ; m2 = m1 + 128 \ ; m3 = m2 + 128 #endif /* defined(mc68000) */ /* handle constants in the optimal way for sparc */ /* in addition to the core 6 variables, we either declare: * 4 registers holding address literals and 1 register holding a constant, or * 8 registers holding address literals. * up to 14 register variables are declared (sparc has %i0-%i5, %l0-%l7). * we assume address literals are so expensive we never use them; * we assume any constant with >10 bits is expensive and put it in a register, * and any other is cheap and is coded in-line. */ #if defined(sparc) #define MQ0 m0 #define MQ1 m1 #define MQ2 m2 #define MQ3 m3 #define HQ0(z) #define HQ2(z) #define LQ0(z) k0 & z #define LQ1(z) k0 & z #define LQ2(z) k0 & z #define LQ3(z) k0 & z #define SQ 16 #define MS0 m0 #define MS1 m1 #define MS2 m2 #define MS3 m3 #define MS4 m4 #define MS5 m5 #define MS6 m6 #define MS7 m7 #define HS(z) #define LS0(z) 0xFC & z #define LS1(z) 0xFC & z #define LS2(z) 0xFC & z #define LS3(z) 0xFC & z #define REGQUICK \ register uint32_t k0; \ register uint32_t *m0, *m1, *m2, *m3; #define SETQUICK \ ; k0 = 0xFCFC \ ; m0 = des_bigmap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 #define REGSMALL \ register uint32_t *m0, *m1, *m2, *m3, *m4, *m5, *m6, *m7; #define SETSMALL \ ; m0 = des_keymap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 \ ; m4 = m3 + 64 \ ; m5 = m4 + 64 \ ; m6 = m5 + 64 \ ; m7 = m6 + 64 #endif /* defined(sparc) */ /* some basic stuff */ /* generate addresses from a base and an index */ /* FIXME: This is used only as *ADD(msi,lsi(z)) or *ADD(mqi,lqi(z)). * Why not use plain indexing instead? /Niels */ #define ADD(b,x) (uint32_t *) ((uint8_t *)b + (x)) /* low level rotate operations */ #define NOP(d,c,o) #define ROL(d,c,o) d = d << c | d >> o #define ROR(d,c,o) d = d >> c | d << o #define ROL1(d) ROL(d, 1, 31) #define ROR1(d) ROR(d, 1, 31) /* elementary swap for doing IP/FP */ #define SWAP(x,y,m,b) \ z = ((x >> b) ^ y) & m; \ x ^= z << b; \ y ^= z /* the following macros contain all the important code fragments */ /* load input data, then setup special registers holding constants */ #define TEMPQUICK(LOAD) \ REGQUICK \ LOAD() \ SETQUICK #define TEMPSMALL(LOAD) \ REGSMALL \ LOAD() \ SETSMALL /* load data */ #define LOADDATA(x,y) \ FIXS \ y = PREV(s, 7); y<<= 8; \ y |= PREV(s, 6); y<<= 8; \ y |= PREV(s, 5); y<<= 8; \ y |= PREV(s, 4); \ x = PREV(s, 3); x<<= 8; \ x |= PREV(s, 2); x<<= 8; \ x |= PREV(s, 1); x<<= 8; \ x |= PREV(s, 0) \ SREGFREE /* load data without initial permutation and put into efficient position */ #define LOADCORE() \ LOADDATA(x, y); \ ROR1(x); \ ROR1(y) /* load data, do the initial permutation and put into efficient position */ #define LOADFIPS() \ LOADDATA(y, x); \ SWAP(x, y, 0x0F0F0F0FL, 004); \ SWAP(y, x, 0x0000FFFFL, 020); \ SWAP(x, y, 0x33333333L, 002); \ SWAP(y, x, 0x00FF00FFL, 010); \ ROR1(x); \ z = (x ^ y) & 0x55555555L; \ y ^= z; \ x ^= z; \ ROR1(y) /* core encryption/decryption operations */ /* S box mapping and P perm */ #define KEYMAPSMALL(x,z,mq0,mq1,hq,lq0,lq1,sq,ms0,ms1,ms2,ms3,hs,ls0,ls1,ls2,ls3)\ hs(z) \ x ^= *ADD(ms3, ls3(z)); \ z>>= 8; \ x ^= *ADD(ms2, ls2(z)); \ z>>= 8; \ x ^= *ADD(ms1, ls1(z)); \ z>>= 8; \ x ^= *ADD(ms0, ls0(z)) /* alternate version: use 64k of tables */ #define KEYMAPQUICK(x,z,mq0,mq1,hq,lq0,lq1,sq,ms0,ms1,ms2,ms3,hs,ls0,ls1,ls2,ls3)\ hq(z) \ x ^= *ADD(mq0, lq0(z)); \ z>>= sq; \ x ^= *ADD(mq1, lq1(z)) /* apply 24 key bits and do the odd s boxes */ #define S7S1(x,y,z,r,m,KEYMAP,LOAD) \ z = LOAD(r, m); \ z ^= y; \ KEYMAP(x,z,MQ0,MQ1,HQ0,LQ0,LQ1,SQ,MS0,MS1,MS2,MS3,HS,LS0,LS1,LS2,LS3) /* apply 24 key bits and do the even s boxes */ #define S6S0(x,y,z,r,m,KEYMAP,LOAD) \ z = LOAD(r, m); \ z ^= y; \ ROL(z, 4, 28); \ KEYMAP(x,z,MQ2,MQ3,HQ2,LQ2,LQ3,SQ,MS4,MS5,MS6,MS7,HS,LS0,LS1,LS2,LS3) /* actual iterations. equivalent except for UPDATE & swapping m and n */ #define ENCR(x,y,z,r,m,n,KEYMAP) \ S7S1(x,y,z,r,m,KEYMAP,NEXT); \ S6S0(x,y,z,r,n,KEYMAP,NEXT) #define DECR(x,y,z,r,m,n,KEYMAP) \ S6S0(x,y,z,r,m,KEYMAP,PREV); \ S7S1(x,y,z,r,n,KEYMAP,PREV) /* write out result in correct byte order */ #define SAVEDATA(x,y) \ NEXT(DEST, 0) = x; x>>= 8; \ NEXT(DEST, 1) = x; x>>= 8; \ NEXT(DEST, 2) = x; x>>= 8; \ NEXT(DEST, 3) = x; \ NEXT(DEST, 4) = y; y>>= 8; \ NEXT(DEST, 5) = y; y>>= 8; \ NEXT(DEST, 6) = y; y>>= 8; \ NEXT(DEST, 7) = y /* write out result */ #define SAVECORE() \ ROL1(x); \ ROL1(y); \ SAVEDATA(y, x) /* do final permutation and write out result */ #define SAVEFIPS() \ ROL1(x); \ z = (x ^ y) & 0x55555555L; \ y ^= z; \ x ^= z; \ ROL1(y); \ SWAP(x, y, 0x00FF00FFL, 010); \ SWAP(y, x, 0x33333333L, 002); \ SWAP(x, y, 0x0000FFFFL, 020); \ SWAP(y, x, 0x0F0F0F0FL, 004); \ SAVEDATA(x, y) /* the following macros contain the encryption/decryption skeletons */ #define ENCRYPT(NAME, TEMP, LOAD, KEYMAP, SAVE) \ \ void \ NAME(REGISTER BYTE *D, \ REGISTER const uint32_t *r, \ REGISTER const uint8_t *s) \ { \ register uint32_t x, y, z; \ \ /* declare temps & load data */ \ TEMP(LOAD); \ \ /* do the 16 iterations */ \ ENCR(x,y,z,r, 0, 1,KEYMAP); \ ENCR(y,x,z,r, 2, 3,KEYMAP); \ ENCR(x,y,z,r, 4, 5,KEYMAP); \ ENCR(y,x,z,r, 6, 7,KEYMAP); \ ENCR(x,y,z,r, 8, 9,KEYMAP); \ ENCR(y,x,z,r,10,11,KEYMAP); \ ENCR(x,y,z,r,12,13,KEYMAP); \ ENCR(y,x,z,r,14,15,KEYMAP); \ ENCR(x,y,z,r,16,17,KEYMAP); \ ENCR(y,x,z,r,18,19,KEYMAP); \ ENCR(x,y,z,r,20,21,KEYMAP); \ ENCR(y,x,z,r,22,23,KEYMAP); \ ENCR(x,y,z,r,24,25,KEYMAP); \ ENCR(y,x,z,r,26,27,KEYMAP); \ ENCR(x,y,z,r,28,29,KEYMAP); \ ENCR(y,x,z,r,30,31,KEYMAP); \ \ /* save result */ \ SAVE(); \ \ return; \ } #define DECRYPT(NAME, TEMP, LOAD, KEYMAP, SAVE) \ \ void \ NAME(REGISTER BYTE *D, \ REGISTER const uint32_t *r, \ REGISTER const uint8_t *s) \ { \ register uint32_t x, y, z; \ \ /* declare temps & load data */ \ TEMP(LOAD); \ \ /* do the 16 iterations */ \ FIXR \ DECR(x,y,z,r,31,30,KEYMAP); \ DECR(y,x,z,r,29,28,KEYMAP); \ DECR(x,y,z,r,27,26,KEYMAP); \ DECR(y,x,z,r,25,24,KEYMAP); \ DECR(x,y,z,r,23,22,KEYMAP); \ DECR(y,x,z,r,21,20,KEYMAP); \ DECR(x,y,z,r,19,18,KEYMAP); \ DECR(y,x,z,r,17,16,KEYMAP); \ DECR(x,y,z,r,15,14,KEYMAP); \ DECR(y,x,z,r,13,12,KEYMAP); \ DECR(x,y,z,r,11,10,KEYMAP); \ DECR(y,x,z,r, 9, 8,KEYMAP); \ DECR(x,y,z,r, 7, 6,KEYMAP); \ DECR(y,x,z,r, 5, 4,KEYMAP); \ DECR(x,y,z,r, 3, 2,KEYMAP); \ DECR(y,x,z,r, 1, 0,KEYMAP); \ \ /* save result */ \ SAVE(); \ \ return; \ } nettle-4.0/descore.README0000644000000000000000000003516615141166424012120 0ustar00des - fast & portable DES encryption & decryption. Copyright (C) 1992 Dana L. How This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA Author's address: how@isl.stanford.edu ==>> To compile after untarring/unsharring, just `make' <<== This package was designed with the following goals: 1. Highest possible encryption/decryption PERFORMANCE. 2. PORTABILITY to any byte-addressable machine with a 32bit unsigned C type 3. Plug-compatible replacement for KERBEROS's low-level routines. performance comparison to other available des code which i could compile on a SPARCStation 1 (cc -O4): this code (byte-order independent): 30us per encryption (options: 64k tables, no IP/FP) 33us per encryption (options: 64k tables, FIPS standard bit ordering) 45us per encryption (options: 2k tables, no IP/FP) 49us per encryption (options: 2k tables, FIPS standard bit ordering) 275us to set a new key (uses 1k of key tables) this has the quickest encryption/decryption routines i've seen. since i was interested in fast des filters rather than crypt(3) and password cracking, i haven't really bothered yet to speed up the key setting routine. also, i have no interest in re-implementing all the other junk in the mit kerberos des library, so i've just provided my routines with little stub interfaces so they can be used as drop-in replacements with mit's code or any of the mit- compatible packages below. (note that the first two timings above are highly variable because of cache effects). kerberos des replacement from australia: 68us per encryption (uses 2k of tables) 96us to set a new key (uses 2.25k of key tables) this is a very nice package which implements the most important of the optimizations which i did in my encryption routines. it's a bit weak on common low-level optimizations which is why it's 39%-106% slower. because he was interested in fast crypt(3) and password-cracking applications, he also used the same ideas to speed up the key-setting routines with impressive results. (at some point i may do the same in my package). he also implements the rest of the mit des library. (code from eay@psych.psy.uq.oz.au via comp.sources.misc) fast crypt(3) package from denmark: the des routine here is buried inside a loop to do the crypt function and i didn't feel like ripping it out and measuring performance. his code takes 26 sparc instructions to compute one des iteration; above, Quick (64k) takes 21 and Small (2k) takes 37. he claims to use 280k of tables but the iteration calculation seems to use only 128k. his tables and code are machine independent. (code from glad@daimi.aau.dk via alt.sources or comp.sources.misc) swedish reimplementation of Kerberos des library 108us per encryption (uses 34k worth of tables) 134us to set a new key (uses 32k of key tables to get this speed!) the tables used seem to be machine-independent; he seems to have included a lot of special case code so that, e.g., `long' loads can be used instead of 4 `char' loads when the machine's architecture allows it. (code obtained from chalmers.se:pub/des) crack 3.3c package from england: as in crypt above, the des routine is buried in a loop. it's also very modified for crypt. his iteration code uses 16k of tables and appears to be slow. (code obtained from aem@aber.ac.uk via alt.sources or comp.sources.misc) ``highly optimized'' and tweaked Kerberos/Athena code (byte-order dependent): 165us per encryption (uses 6k worth of tables) 478us to set a new key (uses <1k of key tables) so despite the comments in this code, it was possible to get faster code AND smaller tables, as well as making the tables machine-independent. (code obtained from prep.ai.mit.edu) UC Berkeley code (depends on machine-endedness): 226us per encryption 10848us to set a new key table sizes are unclear, but they don't look very small (code obtained from wuarchive.wustl.edu) motivation and history a while ago i wanted some des routines and the routines documented on sun's man pages either didn't exist or dumped core. i had heard of kerberos, and knew that it used des, so i figured i'd use its routines. but once i got it and looked at the code, it really set off a lot of pet peeves - it was too convoluted, the code had been written without taking advantage of the regular structure of operations such as IP, E, and FP (i.e. the author didn't sit down and think before coding), it was excessively slow, the author had attempted to clarify the code by adding MORE statements to make the data movement more `consistent' instead of simplifying his implementation and cutting down on all data movement (in particular, his use of L1, R1, L2, R2), and it was full of idiotic `tweaks' for particular machines which failed to deliver significant speedups but which did obfuscate everything. so i took the test data from his verification program and rewrote everything else. a while later i ran across the great crypt(3) package mentioned above. the fact that this guy was computing 2 sboxes per table lookup rather than one (and using a MUCH larger table in the process) emboldened me to do the same - it was a trivial change from which i had been scared away by the larger table size. in his case he didn't realize you don't need to keep the working data in TWO forms, one for easy use of half the sboxes in indexing, the other for easy use of the other half; instead you can keep it in the form for the first half and use a simple rotate to get the other half. this means i have (almost) half the data manipulation and half the table size. in fairness though he might be encoding something particular to crypt(3) in his tables - i didn't check. i'm glad that i implemented it the way i did, because this C version is portable (the ifdef's are performance enhancements) and it is faster than versions hand-written in assembly for the sparc! porting notes one thing i did not want to do was write an enormous mess which depended on endedness and other machine quirks, and which necessarily produced different code and different lookup tables for different machines. see the kerberos code for an example of what i didn't want to do; all their endedness-specific `optimizations' obfuscate the code and in the end were slower than a simpler machine independent approach. however, there are always some portability considerations of some kind, and i have included some options for varying numbers of register variables. perhaps some will still regard the result as a mess! 1) i assume everything is byte addressable, although i don't actually depend on the byte order, and that bytes are 8 bits. i assume word pointers can be freely cast to and from char pointers. note that 99% of C programs make these assumptions. i always use unsigned char's if the high bit could be set. 2) the typedef `word' means a 32 bit unsigned integral type. if `unsigned long' is not 32 bits, change the typedef in desCore.h. i assume sizeof(word) == 4 EVERYWHERE. the (worst-case) cost of my NOT doing endedness-specific optimizations in the data loading and storing code surrounding the key iterations is less than 12%. also, there is the added benefit that the input and output work areas do not need to be word-aligned. OPTIONAL performance optimizations 1) you should define one of `i386,' `vax,' `mc68000,' or `sparc,' whichever one is closest to the capabilities of your machine. see the start of desCode.h to see exactly what this selection implies. note that if you select the wrong one, the des code will still work; these are just performance tweaks. 2) for those with functional `asm' keywords: you should change the ROR and ROL macros to use machine rotate instructions if you have them. this will save 2 instructions and a temporary per use, or about 32 to 40 instructions per en/decryption. these optimizations are all rather persnickety, yet with them you should be able to get performance equal to assembly-coding, except that: 1) with the lack of a bit rotate operator in C, rotates have to be synthesized from shifts. so access to `asm' will speed things up if your machine has rotates, as explained above in (3). 2) if your machine has less than 12 32-bit registers i doubt your compiler will generate good code. `i386' tries to configure the code for a 386 by only declaring 3 registers (it appears that gcc can use ebx, esi and edi to hold register variables). however, if you like assembly coding, the 386 does have 7 32-bit registers, and if you use ALL of them, use `scaled by 8' address modes with displacement and other tricks, you can get reasonable routines for DesQuickCore... with about 250 instructions apiece. For DesSmall... it will help to rearrange des_keymap, i.e., now the sbox # is the high part of the index and the 6 bits of data is the low part; it helps to exchange these. since i have no way to conveniently test it i have not provided my shoehorned 386 version. coding notes the en/decryption routines each use 6 necessary register variables, with 4 being actively used at once during the inner iterations. if you don't have 4 register variables get a new machine. up to 8 more registers are used to hold constants in some configurations. i assume that the use of a constant is more expensive than using a register: a) additionally, i have tried to put the larger constants in registers. registering priority was by the following: anything more than 12 bits (bad for RISC and CISC) greater than 127 in value (can't use movq or byte immediate on CISC) 9-127 (may not be able to use CISC shift immediate or add/sub quick), 1-8 were never registered, being the cheapest constants. b) the compiler may be too stupid to realize table and table+256 should be assigned to different constant registers and instead repetitively do the arithmetic, so i assign these to explicit `m' register variables when possible and helpful. i assume that indexing is cheaper or equivalent to auto increment/decrement, where the index is 7 bits unsigned or smaller. this assumption is reversed for 68k and vax. i assume that addresses can be cheaply formed from two registers, or from a register and a small constant. i never use the `two registers and offset' form you see in some CISC machines. all index scaling is done explicitly - no hidden shifts by log2(sizeof). the code is written so that even a dumb compiler should never need more than one hidden temporary, increasing the chance that everything will fit in the registers. KEEP THIS MORE SUBTLE POINT IN MIND IF YOU REWRITE ANYTHING. special efficient data format bits are manipulated in this arrangement most of the time (S7 S5 S3 S1): 003130292827xxxx242322212019xxxx161514131211xxxx080706050403xxxx (the x bits are still there, i'm just emphasizing where the S boxes are). bits are rotated left 4 when computing S6 S4 S2 S0: 282726252423xxxx201918171615xxxx121110090807xxxx040302010031xxxx the rightmost two bits are usually cleared so the lower byte can be used as an index into an sbox mapping table. the next two x'd bits are set to various values to access different parts of the tables. how to use the routines datatypes: pointer to 8 byte area of type DesData used to hold keys and input/output blocks to des. pointer to 128 byte area of type DesKeys used to hold full 768-bit key. must be long-aligned. DesQuickInit() call this before using any other routine with `Quick' in its name. it generates the special 64k table these routines need. DesQuickDone() frees this table DesMethod(m, k) m points to a 128byte block, k points to an 8 byte des key which must have odd parity (or -1 is returned) and which must not be a (semi-)weak key (or -2 is returned). normally DesMethod() returns 0. m is filled in from k so that when one of the routines below is called with m, the routine will act like standard des en/decryption with the key k. if you use DesMethod, you supply a standard 56bit key; however, if you fill in m yourself, you will get a 768bit key - but then it won't be standard. it's 768bits not 1024 because the least significant two bits of each byte are not used. and yes, each byte controls a specific sbox during a specific iteration. NOTE: actually, every other word has been rotated right 4 bits to reduce the number of temporaries needed when the key is used. you really shouldn't use the 768bit format directly; i should provide a routine that converts 128 6-bit bytes (specified in S-box mapping order or something) into the right format for you. this would entail some byte concatenation and rotation. Des{Small|Quick}{Fips|Core}{Encrypt|Decrypt}(d, m, s) performs des on the 8 bytes at s into the 8 bytes at d. (d,s: char *). uses m as a 768bit key as explained above. the Encrypt|Decrypt choice is obvious. Fips|Core determines whether a completely standard FIPS initial and final permutation is done; if not, then the data is loaded and stored in a nonstandard bit order (FIPS w/o IP/FP). Fips slows down Quick by 10%, Small by 9%. Small|Quick determines whether you use the normal routine or the crazy quick one which gobbles up 64k more of memory. Small is 50% slower then Quick, but Quick needs 32 times as much memory. Quick is included for programs that do nothing but DES, e.g., encryption filters, etc. Getting it to compile on your machine there are no machine-dependencies in the code (see porting), except perhaps the `now()' macro in desTest.c. ALL generated tables are machine independent. you should edit the Makefile with the appropriate optimization flags for your compiler (MAX optimization). Speeding up kerberos (and/or its des library) note that i have included a kerberos-compatible interface in desUtil.c through the functions des_key_sched() and des_ecb_encrypt(). to use these with kerberos or kerberos-compatible code put desCore.a ahead of the kerberos-compatible library on your linker's command line. you should not need to #include desCore.h; just include the header file provided with the kerberos library. Other uses the macros in desCode.h would be very useful for putting inline des functions in more complicated encryption routines. nettle-4.0/desdata.c0000644000000000000000000001055515141166424011361 0ustar00/* desdata.c * * Generate tables used by des.c and desCode.h. * */ /* * des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. * */ #include #include "desinfo.h" /* list of weak and semi-weak keys +0 +1 +2 +3 +4 +5 +6 +7 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x1f 0x01 0x1f 0x01 0x0e 0x01 0x0e 0x01 0xe0 0x01 0xe0 0x01 0xf1 0x01 0xf1 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x1f 0x01 0x1f 0x01 0x0e 0x01 0x0e 0x01 0x1f 0x1f 0x1f 0x1f 0x0e 0x0e 0x0e 0x0e 0x1f 0xe0 0x1f 0xe0 0x0e 0xf1 0x0e 0xf1 0x1f 0xfe 0x1f 0xfe 0x0e 0xfe 0x0e 0xfe 0xe0 0x01 0xe0 0x01 0xf1 0x01 0xf1 0x01 0xe0 0x1f 0xe0 0x1f 0xf1 0x0e 0xf1 0x0e 0xe0 0xe0 0xe0 0xe0 0xf1 0xf1 0xf1 0xf1 0xe0 0xfe 0xe0 0xfe 0xf1 0xfe 0xf1 0xfe 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x1f 0xfe 0x1f 0xfe 0x0e 0xfe 0x0e 0xfe 0xe0 0xfe 0xe0 0xfe 0xf1 0xfe 0xf1 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe */ /* key bit order in each method pair: bits 31->00 of 1st, bits 31->00 of 2nd */ /* this does not reflect the rotate of the 2nd word */ #define S(box,bit) (box*6+bit) int korder[] = { S(7, 5), S(7, 4), S(7, 3), S(7, 2), S(7, 1), S(7, 0), S(5, 5), S(5, 4), S(5, 3), S(5, 2), S(5, 1), S(5, 0), S(3, 5), S(3, 4), S(3, 3), S(3, 2), S(3, 1), S(3, 0), S(1, 5), S(1, 4), S(1, 3), S(1, 2), S(1, 1), S(1, 0), S(6, 5), S(6, 4), S(6, 3), S(6, 2), S(6, 1), S(6, 0), S(4, 5), S(4, 4), S(4, 3), S(4, 2), S(4, 1), S(4, 0), S(2, 5), S(2, 4), S(2, 3), S(2, 2), S(2, 1), S(2, 0), S(0, 5), S(0, 4), S(0, 3), S(0, 2), S(0, 1), S(0, 0), }; /* the order in which the algorithm accesses the s boxes */ int sorder[] = { 7, 5, 3, 1, 6, 4, 2, 0, }; int main(int argc, char **argv) { unsigned long d, i, j, k, l, m, n, s; /* Always at least 32 bits */ char b[256], ksr[56]; if (argc <= 1) return 1; switch ( argv[1][0] ) { default: return 1; /* * <<< make the key parity table >>> */ case 'p': printf( "/* automagically produced - do not fuss with this information */\n\n"); /* store parity information */ for ( i = 0; i < 256; i++ ) { j = i; j ^= j >> 4; /* bits 3-0 have pairs */ j ^= j << 2; /* bits 3-2 have quads */ j ^= j << 1; /* bit 3 has the entire eight (no cox) */ b[i] = 8 & ~j; /* 0 is okay and 8 is bad parity */ } /* only these characters can appear in a weak key */ b[0x01] = 1; b[0x0e] = 2; b[0x1f] = 3; b[0xe0] = 4; b[0xf1] = 5; b[0xfe] = 6; /* print it out */ for ( i = 0; i < 256; i++ ) { printf("%d,", b[i]); if ( (i & 31) == 31 ) printf("\n"); } break; /* * <<< make the key usage table >>> */ case 'r': printf("/* automagically made - do not fuss with this */\n\n"); /* KL specifies the initial key bit positions */ for (i = 0; i < 56; i++) ksr[i] = (KL[i] - 1) ^ 7; for (i = 0; i < 16; i++) { /* apply the appropriate number of left shifts */ for (j = 0; j < KS[i]; j++) { m = ksr[ 0]; n = ksr[28]; for (k = 0; k < 27; k++) ksr[k ] = ksr[k + 1], ksr[k + 28] = ksr[k + 29]; ksr[27] = m; ksr[55] = n; } /* output the key bit numbers */ for (j = 0; j < 48; j++) { m = ksr[KC[korder[j]] - 1]; m = (m / 8) * 7 + (m % 8) - 1; m = 55 - m; printf(" %2ld,", (long) m); if ((j % 12) == 11) printf("\n"); } printf("\n"); } break; /* * <<< make the keymap table >>> */ case 'k': printf("/* automagically made - do not fuss with this */\n\n"); for ( i = 0; i <= 7 ; i++ ) { s = sorder[i]; for ( d = 0; d <= 63; d++ ) { /* flip bits */ k = ((d << 5) & 32) | ((d << 3) & 16) | ((d << 1) & 8) | ((d >> 1) & 4) | ((d >> 3) & 2) | ((d >> 5) & 1) ; /* more bit twiddling */ l = ((k << 0) & 32) | /* overlap bit */ ((k << 4) & 16) | /* overlap bit */ ((k >> 1) & 15) ; /* unique bits */ /* look up s box value */ m = SB[s][l]; /* flip bits */ n = ((m << 3) & 8) | ((m << 1) & 4) | ((m >> 1) & 2) | ((m >> 3) & 1) ; /* put in correct nybble */ n <<= (s << 2); /* perform p permutation */ for ( m = j = 0; j < 32; j++ ) if ( n & (1 << (SP[j] - 1)) ) m |= (1UL << j); /* rotate right (alg keeps everything rotated by 1) */ m = (m >> 1) | ((m & 1) << 31); /* print it out */ printf(" 0x%08lx,", m); if ( ( d & 3 ) == 3 ) printf("\n"); } printf("\n"); } break; } return 0; } nettle-4.0/desdata.stamp0000644000000000000000000000000615141166424012251 0ustar00stamp nettle-4.0/desinfo.h0000644000000000000000000000666415141166424011416 0ustar00/* desinfo.h * * Tables describing DES rather than just this implementation. * These are used in desdata but NOT in runtime code. * */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ /* the initial permutation, E selection, and final permutation are hardwired */ /* Key Load: how to load the shift register from the user key */ unsigned char KL[] = { 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4, }; /* Key Shift: how many times to shift the key shift register */ unsigned char KS[] = { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1, }; /* Key Choose: which key bits from shift reg are used in the key schedule */ unsigned char KC[] = { 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32, }; /* S Boxes */ unsigned char SB[8][64] = { { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13, },{ 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9, },{ 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12, },{ 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14, },{ 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3, },{ 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13, },{ 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12, },{ 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 } }; /* Sbox Permutation */ char SP[] = { 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25, }; nettle-4.0/drbg-ctr-aes256.c0000644000000000000000000000472415141166424012464 0ustar00/* drbg-ctr-aes256.c Copyright (C) 2023 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "drbg-ctr.h" #include #include "macros.h" #include "memxor.h" #include "block-internal.h" static void drbg_ctr_aes256_output (const struct aes256_ctx *key, union nettle_block16 *V, size_t n, uint8_t *dst) { for (; n >= AES_BLOCK_SIZE; n -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE) { INCREMENT(AES_BLOCK_SIZE, V->b); aes256_encrypt (key, AES_BLOCK_SIZE, dst, V->b); } if (n > 0) { union nettle_block16 block; INCREMENT(AES_BLOCK_SIZE, V->b); aes256_encrypt (key, AES_BLOCK_SIZE, block.b, V->b); memcpy (dst, block.b, n); } } void drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *ctx, const uint8_t *provided_data) { union nettle_block16 tmp[3]; drbg_ctr_aes256_output (&ctx->key, &ctx->V, DRBG_CTR_AES256_SEED_SIZE, tmp[0].b); if (provided_data) memxor (tmp[0].b, provided_data, DRBG_CTR_AES256_SEED_SIZE); aes256_set_encrypt_key (&ctx->key, tmp[0].b); block16_set (&ctx->V, &tmp[2]); } void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *ctx, uint8_t *seed_material) { static const uint8_t zero_key[AES256_KEY_SIZE] = {0}; aes256_set_encrypt_key (&ctx->key, zero_key); block16_zero (&ctx->V); drbg_ctr_aes256_update (ctx, seed_material); } void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst) { drbg_ctr_aes256_output (&ctx->key, &ctx->V, n, dst); drbg_ctr_aes256_update (ctx, NULL); } nettle-4.0/drbg-ctr.h0000644000000000000000000000411015141166424011453 0ustar00/* drbg-ctr.h This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DRBG_CTR_H_INCLUDED #define NETTLE_DRBG_CTR_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define drbg_ctr_aes256_init nettle_drbg_ctr_aes256_init #define drbg_ctr_aes256_random nettle_drbg_ctr_aes256_random #define drbg_ctr_aes256_update nettle_drbg_ctr_aes256_update #define DRBG_CTR_AES256_SEED_SIZE (AES_BLOCK_SIZE + AES256_KEY_SIZE) struct drbg_ctr_aes256_ctx { struct aes256_ctx key; union nettle_block16 V; }; /* Initialize using DRBG_CTR_AES256_SEED_SIZE bytes of SEED_MATERIAL. */ void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *ctx, uint8_t *seed_material); /* Output N bytes of random data into DST. */ void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst); /* Update the internal state of CTX with PROVIDED_DATA. PROVIDED_DATA is either NULL or a pointer to DRBG_CTR_AES256_SEED_SIZE (= 48) bytes. */ void drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *ctx, const uint8_t *provided_data); #ifdef __cplusplus } #endif #endif /* NETTLE_DRBG_CTR_H_INCLUDED */ nettle-4.0/dsa-gen-params.c0000644000000000000000000000537715141166424012561 0ustar00/* dsa-gen-params.c Generation of DSA parameters Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa.h" #include "bignum.h" #include "nettle-internal.h" #include "hogweed-internal.h" /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). */ int dsa_generate_params(struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits) { mpz_t r; unsigned p0_bits; unsigned a; if (q_bits < 30 || p_bits < q_bits + 30) return 0; mpz_init (r); nettle_random_prime (params->q, q_bits, 0, random_ctx, random, progress_ctx, progress); if (q_bits >= (p_bits + 2)/3) _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, random_ctx, random, params->q, NULL, params->q); else { mpz_t p0, p0q; mpz_init (p0); mpz_init (p0q); p0_bits = (p_bits + 3)/2; nettle_random_prime (p0, p0_bits, 0, random_ctx, random, progress_ctx, progress); if (progress) progress (progress_ctx, 'q'); /* Generate p = 2 r q p0 + 1, such that 2^{n-1} < p < 2^n. */ mpz_mul (p0q, p0, params->q); _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, random_ctx, random, p0, params->q, p0q); mpz_mul (r, r, p0); mpz_clear (p0); mpz_clear (p0q); } if (progress) progress (progress_ctx, 'p'); for (a = 2; ; a++) { mpz_set_ui (params->g, a); mpz_powm (params->g, params->g, r, params->p); if (mpz_cmp_ui (params->g, 1) != 0) break; } mpz_clear (r); if (progress) progress (progress_ctx, 'g'); return 1; } nettle-4.0/dsa-hash.c0000644000000000000000000000465415141166424011447 0ustar00/* dsa-hash.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "dsa-internal.h" #include "gmp-glue.h" /* Convert hash value to an integer. The general description of DSA in FIPS186-3 allows both larger and smaller q; in the the former case the hash is zero-padded at the left, in the latter case, the hash is truncated at the right. NOTE: We don't considered the hash value to be secret, so it's ok if the running time of this conversion depends on h. Output size is ceil(bit_size / GMP_NUMB_BITS). */ void _nettle_dsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest) { unsigned octet_size = (bit_size + 7) / 8; unsigned limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE (bit_size); if (length > octet_size) length = octet_size; mpn_set_base256(hp, limb_size, digest, length); if (8 * length > bit_size) /* We got a few extra bits, at the low end. Discard them. */ mpn_rshift (hp, hp, limb_size, 8*length - bit_size); } /* Uses little-endian order, and no trimming of left-over bits in the last byte (bits will instead be reduced mod q later). */ void _nettle_gostdsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest) { unsigned octet_size = (bit_size + 7) / 8; unsigned limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE (bit_size); if (length > octet_size) length = octet_size; mpn_set_base256_le(hp, limb_size, digest, length); } nettle-4.0/dsa-internal.h0000644000000000000000000000265515141166424012344 0ustar00/* dsa-internal.h The DSA publickey algorithm. Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DSA_INTERNAL_H_INCLUDED #define NETTLE_DSA_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Internal functions. */ void _nettle_dsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest); void _nettle_gostdsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest); #endif /* NETTLE_DSA_INTERNAL_H_INCLUDED */ nettle-4.0/dsa-keygen.c0000644000000000000000000000320115141166424011771 0ustar00/* dsa-keygen.c Generation of DSA keypairs Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "bignum.h" /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). Currenty, we use only q_bits of 160 or 256. */ void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random) { mpz_t r; mpz_init_set(r, params->q); mpz_sub_ui(r, r, 2); nettle_mpz_random(key, random_ctx, random, r); mpz_add_ui(key, key, 1); mpz_powm(pub, params->g, key, params->p); mpz_clear (r); } nettle-4.0/dsa-sign.c0000644000000000000000000000520615141166424011456 0ustar00/* dsa-sign.c The DSA publickey algorithm. Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa.h" #include "dsa-internal.h" #include "bignum.h" #include "gmp-glue.h" int dsa_sign(const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature) { mpz_t k; mpz_t h; mpz_t tmp; unsigned bit_size; unsigned limb_size; int res; /* Check that p is odd, so that invalid keys don't result in a crash inside mpz_powm_sec. */ if (mpz_even_p (params->p)) return 0; /* Select k, 0q); mpz_sub_ui(tmp, tmp, 1); mpz_init(k); nettle_mpz_random(k, random_ctx, random, tmp); mpz_add_ui(k, k, 1); /* Compute r = (g^k (mod p)) (mod q) */ mpz_powm_sec(tmp, params->g, k, params->p); mpz_fdiv_r(signature->r, tmp, params->q); /* Compute hash */ bit_size = mpz_sizeinbase(params->q, 2); limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE(bit_size); mpz_init(h); _nettle_dsa_hash (mpz_limbs_write (h, limb_size), bit_size, digest_size, digest); mpz_limbs_finish (h, limb_size); /* Compute k^-1 (mod q) */ if (mpz_invert(k, k, params->q)) { /* Compute signature s = k^-1 (h + xr) (mod q) */ mpz_mul(tmp, signature->r, x); mpz_fdiv_r(tmp, tmp, params->q); mpz_add(tmp, tmp, h); mpz_mul(tmp, tmp, k); mpz_fdiv_r(signature->s, tmp, params->q); res = 1; } else /* What do we do now? The key is invalid. */ res = 0; mpz_clear(k); mpz_clear(h); mpz_clear(tmp); return res; } nettle-4.0/dsa-verify.c0000644000000000000000000000526315141166424012025 0ustar00/* dsa-verify.c The DSA publickey algorithm. Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "dsa-internal.h" #include "gmp-glue.h" int dsa_verify(const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature) { mpz_t w; mpz_t tmp; mpz_t v; unsigned bit_size; unsigned limb_size; int res; /* Check that r and s are in the proper range */ if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, params->q) >= 0) return 0; if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, params->q) >= 0) return 0; mpz_init(w); /* Compute w = s^-1 (mod q) */ /* NOTE: In gmp-2, mpz_invert sometimes generates negative inverses, * so we need gmp-3 or better. */ if (!mpz_invert(w, signature->s, params->q)) { mpz_clear(w); return 0; } mpz_init(tmp); mpz_init(v); /* The message digest */ bit_size = mpz_sizeinbase(params->q, 2); limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE(bit_size); _nettle_dsa_hash (mpz_limbs_write (tmp, limb_size), bit_size, digest_size, digest); mpz_limbs_finish (tmp, limb_size); /* v = g^{w * h (mod q)} (mod p) */ mpz_mul(tmp, tmp, w); mpz_fdiv_r(tmp, tmp, params->q); mpz_powm(v, params->g, tmp, params->p); /* y^{w * r (mod q) } (mod p) */ mpz_mul(tmp, signature->r, w); mpz_fdiv_r(tmp, tmp, params->q); mpz_powm(tmp, y, tmp, params->p); /* v = (g^{w * h} * y^{w * r} (mod p) ) (mod q) */ mpz_mul(v, v, tmp); mpz_fdiv_r(v, v, params->p); mpz_fdiv_r(v, v, params->q); res = !mpz_cmp(v, signature->r); mpz_clear(w); mpz_clear(tmp); mpz_clear(v); return res; } nettle-4.0/dsa.c0000644000000000000000000000314515141166424010520 0ustar00/* dsa.c The DSA publickey algorithm. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "dsa-internal.h" #include "bignum.h" void dsa_params_init (struct dsa_params *params) { mpz_init(params->p); mpz_init(params->q); mpz_init(params->g); } void dsa_params_clear (struct dsa_params *params) { mpz_clear(params->p); mpz_clear(params->q); mpz_clear(params->g); } void dsa_signature_init(struct dsa_signature *signature) { mpz_init(signature->r); mpz_init(signature->s); } void dsa_signature_clear(struct dsa_signature *signature) { mpz_clear(signature->r); mpz_clear(signature->s); } nettle-4.0/dsa.h0000644000000000000000000001300715141166424010523 0ustar00/* dsa.h The DSA publickey algorithm. Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DSA_H_INCLUDED #define NETTLE_DSA_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define dsa_params_init nettle_dsa_params_init #define dsa_params_clear nettle_dsa_params_clear #define dsa_signature_init nettle_dsa_signature_init #define dsa_signature_clear nettle_dsa_signature_clear #define dsa_sign nettle_dsa_sign #define dsa_verify nettle_dsa_verify #define dsa_generate_params nettle_dsa_generate_params #define dsa_generate_keypair nettle_dsa_generate_keypair #define dsa_signature_from_sexp nettle_dsa_signature_from_sexp #define dsa_keypair_to_sexp nettle_dsa_keypair_to_sexp #define dsa_keypair_from_sexp_alist nettle_dsa_keypair_from_sexp_alist #define dsa_sha1_keypair_from_sexp nettle_dsa_sha1_keypair_from_sexp #define dsa_sha256_keypair_from_sexp nettle_dsa_sha256_keypair_from_sexp #define dsa_params_from_der_iterator nettle_dsa_params_from_der_iterator #define dsa_public_key_from_der_iterator nettle_dsa_public_key_from_der_iterator #define dsa_openssl_private_key_from_der_iterator nettle_dsa_openssl_private_key_from_der_iterator #define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der /* For FIPS approved parameters */ #define DSA_SHA1_MIN_P_BITS 512 #define DSA_SHA1_Q_OCTETS 20 #define DSA_SHA1_Q_BITS 160 #define DSA_SHA256_MIN_P_BITS 1024 #define DSA_SHA256_Q_OCTETS 32 #define DSA_SHA256_Q_BITS 256 struct dsa_params { /* Modulo */ mpz_t p; /* Group order */ mpz_t q; /* Generator */ mpz_t g; }; void dsa_params_init (struct dsa_params *params); void dsa_params_clear (struct dsa_params *params); struct dsa_signature { mpz_t r; mpz_t s; }; /* Calls mpz_init to initialize bignum storage. */ void dsa_signature_init(struct dsa_signature *signature); /* Calls mpz_clear to deallocate bignum storage. */ void dsa_signature_clear(struct dsa_signature *signature); int dsa_sign(const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature); int dsa_verify(const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature); /* Key generation */ int dsa_generate_params(struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits); void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random); /* Keys in sexp form. */ struct nettle_buffer; /* Generates a public-key expression if PRIV is NULL .*/ int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, /* NULL means "dsa" */ const struct dsa_params *params, const mpz_t pub, const mpz_t priv); struct sexp_iterator; int dsa_signature_from_sexp(struct dsa_signature *rs, struct sexp_iterator *i, unsigned q_bits); int dsa_keypair_from_sexp_alist(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i); /* If PRIV is NULL, expect a public-key expression. If PUB is NULL, * expect a private key expression and ignore the parts not needed for * the public key. */ /* Keys must be initialized before calling this function, as usual. */ int dsa_sha1_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr); int dsa_sha256_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr); /* Keys in X.509 andd OpenSSL format. */ struct asn1_der_iterator; int dsa_params_from_der_iterator(struct dsa_params *params, unsigned max_bits, unsigned q_bits, struct asn1_der_iterator *i); int dsa_public_key_from_der_iterator(const struct dsa_params *params, mpz_t pub, struct asn1_der_iterator *i); int dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, struct asn1_der_iterator *i); int dsa_openssl_private_key_from_der(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_DSA_H_INCLUDED */ nettle-4.0/dsa2sexp.c0000644000000000000000000000327415141166424011505 0ustar00/* dsa2sexp.c Copyright (C) 2002, 2009, 2014 Niels Möller, Magnus Holmgren This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "sexp.h" int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, const struct dsa_params *params, const mpz_t pub, const mpz_t priv) { if (!algorithm_name) algorithm_name = "dsa"; if (priv) return sexp_format(buffer, "(private-key(%0s(p%b)(q%b)" "(g%b)(y%b)(x%b)))", algorithm_name, params->p, params->q, params->g, pub, priv); else return sexp_format(buffer, "(public-key(%0s(p%b)(q%b)" "(g%b)(y%b)))", algorithm_name, params->p, params->q, params->g, pub); } nettle-4.0/eax-aes128-meta.c0000644000000000000000000000341015141166423012445 0ustar00/* eax-aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eax.h" #include "nettle-meta.h" static nettle_set_key_func eax_aes128_set_nonce_wrapper; static void eax_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { eax_aes128_set_nonce (ctx, EAX_IV_SIZE, nonce); } const struct nettle_aead nettle_eax_aes128 = { "eax_aes128", sizeof(struct eax_aes128_ctx), EAX_BLOCK_SIZE, AES128_KEY_SIZE, EAX_IV_SIZE, EAX_DIGEST_SIZE, (nettle_set_key_func *) eax_aes128_set_key, (nettle_set_key_func *) eax_aes128_set_key, eax_aes128_set_nonce_wrapper, (nettle_hash_update_func *) eax_aes128_update, (nettle_crypt_func *) eax_aes128_encrypt, (nettle_crypt_func *) eax_aes128_decrypt, (nettle_hash_digest_func *) eax_aes128_digest }; nettle-4.0/eax-aes128.c0000644000000000000000000000370215141166423011525 0ustar00/* eax-aes128.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eax.h" void eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key) { EAX_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv) { EAX_SET_NONCE(ctx, aes128_encrypt, length, iv); } void eax_aes128_update(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data) { EAX_UPDATE(ctx, aes128_encrypt, length, data); } void eax_aes128_encrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { EAX_ENCRYPT(ctx, aes128_encrypt, length, dst, src); } void eax_aes128_decrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { EAX_DECRYPT(ctx, aes128_encrypt, length, dst, src); } void eax_aes128_digest(struct eax_aes128_ctx *ctx, uint8_t *digest) { EAX_DIGEST(ctx, aes128_encrypt, digest); } nettle-4.0/eax.c0000644000000000000000000001044115141166423010522 0ustar00/* eax.c EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "eax.h" #include "block-internal.h" #include "ctr.h" #include "memxor.h" static void omac_init (union nettle_block16 *state, unsigned t) { memset (state->b, 0, EAX_BLOCK_SIZE - 1); state->b[EAX_BLOCK_SIZE - 1] = t; } static void omac_update (union nettle_block16 *state, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { for (; length >= EAX_BLOCK_SIZE; length -= EAX_BLOCK_SIZE, data += EAX_BLOCK_SIZE) { f (cipher, EAX_BLOCK_SIZE, state->b, state->b); memxor (state->b, data, EAX_BLOCK_SIZE); } if (length > 0) { /* Allowed only for the last call */ f (cipher, EAX_BLOCK_SIZE, state->b, state->b); memxor (state->b, data, length); state->b[length] ^= 0x80; /* XOR with (P ^ B), since the digest processing * unconditionally XORs with B */ block16_xor (state, &key->pad_partial); } } static void omac_final (union nettle_block16 *state, const struct eax_key *key, const void *cipher, nettle_cipher_func *f) { block16_xor (state, &key->pad_block); f (cipher, EAX_BLOCK_SIZE, state->b, state->b); } void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; f (cipher, EAX_BLOCK_SIZE, key->pad_block.b, zero_block.b); block16_mulx_be (&key->pad_block, &key->pad_block); block16_mulx_be (&key->pad_partial, &key->pad_block); block16_xor (&key->pad_partial, &key->pad_block); } void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce) { omac_init (&eax->omac_nonce, 0); omac_update (&eax->omac_nonce, key, cipher, f, nonce_length, nonce); omac_final (&eax->omac_nonce, key, cipher, f); memcpy (eax->ctr.b, eax->omac_nonce.b, EAX_BLOCK_SIZE); omac_init (&eax->omac_data, 1); omac_init (&eax->omac_message, 2); } void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data) { omac_update (&eax->omac_data, key, cipher, f, data_length, data); } void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); omac_update (&eax->omac_message, key, cipher, f, length, dst); } void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { omac_update (&eax->omac_message, key, cipher, f, length, src); ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); } void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest) { omac_final (&eax->omac_data, key, cipher, f); omac_final (&eax->omac_message, key, cipher, f); block16_xor (&eax->omac_nonce, &eax->omac_data); memxor3 (digest, eax->omac_nonce.b, eax->omac_message.b, EAX_DIGEST_SIZE); } nettle-4.0/eax.h0000644000000000000000000001311115141166424010525 0ustar00/* eax.h EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EAX_H_INCLUDED #define NETTLE_EAX_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define eax_set_key nettle_eax_set_key #define eax_set_nonce nettle_eax_set_nonce #define eax_update nettle_eax_update #define eax_encrypt nettle_eax_encrypt #define eax_decrypt nettle_eax_decrypt #define eax_digest nettle_eax_digest #define eax_aes128_set_key nettle_eax_aes128_set_key #define eax_aes128_set_nonce nettle_eax_aes128_set_nonce #define eax_aes128_update nettle_eax_aes128_update #define eax_aes128_encrypt nettle_eax_aes128_encrypt #define eax_aes128_decrypt nettle_eax_aes128_decrypt #define eax_aes128_digest nettle_eax_aes128_digest /* Restricted to block ciphers with 128 bit block size. FIXME: Reflect this in naming? */ #define EAX_BLOCK_SIZE 16 #define EAX_DIGEST_SIZE 16 /* FIXME: Reasonable default? */ #define EAX_IV_SIZE 16 /* Values independent of message and nonce */ struct eax_key { union nettle_block16 pad_block; union nettle_block16 pad_partial; }; struct eax_ctx { union nettle_block16 omac_nonce; union nettle_block16 omac_data; union nettle_block16 omac_message; union nettle_block16 ctr; }; void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f); void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce); void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data); void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest); /* Put the cipher last, to get cipher-independent offsets for the EAX * state. */ #define EAX_CTX(type) \ { struct eax_key key; struct eax_ctx eax; type cipher; } #define EAX_SET_KEY(ctx, set_key, encrypt, data) \ do { \ (set_key)(&(ctx)->cipher, (data)); \ if (0) (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ eax_set_key (&(ctx)->key, &(ctx)->cipher, (nettle_cipher_func *) encrypt); \ } while (0) #define EAX_SET_NONCE(ctx, encrypt, length, nonce) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_set_nonce (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (nonce))) #define EAX_UPDATE(ctx, encrypt, length, data) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_update (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (data))) #define EAX_ENCRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_encrypt (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define EAX_DECRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_decrypt (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define EAX_DIGEST(ctx, encrypt, digest) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_digest (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (digest))) struct eax_aes128_ctx EAX_CTX(struct aes128_ctx); void eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key); void eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv); void eax_aes128_update(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data); void eax_aes128_encrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void eax_aes128_decrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void eax_aes128_digest(struct eax_aes128_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_EAX_H_INCLUDED */ nettle-4.0/ecc-a-to-j.c0000644000000000000000000000317115141166424011567 0ustar00/* ecc-a-to-j.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_a_to_j (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p) { if (ecc->use_redc) { mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); mpn_zero (r, ecc->p.size); ecc->p.mod (&ecc->p, r, r); mpn_zero (r + ecc->p.size, ecc->p.size); ecc->p.mod (&ecc->p, r + ecc->p.size, r + ecc->p.size); } else if (r != p) mpn_copyi (r, p, 2*ecc->p.size); mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size); } nettle-4.0/ecc-add-eh.c0000644000000000000000000000616215141166424011625 0ustar00/* ecc-add-eh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, with result and first point in homogeneous coordinates. */ void ecc_add_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) B = z1^2 sqr B, C, E, T F = B - E B, C, E, F, T G = B + E C, F, G, T x3 = z1*F*T 3 mul C, F, G, T y3 = z1*G*(D-C) 2 mul F, G z3 = F*G mul */ #define T scratch #define E (scratch + 1*ecc->p.size) #define G E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_sub (&ecc->p, T, T, D); /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, T, T, z1, x3); ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_sub (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_mul (&ecc->p, C, C, z1, x3); ecc_mod_sqr (&ecc->p, B, z1, x3); /* C, T, E, B */ ecc_mod_sub (&ecc->p, x3, B, E); ecc_mod_add (&ecc->p, G, B, E); /* C, T, G */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, G, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, G, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-4.0/ecc-add-ehh.c0000644000000000000000000000630215141166424011771 0ustar00/* ecc-add-ehh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, in homogeneous coordinates */ void ecc_add_ehh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#addition-add-2007-bl): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D, mul C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) A = z1*z2 mul A, C, E, T B = A^2 sqr A, B, C, E, T F = B - E A, B, C, E, F, T G = B + E A, C, F, G, T x3 = A*F*T 2 mul A, C, G y3 = A*G*(D-C) 2 mul F, G z3 = F*G mul */ #define T scratch #define E (scratch + 1*ecc->p.size) #define G E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_sub (&ecc->p, T, T, D); /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_sub (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_mul (&ecc->p, B, z1, z2, x3); /* C, T, E, B */ ecc_mod_mul (&ecc->p, C, C, B, x3); ecc_mod_mul (&ecc->p, T, T, B, x3); ecc_mod_sqr (&ecc->p, B, B, x3); ecc_mod_sub (&ecc->p, x3, B, E); ecc_mod_add (&ecc->p, G, B, E); /* C, T, G */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, G, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, G, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-4.0/ecc-add-jja.c0000644000000000000000000000676115141166424012002 0ustar00/* ecc-add-jj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* NOTE: Behaviour for corner cases: + p = 0 ==> r = 0 (invalid except if also q = 0) + q = 0 ==> r = invalid + p = -q ==> r = 0, correct! + p = q ==> r = 0, invalid */ void ecc_add_jja (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): Computation Operation Live variables ZZ = Z_1^2 sqr ZZ H = X_2*ZZ - X_1 mul (djb: U_2) ZZ, H HH = H^2 sqr ZZ, H, HH ZZZ = ZZ*Z_1 mul ZZ, H, HH, ZZZ Z_3 = (Z_1+H)^2-ZZ-HH sqr H, HH, ZZZ W = 2 (Y_2*ZZZ - Y_1) mul (djb: S_2) H, HH, W I = 4*HH H, W, I J = H*I mul W, I, J V = X_1*I mul W, J, V X_3 = W^2-J-2*V sqr W, J, V Y_3 = W*(V-X_3)-2*Y_1*J mul, mul */ #define zz scratch #define h (scratch + ecc->p.size) #define w (scratch + 2*ecc->p.size) #define hh zz #define i zz #define v zz #define j h #define tp (scratch + 3*ecc->p.size) /* zz */ ecc_mod_sqr (&ecc->p, zz, z1, tp); /* zz */ /* h*/ ecc_mod_mul (&ecc->p, h, x2, zz, tp); /* zz, h */ ecc_mod_sub (&ecc->p, h, h, x1); /* Do z^3 early, store at w. */ ecc_mod_mul (&ecc->p, w, zz, z1, tp); /* zz, h, w */ /* z_3 */ ecc_mod_add (&ecc->p, z3, z1, h); ecc_mod_sqr (&ecc->p, z3, z3, tp); ecc_mod_sub (&ecc->p, z3, z3, zz); /* h, w */ /* hh */ ecc_mod_sqr (&ecc->p, hh, h, tp); /* h, w, hh */ ecc_mod_sub (&ecc->p, z3, z3, hh); /* w */ ecc_mod_mul (&ecc->p, w, y2, w, tp); ecc_mod_sub (&ecc->p, w, w, y1); ecc_mod_add (&ecc->p, w, w, w); /* i replaces hh */ ecc_mod_mul_1 (&ecc->p, i, hh, 4); /* h, w, i */ /* j replaces h */ ecc_mod_mul (&ecc->p, j, i, h, tp); /* w, i, j */ /* v replaces i */ ecc_mod_mul (&ecc->p, v, x1, i, tp); /* x_3 */ ecc_mod_sqr (&ecc->p, x3, w, tp); ecc_mod_sub (&ecc->p, x3, x3, j); ecc_mod_submul_1 (&ecc->p, x3, v, 2); /* y_3 */ ecc_mod_mul (&ecc->p, j, y1, j, tp); ecc_mod_sub (&ecc->p, y3, v, x3); ecc_mod_mul (&ecc->p, y3, y3, w, tp); ecc_mod_submul_1 (&ecc->p, y3, j, 2); } nettle-4.0/ecc-add-jjj.c0000644000000000000000000001000415141166424011774 0ustar00/* ecc-add-jjj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl: Computation Operation Live variables Z1Z1 = Z1^2 sqr Z1Z1 Z2Z2 = Z2^2 sqr Z1Z1, Z2Z2 U1 = X1*Z2Z2 mul Z1Z1, Z2Z2, U1 U2 = X2*Z1Z1 mul Z1Z1, Z2Z2, U1, U2 H = U2-U1 Z1Z1, Z2Z2, U1, H Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H sqr, mul Z1Z1, Z2Z2, U1, H S1 = Y1*Z2*Z2Z2 mul, mul Z1Z1, U1, H, S1 S2 = Y2*Z1*Z1Z1 mul, mul U1, H, S1, S2 W = 2*(S2-S1) (djb: r) U1, H, S1, W I = (2*H)^2 sqr U1, H, S1, W, I J = H*I mul U1, S1, W, J, V V = U1*I mul S1, W, J, V X3 = W^2-J-2*V sqr S1, W, J, V Y3 = W*(V-X3)-2*S1*J mul, mul */ #define h scratch #define z1z1 (scratch + ecc->p.size) #define z2z2 z1z1 #define z1z2 (scratch + 2*ecc->p.size) #define w (scratch + ecc->p.size) #define i (scratch + 2*ecc->p.size) #define j h #define v i #define tp (scratch + 3*ecc->p.size) ecc_mod_sqr (&ecc->p, z2z2, z2, tp); /* z2z2 */ /* Store u1 at x3 */ ecc_mod_mul (&ecc->p, x3, x1, z2z2, tp); /* z2z2 */ ecc_mod_add (&ecc->p, z1z2, z1, z2); /* z2z2, z1z2 */ ecc_mod_sqr (&ecc->p, z1z2, z1z2, tp); ecc_mod_sub (&ecc->p, z1z2, z1z2, z2z2); /* z2z2, z1z2 */ /* Do s1 early, store at y3 */ ecc_mod_mul (&ecc->p, z2z2, z2z2, z2, tp); /* z2z2, z1z2 */ ecc_mod_mul (&ecc->p, y3, z2z2, y1, tp); /* z1z2 */ ecc_mod_sqr (&ecc->p, z1z1, z1, tp); /* z1z1, z1z2 */ ecc_mod_sub (&ecc->p, z1z2, z1z2, z1z1); ecc_mod_mul (&ecc->p, h, x2, z1z1, tp); /* z1z1, z1z2, h */ ecc_mod_sub (&ecc->p, h, h, x3); /* z1^3 */ ecc_mod_mul (&ecc->p, z1z1, z1z1, z1, tp); /* z3 <-- h z1 z2 delayed until now, since that may clobber z1. */ ecc_mod_mul (&ecc->p, z3, z1z2, h, tp); /* z1z1, h */ /* w = 2 (s2 - s1) */ ecc_mod_mul (&ecc->p, w, z1z1, y2, tp); /* h, w */ ecc_mod_sub (&ecc->p, w, w, y3); ecc_mod_add (&ecc->p, w, w, w); /* i = (2h)^2 */ ecc_mod_add (&ecc->p, i, h, h); /* h, w, i */ ecc_mod_sqr (&ecc->p, i, i, tp); /* j and h can overlap */ ecc_mod_mul (&ecc->p, j, h, i, tp); /* j, w, i */ /* v and i can overlap */ ecc_mod_mul (&ecc->p, v, x3, i, tp); /* j, w, v */ /* x3 <-- w^2 - j - 2v */ ecc_mod_sqr (&ecc->p, x3, w, tp); ecc_mod_sub (&ecc->p, x3, x3, j); ecc_mod_submul_1 (&ecc->p, x3, v, 2); /* y3 <-- w (v - x3) - 2 s1 j */ ecc_mod_mul (&ecc->p, j, j, y3, tp); ecc_mod_sub (&ecc->p, v, v, x3); ecc_mod_mul (&ecc->p, y3, v, w, tp); ecc_mod_submul_1 (&ecc->p, y3, j, 2); } nettle-4.0/ecc-add-th.c0000644000000000000000000000643015141166424011642 0ustar00/* ecc-add-th.c Copyright (C) 2014, 2017 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on a twisted Edwards curve, with result and first point in homogeneous coordinates. */ void ecc_add_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-madd-2008-bbjlp Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)*(x2+y2) mul C, D, T - C - D E = b*C*D 2 mul C, E, T (Replace C <-- D+C) B = z1^2 sqr B, C, E, T F = B - E B, C, E, F, T G = B + E C, F, G, T x3 = z1 * F * T 2 mul C, F, G, T y3 = z1*G*(D+C) 2 mul F, G z3 = F*G mul 10M + 1S We have different sign for E, hence swapping F and G, because our ecc->b corresponds to -b above. */ #define T scratch #define E (scratch + 1*ecc->p.size) #define F E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_sub (&ecc->p, T, T, D); /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, T, T, z1, x3); ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_add (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_mul (&ecc->p, C, C, z1, x3); ecc_mod_sqr (&ecc->p, B, z1, x3); /* C, T, E, B */ ecc_mod_add (&ecc->p, x3, B, E); ecc_mod_sub (&ecc->p, F, B, E); /* C, T, F */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, F, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, F, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-4.0/ecc-add-thh.c0000644000000000000000000000641415141166424012014 0ustar00/* ecc-add-thh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, in homogeneous coordinates */ void ecc_add_thh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-add-2008-bbjlp): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D, mul C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) A = z1*z2 mul A, C, E, T B = A^2 sqr A, B, C, E, T F = B - E A, B, C, E, F, T G = B + E A, C, F, G, T x3 = A*F*T 2 mul A, C, G y3 = A*G*(D+C) 2 mul F, G z3 = F*G mul 11M + S We have different sign for E, hence swapping F and G, because our ecc->b corresponds to -b above. */ #define T scratch #define E (scratch + 1*ecc->p.size) #define F E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_add (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_mul (&ecc->p, B, z1, z2, x3); ecc_mod_mul (&ecc->p, T, T, B, x3); ecc_mod_mul (&ecc->p, C, C, B, x3); ecc_mod_sqr (&ecc->p, B, B, x3); ecc_mod_add (&ecc->p, x3, B, E); ecc_mod_sub (&ecc->p, F, B, E); /* C, T, F */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, F, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, F, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-4.0/ecc-curve.h0000644000000000000000000000357415141166424011640 0ustar00/* ecc-curve.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_CURVE_H_INCLUDED #define NETTLE_ECC_CURVE_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* The contents of this struct is internal. */ struct ecc_curve; const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_384r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_521r1(void); #ifdef __cplusplus } #endif #endif /* NETTLE_ECC_CURVE_H_INCLUDED */ nettle-4.0/ecc-curve25519.c0000644000000000000000000002110715141166424012231 0ustar00/* ecc-curve25519.c Arithmetic and tables for curve25519, Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-curve25519.h" #define PHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 255) #if HAVE_NATIVE_ecc_curve25519_modp #define ecc_curve25519_modp _nettle_ecc_curve25519_modp void ecc_curve25519_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #else #if PHIGH_BITS == 0 #error Unsupported limb size */ #endif static void ecc_curve25519_modp(const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t hi, cy; cy = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, (mp_limb_t) 19 << PHIGH_BITS); hi = xp[ECC_LIMB_SIZE-1]; cy = (cy << PHIGH_BITS) + (hi >> (GMP_NUMB_BITS - PHIGH_BITS)); rp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + sec_add_1 (rp, xp, ECC_LIMB_SIZE - 1, 19 * cy); } #endif /* HAVE_NATIVE_ecc_curve25519_modp */ #define QHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 252) #if QHIGH_BITS == 0 #error Unsupported limb size */ #endif static void ecc_curve25519_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp) { mp_size_t n; mp_limb_t cy; /* n is the offset where we add in the next term */ for (n = ECC_LIMB_SIZE; n-- > 0;) { cy = mpn_submul_1 (xp + n, q->B_shifted, ECC_LIMB_SIZE, xp[n + ECC_LIMB_SIZE]); /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */ assert_maybe (cy < 2); mpn_cnd_add_n (cy, xp+n, xp+n, q->m, ECC_LIMB_SIZE); } cy = mpn_submul_1 (xp, q->m, ECC_LIMB_SIZE, xp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS)); assert_maybe (cy < 2); mpn_cnd_add_n (cy, rp, xp, q->m, ECC_LIMB_SIZE); } /* Computes a^{(p-5)/8} = a^{2^{252}-3} mod m. Needs 4 * n scratch space. */ static void ecc_mod_pow_252m3 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a7 scratch #define t0 (scratch + ECC_LIMB_SIZE) #define tp (scratch + 2*ECC_LIMB_SIZE) /* a^{2^252 - 3} = a^{(p-5)/8}, using the addition chain 2^252 - 3 = 1 + (2^252-4) = 1 + 4 (2^250-1) = 1 + 4 (2^125+1)(2^125-1) = 1 + 4 (2^125+1)(1+2(2^124-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^62-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(2^31-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^28-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^14-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(2^7-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^6-1)))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^3+1)*7))) */ ecc_mod_pow_2kp1 (m, a7, ap, 1, tp); /* a^3 */ ecc_mod_sqr (m, a7, a7, tp); /* a^6 */ ecc_mod_mul (m, a7, a7, ap, tp); /* a^7 */ ecc_mod_pow_2kp1 (m, rp, a7, 3, tp); /* a^63 = a^{2^6-1} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^7-2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^7-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 7, tp); /* a^{2^14-1}*/ ecc_mod_pow_2kp1 (m, rp, t0, 14, tp); /* a^{2^28-1} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^29-2} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^30-4} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^31-8} */ ecc_mod_mul (m, rp, rp, a7, tp); /* a^{2^31-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 31, tp); /* a^{2^62-1} */ ecc_mod_pow_2kp1 (m, rp, t0, 62, tp); /* a^{2^124-1}*/ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^125-2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^125-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 125, tp);/* a^{2^250-1} */ ecc_mod_sqr (m, rp, t0, tp); /* a^{2^251-2} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^252-4} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^252-3} */ #undef a7 #undef t0 #undef tp } /* Scratch as for ecc_mod_pow_252m3 above. */ #define ECC_25519_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_curve25519_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain p - 2 = 2^{255} - 21 = 1 + 2 (1 + 4 (2^{252}-3)) */ ecc_mod_pow_252m3 (p, rp, ap, scratch); ecc_mod_sqr (p, rp, rp, scratch); ecc_mod_sqr (p, rp, rp, scratch); ecc_mod_mul (p, rp, ap, rp, scratch); ecc_mod_sqr (p, rp, rp, scratch); ecc_mod_mul (p, rp, ap, rp, scratch); } static int ecc_curve25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp) { /* First, reduce to < 2p. */ #if PHIGH_BITS > 0 mp_limb_t hi = xp[ECC_LIMB_SIZE-1]; xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + sec_add_1 (xp, xp, ECC_LIMB_SIZE - 1, 19 * (hi >> (GMP_NUMB_BITS - PHIGH_BITS))); #endif return ecc_mod_zero_p (p, xp); } /* Compute x such that x^2 = u/v (mod p). Returns one on success, zero on failure. We use the e = 2 special case of the Shanks-Tonelli algorithm (see http://www.math.vt.edu/people/brown/doc/sqrts.pdf, or Henri Cohen, Computational Algebraic Number Theory, 1.5.1). To avoid a separate inversion, we also use a trick of djb's, to compute the candidate root as x = (u/v)^{(p+3)/8} = u v^3 (u v^7)^{(p-5)/8}. */ #if ECC_SQRT_E != 2 #error Broken curve25519 parameters #endif /* Needs 2*n space + scratch for ecc_mod_pow_252m3. */ #define ECC_25519_SQRT_RATIO_ITCH (6*ECC_LIMB_SIZE) static int ecc_curve25519_sqrt_ratio(const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch) { int pos, neg; #define uv3 scratch #define uv7 (scratch + ECC_LIMB_SIZE) #define v2 uv7 #define uv uv3 #define v4 uv7 #define scratch_out (scratch + 2 * ECC_LIMB_SIZE) #define x2 scratch #define vx2 (scratch + ECC_LIMB_SIZE) #define t0 (scratch + 2*ECC_LIMB_SIZE) /* Live values */ ecc_mod_sqr (p, v2, vp, scratch_out); /* v2 */ ecc_mod_mul (p, uv, up, vp, scratch_out); /* uv, v2 */ ecc_mod_mul (p, uv3, uv, v2, scratch_out); /* uv3, v2 */ ecc_mod_sqr (p, v4, v2, scratch_out); /* uv3, v4 */ ecc_mod_mul (p, uv7, uv3, v4, scratch_out); /* uv7 */ ecc_mod_pow_252m3 (p, rp, uv7, scratch_out); /* uv3, uv7p */ ecc_mod_mul (p, rp, rp, uv3, scratch_out); /* none */ /* Check sign. If square root exists, have v x^2 = ±u */ ecc_mod_sqr (p, x2, rp, t0); ecc_mod_mul (p, vx2, x2, vp, t0); ecc_mod_add (p, t0, vx2, up); neg = ecc_curve25519_zero_p (p, t0); ecc_mod_sub (p, t0, up, vx2); pos = ecc_curve25519_zero_p (p, t0); ecc_mod_mul (p, t0, rp, ecc_sqrt_z, t0); cnd_copy (neg, rp, t0, ECC_LIMB_SIZE); return pos | neg; #undef uv3 #undef uv7 #undef v2 #undef uv #undef v4 #undef scratch_out #undef x2 #undef vx2 #undef t0 } const struct ecc_curve _nettle_curve25519 = { { 255, ECC_LIMB_SIZE, ECC_BMODP_SIZE, 0, ECC_25519_INV_ITCH, 0, ECC_25519_SQRT_RATIO_ITCH, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, NULL, ecc_pp1h, ecc_curve25519_modp, ecc_curve25519_modp, ecc_curve25519_inv, NULL, ecc_curve25519_sqrt_ratio, }, { 253, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */ ecc_Bm2q, NULL, ecc_qp1h, ecc_curve25519_modq, ecc_curve25519_modq, ecc_mod_inv, NULL, NULL, }, 0, /* No redc */ ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_TH_ITCH (ECC_LIMB_SIZE), ECC_ADD_THH_ITCH (ECC_LIMB_SIZE), ECC_DUP_TH_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH), ecc_add_th, ecc_add_thh, ecc_dup_th, ecc_mul_a_eh, ecc_mul_g_eh, ecc_eh_to_a, ecc_b, /* Edwards curve constant. */ ecc_unit, ecc_table }; nettle-4.0/ecc-curve448.c0000644000000000000000000001640715141166424012072 0ustar00/* ecc-curve448.c Arithmetic and tables for curve448, Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-curve448.h" #if HAVE_NATIVE_ecc_curve448_modp #define ecc_curve448_modp _nettle_ecc_curve448_modp void ecc_curve448_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #elif GMP_NUMB_BITS == 64 static void ecc_curve448_modp(const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { /* Let B = 2^64, b = 2^32 = sqrt(B). p = B^7 - b B^3 - 1 ==> B^7 = b B^3 + 1 We use this to reduce {r_{13}, ..., r_0} = {r_6,...,r_0} + {r_{10},...,r_7} + 2 {r_{13},r_{12}, r_{11}} B^4 + b {r_{10},...,r_7,r_{13},r_{12},r_{11} (mod p) or +----+----+----+----+----+----+----+ |r_6 |r_5 |r_4 |r_3 |r_2 |r_1 |r_0 | +----+----+----+----+----+----+----+ |r_10|r_9 |r_8 |r_7 | +----+----+----+----+----+----+----+ 2 * |r_13|r_12|r_11| +----+----+----+----+----+----+----+ + b * |r_10|r_9 |r_8 |r_7 |r_13|r_12|r_11| -------+----+----+----+----+----+----+----+ c_7 |r_6 |r_5 |r_4 |r_3 |r_2 |r_1 |r_0 | +----+----+----+----+----+----+----+ */ mp_limb_t c3, c4, c7; mp_limb_t *tp = xp + 7; c4 = mpn_add_n (xp, xp, xp + 7, 4); c7 = mpn_addmul_1 (xp + 4, xp + 11, 3, 2); c3 = mpn_addmul_1 (xp, xp + 11, 3, (mp_limb_t) 1 << 32); c7 += mpn_addmul_1 (xp + 3, xp + 7, 4, (mp_limb_t) 1 << 32); tp[0] = c7; tp[1] = tp[2] = 0; tp[3] = c3 + (c7 << 32); tp[4] = c4 + (c7 >> 32) + (tp[3] < c3); tp[5] = tp[6] = 0; c7 = mpn_add_n (rp, xp, tp, 7); c7 = mpn_cnd_add_n (c7, rp, rp, m->B, 7); assert_maybe (c7 == 0); } #else #define ecc_curve448_modp ecc_mod #endif /* Computes a^{(p-3)/4} = a^{2^446-2^222-1} mod m. Needs 4 * n scratch space. */ static void ecc_mod_pow_446m224m1 (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { /* Note overlap: operations writing to t0 clobber t1. */ #define t0 scratch #define t1 (scratch + ECC_LIMB_SIZE) #define tp (scratch + 2*ECC_LIMB_SIZE) /* Set t0 = a^7 */ ecc_mod_sqr (p, t0, ap, tp); /* a^2 */ ecc_mod_mul (p, t0, ap, t0, tp); /* a^3 */ ecc_mod_sqr (p, t0, t0, tp); /* a^6 */ ecc_mod_mul (p, t0, ap, t0, tp); /* a^{2^3-1} */ /* Set t0 = a^{2^18-1} */ ecc_mod_pow_2kp1 (p, rp, t0, 3, tp); /* a^{2^6-1} */ ecc_mod_pow_2k (p, rp, rp, 3, tp); /* a^{2^9-2^3} */ ecc_mod_mul (p, rp, rp, t0, tp); /* a^{2^9-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 9, tp); /* a^{2^18-1} */ /* Set t0 = a^{2^37-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^19-2} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^19-1} */ ecc_mod_pow_2k (p, t1, rp, 18, tp); /* a^{2^37-2^18} */ ecc_mod_mul (p, t0, t0, t1, tp); /* a^{2^37-1} */ /* Set t0 = a^{2^222-1} */ ecc_mod_pow_2kp1 (p, rp, t0, 37, tp); /* a^{2^74-1} */ ecc_mod_pow_2k (p, t1, rp, 37, tp); /* a^{2^111-2^37} */ ecc_mod_mul (p, t1, t1, t0, tp); /* a^{2^111-1} */ ecc_mod_pow_2kp1 (p, t0, t1, 111, tp);/* a^{2^222-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^223-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^223-1} */ ecc_mod_pow_2k (p, t1, rp, 223, tp); /* a^{2^446-2^223} */ ecc_mod_mul (p, rp, t1, t0, tp); /* a^{2^446-2^222-1} */ #undef t0 #undef t1 #undef tp } #define ECC_CURVE448_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_curve448_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp) { ecc_mod_pow_446m224m1 (p, rp, ap, tp);/* a^{2^446-2^222-1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^447-2^223-2} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^448-2^224-4} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^448-2^224-3} */ } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 448 #error Unsupported limb size #endif /* Compute x such that x^2 = u/v (mod p). Returns one on success, zero on failure. To avoid a separate inversion, we use a trick of djb's, to compute the candidate root as x = (u/v)^{(p+1)/4} = u^3 v (u^5 v^3)^{(p-3)/4}. */ /* Needs 2*n space + scratch for ecc_mod_pow_446m224m1. */ #define ECC_CURVE448_SQRT_RATIO_ITCH (6*ECC_LIMB_SIZE) static int ecc_curve448_sqrt_ratio(const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch) { #define uv scratch #define u3v (scratch + ECC_LIMB_SIZE) #define u5v3 uv #define t0 scratch #define scratch_out (scratch + 2*ECC_LIMB_SIZE) /* Live values */ ecc_mod_mul (p, uv, up, vp, scratch_out); /* uv */ ecc_mod_sqr (p, u3v, up, scratch_out); /* uv, u3v */ ecc_mod_mul (p, u3v, u3v, uv, scratch_out); /* uv, u3v */ ecc_mod_sqr (p, u5v3, uv, scratch_out); /* u5v3, u3v */ ecc_mod_mul (p, u5v3, u5v3, u3v, scratch_out);/* u5v3, u3v */ ecc_mod_pow_446m224m1 (p, rp, u5v3, scratch_out); /* u3v */ ecc_mod_mul (p, rp, rp, u3v, scratch_out); /* If square root exists, have v x^2 = u */ ecc_mod_sqr (p, t0, rp, scratch_out); /* x^2 */ ecc_mod_mul (p, t0, t0, vp, scratch_out); /* v x^2 */ ecc_mod_sub (p, t0, t0, up); return ecc_mod_zero_p (p, t0); #undef uv #undef u3v #undef u5v3 #undef t0 #undef scratch_out } const struct ecc_curve _nettle_curve448 = { { 448, ECC_LIMB_SIZE, ECC_BMODP_SIZE, 0, ECC_CURVE448_INV_ITCH, 0, ECC_CURVE448_SQRT_RATIO_ITCH, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, NULL, ecc_pp1h, ecc_curve448_modp, ecc_curve448_modp, ecc_curve448_inv, NULL, ecc_curve448_sqrt_ratio, }, { 446, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, 0, /* No redc */ ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_EH_ITCH (ECC_LIMB_SIZE), ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE), ECC_DUP_EH_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_CURVE448_INV_ITCH), ecc_add_eh, ecc_add_ehh, ecc_dup_eh, ecc_mul_a_eh, ecc_mul_g_eh, ecc_eh_to_a, ecc_b, ecc_unit, ecc_table }; nettle-4.0/ecc-dup-eh.c0000644000000000000000000000507615141166424011670 0ustar00/* ecc-dup-eh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Double a point on an Edwards curve, in homogeneous coordinates */ void ecc_dup_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 r #define y2 (r + ecc->p.size) #define z2 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): Computation Operation Live variables b = (x+y)^2 sqr b c = x^2 sqr b, c d = y^2 sqr b, c, d e = c+d b, c, d, e h = z^2 sqr b, c, d, e, h j = e-2*h b, c, d, e, j x' = (b-e)*j mul c, d, e, j y' = e*(c-d) mul e, j z' = e*j mul */ #define C scratch #define D (scratch + 1*ecc->p.size) #define B (scratch + 2*ecc->p.size) #define E C ecc_mod_sqr (&ecc->p, C, x1, C); /* C */ ecc_mod_sqr (&ecc->p, D, y1, D); /* C, D */ ecc_mod_add (&ecc->p, B, x1, y1); ecc_mod_sqr (&ecc->p, B, B, x2); /* C, D, B */ /* c-d stored at y' */ ecc_mod_sub (&ecc->p, y2, C, D); ecc_mod_add (&ecc->p, E, C, D); /* B, E */ /* b-e stored at x' */ ecc_mod_sub (&ecc->p, x2, B, E); /* E */ /* Use D as scratch for the following multiplies. */ ecc_mod_mul (&ecc->p, y2, y2, E, D); /* h and j stored at z' */ ecc_mod_sqr (&ecc->p, z2, z1, D); ecc_mod_add (&ecc->p, z2, z2, z2); ecc_mod_sub (&ecc->p, z2, E, z2); ecc_mod_mul (&ecc->p, x2, x2, z2, D); ecc_mod_mul (&ecc->p, z2, z2, E, D); } nettle-4.0/ecc-dup-jj.c0000644000000000000000000000646615141166424011703 0ustar00/* ecc-dup-jj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* NOTE: Behaviour for corner cases: + p = 0 ==> r = 0, correct! */ void ecc_dup_jj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 r #define y2 (r + ecc->p.size) #define z2 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): Computation Operation Live variables delta = z^2 sqr delta gamma = y^2 sqr delta, gamma z' = (y+z)^2-gamma-delta sqr delta, gamma alpha = 3*(x-delta)*(x+delta) mul gamma, beta, alpha beta = x*gamma mul gamma, beta, alpha x' = alpha^2-8*beta sqr gamma, beta, alpha y' = alpha*(4*beta-x')-8*gamma^2 mul, sqr */ #define gamma scratch #define delta (scratch + ecc->p.size) #define alpha delta #define beta (scratch + 2*ecc->p.size) #define sum (scratch + 3*ecc->p.size) ecc_mod_sqr (&ecc->p, gamma, y1, gamma); /* x, y, z, gamma */ ecc_mod_sqr (&ecc->p, delta, z1, delta); /* x, y, z, gamma, delta */ ecc_mod_add (&ecc->p, sum, z1, y1); /* x, gamma, delta, s */ ecc_mod_sqr (&ecc->p, sum, sum, y2); /* Can use y-z as scratch */ ecc_mod_sub (&ecc->p, z2, sum, delta); /* x, z, gamma, delta */ ecc_mod_sub (&ecc->p, z2, z2, gamma); ecc_mod_mul (&ecc->p, beta, x1, gamma, beta); /* x, z, gamma, delta, beta */ ecc_mod_add (&ecc->p, sum, x1, delta); /* x, sum, z', gamma, delta, beta */ ecc_mod_sub (&ecc->p, delta, x1, delta); /* sum, z', gamma, delta, beta */ /* This multiplication peaks the storage need; can use x-y for scratch. */ ecc_mod_mul (&ecc->p, alpha, sum, delta, x2); /* z', gamma, alpha, beta */ ecc_mod_mul_1 (&ecc->p, alpha, alpha, 3); ecc_mod_mul_1 (&ecc->p, y2, beta, 4); /* From now on, can use beta as scratch. */ ecc_mod_sqr (&ecc->p, x2, alpha, beta); /* alpha^2 */ ecc_mod_submul_1 (&ecc->p, x2, y2, 2); /* alpha^2 - 8 beta */ ecc_mod_sub (&ecc->p, y2, y2, x2); /* 4 beta - x' */ ecc_mod_mul (&ecc->p, y2, y2, alpha, beta); ecc_mod_sqr (&ecc->p, gamma, gamma, beta); ecc_mod_submul_1 (&ecc->p, y2, gamma, 8); } nettle-4.0/ecc-dup-th.c0000644000000000000000000000565315141166424011710 0ustar00/* ecc-dup-th.c Copyright (C) 2014, 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Double a point on a twisted Edwards curve, in homogeneous coordinates */ void ecc_dup_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 r #define y2 (r + ecc->p.size) #define z2 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#doubling-dbl-2008-bbjlp): B = (X1+Y1)^2 C = X1^2 D = Y1^2 (E = a*C = -C) F = E+D H = Z1^2 J = F-2*H X3 = (B-C-D)*J Y3 = F*(E-D) Z3 = F*J (-C+D)*(-C+D - 2Z1^2) In the formula for Y3, we have E - D = -(C+D). To avoid explicit negation, negate all of X3, Y3, Z3, and use Computation Operation Live variables B = (X1+Y1)^2 sqr B C = X1^2 sqr B, C D = Y1^2 sqr B, C, D F = -C+D B, C, D, F H = Z1^2 sqr B, C, D, F, H J = 2*H - F B, C, D, F, J X3 = (B-C-D)*J mul C, F, J (Replace C <-- C+D) Y3 = F*(C+D) mul F, J Z3 = F*J mul 3M+4S */ #define C scratch #define D (scratch + 1*ecc->p.size) #define B (scratch + 2*ecc->p.size) #define F C ecc_mod_sqr (&ecc->p, C, x1, C); /* C */ ecc_mod_sqr (&ecc->p, D, y1, D); /* C, D */ ecc_mod_add (&ecc->p, B, x1, y1); ecc_mod_sqr (&ecc->p, B, B, x2); /* C, D, B */ /* C+D stored at y' */ ecc_mod_add (&ecc->p, y2, C, D); /* B - C - C stored at x' */ ecc_mod_sub (&ecc->p, x2, B, y2); ecc_mod_sub (&ecc->p, F, D, C); /* F */ /* Use D as scratch for the following multiplies. */ ecc_mod_mul (&ecc->p, y2, y2, F, D); /* H and J stored at z' */ ecc_mod_sqr (&ecc->p, z2, z1, D); ecc_mod_add (&ecc->p, z2, z2, z2); ecc_mod_sub (&ecc->p, z2, z2, F); ecc_mod_mul (&ecc->p, x2, x2, z2, D); ecc_mod_mul (&ecc->p, z2, z2, F, D); } nettle-4.0/ecc-ecdsa-sign.c0000644000000000000000000000532015141166424012513 0ustar00/* ecc-ecdsa-sign.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "dsa-internal.h" /* Low-level ECDSA signing */ mp_size_t ecc_ecdsa_sign_itch (const struct ecc_curve *ecc) { /* Needs 3*ecc->p.size + scratch for ecc_mul_g. */ assert (ecc->p.size + ecc->p.invert_itch <= 3*ecc->p.size + ECC_MUL_G_ITCH (ecc->p.size)); return ECC_ECDSA_SIGN_ITCH (ecc->p.size); } /* NOTE: Caller should check if r or s is zero. */ void ecc_ecdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch) { #define P scratch #define kinv scratch #define hp (scratch + ecc->p.size) /* NOTE: ecc->p.size + 1 limbs! */ #define tp (scratch + 2*ecc->p.size) /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. 1. k <-- uniformly random, 0 < k < q 2. R <-- (r_x, r_y) = k g 3. s1 <-- r_x mod q 4. s2 <-- (h + z*s1)/k mod q. */ ecc_mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); /* Invert k, uses up to 7 * ecc->p.size including scratch (for secp384). */ ecc->q.invert (&ecc->q, kinv, kp, tp); /* Process hash digest */ _nettle_dsa_hash (hp, ecc->q.bit_size, length, digest); ecc_mod_mul (&ecc->q, tp, zp, rp, tp); ecc_mod_add (&ecc->q, hp, hp, tp); ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); #undef P #undef hp #undef kinv #undef tp } nettle-4.0/ecc-ecdsa-verify.c0000644000000000000000000000717515141166424013071 0ustar00/* ecc-ecdsa-verify.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "dsa-internal.h" /* Low-level ECDSA verify */ static int ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) { return !mpn_zero_p (xp, ecc->p.size) && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; } mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc_mul_a call. */ return 5*ecc->p.size + ECC_MUL_A_ITCH (ecc->p.size); } /* FIXME: Use faster primitives, not requiring side-channel silence. */ int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch) { /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. 1. Check 0 < r, s < q. 2. s' <-- s^{-1} (mod q) 3. u1 <-- h * s' (mod q) 4. u2 <-- r * s' (mod q) 5. R = u1 G + u2 Y 6. Signature is valid if R_x = r (mod q). */ #define P2 scratch #define u1 (scratch + 3*ecc->p.size) #define u2 (scratch + 4*ecc->p.size) #define P1 (scratch + 4*ecc->p.size) #define sinv (scratch) #define hp (scratch + ecc->p.size) if (! (ecdsa_in_range (ecc, rp) && ecdsa_in_range (ecc, sp))) return 0; /* FIXME: Micro optimizations: Either simultaneous multiplication. Or convert to projective coordinates (can be done without division, I think), and write an ecc_add_ppp. */ /* Compute sinv */ ecc->q.invert (&ecc->q, sinv, sp, sinv + ecc->p.size); /* u1 = h / s, P1 = u1 * G */ _nettle_dsa_hash (hp, ecc->q.bit_size, length, digest); ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); /* u2 = r / s, P2 = u2 * Y */ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); /* Total storage: 5*ecc->p.size + ECC_MUL_A_ITCH */ ecc_mul_a (ecc, P2, u2, pp, u2 + ecc->p.size); /* u = 0 can happen only if h = 0 or h = q, which is extremely unlikely. */ if (!mpn_zero_p (u1, ecc->p.size)) { /* Total storage: 7*ecc->p.size + ECC_MUL_G_ITCH */ ecc_mul_g (ecc, P1, u1, P1 + 3*ecc->p.size); /* Total storage: 6*ecc->p.size + ECC_ADD_JJJ_ITCH */ if (!ecc_nonsec_add_jjj (ecc, P2, P2, P1, P1 + 3*ecc->p.size)) /* Infinity point, not a valid signature. */ return 0; } /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, P1, P2, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P1, ecc->p.size) == 0); #undef P2 #undef P1 #undef sinv #undef u2 #undef hp #undef u1 } nettle-4.0/ecc-eh-to-a.c0000644000000000000000000000325615141166424011736 0ustar00/* ecc-eh-to-a.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" /* Convert from homogeneous coordinates on the Edwards curve to affine coordinates. */ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch #define tp (scratch + ecc->p.size) #define xp p #define yp (p + ecc->p.size) #define zp (p + 2*ecc->p.size) assert(op == 0); /* Needs size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp); ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); } nettle-4.0/ecc-gost-gc256b.c0000644000000000000000000000526515141166424012450 0ustar00/* ecc-gost-gc256b.c Copyright (C) 2016-2020 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-gost-gc256b.h" static void ecc_gost_gc256b_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { mp_size_t mn = m->size; mp_limb_t hi; hi = mpn_addmul_1(xp, xp + mn, mn, 0x269); hi = sec_add_1 (xp, xp, mn, hi * 0x269); hi = sec_add_1 (rp, xp, mn, hi * 0x269); assert(hi == 0); } #define ecc_gost_gc256b_modp ecc_gost_gc256b_modp #define ecc_gost_gc256b_modq ecc_mod const struct ecc_curve _nettle_gost_gc256b = { { 256, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_gost_gc256b_modp, ecc_gost_gc256b_modp, ecc_mod_inv, NULL, NULL, }, { 256, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_gost_gc256b_modq, ecc_gost_gc256b_modq, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE, ECC_MOD_INV_ITCH(ECC_LIMB_SIZE)), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_gost_gc256b(void) { return &_nettle_gost_gc256b; } nettle-4.0/ecc-gost-gc512a.c0000644000000000000000000000526515141166424012442 0ustar00/* ecc-gost-gc512a.c Copyright (C) 2016-2020 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-gost-gc512a.h" static void ecc_gost_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { mp_size_t mn = m->size; mp_limb_t hi; hi = mpn_addmul_1(xp, xp + mn, mn, 0x239); hi = sec_add_1 (xp, xp, mn, hi * 0x239); hi = sec_add_1 (rp, xp, mn, hi * 0x239); assert(hi == 0); } #define ecc_gost_gc512a_modp ecc_gost_gc512a_modp #define ecc_gost_gc512a_modq ecc_mod const struct ecc_curve _nettle_gost_gc512a = { { 512, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_gost_gc512a_modp, ecc_gost_gc512a_modp, ecc_mod_inv, NULL, NULL, }, { 512, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_gost_gc512a_modq, ecc_gost_gc512a_modq, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE, ECC_MOD_INV_ITCH(ECC_LIMB_SIZE)), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_gost_gc512a(void) { return &_nettle_gost_gc512a; } nettle-4.0/ecc-gostdsa-sign.c0000644000000000000000000000522615141166424013105 0ustar00/* ecc-gostdsa-sign.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "dsa-internal.h" #include "ecc-internal.h" /* Low-level GOST DSA signing */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc) { /* Needs 3*ecc->p.size + scratch for ecc_mul_g. */ return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size); } /* NOTE: Caller should check if r or s is zero. */ void ecc_gostdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch) { #define P scratch #define hp (scratch + 4*ecc->p.size) #define tp (scratch + 2*ecc->p.size) #define t2p scratch /* Procedure, according to GOST 34.10. q denotes the group order. 1. k <-- uniformly random, 0 < k < q 2. C <-- (c_x, c_y) = k g 3. r <-- c_x mod q 4. s <-- (r*z + k*h) mod q. */ ecc_mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); /* Process hash digest */ _nettle_gostdsa_hash (hp, ecc->q.bit_size, length, digest); if (mpn_zero_p (hp, ecc->p.size)) mpn_add_1 (hp, hp, ecc->p.size, 1); ecc_mod_mul (&ecc->q, tp, rp, zp, tp); ecc_mod_mul (&ecc->q, t2p, kp, hp, t2p); ecc_mod_add (&ecc->q, sp, tp, t2p); /* Also reduce mod ecc->q. It should already be < 2*ecc->q, * so one subtraction should suffice. */ *scratch = mpn_sub_n (tp, sp, ecc->q.m, ecc->p.size); cnd_copy (is_zero_limb (*scratch), sp, tp, ecc->p.size); #undef P #undef hp #undef tp #undef t2p } nettle-4.0/ecc-gostdsa-verify.c0000644000000000000000000000653415141166424013454 0ustar00/* ecc-gostdsa-verify.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "dsa-internal.h" #include "ecc-internal.h" /* Low-level GOST DSA verify */ static int ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) { return !mpn_zero_p (xp, ecc->p.size) && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; } mp_size_t ecc_gostdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc_mul_a call. */ return 5*ecc->p.size + ECC_MUL_A_ITCH (ecc->p.size); } /* FIXME: Use faster primitives, not requiring side-channel silence. */ int ecc_gostdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch) { /* Procedure, according to GOST R 34.10. q denotes the group order. 1. Check 0 < r, s < q. 2. v <-- h^{-1} (mod q) 3. z1 <-- s * v (mod q) 4. z2 <-- -r * v (mod q) 5. R = u1 G + u2 Y 6. Signature is valid if R_x = r (mod q). */ #define hp (scratch) #define vp (scratch + ecc->p.size) #define z1 (scratch + 3*ecc->p.size) #define z2 (scratch + 4*ecc->p.size) #define P1 (scratch + 4*ecc->p.size) #define P2 (scratch) if (! (ecdsa_in_range (ecc, rp) && ecdsa_in_range (ecc, sp))) return 0; _nettle_gostdsa_hash (hp, ecc->q.bit_size, length, digest); if (mpn_zero_p (hp, ecc->p.size)) mpn_add_1 (hp, hp, ecc->p.size, 1); /* Compute v */ ecc->q.invert (&ecc->q, vp, hp, vp + ecc->p.size); /* z1 = s / h, P1 = z1 * G */ ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1); /* z2 = - r / h, P2 = z2 * Y */ mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size); ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2); /* Total storage: 5*ecc->p.size + ECC_MUL_A_ITCH */ ecc_mul_a (ecc, P2, z2, pp, z2 + ecc->p.size); /* Total storage: 7*ecc->p.size + ECC_MUL_G_ITCH */ ecc_mul_g (ecc, P1, z1, P1 + 3*ecc->p.size); /* Total storage: 6*ecc->p.size + ECC_ADD_JJJ_ITCH */ if (!ecc_nonsec_add_jjj (ecc, P1, P1, P2, P1 + 3*ecc->p.size)) return 0; /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P2, ecc->p.size) == 0); #undef P2 #undef P1 #undef z2 #undef z1 #undef hp #undef vp } nettle-4.0/ecc-internal.h0000644000000000000000000004051215141166424012321 0ustar00/* ecc-internal.h Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_INTERNAL_H_INCLUDED #define NETTLE_ECC_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #include "ecc-curve.h" #include "gmp-glue.h" /* Name mangling */ #define ecc_pp1_redc _nettle_ecc_pp1_redc #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_zero_p _nettle_ecc_mod_zero_p #define ecc_mod_equal_p _nettle_ecc_mod_equal_p #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub #define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 #define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical #define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical #define ecc_mod_pow_2k _nettle_ecc_mod_pow_2k #define ecc_mod_pow_2k_mul _nettle_ecc_mod_pow_2k_mul #define ecc_mod_random _nettle_ecc_mod_random #define ecc_mod _nettle_ecc_mod #define ecc_mod_inv _nettle_ecc_mod_inv #define ecc_a_to_j _nettle_ecc_a_to_j #define ecc_j_to_a _nettle_ecc_j_to_a #define ecc_eh_to_a _nettle_ecc_eh_to_a #define ecc_dup_jj _nettle_ecc_dup_jj #define ecc_add_jja _nettle_ecc_add_jja #define ecc_add_jjj _nettle_ecc_add_jjj #define ecc_nonsec_add_jjj _nettle_ecc_nonsec_add_jjj #define ecc_dup_eh _nettle_ecc_dup_eh #define ecc_add_eh _nettle_ecc_add_eh #define ecc_add_ehh _nettle_ecc_add_ehh #define ecc_dup_th _nettle_ecc_dup_th #define ecc_add_th _nettle_ecc_add_th #define ecc_add_thh _nettle_ecc_add_thh #define ecc_mul_g _nettle_ecc_mul_g #define ecc_mul_a _nettle_ecc_mul_a #define ecc_mul_g_eh _nettle_ecc_mul_g_eh #define ecc_mul_a_eh _nettle_ecc_mul_a_eh #define ecc_mul_m _nettle_ecc_mul_m #define cnd_copy _nettle_cnd_copy #define sec_add_1 _nettle_sec_add_1 #define sec_sub_1 _nettle_sec_sub_1 #define sec_modinv _nettle_sec_modinv #define curve25519_eh_to_x _nettle_curve25519_eh_to_x #define curve448_eh_to_x _nettle_curve448_eh_to_x /* For asserts that are incompatible with sc tests. Currently used only by ECC code. */ #if WITH_EXTRA_ASSERTS # define assert_maybe(x) assert(x) #else # define assert_maybe(x) ((void)(x)) #endif extern const struct ecc_curve _nettle_secp_192r1; extern const struct ecc_curve _nettle_secp_224r1; extern const struct ecc_curve _nettle_secp_256r1; extern const struct ecc_curve _nettle_secp_384r1; extern const struct ecc_curve _nettle_secp_521r1; /* Keep this structure internal for now. It's misnamed (since it's really implementing the equivalent twisted Edwards curve, with different coordinates). And we're not quite ready to provide general ecc operations over an arbitrary type of curve. */ extern const struct ecc_curve _nettle_curve25519; extern const struct ecc_curve _nettle_curve448; /* GOST curves, visible with underscore prefix for now */ extern const struct ecc_curve _nettle_gost_gc256b; extern const struct ecc_curve _nettle_gost_gc512a; #define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) /* Window size for ecc_mul_a. Using 4 bits seems like a good choice, for both Intel x86_64 and ARM Cortex A9. For the larger curves, of 384 and 521 bits, we could improve speed by a few percent if we go up to 5 bits, but I don't think that's worth doubling the storage. */ #define ECC_MUL_A_WBITS 4 /* And for ecc_mul_a_eh */ #define ECC_MUL_A_EH_WBITS 4 struct ecc_modulo; /* Reduces from 2*ecc->size to ecc->size. */ /* Required to return a result < 2q. This property is inherited by mod_mul and mod_sqr. May clobber input xp. rp may point to the start or the middle of the xp area, but no other overlap is allowed. */ typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); typedef void ecc_mod_inv_func (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *ap, mp_limb_t *scratch); /* Computes the square root of ap mod p. No overlap between input and output. */ typedef int ecc_mod_sqrt_func (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *ap, mp_limb_t *scratch); /* Computes the square root of (u/v) (mod p). */ typedef int ecc_mod_sqrt_ratio_func (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch); /* Allows in-place operation with r == p, but not r == q */ typedef void ecc_add_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); typedef void ecc_dup_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); typedef void ecc_mul_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, int flags, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); struct ecc_modulo { unsigned short bit_size; unsigned short size; unsigned short B_size; unsigned short redc_size; unsigned short invert_itch; unsigned short sqrt_itch; unsigned short sqrt_ratio_itch; const mp_limb_t *m; /* B^size mod m. Expected to have at least 32 leading zeros (equality for secp_256r1). */ const mp_limb_t *B; /* 2^{bit_size} - m. When different from B above, for numbers of interest, usually B has trailing zeros and this is B shifted right. */ const mp_limb_t *B_shifted; /* For ecc_mod_sub: B^size - 2m, if that doesn't underflow. Otherwise, same as B */ const mp_limb_t *Bm2m; /* m +/- 1, for redc, excluding redc_size low limbs. */ const mp_limb_t *redc_mpm1; /* (m+1)/2 */ const mp_limb_t *mp1h; ecc_mod_func *mod; ecc_mod_func *reduce; /* For moduli where we use redc, the invert and sqrt functions work with inputs and outputs in redc form. */ ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; ecc_mod_sqrt_ratio_func *sqrt_ratio; }; /* Represents an elliptic curve of the form y^2 = x^3 - 3x + b (mod p) */ struct ecc_curve { /* The prime p. */ struct ecc_modulo p; /* Group order. Currently, many functions rely on q.size == p.size. */ struct ecc_modulo q; unsigned short use_redc; unsigned short pippenger_k; unsigned short pippenger_c; unsigned short add_hh_itch; unsigned short add_hhh_itch; unsigned short dup_itch; unsigned short mul_itch; unsigned short mul_g_itch; unsigned short h_to_a_itch; ecc_add_func *add_hh; ecc_add_func *add_hhh; ecc_dup_func *dup; ecc_mul_func *mul; ecc_mul_g_func *mul_g; ecc_h_to_a_func *h_to_a; /* Curve constant */ const mp_limb_t *b; /* For redc, same as B mod p, otherwise 1. */ const mp_limb_t *unit; /* Tables for multiplying by the generator, size determined by k and c. The first 2^c entries are defined by T[ j_0 + j_1 2 + ... + j_{c-1} 2^{c-1} ] = j_0 g + j_1 2^k g + ... + j_{c-1} 2^{k(c-1)} g The following entries differ by powers of 2^{kc}, T[i] = 2^{kc} T[i-2^c] */ const mp_limb_t *pippenger_table; }; ecc_mod_func ecc_mod; ecc_mod_func ecc_pp1_redc; ecc_mod_func ecc_pm1_redc; ecc_mod_inv_func ecc_mod_inv; /* Side channel silent. Requires that x < 2m, so checks if x == 0 or x == p */ int ecc_mod_zero_p (const struct ecc_modulo *m, const mp_limb_t *xp); /* Requires that a < 2m, and ref < m, needs m->size limbs of scratch space. Overlap, a == scratch or ref == scratch, is allowed. */ int ecc_mod_equal_p (const struct ecc_modulo *m, const mp_limb_t *a, const mp_limb_t *ref, mp_limb_t *scratch); void ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); /* If inputs are in the range 0 <= a, b < 2m, then so is the output. */ void ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t b); void ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b); void ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b); /* The mul and sqr function need 2*m->size limbs at tp. rp may overlap ap or bp, and may equal tp or tp + m->size, but no other overlap with tp is allowed. */ void ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp); /* These mul and sqr functions produce a canonical result, 0 <= R < M. Requirements on input and output areas are similar to the above functions, except that it is *not* allowed to pass rp = tp + m->size. */ void ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); void ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp); /* R <-- X^{2^k} mod M. Needs 2*ecc->size limbs of scratch space, same overlap requirements as mul and sqr above. */ void ecc_mod_pow_2k (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, mp_limb_t *tp); /* R <-- X^{2^k} Y mod M. Similar requirements as ecc_mod_pow_2k, but rp and yp can't overlap. */ void ecc_mod_pow_2k_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, const mp_limb_t *yp, mp_limb_t *tp); /* R <-- X^{2^k + 1}. Here, rp and xp must not overlap. */ #define ecc_mod_pow_2kp1(m, rp, xp, k, tp) \ ecc_mod_pow_2k_mul (m, rp, xp, k, xp, tp) /* mod q operations. */ void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, void *ctx, nettle_random_func *random, mp_limb_t *scratch); /* Converts a point P in affine coordinates into a point R in jacobian coordinates. */ void ecc_a_to_j (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p); /* Converts a point P in jacobian coordinates into a point R in affine coordinates. If op == 1, produce x coordinate only. If op == 2, produce the x coordinate only, and also reduce it modulo q. */ void ecc_j_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Converts a point P in homogeneous coordinates on an Edwards curve to affine coordinates. Meaning of op is the same as for ecc_j_to_a. */ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Group operations */ /* Point doubling, with jacobian input and output. Corner cases: Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. */ void ecc_dup_jj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Point addition, with jacobian output, one jacobian input and one affine input. Corner cases: Fails for the cases P = Q != 0 Duplication of non-zero point P = 0, Q != 0 or P != 0, Q = 0 One input zero Correctly gives R = 0 if P = Q = 0 or P = -Q. */ void ecc_add_jja (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Point addition with Jacobian input and output. */ void ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Variant that handles the checks for the special cases P = ±Q. Returns 1 on success, 0 if result is infinite. Not side-channel silent, so must not be used with secret inputs. */ int ecc_nonsec_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Point doubling on a twisted Edwards curve, with homogeneous cooordinates. */ void ecc_dup_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); void ecc_add_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); void ecc_add_ehh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); void ecc_dup_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); void ecc_add_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); void ecc_add_thh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Computes N * the group generator. N is an array of ecc_size() limbs. It must be in the range 0 < N < group order, then R != 0, and the algorithm can work without any intermediate values getting to zero. */ void ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); /* Computes N * P. The scalar N is the same as for ecc_mul_g. P is a non-zero point on the curve, in affine coordinates. Output R is a non-zero point, in Jacobian coordinates. */ void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); void ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); void ecc_mul_m (const struct ecc_modulo *m, mp_limb_t a24, unsigned bit_low, unsigned bit_high, mp_limb_t *qx, const uint8_t *n, const mp_limb_t *px, mp_limb_t *scratch); /* The cnd argument must be 1 or 0. */ void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n); mp_limb_t sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b); mp_limb_t sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b); void curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch); void curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch); /* Current scratch needs: */ #define ECC_MOD_INV_ITCH(size) (3*(size)) #define ECC_J_TO_A_ITCH(size, inv) ((size)+(inv)) #define ECC_EH_TO_A_ITCH(size, inv) ((size)+(inv)) #define ECC_DUP_JJ_ITCH(size) (4*(size)) #define ECC_DUP_EH_ITCH(size) (3*(size)) #define ECC_DUP_TH_ITCH(size) (3*(size)) #define ECC_ADD_JJA_ITCH(size) (5*(size)) #define ECC_ADD_JJJ_ITCH(size) (5*(size)) #define ECC_ADD_EH_ITCH(size) (4*(size)) #define ECC_ADD_EHH_ITCH(size) (4*(size)) #define ECC_ADD_TH_ITCH(size) (4*(size)) #define ECC_ADD_THH_ITCH(size) (4*(size)) #define ECC_MUL_G_ITCH(size) (8*(size)) #define ECC_MUL_G_EH_ITCH(size) (7*(size)) #if ECC_MUL_A_WBITS == 0 #define ECC_MUL_A_ITCH(size) (11*(size)) #else #define ECC_MUL_A_ITCH(size) \ (((3 << ECC_MUL_A_WBITS) + 8) * (size)) #endif #if ECC_MUL_A_EH_WBITS == 0 #define ECC_MUL_A_EH_ITCH(size) (10*(size)) #else #define ECC_MUL_A_EH_ITCH(size) \ (((3 << ECC_MUL_A_EH_WBITS) + 7) * (size)) #endif #define ECC_MUL_M_ITCH(size) (8*(size)) #define ECC_ECDSA_SIGN_ITCH(size) (11*(size)) #define ECC_GOSTDSA_SIGN_ITCH(size) (11*(size)) #define ECC_MOD_RANDOM_ITCH(size) (size) #define ECC_HASH_ITCH(size) (1+(size)) #endif /* NETTLE_ECC_INTERNAL_H_INCLUDED */ nettle-4.0/ecc-j-to-a.c0000644000000000000000000000447115141166424011573 0ustar00/* ecc-j-to-a.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_j_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch #define iz2p (scratch + ecc->p.size) #define iz3p (scratch + 2*ecc->p.size) #define tp scratch ecc->p.invert (&ecc->p, izp, p+2*ecc->p.size, izp + ecc->p.size); ecc_mod_sqr (&ecc->p, iz2p, izp, iz2p); if (ecc->use_redc) { /* Divide this common factor by B, instead of applying redc to both x and y outputs. */ mpn_zero (iz2p + ecc->p.size, ecc->p.size); ecc->p.reduce (&ecc->p, iz2p, iz2p); } /* r_x <-- x / z^2 */ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); if (op) { /* Skip y coordinate */ if (op > 1) { mp_limb_t cy; /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ cy = mpn_sub_n (scratch, r, ecc->q.m, ecc->p.size); cnd_copy (1 - cy, r, scratch, ecc->p.size); } return; } ecc_mod_mul (&ecc->p, iz3p, iz2p, izp, iz3p); ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, tp); #undef izp #undef iz2p #undef iz3p #undef tp } nettle-4.0/ecc-mod-arith.c0000644000000000000000000001317415141166424012370 0ustar00/* ecc-mod-arith.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Routines for modp arithmetic. All values are ecc->size limbs, but not necessarily < p. */ int ecc_mod_zero_p (const struct ecc_modulo *m, const mp_limb_t *xp_in) { volatile mp_limb_t is_non_zero, is_not_p; const volatile mp_limb_t *xp; mp_size_t i; for (xp = xp_in, i = 0, is_non_zero = is_not_p = 0; i < m->size; i++) { is_non_zero |= xp[i]; is_not_p |= (xp[i] ^ m->m[i]); } return is_zero_limb (is_non_zero) | is_zero_limb (is_not_p); } int ecc_mod_equal_p (const struct ecc_modulo *m, const mp_limb_t *a, const mp_limb_t *ref, mp_limb_t *scratch) { mp_limb_t cy; cy = mpn_sub_n (scratch, a, ref, m->size); /* If cy > 0, i.e., a < ref, then they can't be equal mod m. */ return (1 - cy) & ecc_mod_zero_p (m, scratch); } void ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp) { mp_limb_t cy; cy = mpn_add_n (rp, ap, bp, m->size); cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size); cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size); assert_maybe (cy == 0); } void ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp) { mp_limb_t cy; cy = mpn_sub_n (rp, ap, bp, m->size); /* The adjustments for this function work differently depending on the value of the most significant bit of m. If m has a most significant bit of zero, then the first adjustment step conditionally adds 2m. If in addition, inputs are in the 0 <= a,b < 2m range, then the first adjustment guarantees that result is in that same range. The second adjustment step is needed only if b > 2m, it then ensures output is correct modulo m, but nothing more. If m has a most significant bit of one, Bm2m and B are the same, and this function works analogously to ecc_mod_add. */ cy = mpn_cnd_sub_n (cy, rp, rp, m->Bm2m, m->size); cy = mpn_cnd_sub_n (cy, rp, rp, m->B, m->size); assert_maybe (cy == 0); } void ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_mul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size); /* Sufficient if b < B^size / p */ assert_maybe (hi == 0); } void ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_addmul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size); /* Sufficient roughly if b < B^size / p */ assert_maybe (hi == 0); } void ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_submul_1 (rp, ap, m->size, b); hi = mpn_submul_1 (rp, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_sub_n (hi, rp, rp, m->B, m->size); /* Sufficient roughly if b < B^size / p */ assert_maybe (hi == 0); } void ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) { mpn_mul_n (tp, ap, bp, m->size); m->reduce (m, rp, tp); } void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp) { mpn_sqr (tp, ap, m->size); m->reduce (m, rp, tp); } void ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) { mp_limb_t cy; mpn_mul_n (tp, ap, bp, m->size); m->reduce (m, tp + m->size, tp); cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); cnd_copy (cy, rp, tp + m->size, m->size); } void ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp) { mp_limb_t cy; mpn_sqr (tp, ap, m->size); m->reduce (m, tp + m->size, tp); cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); cnd_copy (cy, rp, tp + m->size, m->size); } void ecc_mod_pow_2k (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, mp_limb_t *tp) { ecc_mod_sqr (m, rp, xp, tp); while (--k > 0) ecc_mod_sqr (m, rp, rp, tp); } void ecc_mod_pow_2k_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, const mp_limb_t *yp, mp_limb_t *tp) { ecc_mod_pow_2k (m, rp, xp, k, tp); ecc_mod_mul (m, rp, rp, yp, tp); } nettle-4.0/ecc-mod-inv.c0000644000000000000000000000733715141166424012061 0ustar00/* ecc-mod-inv.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" static void cnd_neg (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) { mp_limb_t cy = (cnd != 0); mp_limb_t mask = -cy; mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t r = (ap[i] ^ mask) + cy; cy = r < cy; rp[i] = r; } } /* Compute a^{-1} mod m, with running time depending only on the size. Returns zero if a == 0 (mod m), to be consistent with a^{phi(m)-1}. Also needs (m+1)/2, and m must be odd. Needs 3n limbs of scratch space. */ /* FIXME: Could use mpn_sec_invert (in GMP-6), but with a bit more scratch need since it doesn't precompute (m+1)/2. */ void ecc_mod_inv (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *in_ap, mp_limb_t *scratch) { #define ap scratch #define bp (scratch + n) #define up (scratch + 2*n) mp_size_t n = m->size; mp_bitcnt_t i; /* Maintain a = u * orig_a (mod m) b = v * orig_a (mod m) and b odd at all times. Initially, a = a_orig, u = 1 b = m, v = 0 */ assert (ap != vp); up[0] = 1; mpn_zero (up+1, n - 1); mpn_copyi (bp, m->m, n); mpn_zero (vp, n); mpn_copyi (ap, in_ap, n); for (i = m->bit_size + GMP_NUMB_BITS * n; i-- > 0; ) { mp_limb_t odd, swap, cy; /* Always maintain b odd. The logic of the iteration is as follows. For a, b: odd = a & 1 a -= odd * b if (underflow from a-b) { b += a, assigns old a a = B^n-a } a /= 2 For u, v: if (underflow from a - b) swap u, v u -= odd * v if (underflow from u - v) u += m u /= 2 if (a one bit was shifted out) u += (m+1)/2 As long as a > 0, the quantity (bitsize of a) + (bitsize of b) is reduced by at least one bit per iteration, hence after (bit_size of orig_a) + (bit_size of m) - 1 iterations we surely have a = 0. Then b = gcd(orig_a, m) and if b = 1 then also v = orig_a^{-1} (mod m) */ assert_maybe (bp[0] & 1); odd = ap[0] & 1; swap = mpn_cnd_sub_n (odd, ap, ap, bp, n); mpn_cnd_add_n (swap, bp, bp, ap, n); cnd_neg (swap, ap, ap, n); mpn_cnd_swap (swap, up, vp, n); cy = mpn_cnd_sub_n (odd, up, up, vp, n); cy -= mpn_cnd_add_n (cy, up, up, m->m, n); assert_maybe (cy == 0); cy = mpn_rshift (ap, ap, n, 1); assert_maybe (cy == 0); cy = mpn_rshift (up, up, n, 1); cy = mpn_cnd_add_n (cy, up, up, m->mp1h, n); assert_maybe (cy == 0); } assert_maybe ( (ap[0] | ap[n-1]) == 0); #undef ap #undef bp #undef up } nettle-4.0/ecc-mod.c0000644000000000000000000000624615141166424011265 0ustar00/* ecc-mod.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Computes r <-- x mod m, input 2*m->size, output m->size. It's * allowed to have rp == xp or rp == xp + m->size, but no other kind * of overlap is allowed. */ void ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t hi; mp_size_t mn = m->size; mp_size_t bn = m->B_size; mp_size_t sn = mn - bn; mp_size_t rn = 2*mn; mp_size_t i; unsigned shift; assert (bn < mn); /* FIXME: Could use mpn_addmul_2. */ /* Eliminate sn limbs at a time */ if (m->B[bn-1] < ((mp_limb_t) 1 << (GMP_NUMB_BITS - 1))) { /* Multiply sn + 1 limbs at a time, so we get a mn+1 limb product. Then we can absorb the carry in the high limb */ while (rn > 2 * mn - bn) { rn -= sn; for (i = 0; i <= sn; i++) xp[rn+i-1] = mpn_addmul_1 (xp + rn - mn - 1 + i, m->B, bn, xp[rn+i-1]); xp[rn-1] = xp[rn+sn-1] + mpn_add_n (xp + rn - sn - 1, xp + rn - sn - 1, xp + rn - 1, sn); } } else { while (rn > 2 * mn - bn) { rn -= sn; for (i = 0; i < sn; i++) xp[rn+i] = mpn_addmul_1 (xp + rn - mn + i, m->B, bn, xp[rn+i]); hi = mpn_add_n (xp + rn - sn, xp + rn - sn, xp + rn, sn); hi = mpn_cnd_add_n (hi, xp + rn - mn, xp + rn - mn, m->B, mn); assert_maybe (hi == 0); } } assert (rn > mn); rn -= mn; assert (rn <= sn); for (i = 0; i < rn; i++) xp[mn+i] = mpn_addmul_1 (xp + i, m->B, bn, xp[mn+i]); hi = mpn_add_n (xp + bn, xp + bn, xp + mn, rn); if (rn < sn) hi = sec_add_1 (xp + bn + rn, xp + bn + rn, sn - rn, hi); shift = m->size * GMP_NUMB_BITS - m->bit_size; if (shift > 0) { /* Combine hi with top bits, add in */ hi = (hi << shift) | (xp[mn-1] >> (GMP_NUMB_BITS - shift)); xp[mn-1] = (xp[mn-1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (xp, m->B_shifted, mn-1, hi); /* FIXME: Can this copying be eliminated? */ if (rp != xp) mpn_copyi (rp, xp, mn); } else { hi = mpn_cnd_add_n (hi, rp, xp, m->B, mn); assert_maybe (hi == 0); } } nettle-4.0/ecc-mul-a-eh.c0000644000000000000000000001041715141166424012106 0ustar00/* ecc-mul-a-eh.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_ehh, total 10 ecc->p.size Window algorithm needs (3<p.size for the table, 3*ecc->p.size for a temporary point, and scratch for ecc_add_ehh. */ #if ECC_MUL_A_EH_WBITS == 0 void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define pe scratch #define tp (scratch + 3*ecc->p.size) #define scratch_out (scratch + 6*ecc->p.size) unsigned i; ecc_a_to_j (ecc, pe, p); /* x = 0, y = 1, z = 1 */ mpn_zero (r, 3*ecc->p.size); r[ecc->p.size] = r[2*ecc->p.size] = 1; for (i = ecc->p.size; i-- > 0; ) { mp_limb_t w = np[i] << (GMP_LIMB_BITS - GMP_NUMB_BITS); unsigned j; for (j = 0; j < GMP_NUMB_BITS; j++, w <<= 1) { int bit; ecc->dup (ecc, r, r, scratch_out); ecc->add_hh (ecc, tp, r, pe, scratch_out); bit = w >> (GMP_LIMB_BITS - 1); /* If we had a one-bit, use the sum. */ cnd_copy (bit, r, tp, 3*ecc->p.size); } } } #else /* ECC_MUL_A_EH_WBITS > 1 */ #define TABLE_SIZE (1U << ECC_MUL_A_EH_WBITS) #define TABLE_MASK (TABLE_SIZE - 1) #define TABLE(j) (table + (j) * 3*ecc->p.size) static void table_init (const struct ecc_curve *ecc, mp_limb_t *table, unsigned bits, const mp_limb_t *p, mp_limb_t *scratch) { unsigned size = 1 << bits; unsigned j; mpn_zero (TABLE(0), 3*ecc->p.size); TABLE(0)[ecc->p.size] = TABLE(0)[2*ecc->p.size] = 1; ecc_a_to_j (ecc, TABLE(1), p); for (j = 2; j < size; j += 2) { ecc->dup (ecc, TABLE(j), TABLE(j/2), scratch); ecc->add_hh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define table (scratch + 3*ecc->p.size) mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_EH_WBITS); mp_bitcnt_t blocks = (ecc->p.bit_size + ECC_MUL_A_EH_WBITS - 1) / ECC_MUL_A_EH_WBITS; mp_bitcnt_t bit_index = (blocks-1) * ECC_MUL_A_EH_WBITS; mp_size_t limb_index = bit_index / GMP_NUMB_BITS; unsigned shift = bit_index % GMP_NUMB_BITS; mp_limb_t w, bits; table_init (ecc, table, ECC_MUL_A_EH_WBITS, p, scratch_out); w = np[limb_index]; bits = w >> shift; if (limb_index < ecc->p.size - 1) bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); assert (bits < TABLE_SIZE); mpn_sec_tabselect (r, table, 3*ecc->p.size, TABLE_SIZE, bits); for (;;) { unsigned j; if (shift >= ECC_MUL_A_EH_WBITS) { shift -= ECC_MUL_A_EH_WBITS; bits = w >> shift; } else { if (limb_index == 0) { assert (shift == 0); break; } bits = w << (ECC_MUL_A_EH_WBITS - shift); w = np[--limb_index]; shift = shift + GMP_NUMB_BITS - ECC_MUL_A_EH_WBITS; bits |= w >> shift; } for (j = 0; j < ECC_MUL_A_EH_WBITS; j++) ecc->dup (ecc, r, r, scratch_out); bits &= TABLE_MASK; mpn_sec_tabselect (tp, table, 3*ecc->p.size, TABLE_SIZE, bits); ecc->add_hhh (ecc, r, r, tp, scratch_out); } #undef table #undef tp } #endif /* ECC_MUL_A_EH_WBITS > 1 */ nettle-4.0/ecc-mul-a.c0000644000000000000000000001140215141166424011507 0ustar00/* ecc-mul-a.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_jja. Current total is 12 ecc->p.size, at most 864 bytes. Window algorithm needs (3<p.size for the table, 3*ecc->p.size for a temporary point, and scratch for ecc_add_jjj. */ #if ECC_MUL_A_WBITS == 0 void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define pj (scratch + 3*ecc->p.size) #define scratch_out (scratch + 6*ecc->p.size) int is_zero; unsigned i; ecc_a_to_j (ecc, pj, p); mpn_zero (r, 3*ecc->p.size); for (i = ecc->p.size, is_zero = 1; i-- > 0; ) { mp_limb_t w = np[i] << (GMP_LIMB_BITS - GMP_NUMB_BITS); unsigned j; for (j = 0; j < GMP_NUMB_BITS; j++, w <<= 1) { int bit; ecc_dup_jj (ecc, r, r, scratch_out); ecc_add_jja (ecc, tp, r, pj, scratch_out); bit = w >> (GMP_LIMB_BITS - 1); /* If is_zero is set, r is the zero point, and ecc_add_jja produced garbage. */ cnd_copy (is_zero, tp, pj, 3*ecc->p.size); is_zero &= 1 - bit; /* If we had a one-bit, use the sum. */ cnd_copy (bit, r, tp, 3*ecc->p.size); } } } #else /* ECC_MUL_A_WBITS > 1 */ #define TABLE_SIZE (1U << ECC_MUL_A_WBITS) #define TABLE_MASK (TABLE_SIZE - 1) #define TABLE(j) (table + (j) * 3*ecc->p.size) static void table_init (const struct ecc_curve *ecc, mp_limb_t *table, unsigned bits, const mp_limb_t *p, mp_limb_t *scratch) { unsigned size = 1 << bits; unsigned j; mpn_zero (TABLE(0), 3*ecc->p.size); ecc_a_to_j (ecc, TABLE(1), p); for (j = 2; j < size; j += 2) { ecc_dup_jj (ecc, TABLE(j), TABLE(j/2), scratch); ecc_add_jja (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define table (scratch + 3*ecc->p.size) mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_WBITS); int is_zero = 0; mp_bitcnt_t blocks = (ecc->p.bit_size + ECC_MUL_A_WBITS - 1) / ECC_MUL_A_WBITS; mp_bitcnt_t bit_index = (blocks-1) * ECC_MUL_A_WBITS; mp_size_t limb_index = bit_index / GMP_NUMB_BITS; unsigned shift = bit_index % GMP_NUMB_BITS; mp_limb_t w, bits; table_init (ecc, table, ECC_MUL_A_WBITS, p, scratch_out); w = np[limb_index]; bits = w >> shift; if (limb_index < ecc->p.size - 1) bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); assert (bits < TABLE_SIZE); mpn_sec_tabselect (r, table, 3*ecc->p.size, TABLE_SIZE, bits); is_zero = IS_ZERO_SMALL (bits); for (;;) { int bits_is_zero; unsigned j; if (shift >= ECC_MUL_A_WBITS) { shift -= ECC_MUL_A_WBITS; bits = w >> shift; } else { if (limb_index == 0) { assert (shift == 0); break; } bits = w << (ECC_MUL_A_WBITS - shift); w = np[--limb_index]; shift = shift + GMP_NUMB_BITS - ECC_MUL_A_WBITS; bits |= w >> shift; } for (j = 0; j < ECC_MUL_A_WBITS; j++) ecc_dup_jj (ecc, r, r, scratch_out); bits &= TABLE_MASK; mpn_sec_tabselect (tp, table, 3*ecc->p.size, TABLE_SIZE, bits); cnd_copy (is_zero, r, tp, 3*ecc->p.size); ecc_add_jjj (ecc, tp, tp, r, scratch_out); bits_is_zero = IS_ZERO_SMALL (bits); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero or bits_is_zero. */ cnd_copy (1 - (bits_is_zero | is_zero), r, tp, 3*ecc->p.size); is_zero &= bits_is_zero; } #undef table #undef tp } #endif /* ECC_MUL_A_WBITS > 1 */ nettle-4.0/ecc-mul-g-eh.c0000644000000000000000000000511015141166424012106 0ustar00/* ecc-mul-g-eh.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_eh call. Current total is 7 * ecc->p.size, at most 392 bytes (for curve448). */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) unsigned k, c; unsigned i, j; unsigned bit_rows; k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->p.bit_size + k - 1) / k; /* x = 0, y = 1, z = 1 */ mpn_zero (r, 3*ecc->p.size); r[ecc->p.size] = r[2*ecc->p.size] = 1; for (i = k; i-- > 0; ) { ecc->dup (ecc, r, r, scratch); for (j = 0; j * c < bit_rows; j++) { unsigned bits; mp_bitcnt_t bit_index; /* Extract c bits from n, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { mp_size_t limb_index; unsigned shift; bit_index -= k; limb_index = bit_index / GMP_NUMB_BITS; if (limb_index >= ecc->p.size) continue; shift = bit_index % GMP_NUMB_BITS; bits = (bits << 1) | ((np[limb_index] >> shift) & 1); } mpn_sec_tabselect (tp, (ecc->pippenger_table + (2*ecc->p.size * (mp_size_t) j << c)), 2*ecc->p.size, 1<add_hh (ecc, r, r, tp, scratch_out); } } #undef tp #undef scratch_out } nettle-4.0/ecc-mul-g.c0000644000000000000000000000562215141166424011524 0ustar00/* ecc-mul-g.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_jja call. Current total is 8 * ecc->p.size, at most 576 bytes. */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) unsigned k, c; unsigned i, j; unsigned bit_rows; int is_zero; k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->p.bit_size + k - 1) / k; mpn_zero (r, 3*ecc->p.size); for (i = k, is_zero = 1; i-- > 0; ) { ecc_dup_jj (ecc, r, r, scratch); for (j = 0; j * c < bit_rows; j++) { unsigned bits; mp_bitcnt_t bit_index; int bits_is_zero; /* Extract c bits from n, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { mp_size_t limb_index; unsigned shift; bit_index -= k; limb_index = bit_index / GMP_NUMB_BITS; if (limb_index >= ecc->p.size) continue; shift = bit_index % GMP_NUMB_BITS; bits = (bits << 1) | ((np[limb_index] >> shift) & 1); } mpn_sec_tabselect (tp, (ecc->pippenger_table + (2*ecc->p.size * (mp_size_t) j << c)), 2*ecc->p.size, 1<p.size); cnd_copy (is_zero, r + 2*ecc->p.size, ecc->unit, ecc->p.size); ecc_add_jja (ecc, tp, r, tp, scratch_out); bits_is_zero = IS_ZERO_SMALL (bits); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero or bits_is_zero. */ cnd_copy (1 - (bits_is_zero | is_zero), r, tp, 3*ecc->p.size); is_zero &= bits_is_zero; } } #undef tp #undef scratch_out } nettle-4.0/ecc-mul-m.c0000644000000000000000000001022115141166424011521 0ustar00/* ecc-mul-m.c Point multiplication using Montgomery curve representation. Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_mul_m (const struct ecc_modulo *m, mp_limb_t a24, unsigned bit_low, unsigned bit_high, mp_limb_t *qx, const uint8_t *n, const mp_limb_t *px, mp_limb_t *scratch) { unsigned i; mp_limb_t swap; #define x2 (scratch) #define z2 (scratch + m->size) #define x3 (scratch + 2*m->size) #define z3 (scratch + 3*m->size) /* Formulas from RFC 7748: A = x_2 + z_2 AA = A^2 B = x_2 - z_2 BB = B^2 E = AA - BB C = x_3 + z_3 D = x_3 - z_3 DA = D * A CB = C * B x_3 = (DA + CB)^2 z_3 = x_1 * (DA - CB)^2 x_2 = AA * BB z_2 = E * (AA + a24 * E) For pure doubling, we use: A = x_2 + z_2 AA = A^2 B = x_2 - z_2 BB = B^2 E = AA - BB x3 = AA * BB z3 = E * (AA + a24 * E) */ #define A (scratch + 4*m->size) #define AA A #define D (scratch + 5*m->size) #define DA D #define tp (scratch + 6*m->size) /* For the doubling formulas. */ #define B D #define BB D #define E D /* Initialize, x2 = px, z2 = 1 */ mpn_copyi (x2, px, m->size); z2[0] = 1; mpn_zero (z2+1, m->size - 1); /* Get x3, z3 from doubling. Since most significant bit is forced to 1. */ ecc_mod_add (m, A, x2, z2); ecc_mod_sub (m, B, x2, z2); ecc_mod_sqr (m, AA, A, tp); ecc_mod_sqr (m, BB, B, tp); ecc_mod_mul (m, x3, AA, BB, tp); ecc_mod_sub (m, E, AA, BB); ecc_mod_addmul_1 (m, AA, E, a24); ecc_mod_mul (m, z3, E, AA, tp); for (i = bit_high, swap = 0; i >= bit_low; i--) { mp_limb_t bit = (n[i/8] >> (i & 7)) & 1; mpn_cnd_swap (swap ^ bit, x2, x3, 2*m->size); swap = bit; ecc_mod_add (m, A, x2, z2); ecc_mod_sub (m, D, x3, z3); ecc_mod_mul (m, DA, D, A, tp); ecc_mod_sqr (m, AA, A, tp); /* Store B, BB and E at z2 */ ecc_mod_sub (m, z2, x2, z2); /* B */ /* Store C and CB at z3 */ ecc_mod_add (m, z3, x3, z3); /* C */ ecc_mod_mul (m, z3, z3, z2, tp); /* CB */ ecc_mod_sqr (m, z2, z2, tp); /* BB */ /* Finish x2 */ ecc_mod_mul (m, x2, AA, z2, tp); ecc_mod_sub (m, z2, AA, z2); /* E */ /* Finish z2 */ ecc_mod_addmul_1 (m, AA, z2, a24); ecc_mod_mul (m, z2, z2, AA, tp); /* Finish x3 */ ecc_mod_add (m, x3, DA, z3); ecc_mod_sqr (m, x3, x3, tp); /* Finish z3 */ ecc_mod_sub (m, z3, DA, z3); /* DA - CB */ ecc_mod_sqr (m, z3, z3, tp); ecc_mod_mul (m, z3, z3, px, tp); } mpn_cnd_swap (swap, x2, x3, 2*m->size); /* Do the low zero bits, just duplicating x2 */ for (i = 0; i < bit_low; i++) { ecc_mod_add (m, A, x2, z2); ecc_mod_sub (m, B, x2, z2); ecc_mod_sqr (m, AA, A, tp); ecc_mod_sqr (m, BB, B, tp); ecc_mod_mul (m, x2, AA, BB, tp); ecc_mod_sub (m, E, AA, BB); ecc_mod_addmul_1 (m, AA, E, a24); ecc_mod_mul (m, z2, E, AA, tp); } assert (m->invert_itch <= 7 * m->size); m->invert (m, x3, z2, z3 + m->size); ecc_mod_mul_canonical (m, qx, x2, x3, z3); } nettle-4.0/ecc-nonsec-add-jjj.c0000644000000000000000000001152615141166424013271 0ustar00/* ecc-non-sec-add-jjj.c Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Similar to ecc_add_jjj, but checks if x coordinates are equal (H = 0) below, and if so, performs doubling if also y coordinates are equal, or returns 0 (failure) indicating that the result is the infinity point. */ int ecc_nonsec_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl: Computation Operation Live variables Z1Z1 = Z1^2 sqr Z1Z1 Z2Z2 = Z2^2 sqr Z1Z1, Z2Z2 U1 = X1*Z2Z2 mul Z1Z1, Z2Z2, U1 U2 = X2*Z1Z1 mul Z1Z1, Z2Z2, U1, U2 H = U2-U1 Z1Z1, Z2Z2, U1, H Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H sqr, mul Z1Z1, Z2Z2, U1, H S1 = Y1*Z2*Z2Z2 mul, mul Z1Z1, U1, H, S1 S2 = Y2*Z1*Z1Z1 mul, mul U1, H, S1, S2 W = 2*(S2-S1) (djb: r) U1, H, S1, W I = (2*H)^2 sqr U1, H, S1, W, I J = H*I mul U1, S1, W, J, V V = U1*I mul S1, W, J, V X3 = W^2-J-2*V sqr S1, W, J, V Y3 = W*(V-X3)-2*S1*J mul, mul */ #define h scratch #define z1z1 (scratch + ecc->p.size) #define z2z2 z1z1 #define z1z2 (scratch + 2*ecc->p.size) #define w (scratch + ecc->p.size) #define i (scratch + 2*ecc->p.size) #define j h #define v i #define tp (scratch + 3*ecc->p.size) ecc_mod_sqr (&ecc->p, z2z2, z2, tp); /* z2z2 */ /* Store u1 at x3 */ ecc_mod_mul (&ecc->p, x3, x1, z2z2, tp); /* z2z2 */ ecc_mod_add (&ecc->p, z1z2, z1, z2); /* z2z2, z1z2 */ ecc_mod_sqr (&ecc->p, z1z2, z1z2, tp); ecc_mod_sub (&ecc->p, z1z2, z1z2, z2z2); /* z2z2, z1z2 */ /* Do s1 early, store at y3 */ ecc_mod_mul (&ecc->p, z2z2, z2z2, z2, tp); /* z2z2, z1z2 */ ecc_mod_mul (&ecc->p, y3, z2z2, y1, tp); /* z1z2 */ ecc_mod_sqr (&ecc->p, z1z1, z1, tp); /* z1z1, z1z2 */ ecc_mod_sub (&ecc->p, z1z2, z1z2, z1z1); ecc_mod_mul (&ecc->p, h, x2, z1z1, tp); /* z1z1, z1z2, h */ ecc_mod_sub (&ecc->p, h, h, x3); /* z1^3 */ ecc_mod_mul (&ecc->p, z1z1, z1z1, z1, tp); /* z3 <-- h z1 z2 delayed until now, since that may clobber z1. */ ecc_mod_mul (&ecc->p, z3, z1z2, h, tp); /* z1z1, h */ /* w = 2 (s2 - s1) */ ecc_mod_mul (&ecc->p, w, z1z1, y2, tp); /* h, w */ ecc_mod_sub (&ecc->p, w, w, y3); /* Note that use of ecc_mod_zero_p depends 0 <= h,w < 2p. */ if (ecc_mod_zero_p (&ecc->p, h)) { /* X1 == X2 */ if (ecc_mod_zero_p (&ecc->p, w)) { /* Y1 == Y2. Do point duplication. Note that q input is unclobbered, and that scratch need is smaller. Implies some unnecessary recomputation, but performance it not so important for this very unlikely corner case. */ ecc_dup_jj (ecc, r, q, scratch); return 1; } /* We must have Y1 == -Y2, and then the result is the infinity point, */ mpn_zero (r, 3*ecc->p.size); return 0; } ecc_mod_add (&ecc->p, w, w, w); /* i = (2h)^2 */ ecc_mod_add (&ecc->p, i, h, h); /* h, w, i */ ecc_mod_sqr (&ecc->p, i, i, tp); /* j and h can overlap */ ecc_mod_mul (&ecc->p, j, h, i, tp); /* j, w, i */ /* v and i can overlap */ ecc_mod_mul (&ecc->p, v, x3, i, tp); /* j, w, v */ /* x3 <-- w^2 - j - 2v */ ecc_mod_sqr (&ecc->p, x3, w, tp); ecc_mod_sub (&ecc->p, x3, x3, j); ecc_mod_submul_1 (&ecc->p, x3, v, 2); /* y3 <-- w (v - x3) - 2 s1 j */ ecc_mod_mul (&ecc->p, j, j, y3, tp); ecc_mod_sub (&ecc->p, v, v, x3); ecc_mod_mul (&ecc->p, y3, v, w, tp); ecc_mod_submul_1 (&ecc->p, y3, j, 2); return 1; } nettle-4.0/ecc-pm1-redc.c0000644000000000000000000000400415141166424012104 0ustar00/* ecc-pm1-redc.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Use that 1 = - (p - 1) (mod p), and that at least one low limb of p - 1 is zero. */ void ecc_pm1_redc (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { unsigned i; mp_limb_t hi, cy; unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) xp[i] = mpn_submul_1 (xp + i + k, m->redc_mpm1, m->size - k, xp[i]); hi = mpn_sub_n (xp, xp + m->size, xp, m->size); cy = mpn_cnd_add_n (hi, rp, xp, m->m, m->size); assert_maybe (cy == hi); if (shift > 0) { /* Result is always < 2p, provided that 2^shift * Bmodp_shifted <= p */ hi = (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); rp[m->size - 1] = (rp[m->size - 1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); } } nettle-4.0/ecc-point-mul-g.c0000644000000000000000000000325015141166424012646 0ustar00/* ecc-point-mul-g.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n) { const struct ecc_curve *ecc = r->ecc; mp_limb_t size = ecc->p.size; mp_size_t itch = 3*size + ecc->mul_g_itch; mp_limb_t *scratch = gmp_alloc_limbs (itch); assert (n->ecc == ecc); assert (ecc->h_to_a_itch <= ecc->mul_g_itch); ecc->mul_g (ecc, scratch, n->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); gmp_free_limbs (scratch, itch); } nettle-4.0/ecc-point-mul.c0000644000000000000000000000330415141166424012422 0ustar00/* ecc-point-mul.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, const struct ecc_point *p) { const struct ecc_curve *ecc = r->ecc; mp_limb_t size = ecc->p.size; mp_size_t itch = 3*size + ecc->mul_itch; mp_limb_t *scratch = gmp_alloc_limbs (itch); assert (n->ecc == ecc); assert (p->ecc == ecc); assert (ecc->h_to_a_itch <= ecc->mul_itch); ecc->mul (ecc, scratch, n->p, p->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); gmp_free_limbs (scratch, itch); } nettle-4.0/ecc-point.c0000644000000000000000000000651015141166424011631 0ustar00/* ecc-point.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc) { p->ecc = ecc; p->p = gmp_alloc_limbs (2*ecc->p.size); } void ecc_point_clear (struct ecc_point *p) { gmp_free_limbs (p->p, 2*p->ecc->p.size); } int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y) { mp_size_t size; mpz_t m, lhs, rhs; mpz_t t; int res; size = p->ecc->p.size; mpz_roinit_n (m, p->ecc->p.m, size); if (mpz_sgn (x) < 0 || mpz_cmp (x, m) >= 0 || mpz_sgn (y) < 0 || mpz_cmp (y, m) >= 0) return 0; mpz_init (lhs); mpz_init (rhs); mpz_mul (lhs, y, y); if (p->ecc->p.bit_size == 255) { /* ed25519 special case. FIXME: Do in some cleaner way? */ mpz_t x2; mpz_init (x2); mpz_mul (x2, x, x); mpz_mul (rhs, x2, lhs); /* Check that -x^2 + y^2 = 1 - (121665/121666) x^2 y^2 or 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ mpz_sub (lhs, x2, lhs); mpz_add_ui (lhs, lhs, 1); mpz_mul_ui (lhs, lhs, 121666); mpz_mul_ui (rhs, rhs, 121665); mpz_clear (x2); } else if (p->ecc->p.bit_size == 448) { /* curve448 special case. FIXME: Do in some cleaner way? */ mpz_t x2, d; mpz_init (x2); mpz_init_set_ui (d, 39081); mpz_mul (x2, x, x); /* x^2 */ mpz_mul (d, d, x2); /* 39081 x^2 */ mpz_set_ui (rhs, 1); mpz_submul (rhs, d, lhs); /* 1 - 39081 x^2 y^2 */ /* Check that x^2 + y^2 = 1 - 39081 x^2 y^2 */ mpz_add (lhs, x2, lhs); /* x^2 + y^2 */ mpz_clear (d); mpz_clear (x2); } else { /* Check that y^2 = x^3 - 3*x + b (mod p) */ mpz_mul (rhs, x, x); mpz_sub_ui (rhs, rhs, 3); mpz_mul (rhs, rhs, x); mpz_add (rhs, rhs, mpz_roinit_n (t, p->ecc->b, size)); } res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, p->ecc->p.m, size)); mpz_clear (lhs); mpz_clear (rhs); if (!res) return 0; mpz_limbs_copy (p->p, x, size); mpz_limbs_copy (p->p + size, y, size); return 1; } void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y) { mp_size_t size = p->ecc->p.size; if (x) mpz_set_n (x, p->p, size); if (y) mpz_set_n (y, p->p + size, size); } nettle-4.0/ecc-pp1-redc.c0000644000000000000000000000373615141166424012122 0ustar00/* ecc-pp1-redc.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Use that 1 = p + 1 (mod p), and that at least one low limb of p + 1 is zero. */ void ecc_pp1_redc (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { unsigned i; mp_limb_t hi, cy; unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) xp[i] = mpn_addmul_1 (xp + i + k, m->redc_mpm1, m->size - k, xp[i]); hi = mpn_add_n (rp, xp, xp + m->size, m->size); if (shift > 0) { hi = (hi << shift) | (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); rp[m->size - 1] = (rp[m->size - 1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); } else { cy = mpn_cnd_sub_n (hi, rp, rp, m->m, m->size); assert_maybe (cy == hi); } } nettle-4.0/ecc-random.c0000644000000000000000000000446015141166424011762 0ustar00/* ecc-random.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" static int ecdsa_in_range (const struct ecc_modulo *m, const mp_limb_t *xp, mp_limb_t *scratch) { /* Check if 0 < x < q, with data independent timing. */ return !sec_zero_p (xp, m->size) & (mpn_sub_n (scratch, xp, m->m, m->size) != 0); } void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, void *ctx, nettle_random_func *random, mp_limb_t *scratch) { uint8_t *buf = (uint8_t *) scratch; unsigned nbytes = (m->bit_size + 7)/8; /* The bytes ought to fit in the scratch area, unless we have very unusual limb and byte sizes. */ assert (nbytes <= m->size * sizeof (mp_limb_t)); do { random (ctx, nbytes, buf); buf[0] &= 0xff >> (nbytes * 8 - m->bit_size); mpn_set_base256 (xp, m->size, buf, nbytes); } while (!ecdsa_in_range (m, xp, scratch)); } void ecc_scalar_random (struct ecc_scalar *x, void *random_ctx, nettle_random_func *random) { TMP_DECL (scratch, mp_limb_t, ECC_MOD_RANDOM_ITCH (ECC_MAX_SIZE)); TMP_ALLOC (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size)); ecc_mod_random (&x->ecc->q, x->p, random_ctx, random, scratch); } nettle-4.0/ecc-scalar.c0000644000000000000000000000334715141166424011752 0ustar00/* ecc-scalar.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc) { s->ecc = ecc; s->p = gmp_alloc_limbs (ecc->p.size); } void ecc_scalar_clear (struct ecc_scalar *s) { gmp_free_limbs (s->p, s->ecc->p.size); } int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z) { mp_size_t size = s->ecc->p.size; mpz_t t; if (mpz_sgn (z) <= 0 || mpz_cmp (z, mpz_roinit_n(t, s->ecc->q.m, size)) >= 0) return 0; mpz_limbs_copy (s->p, z, size); return 1; } void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z) { mpz_set_n (z, s->p, s->ecc->p.size); } nettle-4.0/ecc-secp192r1.c0000644000000000000000000002101415141166424012125 0ustar00/* ecc-secp192r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014, 2019, 2021 Niels Möller Copyright (C) 2019 Wim Lewis This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-secp192r1.h" #if HAVE_NATIVE_ecc_secp192r1_modp #define ecc_secp192r1_modp _nettle_ecc_secp192r1_modp void ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); /* Use that p = 2^{192} - 2^64 - 1, to eliminate 128 bits at a time. */ #elif GMP_NUMB_BITS == 32 /* p is 6 limbs, p = B^6 - B^2 - 1 */ static void ecc_secp192r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t cy; /* Reduce from 12 to 9 limbs (top limb small)*/ cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4); cy = sec_add_1 (xp + 6, xp + 6, 2, cy); cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4); assert_maybe (cy <= 2); xp[8] = cy; /* Reduce from 9 to 6 limbs */ cy = mpn_add_n (xp, xp, xp + 6, 3); cy = sec_add_1 (xp + 3, xp + 3, 2, cy); cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3); cy = sec_add_1 (xp + 5, xp + 5, 1, cy); assert_maybe (cy <= 1); cy = mpn_cnd_add_n (cy, rp, xp, ecc_Bmodp, 6); assert_maybe (cy == 0); } #elif GMP_NUMB_BITS == 64 /* p is 3 limbs, p = B^3 - B - 1 */ static void ecc_secp192r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t cy; /* Reduce from 6 to 5 limbs (top limb small)*/ cy = mpn_add_n (xp + 1, xp + 1, xp + 4, 2); cy = sec_add_1 (xp + 3, xp + 3, 1, cy); cy += mpn_add_n (xp + 2, xp + 2, xp + 4, 2); assert_maybe (cy <= 2); xp[4] = cy; /* Reduce from 5 to 4 limbs (high limb small) */ cy = mpn_add_n (xp, xp, xp + 3, 2); cy = sec_add_1 (xp + 2, xp + 2, 1, cy); cy += mpn_add_n (xp + 1, xp + 1, xp + 3, 2); assert_maybe (cy <= 1); cy = mpn_cnd_add_n (cy, rp, xp, ecc_Bmodp, 3); assert_maybe (cy == 0); } #else #define ecc_secp192r1_modp ecc_mod #endif #define ECC_SECP192R1_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_secp192r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a62m1 scratch #define t0 (scratch + ECC_LIMB_SIZE) #define tp (scratch + 2*ECC_LIMB_SIZE) /* Addition chain p - 2 = 2^{192} - 2^{64} - 3 = 1 + 2^{192} - 2^{64} - 4 = 1 + 2^2 (2^{190} - 2^{62} - 1) = 1 + 2^2 (2^{62} - 1 + 2^{190} - 2^63) = 1 + 2^2 (2^{62} - 1 + 2^{63}(2^{127} - 1)) = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{126} - 1))) = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{63} + 1)(2^{63} - 1))) = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{63} + 1)(1 + 2(2^{62} - 1)))) 2^{62} - 1 = (2^{31}+1)(2^{31}-1) = (2^{31}+1)(1 + 2(2^{30} - 1)) = (2^{31}+1)(1 + 2(2^{15}+1)(2^15-1)) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^{14}-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(2^7-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(2^3-1))))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(1 + 2 (2+1)))))) This addition chain needs 191 squarings and 14 multiplies. Could be improved sligthly as: a^7 = 1 + 2 * (2 + 1) 2^{62} - 1 = (2^{31}+1)(2^{31}-1) = (2^{31}+1)(1 + 2(2^{30} - 1)) = (2^{31}+1)(1 + 2(2^{15}+1)(2^15-1)) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^{14}-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(2^7-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(2^3-1))))) 2^{65} - 1 = 2^3 (2^{62} - 1) + 2^3 - 1 2^{127} - 1 = 2^{62} (2^{65} - 1) + 2^{62} - 1 p - 2 = 1 + 2^2 (2^{62} - 1 + 2^{63}(2^{127} - 1)) This needs 191 squarings and 13 multiplies, i.e., saving one multiply, at the cost of additional temporary storage for a^7. */ ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ ecc_mod_sqr (p, rp, rp, tp); /* a^6 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^3-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 3, tp); /* a^{2^6-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^7-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^7-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 7, tp); /* a^{2^14-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^15-2} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^15-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 15, tp); /* a^{2^30-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^31-2} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^31-1} */ ecc_mod_pow_2kp1 (p, a62m1, rp, 31, tp); /* a^{2^62-1} Overlaps t0 */ ecc_mod_sqr (p, rp, a62m1, tp); /* a^{2^63-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^63-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 63, tp); /* a^{2^126-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^127-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^127-1} Clobbers t1 */ ecc_mod_pow_2k_mul (p, rp, rp, 63, a62m1, tp); /* a^{2^190 - 2^62 - 1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^191 - 2^63 - 2} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^192 - 2^64 - 4} */ ecc_mod_mul (p, rp, rp, ap, tp); #undef a62m1 #undef t0 #undef tp } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 192 #error Unsupported limb size #endif #define ECC_SECP192R1_SQRT_ITCH (3*ECC_LIMB_SIZE) static int ecc_secp192r1_sqrt (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { /* This computes the square root modulo p192 using the identity: sqrt(c) = c^(2^190 - 2^62) (mod P-192) which can be seen as a special case of Tonelli-Shanks with e=1. */ /* We need one t0 (and use clobbering rp) and scratch space for mul and sqr. */ #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_sqr(p, rp, cp, tp); /* c^2 */ ecc_mod_mul(p, rp, rp, cp, tp); /* c^3 */ ecc_mod_pow_2kp1(p, t0, rp, 2, tp); /* c^(2^4 - 1) */ ecc_mod_pow_2kp1(p, rp, t0, 4, tp); /* c^(2^8 - 1) */ ecc_mod_pow_2kp1(p, t0, rp, 8, tp); /* c^(2^16 - 1) */ ecc_mod_pow_2kp1(p, rp, t0, 16, tp); /* c^(2^32 - 1) */ ecc_mod_pow_2kp1(p, t0, rp, 32, tp); /* c^(2^64 - 1) */ ecc_mod_pow_2kp1(p, rp, t0, 64, tp); /* c^(2^128 - 1) */ ecc_mod_pow_2k (p, rp, rp, 62, tp); /* c^(2^190 - 2^62) */ /* Check that input was a square, R^2 = C, for non-squares we'd get R^2 = -C. */ ecc_mod_sqr(p, t0, rp, tp); ecc_mod_sub(p, t0, t0, cp); return ecc_mod_zero_p (p, t0); #undef t0 #undef tp } const struct ecc_curve _nettle_secp_192r1 = { { 192, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP192R1_INV_ITCH, ECC_SECP192R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp192r1_modp, ecc_secp192r1_modp, ecc_secp192r1_inv, ecc_secp192r1_sqrt, NULL, }, { 192, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP192R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_192r1(void) { return &_nettle_secp_192r1; } nettle-4.0/ecc-secp224r1.c0000644000000000000000000001661615141166424012135 0ustar00/* ecc-secp224r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #if HAVE_NATIVE_ecc_secp224r1_modp #define USE_REDC 0 #define ecc_secp224r1_modp _nettle_ecc_secp224r1_modp void ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #else #define USE_REDC (ECC_REDC_SIZE != 0) #define ecc_secp224r1_modp ecc_mod #endif #include "ecc-secp224r1.h" #if ECC_REDC_SIZE < 0 # define ecc_secp224r1_redc ecc_pm1_redc #elif ECC_REDC_SIZE == 0 # define ecc_secp224r1_redc NULL #else # error Configuration error #endif /* Computes a^{2^{127} - 1} mod m. Also produces the intermediate value a^{2^{96} - 1}. Needs 3*ECC_LIMB_SIZE scratch. */ static void ecc_mod_pow_127m1 (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *a96m1, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain for 2^127 - 1: 7 = 1 + 2 (2+1) 2 S + 2 M 2^{31} - 1 = 1 + 2 (2^{15} + 1)(1 + 2 (2^7 + 1) (1 + 2 (2^3+1) * 7)) 28 S + 6 M 2^{34} - 1 = 2^3 (2^{31} - 1) + 7 3 S + M 2^{65} - 1 = 2^{31}(2^{34} - 1) + 2^{31} - 1 31 S + M 2^{96} - 1 = 2^{31}(2^{65} - 1) + 2^{31} - 1 31 S + M 2^{127} - 1 = 2^{31}(2^{96} - 1) + 2^{31} - 1 31 S + M This addition chain needs 126 squarings and 12 multiplies. */ #define a7 a96m1 #define t0 scratch #define a31m1 t0 #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_sqr (m, rp, ap, tp); /* a^2 */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^3 */ ecc_mod_sqr (m, rp, rp, tp); /* a^6 */ ecc_mod_mul (m, a7, rp, ap, tp); /* a^{2^3-1} a7 */ ecc_mod_pow_2kp1 (m, rp, a7, 3, tp); /* a^{2^6 - 1} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^7 - 2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^7 - 1} */ ecc_mod_pow_2kp1 (m, t0, rp, 7, tp); /* a^{2^14 - 1} */ ecc_mod_sqr (m, rp, t0, tp); /* a^{2^15 - 2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^15 - 1} */ ecc_mod_pow_2kp1 (m, t0, rp, 15, tp); /* a^{2^30 - 1} */ ecc_mod_sqr (m, rp, t0, tp); /* a^{2^31 - 2} */ ecc_mod_mul (m, a31m1, rp, ap, tp); /* a^{2^31 - 1} a7, a31m1 */ ecc_mod_pow_2k_mul (m, rp, a31m1, 3, a7, tp); /* a^{2^34 - 1} a31m1 */ ecc_mod_pow_2k_mul (m, rp, rp, 31, a31m1, tp); /* a^{2^65 - 1} a31m1 */ ecc_mod_pow_2k_mul (m, a96m1, rp, 31, a31m1, tp); /* a^{2^96 - 1} a31m1, a96m1 */ ecc_mod_pow_2k_mul (m, rp, a96m1, 31, a31m1, tp); /* a^{2^{127} - 1} a96m1 */ #undef a7 #undef t0 #undef a31m1 #undef tp } #define ECC_SECP224R1_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_secp224r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a96m1 scratch #define tp (scratch + ECC_LIMB_SIZE) /* Compute a^{p - 2}, with p-2 = 2^{224} - 2^{96} - 1 = 2^{97}(2^{127} - 1) + 2^{96} - 1 This addition chain needs 97 squarings and one multiply in addition to ecc_mod_pow_127m1, for a total of 223 squarings and 13 multiplies. */ ecc_mod_pow_127m1 (p, rp, a96m1, ap, tp); ecc_mod_pow_2k_mul (p, rp, rp, 97, a96m1, tp); /* a^{2^{224} - 2^{96} - 1 */ #undef a96m1 #undef tp } #define ECC_SECP224R1_SQRT_ITCH (5*ECC_LIMB_SIZE) static int ecc_secp224r1_sqrt (const struct ecc_modulo *p, mp_limb_t *xp, const mp_limb_t *cp, mp_limb_t *scratch) { unsigned r; #define bp scratch #define yp (scratch + ECC_LIMB_SIZE) #define t0 (scratch + 2*ECC_LIMB_SIZE) #define tp (scratch + 3*ECC_LIMB_SIZE) /* Uses Tonnelli-Shanks' algorithm, and which isn't side-channel silent. We have p - 1 = 2^e q, with e = 2^{96} and q = 2^{128} - 1. Initially, we need b = c^q and x = c^{(q+1)/2}, and to get both, we start with c^{(q-1)/2} = a^{2^{127}-1} */ /* Needs total 4 * ECC_LIMB_SIZE scratch space */ ecc_mod_pow_127m1 (p, xp, scratch, cp, scratch + ECC_LIMB_SIZE); ecc_mod_sqr (p, bp, xp, tp); /* b <-- c^{2^{128} - 2 */ ecc_mod_mul (p, bp, bp, cp, tp); /* b <-- c^{2^{128} - 1 */ ecc_mod_mul (p, xp, xp, cp, tp); /* x <-- c^{2^{127}} */ mpn_copyi (yp, ecc_sqrt_z, p->size); r = ECC_SQRT_E; /* The algoritm maintains x^2 = c b; when b == 1, we are done. We also have the invariants b^{2^{r-1}} = 1 (assuming square root exists), and y^{2^{r-1}} = -1. */ for (;;) { unsigned m; if (ecc_mod_equal_p (p, bp, ecc_unit, tp)) return 1; ecc_mod_sqr (p, t0, bp, tp); for (m = 1; m < r && !ecc_mod_equal_p (p, t0, ecc_unit, tp); m++) ecc_mod_sqr (p, t0, t0, tp); if (m == r) { /* We get here if there is no square root, or input is zero. Will always be detected on first round in the outer loop. */ assert (r == ECC_SQRT_E); return ecc_mod_zero_p (p, xp); } if (m < r - 1) ecc_mod_pow_2k (p, yp, yp, r - m - 1, tp); r = m; ecc_mod_mul (p, xp, xp, yp, tp); /* x' <-- x y^{2^{r-m-1} */ ecc_mod_sqr (p, yp, yp, tp); /* y' <-- y^{2^{r-m}} */ ecc_mod_mul (p, bp, bp, yp, tp); /* b' <-- b y^{2^{r-m}} */ } #undef bp #undef yp #undef tp } const struct ecc_curve _nettle_secp_224r1 = { { 224, ECC_LIMB_SIZE, ECC_BMODP_SIZE, -ECC_REDC_SIZE, ECC_SECP224R1_INV_ITCH, ECC_SECP224R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp224r1_modp, USE_REDC ? ecc_secp224r1_redc : ecc_secp224r1_modp, ecc_secp224r1_inv, ecc_secp224r1_sqrt, NULL, }, { 224, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP224R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_224r1(void) { return &_nettle_secp_224r1; } nettle-4.0/ecc-secp256r1.c0000644000000000000000000002557515141166424012146 0ustar00/* ecc-secp256r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #if HAVE_NATIVE_ecc_secp256r1_redc # define USE_REDC 1 #else # define USE_REDC (ECC_REDC_SIZE != 0) #endif #include "ecc-secp256r1.h" #if HAVE_NATIVE_ecc_secp256r1_redc # define ecc_secp256r1_redc _nettle_ecc_secp256r1_redc void ecc_secp256r1_redc (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp); #else /* !HAVE_NATIVE_ecc_secp256r1_redc */ # if ECC_REDC_SIZE > 0 # define ecc_secp256r1_redc ecc_pp1_redc # elif ECC_REDC_SIZE == 0 # define ecc_secp256r1_redc NULL # else # error Configuration error # endif #endif /* !HAVE_NATIVE_ecc_secp256r1_redc */ #if ECC_BMODP_SIZE < ECC_LIMB_SIZE #define ecc_secp256r1_modp ecc_mod #define ecc_secp256r1_modq ecc_mod #elif GMP_NUMB_BITS == 64 static void ecc_secp256r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t d1, u1, cy; mp_size_t n; /* Reduce to < B^4 p up front, to avoid first quotient overflowing a limb. */ cy = mpn_sub_n (xp + 4, xp + 4, p->m, p->size); mpn_cnd_add_n (cy, xp + 4, xp + 4, p->m, p->size); d1 = UINT64_C(0xffffffff00000001); for (n = 2*p->size, u1 = xp[--n] ;; n--) { mp_limb_t u0, q1, q0, qmax, r, t, mask; u0 = xp[n-1]; /* Since d0 == 0, 2/1 division gives a good enough quotient approximation. = v * u1 + , with v = 2^32 - 1: +---+---+ | u1| u0| +---+---+ |-u1| +-+-+-+ | u1| +-+-+-+-+ | q1| q0| +---+---+ */ q1 = u1 - (u1 > u0); q0 = u0 - u1; t = u1 << 32; q0 += t; q1 += (u1 >> 32) + (q0 < t) + 1; /* Force q = B-1 when u1 == d1 */ qmax = - (mp_limb_t) (u1 >= d1); /* Candidate remainder r = u0 - q d1 (mod B), and 2/1 division adjustments. */ r = u0 + (q1 << 32) - q1; mask = - (mp_limb_t) (r > q0); q1 += mask; r += (mask & d1); mask = - (mp_limb_t) (r >= d1); q1 -= mask; r -= (mask & d1); /* In the case that u1 == d1, we get q1 == 0, r == 0 here (and correct 2/1 quotient would be B). Replace with q1 = B-1, r = d1. */ q1 |= qmax; r += d1 & qmax; cy = mpn_submul_1 (xp + n - 4, p->m, 3, q1); mask = - (mp_limb_t) (r < cy); if (n == p->size) { rp[3] = r - cy + (mask & d1) + mpn_cnd_add_n (mask, rp, xp, p->m, 3); return; } u1 = r - cy + (mask & d1) + mpn_cnd_add_n (mask, xp + n - 4, xp + n- 4, p->m, 3); } } static void ecc_secp256r1_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t d1, cy; mp_size_t n; /* Reduce to < B^4 p up front, to avoid first quotient overflowing a limb. */ cy = mpn_sub_n (xp + 4, xp + 4, q->m, q->size); mpn_cnd_add_n (cy, xp + 4, xp + 4, q->m, q->size); d1 = UINT64_C(0xffffffff00000000); n = 2*q->size; for (;;) { mp_limb_t u1, u0, q1, q0, r, t, qmax, mask; u1 = xp[--n]; u0 = xp[n-1]; /* divappr2, specialized for d1 = 2^64 - 2^32, d0 = 2^64-1. = v * u1 + , with v = 2^32 - 1: +---+---+ | u1| u0| +---+---+ |-u1| +-+-+-+ | u1| +-+-+-+-+ | q1| q0| +---+---+ */ q1 = u1 - (u1 > u0); q0 = u0 - u1; t = u1 << 32; q0 += t; q1 += (q0 < t); t = u1 >> 32; /* The divappr2 algorithm handles only q < B - 1. If we check for u1 >= d1 = 2^{64}-2^{32}, we cover all cases where q = 2^64-1, and some when q = 2^64-2. The latter case is corrected by the final adjustment. */ qmax = - (mp_limb_t) (t == 0xffffffff); q1 += t + 1; /* Candidate remainder r = u0 - q (d1 + 1) (mod B), and divappr2 adjustments. For general divappr2, the expression is r = u_0 - q1 d1 - floor(q1 d0 / B) - 1 but in our case floor(q1 d0 / B) simplifies to q1 - 1. */ r = u0 + (q1 << 32) - q1; mask = - (mp_limb_t) (r >= q0); q1 += mask; r += (mask & (d1 + 1)); q1 += (r >= d1 - 1); /* Replace by qmax, when that is needed */ q1 |= qmax; /* Subtract, may underflow. */ cy = mpn_submul_1 (xp + n - 4, q->m, 4, q1); if (n == q->size) { mpn_cnd_add_n (cy > u1, rp, xp, q->m, 4); return; } mpn_cnd_add_n (cy > u1, xp + n - 4, xp + n- 4, q->m, 4); } } #else #error Unsupported parameters #endif #define ECC_SECP256R1_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_secp256r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a5m1 scratch #define t0 (scratch + ECC_LIMB_SIZE) #define a15m1 t0 #define a32m1 a5m1 #define tp (scratch + 2*ECC_LIMB_SIZE) /* Addition chain for p - 2 = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 3 2^5 - 1 = 1 + 2 (2^4 - 1) = 1 + 2 (2^2+1)(2 + 1) 4 S + 3 M 2^{15} - 1 = (2^5 - 1) (1 + 2^5 (1 + 2^5) 10 S + 2 M 2^{16} - 1 = 1 + 2 (2^{15} - 1) S + M 2^{32} - 1 = (2^{16} + 1) (2^{16} - 1) 16 S + M 2^{64} - 2^{32} + 1 = 2^{32} (2^{32} - 1) + 1 32 S + M 2^{192} - 2^{160} + 2^{128} + 2^{32} - 1 = 2^{128} (2^{64} - 2^{32} + 1) + 2^{32} - 1 128 S + M 2^{224} - 2^{192} + 2^{160} + 2^{64} - 1 = 2^{32} (...) + 2^{32} - 1 32 S + M 2^{239} - 2^{207} + 2^{175} + 2^{79} - 1 = 2^{15} (...) + 2^{15} - 1 15 S + M 2^{254} - 2^{222} + 2^{190} + 2^{94} - 1 = 2^{15} (...) + 2^{15} - 1 15 S + M p - 2 = 2^2 (...) + 1 2 S M --------------- 255 S + 13 M */ ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ ecc_mod_pow_2kp1 (p, t0, rp, 2, tp); /* a^{2^4 - 1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^5 - 2} */ ecc_mod_mul (p, a5m1, rp, ap, tp); /* a^{2^5 - 1}, a5m1 */ ecc_mod_pow_2kp1 (p, rp, a5m1, 5, tp); /* a^{2^{10} - 1, a5m1*/ ecc_mod_pow_2k_mul (p, a15m1, rp, 5, a5m1, tp); /* a^{2^{15} - 1}, a5m1 a15m1 */ ecc_mod_sqr (p, rp, a15m1, tp); /* a^{2^{16} - 2}, a15m1 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^{16} - 1}, a15m1 */ ecc_mod_pow_2kp1 (p, a32m1, rp, 16, tp); /* a^{2^{32} - 1}, a15m1, a32m1 */ ecc_mod_pow_2k_mul (p, rp, a32m1, 32, ap, tp);/* a^{2^{64} - 2^{32} + 1 */ ecc_mod_pow_2k_mul (p, rp, rp, 128, a32m1, tp); /* a^{2^{192} - 2^{160} + 2^{128} + 2^{32} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 32, a32m1, tp);/* a^{2^{224} - 2^{192} + 2^{160} + 2^{64} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 15, a15m1, tp);/* a^{2^{239} - 2^{207} + 2^{175} + 2^{79} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 15, a15m1, tp);/* a^{2^{254} - 2^{222} + 2^{190} + 2^{94} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp); /* a^{2^{256} - 2^{224} + 2^{192} + 2^{96} - 3} */ #undef a5m1 #undef t0 #undef a15m1 #undef a32m1 #undef tp } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 256 #error Unsupported limb size #endif #define ECC_SECP256R1_SQRT_ITCH (3*ECC_LIMB_SIZE) static int ecc_secp256r1_sqrt (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { /* This computes the square root modulo p256 using the identity: sqrt(c) = c^(2^254 − 2^222 + 2^190 + 2^94) (mod P-256) which can be seen as a special case of Tonelli-Shanks with e=1. It would be nice to share part of the addition chain between inverse and sqrt. We need p-2 = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 3 (inverse) and (p+1)/4 = 2^{254} − 2^{222} + 2^{190} + 2^{94} (sqrt) which we can both get conveniently from (p-3)/4 = 2^{254} − 2^{222} + 2^{190} + 2^{94} - 1 But addition chain for 2^{94} - 1 appears to cost a few more mul operations than the current, separate, chains. */ #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_sqr (m, rp, cp, tp); /* c^2 */ ecc_mod_mul (m, t0, rp, cp, tp); /* c^3 */ ecc_mod_pow_2kp1 (m, rp, t0, 2, tp); /* c^(2^4 - 1) */ ecc_mod_pow_2kp1 (m, t0, rp, 4, tp); /* c^(2^8 - 1) */ ecc_mod_pow_2kp1 (m, rp, t0, 8, tp); /* c^(2^16 - 1) */ ecc_mod_pow_2kp1 (m, t0, rp, 16, tp); /* c^(2^32 - 1) */ ecc_mod_pow_2k_mul (m, rp, t0, 32, cp, tp); /* c^(2^64 - 2^32 + 1) */ ecc_mod_pow_2k_mul (m, t0, rp, 96, cp, tp); /* c^(2^160 - 2^128 + 2^96 + 1) */ ecc_mod_pow_2k (m, rp, t0, 94, tp); /* c^(2^254 - 2^222 + 2^190 + 2^94) */ ecc_mod_sqr (m, t0, rp, tp); ecc_mod_sub (m, t0, t0, cp); return ecc_mod_zero_p (m, t0); #undef t0 #undef tp } const struct ecc_curve _nettle_secp_256r1 = { { 256, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP256R1_INV_ITCH, ECC_SECP256R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp256r1_modp, USE_REDC ? ecc_secp256r1_redc : ecc_secp256r1_modp, ecc_secp256r1_inv, ecc_secp256r1_sqrt, NULL, }, { 256, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_secp256r1_modq, ecc_secp256r1_modq, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP256R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_256r1(void) { return &_nettle_secp_256r1; } nettle-4.0/ecc-secp384r1.c0000644000000000000000000002324215141166424012135 0ustar00/* ecc-secp384r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-secp384r1.h" #if HAVE_NATIVE_ecc_secp384r1_modp #define ecc_secp384r1_modp _nettle_ecc_secp384r1_modp void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #elif GMP_NUMB_BITS == 32 /* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256 bits at a time. We can get carry == 2 in the first iteration, and I think *only* in the first iteration. */ /* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate almost 8 at a time. Do only 7, to avoid additional carry propagation, followed by 5. */ static void ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t cy, bw; /* Reduce from 24 to 17 limbs. */ cy = mpn_add_n (xp + 4, xp + 4, xp + 16, 8); cy = sec_add_1 (xp + 12, xp + 12, 3, cy); bw = mpn_sub_n (xp + 5, xp + 5, xp + 16, 8); bw = sec_sub_1 (xp + 13, xp + 13, 3, bw); cy += mpn_add_n (xp + 7, xp + 7, xp + 16, 8); cy = sec_add_1 (xp + 15, xp + 15, 1, cy); cy += mpn_add_n (xp + 8, xp + 8, xp + 16, 8); assert_maybe (bw <= cy); cy -= bw; assert_maybe (cy <= 2); xp[16] = cy; /* Reduce from 17 to 12 limbs */ cy = mpn_add_n (xp, xp, xp + 12, 5); cy = sec_add_1 (xp + 5, xp + 5, 3, cy); bw = mpn_sub_n (xp + 1, xp + 1, xp + 12, 5); bw = sec_sub_1 (xp + 6, xp + 6, 6, bw); cy += mpn_add_n (xp + 3, xp + 3, xp + 12, 5); cy = sec_add_1 (xp + 8, xp + 8, 1, cy); cy += mpn_add_n (xp + 4, xp + 4, xp + 12, 5); cy = sec_add_1 (xp + 9, xp + 9, 3, cy); assert_maybe (cy >= bw); cy -= bw; assert_maybe (cy <= 1); cy = mpn_cnd_add_n (cy, rp, xp, p->B, ECC_LIMB_SIZE); assert_maybe (cy == 0); } #elif GMP_NUMB_BITS == 64 /* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3 (almost 4) limbs at a time. */ static void ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t tp[6]; mp_limb_t cy; /* Reduce from 12 to 9 limbs */ tp[0] = 0; /* FIXME: Could use mpn_sub_nc */ mpn_copyi (tp + 1, xp + 8, 3); tp[4] = xp[11] - mpn_sub_n (tp, tp, xp + 8, 4); tp[5] = mpn_lshift (tp, tp, 5, 32); cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4); cy = sec_add_1 (xp + 6, xp + 6, 2, cy); cy += mpn_add_n (xp + 2, xp + 2, tp, 6); cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4); assert_maybe (cy <= 2); xp[8] = cy; /* Reduce from 9 to 6 limbs */ tp[0] = 0; mpn_copyi (tp + 1, xp + 6, 2); tp[3] = xp[8] - mpn_sub_n (tp, tp, xp + 6, 3); tp[4] = mpn_lshift (tp, tp, 4, 32); cy = mpn_add_n (xp, xp, xp + 6, 3); cy = sec_add_1 (xp + 3, xp + 3, 2, cy); cy += mpn_add_n (xp, xp, tp, 5); cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3); cy = sec_add_1 (xp + 5, xp + 5, 1, cy); assert_maybe (cy <= 1); cy = mpn_cnd_add_n (cy, xp, xp, p->B, ECC_LIMB_SIZE); assert_maybe (cy == 0); mpn_copyi (rp, xp, ECC_LIMB_SIZE); } #else #define ecc_secp384r1_modp ecc_mod #endif /* Computes a^{2^{288} -2^{32} - 1} mod m. Also produces the intermediate value a^{2^{30} - 1}. Needs 5*ECC_LIMB_SIZE scratch. */ static void ecc_mod_pow_288m32m1 (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *a30m1, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain for 2^{288} - 2^{32} - 1: 2^2 - 1 = 1 + 2 2^4 - 1 = (2^2 + 1) * (2^2 - 1) 2^5 - 1 = 1 + 2(2^4 - 1) 2^{10} - 1 = (2^5 + 1) (2^5 - 1) 2^{15} - 1 = 2^5 (2^{10} - 1) + (2^5-1) 2^{30} - 1 = (2^{15} + 1) (2^{15} - 1) 2^{32} - 4 = 2^2 (2^{30} - 1) 2^{32} - 1 = (2^{32} - 4) + 3 2^{60} - 1 = 2^{28}(2^{32} - 4) + (2^{30} - 1) 2^{120} - 1 = (2^{60} + 1) (2^{60} - 1) 2^{240} - 1 = (2^{120} + 1)(2^{120} - 1) 2^{255} - 1 = 2^{15} (2^{240} - 1) + 2^{15} - 1 2^{288} - 2^{32} - 1 = 2^{33} (2^{255} - 1) + 2^{32} - 1 Total 287 squarings, and 12 multiplies. The specific sqr/mul schedule is from Routine 3.2.12 of "Mathematical routines for the NIST prime elliptic curves", April 5, 2010, author unknown. */ #define t0 scratch #define a3 (scratch + ECC_LIMB_SIZE) #define a5m1 a30m1 #define a15m1 (scratch + 2*ECC_LIMB_SIZE) #define a32m1 a3 #define tp (scratch + 3*ECC_LIMB_SIZE) ecc_mod_sqr (m, t0, ap, tp); /* a^2 */ ecc_mod_mul (m, a3, t0, ap, tp); /* a^3 */ ecc_mod_pow_2kp1 (m, rp, a3, 2, tp); /* a^(2^4 - 1) */ ecc_mod_sqr (m, t0, rp, tp); /* a^(2^5 - 2) */ ecc_mod_mul (m, a5m1, t0, ap, tp); /* a^(2^5 - 1) */ ecc_mod_pow_2kp1 (m, t0, a5m1, 5, tp); /* a^(2^10 - 1) */ ecc_mod_pow_2k_mul (m, a15m1, t0, 5, a5m1, tp); /* a^(2^15 - 1) a5m1*/ ecc_mod_pow_2kp1 (m, a30m1, a15m1, 15, tp); /* a^(2^30 - 1) */ ecc_mod_pow_2k (m, t0, a30m1, 2, tp); /* a^(2^32 - 4) */ ecc_mod_mul (m, a32m1, t0, a3, tp); /* a^(2^32 - 1) a3 */ ecc_mod_pow_2k_mul (m, rp, t0, 28, a30m1, tp); /* a^(2^60 - 1) a32m4 */ ecc_mod_pow_2kp1 (m, t0, rp, 60, tp); /* a^(2^120 - 1) */ ecc_mod_pow_2kp1 (m, rp, t0, 120, tp); /* a^(2^240 - 1) */ ecc_mod_pow_2k_mul (m, t0, rp, 15, a15m1, tp); /* a^(2^255 - 1) a15m1 */ ecc_mod_pow_2k_mul (m, rp, t0, 33, a32m1, tp); /* a^(2^288 - 2^32 - 1) a32m1 */ #undef t0 #undef a3 #undef a5m1 #undef a15m1 #undef a32m1 #undef tp } #define ECC_SECP384R1_INV_ITCH (6*ECC_LIMB_SIZE) static void ecc_secp384r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain for p - 2 = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 3 Start with a^{2^{288} - 2^{32} - 1} and then use 2^{382} - 2^{126} - 2^{94} + 2^{30} - 1 = 2^{94} (2^{288} - 2^{32} - 1) + 2^{30} - 1 2^{384} - 2^{128} - 2^{96} + 2^{32} - 3 = 2^2 (2^{382} - 2^{126} - 2^{94} + 2^{30} - 1) + 1 This addition chain needs 96 additional squarings and 2 multiplies, for a total of 383 squarings and 14 multiplies. */ #define a30m1 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_pow_288m32m1 (p, rp, a30m1, ap, tp); ecc_mod_pow_2k_mul (p, rp, rp, 94, a30m1, tp); /* a^{2^{382} - 2^{126} - 2^{94} + 2^{30} - 1 */ ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp); #undef a30m1 #undef tp } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 384 #error Unsupported limb size #endif #define ECC_SECP384R1_SQRT_ITCH (6*ECC_LIMB_SIZE) static int ecc_secp384r1_sqrt (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { /* This computes the square root modulo p384 using the identity: sqrt(c) = c^(2^382 − 2^126 - 2^94 + 2^30) (mod P-384) which can be seen as a special case of Tonelli-Shanks with e=1. Starting with a^{2^{288} - 2^{32} - 1} and then use 2^352 - 2^96 - 2^64 + 1 = 2^64 (2^{288} - 2^{32} - 1) + 1 2^382 − 2^126 - 2^94 + 2^30 = 2^30 (2^352 - 2^96 - 2^64 + 1) An additional 94 squarings and 2 multiplies, for a total of for a total of 381 squarings and 14 multiplies. */ #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_pow_288m32m1 (m, rp, t0, cp, tp); ecc_mod_pow_2k_mul (m, t0, rp, 64, cp, tp); /* c^(2^352 - 2^96 - 2^64 + 1) */ ecc_mod_pow_2k (m, rp, t0, 30, tp); /* c^(2^382 - 2^126 - 2^94 + 2^30) */ ecc_mod_sqr (m, t0, rp, tp); ecc_mod_sub (m, t0, t0, cp); return ecc_mod_zero_p (m, t0); #undef t0 #undef tp } const struct ecc_curve _nettle_secp_384r1 = { { 384, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP384R1_INV_ITCH, ECC_SECP384R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp384r1_modp, ecc_secp384r1_modp, ecc_secp384r1_inv, ecc_secp384r1_sqrt, NULL, }, { 384, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP384R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_384r1(void) { return &_nettle_secp_384r1; } nettle-4.0/ecc-secp521r1.c0000644000000000000000000001371715141166424012134 0ustar00/* ecc-secp521r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-secp521r1.h" #define B_SHIFT (521 % GMP_NUMB_BITS) #if HAVE_NATIVE_ecc_secp521r1_modp #define ecc_secp521r1_modp _nettle_ecc_secp521r1_modp void ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #else #define BMODP_SHIFT (GMP_NUMB_BITS - B_SHIFT) #define BMODP ((mp_limb_t) 1 << BMODP_SHIFT) /* Result may be *slightly* larger than 2^521 */ static void ecc_secp521r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { /* FIXME: Should use mpn_addlsh_n_ip1 */ mp_limb_t hi; /* Reduce from 2*ECC_LIMB_SIZE to ECC_LIMB_SIZE + 1 */ xp[ECC_LIMB_SIZE] = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, BMODP); hi = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, 1, BMODP); hi = sec_add_1 (xp + 1, xp + 1, ECC_LIMB_SIZE - 1, hi); /* Combine hi with top bits, and add in. */ hi = (hi << BMODP_SHIFT) | (xp[ECC_LIMB_SIZE-1] >> B_SHIFT); rp[ECC_LIMB_SIZE-1] = (xp[ECC_LIMB_SIZE-1] & (((mp_limb_t) 1 << B_SHIFT)-1)) + sec_add_1 (rp, xp, ECC_LIMB_SIZE - 1, hi); } #endif #define ECC_SECP521R1_INV_ITCH (3*ECC_LIMB_SIZE) static void ecc_secp521r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) /* Addition chain for p - 2: 2^{521} - 3 = 1 + 2^2(2^519 - 1) = 1 + 2^2(1 + 2 (2^518 - 1) = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^258 - 1))) = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^129 + 1) (2^129 - 1))) = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^129 + 1) (1 + 2 (2^128 - 1)))) where 2^{128} - 1 = (2^64 + 1) (2^32+1) (2^16 + 1) (2^8 + 1) (2^4 + 1) (2^2 + 1) (2 + 1) This addition chain needs 520 squarings and 13 multiplies. */ ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^3 = a^{2^2 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 2, tp); /* a^15 = a^{2^4 - 1} */ ecc_mod_pow_2kp1 (p, rp, t0, 4, tp); /* a^{2^8 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 8, tp); /* a^{2^16 - 1} */ ecc_mod_pow_2kp1 (p, rp, t0, 16, tp); /* a^{2^32 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 32, tp); /* a^{2^64 - 1} */ ecc_mod_pow_2kp1 (p, rp, t0, 64, tp); /* a^{2^128 - 1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^129 - 2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^129 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 129, tp);/* a^{2^258 - 1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^259 - 2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^259 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 259, tp);/* a^{2^518 - 1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^519 - 2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^519 - 1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^520 - 2} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^521 - 4} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^521 - 3} */ } #define ECC_SECP521R1_SQRT_ITCH (2*ECC_LIMB_SIZE) static int ecc_secp521r1_sqrt (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { mp_limb_t hi; /* This computes the square root modulo p256 using the identity: sqrt(c) = c^(2^519) (mod P-521) which can be seen as a special case of Tonelli-Shanks with e=1. */ ecc_mod_pow_2k (m, rp, cp, 519, scratch); /* Check result. */ ecc_mod_sqr (m, scratch, rp, scratch); ecc_mod_sub (m, scratch, scratch, cp); /* Reduce top bits, since ecc_mod_zero_p requires input < 2p */ hi = scratch[ECC_LIMB_SIZE-1] >> B_SHIFT; scratch[ECC_LIMB_SIZE-1] = (scratch[ECC_LIMB_SIZE-1] & (((mp_limb_t) 1 << B_SHIFT)-1)) + sec_add_1 (scratch, scratch, ECC_LIMB_SIZE - 1, hi); return ecc_mod_zero_p (m, scratch); } const struct ecc_curve _nettle_secp_521r1 = { { 521, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP521R1_INV_ITCH, ECC_SECP521R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp521r1_modp, ecc_secp521r1_modp, ecc_secp521r1_inv, ecc_secp521r1_sqrt, NULL, }, { 521, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP521R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_521r1(void) { return &_nettle_secp_521r1; } nettle-4.0/ecc-size.c0000644000000000000000000000274215141166424011455 0ustar00/* ecc-size.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" unsigned ecc_bit_size (const struct ecc_curve *ecc) { return ecc->p.bit_size; } mp_size_t ecc_size (const struct ecc_curve *ecc) { return ecc->p.size; } mp_size_t ecc_size_a (const struct ecc_curve *ecc) { return 2*ecc->p.size; } mp_size_t ecc_size_j (const struct ecc_curve *ecc) { return 3*ecc->p.size; } nettle-4.0/ecc.h0000644000000000000000000001127215141166424010510 0ustar00/* ecc.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_H_INCLUDED #define NETTLE_ECC_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ecc_point_init nettle_ecc_point_init #define ecc_point_clear nettle_ecc_point_clear #define ecc_point_set nettle_ecc_point_set #define ecc_point_get nettle_ecc_point_get #define ecc_point_mul nettle_ecc_point_mul #define ecc_point_mul_g nettle_ecc_point_mul_g #define ecc_scalar_init nettle_ecc_scalar_init #define ecc_scalar_clear nettle_ecc_scalar_clear #define ecc_scalar_set nettle_ecc_scalar_set #define ecc_scalar_get nettle_ecc_scalar_get #define ecc_scalar_random nettle_ecc_scalar_random #define ecc_point_mul nettle_ecc_point_mul #define ecc_bit_size nettle_ecc_bit_size #define ecc_size nettle_ecc_size #define ecc_size_a nettle_ecc_size_a #define ecc_size_j nettle_ecc_size_j struct ecc_curve; /* High level interface, for ECDSA, DH, etc */ /* Represents a point on the ECC curve */ struct ecc_point { const struct ecc_curve *ecc; /* Allocated using the same allocation function as GMP. */ mp_limb_t *p; }; /* Represents a non-zero scalar, an element of Z_q^*, where q is the group order of the curve. */ struct ecc_scalar { const struct ecc_curve *ecc; /* Allocated using the same allocation function as GMP. */ mp_limb_t *p; }; void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc); void ecc_point_clear (struct ecc_point *p); /* Fails and returns zero if the point is not on the curve. */ int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y); void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y); void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc); void ecc_scalar_clear (struct ecc_scalar *s); /* Fails and returns zero if the scalar is not in the proper range. */ int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z); void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z); /* Generates a random scalar, suitable as an ECDSA private key or a ECDH exponent. */ void ecc_scalar_random (struct ecc_scalar *s, void *random_ctx, nettle_random_func *random); /* Computes r = n p */ void ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, const struct ecc_point *p); /* Computes r = n g */ void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n); /* Low-level interface */ /* Points on a curve are represented as arrays of mp_limb_t, with curve-specific representation. For the secp curves, we use Jacobian coordinates (possibly in Montgomery form for mod multiplication). For curve25519 we use homogeneous coordinates on an equivalent Edwards curve. The suffix "_h" denotes this internal representation. Since we use additive notation for the groups, the infinity point on the curve is denoted 0. The infinity point can be represented with x = y = 0 in affine coordinates, and Z = 0 in Jacobian coordinates. However, note that most of the ECC functions do *not* support infinity as an input or output. */ /* Returns the bit size of a single coordinate (and of the prime p). */ unsigned ecc_bit_size (const struct ecc_curve *ecc); /* Returns the size of a single coordinate. */ mp_size_t ecc_size (const struct ecc_curve *ecc); /* Size of a point, using affine coordinates x, y. */ mp_size_t ecc_size_a (const struct ecc_curve *ecc); /* Size of a point, using jacobian coordinates X, Y and Z. */ mp_size_t ecc_size_j (const struct ecc_curve *ecc); /* FIXME: Define a generic ecc_dup, ecc_add, for any type of curve. Do they need to handle infinity points? */ #ifdef __cplusplus } #endif #endif /* NETTLE_ECC_H_INCLUDED */ nettle-4.0/eccdata.c0000644000000000000000000011266515141166424011345 0ustar00/* eccdata.c Generate compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014, 2017 Niels Möller Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #include #include #include #include #include "mini-gmp.c" /* Affine coordinates, for simplicity. Infinity point, i.e., te neutral group element, is represented using the is_zero flag. */ struct ecc_point { int is_zero; mpz_t x; mpz_t y; }; enum ecc_type { /* y^2 = x^3 - 3x + b (mod p) */ ECC_TYPE_WEIERSTRASS, /* x^2 + y^2 = 1 - d x^2 y^2 */ ECC_TYPE_EDWARDS, /* -x^2 + y^2 = 1 - d x^2 y^2 */ ECC_TYPE_TWISTED_EDWARDS, }; struct ecc_curve { unsigned bit_size; unsigned pippenger_k; unsigned pippenger_c; enum ecc_type type; /* Prime */ mpz_t p; /* Curve constant */ mpz_t b; /* Curve order */ mpz_t q; struct ecc_point g; /* Table for pippenger's algorithm. Element i 2^c + j_0 + j_1 2 + j_2 2^2 + ... + j_{c-1} 2^{c-1} holds 2^{ikc} ( j_0 + j_1 2^k + j_2 2^{2k} + ... + j_{c-1} 2^{(c-1)k}) g */ mp_size_t table_size; struct ecc_point *table; /* If non-NULL, holds 2g, 3g, 4g */ struct ecc_point *ref; }; static void ecc_init (struct ecc_point *p) { mpz_init (p->x); mpz_init (p->y); } static void ecc_clear (struct ecc_point *p) { mpz_clear (p->x); mpz_clear (p->y); } static int ecc_zero_p (const struct ecc_point *p) { return p->is_zero; } static int ecc_equal_p (const struct ecc_point *p, const struct ecc_point *q) { return p->is_zero ? q->is_zero : !q->is_zero && mpz_cmp (p->x, q->x) == 0 && mpz_cmp (p->y, q->y) == 0; } static void ecc_set_zero (const struct ecc_curve *ecc, struct ecc_point *r) { r->is_zero = 1; mpz_set_ui (r->x, 0); mpz_set_ui (r->y, ecc->type != ECC_TYPE_WEIERSTRASS); } static void ecc_set (struct ecc_point *r, const struct ecc_point *p) { r->is_zero = p->is_zero; mpz_set (r->x, p->x); mpz_set (r->y, p->y); } static void ecc_add (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p, const struct ecc_point *q); /* Needs to support in-place operation. */ static void ecc_dup (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p) { if (ecc->type != ECC_TYPE_WEIERSTRASS) { ecc_add (ecc, r, p, p); return; } if (ecc_zero_p (p)) ecc_set_zero (ecc, r); else { mpz_t m, t, x, y; mpz_init (m); mpz_init (t); mpz_init (x); mpz_init (y); /* m = (2 y)^-1 */ mpz_mul_ui (m, p->y, 2); mpz_invert (m, m, ecc->p); /* t = 3 (x^2 - 1) * m */ mpz_mul (t, p->x, p->x); mpz_mod (t, t, ecc->p); mpz_sub_ui (t, t, 1); mpz_mul_ui (t, t, 3); mpz_mul (t, t, m); mpz_mod (t, t, ecc->p); /* x' = t^2 - 2 x */ mpz_mul (x, t, t); mpz_submul_ui (x, p->x, 2); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ mpz_sub (y, p->x, x); mpz_mul (y, y, t); mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); mpz_clear (m); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } static void ecc_add (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p, const struct ecc_point *q) { if (ecc->type == ECC_TYPE_WEIERSTRASS) { if (ecc_zero_p (p)) ecc_set (r, q); else if (ecc_zero_p (q)) ecc_set (r, p); else if (mpz_cmp (p->x, q->x) == 0) { if (mpz_cmp (p->y, q->y) == 0) ecc_dup (ecc, r, p); else ecc_set_zero (ecc, r); } else { mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); /* t = (q_y - p_y) / (q_x - p_x) */ mpz_sub (t, q->x, p->x); mpz_invert (t, t, ecc->p); mpz_sub (s, q->y, p->y); mpz_mul (t, t, s); mpz_mod (t, t, ecc->p); /* x' = t^2 - p_x - q_x */ mpz_mul (x, t, t); mpz_sub (x, x, p->x); mpz_sub (x, x, q->x); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ mpz_sub (y, p->x, x); mpz_mul (y, y, t); mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); mpz_clear (s); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } else if (ecc->type == ECC_TYPE_EDWARDS) { mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); /* t = d p_x p_y q_x q_y */ mpz_mul (t, ecc->b, p->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, p->y); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->y); mpz_mod (t, t, ecc->p); /* x' = (p_x q_y + q_x p_y) / (1 + t) */ mpz_mul (x, p->x, q->y); mpz_mod (x, x, ecc->p); mpz_addmul (x, q->x, p->y); mpz_mod (x, x, ecc->p); mpz_add_ui (s, t, 1); mpz_invert (s, s, ecc->p); mpz_mul (x, x, s); mpz_mod (x, x, ecc->p); /* y' = (p_y q_y - p_x q_x) / (1 - t) */ mpz_mul (y, p->y, q->y); mpz_mod (y, y, ecc->p); mpz_submul (y, p->x, q->x); mpz_mod (y, y, ecc->p); mpz_set_ui (s, 1); mpz_sub (s, s, t); mpz_invert (s, s, ecc->p); mpz_mul (y, y, s); mpz_mod (y, y, ecc->p); mpz_swap (x, r->x); mpz_swap (y, r->y); r->is_zero = mpz_cmp_ui (r->x, 0) == 0 && mpz_cmp_ui (r->y, 1) == 0; mpz_clear (s); mpz_clear (t); mpz_clear (x); mpz_clear (y); } else { /* Untwisted: x = (p_x q_y + p_y q_x) / (1 - d p_x p_y q_x q_y) y = (p_y q_y - p_x q_x) / (1 + d p_x p_y q_x q_y) Twisted: x = (p_x q_y + p_y q_x) / (1 - d p_x p_y q_x q_y) y = (p_y q_y + p_x q_x) / (1 + d p_x p_y q_x q_y) So they differ only by a sign in the expression for the new y coordinate. */ mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); /* t = d p_x p_y q_x q_y */ mpz_mul (t, ecc->b, p->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, p->y); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->y); mpz_mod (t, t, ecc->p); /* x' = (p_x q_y + q_x p_y) / (1 - t) */ mpz_mul (x, p->x, q->y); mpz_mod (x, x, ecc->p); mpz_addmul (x, q->x, p->y); mpz_mod (x, x, ecc->p); mpz_ui_sub (s, 1, t); mpz_invert (s, s, ecc->p); mpz_mul (x, x, s); mpz_mod (x, x, ecc->p); /* y' = (p_y q_y - p_x q_x) / (1 + t) */ mpz_mul (y, p->y, q->y); mpz_mod (y, y, ecc->p); mpz_addmul (y, p->x, q->x); mpz_mod (y, y, ecc->p); mpz_add_ui (s, t, 1); mpz_invert (s, s, ecc->p); mpz_mul (y, y, s); mpz_mod (y, y, ecc->p); mpz_swap (x, r->x); mpz_swap (y, r->y); r->is_zero = (mpz_cmp_ui (r->x, 0) == 0 && mpz_cmp_ui (r->y, 1) == 0); mpz_clear (s); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } static void ecc_mul_binary (const struct ecc_curve *ecc, struct ecc_point *r, const mpz_t n, const struct ecc_point *p) { mp_bitcnt_t k; assert (r != p); assert (mpz_sgn (n) > 0); ecc_set (r, p); /* Index of highest one bit */ for (k = mpz_sizeinbase (n, 2) - 1; k-- > 0; ) { ecc_dup (ecc, r, r); if (mpz_tstbit (n, k)) ecc_add (ecc, r, r, p); } } static struct ecc_point * ecc_alloc (size_t n) { struct ecc_point *p = malloc (n * sizeof(*p)); size_t i; if (!p) { fprintf (stderr, "Virtual memory exhausted.\n"); exit (EXIT_FAILURE); } for (i = 0; i < n; i++) ecc_init (&p[i]); return p; } static void ecc_set_str (struct ecc_point *p, const char *x, const char *y) { p->is_zero = 0; mpz_set_str (p->x, x, 16); mpz_set_str (p->y, y, 16); } static void ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type, const char *p, const char *b, const char *q, const char *gx, const char *gy) { ecc->type = type; mpz_init_set_str (ecc->p, p, 16); mpz_init_set_str (ecc->b, b, 16); mpz_init_set_str (ecc->q, q, 16); ecc_init (&ecc->g); ecc_set_str (&ecc->g, gx, gy); ecc->pippenger_k = 0; ecc->pippenger_c = 0; ecc->table = NULL; ecc->ref = NULL; } static void ecc_curve_init (struct ecc_curve *ecc, const char *curve) { if (!strcmp (curve, "secp192r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{192} - 2^{64} - 1 */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" "FFFFFFFFFFFFFFFF", "64210519e59c80e70fa7e9ab72243049" "feb8deecc146b9b1", "ffffffffffffffffffffffff99def836" "146bc9b1b4d22831", "188da80eb03090f67cbf20eb43a18800" "f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd5" "73f977a11e794811"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab"); ecc_set_str (&ecc->ref[1], /* 3 g */ "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd"); ecc_set_str (&ecc->ref[2], /* 4 g */ "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32"); } else if (!strcmp (curve, "secp224r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{224} - 2^{96} + 1 */ "ffffffffffffffffffffffffffffffff" "000000000000000000000001", "b4050a850c04b3abf54132565044b0b7" "d7bfd8ba270b39432355ffb4", "ffffffffffffffffffffffffffff16a2" "e0b8f03e13dd29455c5c2a3d", "b70e0cbd6bb4bf7f321390b94a03c1d3" "56c21122343280d6115c1d21", "bd376388b5f723fb4c22dfe6cd4375a0" "5a07476444d5819985007e34"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb"); ecc_set_str (&ecc->ref[1], /* 3 g */ "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925"); ecc_set_str (&ecc->ref[2], /* 4 g */ "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9"); } else if (!strcmp (curve, "secp256r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */ "FFFFFFFF000000010000000000000000" "00000000FFFFFFFFFFFFFFFFFFFFFFFF", "5AC635D8AA3A93E7B3EBBD55769886BC" "651D06B0CC53B0F63BCE3C3E27D2604B", "FFFFFFFF00000000FFFFFFFFFFFFFFFF" "BCE6FAADA7179E84F3B9CAC2FC632551", "6B17D1F2E12C4247F8BCE6E563A440F2" "77037D812DEB33A0F4A13945D898C296", "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" "2BCE33576B315ECECBB6406837BF51F5"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1"); ecc_set_str (&ecc->ref[1], /* 3 g */ "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032"); ecc_set_str (&ecc->ref[2], /* 4 g */ "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6"); } else if (!strcmp (curve, "secp384r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 */ "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffffe" "ffffffff0000000000000000ffffffff", "b3312fa7e23ee7e4988e056be3f82d19" "181d9c6efe8141120314088f5013875a" "c656398d8a2ed19d2a85c8edd3ec2aef", "ffffffffffffffffffffffffffffffff" "ffffffffffffffffc7634d81f4372ddf" "581a0db248b0a77aecec196accc52973", "aa87ca22be8b05378eb1c71ef320ad74" "6e1d3b628ba79b9859f741e082542a38" "5502f25dbf55296c3a545e3872760ab7", "3617de4a96262c6f5d9e98bf9292dc29" "f8f41dbd289a147ce9da3113b5f0b8c0" "0a60b1ce1d7e819d7a431d7c90ea0e5f"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e4fe0e86ebe0e64f85b96a9c75295df61", "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab4255ffd43e94d39e22d61501e700a940e80"); ecc_set_str (&ecc->ref[1], /* 3 g */ "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6b408bbae5026580d02d7e5c70500c831", "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eacc24abd6be4b5d298b65f28600a2f1df1"); ecc_set_str (&ecc->ref[2], /* 4 g */ "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dced7387be37bba569549f1c02b270ed67"); } else if (!strcmp (curve, "secp521r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "1ff" /* p = 2^{521} - 1 */ "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff", "051" "953eb9618e1c9a1f929a21a0b68540ee" "a2da725b99b315f3b8b489918ef109e1" "56193951ec7e937b1652c0bd3bb1bf07" "3573df883d2c34f1ef451fd46b503f00", "1ff" "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffffa" "51868783bf2f966b7fcc0148f709a5d0" "3bb5c9b8899c47aebb6fb71e91386409", "c6" "858e06b70404e9cd9e3ecb662395b442" "9c648139053fb521f828af606b4d3dba" "a14b5e77efe75928fe1dc127a2ffa8de" "3348b3c1856a429bf97e7e31c2e5bd66", "118" "39296a789a3bc0045c8a5fb42c7d1bd9" "98f54449579b446817afbd17273e662c" "97ee72995ef42640c550b9013fad0761" "353c7086a272c24088be94769fd16650"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "433c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "f4bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbbb3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02"); ecc_set_str (&ecc->ref[1], /* 3 g */ "1a73d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", "13e9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5"); ecc_set_str (&ecc->ref[2], /* 4 g */ "35b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f279f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d"); } else if (!strcmp (curve, "curve25519")) { /* curve25519, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^{255} - 19. According to http://cr.yp.to/papers.html#newelliptic, this is birationally equivalent to the Edwards curve x^2 + y^2 = 1 + (121665/121666) x^2 y^2 (mod p). But instead of using this curve, we use a twisted curve, following RFC 7748, -x^2 + y^2 = 1 - (121665/121666) x^2 y^2 (mod p) (this is possible because -1 is a square modulo p). The generator is x = 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a y = 0x6666666666666666666666666666666666666666666666666666666666666658 */ ecc_curve_init_str (ecc, ECC_TYPE_TWISTED_EDWARDS, "7fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffed", /* (121665/121666) mod p, from PARI/GP c = Mod(121665, p); c / (c+1) */ "2dfc9311d490018c7338bf8688861767" "ff8ff5b2bebe27548a14b235eca6874a", /* Order of the subgroup is 2^252 + q_0, where q_0 = 27742317777372353535851937790883648493, 125 bits. */ "10000000000000000000000000000000" "14def9dea2f79cd65812631a5cf5d3ed", /* Generator */ "216936d3cd6e53fec0a4e231fdd6dc5c" "692cc7609525a7b2c9562d608f25d51a", "66666666666666666666666666666666" "66666666666666666666666666666658"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "36ab384c9f5a046c3d043b7d1833e7ac" "080d8e4515d7a45f83c5a14e2843ce0e", "2260cdf3092329c21da25ee8c9a21f56" "97390f51643851560e5f46ae6af8a3c9"); ecc_set_str (&ecc->ref[1], /* 3 g */ "67ae9c4a22928f491ff4ae743edac83a" "6343981981624886ac62485fd3f8e25c", "1267b1d177ee69aba126a18e60269ef7" "9f16ec176724030402c3684878f5b4d4"); ecc_set_str (&ecc->ref[2], /* 4 g */ "203da8db56cff1468325d4b87a3520f9" "1a739ec193ce1547493aa657c4c9f870", "47d0e827cb1595e1470eb88580d5716c" "4cf22832ea2f0ff0df38ab61ca32112f"); } else if (!strcmp (curve, "gost_gc256b")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffd97", "00000000000000000000000000000000" "000000000000000000000000000000a6", "ffffffffffffffffffffffffffffffff" "6c611070995ad10045841b09b761b893", "00000000000000000000000000000000" "00000000000000000000000000000001", "8d91e471e0989cda27df505a453f2b76" "35294f2ddf23e3b122acc99c9e9f1e14"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd95", "726e1b8e1f676325d820afa5bac0d489cad6b0d220dc1c4edd5336636160df83"); ecc_set_str (&ecc->ref[1], /* 3 g */ "8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38d2c", "76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51"); ecc_set_str (&ecc->ref[2], /* 4 g */ "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741"); } else if (!strcmp (curve, "gost_gc512a")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffdc7", "e8c2505dedfc86ddc1bd0b2b6667f1da" "34b82574761cb0e879bd081cfd0b6265" "ee3cb090f30d27614cb4574010da90dd" "862ef9d4ebee4761503190785a71c760", "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "27e69532f48d89116ff22b8d4e056060" "9b4b38abfad2b85dcacdb1411f10b275", "00000000000000000000000000000000" "00000000000000000000000000000000" "00000000000000000000000000000000" "00000000000000000000000000000003", "7503cfe87a836ae3a61b8816e25450e6" "ce5e1c93acf1abc1778064fdcbefa921" "df1626be4fd036e93d75e6a50e3a41e9" "8028fe5fc235f5b889a589cb5215f2a4"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051"); ecc_set_str (&ecc->ref[1], /* 3 g */ "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba543d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb311d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6"); ecc_set_str (&ecc->ref[2], /* 4 g */ "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef257452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929"); } else if (!strcmp (curve, "curve448")) { /* curve448, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^{448} - 2^{224} - 1. According to RFC 7748, this is 4-isogenious to the Edwards curve called "edwards448" x^2 + y^2 = 1 - 39081 x^2 y^2 (mod p). And since the constant is not a square, the Edwards formulas should be "complete", with no special cases needed for doubling, neutral element, negatives, etc. Generator is x = 5, with y coordinate 355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362, according to x = Mod(5, 2^448-2^224-1); sqrt(x^3 + 156326*x^2 + x) in PARI/GP. Also, in PARI notation, curve448 = Mod([0, 156326, 0, 1, 0], 2^448-2^224-1) */ ecc_curve_init_str (ecc, ECC_TYPE_EDWARDS, "fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffeffffff" "fffffffffffffffffffffffffffffff" "fffffffffffffffffff", /* -39081 mod p, from PARI/GP c = Mod(-39081, p) */ "fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffeffffff" "fffffffffffffffffffffffffffffff" "fffffffffffffff6756", /* Order of the subgroup is 2^446 - q_0, where q_0 = 13818066809895115352007386748515426880336692474882178609894547503885, 224 bits. */ "3ffffffffffffffffffffffffffffff" "fffffffffffffffffffffffff7cca23" "e9c44edb49aed63690216cc2728dc58" "f552378c292ab5844f3", "4f1970c66bed0ded221d15a622bf36d" "a9e146570470f1767ea6de324a3d3a4" "6412ae1af72ab66511433b80e18b009" "38e2626a82bc70cc05e", "693f46716eb6bc248876203756c9c76" "24bea73736ca3984087789c1e05a0c2" "d73ad3ff1ce67c39c4fdbd132c4ed7c" "8ad9808795bf230fa14"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaa955555555" "55555555555555555555555555555555" "5555555555555555", "ae05e9634ad7048db359d6205086c2b0" "036ed7a035884dd7b7e36d728ad8c4b8" "0d6565833a2a3098bbbcb2bed1cda06b" "daeafbcdea9386ed"); ecc_set_str (&ecc->ref[1], /* 3 g */ "865886b9108af6455bd64316cb694333" "2241b8b8cda82c7e2ba077a4a3fcfe8d" "aa9cbf7f6271fd6e862b769465da8575" "728173286ff2f8f", "e005a8dbd5125cf706cbda7ad43aa644" "9a4a8d952356c3b9fce43c82ec4e1d58" "bb3a331bdb6767f0bffa9a68fed02daf" "b822ac13588ed6fc"); ecc_set_str (&ecc->ref[2], /* 4 g */ "49dcbc5c6c0cce2c1419a17226f929ea" "255a09cf4e0891c693fda4be70c74cc3" "01b7bdf1515dd8ba21aee1798949e120" "e2ce42ac48ba7f30", "d49077e4accde527164b33a5de021b97" "9cb7c02f0457d845c90dc3227b8a5bc1" "c0d8f97ea1ca9472b5d444285d0d4f5b" "32e236f86de51839"); } else { fprintf (stderr, "No known curve with name %s\n", curve); exit(EXIT_FAILURE); } ecc->bit_size = mpz_sizeinbase (ecc->p, 2); } static void ecc_curve_clear (struct ecc_curve *ecc) { mpz_clear (ecc->p); mpz_clear (ecc->b); mpz_clear (ecc->q); ecc_clear (&ecc->g); if (ecc->table) { size_t i; for (i = 0; i < ecc->table_size; i++) ecc_clear (&ecc->table[i]); free (ecc->table); } if (ecc->ref) { size_t i; for (i = 0; i < 3; i++) ecc_clear (&ecc->ref[i]); free (ecc->ref); } } static unsigned ecc_table_size(unsigned bits, unsigned k, unsigned c) { unsigned p = (bits + k-1) / k; unsigned M = (p + c-1)/c; return M; } static void ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c) { unsigned M = ecc_table_size (ecc->bit_size, k, c); unsigned i, j; if (M < 2) { fprintf (stderr, "Invalid parameters, implies M = %u\n", M); exit (EXIT_FAILURE); } if (M == ecc_table_size (ecc->bit_size, k-1, c)) fprintf(stderr, "warn: Parameters k = %u, c = %d are suboptimal, could use smaller k\n", k, c); ecc->pippenger_k = k; ecc->pippenger_c = c; ecc->table_size = M << c; assert (ecc->table_size >= 2); ecc->table = ecc_alloc (ecc->table_size); /* Compute the first 2^c entries */ ecc_set_zero (ecc, &ecc->table[0]); ecc_set (&ecc->table[1], &ecc->g); for (j = 2; j < (1U<table_size); ecc_dup (ecc, &ecc->table[j], &ecc->table[j/2]); for (i = 1; i < k; i++) ecc_dup (ecc, &ecc->table[j], &ecc->table[j]); for (i = 1; i < j; i++) { assert (j + i < ecc->table_size); ecc_add (ecc, &ecc->table[j + i], &ecc->table[j], &ecc->table[i]); } } for (j = 1<table_size; j++) { /* T[j] = 2^{kc} T[j-2^c] */ ecc_dup (ecc, &ecc->table[j], &ecc->table[j - (1<table[j], &ecc->table[j]); } } static void ecc_mul_pippenger (const struct ecc_curve *ecc, struct ecc_point *r, const mpz_t n_input) { mpz_t n; unsigned k, c; unsigned i, j; unsigned bit_rows; mpz_init (n); mpz_mod (n, n_input, ecc->q); ecc_set_zero (ecc, r); k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->bit_size + k - 1) / k; for (i = k; i-- > 0; ) { ecc_dup (ecc, r, r); for (j = 0; j * c < bit_rows; j++) { unsigned bits; mp_size_t bit_index; /* Extract c bits of the exponent, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { bit_index -= k; bits = (bits << 1) | mpz_tstbit (n, bit_index); } ecc_add (ecc, r, r, &ecc->table[(j << c) | bits]); } } mpz_clear (n); } static void ecc_point_out (FILE *f, const struct ecc_point *p) { if (p->is_zero) fprintf (f, "zero"); else { fprintf (f, "("); mpz_out_str (f, 16, p->x); fprintf (f, ",\n "); mpz_out_str (f, 16, (p)->y); fprintf (f, ")"); } } #define ASSERT_EQUAL(p, q) do { \ if (!ecc_equal_p (p, q)) \ { \ fprintf (stderr, "%s:%d: ASSERT_EQUAL (%s, %s) failed.\n", \ __FILE__, __LINE__, #p, #q); \ fprintf (stderr, "p = "); \ ecc_point_out (stderr, (p)); \ fprintf (stderr, "\nq = "); \ ecc_point_out (stderr, (q)); \ fprintf (stderr, "\n"); \ abort(); \ } \ } while (0) #define ASSERT_ZERO(p) do { \ if (!ecc_zero_p (p)) \ { \ fprintf (stderr, "%s:%d: ASSERT_ZERO (%s) failed.\n", \ __FILE__, __LINE__, #p); \ fprintf (stderr, "p = "); \ ecc_point_out (stderr, (p)); \ fprintf (stderr, "\n"); \ abort(); \ } \ } while (0) static void ecc_curve_check (const struct ecc_curve *ecc) { struct ecc_point p, q; mpz_t n; ecc_init (&p); ecc_init (&q); mpz_init (n); ecc_dup (ecc, &p, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&p, &ecc->ref[0]); else { fprintf (stderr, "g2 = "); mpz_out_str (stderr, 16, p.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, p.y); fprintf (stderr, "\n"); } ecc_add (ecc, &q, &p, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[1]); else { fprintf (stderr, "g3 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_add (ecc, &q, &q, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[2]); else { fprintf (stderr, "g4 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_dup (ecc, &q, &p); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[2]); else { fprintf (stderr, "g4 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_mul_binary (ecc, &p, ecc->q, &ecc->g); ASSERT_ZERO (&p); ecc_mul_pippenger (ecc, &q, ecc->q); ASSERT_ZERO (&q); ecc_clear (&p); ecc_clear (&q); mpz_clear (n); } static void output_digits (const mpz_t x, unsigned size, unsigned bits_per_limb) { mpz_t t; mpz_t mask; mpz_t limb; unsigned i; const char *suffix; mpz_init_set (t, x); mpz_init (mask); mpz_init (limb); mpz_setbit (mask, bits_per_limb); mpz_sub_ui (mask, mask, 1); suffix = bits_per_limb > 32 ? "ULL" : "UL"; for (i = 0; i < size; i++) { if ( (i % 8) == 0) printf("\n "); mpz_and (limb, mask, t); printf (" 0x"); mpz_out_str (stdout, 16, limb); printf ("%s,", suffix); mpz_tdiv_q_2exp (t, t, bits_per_limb); } mpz_clear (t); mpz_clear (mask); mpz_clear (limb); } static void output_bignum (const char *name, const mpz_t x, unsigned size, unsigned bits_per_limb) { printf ("static const mp_limb_t %s[%d] = {", name, size); output_digits (x, size, bits_per_limb); printf("\n};\n"); } static void output_bignum_redc (const char *name, const mpz_t x, const mpz_t p, unsigned size, unsigned bits_per_limb) { mpz_t t; mpz_init (t); mpz_mul_2exp (t, x, size * bits_per_limb); mpz_mod (t, t, p); output_bignum (name, t, size, bits_per_limb); mpz_clear (t); } static void output_point (const struct ecc_curve *ecc, const struct ecc_point *p, int use_redc, unsigned size, unsigned bits_per_limb) { mpz_t x, y, t; mpz_init (x); mpz_init (y); mpz_init (t); mpz_set (x, p->x); mpz_set (y, p->y); if (use_redc) { mpz_mul_2exp (x, x, size * bits_per_limb); mpz_mod (x, x, ecc->p); mpz_mul_2exp (y, y, size * bits_per_limb); mpz_mod (y, y, ecc->p); } output_digits (x, size, bits_per_limb); output_digits (y, size, bits_per_limb); mpz_clear (x); mpz_clear (y); mpz_clear (t); } static void string_toupper (char *buf, size_t size, const char *s) { size_t i; for (i = 0; i < size; i++) { buf[i] = toupper ((int)s[i]); if (!buf[i]) return; } fprintf (stderr, "string '%s' too large for buffer of size %u.\n", s, (unsigned) size); abort(); } static void output_modulo (const char *name, const mpz_t x, unsigned size, unsigned bits_per_limb) { unsigned bit_size; int shift; char buf[20]; mpz_t t; snprintf (buf, sizeof (buf), "ecc_%s", name); output_bignum (buf, x, size, bits_per_limb); mpz_init (t); mpz_setbit (t, bits_per_limb * size); mpz_mod (t, t, x); snprintf (buf, sizeof (buf), "ecc_Bmod%s", name); output_bignum (buf, t, size, bits_per_limb); string_toupper (buf, sizeof (buf), name); printf ("#define ECC_BMOD%s_SIZE %u\n", buf, (unsigned) ((mpz_sizeinbase (t, 2) + bits_per_limb - 1) / bits_per_limb)); bit_size = mpz_sizeinbase (x, 2); shift = size * bits_per_limb - bit_size; assert (shift >= 0); if (shift > 0) { mpz_set_ui (t, 0); mpz_setbit (t, size * bits_per_limb); mpz_submul_ui (t, x, 2); snprintf (buf, sizeof (buf), "ecc_Bm2%s", name); output_bignum (buf, t, size, bits_per_limb); if (bit_size == 253) { /* For curve25519, with q = 2^k + q', with a much smaller q' */ unsigned mbits; unsigned shift; /* Shift to align the one bit at B */ shift = bits_per_limb * size + 1 - bit_size; mpz_set (t, x); mpz_clrbit (t, bit_size-1); mbits = mpz_sizeinbase (t, 2); /* The shifted value must be a limb smaller than q. */ assert (mbits + shift + bits_per_limb <= bit_size); /* q of the form 2^k + q', with q' a limb smaller */ mpz_mul_2exp (t, t, shift); snprintf (buf, sizeof (buf), "ecc_mBmod%s_shifted", name); output_bignum (buf, t, size, bits_per_limb); } else { mpz_set_ui (t, 0); mpz_setbit (t, bit_size); mpz_sub (t, t, x); snprintf (buf, sizeof (buf), "ecc_Bmod%s_shifted", name); output_bignum (buf, t, size, bits_per_limb); /* Check condition for reducing hi limbs. If s is the normalization shift and n is the bit size (so that s + n = limb_size * bits_per_limb), then we need (2^n - 1) + (2^s - 1) (2^n - p) < 2p or equivalently, 2^s (2^n - p) <= p To a allow a carry limb to be added in at the same time, substitute s+1 for s. */ /* FIXME: For ecdsa verify, we actually need the stricter inequality < 2 q. */ mpz_mul_2exp (t, t, shift + 1); if (mpz_cmp (t, x) > 0) { fprintf (stderr, "Reduction condition failed for %u-bit %s.\n", bit_size, name); exit (EXIT_FAILURE); } } } else { printf ("#define ecc_Bm2%s ecc_Bmod%s\n", name, name); printf ("#define ecc_Bmod%s_shifted ecc_Bmod%s\n", name, name); } mpz_clear (t); } static void output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) { unsigned limb_size = (ecc->bit_size + bits_per_limb - 1)/bits_per_limb; unsigned i; int redc_limbs; mpz_t t; mpz_t z; mpz_init (t); mpz_init (z); printf ("/* For NULL. */\n#include \n"); printf ("#define ECC_LIMB_SIZE %u\n", limb_size); printf ("#define ECC_PIPPENGER_K %u\n", ecc->pippenger_k); printf ("#define ECC_PIPPENGER_C %u\n", ecc->pippenger_c); output_modulo ("p", ecc->p, limb_size, bits_per_limb); output_modulo ("q", ecc->q, limb_size, bits_per_limb); output_bignum ("ecc_b", ecc->b, limb_size, bits_per_limb); mpz_add_ui (t, ecc->p, 1); mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_pp1h", t, limb_size, bits_per_limb); mpz_add_ui (t, ecc->q, 1); mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_qp1h", t, limb_size, bits_per_limb); /* Trailing zeros in p+1 correspond to trailing ones in p. */ redc_limbs = mpz_scan0 (ecc->p, 0) / bits_per_limb; if (redc_limbs > 0) { mpz_add_ui (t, ecc->p, 1); mpz_fdiv_q_2exp (t, t, redc_limbs * bits_per_limb); output_bignum ("ecc_redc_ppm1", t, limb_size - redc_limbs, bits_per_limb); } else { /* Trailing zeros in p-1 correspond to zeros just above the low bit of p */ redc_limbs = mpz_scan1 (ecc->p, 1) / bits_per_limb; if (redc_limbs > 0) { printf ("#define ecc_redc_ppm1 (ecc_p + %d)\n", redc_limbs); redc_limbs = -redc_limbs; } else printf ("#define ecc_redc_ppm1 NULL\n"); } printf ("#define ECC_REDC_SIZE %d\n", redc_limbs); /* For mod p square root computation. */ if (mpz_fdiv_ui (ecc->p, 4) == 3) { /* x = a^{(p+1)/4} gives square root of a (if it exists, otherwise the square root of -a). We use no precomputed values for this. */ } else { /* p-1 = 2^e s, s odd, t = (s-1)/2*/ unsigned g, i, e; mpz_t s; mpz_init (s); mpz_sub_ui (s, ecc->p, 1); e = mpz_scan1 (s, 0); assert (e > 1); mpz_fdiv_q_2exp (s, s, e); /* Find a non-square g, g^{(p-1)/2} = -1, and z = g^{(p-1)/4 */ for (g = 2; ; g++) { mpz_set_ui (z, g); mpz_powm (z, z, s, ecc->p); mpz_mul (t, z, z); mpz_mod (t, t, ecc->p); for (i = 2; i < e; i++) { mpz_mul (t, t, t); mpz_mod (t, t, ecc->p); } if (mpz_cmp_ui (t, 1) != 0) break; } mpz_add_ui (t, t, 1); assert (mpz_cmp (t, ecc->p) == 0); mpz_fdiv_q_2exp (t, s, 1); mpz_clear (s); printf ("#define ECC_SQRT_E %u\n", e); } printf ("#if USE_REDC\n"); printf ("#define ecc_unit ecc_Bmodp\n"); if (mpz_sgn(z) > 0) output_bignum_redc ("ecc_sqrt_z", z, ecc->p, limb_size, bits_per_limb); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) output_point (ecc, &ecc->table[i], 1, limb_size, bits_per_limb); printf("\n};\n"); printf ("#else\n"); mpz_set_ui (t, 1); output_bignum ("ecc_unit", t, limb_size, bits_per_limb); if (mpz_sgn(z) > 0) output_bignum ("ecc_sqrt_z", z, limb_size, bits_per_limb); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) output_point (ecc, &ecc->table[i], 0, limb_size, bits_per_limb); printf("\n};\n"); printf ("#endif\n"); mpz_clear (t); mpz_clear (z); } int main (int argc, char **argv) { struct ecc_curve ecc; if (argc < 4) { fprintf (stderr, "Usage: %s CURVE K C [BITS-PER-LIMB]\n", argv[0]); return EXIT_FAILURE; } ecc_curve_init (&ecc, argv[1]); ecc_pippenger_precompute (&ecc, atoi(argv[2]), atoi(argv[3])); fprintf (stderr, "Table size: %lu entries\n", (unsigned long) ecc.table_size); ecc_curve_check (&ecc); if (argc > 4) output_curve (&ecc, atoi(argv[4])); ecc_curve_clear (&ecc); return EXIT_SUCCESS; } nettle-4.0/ecdsa-keygen.c0000644000000000000000000000344515141166424012313 0ustar00/* ecdsa-keygen.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random) { TMP_DECL(p, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); const struct ecc_curve *ecc = pub->ecc; mp_size_t itch = 3*ecc->p.size + ecc->mul_g_itch; assert (key->ecc == ecc); assert (ecc->h_to_a_itch <= ecc->mul_g_itch); TMP_ALLOC (p, itch); ecc_mod_random (&ecc->q, key->p, random_ctx, random, p); ecc->mul_g (ecc, p, key->p, p + 3*ecc->p.size); ecc->h_to_a (ecc, 0, pub->p, p, p + 3*ecc->p.size); } nettle-4.0/ecdsa-sign.c0000644000000000000000000000427315141166424011771 0ustar00/* ecdsa-sign.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature) { /* At most 936 bytes. */ TMP_DECL(k, mp_limb_t, ECC_MAX_SIZE + ECC_ECDSA_SIGN_ITCH (ECC_MAX_SIZE)); mp_limb_t size = key->ecc->p.size; mp_limb_t *rp = mpz_limbs_write (signature->r, size); mp_limb_t *sp = mpz_limbs_write (signature->s, size); TMP_ALLOC (k, size + ECC_ECDSA_SIGN_ITCH (size)); /* Timing reveals the number of rounds through this loop, but the timing is still independent of the secret k finally used. */ do { ecc_mod_random (&key->ecc->q, k, random_ctx, random, k + size); ecc_ecdsa_sign (key->ecc, key->p, k, digest_length, digest, rp, sp, k + size); mpz_limbs_finish (signature->r, size); mpz_limbs_finish (signature->s, size); } while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0); } nettle-4.0/ecdsa-verify.c0000644000000000000000000000427115141166424012333 0ustar00/* ecc-ecdsa-verify.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "gmp-glue.h" int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature) { mp_limb_t size = ecc_size (pub->ecc); mp_size_t itch = 2*size + ecc_ecdsa_verify_itch (pub->ecc); /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most 4824 bytes. Don't use stack allocation for this. */ mp_limb_t *scratch; int res; #define rp scratch #define sp (scratch + size) #define scratch_out (scratch + 2*size) if (mpz_sgn (signature->r) <= 0 || mpz_size (signature->r) > size || mpz_sgn (signature->s) <= 0 || mpz_size (signature->s) > size) return 0; scratch = gmp_alloc_limbs (itch); mpz_limbs_copy (rp, signature->r, size); mpz_limbs_copy (sp, signature->s, size); res = ecc_ecdsa_verify (pub->ecc, pub->p, length, digest, rp, sp, scratch_out); gmp_free_limbs (scratch, itch); return res; #undef rp #undef sp #undef scratch_out } nettle-4.0/ecdsa.h0000644000000000000000000000551515141166424011040 0ustar00/* ecdsa.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECDSA_H_INCLUDED #define NETTLE_ECDSA_H_INCLUDED #include "ecc.h" #include "dsa.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ecdsa_sign nettle_ecdsa_sign #define ecdsa_verify nettle_ecdsa_verify #define ecdsa_generate_keypair nettle_ecdsa_generate_keypair #define ecc_ecdsa_sign nettle_ecc_ecdsa_sign #define ecc_ecdsa_sign_itch nettle_ecc_ecdsa_sign_itch #define ecc_ecdsa_verify nettle_ecc_ecdsa_verify #define ecc_ecdsa_verify_itch nettle_ecc_ecdsa_verify_itch /* High level ECDSA functions. * * A public key is represented as a struct ecc_point, and a private * key as a struct ecc_scalar. */ void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature); int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random); /* Low-level ECDSA functions. */ mp_size_t ecc_ecdsa_sign_itch (const struct ecc_curve *ecc); void ecc_ecdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch); mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc); int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch); #ifdef __cplusplus } #endif #endif /* NETTLE_ECDSA_H_INCLUDED */ nettle-4.0/ed25519-sha512-pubkey.c0000644000000000000000000000332015141166424013240 0ustar00/* ed25519-sha512-pubkey.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv) { const struct ecc_curve *ecc = &_nettle_curve25519; struct sha512_ctx ctx; uint8_t digest[SHA512_DIGEST_SIZE]; mp_size_t itch = ecc->q.size + _eddsa_public_key_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k scratch #define scratch_out (scratch + ecc->q.size) sha512_init (&ctx); _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k); _eddsa_public_key (ecc, k, pub, scratch_out); gmp_free_limbs (scratch, itch); #undef k #undef scratch_out } nettle-4.0/ed25519-sha512-sign.c0000644000000000000000000000357715141166424012717 0ustar00/* ed25519-sha512-sign.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve25519; mp_size_t itch = ecc->q.size + _eddsa_sign_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k2 scratch #define scratch_out (scratch + ecc->q.size) struct sha512_ctx ctx; uint8_t digest[SHA512_DIGEST_SIZE]; sha512_init (&ctx); _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k2); _eddsa_sign (ecc, &_nettle_ed25519_sha512, &ctx, pub, digest + ED25519_KEY_SIZE, k2, length, msg, signature, scratch_out); gmp_free_limbs (scratch, itch); #undef k1 #undef k2 #undef scratch_out } nettle-4.0/ed25519-sha512-verify.c0000644000000000000000000000351515141166424013253 0ustar00/* ed25519-sha512-verify.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve25519; mp_size_t itch = 3*ecc->p.size + _eddsa_verify_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); struct sha512_ctx ctx; int res; #define A scratch #define scratch_out (scratch + 3*ecc->p.size) sha512_init (&ctx); res = (_eddsa_decompress (ecc, A, pub, scratch_out) && _eddsa_verify (ecc, &_nettle_ed25519_sha512, pub, A, &ctx, length, msg, signature, scratch_out)); gmp_free_limbs (scratch, itch); return res; #undef A #undef scratch_out } nettle-4.0/ed25519-sha512.c0000644000000000000000000000267115141166424011753 0ustar00/* ed25519-sha512.c Copyright (C) 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa-internal.h" #include "nettle-types.h" #include "sha2.h" static nettle_eddsa_dom_func ed25519_dom; static void ed25519_dom(void *ctx UNUSED) {} const struct ecc_eddsa _nettle_ed25519_sha512 = { (nettle_hash_update_func *) sha512_update, (nettle_hash_digest_func *) sha512_digest, ed25519_dom, ~(mp_limb_t) 7, (mp_limb_t) 1 << (254 % GMP_NUMB_BITS), }; nettle-4.0/ed448-shake256-pubkey.c0000644000000000000000000000334715141166424013430 0ustar00/* ed448-shake256-pubkey.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "eddsa-internal.h" #include "sha3.h" void ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv) { const struct ecc_curve *ecc = &_nettle_curve448; struct sha3_ctx ctx; uint8_t digest[ED448_SIGNATURE_SIZE]; mp_size_t itch = ecc->q.size + _eddsa_public_key_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k scratch #define scratch_out (scratch + ecc->q.size) sha3_init (&ctx); _eddsa_expand_key (ecc, &_nettle_ed448_shake256, &ctx, priv, digest, k); _eddsa_public_key (ecc, k, pub, scratch_out); gmp_free_limbs (scratch, itch); #undef k #undef scratch_out } nettle-4.0/ed448-shake256-sign.c0000644000000000000000000000365315141166424013071 0ustar00/* ed448-shake256-sign.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "eddsa-internal.h" #include "sha3.h" void ed448_shake256_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve448; const struct ecc_eddsa *eddsa = &_nettle_ed448_shake256; mp_size_t itch = ecc->q.size + _eddsa_sign_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k2 scratch #define scratch_out (scratch + ecc->q.size) struct sha3_ctx ctx; uint8_t digest[ED448_SIGNATURE_SIZE]; sha3_init (&ctx); _eddsa_expand_key (ecc, eddsa, &ctx, priv, digest, k2); _eddsa_sign (ecc, eddsa, &ctx, pub, digest + ED448_KEY_SIZE, k2, length, msg, signature, scratch_out); gmp_free_limbs (scratch, itch); #undef k1 #undef k2 #undef scratch_out } nettle-4.0/ed448-shake256-verify.c0000644000000000000000000000402215141166424013424 0ustar00/* ed448-shake256-verify.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "ecc-internal.h" #include "eddsa-internal.h" #include "sha3.h" int ed448_shake256_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve448; mp_size_t itch = 3*ecc->p.size + _eddsa_verify_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); struct sha3_ctx ctx; int res; #define A scratch #define scratch_out (scratch + 3*ecc->p.size) sha3_init (&ctx); /* By RFC 8032, the final octet of the signature must be always zero. Checked here, and ignored by the internal _eddsa_verify. */ res = (signature[ED448_SIGNATURE_SIZE - 1] == 0 && _eddsa_decompress (ecc, A, pub, scratch_out) && _eddsa_verify (ecc, &_nettle_ed448_shake256, pub, A, &ctx, length, msg, signature, scratch_out)); gmp_free_limbs (scratch, itch); return res; #undef A #undef scratch_out } nettle-4.0/ed448-shake256.c0000644000000000000000000000332015141166424012122 0ustar00/* ed448-shake256.c Copyright (C) 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "eddsa-internal.h" #include "nettle-types.h" #include "sha3.h" #define DOM_SIZE 10 static nettle_eddsa_dom_func ed448_dom; static void ed448_dom(void *ctx) { static const uint8_t dom[DOM_SIZE] = { 'S', 'i', 'g', 'E', 'd', '4', '4', '8', 0, 0}; sha3_256_update (ctx, DOM_SIZE, dom); } static void ed448_digest(struct sha3_ctx *ctx, uint8_t *digest) { sha3_256_shake(ctx, 2*ED448_KEY_SIZE, digest); } const struct ecc_eddsa _nettle_ed448_shake256 = { (nettle_hash_update_func *) sha3_256_update, (nettle_hash_digest_func *) ed448_digest, ed448_dom, ~(mp_limb_t) 3, (mp_limb_t) 1 << (447 % GMP_NUMB_BITS), }; nettle-4.0/eddsa-compress.c0000644000000000000000000000344315141166424012663 0ustar00/* eddsa-compress.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "gmp-glue.h" mp_size_t _eddsa_compress_itch (const struct ecc_curve *ecc) { return 2*ecc->p.size + ecc->h_to_a_itch; } void _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, mp_limb_t *scratch) { #define xp scratch #define yp (scratch + ecc->p.size) #define scratch_out (scratch + 2*ecc->p.size) size_t nbytes = 1 + ecc->p.bit_size / 8; ecc->h_to_a (ecc, 0, xp, p, scratch_out); /* Encoding is the y coordinate and an appended "sign" bit, which is the low bit of x. The sign bit is stored as the most significant bit of the last byte. */ mpn_get_base256_le (r, nbytes, yp, ecc->p.size); r[nbytes - 1] += (xp[0] & 1) << 7; } nettle-4.0/eddsa-decompress.c0000644000000000000000000000611615141166424013174 0ustar00/* eddsa-decompress.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "gmp-glue.h" mp_size_t _eddsa_decompress_itch (const struct ecc_curve *ecc) { return 4*ecc->p.size + ecc->p.sqrt_ratio_itch; } int _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, const uint8_t *cp, mp_limb_t *scratch) { mp_limb_t sign, cy; mp_size_t nlimbs; size_t nbytes; int res; #define xp p #define yp (p + ecc->p.size) #define y2 scratch #define vp (scratch + ecc->p.size) #define up scratch #define tp (scratch + 2*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) nbytes = 1 + ecc->p.bit_size / 8; /* By RFC 8032, sign bit is always the most significant bit of the last byte. */ sign = cp[nbytes-1] >> 7; /* May need an extra limb. */ nlimbs = (nbytes * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS; assert (nlimbs <= ecc->p.size + 1); mpn_set_base256_le (scratch, nlimbs, cp, nbytes); /* Clear out the sign bit */ scratch[nlimbs - 1] &= ((mp_limb_t) 1 << ((nbytes * 8 - 1) % GMP_NUMB_BITS)) - 1; mpn_copyi (yp, scratch, ecc->p.size); /* Check range. */ if (nlimbs > ecc->p.size) res = is_zero_limb (scratch[nlimbs - 1]); else res = 1; /* For a valid input, y < p, so subtraction should underflow. */ res &= mpn_sub_n (scratch, scratch, ecc->p.m, ecc->p.size); ecc_mod_sqr (&ecc->p, y2, yp, y2); ecc_mod_mul (&ecc->p, vp, y2, ecc->b, vp); ecc_mod_sub (&ecc->p, vp, vp, ecc->unit); /* The sign is different between curve25519 and curve448. */ if (ecc->p.bit_size == 255) ecc_mod_sub (&ecc->p, up, ecc->unit, y2); else ecc_mod_sub (&ecc->p, up, y2, ecc->unit); res &= ecc->p.sqrt_ratio (&ecc->p, tp, up, vp, scratch_out); cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, tp, ecc->p.size); sign ^= xp[0] & 1; mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size); cnd_copy (sign, xp, tp, ecc->p.size); /* Fails if the square root is zero but (original) sign was 1 */ res &= mpn_sub_n (tp, xp, ecc->p.m, ecc->p.size); return res; } nettle-4.0/eddsa-expand.c0000644000000000000000000000373415141166424012312 0ustar00/* eddsa-expand.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" /* Expands a private key, generating the secret scalar K2 and leaving the key K1 for nonce generation, at the end of the digest. */ void _eddsa_expand_key (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *key, uint8_t *digest, mp_limb_t *k2) { size_t nbytes = 1 + ecc->p.bit_size / 8; eddsa->update (ctx, nbytes, key); eddsa->digest (ctx, digest); /* For ed448, ignores the most significant byte. */ mpn_set_base256_le (k2, ecc->p.size, digest, (ecc->p.bit_size + 7) / 8); /* Clear low c bits */ k2[0] &= eddsa->low_mask; /* Clear higher bits. */ k2[ecc->p.size - 1] &= eddsa->high_bit - 1; /* Set bit number bit_size - 1 (bit 254 for curve25519, bit 447 for curve448) */ k2[ecc->p.size - 1] |= eddsa->high_bit; } nettle-4.0/eddsa-hash.c0000644000000000000000000000447415141166424011760 0ustar00/* eddsa-hash.c Copyright (C) 2014, 2019 Niels Möller Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" /* Convert hash digest to integer, and reduce canonically modulo q. Needs space for 2*m->size + 1 at rp. */ void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, size_t digest_size, const uint8_t *digest) { mp_size_t nlimbs = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (digest_size); mp_limb_t cy; mpn_set_base256_le (rp, nlimbs, digest, digest_size); if (nlimbs > 2*m->size) { /* Special case for Ed448: reduce rp to 2*m->size limbs. After decoding rp from a hash of size 2*rn: rp = r2 || r1 || r0 where r0 and r1 have m->size limbs. Reduce this to: rp = r1' || r0 where r1' has m->size limbs. */ mp_limb_t hi = rp[2*m->size]; assert (nlimbs == 2*m->size + 1); hi = mpn_addmul_1 (rp + m->size, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size); assert_maybe (hi == 0); } m->mod (m, rp + m->size , rp); /* Ensure canonical reduction. */ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); cnd_copy (cy, rp, rp + m->size, m->size); } nettle-4.0/eddsa-internal.h0000644000000000000000000000725215141166424012653 0ustar00/* eddsa.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EDDSA_INTERNAL_H #define NETTLE_EDDSA_INTERNAL_H #include "nettle-types.h" #include "bignum.h" #define _eddsa_compress _nettle_eddsa_compress #define _eddsa_compress_itch _nettle_eddsa_compress_itch #define _eddsa_decompress _nettle_eddsa_decompress #define _eddsa_decompress_itch _nettle_eddsa_decompress_itch #define _eddsa_hash _nettle_eddsa_hash #define _eddsa_expand_key _nettle_eddsa_expand_key #define _eddsa_sign _nettle_eddsa_sign #define _eddsa_sign_itch _nettle_eddsa_sign_itch #define _eddsa_verify _nettle_eddsa_verify #define _eddsa_verify_itch _nettle_eddsa_verify_itch #define _eddsa_public_key_itch _nettle_eddsa_public_key_itch #define _eddsa_public_key _nettle_eddsa_public_key /* Low-level internal functions */ struct ecc_curve; struct ecc_modulo; typedef void nettle_eddsa_dom_func(void *ctx); struct ecc_eddsa { /* Hash function to use, digest size must be 2*key-size. */ nettle_hash_update_func *update; nettle_hash_digest_func *digest; nettle_eddsa_dom_func *dom; /* For generating the secret scalar */ mp_limb_t low_mask; mp_limb_t high_bit; }; extern const struct ecc_eddsa _nettle_ed25519_sha512; extern const struct ecc_eddsa _nettle_ed448_shake256; mp_size_t _eddsa_compress_itch (const struct ecc_curve *ecc); void _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, mp_limb_t *scratch); mp_size_t _eddsa_decompress_itch (const struct ecc_curve *ecc); int _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, const uint8_t *cp, mp_limb_t *scratch); void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, size_t digest_size, const uint8_t *digest); mp_size_t _eddsa_sign_itch (const struct ecc_curve *ecc); void _eddsa_sign (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *pub, const uint8_t *k1, const mp_limb_t *k2, size_t length, const uint8_t *msg, uint8_t *signature, mp_limb_t *scratch); mp_size_t _eddsa_verify_itch (const struct ecc_curve *ecc); int _eddsa_verify (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, const uint8_t *pub, const mp_limb_t *A, void *ctx, size_t length, const uint8_t *msg, const uint8_t *signature, mp_limb_t *scratch); void _eddsa_expand_key (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *key, uint8_t *digest, mp_limb_t *k2); mp_size_t _eddsa_public_key_itch (const struct ecc_curve *ecc); void _eddsa_public_key (const struct ecc_curve *ecc, const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch); #endif /* NETTLE_EDDSA_INTERNAL_H */ nettle-4.0/eddsa-pubkey.c0000644000000000000000000000314415141166424012325 0ustar00/* eddsa-pubkey.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" mp_size_t _eddsa_public_key_itch (const struct ecc_curve *ecc) { assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc)); return 3*ecc->p.size + _eddsa_compress_itch (ecc); } void _eddsa_public_key (const struct ecc_curve *ecc, const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch) { #define P scratch #define scratch_out (scratch + 3*ecc->p.size) ecc->mul_g (ecc, P, k, scratch_out); _eddsa_compress (ecc, pub, P, scratch_out); #undef P #undef scratch_out } nettle-4.0/eddsa-sign.c0000644000000000000000000000666315141166424011777 0ustar00/* eddsa-sign.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-meta.h" mp_size_t _eddsa_sign_itch (const struct ecc_curve *ecc) { assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc)); return 5*ecc->p.size + _eddsa_compress_itch (ecc); } void _eddsa_sign (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *pub, const uint8_t *k1, const mp_limb_t *k2, size_t length, const uint8_t *msg, uint8_t *signature, mp_limb_t *scratch) { mp_size_t size; size_t nbytes; mp_limb_t q, cy; #define rp scratch #define hp (scratch + size) #define P (scratch + 2*size) #define sp (scratch + 2*size) #define hash ((uint8_t *) (scratch + 3*size)) #define scratch_out (scratch + 5*size) size = ecc->p.size; nbytes = 1 + ecc->p.bit_size / 8; eddsa->dom (ctx); eddsa->update (ctx, nbytes, k1); eddsa->update (ctx, length, msg); eddsa->digest (ctx, hash); _eddsa_hash (&ecc->q, rp, 2*nbytes, hash); ecc->mul_g (ecc, P, rp, scratch_out); _eddsa_compress (ecc, signature, P, scratch_out); eddsa->dom (ctx); eddsa->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, pub); eddsa->update (ctx, length, msg); eddsa->digest (ctx, hash); _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); ecc_mod_mul (&ecc->q, sp, hp, k2, sp); ecc_mod_add (&ecc->q, sp, sp, rp); /* FIXME: Can be plain add */ if (ecc->p.bit_size == 255) { /* FIXME: Special code duplicated in ecc_curve25519_modq Define a suitable method for canonical reduction? */ /* q is slightly larger than 2^252, underflow from below mpn_submul_1 is unlikely. */ unsigned shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); q = sp[ecc->p.size-1] >> shift; } else { unsigned shift; assert (ecc->p.bit_size == 448); /* q is slightly smaller than 2^446 */ shift = 446 - GMP_NUMB_BITS * (ecc->p.size - 1); /* Add one, then it's possible but unlikely that below mpn_submul_1 does *not* underflow. */ q = (sp[ecc->p.size-1] >> shift) + 1; } cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, q); assert_maybe (cy < 2); cy -= mpn_cnd_add_n (cy, sp, sp, ecc->q.m, ecc->p.size); assert_maybe (cy == 0); mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size); #undef rp #undef hp #undef P #undef sp #undef hash } nettle-4.0/eddsa-verify.c0000644000000000000000000000712415141166424012334 0ustar00/* eddsa-verify.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-meta.h" /* Checks if x1/z1 == x2/z2 (mod p). Assumes z1 and z2 are non-zero. */ static int equal_h (const struct ecc_modulo *p, const mp_limb_t *x1, const mp_limb_t *z1, const mp_limb_t *x2, const mp_limb_t *z2, mp_limb_t *scratch) { #define t0 scratch #define t1 (scratch + p->size) ecc_mod_mul_canonical (p, t0, x1, z2, t0); ecc_mod_mul_canonical (p, t1, x2, z1, t1); return mpn_cmp (t0, t1, p->size) == 0; #undef t0 #undef t1 } mp_size_t _eddsa_verify_itch (const struct ecc_curve *ecc) { assert (_eddsa_decompress_itch (ecc) <= ecc->mul_itch); return 8*ecc->p.size + ecc->mul_itch; } int _eddsa_verify (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, const uint8_t *pub, const mp_limb_t *A, void *ctx, size_t length, const uint8_t *msg, const uint8_t *signature, mp_limb_t *scratch) { size_t nbytes; #define R scratch #define sp (scratch + 2*ecc->p.size) #define hp (scratch + 3*ecc->p.size) #define P (scratch + 5*ecc->p.size) #define scratch_out (scratch + 8*ecc->p.size) #define S R #define hash ((uint8_t *) P) nbytes = 1 + ecc->p.bit_size / 8; /* Could maybe save some storage by delaying the R and S operations, but it makes sense to check them for validity up front. */ if (!_eddsa_decompress (ecc, R, signature, R+2*ecc->p.size)) return 0; /* For Ed448, this conversion reads only the significant 56 octets of the encoding of S. By RFC 8032, S is encoded with a redundant always-zero byte at the end, which should be checked by the caller. */ mpn_set_base256_le (sp, ecc->q.size, signature + nbytes, nbytes); /* Check that s < q */ if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0) return 0; eddsa->dom (ctx); eddsa->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, pub); eddsa->update (ctx, length, msg); eddsa->digest (ctx, hash); _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); /* Compute h A + R - s G, which should be the neutral point */ ecc->mul (ecc, P, hp, A, scratch_out); ecc->add_hh (ecc, P, P, R, scratch_out); /* Move out of the way. */ mpn_copyi (hp, sp, ecc->q.size); ecc->mul_g (ecc, S, hp, scratch_out); return equal_h (&ecc->p, P, P + 2*ecc->p.size, S, S + 2*ecc->p.size, scratch_out) && equal_h (&ecc->p, P + ecc->p.size, P + 2*ecc->p.size, S + ecc->p.size, S + 2*ecc->p.size, scratch_out); #undef R #undef sp #undef hp #undef P #undef S } nettle-4.0/eddsa.h0000644000000000000000000000466615141166424011047 0ustar00/* eddsa.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EDDSA_H #define NETTLE_EDDSA_H #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ed25519_sha512_set_private_key nettle_ed25519_sha512_set_private_key #define ed25519_sha512_public_key nettle_ed25519_sha512_public_key #define ed25519_sha512_sign nettle_ed25519_sha512_sign #define ed25519_sha512_verify nettle_ed25519_sha512_verify #define ed448_shake256_public_key nettle_ed448_shake256_public_key #define ed448_shake256_sign nettle_ed448_shake256_sign #define ed448_shake256_verify nettle_ed448_shake256_verify #define ED25519_KEY_SIZE 32 #define ED25519_SIGNATURE_SIZE 64 void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv); void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); #define ED448_KEY_SIZE 57 #define ED448_SIGNATURE_SIZE 114 void ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv); void ed448_shake256_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int ed448_shake256_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); #ifdef __cplusplus } #endif #endif /* NETTLE_EDDSA_H */ nettle-4.0/examples/0000755000000000000000000000000015141166425011421 5ustar00nettle-4.0/examples/Makefile.in0000644000000000000000000001116515141166425013472 0ustar00@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. OPENSSL_LIBFLAGS = @OPENSSL_LIBFLAGS@ BENCH_LIBS = @BENCH_LIBS@ -lm HOGWEED_TARGETS = rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT) \ rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT) \ random-prime$(EXEEXT) \ hogweed-benchmark$(EXEEXT) ecc-benchmark$(EXEEXT) ENC_TARGETS = base16enc$(EXEEXT) base16dec$(EXEEXT) \ base64enc$(EXEEXT) base64dec$(EXEEXT) TARGETS = nettle-benchmark$(EXEEXT) \ $(ENC_TARGETS) @IF_HOGWEED@ $(HOGWEED_TARGETS) SOURCES = nettle-benchmark.c hogweed-benchmark.c ecc-benchmark.c \ random-prime.c \ nettle-openssl.c \ io.c read_rsa_key.c \ rsa-encrypt.c rsa-decrypt.c rsa-keygen.c rsa-sign.c rsa-verify.c \ base16enc.c base16dec.c base64enc.c base64dec.c timing.c GETOPT_OBJS = ../getopt.$(OBJEXT) ../getopt1.$(OBJEXT) TS_ALL = rsa-sign-test rsa-verify-test rsa-encrypt-test DISTFILES= $(SOURCES) Makefile.in $(TS_ALL) setup-env teardown-env \ io.h rsa-session.h timing.h all: $(TARGETS) %.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) # NOTE: If we required GNU make, we could use a single rule with $(@F) # or $(notdir $@) ../getopt.$(OBJEXT): ( cd .. && $(MAKE) getopt.$(OBJEXT)) ../getopt1.$(OBJEXT): ( cd .. && $(MAKE) getopt1.$(OBJEXT)) ../non-nettle.$(OBJEXT): ( cd .. && $(MAKE) non-nettle.$(OBJEXT)) # For Solaris and BSD make, we have to use an explicit rule for each executable random-prime$(EXEEXT): random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) $(LINK) random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o random-prime$(EXEEXT) rsa-keygen$(EXEEXT): rsa-keygen.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) $(LINK) rsa-keygen.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT): rsa-sign.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-sign.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-sign$(EXEEXT) rsa-verify$(EXEEXT): rsa-verify.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-verify.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT): rsa-encrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(GETOPT_OBJS) $(LINK) rsa-encrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT): rsa-decrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-decrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-decrypt$(EXEEXT) base16enc$(EXEEXT): base16enc.$(OBJEXT) io.$(OBJEXT) $(LINK) base16enc.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base16enc$(EXEEXT) base16dec$(EXEEXT): base16dec.$(OBJEXT) io.$(OBJEXT) $(LINK) base16dec.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base16dec$(EXEEXT) base64enc$(EXEEXT): base64enc.$(OBJEXT) io.$(OBJEXT) $(LINK) base64enc.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base64enc$(EXEEXT) base64dec$(EXEEXT): base64dec.$(OBJEXT) io.$(OBJEXT) $(LINK) base64dec.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base64dec$(EXEEXT) BENCH_OBJS = nettle-benchmark.$(OBJEXT) nettle-openssl.$(OBJEXT) \ $(GETOPT_OBJS) ../non-nettle.$(OBJEXT) timing.$(OBJEXT) nettle-benchmark$(EXEEXT): $(BENCH_OBJS) $(LINK) $(BENCH_OBJS) -lnettle $(BENCH_LIBS) $(OPENSSL_LIBFLAGS) -o nettle-benchmark$(EXEEXT) ECC_BENCH_OBJS = ecc-benchmark.$(OBJEXT) timing.$(OBJEXT) ecc-benchmark$(EXEEXT): $(ECC_BENCH_OBJS) $(LINK) $(ECC_BENCH_OBJS) -lhogweed -lnettle $(BENCH_LIBS) $(LIBS) \ -o ecc-benchmark$(EXEEXT) HOGWEED_BENCH_OBJS = hogweed-benchmark.$(OBJEXT) timing.$(OBJEXT) hogweed-benchmark$(EXEEXT): $(HOGWEED_BENCH_OBJS) $(LINK) $(HOGWEED_BENCH_OBJS) \ -lhogweed -lnettle $(BENCH_LIBS) $(LIBS) $(OPENSSL_LIBFLAGS) \ -o hogweed-benchmark$(EXEEXT) $(TARGETS) : io.$(OBJEXT) ../libnettle.stamp $(HOGWEED_TARGETS): ../libhogweed.stamp check: $(TS_ALL) TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" EMULATOR="$(EMULATOR)" EXEEXT="$(EXEEXT)" \ "$(top_srcdir)"/run-tests $(TS_ALL) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status examples/$@ install uninstall: true # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, equivalent for phony targets. distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h -include $(SOURCES:.c=.$(OBJEXT).d) nettle-4.0/examples/base16dec.c0000644000000000000000000000564715141166425013336 0ustar00/* base16dec -- an decoder for base16 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base16.h" #include "io.h" #define CHUNK_SIZE 16392 /* The maximum number of bytes generated for each chunk: */ #define DECODED_SIZE BASE16_DECODE_LENGTH(CHUNK_SIZE) /* * Reads base-16 encoded from stdin, writes decoded to stdout. */ int main(int argc UNUSED, char **argv UNUSED) { /* "buffer" will hold the bytes from disk: */ char * buffer = xalloc (CHUNK_SIZE); /* "result" will hold bytes before output: */ uint8_t * result = xalloc (DECODED_SIZE); /* We need a Base16 context for decoding: */ struct base16_decode_ctx b16_ctx; /* Init the context: */ base16_decode_init (&b16_ctx); #ifdef WIN32 _setmode(1, O_BINARY); #endif for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ size_t result_size = DECODED_SIZE; nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); if (nbytes < CHUNK_SIZE && ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } /* Decodes one chunk: */ if (!base16_decode_update(&b16_ctx, &result_size, result, nbytes, buffer)) { werror ("Error decoding input (not base16?)\n"); return EXIT_FAILURE; } if (!write_data (stdout, result_size, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (nbytes < CHUNK_SIZE) { /* Check if decoding finalized OK: */ if (!base16_decode_final(&b16_ctx)) { werror("Decoding did not finish properly.\n"); return EXIT_FAILURE; } break; } } if (fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } free (buffer); free (result); return EXIT_SUCCESS; } nettle-4.0/examples/base16enc.c0000644000000000000000000000543715141166425013345 0ustar00/* base16enc -- an encoder for base16 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base16.h" #include "io.h" /* The number of bytes read in each iteration, we do one line at a time: */ #define CHUNK_SIZE 36 /* The *maximum* size of an encoded chunk: */ #define ENCODED_SIZE BASE16_ENCODE_LENGTH(CHUNK_SIZE) /* * Reads bytes from standard input and writes base64-encoded * on standard output. */ int main(int argc UNUSED, char **argv UNUSED) { #ifdef WIN32 _setmode(0, O_BINARY); #endif /* There is no context to initialize. */ for (;;) { /* "buffer" will hold the bytes from disk: */ uint8_t buffer[CHUNK_SIZE]; /* "result" will hold bytes before output: */ char result[ENCODED_SIZE + 1]; unsigned nbytes; /* Number of bytes read from stdin */ int encoded_bytes; /* Total number of bytes encoded per iteration */ nbytes = fread(buffer,1,CHUNK_SIZE,stdin); /* We overwrite result with more data */ base16_encode_update(result, nbytes, buffer); encoded_bytes = BASE16_ENCODE_LENGTH(nbytes); result[encoded_bytes++] = '\n'; if (nbytes < CHUNK_SIZE) { if (ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (!write_data (stdout, encoded_bytes, result) || fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } return EXIT_SUCCESS; } /* The result vector is printed */ if (!write_data(stdout, encoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } } } nettle-4.0/examples/base64dec.c0000644000000000000000000000571115141166425013331 0ustar00/* base64dec -- an decoder for base64 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base64.h" #include "io.h" #define CHUNK_SIZE 16392 /* The maximum number of bytes generated for each chunk: */ #define DECODED_SIZE BASE64_DECODE_LENGTH(CHUNK_SIZE) /* * Reads base-64 encoded from stdin, writes decoded to stdout. */ int main(int argc UNUSED, char **argv UNUSED) { /* "buffer" will hold the bytes from disk: */ char * buffer = xalloc (CHUNK_SIZE); /* "result" will hold bytes before output: */ uint8_t * result = xalloc (DECODED_SIZE); /* We need a Base64 context for decoding: */ struct base64_decode_ctx b64_ctx; /* Init the context: */ base64_decode_init(&b64_ctx); #ifdef WIN32 _setmode(1, O_BINARY); #endif for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ size_t decoded_bytes; /* Bytes actually generated at each iteration */ nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); if (nbytes < CHUNK_SIZE && ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } /* Decodes one chunk: */ if (!base64_decode_update(&b64_ctx, &decoded_bytes, result, nbytes, buffer)) { werror ("Error decoding input (not base64?)\n"); return EXIT_FAILURE; } if (!write_data (stdout, decoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (nbytes < CHUNK_SIZE) { /* Check if decoding finalized OK: */ if (!base64_decode_final(&b64_ctx)) { werror ("Decoding did not finish properly.\n"); return EXIT_FAILURE; } break; } } if (fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } free (buffer); free (result); return EXIT_SUCCESS; } nettle-4.0/examples/base64enc.c0000644000000000000000000000565415141166425013351 0ustar00/* base64enc -- an encoder for base64 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base64.h" #include "io.h" /* The number of bytes read in each iteration, we do one line at a time: */ #define CHUNK_SIZE 54 /* The *maximum* size of an encoded chunk: */ #define ENCODED_SIZE BASE64_ENCODE_LENGTH(CHUNK_SIZE) /* * Reads bytes from standard input and writes base64-encoded * on standard output. */ int main(int argc UNUSED, char **argv UNUSED) { struct base64_encode_ctx b64_ctx; /* Init the context: */ base64_encode_init(&b64_ctx); #ifdef WIN32 _setmode(0, O_BINARY); #endif for (;;) { /* "buffer" will hold the bytes from disk: */ uint8_t buffer[CHUNK_SIZE]; /* "result" is the result vector: */ char result[ENCODED_SIZE + BASE64_ENCODE_FINAL_LENGTH + 1]; unsigned nbytes; /* Number of bytes read from stdin */ int encoded_bytes; /* total number of bytes encoded per iteration */ nbytes = fread(buffer,1,CHUNK_SIZE,stdin); /* We overwrite result with more data */ encoded_bytes = base64_encode_update(&b64_ctx, result, nbytes, buffer); if (nbytes < CHUNK_SIZE) { if (ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } encoded_bytes += base64_encode_final(&b64_ctx,result + encoded_bytes); result[encoded_bytes++] = '\n'; if (!write_data (stdout, encoded_bytes, result) || fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } return EXIT_SUCCESS; } /* The result vector is written */ result[encoded_bytes++] = '\n'; if (!write_data (stdout, encoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } } } nettle-4.0/examples/ecc-benchmark.c0000644000000000000000000001744115141166425014256 0ustar00/* ecc-benchmark.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include "timing.h" #include "../ecc.h" #include "../ecc-internal.h" #include "../gmp-glue.h" #define BENCH_INTERVAL 0.1 static void * xalloc (size_t size) { void *p = malloc (size); if (!p) { fprintf (stderr, "Virtual memory exhausted\n"); abort (); } return p; } static mp_limb_t * xalloc_limbs (mp_size_t size) { return xalloc (size * sizeof(mp_limb_t)); } /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; /* Warm up */ f(arg); for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls; } #if !NETTLE_USE_MINI_GMP static int modinv_gcd (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, mp_limb_t *tp) { mp_size_t size = ecc->p.size; mp_limb_t *up = tp; mp_limb_t *vp = tp + size+1; mp_limb_t *gp = tp + 2*(size+1); mp_limb_t *sp = tp + 3*(size+1); mp_size_t gn, sn; mpn_copyi (up, ap, size); mpn_copyi (vp, ecc->p.m, size); gn = mpn_gcdext (gp, sp, &sn, up, size, vp, size); if (gn != 1 || gp[0] != 1) return 0; if (sn < 0) mpn_sub (sp, ecc->p.m, size, sp, -sn); else if (sn < size) /* Zero-pad. */ mpn_zero (sp + sn, size - sn); mpn_copyi (rp, sp, size); return 1; } #endif struct ecc_ctx { const struct ecc_curve *ecc; mp_limb_t *rp; mp_limb_t *ap; mp_limb_t *bp; mp_limb_t *tp; }; static void bench_modp (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->p.mod (&ctx->ecc->p, ctx->rp, ctx->rp); } static void bench_reduce (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->p.reduce (&ctx->ecc->p, ctx->rp, ctx->rp); } static void bench_modq (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->q.mod(&ctx->ecc->q, ctx->rp, ctx->rp); } static void bench_pinv (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->p.invert (&ctx->ecc->p, ctx->rp, ctx->ap, ctx->tp); } static void bench_qinv (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->q.invert (&ctx->ecc->p, ctx->rp, ctx->ap, ctx->tp); } #if !NETTLE_USE_MINI_GMP static void bench_modinv_gcd (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp + ctx->ecc->p.size, ctx->ap, ctx->ecc->p.size); modinv_gcd (ctx->ecc, ctx->rp, ctx->rp + ctx->ecc->p.size, ctx->tp); } #endif #ifdef mpn_sec_powm static void bench_modinv_powm (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; const struct ecc_curve *ecc = ctx->ecc; mp_size_t size = ecc->p.size; mpn_sub_1 (ctx->rp + size, ecc->p.m, size, 2); mpn_sec_powm (ctx->rp, ctx->ap, size, ctx->rp + size, ecc->p.bit_size, ecc->p.m, size, ctx->tp); } #endif static void bench_dup_hh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->dup (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_add_hh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->add_hh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_add_hhh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->add_hhh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_mul_g (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->mul_g (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_mul_a (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->mul (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } #if NETTLE_USE_MINI_GMP static void mpn_random (mp_limb_t *xp, mp_size_t n) { mp_size_t i; for (i = 0; i < n; i++) xp[i] = rand(); } #endif static void bench_curve (const struct ecc_curve *ecc) { struct ecc_ctx ctx; double modp, reduce, modq, pinv, qinv, modinv_gcd, modinv_powm, dup_hh, add_hh, add_hhh, mul_g, mul_a; mp_limb_t mask; mp_size_t itch; ctx.ecc = ecc; ctx.rp = xalloc_limbs (3*ecc->p.size); ctx.ap = xalloc_limbs (3*ecc->p.size); ctx.bp = xalloc_limbs (3*ecc->p.size); itch = ecc->mul_itch; #ifdef mpn_sec_powm { mp_size_t powm_itch = mpn_sec_powm_itch (ecc->p.size, ecc->p.bit_size, ecc->p.size); if (powm_itch > itch) itch = powm_itch; } #endif ctx.tp = xalloc_limbs (itch); mpn_random (ctx.ap, 3*ecc->p.size); mpn_random (ctx.bp, 3*ecc->p.size); mask = (~(mp_limb_t) 0) >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); ctx.ap[ecc->p.size - 1] &= mask; ctx.ap[2*ecc->p.size - 1] &= mask; ctx.ap[3*ecc->p.size - 1] &= mask; ctx.bp[ecc->p.size - 1] &= mask; ctx.bp[2*ecc->p.size - 1] &= mask; ctx.bp[3*ecc->p.size - 1] &= mask; modp = time_function (bench_modp, &ctx); reduce = time_function (bench_reduce, &ctx); modq = time_function (bench_modq, &ctx); pinv = time_function (bench_pinv, &ctx); qinv = time_function (bench_qinv, &ctx); #if !NETTLE_USE_MINI_GMP modinv_gcd = time_function (bench_modinv_gcd, &ctx); #else modinv_gcd = 0; #endif #ifdef mpn_sec_powm modinv_powm = time_function (bench_modinv_powm, &ctx); #else modinv_powm = 0; #endif dup_hh = time_function (bench_dup_hh, &ctx); add_hh = time_function (bench_add_hh, &ctx); add_hhh = time_function (bench_add_hhh, &ctx); mul_g = time_function (bench_mul_g, &ctx); mul_a = time_function (bench_mul_a, &ctx); free (ctx.rp); free (ctx.ap); free (ctx.bp); free (ctx.tp); printf ("%4d %6.4f %6.4f %6.4f %6.2f %6.2f %6.3f %6.2f %6.3f %6.3f %6.3f %6.1f %6.1f\n", ecc->p.bit_size, 1e6 * modp, 1e6 * reduce, 1e6 * modq, 1e6 * pinv, 1e6 * qinv, 1e6 * modinv_gcd, 1e6 * modinv_powm, 1e6 * dup_hh, 1e6 * add_hh, 1e6 * add_hhh, 1e6 * mul_g, 1e6 * mul_a); } const struct ecc_curve * const curves[] = { &_nettle_secp_192r1, &_nettle_secp_224r1, &_nettle_curve25519, &_nettle_secp_256r1, &_nettle_secp_384r1, &_nettle_curve448, &_nettle_secp_521r1, &_nettle_gost_gc256b, &_nettle_gost_gc512a, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) int main (int argc UNUSED, char **argv UNUSED) { unsigned i; time_init(); printf ("%4s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s (us)\n", "size", "modp", "reduce", "modq", "pinv", "qinv", "mi_gcd", "mi_pow", "dup_hh", "add_hh", "ad_hhh", "mul_g", "mul_a"); for (i = 0; i < numberof (curves); i++) bench_curve (curves[i]); return EXIT_SUCCESS; } nettle-4.0/examples/hogweed-benchmark.c0000644000000000000000000007154115141166425015147 0ustar00/* hogweed-benchmark.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include #include "timing.h" #include "dsa.h" #include "rsa.h" #include "eddsa.h" #include "gostdsa.h" #include "curve25519.h" #include "curve448.h" #include "slh-dsa.h" #include "nettle-meta.h" #include "sexp.h" #include "knuth-lfib.h" #include "../ecdsa.h" #include "../ecc-internal.h" #include "../gmp-glue.h" #if WITH_OPENSSL #include #include #include #endif #define BENCH_INTERVAL 0.1 static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static void * xalloc (size_t size) { void *p = malloc (size); if (!p) { fprintf (stderr, "Virtual memory exhausted\n"); abort (); } return p; } static uint8_t * hash_string (const struct nettle_hash *hash, const char *s) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); hash->init (ctx); hash->update (ctx, strlen(s), (const uint8_t *) s); hash->digest (ctx, digest); free (ctx); return digest; } struct alg { const char *name; unsigned size; void *(*init) (unsigned size); void (*sign) (void *); void (*verify)(void *); void (*clear) (void *); }; /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; /* Warm up */ f(arg); for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls; } static void bench_alg (const struct alg *alg) { double sign; double verify; void *ctx; ctx = alg->init(alg->size); if (ctx == NULL) { printf("%16s %4d N/A\n", alg->name, alg->size); return; } sign = time_function (alg->sign, ctx); verify = time_function (alg->verify, ctx); alg->clear (ctx); if (sign < 0.02) printf ("%16s %4d %9.1f %9.1f\n", alg->name, alg->size, 1.0/sign, 1.0/verify); else printf ("%16s %4d %9.2f %9.2f\n", alg->name, alg->size, 1.0/sign, 1.0/verify); } struct rsa_ctx { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; uint8_t *digest; mpz_t s; }; static void * bench_rsa_init (unsigned size) { unsigned char rsa1024[] = "{KDExOnByaXZhdGUta2V5KDE0OnJzYS1wa2NzMS1zaGExKDE6bjEyOToA90+K5EmjbFJBeJD" " xP2KD2Df+0Twc9425uB+vhqTrVijtd2PnwEQDfR2VoducgkKcXJzYYyCNILQJbFAi2Km/sD" " jImERBqDtaI217Ze+tOKEmImexYTAgFuqEptp2F3M4DqgRQ7s/3nJQ/bPE5Hfi1OZhJSShu" " I80ATTU4fUgrPspKDE6ZTM6AQABKSgxOmQxMjk6APAhKckzvxxkWfHJOpXDACWnaSKcbbvo" " vtWK3pGr/F2ya7CrLtE+uOx5F1sLs9G+/7flCy5k4uNILIYg4VTirZ1zQ8fNKPrjK1VMRls" " JiRRU/0VAs9d7HdncJfs6rbvRQbCRSRYURo4hWir3Lq8V3UUQVBprc4dO+uWmplvwQ5qxKS" " gxOnA2NToA+8aIVkdbk8Jg8dJOuzc7m/hZnwkKSs6eVDw4N/2T0CJKGJYT+B3Ct+fPkxhUR" " ggd2DQ9OpkTra7SXHTNkzdPVSkoMTpxNjU6APt11P8vXNnGYF0OC/cPsR8zhSYuFmtRuX6G" " ES+DdG0VCU07UeNQkok1UoW5sXqY0IGr1jkJq8AMSgKoNbLQ6w8pKDE6YTY0Ohzkxsan/8F" " wQDHgQbrIduXKVXaj0fONzKu8EXOTfUAYf0pdBsOlnq/+QVsPIrS6v7oNHK253YFEG84SdX" " kcktUpKDE6YjY1OgCR+cRtY3RWY+f6/TWK9gwPndv03xpasLWrMm71ky1aSbT9pasS9+opR" " tAiGzthfSbFsBiLQgb3VOr+AeIybT+XKSgxOmM2NDojigqARWN5u1CVDVuD2L2ManpoGiM6" " kQ6FaJjqRjxeRRKFrQxGJa9tM1hqStxokC1oJidgaOLGnn60iwzToug9KSkp}"; unsigned char rsa2048[] = "{KDExOnByaXZhdGUta2V5KDE0OnJzYS1wa2NzMS1zaGExKDE6bjI1NzoAtxWXiglIdunDK48" " 8I0vW0wTqnh/riW9pLk8n1F8MUPBFdhvkkl0bDQqSJPUvSHy+w4fLVwcEzeI4qFyo3b2Avz" " JK20MFbt/WfHD1TbxuK8rNqXyqmqjJ9vgjtV9nPzAz7CM9ogs3/RJHpcfZPQF15ifizleUZ" " aQT0GAXHZL7cePj10yGI2u3hgTkokVzdNC/1T34guKYpErg0pt0B/KejWpsFTb84z3tkR+B" " YVx07p/OoByZwoABgncS/uALl31fRS8jyJ2JqUiZOqe7XoO9hkDHYNCWUGUfNGQ7ZgVp9+e" " NQpracSjrp6Jnrj7r/oxJUx5ZDVNi18AzQadE/oKOrSkoMTplMzoBAAEpKDE6ZDI1NjogBT" " C5vaHk2kF+LtDvw2XRBj0aZq7FHK0ioklvBSicR0l+vKYfSxVeFIk22YLphJfAjtFraRjYA" " Uaze3E1Rt1rkxoweupKV++lWAQvElOaaR/LErirz/Vysjdck1D1ZjLOi+NNofSq2DWbsvY1" " iznZhQRP3lVf6XBls0iXrYs4gb0pBZqXLQW+j9Ihx6eantf1/6ZMKPgCkzcAZ0ABsCfaFSg" " ouNCzilblsgFEspEbb8QqrNQoStS3F/gMwWgDsr3+vQzBqt+7ykWoCJ9wctbYy9kEPq+hX3" " GP0hG6HdS81r9E8pgdf3wloNNMzYUHwn7poXGpOi8tG0pmR56TqD/BKSgxOnAxMjk6AN4AJ" " TiGPm9We2ga3Y0jpTfA3mWpUbhYgaXYLWA1/riniwq16fqxRIkWQT/O2KKpBVe6WSvNYq9u" " lM8N6bdPtDytJs6AOXy0X5vtJ953ZYVMhHbhmUxhIL9I+s0O1+LxMF8b9U4CrFyaTxd8Un/" " FXP1BvYJRrkoup6HYvOlGx36lKSgxOnExMjk6ANMfrfH6z/3o7K56aW6kSiloDDbKZQ0+W5" " 8LzP2ZOBLf6LX6jLhN3olU1Z0KGTM0S/1AxvwGjuRqhu+LcOJ7oUCUH3uusR5c5nSnArYPq" " +0wbco4BQngot/HmGN7U0EDsIWqPt/qoa/b8bCk+TOwJlknNq/PnZU26SPj48XS05lpKSgx" " OmExMjk6AJM2n3gLNW3ZeH5BindkktQU9qWNkV5geqDCaNyrEZ3bpI1WsrEGSj9p3Zz1ipz" " a3msdbLJqQS26c72WKUzg8tFltR0s1HJInjolGtIgdNbfNdwrn9+RbQjL2VyPokOg0wXO4W" " 14wlmqDhax33dRJmfe50964MvaglkGA8fhorrtKSgxOmIxMjk6AKMe+vrX2xRHf3dfxU5jS" " ZmsdqNuxZzx7UB5kazvUU/kCJ1yNH/CSoq5LULkpovVgFDwV84qEwWQ+SjkCBg1hWWsDJc3" " ZkobZUQENigM+72LiYiQt/PlyHI2eRuEEdNN0nm0DFhdpQeHXLoq/RBerYJ8tdgpBYxgnMn" " KLhaOykbhKSgxOmMxMjg6MVlKj2bjb7qFQVkLO1OPg28jSrtRpnQCR+qegN4ZmNam/qbest" " 8yn0JQ6gxX7PvP382+jx7uHHWHYYqPq/Flf8gqtOOcjqS5TJgVHz3F3xHWquo1ZofGtCMro" " Dd2c0xjRjIVGvLV6Ngs+HRdljRav40vRpTyEoEdlzHBQiILesopKSk=}"; struct rsa_ctx *ctx; struct sexp_iterator i; int res; ctx = xalloc(sizeof(*ctx)); rsa_public_key_init (&ctx->pub); rsa_private_key_init (&ctx->key); mpz_init (ctx->s); knuth_lfib_init (&ctx->lfib, 1); /* NOTE: Base64-decodes the strings in-place */ if (size == 1024) res = sexp_transport_iterator_first (&i, sizeof(rsa1024) - 1, rsa1024); else if (size == 2048) res = sexp_transport_iterator_first (&i, sizeof(rsa2048) - 1, rsa2048); else die ("Internal error.\n"); if (! (res && sexp_iterator_check_type (&i, "private-key") && sexp_iterator_check_type (&i, "rsa-pkcs1-sha1") && rsa_keypair_from_sexp_alist (&ctx->pub, &ctx->key, 0, &i))) die ("Internal error.\n"); ctx->digest = hash_string (&nettle_sha256, "foo"); rsa_sha256_sign_digest (&ctx->key, ctx->digest, ctx->s); return ctx; } static void bench_rsa_sign (void *p) { struct rsa_ctx *ctx = p; mpz_t s; mpz_init (s); rsa_sha256_sign_digest (&ctx->key, ctx->digest, s); mpz_clear (s); } static void bench_rsa_sign_tr (void *p) { struct rsa_ctx *ctx = p; mpz_t s; mpz_init (s); rsa_sha256_sign_digest_tr (&ctx->pub, &ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, ctx->digest, s); mpz_clear (s); } static void bench_rsa_verify (void *p) { struct rsa_ctx *ctx = p; if (! rsa_sha256_verify_digest (&ctx->pub, ctx->digest, ctx->s)) die ("Internal error, rsa_sha256_verify_digest failed.\n"); } static void bench_rsa_clear (void *p) { struct rsa_ctx *ctx = p; rsa_public_key_clear (&ctx->pub); rsa_private_key_clear (&ctx->key); mpz_clear (ctx->s); free (ctx->digest); free (ctx); } struct dsa_ctx { struct dsa_params params; mpz_t pub; mpz_t key; struct knuth_lfib_ctx lfib; struct dsa_signature s; uint8_t *digest; }; static void * bench_dsa_init (unsigned size) { struct dsa_ctx *ctx; struct sexp_iterator i; unsigned char dsa1024[] = "{KDExOnByaXZhdGUta2V5KDM6ZHNhKDE6cDEyOToA2q4hOXEClLMXXMOl9xaPcGC/GeGmCMv" " VCaaW0uWc50DvvmJDPQPdCehyfZr/1dv2UDbx06TC7ls/IFd+BsDzGBRxqIQ44J20cn+0gt" " NMIXAocE1QhCCFaT5gXrk8zMlqBEGaP3RdpgxNanEXkTj2Wma8r1GtrLX3HPafio62jicpK" " DE6cTIxOgDN9pcW3exdVAesC9WsxwCGoJK24ykoMTpnMTI5OgCJr9DmKdiE0WJZB7HACESv" " Tpg1qZgc8E15byQ+OsHUyOTRrJRTcrgKZJW7dFRJ9cXmyi7XYCd3bJtu/2HRHLY1vd4qMvU" " 7Y8x08ooCoABGV7nGqcmdQfEho1OY6TZh2NikmPKZLeur3PZFpcZ8Dl+KVWtwC55plNC7Om" " iAQy8MaCkoMTp5MTI5OgDakk0LOUQwzOKt9FHOBmBKrWsvTm7549eScTUqH4OMm3btjUsXz" " MmlqEe+imwQCOW/AE3Xw9pXZeETWK0jlLe8k5vnKcNskerFwZ1eQKtOPPQty8IqQ9PEfF6B" " 0oVQiJg2maHUDWFnDkIBd7ZR1z8FnZMUxH9mH4kEUo6YQgtCdykoMTp4MjA6cOl3ijiiMjI" " pesFD8jxESWb2mn8pKSk=}"; ctx = xalloc(sizeof(*ctx)); dsa_params_init (&ctx->params); mpz_init (ctx->pub); mpz_init (ctx->key); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 1); if (size != 1024) die ("Internal error.\n"); if (! (sexp_transport_iterator_first (&i, sizeof(dsa1024) - 1, dsa1024) && sexp_iterator_check_type (&i, "private-key") && sexp_iterator_check_type (&i, "dsa") && dsa_keypair_from_sexp_alist (&ctx->params, ctx->pub, ctx->key, 0, DSA_SHA1_Q_BITS, &i)) ) die ("Internal error.\n"); ctx->digest = hash_string (&nettle_sha1, "foo"); dsa_sign (&ctx->params, ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s); return ctx; } static void bench_dsa_sign (void *p) { struct dsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); dsa_sign (&ctx->params, ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, SHA1_DIGEST_SIZE, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_dsa_verify (void *p) { struct dsa_ctx *ctx = p; if (! dsa_verify (&ctx->params, ctx->pub, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s)) die ("Internal error, dsa_sha1_verify_digest failed.\n"); } static void bench_dsa_clear (void *p) { struct dsa_ctx *ctx = p; dsa_params_clear (&ctx->params); mpz_clear (ctx->pub); mpz_clear (ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } struct ecdsa_ctx { struct ecc_point pub; struct ecc_scalar key; struct knuth_lfib_ctx lfib; unsigned digest_size; uint8_t *digest; struct dsa_signature s; }; static void * bench_ecdsa_init (unsigned size) { struct ecdsa_ctx *ctx; const struct ecc_curve *ecc; const char *xs; const char *ys; const char *zs; mpz_t x, y, z; ctx = xalloc (sizeof(*ctx)); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 17); switch (size) { case 192: ecc = &_nettle_secp_192r1; xs = "8e8e07360350fb6b7ad8370cfd32fa8c6bba785e6e200599"; ys = "7f82ddb58a43d59ff8dc66053002b918b99bd01bd68d6736"; zs = "f2e620e086d658b4b507996988480917640e4dc107808bdd"; ctx->digest = hash_string (&nettle_sha1, "abc"); ctx->digest_size = 20; break; case 224: ecc = &_nettle_secp_224r1; xs = "993bf363f4f2bc0f255f22563980449164e9c894d9efd088d7b77334"; ys = "b75fff9849997d02d135140e4d0030944589586e22df1fc4b629082a"; zs = "cdfd01838247f5de3cc70b688418046f10a2bfaca6de9ec836d48c27"; ctx->digest = hash_string (&nettle_sha224, "abc"); ctx->digest_size = 28; break; /* From RFC 4754 */ case 256: ecc = &_nettle_secp_256r1; xs = "2442A5CC 0ECD015F A3CA31DC 8E2BBC70 BF42D60C BCA20085 E0822CB0 4235E970"; ys = "6FC98BD7 E50211A4 A27102FA 3549DF79 EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D"; zs = "DC51D386 6A15BACD E33D96F9 92FCA99D A7E6EF09 34E70975 59C27F16 14C88A7F"; ctx->digest = hash_string (&nettle_sha256, "abc"); ctx->digest_size = 32; break; case 384: ecc = &_nettle_secp_384r1; xs = "96281BF8 DD5E0525 CA049C04 8D345D30 82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922"; ys = "447688BA 94708EB6 E2E4D59F 6AB6D7ED FF9301D2 49FE49C3 3096655F 5D502FAD" "3D383B91 C5E7EDAA 2B714CC9 9D5743CA"; zs = "0BEB6466 34BA8773 5D77AE48 09A0EBEA 865535DE 4C1E1DCB 692E8470 8E81A5AF" "62E528C3 8B2A81B3 5309668D 73524D9F"; ctx->digest = hash_string (&nettle_sha384, "abc"); ctx->digest_size = 48; break; case 521: ecc = &_nettle_secp_521r1; xs = "0151518F 1AF0F563 517EDD54 85190DF9 5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018 8901CECD 650699C9 B5E456AE A5ADD190" "52A8"; ys = "006F3B14 2EA1BFFF 7E2837AD 44C9E4FF 6D2D34C7 3184BBAD 90026DD5 E6E85317" "D9DF45CA D7803C6C 20035B2F 3FF63AFF 4E1BA64D 1C077577 DA3F4286 C58F0AEA" "E643"; zs = "0065FDA3 409451DC AB0A0EAD 45495112 A3D813C1 7BFD34BD F8C1209D 7DF58491" "20597779 060A7FF9 D704ADF7 8B570FFA D6F062E9 5C7E0C5D 5481C5B1 53B48B37" "5FA1"; ctx->digest = hash_string (&nettle_sha512, "abc"); ctx->digest_size = 64; break; default: die ("Internal error.\n"); } ecc_point_init (&ctx->pub, ecc); ecc_scalar_init (&ctx->key, ecc); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); mpz_init_set_str (z, zs, 16); ecc_point_set (&ctx->pub, x, y); ecc_scalar_set (&ctx->key, z); mpz_clear (x); mpz_clear (y); mpz_clear (z); ecdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &ctx->s); return ctx; } static void bench_ecdsa_sign (void *p) { struct ecdsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); ecdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_ecdsa_verify (void *p) { struct ecdsa_ctx *ctx = p; if (! ecdsa_verify (&ctx->pub, ctx->digest_size, ctx->digest, &ctx->s)) die ("Internal error, ecdsa_verify failed.\n"); } static void bench_ecdsa_clear (void *p) { struct ecdsa_ctx *ctx = p; ecc_point_clear (&ctx->pub); ecc_scalar_clear (&ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } struct eddsa_ctx { uint8_t pub[ED448_KEY_SIZE]; uint8_t key[ED448_KEY_SIZE]; uint8_t signature[ED448_SIGNATURE_SIZE]; void (*sign)(const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int (*verify)(const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); }; static void * bench_eddsa_init (unsigned size) { struct knuth_lfib_ctx lfib; struct eddsa_ctx *ctx; knuth_lfib_init (&lfib, 17); ctx = xalloc (sizeof(*ctx)); switch (size) { case 255: ctx->sign = ed25519_sha512_sign; ctx->verify = ed25519_sha512_verify; knuth_lfib_random (&lfib, ED25519_KEY_SIZE, ctx->key); ed25519_sha512_public_key (ctx->pub, ctx->key); break; case 448: ctx->sign = ed448_shake256_sign; ctx->verify = ed448_shake256_verify; knuth_lfib_random (&lfib, ED448_KEY_SIZE, ctx->key); ed448_shake256_public_key (ctx->pub, ctx->key); break; default: abort (); } ctx->sign (ctx->pub, ctx->key, 3, (const uint8_t *) "abc", ctx->signature); return ctx; } static void bench_eddsa_sign (void *p) { struct eddsa_ctx *ctx = p; ctx->sign (ctx->pub, ctx->key, 3, (const uint8_t *) "abc", ctx->signature); } static void bench_eddsa_verify (void *p) { struct eddsa_ctx *ctx = p; if (!ctx->verify (ctx->pub, 3, (const uint8_t *) "abc", ctx->signature)) die ("Internal error, eddsa_verify failed.\n"); } static void bench_eddsa_clear (void *p) { free (p); } static void * bench_gostdsa_init (unsigned size) { struct ecdsa_ctx *ctx; const struct ecc_curve *ecc; const char *xs; const char *ys; const char *zs; mpz_t x, y, z; ctx = xalloc (sizeof(*ctx)); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 17); switch (size) { case 256: ecc = &_nettle_gost_gc256b; xs = "971566ceda436ee7678f7e07e84ebb7217406c0b4747aa8fd2ab1453c3d0dfba"; ys = "ad58736965949f8e59830f8de20fc6c0d177f6ab599874f1e2e24ff71f9ce643"; zs = "bfcf1d623e5cdd3032a7c6eabb4a923c46e43d640ffeaaf2c3ed39a8fa399924"; ctx->digest = hash_string (&nettle_sha256, "abc"); ctx->digest_size = 32; break; case 512: ecc = &_nettle_gost_gc512a; xs = "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40"; ys = "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1" "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73"; zs = "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B"; ctx->digest = hash_string (&nettle_sha512, "abc"); ctx->digest_size = 64; break; default: die ("Internal error.\n"); } ecc_point_init (&ctx->pub, ecc); ecc_scalar_init (&ctx->key, ecc); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); mpz_init_set_str (z, zs, 16); ecc_point_set (&ctx->pub, x, y); ecc_scalar_set (&ctx->key, z); mpz_clear (x); mpz_clear (y); mpz_clear (z); gostdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &ctx->s); return ctx; } static void bench_gostdsa_sign (void *p) { struct ecdsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); gostdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_gostdsa_verify (void *p) { struct ecdsa_ctx *ctx = p; if (! gostdsa_verify (&ctx->pub, ctx->digest_size, ctx->digest, &ctx->s)) die ("Internal error, _gostdsa_verify failed.\n"); } static void bench_gostdsa_clear (void *p) { struct ecdsa_ctx *ctx = p; ecc_point_clear (&ctx->pub); ecc_scalar_clear (&ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } #if WITH_OPENSSL struct openssl_ctx { EVP_PKEY *key; const EVP_MD *md; EVP_MD_CTX *md_ctx; unsigned char *signature; size_t sig_alloc; size_t sig_size; }; static void * bench_openssl_init (EVP_PKEY *key, const EVP_MD *md) { struct openssl_ctx *ctx = xalloc (sizeof (*ctx)); if (!key) die ("OpenSSL key eneration failed.\n"); ctx->key = key; ctx->md = md; ctx->md_ctx = EVP_MD_CTX_new(); if (!ctx->md_ctx) die ("OpenSSL EVP_MD_CTX_create failed."); if (EVP_DigestSignInit (ctx->md_ctx, NULL, ctx->md, NULL, ctx->key) <= 0) die ("OpenSSL EVP_DigestSignInit failed."); if (EVP_DigestSignUpdate (ctx->md_ctx, "foo", 3) <= 0) die ("OpenSSL EVP_DigestSignUpdate failed."); if (EVP_DigestSignFinal (ctx->md_ctx, NULL, &ctx->sig_alloc) <= 0) die ("OpenSSL EVP_DigestSignFinal (... NULL ...) failed.\n"); ctx->signature = xalloc (ctx->sig_alloc); ctx->sig_size = ctx->sig_alloc; if (EVP_DigestSignFinal (ctx->md_ctx, ctx->signature, &ctx->sig_size) <= 0) die ("OpenSSL EVP_DigestSignFinal failed.\n"); return ctx; } static void * bench_openssl_rsa_init (unsigned size) { /* Always uses e = 65537? */ return bench_openssl_init (EVP_RSA_gen(size), EVP_sha256()); } static void bench_openssl_sign (void *p) { struct openssl_ctx *ctx = p; if (EVP_DigestSignInit (ctx->md_ctx, NULL, ctx->md, NULL, ctx->key) <= 0) die ("OpenSSL EVP_DigestSignInit failed."); if (EVP_DigestSignUpdate (ctx->md_ctx, "foo", 3) <= 0) die ("OpenSSL EVP_DigestSignUpdate failed."); ctx->sig_size = ctx->sig_alloc; if (EVP_DigestSignFinal (ctx->md_ctx, ctx->signature, &ctx->sig_size) <= 0) die ("OpenSSL EVP_DigestSignFinal failed.\n"); } static void bench_openssl_verify (void *p) { const struct openssl_ctx *ctx = p; if (EVP_DigestVerifyInit (ctx->md_ctx, NULL, ctx->md, NULL, ctx->key) <= 0) die ("OpenSSL EVP_DigestVerifyInit failed.\n"); if (EVP_DigestVerifyUpdate (ctx->md_ctx, "foo", 3) <= 0) die ("OpenSSL EVP_DigestVerifyUpdate failed."); if (EVP_DigestVerifyFinal (ctx->md_ctx, ctx->signature, ctx->sig_size) <= 0) die ("OpenSSL EVP_DigestVerifyFinal failed.\n"); } static void bench_openssl_clear (void *p) { struct openssl_ctx *ctx = p; EVP_PKEY_free (ctx->key); EVP_MD_CTX_free (ctx->md_ctx); free (ctx->signature); free (ctx); } static void * bench_openssl_ecdsa_init (unsigned size) { struct openssl_ctx *ctx = xalloc (sizeof (*ctx)); switch (size) { case 192: /* Larger hash is truncated? */ return bench_openssl_init (EVP_EC_gen ("P-192"), EVP_sha256()); case 224: return bench_openssl_init (EVP_EC_gen ("P-224"), EVP_sha224()); case 256: return bench_openssl_init (EVP_EC_gen ("P-256"), EVP_sha256()); case 384: return bench_openssl_init (EVP_EC_gen ("P-384"), EVP_sha384()); case 521: return bench_openssl_init (EVP_EC_gen ("P-521"), EVP_sha512()); default: die ("Internal error.\n"); } } #endif struct curve_ctx { uint8_t x[CURVE448_SIZE]; uint8_t s[CURVE448_SIZE]; void (*mul_g)(uint8_t *q, const uint8_t *n); void (*mul)(uint8_t *q, const uint8_t *n, const uint8_t *p); }; static void * bench_curve_init (unsigned size) { struct knuth_lfib_ctx lfib; struct curve_ctx *ctx = xalloc (sizeof (*ctx)); knuth_lfib_init (&lfib, 17); switch (size) { case 255: ctx->mul = curve25519_mul; ctx->mul_g = curve25519_mul_g; knuth_lfib_random (&lfib, CURVE25519_SIZE, ctx->s); break; case 448: ctx->mul = curve448_mul; ctx->mul_g = curve448_mul_g; knuth_lfib_random (&lfib, CURVE448_SIZE, ctx->s); break; default: abort (); } ctx->mul_g (ctx->x, ctx->s); return ctx; } static void bench_curve_mul_g (void *p) { struct curve_ctx *ctx = p; uint8_t q[CURVE448_SIZE]; ctx->mul_g (q, ctx->s); } static void bench_curve_mul (void *p) { struct curve_ctx *ctx = p; uint8_t q[CURVE448_SIZE]; ctx->mul (q, ctx->s, ctx->x); } static void bench_curve_clear (void *p) { free (p); } struct slh_dsa_ctx { uint8_t pub[SLH_DSA_128_KEY_SIZE]; uint8_t key[SLH_DSA_128_KEY_SIZE]; uint8_t msg[10]; uint8_t *sig; void (*sign)(const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int (*verify)(const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); }; static void * bench_slh_dsa_init_shake_s (unsigned size) { struct slh_dsa_ctx *ctx; assert (size == 128); ctx = xalloc (sizeof (*ctx)); memset (ctx->key, 1, SLH_DSA_128_KEY_SIZE); memset (ctx->pub, 2, SLH_DSA_128_SEED_SIZE); slh_dsa_shake_128s_root (ctx->pub, ctx->key, ctx->pub + SLH_DSA_128_SEED_SIZE); memset (ctx->msg, 3, sizeof (ctx->msg)); ctx->sig = xalloc (SLH_DSA_128S_SIGNATURE_SIZE); slh_dsa_shake_128s_sign (ctx->pub, ctx->key, sizeof (ctx->msg), ctx->msg, ctx->sig); ctx->sign = slh_dsa_shake_128s_sign; ctx->verify = slh_dsa_shake_128s_verify; return ctx; } static void * bench_slh_dsa_init_shake_f (unsigned size) { struct slh_dsa_ctx *ctx; assert (size == 128); ctx = xalloc (sizeof (*ctx)); memset (ctx->key, 1, SLH_DSA_128_KEY_SIZE); memset (ctx->pub, 2, SLH_DSA_128_SEED_SIZE); slh_dsa_shake_128f_root (ctx->pub, ctx->key, ctx->pub + SLH_DSA_128_SEED_SIZE); memset (ctx->msg, 3, sizeof (ctx->msg)); ctx->sig = xalloc (SLH_DSA_128F_SIGNATURE_SIZE); slh_dsa_shake_128f_sign (ctx->pub, ctx->key, sizeof (ctx->msg), ctx->msg, ctx->sig); ctx->sign = slh_dsa_shake_128f_sign; ctx->verify = slh_dsa_shake_128f_verify; return ctx; } static void * bench_slh_dsa_init_sha2_s (unsigned size) { struct slh_dsa_ctx *ctx; assert (size == 128); ctx = xalloc (sizeof (*ctx)); memset (ctx->key, 1, SLH_DSA_128_KEY_SIZE); memset (ctx->pub, 2, SLH_DSA_128_SEED_SIZE); slh_dsa_sha2_128s_root (ctx->pub, ctx->key, ctx->pub + SLH_DSA_128_SEED_SIZE); memset (ctx->msg, 3, sizeof (ctx->msg)); ctx->sig = xalloc (SLH_DSA_128S_SIGNATURE_SIZE); slh_dsa_sha2_128s_sign (ctx->pub, ctx->key, sizeof (ctx->msg), ctx->msg, ctx->sig); ctx->sign = slh_dsa_sha2_128s_sign; ctx->verify = slh_dsa_sha2_128s_verify; return ctx; } static void * bench_slh_dsa_init_sha2_f (unsigned size) { struct slh_dsa_ctx *ctx; assert (size == 128); ctx = xalloc (sizeof (*ctx)); memset (ctx->key, 1, SLH_DSA_128_KEY_SIZE); memset (ctx->pub, 2, SLH_DSA_128_SEED_SIZE); slh_dsa_sha2_128f_root (ctx->pub, ctx->key, ctx->pub + SLH_DSA_128_SEED_SIZE); memset (ctx->msg, 3, sizeof (ctx->msg)); ctx->sig = xalloc (SLH_DSA_128F_SIGNATURE_SIZE); slh_dsa_sha2_128f_sign (ctx->pub, ctx->key, sizeof (ctx->msg), ctx->msg, ctx->sig); ctx->sign = slh_dsa_sha2_128f_sign; ctx->verify = slh_dsa_sha2_128f_verify; return ctx; } static void bench_slh_dsa_sign (void *p) { struct slh_dsa_ctx *ctx = p; ctx->sign (ctx->pub, ctx->key, sizeof (ctx->msg), ctx->msg, ctx->sig); } static void bench_slh_dsa_verify (void *p) { struct slh_dsa_ctx *ctx = p; if (!ctx->verify (ctx->pub, sizeof (ctx->msg), ctx->msg, ctx->sig)) die ("Internal error, slh_dsa_shake_128s_verify failed.\n"); } static void bench_slh_dsa_clear (void *p) { struct slh_dsa_ctx *ctx = p; free (ctx->sig); free (ctx); } struct alg alg_list[] = { { "rsa", 1024, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, { "rsa", 2048, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, { "rsa-tr", 1024, bench_rsa_init, bench_rsa_sign_tr, bench_rsa_verify, bench_rsa_clear }, { "rsa-tr", 2048, bench_rsa_init, bench_rsa_sign_tr, bench_rsa_verify, bench_rsa_clear }, #if WITH_OPENSSL { "rsa (openssl)", 1024, bench_openssl_rsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "rsa (openssl)", 2048, bench_openssl_rsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, #endif { "dsa", 1024, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #if 0 { "dsa",2048, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #endif { "ecdsa", 192, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 224, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 256, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 384, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 521, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, #if WITH_OPENSSL { "ecdsa (openssl)", 192, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 224, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 256, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 384, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 521, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, #endif { "eddsa", 255, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, bench_eddsa_clear }, { "eddsa", 448, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, bench_eddsa_clear }, { "curve", 255, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear}, { "curve", 448, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear }, { "gostdsa", 256, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, { "gostdsa", 512, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, { "slh-dsa-shake-s", 128, bench_slh_dsa_init_shake_s, bench_slh_dsa_sign, bench_slh_dsa_verify, bench_slh_dsa_clear }, { "slh-dsa-shake-f", 128, bench_slh_dsa_init_shake_f, bench_slh_dsa_sign, bench_slh_dsa_verify, bench_slh_dsa_clear }, { "slh-dsa-sha2-s", 128, bench_slh_dsa_init_sha2_s, bench_slh_dsa_sign, bench_slh_dsa_verify, bench_slh_dsa_clear }, { "slh-dsa-sha2-f", 128, bench_slh_dsa_init_sha2_f, bench_slh_dsa_sign, bench_slh_dsa_verify, bench_slh_dsa_clear }, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) int main (int argc, char **argv) { const char *filter = NULL; unsigned i; if (argc > 1) filter = argv[1]; time_init(); printf ("%16s %4s %9s %9s\n", "name", "size", "sign/s", "verify/s"); for (i = 0; i < numberof(alg_list); i++) if (!filter || strstr (alg_list[i].name, filter)) bench_alg (&alg_list[i]); return EXIT_SUCCESS; } nettle-4.0/examples/io.c0000644000000000000000000000720315141166425012176 0ustar00/* io.c Miscellaneous functions used by the example programs. Copyright (C) 2002, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include /* For errno and strerror */ #include #include #include "io.h" #define RANDOM_DEVICE "/dev/urandom" #define BUFSIZE 1000 int quiet_flag = 0; void * xalloc(size_t size) { void *p = malloc(size); if (!p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } void werror(const char *format, ...) { if (!quiet_flag) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } } size_t read_file(const char *name, size_t max_size, uint8_t **contents) { size_t size, done; uint8_t *buffer; FILE *f; f = fopen(name, "rb"); if (!f) { werror("Opening `%s' failed: %s\n", name, strerror(errno)); return 0; } size = 100; for (buffer = NULL, done = 0;; size *= 2) { uint8_t *p; if (max_size && size > max_size) size = max_size; /* Space for terminating NUL */ p = realloc(buffer, size + 1); if (!p) { fail: fclose(f); free(buffer); *contents = NULL; return 0; } buffer = p; done += fread(buffer + done, 1, size - done, f); if (done < size) { /* Short count means EOF or read error */ if (ferror(f)) { fprintf (stderr, "Reading `%s' failed: %s\n", name, strerror(errno)); goto fail; } if (done == 0) /* Treat empty file as error */ goto fail; break; } if (size == max_size) break; } fclose(f); /* NUL-terminate the data. */ buffer[done] = '\0'; *contents = buffer; return done; } int write_data(FILE *f, size_t size, const void *buffer) { size_t res = fwrite(buffer, 1, size, f); return res == size; } int write_file(const char *name, size_t size, const void *buffer) { FILE *f = fopen(name, "wb"); int res; if (!f) return 0; res = write_data(f, size, buffer); return fclose(f) == 0 && res; } int simple_random(struct yarrow256_ctx *ctx, const char *name) { unsigned length; uint8_t *buffer; if (name) length = read_file(name, 0, &buffer); else length = read_file(RANDOM_DEVICE, 20, &buffer); if (!length) return 0; yarrow256_seed(ctx, length, buffer); free(buffer); return 1; } int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f) { for (;;) { uint8_t buffer[BUFSIZE]; size_t res = fread(buffer, 1, sizeof(buffer), f); if (ferror(f)) return 0; hash->update(ctx, res, buffer); if (feof(f)) return 1; } } nettle-4.0/examples/io.h0000644000000000000000000000415315141166425012204 0ustar00/* io.c Miscellaneous functions used by the example programs. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EXAMPLES_IO_H_INCLUDED #define NETTLE_EXAMPLES_IO_H_INCLUDED #include "nettle-meta.h" #include "yarrow.h" #include extern int quiet_flag; void * xalloc(size_t size); void werror(const char *format, ...) PRINTF_STYLE(1, 2); /* If size is > 0, read at most that many bytes. If size == 0, read * until EOF. Allocates the buffer dynamically. An empty file is * treated as an error; return value is zero, and no space is * allocated. The returned data is NUL-terminated, for convenience. */ size_t read_file(const char *name, size_t size, uint8_t **buffer); int write_file(const char *name, size_t size, const void *data); int write_data(FILE *f, size_t size, const void *data); int simple_random(struct yarrow256_ctx *ctx, const char *name); int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f); #if WITH_HOGWEED struct rsa_public_key; struct rsa_private_key; int read_rsa_key(const char *name, struct rsa_public_key *pub, struct rsa_private_key *priv); #endif /* WITH_HOGWEED */ #endif /* NETTLE_EXAMPLES_IO_H_INCLUDED */ nettle-4.0/examples/nettle-benchmark.c0000644000000000000000000005572415141166425015025 0ustar00/* nettle-benchmark.c Tests the performance of the various algorithms. Copyright (C) 2001, 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include #include #include "timing.h" #include "aes.h" #include "arcfour.h" #include "blowfish.h" #include "cast128.h" #include "cbc.h" #include "ctr.h" #include "des.h" #include "eax.h" #include "gcm.h" #include "ghash-internal.h" #include "memxor.h" #include "salsa20.h" #include "salsa20-internal.h" #include "serpent.h" #include "sha1.h" #include "sha2.h" #include "sha3.h" #include "sm4.h" #include "twofish.h" #include "umac.h" #include "cmac.h" #include "poly1305.h" #include "hmac.h" #include "nettle-meta.h" #include "nettle-internal.h" #include "non-nettle.h" #include "getopt.h" static double frequency = 0.0; /* Process BENCH_BLOCK bytes at a time, for BENCH_INTERVAL seconds. */ #define BENCH_BLOCK 10240 #define BENCH_INTERVAL 0.1 /* FIXME: Proper configure test for rdtsc? */ #ifndef WITH_CYCLE_COUNTER # if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) # define WITH_CYCLE_COUNTER 1 # else # define WITH_CYCLE_COUNTER 0 # endif #endif #if WITH_CYCLE_COUNTER # if defined(__i386__) #define GET_CYCLE_COUNTER(hi, lo) \ __asm__ volatile ("xorl %%eax,%%eax\n" \ "movl %%ebx, %%edi\n" \ "cpuid\n" \ "rdtsc\n" \ "movl %%edi, %%ebx\n" \ : "=a" (lo), "=d" (hi) \ : /* No inputs. */ \ : "%edi", "%ecx", "cc") # elif defined(__x86_64__) #define GET_CYCLE_COUNTER(hi, lo) \ __asm__ volatile ("xorl %%eax,%%eax\n" \ "mov %%rbx, %%r10\n" \ "cpuid\n" \ "rdtsc\n" \ "mov %%r10, %%rbx\n" \ : "=a" (lo), "=d" (hi) \ : /* No inputs. */ \ : "%r10", "%rcx", "cc") # endif #define BENCH_ITERATIONS 10 #endif static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static double overhead = 0.0; /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls - overhead; } struct bench_memxor_info { void *dst; const void *src; const void *other; }; static void bench_memxor(void *arg) { struct bench_memxor_info *info = arg; memxor (info->dst, info->src, BENCH_BLOCK); } static void bench_memxor3(void *arg) { struct bench_memxor_info *info = arg; memxor3 (info->dst, info->src, info->other, BENCH_BLOCK); } struct bench_hash_info { void *ctx; nettle_hash_update_func *update; const uint8_t *data; }; static void bench_hash(void *arg) { struct bench_hash_info *info = arg; info->update(info->ctx, BENCH_BLOCK, info->data); } struct bench_cipher_info { void *ctx; nettle_cipher_func *crypt; uint8_t *data; }; static void bench_cipher(void *arg) { struct bench_cipher_info *info = arg; info->crypt(info->ctx, BENCH_BLOCK, info->data, info->data); } struct bench_cbc_info { void *ctx; nettle_cipher_func *crypt; const uint8_t *src; uint8_t *dst; unsigned block_size; uint8_t *iv; }; static void bench_cbc_encrypt(void *arg) { struct bench_cbc_info *info = arg; cbc_encrypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->dst, info->src); } static void bench_cbc_decrypt(void *arg) { struct bench_cbc_info *info = arg; cbc_decrypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->dst, info->src); } static void bench_ctr(void *arg) { struct bench_cbc_info *info = arg; ctr_crypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->dst, info->src); } struct bench_aead_info { void *ctx; nettle_crypt_func *crypt; nettle_hash_update_func *update; uint8_t *data; }; static void bench_aead_crypt(void *arg) { const struct bench_aead_info *info = arg; info->crypt (info->ctx, BENCH_BLOCK, info->data, info->data); } static void bench_aead_update(void *arg) { const struct bench_aead_info *info = arg; info->update (info->ctx, BENCH_BLOCK, info->data); } /* Set data[i] = floor(sqrt(i)) */ static void init_data(uint8_t *data) { unsigned i,j; for (i = j = 0; i 0.0 ? " cycles/byte cycles/block" : ""); } static void display(const char *name, const char *mode, unsigned block_size, double time) { printf("%18s %12s %7.2f", name, mode, BENCH_BLOCK / (time * 1048576.0)); if (frequency > 0.0) { printf(" %11.2f", time * frequency / BENCH_BLOCK); if (block_size > 0) printf(" %12.2f", time * frequency * block_size / BENCH_BLOCK); } printf("\n"); } static void * xalloc(size_t size) { void *p = malloc(size); if (!p) die("Virtual memory exhausted.\n"); return p; } static void time_memxor(void) { struct bench_memxor_info info; unsigned long src[BENCH_BLOCK / sizeof(long) + 2]; unsigned long other[BENCH_BLOCK / sizeof(long) + 2]; unsigned long dst[BENCH_BLOCK / sizeof(long) + 1]; info.src = src; info.dst = dst; display ("memxor", "aligned", sizeof(unsigned long), time_function(bench_memxor, &info)); info.src = (const char *) src + 1; display ("memxor", "unaligned", sizeof(unsigned long), time_function(bench_memxor, &info)); info.src = src; info.other = other; display ("memxor3", "aligned", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.other = (const char *) other + 1; display ("memxor3", "unaligned01", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.src = (const char *) src + 1; display ("memxor3", "unaligned11", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.other = (const char *) other + 2; display ("memxor3", "unaligned12", sizeof(unsigned long), time_function(bench_memxor3, &info)); } static void time_hash(const struct nettle_hash *hash) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; info.ctx = xalloc(hash->context_size); info.update = hash->update; info.data = data; init_data(data); hash->init(info.ctx); display(hash->name, "update", hash->block_size, time_function(bench_hash, &info)); free(info.ctx); } static void time_umac(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; uint8_t key[UMAC_KEY_SIZE]; init_key (sizeof(key), key); umac32_set_key (&ctx32, key); info.ctx = &ctx32; info.update = (nettle_hash_update_func *) umac32_update; info.data = data; display("umac32", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac64_set_key (&ctx64, key); info.ctx = &ctx64; info.update = (nettle_hash_update_func *) umac64_update; info.data = data; display("umac64", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac96_set_key (&ctx96, key); info.ctx = &ctx96; info.update = (nettle_hash_update_func *) umac96_update; info.data = data; display("umac96", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac128_set_key (&ctx128, key); info.ctx = &ctx128; info.update = (nettle_hash_update_func *) umac128_update; info.data = data; display("umac128", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); } static void time_cmac(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct cmac_aes128_ctx ctx; uint8_t key[AES128_KEY_SIZE]; init_key (sizeof(key), key); cmac_aes128_set_key (&ctx, key); info.ctx = &ctx; info.update = (nettle_hash_update_func *) cmac_aes128_update; info.data = data; display("cmac-aes128", "update", AES_BLOCK_SIZE, time_function(bench_hash, &info)); } static void time_poly1305_aes(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct poly1305_aes_ctx ctx; uint8_t key[POLY1305_AES_KEY_SIZE]; init_key (sizeof(key), key); poly1305_aes_set_key (&ctx, key); info.ctx = &ctx; info.update = (nettle_hash_update_func *) poly1305_aes_update; info.data = data; display("poly1305-aes", "update", 1024, time_function(bench_hash, &info)); } struct bench_hmac_info { void *ctx; nettle_hash_update_func *update; nettle_hash_digest_func *digest; size_t length; const uint8_t *data; }; static void bench_hmac(void *arg) { struct bench_hmac_info *info = arg; uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE]; size_t pos, length; length = info->length; for (pos = 0; pos < BENCH_BLOCK; pos += length) { size_t single = pos + length < BENCH_BLOCK ? length : BENCH_BLOCK - pos; info->update(info->ctx, single, info->data + pos); info->digest(info->ctx, digest); } } static const struct { size_t length; const char *msg; } hmac_tests[] = { { 64, "64 bytes" }, { 256, "256 bytes" }, { 1024, "1024 bytes" }, { 4096, "4096 bytes" }, { BENCH_BLOCK, "single msg" }, { 0, NULL }, }; static void time_hmac_md5(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_md5_ctx md5_ctx; unsigned int pos; init_data(data); info.data = data; hmac_md5_set_key(&md5_ctx, MD5_BLOCK_SIZE, data); info.ctx = &md5_ctx; info.update = (nettle_hash_update_func *) hmac_md5_update; info.digest = (nettle_hash_digest_func *) hmac_md5_digest; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-md5", hmac_tests[pos].msg, MD5_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static void time_hmac_sha1(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_sha1_ctx sha1_ctx; unsigned int pos; init_data(data); info.data = data; hmac_sha1_set_key(&sha1_ctx, SHA1_BLOCK_SIZE, data); info.ctx = &sha1_ctx; info.update = (nettle_hash_update_func *) hmac_sha1_update; info.digest = (nettle_hash_digest_func *) hmac_sha1_digest; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-sha1", hmac_tests[pos].msg, SHA1_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static void time_hmac_sha256(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_sha256_ctx sha256_ctx; unsigned int pos; init_data(data); info.data = data; hmac_sha256_set_key(&sha256_ctx, SHA256_BLOCK_SIZE, data); info.ctx = &sha256_ctx; info.update = (nettle_hash_update_func *) hmac_sha256_update; info.digest = (nettle_hash_digest_func *) hmac_sha256_digest; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-sha256", hmac_tests[pos].msg, SHA256_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static void time_hmac_sha512(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_sha512_ctx sha512_ctx; unsigned int pos; init_data(data); info.data = data; hmac_sha512_set_key(&sha512_ctx, SHA512_BLOCK_SIZE, data); info.ctx = &sha512_ctx; info.update = (nettle_hash_update_func *) hmac_sha512_update; info.digest = (nettle_hash_digest_func *) hmac_sha512_digest; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-sha512", hmac_tests[pos].msg, SHA512_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static int prefix_p(const char *prefix, const char *s) { size_t i; for (i = 0; prefix[i]; i++) if (prefix[i] != s[i]) return 0; return 1; } static int block_cipher_p(const struct nettle_cipher *cipher) { /* Don't use nettle cbc and ctr for openssl ciphers. */ return cipher->block_size > 0 && !prefix_p("openssl", cipher->name); } static void time_cipher(const struct nettle_cipher *cipher) { void *ctx = xalloc(cipher->context_size); uint8_t *key = xalloc(cipher->key_size); static uint8_t src_data[BENCH_BLOCK]; static uint8_t data[BENCH_BLOCK]; printf("\n"); init_data(data); init_data(src_data); { /* Decent initializers are a GNU extension, so don't use it here. */ struct bench_cipher_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.data = data; init_key(cipher->key_size, key); cipher->set_encrypt_key(ctx, key); display(cipher->name, "ECB encrypt", cipher->block_size, time_function(bench_cipher, &info)); } { struct bench_cipher_info info; info.ctx = ctx; info.crypt = cipher->decrypt; info.data = data; init_key(cipher->key_size, key); cipher->set_decrypt_key(ctx, key); display(cipher->name, "ECB decrypt", cipher->block_size, time_function(bench_cipher, &info)); } if (block_cipher_p(cipher)) { uint8_t *iv = xalloc(cipher->block_size); /* Do CBC mode */ { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.src = src_data; info.dst = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_encrypt_key(ctx, key); display(cipher->name, "CBC encrypt", cipher->block_size, time_function(bench_cbc_encrypt, &info)); } { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->decrypt; info.src = src_data; info.dst = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_decrypt_key(ctx, key); display(cipher->name, "CBC decrypt", cipher->block_size, time_function(bench_cbc_decrypt, &info)); memset(iv, 0, cipher->block_size); info.src = data; display(cipher->name, " (in-place)", cipher->block_size, time_function(bench_cbc_decrypt, &info)); } /* Do CTR mode */ { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.src = src_data; info.dst = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_encrypt_key(ctx, key); display(cipher->name, "CTR", cipher->block_size, time_function(bench_ctr, &info)); memset(iv, 0, cipher->block_size); info.src = data; display(cipher->name, " (in-place)", cipher->block_size, time_function(bench_ctr, &info)); } free(iv); } free(ctx); free(key); } static void time_aead(const struct nettle_aead *aead) { void *ctx = xalloc(aead->context_size); uint8_t *key = xalloc(aead->key_size); uint8_t *nonce = xalloc(aead->nonce_size); static uint8_t data[BENCH_BLOCK]; printf("\n"); init_data(data); if (aead->set_nonce) init_nonce (aead->nonce_size, nonce); { /* Decent initializers are a GNU extension, so don't use it here. */ struct bench_aead_info info; info.ctx = ctx; info.crypt = aead->encrypt; info.data = data; init_key(aead->key_size, key); aead->set_encrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "encrypt", aead->block_size, time_function(bench_aead_crypt, &info)); } if (aead->decrypt) { struct bench_aead_info info; info.ctx = ctx; info.crypt = aead->decrypt; info.data = data; init_key(aead->key_size, key); aead->set_decrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "decrypt", aead->block_size, time_function(bench_aead_crypt, &info)); } if (aead->update) { struct bench_aead_info info; info.ctx = ctx; info.update = aead->update; info.data = data; aead->set_encrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "update", aead->block_size, time_function(bench_aead_update, &info)); } free(ctx); free(key); free(nonce); } /* Try to get accurate cycle times for assembler functions. */ #if WITH_CYCLE_COUNTER static int compare_double(const void *ap, const void *bp) { double a = *(const double *) ap; double b = *(const double *) bp; if (a < b) return -1; else if (a > b) return 1; else return 0; } #define TIME_CYCLES(t, code) do { \ double tc_count[5]; \ uint32_t tc_start_lo, tc_start_hi, tc_end_lo, tc_end_hi; \ unsigned tc_i, tc_j; \ for (tc_j = 0; tc_j < 5; tc_j++) \ { \ tc_i = 0; \ GET_CYCLE_COUNTER(tc_start_hi, tc_start_lo); \ for (; tc_i < BENCH_ITERATIONS; tc_i++) \ { code; } \ \ GET_CYCLE_COUNTER(tc_end_hi, tc_end_lo); \ \ tc_end_hi -= (tc_start_hi + (tc_start_lo > tc_end_lo)); \ tc_end_lo -= tc_start_lo; \ \ tc_count[tc_j] = ldexp(tc_end_hi, 32) + tc_end_lo; \ } \ qsort(tc_count, 5, sizeof(double), compare_double); \ (t) = tc_count[2] / BENCH_ITERATIONS; \ } while (0) static void bench_sha1_compress(void) { uint32_t state[_SHA1_DIGEST_LENGTH]; uint8_t data[SHA1_BLOCK_SIZE]; double t; TIME_CYCLES (t, nettle_sha1_compress(state, data)); printf("sha1_compress: %.2f cycles\n", t); } static void bench_salsa20_core(void) { uint32_t state[_SALSA20_INPUT_LENGTH]; double t; TIME_CYCLES (t, _nettle_salsa20_core(state, state, 20)); printf("salsa20_core: %.2f cycles\n", t); } static void bench_sha3_permute(void) { struct sha3_state state; double t; TIME_CYCLES (t, sha3_permute (&state)); printf("sha3_permute: %.2f cycles (%.2f / round)\n", t, t / 24.0); } static void bench_ghash_update(void) { struct gcm_key key; union nettle_block16 state; const uint8_t data[160]; double t; TIME_CYCLES (t, _ghash_update (&key, &state, 10, data)); printf("ghash_update: %.2f cycles / block\n", t / 10.0); } #else #define bench_sha1_compress() #define bench_salsa20_core() #define bench_sha3_permute() #define bench_ghash_update() #endif #if WITH_OPENSSL # define OPENSSL(x) x, #else # define OPENSSL(x) #endif int main(int argc, char **argv) { unsigned i; int c; const char *alg; const struct nettle_hash *hashes[] = { &nettle_md2, &nettle_md4, &nettle_md5, OPENSSL(&nettle_openssl_md5) &nettle_sha1, OPENSSL(&nettle_openssl_sha1) &nettle_sha224, &nettle_sha256, &nettle_sha384, &nettle_sha512, &nettle_sha512_224, &nettle_sha512_256, &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_ripemd160, &nettle_gosthash94, &nettle_gosthash94cp, &nettle_streebog256, &nettle_streebog512, &nettle_sm3, NULL }; const struct nettle_cipher *ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, OPENSSL(&nettle_openssl_aes128) OPENSSL(&nettle_openssl_aes192) OPENSSL(&nettle_openssl_aes256) &nettle_blowfish128, &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, &nettle_cast128, &nettle_des, &nettle_des3, &nettle_serpent256, &nettle_twofish128, &nettle_twofish192, &nettle_twofish256, &nettle_sm4, NULL }; const struct nettle_aead *aeads[] = { /* Stream ciphers */ &nettle_arcfour128, &nettle_salsa20, &nettle_salsa20r12, &nettle_chacha, /* CBC encrypt */ &nettle_cbc_aes128, &nettle_cbc_aes192, &nettle_cbc_aes256, /* Proper AEAD algorithme. */ &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, OPENSSL(&nettle_openssl_gcm_aes128) OPENSSL(&nettle_openssl_gcm_aes192) OPENSSL(&nettle_openssl_gcm_aes256) &nettle_gcm_camellia128, &nettle_gcm_camellia256, &nettle_eax_aes128, &nettle_chacha_poly1305, &nettle_ocb_aes128, NULL }; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "clock-frequency", required_argument, NULL, 'f' }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "f:", options, NULL)) != -1) switch (c) { case 'f': frequency = atof(optarg); if (frequency > 0.0) break; /* Fall through */ case OPT_HELP: printf("Usage: nettle-benchmark [-f clock frequency] [alg...]\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } time_init(); bench_sha1_compress(); bench_salsa20_core(); bench_sha3_permute(); bench_ghash_update(); printf("\n"); header(); do { alg = argv[optind]; if (!alg || strstr ("memxor", alg)) { time_memxor(); printf("\n"); } for (i = 0; hashes[i]; i++) if (!alg || strstr(hashes[i]->name, alg)) time_hash(hashes[i]); if (!alg || strstr ("umac", alg)) time_umac(); if (!alg || strstr ("cmac", alg)) time_cmac(); if (!alg || strstr ("poly1305-aes", alg)) time_poly1305_aes(); for (i = 0; ciphers[i]; i++) if (!alg || strstr(ciphers[i]->name, alg)) time_cipher(ciphers[i]); for (i = 0; aeads[i]; i++) if (!alg || strstr(aeads[i]->name, alg)) time_aead(aeads[i]); if (!alg || strstr ("hmac-md5", alg)) time_hmac_md5(); if (!alg || strstr ("hmac-sha1", alg)) time_hmac_sha1(); if (!alg || strstr ("hmac-sha256", alg)) time_hmac_sha256(); if (!alg || strstr ("hmac-sha512", alg)) time_hmac_sha512(); optind++; } while (alg && argv[optind]); return 0; } nettle-4.0/examples/nettle-openssl.c0000644000000000000000000002135015141166425014542 0ustar00/* nettle-openssl.c Glue that's used only by the benchmark, and subject to change. Copyright (C) 2002, 2017 Niels Möller Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif /* Openssl glue, for comparative benchmarking only */ #if WITH_OPENSSL #include #include #include "non-nettle.h" #include "md5.h" #include "sha1.h" /* We use Openssl's EVP api for all openssl ciphers. This API selects platform-specific implementations if appropriate, e.g., using x86 AES-NI instructions. */ struct openssl_cipher_ctx { EVP_CIPHER_CTX *evp; }; /* We use Openssl's EVP api for all openssl hashes. This API selects platform-specific implementations if appropriate, e.g., using x86 AES-NI instructions. */ struct openssl_hash_ctx { EVP_MD_CTX *evp; }; static void openssl_evp_set_encrypt_key(void *p, const uint8_t *key, const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; int ret; ctx->evp = EVP_CIPHER_CTX_new(); ret = EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 1); assert(ret == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void openssl_evp_set_decrypt_key(void *p, const uint8_t *key, const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; int ret; ctx->evp = EVP_CIPHER_CTX_new(); ret = EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 0); assert(ret == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void openssl_evp_encrypt(const void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_EncryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } static void openssl_evp_decrypt(const void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_DecryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } static void openssl_evp_set_nonce(void *p, const uint8_t *nonce) { const struct openssl_cipher_ctx *ctx = p; int ret = EVP_CipherInit_ex(ctx->evp, NULL, NULL, NULL, nonce, -1); assert(ret == 1); } static void openssl_evp_update(void *p, size_t length, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_EncryptUpdate(ctx->evp, NULL, &len, src, length); assert(ret == 1); } /* This will work for encryption only! */ static void openssl_evp_gcm_digest(void *p, uint8_t *dst) { const struct openssl_cipher_ctx *ctx = p; int ret = EVP_CIPHER_CTX_ctrl(ctx->evp, EVP_CTRL_GCM_GET_TAG, 16, dst); assert(ret == 1); } static void openssl_evp_aead_encrypt(void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_EncryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } static void openssl_evp_aead_decrypt(void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_DecryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } /* AES */ static nettle_set_key_func openssl_aes128_set_encrypt_key; static nettle_set_key_func openssl_aes128_set_decrypt_key; static nettle_set_key_func openssl_aes192_set_encrypt_key; static nettle_set_key_func openssl_aes192_set_decrypt_key; static nettle_set_key_func openssl_aes256_set_encrypt_key; static nettle_set_key_func openssl_aes256_set_decrypt_key; static void openssl_aes128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_128_ecb()); } static void openssl_aes128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_128_ecb()); } static void openssl_aes192_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_192_ecb()); } static void openssl_aes192_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_192_ecb()); } static void openssl_aes256_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_256_ecb()); } static void openssl_aes256_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_256_ecb()); } const struct nettle_cipher nettle_openssl_aes128 = { "openssl aes128", sizeof(struct openssl_cipher_ctx), 16, 16, openssl_aes128_set_encrypt_key, openssl_aes128_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; const struct nettle_cipher nettle_openssl_aes192 = { "openssl aes192", sizeof(struct openssl_cipher_ctx), 16, 24, openssl_aes192_set_encrypt_key, openssl_aes192_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; const struct nettle_cipher nettle_openssl_aes256 = { "openssl aes256", sizeof(struct openssl_cipher_ctx), 16, 32, openssl_aes256_set_encrypt_key, openssl_aes256_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; /* AES-GCM */ static void openssl_gcm_aes128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_128_gcm()); } static void openssl_gcm_aes128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_128_gcm()); } static void openssl_gcm_aes192_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_192_gcm()); } static void openssl_gcm_aes192_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_192_gcm()); } static void openssl_gcm_aes256_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_256_gcm()); } static void openssl_gcm_aes256_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_256_gcm()); } const struct nettle_aead nettle_openssl_gcm_aes128 = { "openssl gcm_aes128", sizeof(struct openssl_cipher_ctx), 16, 16, 12, 16, openssl_gcm_aes128_set_encrypt_key, openssl_gcm_aes128_set_decrypt_key, openssl_evp_set_nonce, openssl_evp_update, openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, openssl_evp_gcm_digest }; const struct nettle_aead nettle_openssl_gcm_aes192 = { "openssl gcm_aes192", sizeof(struct openssl_cipher_ctx), 16, 24, 12, 16, openssl_gcm_aes192_set_encrypt_key, openssl_gcm_aes192_set_decrypt_key, openssl_evp_set_nonce, openssl_evp_update, openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, openssl_evp_gcm_digest }; const struct nettle_aead nettle_openssl_gcm_aes256 = { "openssl gcm_aes256", sizeof(struct openssl_cipher_ctx), 16, 32, 12, 16, openssl_gcm_aes256_set_encrypt_key, openssl_gcm_aes256_set_decrypt_key, openssl_evp_set_nonce, openssl_evp_update, openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, openssl_evp_gcm_digest }; /* Hash functions */ static void openssl_hash_update(void *p, size_t length, const uint8_t *src) { struct openssl_hash_ctx *ctx = p; EVP_DigestUpdate(ctx->evp, src, length); } #define OPENSSL_HASH(NAME, name) \ static void \ openssl_##name##_init(void *p) \ { \ struct openssl_hash_ctx *ctx = p; \ if ((ctx->evp = EVP_MD_CTX_new()) == NULL) \ return; \ \ EVP_DigestInit(ctx->evp, EVP_##name()); \ } \ \ static void \ openssl_##name##_digest(void *p, uint8_t *dst) \ { \ struct openssl_hash_ctx *ctx = p; \ \ EVP_DigestFinal(ctx->evp, dst, NULL); \ EVP_DigestInit(ctx->evp, EVP_##name()); \ } \ \ const struct nettle_hash \ nettle_openssl_##name = { \ "openssl " #name, sizeof(struct openssl_hash_ctx), \ NAME##_DIGEST_SIZE, NAME##_BLOCK_SIZE, \ openssl_##name##_init, \ openssl_hash_update, \ openssl_##name##_digest \ }; OPENSSL_HASH(MD5, md5) OPENSSL_HASH(SHA1, sha1) #endif /* WITH_OPENSSL */ nettle-4.0/examples/random-prime.c0000644000000000000000000000632615141166425014166 0ustar00/* random-prime.c Command line tool for prime generation. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "bignum.h" #include "yarrow.h" #include "io.h" #include "getopt.h" static void usage(void) { fprintf(stderr, "Usage: random-prime [OPTIONS] bits\n\n" "Options:\n" " --help Display this message.\n" " -v, --verbose Display timing information.\n" " -r, --random FILE Random data to use for seeding.\n"); } int main(int argc, char **argv) { long bits; mpz_t p; struct yarrow256_ctx yarrow; int verbose = 0; const char *random_file = NULL; int c; char *arg_end; clock_t start; clock_t end; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "verbose", no_argument, NULL, 'v' }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "vr:", options, NULL)) != -1) switch (c) { case 'v': verbose = 1; break; case 'r': random_file = optarg; break; case OPT_HELP: usage(); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } argc -= optind; argv += optind; if (argc != 1) { usage(); return EXIT_FAILURE; } bits = strtol(argv[0], &arg_end, 0); if (*arg_end || bits < 0) { fprintf(stderr, "Invalid number.\n"); return EXIT_FAILURE; } if (bits < 3) { fprintf(stderr, "Bitsize must be at least 3.\n"); return EXIT_FAILURE; } /* NOTE: No sources */ yarrow256_init(&yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&yarrow, random_file)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } mpz_init(p); start = clock(); nettle_random_prime(p, bits, 0, &yarrow, (nettle_random_func *) yarrow256_random, NULL, NULL); end = clock(); mpz_out_str(stdout, 10, p); printf("\n"); if (verbose) fprintf(stderr, "time: %.3g s\n", (double)(end - start) / CLOCKS_PER_SEC); return EXIT_SUCCESS; } nettle-4.0/examples/read_rsa_key.c0000644000000000000000000000301215141166425014211 0ustar00/* read_rsa_key.c Used by the rsa example programs. Copyright (C) 2002, 2007 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "io.h" #include "rsa.h" /* Split out from io.c, since it depends on hogweed. */ int read_rsa_key(const char *name, struct rsa_public_key *pub, struct rsa_private_key *priv) { unsigned length; uint8_t *buffer; int res; length = read_file(name, 0, &buffer); if (!length) return 0; res = rsa_keypair_from_sexp(pub, priv, 0, length, buffer); free(buffer); return res; } nettle-4.0/examples/rsa-decrypt.c0000644000000000000000000001267515141166425014035 0ustar00/* rsa-decrypt.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #ifdef WIN32 #include #endif /* string.h must be included before gmp.h */ #include "aes.h" #include "bignum.h" #include "buffer.h" #include "cbc.h" #include "hmac.h" #include "macros.h" #include "memops.h" #include "rsa.h" #include "yarrow.h" #include "io.h" #include "rsa-session.h" void rsa_session_set_decrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key) { const uint8_t *aes_key = SESSION_AES_KEY(key); const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); aes256_set_decrypt_key(&ctx->aes.ctx, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } static int read_uint32(FILE *f, uint32_t *n) { uint8_t buf[4]; if (fread(buf, 1, sizeof(buf), f) != sizeof(buf)) return 0; *n = READ_UINT32(buf); return 1; } static int read_version(FILE *f) { uint32_t version; return read_uint32(f, &version) && version == RSA_VERSION; } static int read_bignum(FILE *f, mpz_t x) { uint32_t size; if (read_uint32(f, &size) && size < 1000) { uint8_t *p = xalloc(size); if (fread(p, 1, size, f) != size) { free(p); return 0; } nettle_mpz_set_str_256_u(x, size, p); free(p); return 1; } return 0; } #define BUF_SIZE (100 * AES_BLOCK_SIZE) /* Trailing data that needs special processing */ #define BUF_FINAL (AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) static int process_file(struct rsa_session *ctx, FILE *in, FILE *out) { uint8_t buffer[BUF_SIZE + BUF_FINAL]; uint8_t digest[SHA1_DIGEST_SIZE]; size_t size; unsigned padding; size = fread(buffer, 1, BUF_FINAL, in); if (size < BUF_FINAL) { if (ferror(in)) werror("Reading input failed: %s\n", strerror(errno)); else werror("Unexpected EOF on input.\n"); return 0; } do { size = fread(buffer + BUF_FINAL, 1, BUF_SIZE, in); if (size < BUF_SIZE && ferror(in)) { werror("Reading input failed: %s\n", strerror(errno)); return 0; } if (size % AES_BLOCK_SIZE != 0) { werror("Unexpected EOF on input.\n"); return 0; } if (size) { CBC_DECRYPT(&ctx->aes, aes256_decrypt, size, buffer, buffer); hmac_sha1_update(&ctx->hmac, size, buffer); if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } memmove(buffer, buffer + size, BUF_FINAL); } } while (size == BUF_SIZE); /* Decrypt final block */ CBC_DECRYPT(&ctx->aes, aes256_decrypt, AES_BLOCK_SIZE, buffer, buffer); padding = buffer[AES_BLOCK_SIZE - 1]; if (padding > AES_BLOCK_SIZE) { werror("Decryption failed: Invalid padding.\n"); return 0; } if (padding < AES_BLOCK_SIZE) { unsigned leftover = AES_BLOCK_SIZE - padding; hmac_sha1_update(&ctx->hmac, leftover, buffer); if (!write_data(out, leftover, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } } hmac_sha1_digest(&ctx->hmac, digest); if (!memeql_sec(digest, buffer + AES_BLOCK_SIZE, SHA1_DIGEST_SIZE)) { werror("Decryption failed: Invalid mac.\n"); return 0; } return 1; } int main(int argc, char **argv) { struct rsa_private_key key; struct rsa_session ctx; struct rsa_session_info session; size_t length; mpz_t x; mpz_init(x); if (argc != 2) { werror("Usage: rsa-decrypt PRIVATE-KEY < ciphertext\n"); return EXIT_FAILURE; } rsa_private_key_init(&key); if (!read_rsa_key(argv[1], NULL, &key)) { werror("Invalid key\n"); return EXIT_FAILURE; } #ifdef WIN32 _setmode(0, O_BINARY); _setmode(1, O_BINARY); #endif if (!read_version(stdin)) { werror("Bad version number in input file.\n"); return EXIT_FAILURE; } if (!read_bignum(stdin, x)) { werror("Bad rsa header in input file.\n"); return EXIT_FAILURE; } length = sizeof(session.key); if (!rsa_decrypt(&key, &length, session.key, x) || length != sizeof(session.key)) { werror("Failed to decrypt rsa header in input file.\n"); return EXIT_FAILURE; } mpz_clear(x); rsa_session_set_decrypt_key(&ctx, &session); if (!process_file(&ctx, stdin, stdout)) return EXIT_FAILURE; rsa_private_key_clear(&key); return EXIT_SUCCESS; } nettle-4.0/examples/rsa-encrypt-test0000755000000000000000000000072115141166425014573 0ustar00#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-encrypt$EXEEXT ] ; then if $EMULATOR ./rsa-encrypt$EXEEXT -r rsa-decrypt$EXEEXT testkey.pub < "$data" > testciphertext ; then : else exit 1 fi if $EMULATOR ./rsa-decrypt$EXEEXT testkey < testciphertext > testcleartext ; then : else exit 1 fi if cmp "$data" testcleartext ; then exit 0 else exit 1 fi else exit 77 fi nettle-4.0/examples/rsa-encrypt.c0000644000000000000000000001320215141166425014032 0ustar00/* rsa-encrypt.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #ifdef WIN32 #include #endif /* string.h must be included before gmp.h */ #include "bignum.h" #include "buffer.h" #include "macros.h" #include "rsa.h" #include "yarrow.h" #include "io.h" #include "rsa-session.h" #include "getopt.h" void rsa_session_set_encrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key) { const uint8_t *aes_key = SESSION_AES_KEY(key); const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); aes256_set_encrypt_key(&ctx->aes.ctx, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } static int write_uint32(FILE *f, uint32_t n) { uint8_t buffer[4]; WRITE_UINT32(buffer, n); return write_data(f, sizeof(buffer), buffer); } static int write_version(FILE *f) { return write_uint32(f, 1); } static int write_bignum(FILE *f, mpz_t x) { unsigned size = nettle_mpz_sizeinbase_256_u(x); uint8_t *p; int res; if (!write_uint32(f, size)) return 0; p = xalloc(size); nettle_mpz_get_str_256(size, p, x); res = write_data(f, size, p); free(p); return res; } #define BLOCK_SIZE (AES_BLOCK_SIZE * 100) static int process_file(struct rsa_session *ctx, FILE *in, FILE *out) { uint8_t buffer[BLOCK_SIZE + SHA1_DIGEST_SIZE]; for (;;) { size_t size = fread(buffer, 1, BLOCK_SIZE, in); hmac_sha1_update(&ctx->hmac, size, buffer); if (size < BLOCK_SIZE) { unsigned leftover; unsigned padding; if (ferror(in)) { werror("Reading input failed: %s\n", strerror(errno)); return 0; } leftover = size % AES_BLOCK_SIZE; padding = AES_BLOCK_SIZE - leftover; assert (size + padding <= BLOCK_SIZE); if (padding > 1) yarrow256_random(&ctx->yarrow, padding - 1, buffer + size); size += padding; buffer[size - 1] = padding; CBC_ENCRYPT(&ctx->aes, aes256_encrypt, size, buffer, buffer); assert (size + SHA1_DIGEST_SIZE <= sizeof(buffer)); hmac_sha1_digest(&ctx->hmac, buffer + size); size += SHA1_DIGEST_SIZE; if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } return 1; } CBC_ENCRYPT(&ctx->aes, aes256_encrypt, size, buffer, buffer); if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } } } static void usage (FILE *out) { fprintf (out, "Usage: rsa-encrypt [OPTIONS] PUBLIC-KEY < cleartext\n" "Options:\n" " -r, --random=FILE seed file for randomness generator\n" " --help display this help\n"); } int main(int argc, char **argv) { struct rsa_session ctx; struct rsa_session_info info; struct rsa_public_key key; mpz_t x; int c; const char *random_name = NULL; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "o:r:", options, NULL)) != -1) switch (c) { case 'r': random_name = optarg; break; case '?': return EXIT_FAILURE; case OPT_HELP: usage(stdout); return EXIT_SUCCESS; default: abort(); } argv += optind; argc -= optind; if (argc != 1) { usage (stderr); return EXIT_FAILURE; } rsa_public_key_init(&key); if (!read_rsa_key(argv[0], &key, NULL)) { werror("Invalid key\n"); return EXIT_FAILURE; } /* NOTE: No sources */ yarrow256_init(&ctx.yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&ctx.yarrow, random_name)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } WRITE_UINT32(SESSION_VERSION(&info), RSA_VERSION); yarrow256_random(&ctx.yarrow, sizeof(info.key) - 4, info.key + 4); rsa_session_set_encrypt_key(&ctx, &info); #ifdef WIN32 _setmode(0, O_BINARY); _setmode(1, O_BINARY); #endif write_version(stdout); mpz_init(x); if (!rsa_encrypt(&key, &ctx.yarrow, (nettle_random_func *) yarrow256_random, sizeof(info.key), info.key, x)) { werror("RSA encryption failed.\n"); return EXIT_FAILURE; } write_bignum(stdout, x); mpz_clear (x); if (!process_file(&ctx, stdin, stdout)) return EXIT_FAILURE; rsa_public_key_clear(&key); return EXIT_SUCCESS; } nettle-4.0/examples/rsa-keygen.c0000644000000000000000000001107515141166425013636 0ustar00/* rsa-keygen.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "buffer.h" #include "rsa.h" #include "sexp.h" #include "yarrow.h" #include "io.h" #include "getopt.h" #define DEFAULT_KEYSIZE 2048 #define ESIZE 30 static void progress(void *ctx, int c) { (void) ctx; fputc(c, stderr); } static unsigned long uint_arg (char c, const char *arg) { unsigned long val; char *end; val = strtoul(arg, &end, 0); if (*arg == '\0' || *end != '\0') { werror ("Invalid integer argument for -%c option.\n", c); exit (EXIT_FAILURE); } return val; } int main(int argc, char **argv) { struct yarrow256_ctx yarrow; struct rsa_public_key pub; struct rsa_private_key priv; int c; char *pub_name = NULL; const char *priv_name = NULL; const char *random_name = NULL; struct nettle_buffer pub_buffer; struct nettle_buffer priv_buffer; unsigned long key_size = DEFAULT_KEYSIZE; unsigned long key_e = 0; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "o:r:e:s:", options, NULL)) != -1) switch (c) { case 'o': priv_name = optarg; break; case 'r': random_name = optarg; break; case 's': key_size = uint_arg ('s', optarg); break; case 'e': key_e = uint_arg ('e', optarg); break; case OPT_HELP: printf("FIXME: Usage information.\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } if (!priv_name) { werror("No filename provided.\n"); return EXIT_FAILURE; } pub_name = xalloc(strlen(priv_name) + 5); sprintf(pub_name, "%s.pub", priv_name); /* NOTE: No sources */ yarrow256_init(&yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&yarrow, random_name)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } rsa_public_key_init(&pub); rsa_private_key_init(&priv); if (key_e) mpz_set_ui (pub.e, key_e); if (!rsa_generate_keypair (&pub, &priv, (void *) &yarrow, (nettle_random_func *) yarrow256_random, NULL, progress, key_size, key_e == 0 ? ESIZE : 0)) { werror("Key generation failed.\n"); return EXIT_FAILURE; } nettle_buffer_init(&priv_buffer); nettle_buffer_init(&pub_buffer); if (!rsa_keypair_to_sexp(&pub_buffer, "rsa-pkcs1-sha1", &pub, NULL)) { werror("Formatting public key failed.\n"); return EXIT_FAILURE; } if (!rsa_keypair_to_sexp(&priv_buffer, "rsa-pkcs1-sha1", &pub, &priv)) { werror("Formatting private key failed.\n"); return EXIT_FAILURE; } if (!write_file(pub_name, pub_buffer.size, pub_buffer.contents)) { werror("Failed to write public key: %s\n", strerror(errno)); return EXIT_FAILURE; } /* NOTE: This doesn't set up paranoid access restrictions on the * private key file, like a serious key generation tool would do. */ if (!write_file(priv_name, priv_buffer.size, priv_buffer.contents)) { werror("Failed to write private key: %s\n", strerror(errno)); return EXIT_FAILURE; } nettle_buffer_clear(&priv_buffer); nettle_buffer_clear(&pub_buffer); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); free (pub_name); return EXIT_SUCCESS; } nettle-4.0/examples/rsa-session.h0000644000000000000000000000327315141166425014045 0ustar00/* Session key definitions for the rsa-encrypt and rsa-decrypt programs. */ #ifndef NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED #define NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED #include "aes.h" #include "cbc.h" #include "hmac.h" #define RSA_VERSION 1 /* Encryption program using the following file format: uint32_t version = 1; uint32_t nsize; uint8_t x[nsize]; uint8_t encrypted[n]; uint8_t hmac[SHA1_DIGEST_SIZE]; where x is the data uint32_t version = 1; uint8_t aes_key[AES_KEY_SIZE]; uint8_t iv[AES_BLOCK_SIZE]; uint8_t hmac_key[SHA1_DIGEST_SIZE]; of size (4 + AES256_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) = 72 bytes, encrypted using rsa-pkcs1. The cleartext input is encrypted using aes256-cbc. The final block is padded as | data | random octets | padding length | where the last octet is the padding length, a number between 1 and AES_BLOCK_SIZE (inclusive). */ struct rsa_session { struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; struct hmac_sha1_ctx hmac; struct yarrow256_ctx yarrow; }; struct rsa_session_info { /* Version followed by aes key, iv and mac key */ uint8_t key[4 + AES256_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE]; }; #define SESSION_VERSION(s) ((s)->key) #define SESSION_AES_KEY(s) ((s)->key + 4) #define SESSION_IV(s) ((s)->key + 4 + AES256_KEY_SIZE) #define SESSION_HMAC_KEY(s) ((s)->key + 4 + AES256_KEY_SIZE + AES_BLOCK_SIZE) void rsa_session_set_encrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key); void rsa_session_set_decrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key); #endif /* NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED */ nettle-4.0/examples/rsa-sign-test0000755000000000000000000000037515141166425014054 0ustar00#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-sign$EXEEXT ] ; then if $EMULATOR ./rsa-sign$EXEEXT testkey < "$data" > testsignature ; then exit 0; else exit 1 fi else exit 77 fi nettle-4.0/examples/rsa-sign.c0000644000000000000000000000405415141166425013313 0ustar00/* rsa-sign.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include /* string.h must be included before gmp.h */ #include "rsa.h" #include "io.h" int main(int argc, char **argv) { struct rsa_private_key key; struct sha1_ctx hash; mpz_t s; if (argc != 2) { werror("Usage: rsa-sign PRIVATE-KEY < file\n"); return EXIT_FAILURE; } rsa_private_key_init(&key); if (!read_rsa_key(argv[1], NULL, &key)) { werror("Invalid key\n"); return EXIT_FAILURE; } sha1_init(&hash); if (!hash_file(&nettle_sha1, &hash, stdin)) { werror("Failed reading stdin: %s\n", strerror(errno)); return 0; } mpz_init(s); if (!rsa_sha1_sign(&key, &hash, s)) { werror("RSA key too small\n"); return 0; } if (!mpz_out_str(stdout, 16, s)) { werror("Failed writing signature: %s\n", strerror(errno)); return 0; } putchar('\n'); mpz_clear(s); rsa_private_key_clear(&key); return EXIT_SUCCESS; } nettle-4.0/examples/rsa-verify-test0000755000000000000000000000124015141166425014410 0ustar00#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-verify$EXEEXT ] ; then $EMULATOR ./rsa-sign$EXEEXT testkey < "$data" > testsignature \ && $EMULATOR ./rsa-verify$EXEEXT testkey.pub testsignature < "$data" \ || exit 1; # Try modifying the data sed s/128/129/ < "$data" >testdata if $EMULATOR ./rsa-verify$EXEEXT testkey.pub testsignature < testdata 2>/dev/null; then exit 1 fi # Try modifying the signature sed s/1/2/ testsignature2 if $EMULATOR ./rsa-verify$EXEEXT testkey.pub testsignature2 < "$data" 2>/dev/null; then exit 1; fi exit 0 else exit 77 fi nettle-4.0/examples/rsa-verify.c0000644000000000000000000000444515141166425013663 0ustar00/* rsa-verify.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "rsa.h" #include "io.h" static int read_signature(const char *name, mpz_t s) { uint8_t *buffer; unsigned length; int res; length = read_file(name, 0, &buffer); if (!length) return 0; res = (mpz_set_str(s, (const char *) buffer, 16) == 0); free(buffer); return res; } int main(int argc, char **argv) { struct rsa_public_key key; struct sha1_ctx hash; mpz_t s; if (argc != 3) { werror("Usage: rsa-verify PUBLIC-KEY SIGNATURE-FILE < FILE\n"); return EXIT_FAILURE; } rsa_public_key_init(&key); if (!read_rsa_key(argv[1], &key, NULL)) { werror("Invalid key\n"); return EXIT_FAILURE; } mpz_init(s); if (!read_signature(argv[2], s)) { werror("Failed to read signature file `%s'\n", argv[2]); return EXIT_FAILURE; } sha1_init(&hash); if (!hash_file(&nettle_sha1, &hash, stdin)) { werror("Failed reading stdin: %s\n", strerror(errno)); return 0; } if (!rsa_sha1_verify(&key, &hash, s)) { werror("Invalid signature!\n"); return EXIT_FAILURE; } mpz_clear(s); rsa_public_key_clear(&key); return EXIT_SUCCESS; } nettle-4.0/examples/setup-env0000755000000000000000000000020515141166425013272 0ustar00#! /bin/sh set -e if [ -x rsa-keygen$EXEEXT ] ; then $EMULATOR ./rsa-keygen$EXEEXT -r rsa-decrypt$EXEEXT -o testkey || exit 1 fi nettle-4.0/examples/teardown-env0000755000000000000000000000017615141166425013764 0ustar00#! /bin/sh rm -rf testkey testkey.pub testsignature testsignature2 \ testdata testtmp \ testciphertext testcleartext nettle-4.0/examples/timing.c0000644000000000000000000000522415141166425013057 0ustar00/* timing.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "timing.h" #include #include #include #include #include #include #if HAVE_CLOCK_GETTIME && defined CLOCK_PROCESS_CPUTIME_ID #define TRY_CLOCK_GETTIME 1 struct timespec cgt_start; static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static int cgt_works_p(void) { struct timespec now; return clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &now) == 0; } static void cgt_time_start(void) { if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &cgt_start) < 0) die("clock_gettime failed: %s\n", strerror(errno)); } static double cgt_time_end(void) { struct timespec end; if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &end) < 0) die("clock_gettime failed: %s\n", strerror(errno)); return end.tv_sec - cgt_start.tv_sec + 1e-9 * (end.tv_nsec - cgt_start.tv_nsec); } #endif /* !HAVE_CLOCK_GETTIME */ static clock_t clock_start; static void clock_time_start(void) { clock_start = clock(); } static double clock_time_end(void) { return (double) (clock() - (clock_start)) / CLOCKS_PER_SEC; } void (*time_start)(void) = clock_time_start; double (*time_end)(void) = clock_time_end; void time_init(void) { /* Choose timing function */ #if TRY_CLOCK_GETTIME if (cgt_works_p()) { time_start = cgt_time_start; time_end = cgt_time_end; } else { fprintf(stderr, "clock_gettime not working, falling back to clock\n"); time_start = clock_time_start; time_end = clock_time_end; } #endif } nettle-4.0/examples/timing.h0000644000000000000000000000232415141166425013062 0ustar00/* timing.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EXAMPLES_TIMING_H_INCLUDED #define NETTLE_EXAMPLES_TIMING_H_INCLUDED void time_init(void); extern void (*time_start)(void); extern double (*time_end)(void); #endif /* NETTLE_EXAMPLES_TIMING_H_INCLUDED */ nettle-4.0/fat-arm.c0000644000000000000000000002172315141166424011302 0ustar00/* fat-arm.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-types.h" #include "aes-internal.h" #include "chacha-internal.h" #include "salsa20-internal.h" #include "fat-setup.h" struct arm_features { /* /proc/cpuinfo "CPU Architecture" doesn't correspond exactly to ARM architecture version, but it's good enough for our purposes. Will be set to 5, 6, 7 or 8. */ unsigned arch_version; int have_neon; }; #define SKIP(s, slen, literal, llen) \ (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ ? ((slen) -= (llen), (s) += (llen), 1) : 0) #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_arm_features (struct arm_features *features) { const char *s; features->arch_version = 5; features->have_neon = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (SKIP (s, length, "arch:", 5)) { if (length == 1 && *s >= '0' && *s <= '9') features->arch_version = *s - '0'; } else if (MATCH (s, length, "neon", 4)) features->have_neon = 1; if (!sep) break; s = sep + 1; } else { FILE *f; char line[200]; int seen_arch = 0; int seen_features = 0; f = fopen ("/proc/cpuinfo", "r"); if (!f) return; while (seen_features + seen_arch < 2 && fgets (line, sizeof(line), f)) { char *sep; char *p; sep = strchr (line, ':'); if (!sep) continue; for (p = sep; p - line > 0 && p[-1] == '\t'; p--) ; *p = '\0'; p = sep+1; if (strcmp (line, "Features") == 0) { features->have_neon = (strstr (p, " neon ") != NULL); seen_features = 1; } else if (strcmp (line, "CPU architecture") == 0) { /* Don't use strtol, since it's locale dependent. */ while (p[0] == ' ') p++; if (p[0] > '5' && p[0] <= '9') features->arch_version = p[0] - '0'; else if (strcmp (p, "AArch64") == 0) features->arch_version = 8; seen_arch = 1; } } if (features->arch_version >= 8) { /* Neon is not required, and maybe not listed in feature flags */ features->have_neon = 1; } fclose (f); } } DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, arm) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, armv6) DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, arm) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, armv6) DECLARE_FAT_FUNC(_nettle_salsa20_crypt, salsa20_crypt_func) DECLARE_FAT_FUNC_VAR(salsa20_crypt, salsa20_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(salsa20_crypt, salsa20_crypt_func, 2core) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, armv6) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, armv6) DECLARE_FAT_FUNC(_nettle_sha512_compress, sha512_compress_func) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, c) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, neon) DECLARE_FAT_FUNC(nettle_sha3_permute, sha3_permute_func) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, c) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, neon) DECLARE_FAT_FUNC(_nettle_umac_nh, umac_nh_func) DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, c) DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, neon) DECLARE_FAT_FUNC(_nettle_umac_nh_n, umac_nh_n_func) DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, c) DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, neon) DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 3core) DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 3core) static void CONSTRUCTOR fat_init (void) { struct arm_features features; int verbose; get_arm_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: cpu features: arch:%d%s\n", features.arch_version, features.have_neon ? ",neon" : ""); if (features.arch_version >= 6) { if (verbose) fprintf (stderr, "libnettle: enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_armv6; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_armv6; nettle_sha1_compress_vec = _nettle_sha1_compress_armv6; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_armv6; } else { if (verbose) fprintf (stderr, "libnettle: not enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_arm; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_arm; nettle_sha1_compress_vec = _nettle_sha1_compress_c; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } if (features.have_neon) { if (verbose) fprintf (stderr, "libnettle: enabling neon code.\n"); _nettle_salsa20_crypt_vec = _nettle_salsa20_crypt_2core; _nettle_sha512_compress_vec = _nettle_sha512_compress_neon; nettle_sha3_permute_vec = _nettle_sha3_permute_neon; _nettle_umac_nh_vec = _nettle_umac_nh_neon; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_neon; nettle_chacha_crypt_vec = _nettle_chacha_crypt_3core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_3core; } else { if (verbose) fprintf (stderr, "libnettle: not enabling neon code.\n"); _nettle_salsa20_crypt_vec = _nettle_salsa20_crypt_1core; _nettle_sha512_compress_vec = _nettle_sha512_compress_c; nettle_sha3_permute_vec = _nettle_sha3_permute_c; _nettle_umac_nh_vec = _nettle_umac_nh_c; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_c; nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; } } DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_salsa20_crypt, void, (struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src), (ctx, rounds, length, dst, src)) DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) DEFINE_FAT_FUNC(_nettle_sha512_compress, void, (uint64_t *state, const uint8_t *input, const uint64_t *k), (state, input, k)) DEFINE_FAT_FUNC(nettle_sha3_permute, void, (struct sha3_state *state), (state)) DEFINE_FAT_FUNC(_nettle_umac_nh, uint64_t, (const uint32_t *key, unsigned length, const uint8_t *msg), (key, length, msg)) DEFINE_FAT_FUNC(_nettle_umac_nh_n, void, (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg), (out, n, key, length, msg)) DEFINE_FAT_FUNC(nettle_chacha_crypt, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) nettle-4.0/fat-arm64.c0000644000000000000000000002504715141166424011457 0ustar00/* fat-arm64.c Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #if defined(__linux__) && defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # define USE_GETAUXVAL 1 # endif #elif __ANDROID_API__ >= 18 # define USE_GETAUXVAL 1 #endif #if USE_GETAUXVAL # include # include #elif defined(HAVE_ELF_AUX_INFO) # include #elif defined(__OpenBSD__) # include # include # include #elif defined(__APPLE__) # include #endif #include "nettle-types.h" #include "aes.h" #include "ghash-internal.h" #include "fat-setup.h" /* Defines from arch/arm64/include/uapi/asm/hwcap.h in Linux kernel */ #ifndef HWCAP_ASIMD #define HWCAP_ASIMD (1 << 1) #endif #ifndef HWCAP_AES #define HWCAP_AES (1 << 3) #endif #ifndef HWCAP_PMULL #define HWCAP_PMULL (1 << 4) #endif #ifndef HWCAP_SHA1 #define HWCAP_SHA1 (1 << 5) #endif #ifndef HWCAP_SHA2 #define HWCAP_SHA2 (1 << 6) #endif struct arm64_features { int have_aes; int have_pmull; int have_sha1; int have_sha2; }; #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) #if defined(__APPLE__) static int check_sysctlbyname(const char* name) { int val; size_t s = sizeof(val); return sysctlbyname(name, &val, &s, NULL, 0) ? 0 : val; } #endif static void get_arm64_features (struct arm64_features *features) { const char *s; features->have_aes = 0; features->have_pmull = 0; features->have_sha1 = 0; features->have_sha2 = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (MATCH (s, length, "aes", 3)) features->have_aes = 1; else if (MATCH (s, length, "pmull", 5)) features->have_pmull = 1; else if (MATCH (s, length, "sha1", 4)) features->have_sha1 = 1; else if (MATCH (s, length, "sha2", 4)) features->have_sha2 = 1; if (!sep) break; s = sep + 1; } else { #if USE_GETAUXVAL || defined(HAVE_ELF_AUX_INFO) unsigned long hwcap = 0; #if USE_GETAUXVAL hwcap = getauxval(AT_HWCAP); #elif defined(HAVE_ELF_AUX_INFO) elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)); #endif features->have_aes = ((hwcap & (HWCAP_ASIMD | HWCAP_AES)) == (HWCAP_ASIMD | HWCAP_AES)); features->have_pmull = ((hwcap & (HWCAP_ASIMD | HWCAP_PMULL)) == (HWCAP_ASIMD | HWCAP_PMULL)); features->have_sha1 = ((hwcap & (HWCAP_ASIMD | HWCAP_SHA1)) == (HWCAP_ASIMD | HWCAP_SHA1)); features->have_sha2 = ((hwcap & (HWCAP_ASIMD | HWCAP_SHA2)) == (HWCAP_ASIMD | HWCAP_SHA2)); #elif defined(__OpenBSD__) const int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; uint64_t isar0; size_t len = sizeof(isar0); if (sysctl(isar0_mib, 2, &isar0, &len, NULL, 0) < 0) return; features->have_aes = (ID_AA64ISAR0_AES(isar0) >= ID_AA64ISAR0_AES_BASE); features->have_pmull = (ID_AA64ISAR0_AES(isar0) >= ID_AA64ISAR0_AES_PMULL); features->have_sha1 = (ID_AA64ISAR0_SHA1(isar0) >= ID_AA64ISAR0_SHA1_BASE); features->have_sha2 = (ID_AA64ISAR0_SHA2(isar0) >= ID_AA64ISAR0_SHA2_BASE); #elif defined(__APPLE__) /* See https://developer.apple.com/documentation/kernel/1387446-sysctlbyname/determining_instruction_set_characteristics */ features->have_aes = check_sysctlbyname("hw.optional.arm.FEAT_AES"); features->have_pmull = check_sysctlbyname("hw.optional.arm.FEAT_PMULL"); features->have_sha1 = check_sysctlbyname("hw.optional.arm.FEAT_SHA1"); features->have_sha2 = check_sysctlbyname("hw.optional.arm.FEAT_SHA256"); #endif } } DECLARE_FAT_FUNC(nettle_aes128_encrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes128_decrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes192_encrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes192_decrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes256_encrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes256_decrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, arm64) DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, arm64) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, c) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, arm64) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, arm64) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, arm64) static void CONSTRUCTOR fat_init (void) { struct arm64_features features; int verbose; get_arm64_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: cpu features:%s%s%s%s\n", features.have_aes ? " aes instructions" : "", features.have_pmull ? " polynomial multiply long instructions (PMULL/PMULL2)" : "", features.have_sha1 ? " sha1 instructions" : "", features.have_sha2 ? " sha2 instructions" : ""); if (features.have_aes) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES encrypt/decrypt code.\n"); nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_arm64; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_arm64; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_arm64; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_arm64; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_arm64; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_arm64; } else { nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_c; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_c; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_c; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_c; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_c; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_c; } if (features.have_pmull) { if (verbose) fprintf (stderr, "libnettle: enabling hardware-accelerated polynomial multiply code.\n"); /* Make sure _nettle_ghash_set_key_vec function is compatible with _nettle_ghash_update_vec function e.g. _nettle_ghash_key_c() fills gcm_key table with values that are incompatible with _nettle_ghash_update_arm64() */ _nettle_ghash_set_key_vec = _nettle_ghash_set_key_arm64; _nettle_ghash_update_vec = _nettle_ghash_update_arm64; } else { _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_c; } if (features.have_sha1) { if (verbose) fprintf (stderr, "libnettle: enabling hardware-accelerated sha1 compress code.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_arm64; } else { nettle_sha1_compress_vec = _nettle_sha1_compress_c; } if (features.have_sha2) { if (verbose) fprintf (stderr, "libnettle: enabling hardware-accelerated sha256 compress code.\n"); _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_arm64; } else { _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } } DEFINE_FAT_FUNC(nettle_aes128_encrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes128_decrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_encrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_decrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_encrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_decrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) nettle-4.0/fat-ppc.c0000644000000000000000000003015715141166424011306 0ustar00/* fat-ppc.c Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #if defined(_AIX) # include #elif defined(__linux__) && defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # define USE_GETAUXVAL 1 # include # include # endif #elif defined(__FreeBSD__) || defined(__OpenBSD__) # include # ifdef PPC_FEATURE2_HAS_VEC_CRYPTO # define PPC_FEATURE2_VEC_CRYPTO PPC_FEATURE2_HAS_VEC_CRYPTO # endif # ifdef HAVE_ELF_AUX_INFO # include # elif defined(__FreeBSD__) # include # endif #endif #include "nettle-types.h" #include "aes-internal.h" #include "chacha-internal.h" #include "ghash-internal.h" #include "poly1305.h" #include "fat-setup.h" /* Defines from arch/powerpc/include/uapi/asm/cputable.h in Linux kernel */ #ifndef PPC_FEATURE_HAS_ALTIVEC #define PPC_FEATURE_HAS_ALTIVEC 0x10000000 #endif #ifndef PPC_FEATURE_HAS_VSX #define PPC_FEATURE_HAS_VSX 0x00000080 #endif #ifndef PPC_FEATURE2_VEC_CRYPTO #define PPC_FEATURE2_VEC_CRYPTO 0x02000000 #endif #ifndef PPC_FEATURE2_ARCH_3_00 #define PPC_FEATURE2_ARCH_3_00 0x00800000 #endif struct ppc_features { int have_crypto_ext; int have_altivec; int have_power9; }; #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_ppc_features (struct ppc_features *features) { const char *s; features->have_crypto_ext = 0; features->have_altivec = 0; features->have_power9 = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (MATCH (s, length, "crypto_ext", 10)) features->have_crypto_ext = 1; else if (MATCH(s, length, "altivec", 7)) features->have_altivec = 1; else if (MATCH(s, length, "power9", 6)) features->have_power9 = 1; if (!sep) break; s = sep + 1; } else { #if defined(_AIX) features->have_crypto_ext = _system_configuration.implementation >= 0x10000u; features->have_altivec = _system_configuration.vmx_version > 1; #else unsigned long hwcap = 0; unsigned long hwcap2 = 0; # if USE_GETAUXVAL hwcap = getauxval(AT_HWCAP); hwcap2 = getauxval(AT_HWCAP2); # elif defined(HAVE_ELF_AUX_INFO) elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)); elf_aux_info(AT_HWCAP2, &hwcap2, sizeof(hwcap2)); # elif defined(__FreeBSD__) size_t len; len = sizeof(hwcap); sysctlbyname("hw.cpu_features", &hwcap, &len, NULL, 0); len = sizeof(hwcap2); sysctlbyname("hw.cpu_features2", &hwcap2, &len, NULL, 0); # endif features->have_crypto_ext = ((hwcap2 & PPC_FEATURE2_VEC_CRYPTO) == PPC_FEATURE2_VEC_CRYPTO); features->have_power9 = ((hwcap2 & PPC_FEATURE2_ARCH_3_00) == PPC_FEATURE2_ARCH_3_00); /* We also need VSX instructions, mainly for load and store. */ features->have_altivec = ((hwcap & (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX)) == (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX)); #endif } } DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, c) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, ppc64) DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, c) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, ppc64) DECLARE_FAT_FUNC(_nettle_aes_invert, aes_invert_internal_func) DECLARE_FAT_FUNC_VAR(aes_invert, aes_invert_internal_func, c) DECLARE_FAT_FUNC_VAR(aes_invert, aes_invert_internal_func, ppc64) DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, ppc64) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, c) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, ppc64) DECLARE_FAT_FUNC(_nettle_gcm_aes_encrypt, gcm_aes_crypt_func) DECLARE_FAT_FUNC_VAR(gcm_aes_encrypt, gcm_aes_crypt_func, c) DECLARE_FAT_FUNC_VAR(gcm_aes_encrypt, gcm_aes_crypt_func, ppc64) DECLARE_FAT_FUNC(_nettle_gcm_aes_decrypt, gcm_aes_crypt_func) DECLARE_FAT_FUNC_VAR(gcm_aes_decrypt, gcm_aes_crypt_func, c) DECLARE_FAT_FUNC_VAR(gcm_aes_decrypt, gcm_aes_crypt_func, ppc64) DECLARE_FAT_FUNC(_nettle_chacha_core, chacha_core_func) DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, c) DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, altivec) DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 3core) DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 3core) DECLARE_FAT_FUNC(_nettle_poly1305_set_key, poly1305_set_key_func) DECLARE_FAT_FUNC_VAR(poly1305_set_key, poly1305_set_key_func, c) DECLARE_FAT_FUNC_VAR(poly1305_set_key, poly1305_set_key_func, ppc64) DECLARE_FAT_FUNC(_nettle_poly1305_block, poly1305_block_func) DECLARE_FAT_FUNC_VAR(poly1305_block, poly1305_block_func, c) DECLARE_FAT_FUNC_VAR(poly1305_block, poly1305_block_func, ppc64) DECLARE_FAT_FUNC(_nettle_poly1305_digest, poly1305_digest_func) DECLARE_FAT_FUNC_VAR(poly1305_digest, poly1305_digest_func, c) DECLARE_FAT_FUNC_VAR(poly1305_digest, poly1305_digest_func, ppc64) DECLARE_FAT_FUNC(_nettle_poly1305_blocks, poly1305_blocks_func) DECLARE_FAT_FUNC_VAR(poly1305_blocks, poly1305_blocks_func, c) DECLARE_FAT_FUNC_VAR(poly1305_blocks, poly1305_blocks_func, ppc64) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, ppc64) /* Nop implementation for _gcm_aes_encrypt and _gcm_aes_decrypt. */ static size_t gcm_aes_crypt_c (struct gcm_key *key UNUSED, unsigned rounds UNUSED, size_t size UNUSED, uint8_t *dst UNUSED, const uint8_t *src UNUSED) { return 0; } static void CONSTRUCTOR fat_init (void) { struct ppc_features features; int verbose; get_ppc_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: cpu features: %s\n", features.have_crypto_ext ? "crypto extensions" : ""); if (features.have_crypto_ext) { if (verbose) fprintf (stderr, "libnettle: enabling arch 2.07 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_ppc64; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_ppc64; _nettle_aes_invert_vec = _nettle_aes_invert_ppc64; /* Make sure _nettle_ghash_set_key_vec function is compatible with _nettle_ghash_update_vec function e.g. _nettle_ghash_key_c() fills gcm_key table with values that are incompatible with _nettle_ghash_update_arm64() */ _nettle_ghash_set_key_vec = _nettle_ghash_set_key_ppc64; _nettle_ghash_update_vec = _nettle_ghash_update_ppc64; _nettle_gcm_aes_encrypt_vec = _nettle_gcm_aes_encrypt_ppc64; _nettle_gcm_aes_decrypt_vec = _nettle_gcm_aes_decrypt_ppc64; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_ppc64; } else { _nettle_aes_encrypt_vec = _nettle_aes_encrypt_c; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_c; _nettle_aes_invert_vec = _nettle_aes_invert_c; _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_c; _nettle_gcm_aes_encrypt_vec = gcm_aes_crypt_c; _nettle_gcm_aes_decrypt_vec = gcm_aes_crypt_c; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } if (features.have_altivec) { if (verbose) fprintf (stderr, "libnettle: enabling altivec code.\n"); _nettle_chacha_core_vec = _nettle_chacha_core_altivec; nettle_chacha_crypt_vec = _nettle_chacha_crypt_4core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_4core; } else { _nettle_chacha_core_vec = _nettle_chacha_core_c; nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; } if (features.have_power9) { if (verbose) fprintf (stderr, "libnettle: enabling arch 3.00 code.\n"); _nettle_poly1305_set_key_vec = _nettle_poly1305_set_key_ppc64; _nettle_poly1305_block_vec = _nettle_poly1305_block_ppc64; _nettle_poly1305_digest_vec = _nettle_poly1305_digest_ppc64; _nettle_poly1305_blocks_vec = _nettle_poly1305_blocks_ppc64; } else { _nettle_poly1305_set_key_vec = _nettle_poly1305_set_key_c; _nettle_poly1305_block_vec = _nettle_poly1305_block_c; _nettle_poly1305_digest_vec = _nettle_poly1305_digest_c; _nettle_poly1305_blocks_vec = _nettle_poly1305_blocks_c; } } DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_invert, void, (unsigned rounds, uint32_t *dst, const uint32_t *src), (rounds, dst, src)) DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) DEFINE_FAT_FUNC(_nettle_gcm_aes_encrypt, size_t, (struct gcm_key *key, unsigned rounds, size_t len, uint8_t *dst, const uint8_t *src), (key, rounds, len, dst, src)) DEFINE_FAT_FUNC(_nettle_gcm_aes_decrypt, size_t, (struct gcm_key *key, unsigned rounds, size_t len, uint8_t *dst, const uint8_t *src), (key, rounds, len, dst, src)) DEFINE_FAT_FUNC(_nettle_chacha_core, void, (uint32_t *dst, const uint32_t *src, unsigned rounds), (dst, src, rounds)) DEFINE_FAT_FUNC(nettle_chacha_crypt, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(_nettle_poly1305_set_key, void, (struct poly1305_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_poly1305_block, void, (struct poly1305_ctx *ctx, const uint8_t *m, unsigned high), (ctx, m, high)) DEFINE_FAT_FUNC(_nettle_poly1305_digest, void, (struct poly1305_ctx *ctx, union nettle_block16 *s), (ctx, s)) DEFINE_FAT_FUNC(_nettle_poly1305_blocks, const uint8_t *, (struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m), (ctx, blocks, m)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) nettle-4.0/fat-s390x.c0000644000000000000000000004424215141166424011412 0ustar00/* fat-s390x.c Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #if defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # define USE_GETAUXVAL 1 # include # endif #endif #include "nettle-types.h" #include "memxor.h" #include "aes-internal.h" #include "chacha-internal.h" #include "ghash-internal.h" #include "fat-setup.h" /* Max number of doublewords returned by STFLE */ #define FACILITY_DOUBLEWORDS_MAX 3 #define FACILITY_INDEX(bit) ((bit) / 64) /* STFLE and cipher query store doublewords as bit-reversed. reverse facility bit or function code in doubleword */ #define FACILITY_BIT(bit) (1ULL << (63 - (bit) % 64)) /* Define from arch/s390/include/asm/elf.h in Linux kernel */ #ifndef HWCAP_S390_STFLE #define HWCAP_S390_STFLE 4 #endif /* Facility bits */ #define FAC_VF 129 /* vector facility */ #define FAC_MSA 17 /* message-security assist */ #define FAC_MSA_X4 77 /* message-security-assist extension 4 */ /* Function codes */ #define AES_128_CODE 18 #define AES_192_CODE 19 #define AES_256_CODE 20 #define SHA_1_CODE 1 #define SHA_256_CODE 2 #define SHA_512_CODE 3 #define GHASH_CODE 65 struct s390x_features { int have_vector_facility; int have_km_aes128; int have_km_aes192; int have_km_aes256; int have_kimd_sha_1; int have_kimd_sha_256; int have_kimd_sha_512; int have_kimd_ghash; }; void _nettle_stfle(uint64_t *facility, uint64_t facility_size); void _nettle_km_status(uint64_t *status); void _nettle_kimd_status(uint64_t *status); #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_s390x_features (struct s390x_features *features) { features->have_vector_facility = 0; features->have_km_aes128 = 0; features->have_km_aes192 = 0; features->have_km_aes256 = 0; features->have_kimd_sha_1 = 0; features->have_kimd_sha_256 = 0; features->have_kimd_sha_512 = 0; features->have_kimd_ghash = 0; const char *s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (MATCH (s, length, "vf", 2)) features->have_vector_facility = 1; else if (MATCH (s, length, "msa", 3)) features->have_kimd_sha_1 = 1; else if (MATCH (s, length, "msa_x1", 6)) { features->have_km_aes128 = 1; features->have_kimd_sha_256 = 1; } else if (MATCH (s, length, "msa_x2", 6)) { features->have_km_aes192 = 1; features->have_km_aes256 = 1; features->have_kimd_sha_512 = 1; } else if (MATCH (s, length, "msa_x4", 6)) features->have_kimd_ghash = 1; if (!sep) break; s = sep + 1; } else { #if USE_GETAUXVAL unsigned long hwcap = getauxval(AT_HWCAP); if (hwcap & HWCAP_S390_STFLE) { uint64_t facilities[FACILITY_DOUBLEWORDS_MAX] = {0}; _nettle_stfle(facilities, FACILITY_DOUBLEWORDS_MAX); if (facilities[FACILITY_INDEX(FAC_VF)] & FACILITY_BIT(FAC_VF)) features->have_vector_facility = 1; if (facilities[FACILITY_INDEX(FAC_MSA)] & FACILITY_BIT(FAC_MSA)) { uint64_t query_status[2] = {0}; _nettle_km_status(query_status); if (query_status[FACILITY_INDEX(AES_128_CODE)] & FACILITY_BIT(AES_128_CODE)) features->have_km_aes128 = 1; if (query_status[FACILITY_INDEX(AES_192_CODE)] & FACILITY_BIT(AES_192_CODE)) features->have_km_aes192 = 1; if (query_status[FACILITY_INDEX(AES_256_CODE)] & FACILITY_BIT(AES_256_CODE)) features->have_km_aes256 = 1; memset(query_status, 0, sizeof(query_status)); _nettle_kimd_status(query_status); if (query_status[FACILITY_INDEX(SHA_1_CODE)] & FACILITY_BIT(SHA_1_CODE)) features->have_kimd_sha_1 = 1; if (query_status[FACILITY_INDEX(SHA_256_CODE)] & FACILITY_BIT(SHA_256_CODE)) features->have_kimd_sha_256 = 1; if (query_status[FACILITY_INDEX(SHA_512_CODE)] & FACILITY_BIT(SHA_512_CODE)) features->have_kimd_sha_512 = 1; } if (facilities[FACILITY_INDEX(FAC_MSA_X4)] & FACILITY_BIT(FAC_MSA_X4)) { uint64_t query_status[2] = {0}; _nettle_kimd_status(query_status); if (query_status[FACILITY_INDEX(GHASH_CODE)] & FACILITY_BIT(GHASH_CODE)) features->have_kimd_ghash = 1; } } #endif } } /* MEMXOR3 */ DECLARE_FAT_FUNC(nettle_memxor3, memxor3_func) DECLARE_FAT_FUNC_VAR(memxor3, memxor3_func, c) DECLARE_FAT_FUNC_VAR(memxor3, memxor3_func, s390x) /* AES128 */ DECLARE_FAT_FUNC(nettle_aes128_set_encrypt_key, aes128_set_key_func) DECLARE_FAT_FUNC_VAR(aes128_set_encrypt_key, aes128_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes128_set_encrypt_key, aes128_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_set_decrypt_key, aes128_set_key_func) DECLARE_FAT_FUNC_VAR(aes128_set_decrypt_key, aes128_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes128_set_decrypt_key, aes128_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_invert_key, aes128_invert_key_func) DECLARE_FAT_FUNC_VAR(aes128_invert_key, aes128_invert_key_func, c) DECLARE_FAT_FUNC_VAR(aes128_invert_key, aes128_invert_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_encrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_decrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, s390x) /* AES192 */ DECLARE_FAT_FUNC(nettle_aes192_set_encrypt_key, aes192_set_key_func) DECLARE_FAT_FUNC_VAR(aes192_set_encrypt_key, aes192_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes192_set_encrypt_key, aes192_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_set_decrypt_key, aes192_set_key_func) DECLARE_FAT_FUNC_VAR(aes192_set_decrypt_key, aes192_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes192_set_decrypt_key, aes192_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_invert_key, aes192_invert_key_func) DECLARE_FAT_FUNC_VAR(aes192_invert_key, aes192_invert_key_func, c) DECLARE_FAT_FUNC_VAR(aes192_invert_key, aes192_invert_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_encrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_decrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, s390x) /* AES256 */ DECLARE_FAT_FUNC(nettle_aes256_set_encrypt_key, aes256_set_key_func) DECLARE_FAT_FUNC_VAR(aes256_set_encrypt_key, aes256_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes256_set_encrypt_key, aes256_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_set_decrypt_key, aes256_set_key_func) DECLARE_FAT_FUNC_VAR(aes256_set_decrypt_key, aes256_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes256_set_decrypt_key, aes256_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_invert_key, aes256_invert_key_func) DECLARE_FAT_FUNC_VAR(aes256_invert_key, aes256_invert_key_func, c) DECLARE_FAT_FUNC_VAR(aes256_invert_key, aes256_invert_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_encrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_decrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, s390x) /* GHASH */ DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, s390x) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, c) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, s390x) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, s390x) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, s390x) DECLARE_FAT_FUNC(_nettle_sha512_compress, sha512_compress_func) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, c) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, s390x) DECLARE_FAT_FUNC(nettle_sha3_permute, sha3_permute_func) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, c) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, s390x) DECLARE_FAT_FUNC(_nettle_chacha_core, chacha_core_func) DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, c) DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, s390x) DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 4core) DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 4core) static void CONSTRUCTOR fat_init (void) { struct s390x_features features; int verbose; get_s390x_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; /* MEMXOR3 */ if (features.have_vector_facility) { if (verbose) fprintf (stderr, "libnettle: enabling vector facility code.\n"); nettle_memxor3_vec = _nettle_memxor3_s390x; nettle_sha3_permute_vec = _nettle_sha3_permute_s390x; _nettle_chacha_core_vec = _nettle_chacha_core_s390x; nettle_chacha_crypt_vec = _nettle_chacha_crypt_4core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_4core; } else { nettle_memxor3_vec = _nettle_memxor3_c; nettle_sha3_permute_vec = _nettle_sha3_permute_c; _nettle_chacha_core_vec = _nettle_chacha_core_c; nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; } /* AES128 */ if (features.have_km_aes128) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES128 EBC mode.\n"); nettle_aes128_set_encrypt_key_vec = _nettle_aes128_set_encrypt_key_s390x; nettle_aes128_set_decrypt_key_vec = _nettle_aes128_set_decrypt_key_s390x; nettle_aes128_invert_key_vec = _nettle_aes128_invert_key_s390x; nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_s390x; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_s390x; } else { nettle_aes128_set_encrypt_key_vec = _nettle_aes128_set_encrypt_key_c; nettle_aes128_set_decrypt_key_vec = _nettle_aes128_set_decrypt_key_c; nettle_aes128_invert_key_vec = _nettle_aes128_invert_key_c; nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_c; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_c; } /* AES192 */ if (features.have_km_aes192) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES192 EBC mode.\n"); nettle_aes192_set_encrypt_key_vec = _nettle_aes192_set_encrypt_key_s390x; nettle_aes192_set_decrypt_key_vec = _nettle_aes192_set_decrypt_key_s390x; nettle_aes192_invert_key_vec = _nettle_aes192_invert_key_s390x; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_s390x; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_s390x; } else { nettle_aes192_set_encrypt_key_vec = _nettle_aes192_set_encrypt_key_c; nettle_aes192_set_decrypt_key_vec = _nettle_aes192_set_decrypt_key_c; nettle_aes192_invert_key_vec = _nettle_aes192_invert_key_c; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_c; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_c; } /* AES256 */ if (features.have_km_aes256) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES256 EBC mode.\n"); nettle_aes256_set_encrypt_key_vec = _nettle_aes256_set_encrypt_key_s390x; nettle_aes256_set_decrypt_key_vec = _nettle_aes256_set_decrypt_key_s390x; nettle_aes256_invert_key_vec = _nettle_aes256_invert_key_s390x; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_s390x; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_s390x; } else { nettle_aes256_set_encrypt_key_vec = _nettle_aes256_set_encrypt_key_c; nettle_aes256_set_decrypt_key_vec = _nettle_aes256_set_decrypt_key_c; nettle_aes256_invert_key_vec = _nettle_aes256_invert_key_c; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_c; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_c; } /* GHASH */ if (features.have_kimd_ghash) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated GHASH.\n"); _nettle_ghash_set_key_vec = _nettle_ghash_set_key_s390x; _nettle_ghash_update_vec = _nettle_ghash_update_s390x; } else { _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_c; } /* SHA1 */ if (features.have_kimd_sha_1) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated SHA1 compress code.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_s390x; } else { nettle_sha1_compress_vec = _nettle_sha1_compress_c; } /* SHA256 */ if (features.have_kimd_sha_256) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated SHA256 compress code.\n"); _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_s390x; } else { _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } /* SHA512 */ if (features.have_kimd_sha_512) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated SHA512 compress code.\n"); _nettle_sha512_compress_vec = _nettle_sha512_compress_s390x; } else { _nettle_sha512_compress_vec = _nettle_sha512_compress_c; } } /* MEMXOR3 */ DEFINE_FAT_FUNC(nettle_memxor3, void *, (void *dst_in, const void *a_in, const void *b_in, size_t n), (dst_in, a_in, b_in, n)) /* AES128 */ DEFINE_FAT_FUNC(nettle_aes128_set_encrypt_key, void, (struct aes128_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes128_set_decrypt_key, void, (struct aes128_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes128_invert_key, void, (struct aes128_ctx *dst, const struct aes128_ctx *src), (dst, src)) DEFINE_FAT_FUNC(nettle_aes128_encrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes128_decrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) /* AES192 */ DEFINE_FAT_FUNC(nettle_aes192_set_encrypt_key, void, (struct aes192_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes192_set_decrypt_key, void, (struct aes192_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes192_invert_key, void, (struct aes192_ctx *dst, const struct aes192_ctx *src), (dst, src)) DEFINE_FAT_FUNC(nettle_aes192_encrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_decrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) /* AES256 */ DEFINE_FAT_FUNC(nettle_aes256_set_encrypt_key, void, (struct aes256_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes256_set_decrypt_key, void, (struct aes256_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes256_invert_key, void, (struct aes256_ctx *dst, const struct aes256_ctx *src), (dst, src)) DEFINE_FAT_FUNC(nettle_aes256_encrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_decrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) /* GHASH */ DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) /* SHA1 */ DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) /* SHA256 */ DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) /* SHA512 */ DEFINE_FAT_FUNC(_nettle_sha512_compress, void, (uint64_t *state, const uint8_t *input, const uint64_t *k), (state, input, k)) /* SHA3 */ DEFINE_FAT_FUNC(nettle_sha3_permute, void, (struct sha3_state *state), (state)) DEFINE_FAT_FUNC(_nettle_chacha_core, void, (uint32_t *dst, const uint32_t *src, unsigned rounds), (dst, src, rounds)) DEFINE_FAT_FUNC(nettle_chacha_crypt, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) nettle-4.0/fat-setup.h0000644000000000000000000002141615141166424011667 0ustar00/* fat-setup.h Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Fat library initialization works as follows. The main function is fat_init. We try to do initialization only once, but since it is idempotent, there's no harm if it is in some cases called multiple times from several threads. For correctness, we rely on atomic writes, but not on memory barriers or any other synchronization mechanism. The fat_init function checks the cpuid flags, and sets function pointers, e.g, _nettle_aes_encrypt_vec, to point to the appropriate implementation. To get everything hooked in, we use a belt-and-suspenders approach. We try to register fat_init as a constructor function to be called at load time. If this is unavailable or non-working, we instead arrange fat_init to be called lazily. For the actual indirection, there are two cases. * If ifunc support is available, function pointers are statically initialized to NULL, and we register resolver functions, e.g., _nettle_aes_encrypt_resolve, which call fat_init, and then return the function pointer, e.g., the value of _nettle_aes_encrypt_vec. * If ifunc is not available, we have to define a wrapper function to jump via the function pointer. (FIXME: For internal calls, we could do this as a macro). We statically initialize each function pointer to point to a special initialization function, e.g., _nettle_aes_encrypt_init, which calls fat_init, and then invokes the right function. This way, all pointers are setup correctly at the first call to any fat function. And atomic writes are required for correctness in the case that several threads do "first call to any fat function" at the same time. */ #if HAVE_GCC_ATTRIBUTE # define CONSTRUCTOR __attribute__ ((constructor)) #else # define CONSTRUCTOR # if defined (__sun) # pragma init(fat_init) # endif #endif /* Disable use of ifunc for now. Problem is, there's no guarantee that one can call any libc functions from the ifunc resolver. On x86 and x86_64, the corresponding IRELATIVE relocs are supposed to be processed last, but that doesn't seem to happen, and its a platform-specific feature. To trigger problems, simply try dlopen ("libnettle.so", RTLD_NOW), which crashes in an uninitialized plt entry. */ #undef HAVE_LINK_IFUNC #if !HAVE_SECURE_GETENV #define secure_getenv(s) NULL #endif #define ENV_VERBOSE "NETTLE_FAT_VERBOSE" #define ENV_OVERRIDE "NETTLE_FAT_OVERRIDE" struct chacha_ctx; struct salsa20_ctx; /* DECLARE_FAT_FUNC(name, ftype) * * name is the public function, e.g., _nettle_aes_encrypt. * ftype is its type, e.g., aes_crypt_internal_func. * * DECLARE_FAT_VAR(name, type, var) * * name is name without _nettle prefix. * type is its type. * var is the variant, used as a suffix on the symbol name. * * DEFINE_FAT_FUNC(name, rtype, prototype, args) * * name is the public function. * rtype its return type. * prototype is the list of formal arguments, with types. * args contain the argument list without any types. */ #if HAVE_LINK_IFUNC #define IFUNC(resolve) __attribute__ ((ifunc (resolve))) #define DECLARE_FAT_FUNC(name, ftype) \ ftype name IFUNC(#name"_resolve"); \ static ftype *name##_vec = NULL; #define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ static void_func * name##_resolve(void) \ { \ if (getenv (ENV_VERBOSE)) \ fprintf (stderr, "libnettle: "#name"_resolve\n"); \ if (!name##_vec) \ fat_init(); \ return (void_func *) name##_vec; \ } #else /* !HAVE_LINK_IFUNC */ #define DECLARE_FAT_FUNC(name, ftype) \ ftype name; \ static ftype name##_init; \ static ftype *name##_vec = name##_init; #define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ rtype name prototype \ { \ return name##_vec args; \ } \ static rtype name##_init prototype { \ if (getenv (ENV_VERBOSE)) \ fprintf (stderr, "libnettle: "#name"_init\n"); \ if (name##_vec == name##_init) \ fat_init(); \ assert (name##_vec != name##_init); \ return name##_vec args; \ } #endif /* !HAVE_LINK_IFUNC */ #define DECLARE_FAT_FUNC_VAR(name, type, var) \ type _nettle_##name##_##var; typedef void void_func (void); struct aes_table; typedef void aes_crypt_internal_func (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); typedef void aes_invert_internal_func (unsigned rounds, uint32_t *dst, const uint32_t *src); struct gcm_key; typedef void ghash_set_key_func (struct gcm_key *ctx, const union nettle_block16 *key); typedef const uint8_t * ghash_update_func (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); typedef size_t gcm_aes_crypt_func (struct gcm_key *key, unsigned rounds, size_t len, uint8_t *dst, const uint8_t *src); typedef void *(memxor_func)(void *dst, const void *src, size_t n); typedef void *(memxor3_func)(void *dst_in, const void *a_in, const void *b_in, size_t n); typedef void salsa20_core_func (uint32_t *dst, const uint32_t *src, unsigned rounds); typedef void salsa20_crypt_func (struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); typedef void sha1_compress_func(uint32_t *state, const uint8_t *input); typedef const uint8_t * sha256_compress_n_func(uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input); struct sha3_state; typedef void sha3_permute_func (struct sha3_state *state); typedef void sha512_compress_func (uint64_t *state, const uint8_t *input, const uint64_t *k); typedef uint64_t umac_nh_func (const uint32_t *key, unsigned length, const uint8_t *msg); typedef void umac_nh_n_func (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); typedef void chacha_core_func(uint32_t *dst, const uint32_t *src, unsigned rounds); typedef void chacha_crypt_func(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct poly1305_ctx; typedef void poly1305_set_key_func(struct poly1305_ctx *ctx, const uint8_t *key); typedef void poly1305_digest_func(struct poly1305_ctx *ctx, union nettle_block16 *s); typedef void poly1305_block_func(struct poly1305_ctx *ctx, const uint8_t *m, unsigned high); typedef const uint8_t * poly1305_blocks_func(struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m); struct aes128_ctx; typedef void aes128_set_key_func (struct aes128_ctx *ctx, const uint8_t *key); typedef void aes128_invert_key_func (struct aes128_ctx *dst, const struct aes128_ctx *src); typedef void aes128_crypt_func (const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes192_ctx; typedef void aes192_set_key_func (struct aes192_ctx *ctx, const uint8_t *key); typedef void aes192_invert_key_func (struct aes192_ctx *dst, const struct aes192_ctx *src); typedef void aes192_crypt_func (const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes256_ctx; typedef void aes256_set_key_func (struct aes256_ctx *ctx, const uint8_t *key); typedef void aes256_invert_key_func (struct aes256_ctx *dst, const struct aes256_ctx *src); typedef void aes256_crypt_func (const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); typedef void cbc_aes128_encrypt_func (const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); typedef void cbc_aes192_encrypt_func (const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); typedef void cbc_aes256_encrypt_func (const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); nettle-4.0/fat-x86_64.c0000644000000000000000000002627615141166424011471 0ustar00/* fat-x86_64.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-types.h" #include "aes-internal.h" #include "ghash-internal.h" #include "memxor.h" #include "fat-setup.h" void _nettle_cpuid (uint32_t input, uint32_t regs[4]); struct x86_features { enum x86_vendor { X86_OTHER, X86_INTEL, X86_AMD } vendor; int have_aesni; int have_sha_ni; int have_pclmul; }; #define SKIP(s, slen, literal, llen) \ (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ ? ((slen) -= (llen), (s) += (llen), 1) : 0) #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_x86_features (struct x86_features *features) { const char *s; features->vendor = X86_OTHER; features->have_aesni = 0; features->have_sha_ni = 0; features->have_pclmul = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (SKIP (s, length, "vendor:", 7)) { if (MATCH(s, length, "intel", 5)) features->vendor = X86_INTEL; else if (MATCH(s, length, "amd", 3)) features->vendor = X86_AMD; } else if (MATCH (s, length, "aesni", 5)) features->have_aesni = 1; else if (MATCH (s, length, "sha_ni", 6)) features->have_sha_ni = 1; else if (MATCH (s, length, "pclmul", 6)) features->have_pclmul = 1; if (!sep) break; s = sep + 1; } else { uint32_t cpuid_data[4]; _nettle_cpuid (0, cpuid_data); if (memcmp (cpuid_data + 1, "Genu" "ntel" "ineI", 12) == 0) features->vendor = X86_INTEL; else if (memcmp (cpuid_data + 1, "Auth" "cAMD" "enti", 12) == 0) features->vendor = X86_AMD; _nettle_cpuid (1, cpuid_data); if (cpuid_data[2] & 0x2) features->have_pclmul = 1; if (cpuid_data[2] & 0x02000000) features->have_aesni = 1; _nettle_cpuid (7, cpuid_data); if (cpuid_data[1] & 0x20000000) features->have_sha_ni = 1; } } DECLARE_FAT_FUNC(nettle_aes128_encrypt, aes128_crypt_func) DECLARE_FAT_FUNC(nettle_aes128_decrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, aesni) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, aesni) DECLARE_FAT_FUNC(nettle_aes192_encrypt, aes192_crypt_func) DECLARE_FAT_FUNC(nettle_aes192_decrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, aesni) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, aesni) DECLARE_FAT_FUNC(nettle_aes256_encrypt, aes256_crypt_func) DECLARE_FAT_FUNC(nettle_aes256_decrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, aesni) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, aesni) DECLARE_FAT_FUNC(nettle_cbc_aes128_encrypt, cbc_aes128_encrypt_func) DECLARE_FAT_FUNC_VAR(cbc_aes128_encrypt, cbc_aes128_encrypt_func, c) DECLARE_FAT_FUNC_VAR(cbc_aes128_encrypt, cbc_aes128_encrypt_func, aesni) DECLARE_FAT_FUNC(nettle_cbc_aes192_encrypt, cbc_aes192_encrypt_func) DECLARE_FAT_FUNC_VAR(cbc_aes192_encrypt, cbc_aes192_encrypt_func, c) DECLARE_FAT_FUNC_VAR(cbc_aes192_encrypt, cbc_aes192_encrypt_func, aesni) DECLARE_FAT_FUNC(nettle_cbc_aes256_encrypt, cbc_aes256_encrypt_func) DECLARE_FAT_FUNC_VAR(cbc_aes256_encrypt, cbc_aes256_encrypt_func, c) DECLARE_FAT_FUNC_VAR(cbc_aes256_encrypt, cbc_aes256_encrypt_func, aesni) DECLARE_FAT_FUNC(nettle_memxor, memxor_func) DECLARE_FAT_FUNC_VAR(memxor, memxor_func, x86_64) DECLARE_FAT_FUNC_VAR(memxor, memxor_func, sse2) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, x86_64) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, sha_ni) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, x86_64) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, sha_ni) DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, pclmul) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, table) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, pclmul) /* This function should usually be called only once, at startup. But it is idempotent, and on x86, pointer updates are atomic, so there's no danger if it is called simultaneously from multiple threads. */ static void CONSTRUCTOR fat_init (void) { struct x86_features features; int verbose; /* FIXME: Replace all getenv calls by getenv_secure? */ verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: fat library initialization.\n"); get_x86_features (&features); if (verbose) { const char * const vendor_names[3] = { "other", "intel", "amd" }; fprintf (stderr, "libnettle: cpu features: vendor:%s%s%s%s\n", vendor_names[features.vendor], features.have_aesni ? ",aesni" : "", features.have_sha_ni ? ",sha_ni" : "", features.have_pclmul ? ",pclmul" : ""); } if (features.have_aesni) { if (verbose) fprintf (stderr, "libnettle: using aes instructions.\n"); nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_aesni; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_aesni; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_aesni; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_aesni; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_aesni; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_aesni; nettle_cbc_aes128_encrypt_vec = _nettle_cbc_aes128_encrypt_aesni; nettle_cbc_aes192_encrypt_vec = _nettle_cbc_aes192_encrypt_aesni; nettle_cbc_aes256_encrypt_vec = _nettle_cbc_aes256_encrypt_aesni; } else { if (verbose) fprintf (stderr, "libnettle: not using aes instructions.\n"); nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_c; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_c; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_c; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_c; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_c; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_c; nettle_cbc_aes128_encrypt_vec = _nettle_cbc_aes128_encrypt_c; nettle_cbc_aes192_encrypt_vec = _nettle_cbc_aes192_encrypt_c; nettle_cbc_aes256_encrypt_vec = _nettle_cbc_aes256_encrypt_c; } if (features.have_sha_ni) { if (verbose) fprintf (stderr, "libnettle: using sha_ni instructions.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_sha_ni; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_sha_ni; } else { if (verbose) fprintf (stderr, "libnettle: not using sha_ni instructions.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_x86_64; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_x86_64; } if (features.have_pclmul) { if (verbose) fprintf (stderr, "libnettle: using pclmulqdq instructions.\n"); _nettle_ghash_set_key_vec = _nettle_ghash_set_key_pclmul; _nettle_ghash_update_vec = _nettle_ghash_update_pclmul; } else { if (verbose) fprintf (stderr, "libnettle: not using pclmulqdq instructions.\n"); _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_table; } if (features.vendor == X86_INTEL) { if (verbose) fprintf (stderr, "libnettle: intel SSE2 will be used for memxor.\n"); nettle_memxor_vec = _nettle_memxor_sse2; } else { if (verbose) fprintf (stderr, "libnettle: intel SSE2 will not be used for memxor.\n"); nettle_memxor_vec = _nettle_memxor_x86_64; } } DEFINE_FAT_FUNC(nettle_aes128_encrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes128_decrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_encrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_decrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_encrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_decrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_cbc_aes128_encrypt, void, (const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src), (ctx, iv, length, dst, src)) DEFINE_FAT_FUNC(nettle_cbc_aes192_encrypt, void, (const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src), (ctx, iv, length, dst, src)) DEFINE_FAT_FUNC(nettle_cbc_aes256_encrypt, void, (const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src), (ctx, iv, length, dst, src)) DEFINE_FAT_FUNC(nettle_memxor, void *, (void *dst, const void *src, size_t n), (dst, src, n)) DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) nettle-4.0/gcm-aes128-meta.c0000644000000000000000000000342615141166423012445 0ustar00/* gcm-aes128-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes128_set_nonce_wrapper; static void gcm_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes128_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes128 = { "gcm_aes128", sizeof(struct gcm_aes128_ctx), GCM_BLOCK_SIZE, AES128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes128_set_key, (nettle_set_key_func *) gcm_aes128_set_key, gcm_aes128_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes128_update, (nettle_crypt_func *) gcm_aes128_encrypt, (nettle_crypt_func *) gcm_aes128_decrypt, (nettle_hash_digest_func *) gcm_aes128_digest, }; nettle-4.0/gcm-aes128.c0000644000000000000000000000452715141166423011524 0ustar00/* gcm-aes128.c Galois counter mode using AES128 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" #include "gcm-internal.h" void gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_encrypt ((struct gcm_key *)ctx, _AES128_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_ENCRYPT(ctx, aes128_encrypt, length, dst, src); } void gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_decrypt ((struct gcm_key *)ctx, _AES128_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_DECRYPT(ctx, aes128_encrypt, length, dst, src); } void gcm_aes128_digest(struct gcm_aes128_ctx *ctx, uint8_t *digest) { GCM_DIGEST(ctx, aes128_encrypt, digest); } nettle-4.0/gcm-aes192-meta.c0000644000000000000000000000342615141166423012446 0ustar00/* gcm-aes192-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes192_set_nonce_wrapper; static void gcm_aes192_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes192_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes192 = { "gcm_aes192", sizeof(struct gcm_aes192_ctx), GCM_BLOCK_SIZE, AES192_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes192_set_key, (nettle_set_key_func *) gcm_aes192_set_key, gcm_aes192_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes192_update, (nettle_crypt_func *) gcm_aes192_encrypt, (nettle_crypt_func *) gcm_aes192_decrypt, (nettle_hash_digest_func *) gcm_aes192_digest, }; nettle-4.0/gcm-aes192.c0000644000000000000000000000452715141166423011525 0ustar00/* gcm-aes192.c Galois counter mode using AES192 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" #include "gcm-internal.h" void gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes192_set_encrypt_key, aes192_encrypt, key); } void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_encrypt ((struct gcm_key *)ctx, _AES192_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_ENCRYPT(ctx, aes192_encrypt, length, dst, src); } void gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_decrypt ((struct gcm_key *)ctx, _AES192_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_DECRYPT(ctx, aes192_encrypt, length, dst, src); } void gcm_aes192_digest(struct gcm_aes192_ctx *ctx, uint8_t *digest) { GCM_DIGEST(ctx, aes192_encrypt, digest); } nettle-4.0/gcm-aes256-meta.c0000644000000000000000000000342615141166423012447 0ustar00/* gcm-aes256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes256_set_nonce_wrapper; static void gcm_aes256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes256_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes256 = { "gcm_aes256", sizeof(struct gcm_aes256_ctx), GCM_BLOCK_SIZE, AES256_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes256_set_key, (nettle_set_key_func *) gcm_aes256_set_key, gcm_aes256_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes256_update, (nettle_crypt_func *) gcm_aes256_encrypt, (nettle_crypt_func *) gcm_aes256_decrypt, (nettle_hash_digest_func *) gcm_aes256_digest, }; nettle-4.0/gcm-aes256.c0000644000000000000000000000452415141166423011523 0ustar00/* gcm-aes256.c Galois counter mode using AES256 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" #include "gcm-internal.h" void gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key); } void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_encrypt ((struct gcm_key *)ctx, _AES256_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_ENCRYPT(ctx, aes256_encrypt, length, dst, src); } void gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_decrypt ((struct gcm_key *)ctx, _AES256_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_DECRYPT(ctx, aes256_encrypt, length, dst, src); } void gcm_aes256_digest(struct gcm_aes256_ctx *ctx, uint8_t *digest) { GCM_DIGEST(ctx, aes256_encrypt, digest); } nettle-4.0/gcm-camellia128-meta.c0000644000000000000000000000354115141166423013442 0ustar00/* gcm-camellia128-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_camellia128_set_nonce_wrapper; static void gcm_camellia128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_camellia128_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_camellia128 = { "gcm_camellia128", sizeof(struct gcm_camellia128_ctx), GCM_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_camellia128_set_key, (nettle_set_key_func *) gcm_camellia128_set_key, gcm_camellia128_set_nonce_wrapper, (nettle_hash_update_func *) gcm_camellia128_update, (nettle_crypt_func *) gcm_camellia128_encrypt, (nettle_crypt_func *) gcm_camellia128_decrypt, (nettle_hash_digest_func *) gcm_camellia128_digest, }; nettle-4.0/gcm-camellia128.c0000644000000000000000000000377115141166423012523 0ustar00/* gcm-camellia128.c Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, camellia128_set_encrypt_key, camellia128_crypt, key); } void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, camellia128_crypt, length, dst, src); } void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, camellia128_crypt, length, dst, src); } void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, uint8_t *digest) { GCM_DIGEST(ctx, camellia128_crypt, digest); } nettle-4.0/gcm-camellia256-meta.c0000644000000000000000000000354115141166423013444 0ustar00/* gcm-camellia256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_camellia256_set_nonce_wrapper; static void gcm_camellia256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_camellia256_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_camellia256 = { "gcm_camellia256", sizeof(struct gcm_camellia256_ctx), GCM_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_camellia256_set_key, (nettle_set_key_func *) gcm_camellia256_set_key, gcm_camellia256_set_nonce_wrapper, (nettle_hash_update_func *) gcm_camellia256_update, (nettle_crypt_func *) gcm_camellia256_encrypt, (nettle_crypt_func *) gcm_camellia256_decrypt, (nettle_hash_digest_func *) gcm_camellia256_digest, }; nettle-4.0/gcm-camellia256.c0000644000000000000000000000377115141166423012525 0ustar00/* gcm-camellia256.c Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, camellia256_set_encrypt_key, camellia256_crypt, key); } void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, camellia256_crypt, length, dst, src); } void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, camellia256_crypt, length, dst, src); } void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, uint8_t *digest) { GCM_DIGEST(ctx, camellia256_crypt, digest); } nettle-4.0/gcm-internal.h0000644000000000000000000000365215141166424012341 0ustar00/* gcm-internal.h Copyright (C) 2024 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GCM_INTERNAL_H_INCLUDED #define NETTLE_GCM_INTERNAL_H_INCLUDED #include "gcm.h" #if HAVE_NATIVE_gcm_aes_encrypt /* Name mangling */ #define _gcm_aes_encrypt _nettle_gcm_aes_encrypt #define _gcm_aes_decrypt _nettle_gcm_aes_decrypt /* To reduce the number of arguments (e.g., maximum of 6 register arguments on x86_64), pass a pointer to gcm_key, which really is a pointer to the first member of the appropriate gcm_aes*_ctx struct. */ size_t _gcm_aes_encrypt (struct gcm_key *key, unsigned rounds, size_t size, uint8_t *dst, const uint8_t *src); size_t _gcm_aes_decrypt (struct gcm_key *CTX, unsigned rounds, size_t size, uint8_t *dst, const uint8_t *src); #else /* !HAVE_NATIVE_gcm_aes_encrypt */ #define _gcm_aes_encrypt(key, rounds, size, dst, src) 0 #define _gcm_aes_decrypt(key, rounds, size, dst, src) 0 #endif /* !HAVE_NATIVE_gcm_aes_encrypt */ #endif /* NETTLE_GCM_INTERNAL_H_INCLUDED */ nettle-4.0/gcm-sm4-meta.c0000644000000000000000000000341315141166423012141 0ustar00/* gcm-sm4-meta.c Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_sm4_set_nonce_wrapper; static void gcm_sm4_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_sm4_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_sm4 = { "gcm_sm4", sizeof(struct gcm_sm4_ctx), GCM_BLOCK_SIZE, SM4_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_sm4_set_key, (nettle_set_key_func *) gcm_sm4_set_key, gcm_sm4_set_nonce_wrapper, (nettle_hash_update_func *) gcm_sm4_update, (nettle_crypt_func *) gcm_sm4_encrypt, (nettle_crypt_func *) gcm_sm4_decrypt, (nettle_hash_digest_func *) gcm_sm4_digest, }; nettle-4.0/gcm-sm4.c0000644000000000000000000000370615141166423011222 0ustar00/* gcm-sm4.c Galois counter mode using SM4 as the underlying cipher. Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_sm4_set_key(struct gcm_sm4_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, sm4_set_encrypt_key, sm4_crypt, key); } void gcm_sm4_set_iv(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_sm4_update(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_sm4_encrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, sm4_crypt, length, dst, src); } void gcm_sm4_decrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, sm4_crypt, length, dst, src); } void gcm_sm4_digest(struct gcm_sm4_ctx *ctx, uint8_t *digest) { GCM_DIGEST(ctx, sm4_crypt, digest); } nettle-4.0/gcm.c0000644000000000000000000001431215141166423010514 0ustar00/* gcm.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc. Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "gcm.h" #include "ghash-internal.h" #include "memxor.h" #include "nettle-internal.h" #include "macros.h" #include "ctr-internal.h" #include "block-internal.h" #include "bswap-internal.h" /* Initialization of GCM. * @ctx: The context of GCM * @cipher: The context of the underlying block cipher * @f: The underlying cipher encryption function */ void gcm_set_key(struct gcm_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; union nettle_block16 key_block; f (cipher, GCM_BLOCK_SIZE, key_block.b, zero_block.b); _ghash_set_key (key, &key_block); } /* Call _ghash_update, with zero padding of any partial final block. */ static void gcm_hash (const struct gcm_key *key, union nettle_block16 *x, size_t length, const uint8_t *data) { data = _ghash_update (key, x, length / GCM_BLOCK_SIZE, data); length &= (GCM_BLOCK_SIZE - 1); if (length > 0) { union nettle_block16 block; block16_zero (&block); memcpy (block.b, data, length); _ghash_update (key, x, 1, block.b); } } static void gcm_hash_sizes(const struct gcm_key *key, union nettle_block16 *x, uint64_t auth_size, uint64_t data_size) { union nettle_block16 buffer; data_size *= 8; auth_size *= 8; buffer.u64[0] = bswap64_if_le (auth_size); buffer.u64[1] = bswap64_if_le (data_size); _ghash_update (key, x, 1, buffer.b); } /* NOTE: The key is needed only if length != GCM_IV_SIZE */ void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv) { if (length == GCM_IV_SIZE) { memcpy (ctx->iv.b, iv, GCM_BLOCK_SIZE - 4); ctx->iv.b[GCM_BLOCK_SIZE - 4] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 3] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 2] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 1] = 1; } else { block16_zero(&ctx->iv); gcm_hash(key, &ctx->iv, length, iv); gcm_hash_sizes(key, &ctx->iv, 0, length); } ctx->ctr = ctx->iv; /* Increment the rightmost 32 bits. */ INCREMENT (4, ctx->ctr.b + GCM_BLOCK_SIZE - 4); /* Reset the rest of the message-dependent state. */ block16_zero(&ctx->x); ctx->auth_size = ctx->data_size = 0; } void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data) { assert(ctx->auth_size % GCM_BLOCK_SIZE == 0); assert(ctx->data_size == 0); gcm_hash(key, &ctx->x, length, data); ctx->auth_size += length; } static nettle_fill16_func gcm_fill; #if WORDS_BIGENDIAN static void gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, mid; uint32_t lo; size_t i; hi = READ_UINT64(ctr); mid = (uint64_t) READ_UINT32(ctr + 8) << 32; lo = READ_UINT32(ctr + 12); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = mid + lo++; } WRITE_UINT32(ctr + 12, lo); } #elif HAVE_BUILTIN_BSWAP64 /* Assume __builtin_bswap32 is also available */ static void gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, mid; uint32_t lo; size_t i; hi = LE_READ_UINT64(ctr); mid = LE_READ_UINT32(ctr + 8); lo = READ_UINT32(ctr + 12); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = mid + ((uint64_t)__builtin_bswap32(lo) << 32); lo++; } WRITE_UINT32(ctr + 12, lo); } #else static void gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint32_t c; c = READ_UINT32(ctr + GCM_BLOCK_SIZE - 4); for (; blocks-- > 0; buffer++, c++) { memcpy(buffer->b, ctr, GCM_BLOCK_SIZE - 4); WRITE_UINT32(buffer->b + GCM_BLOCK_SIZE - 4, c); } WRITE_UINT32(ctr + GCM_BLOCK_SIZE - 4, c); } #endif void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); _nettle_ctr_crypt16(cipher, f, gcm_fill, ctx->ctr.b, length, dst, src); gcm_hash(key, &ctx->x, length, dst); ctx->data_size += length; } void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); gcm_hash(key, &ctx->x, length, src); _nettle_ctr_crypt16(cipher, f, gcm_fill, ctx->ctr.b, length, dst, src); ctx->data_size += length; } void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest) { /* FIXME: Reuse digest area? */ union nettle_block16 buffer; gcm_hash_sizes(key, &ctx->x, ctx->auth_size, ctx->data_size); f (cipher, GCM_BLOCK_SIZE, buffer.b, ctx->iv.b); block16_xor (&buffer, &ctx->x); memcpy (digest, buffer.b, GCM_DIGEST_SIZE); return; } nettle-4.0/gcm.h0000644000000000000000000002461515141166424010531 0ustar00/* gcm.h Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2014 Niels Möller Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GCM_H_INCLUDED #define NETTLE_GCM_H_INCLUDED #include "aes.h" #include "camellia.h" #include "sm4.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define gcm_set_key nettle_gcm_set_key #define gcm_set_iv nettle_gcm_set_iv #define gcm_update nettle_gcm_update #define gcm_encrypt nettle_gcm_encrypt #define gcm_decrypt nettle_gcm_decrypt #define gcm_digest nettle_gcm_digest #define gcm_aes128_set_key nettle_gcm_aes128_set_key #define gcm_aes128_set_iv nettle_gcm_aes128_set_iv #define gcm_aes128_update nettle_gcm_aes128_update #define gcm_aes128_encrypt nettle_gcm_aes128_encrypt #define gcm_aes128_decrypt nettle_gcm_aes128_decrypt #define gcm_aes128_digest nettle_gcm_aes128_digest #define gcm_aes192_set_key nettle_gcm_aes192_set_key #define gcm_aes192_set_iv nettle_gcm_aes192_set_iv #define gcm_aes192_update nettle_gcm_aes192_update #define gcm_aes192_encrypt nettle_gcm_aes192_encrypt #define gcm_aes192_decrypt nettle_gcm_aes192_decrypt #define gcm_aes192_digest nettle_gcm_aes192_digest #define gcm_aes256_set_key nettle_gcm_aes256_set_key #define gcm_aes256_set_iv nettle_gcm_aes256_set_iv #define gcm_aes256_update nettle_gcm_aes256_update #define gcm_aes256_encrypt nettle_gcm_aes256_encrypt #define gcm_aes256_decrypt nettle_gcm_aes256_decrypt #define gcm_aes256_digest nettle_gcm_aes256_digest #define gcm_aes_set_key nettle_gcm_aes_set_key #define gcm_aes_set_iv nettle_gcm_aes_set_iv #define gcm_aes_update nettle_gcm_aes_update #define gcm_aes_encrypt nettle_gcm_aes_encrypt #define gcm_aes_decrypt nettle_gcm_aes_decrypt #define gcm_aes_digest nettle_gcm_aes_digest #define gcm_camellia128_set_key nettle_gcm_camellia128_set_key #define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv #define gcm_camellia128_update nettle_gcm_camellia128_update #define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt #define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt #define gcm_camellia128_digest nettle_gcm_camellia128_digest #define gcm_camellia256_set_key nettle_gcm_camellia256_set_key #define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv #define gcm_camellia256_update nettle_gcm_camellia256_update #define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt #define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt #define gcm_camellia256_digest nettle_gcm_camellia256_digest #define gcm_sm4_set_key nettle_gcm_sm4_set_key #define gcm_sm4_set_iv nettle_gcm_sm4_set_iv #define gcm_sm4_update nettle_gcm_sm4_update #define gcm_sm4_encrypt nettle_gcm_sm4_encrypt #define gcm_sm4_decrypt nettle_gcm_sm4_decrypt #define gcm_sm4_digest nettle_gcm_sm4_digest #define GCM_BLOCK_SIZE 16 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4) #define GCM_DIGEST_SIZE 16 /* Hashing subkey */ struct gcm_key { union nettle_block16 h[0x80]; }; /* Per-message state, depending on the iv */ struct gcm_ctx { /* Original counter block */ union nettle_block16 iv; /* Updated for each block. */ union nettle_block16 ctr; /* Hashing state */ union nettle_block16 x; uint64_t auth_size; uint64_t data_size; }; void gcm_set_key(struct gcm_key *key, const void *cipher, nettle_cipher_func *f); void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv); void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data); void gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest); /* Convenience macrology (not sure how useful it is) */ /* All-in-one context, with hash subkey, message state, and cipher. */ #define GCM_CTX(type) \ { struct gcm_key key; struct gcm_ctx gcm; type cipher; } /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key) \ do { \ (set_key)(&(ctx)->cipher, (gcm_key)); \ if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ gcm_set_key(&(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt)); \ } while (0) #define GCM_SET_IV(ctx, length, data) \ gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data)) #define GCM_UPDATE(ctx, length, data) \ gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data)) #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DECRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_decrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DIGEST(ctx, encrypt, digest) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (digest))) struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); void gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key); /* FIXME: Define _update and _set_iv as some kind of aliaes, there's nothing aes-specific. */ void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes128_digest(struct gcm_aes128_ctx *ctx, uint8_t *digest); struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx); void gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key); void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes192_digest(struct gcm_aes192_ctx *ctx, uint8_t *digest); struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx); void gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key); void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes256_digest(struct gcm_aes256_ctx *ctx, uint8_t *digest); struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx); void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, const uint8_t *key); void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv); void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data); void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, uint8_t *digest); struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx); void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, const uint8_t *key); void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv); void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data); void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, uint8_t *digest); struct gcm_sm4_ctx GCM_CTX(struct sm4_ctx); void gcm_sm4_set_key(struct gcm_sm4_ctx *ctx, const uint8_t *key); void gcm_sm4_set_iv(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *iv); void gcm_sm4_update(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *data); void gcm_sm4_encrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_sm4_decrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_sm4_digest(struct gcm_sm4_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_GCM_H_INCLUDED */ nettle-4.0/getopt.c0000644000000000000000000000267115141166424011256 0ustar00/* Wrapper for gnulib getopt.c Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Must include some C library header file for definition of __GLIBC__ */ #include #define GETOPT_INTERFACE_VERSION 2 #if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2 # include # if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION # define ELIDE_CODE # endif #endif #ifndef ELIDE_CODE # define _(msg) msg # define _GL_UNUSED UNUSED # include "lib/getopt.c" #endif /* !ELIDE_CODE */ nettle-4.0/getopt.h0000644000000000000000000000304415141166424011256 0ustar00/* Wrapper for gnulib getopt headers Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GETOPT_H #define NETTLE_GETOPT_H #ifndef __BEGIN_DECLS # ifdef __cplusplus # define __BEGIN_DECLS extern "C" { # else # define __BEGIN_DECLS /* nothing */ # endif #endif #ifndef __END_DECLS # ifdef __cplusplus # define __END_DECLS } # else # define __END_DECLS /* nothing */ # endif #endif #ifndef __THROW # define __THROW #endif #ifndef __getopt_argv_const # define __getopt_argv_const #endif #define _GL_ARG_NONNULL(x) #include "lib/getopt-core.h" #include "lib/getopt-ext.h" #endif /* NETTLE_GETOPT_H */ nettle-4.0/getopt1.c0000644000000000000000000000261415141166424011334 0ustar00/* Wrapper for gnulib getopt1.c Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Must include some C library header file for definition of __GLIBC__ */ #include #define GETOPT_INTERFACE_VERSION 2 #if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2 # include # if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION # define ELIDE_CODE # endif #endif #ifndef ELIDE_CODE # include "lib/getopt1.c" #endif /* !ELIDE_CODE */ nettle-4.0/ghash-internal.h0000644000000000000000000000472215141166424012664 0ustar00/* ghash-internal.h Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GHASH_INTERNAL_H_INCLUDED #define NETTLE_GHASH_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "gcm.h" /* Name mangling */ #define _ghash_set_key _nettle_ghash_set_key #define _ghash_update _nettle_ghash_update #define _siv_ghash_set_key _nettle_siv_ghash_set_key #define _siv_ghash_update _nettle_siv_ghash_update #ifdef __cplusplus extern "C" { #endif /* The CTX a struct gcm_key (even if struct ghash_key might be a more * appropriate name). An array of blocks, exact contents depends on * the implementation. STATE is only a single block. */ /* Expands KEY as needed, for corresponding _ghash_update */ void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key); /* Updates STATE by hashing DATA, which must be an integral number of blocks. For convenience, returns a pointer to the end of the data. */ const uint8_t * _ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); /* Expands KEY as needed, for corresponding _siv_ghash_update */ void _siv_ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key); /* Updates STATE by hashing DATA, which must be an integral number of blocks. For convenience, returns a pointer to the end of the data. */ const uint8_t * _siv_ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_GHASH_INTERNAL_H_INCLUDED */ nettle-4.0/ghash-set-key.c0000644000000000000000000000571415141166423012425 0ustar00/* ghash-set-key.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" /* For fat builds */ #if HAVE_NATIVE_ghash_set_key void _nettle_ghash_set_key_c (struct gcm_key *ctx, const union nettle_block16 *key); #define _nettle_ghash_set_key _nettle_ghash_set_key_c #endif /* Implements a lookup table for processors without carryless-mul instruction. */ void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) { /* Table elements hold the key, premultiplied by all needed powers of x. Element ordering follows the order bits are processed in _ghash_update, alternating u64[0] and u64[1] bits, starting from the least significant end. In the gcm bit order, bits (left to right) correspond to x powers (the numbers) like |0...7|8...15|...|56...63|64...71|72...79|...|120...127| where | indicates the byte boundaries. On little endian, these bits are in u64 like u64[0]: | 56...63 48...55 40...47 32...39 24...31 16...23 8...15 0...7| u64[1]: |120...127 112...129 104...111 96...103 88...95 80...87 72...79 64...71| With big-endian, we instead get u64[0]: |0...63| u64[1]: |64...127| */ #if WORDS_BIGENDIAN # define INDEX_PERMUTE 63 #else # define INDEX_PERMUTE 7 #endif unsigned i; block16_set (&ctx->h[2*INDEX_PERMUTE], key); for (i = 1; i < 64; i++) block16_mulx_ghash(&ctx->h[2*(i ^ INDEX_PERMUTE)], &ctx->h[2*((i-1) ^ INDEX_PERMUTE)]); block16_mulx_ghash(&ctx->h[2*INDEX_PERMUTE + 1], &ctx->h[2*(63^INDEX_PERMUTE)]); for (i = 1; i < 64; i++) block16_mulx_ghash(&ctx->h[2*(i ^ INDEX_PERMUTE)+1], &ctx->h[2*((i-1) ^ INDEX_PERMUTE)+1]); } nettle-4.0/ghash-update.c0000644000000000000000000000463315141166423012325 0ustar00/* ghash-update.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" /* For fat builds */ #if HAVE_NATIVE_ghash_update const uint8_t * _nettle_ghash_update_c (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); #define _nettle_ghash_update _nettle_ghash_update_c #endif static void gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) { uint64_t x0 = x->u64[0]; uint64_t x1 = x->u64[1]; uint64_t r0 = 0; uint64_t r1 = 0; unsigned i; for (i = 0; i < 64; i++, x0 >>= 1, x1 >>= 1) { uint64_t m0 = -(x0 & 1); uint64_t m1 = -(x1 & 1); r0 ^= m0 & table[2*i].u64[0]; r1 ^= m0 & table[2*i].u64[1]; r0 ^= m1 & table[2*i+1].u64[0]; r1 ^= m1 & table[2*i+1].u64[1]; } x->u64[0] = r0; x->u64[1] = r1; } const uint8_t * _ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data) { for (; blocks-- > 0; data += GCM_BLOCK_SIZE) { memxor (state->b, data, GCM_BLOCK_SIZE); gcm_gf_mul (state, ctx->h); } return data; } nettle-4.0/gmp-glue.c0000644000000000000000000001415015141166424011464 0ustar00/* gmp-glue.c Copyright (C) 2013 Niels Möller Copyright (C) 2013 Red Hat This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gmp-glue.h" #if NETTLE_USE_MINI_GMP mp_limb_t mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n) { mp_limb_t cy, mask; mp_size_t i; mask = -(mp_limb_t) (cnd != 0); for (i = 0, cy = 0; i < n; i++) { mp_limb_t rl = ap[i] + cy; mp_limb_t bl = bp[i] & mask; cy = (rl < cy); rl += bl; cy += (rl < bl); rp[i] = rl; } return cy; } mp_limb_t mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n) { mp_limb_t cy, mask; mp_size_t i; mask = -(mp_limb_t) (cnd != 0); for (i = 0, cy = 0; i < n; i++) { mp_limb_t al = ap[i]; mp_limb_t bl = bp[i] & mask; mp_limb_t sl; sl = al - cy; cy = (al < cy) + (sl < bl); sl -= bl; rp[i] = sl; } return cy; } void mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n) { volatile mp_limb_t mask = - (mp_limb_t) (cnd != 0); mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t a, b, t; a = ap[i]; b = bp[i]; t = (a ^ b) & mask; ap[i] = a ^ t; bp[i] = b ^ t; } } /* Copy the k'th element of the table out tn elements, each of size rn. Always read complete table. Similar to gmp's mpn_tabselect. */ void mpn_sec_tabselect (volatile mp_limb_t *rp, volatile const mp_limb_t *table, mp_size_t rn, unsigned tn, unsigned k) { volatile const mp_limb_t *end = table + tn * rn; volatile const mp_limb_t *p; mp_size_t i; assert (k < tn); for (p = table; p < end; p += rn, k--) { mp_limb_t mask = - (mp_limb_t) (k == 0); for (i = 0; i < rn; i++) rp[i] = (~mask & rp[i]) | (mask & p[i]); } } #endif /* NETTLE_USE_MINI_GMP */ int sec_zero_p (const mp_limb_t *ap, mp_size_t n) { volatile mp_limb_t w; mp_size_t i; for (i = 0, w = 0; i < n; i++) w |= ap[i]; return is_zero_limb (w); } /* Additional convenience functions. */ void mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n) { mp_size_t xn = mpz_size (x); assert (xn <= n); mpn_copyi (xp, mpz_limbs_read (x), xn); if (xn < n) mpn_zero (xp + xn, n - xn); } void mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn) { mpn_copyi (mpz_limbs_write (r, xn), xp, xn); mpz_limbs_finish (r, xn); } void mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn) { size_t xi; mp_limb_t out; unsigned bits; for (xi = xn, out = bits = 0; xi > 0 && rn > 0; ) { mp_limb_t in = xp[--xi]; out |= (in << bits) & GMP_NUMB_MASK; bits += 8; if (bits >= GMP_NUMB_BITS) { *rp++ = out; rn--; bits -= GMP_NUMB_BITS; out = in >> (8 - bits); } } if (rn > 0) { *rp++ = out; if (--rn > 0) mpn_zero (rp, rn); } } void mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn) { size_t xi; mp_limb_t out; unsigned bits; for (xi = 0, out = bits = 0; xi < xn && rn > 0; ) { mp_limb_t in = xp[xi++]; out |= (in << bits) & GMP_NUMB_MASK; bits += 8; if (bits >= GMP_NUMB_BITS) { *rp++ = out; rn--; bits -= GMP_NUMB_BITS; out = in >> (8 - bits); } } if (rn > 0) { *rp++ = out; if (--rn > 0) mpn_zero (rp, rn); } } void mpn_get_base256 (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn) { unsigned bits; mp_limb_t in; for (bits = in = 0; xn > 0 && rn > 0; ) { if (bits >= 8) { rp[--rn] = in; in >>= 8; bits -= 8; } else { uint8_t old = in; in = *xp++; xn--; rp[--rn] = old | (in << bits); in >>= (8 - bits); bits += GMP_NUMB_BITS - 8; } } while (rn > 0) { rp[--rn] = in; in >>= 8; } } void mpn_get_base256_le (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn) { unsigned bits; mp_limb_t in; for (bits = in = 0; xn > 0 && rn > 0; ) { if (bits >= 8) { *rp++ = in; rn--; in >>= 8; bits -= 8; } else { uint8_t old = in; in = *xp++; xn--; *rp++ = old | (in << bits); rn--; in >>= (8 - bits); bits += GMP_NUMB_BITS - 8; } } while (rn > 0) { *rp++ = in; rn--; in >>= 8; } } mp_limb_t * gmp_alloc_limbs (mp_size_t n) { void *(*alloc_func)(size_t); assert (n > 0); mp_get_memory_functions (&alloc_func, NULL, NULL); return (mp_limb_t *) alloc_func ( (size_t) n * sizeof(mp_limb_t)); } void gmp_free_limbs (mp_limb_t *p, mp_size_t n) { void (*free_func)(void *, size_t); assert (n > 0); assert (p != 0); mp_get_memory_functions (NULL, NULL, &free_func); free_func (p, (size_t) n * sizeof(mp_limb_t)); } void * gmp_alloc(size_t n) { void *(*alloc_func)(size_t); assert (n > 0); mp_get_memory_functions(&alloc_func, NULL, NULL); return alloc_func (n); } void gmp_free(void *p, size_t n) { void (*free_func)(void *, size_t); assert (n > 0); assert (p != 0); mp_get_memory_functions (NULL, NULL, &free_func); free_func (p, (size_t) n); } nettle-4.0/gmp-glue.h0000644000000000000000000000745615141166424011504 0ustar00/* gmp-glue.h Copyright (C) 2013 Niels Möller Copyright (C) 2013 Red Hat This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GMP_GLUE_H_INCLUDED #define NETTLE_GMP_GLUE_H_INCLUDED #include "bignum.h" #define mpz_limbs_copy _nettle_mpz_limbs_copy #define mpz_set_n _nettle_mpz_set_n #define sec_zero_p _nettle_sec_zero_p #define mpn_set_base256 _nettle_mpn_set_base256 #define mpn_set_base256_le _nettle_mpn_set_base256_le #define mpn_get_base256 _nettle_mpn_get_base256 #define mpn_get_base256_le _nettle_mpn_get_base256_le #define gmp_alloc_limbs _nettle_gmp_alloc_limbs #define gmp_free_limbs _nettle_gmp_free_limbs #define gmp_free _nettle_gmp_free #define gmp_alloc _nettle_gmp_alloc #define TMP_GMP_DECL(name, type) type *name; \ size_t tmp_##name##_size #define TMP_GMP_ALLOC(name, size) do { \ tmp_##name##_size = (size); \ (name) = gmp_alloc(sizeof (*name) * (size)); \ } while (0) #define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size)) #if NETTLE_USE_MINI_GMP #define GMP_LIMB_BITS GMP_NUMB_BITS mp_limb_t mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n); mp_limb_t mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n); void mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n); void mpn_sec_tabselect (volatile mp_limb_t *rp, volatile const mp_limb_t *table, mp_size_t rn, unsigned tn, unsigned k); #endif static inline int is_zero_limb (mp_limb_t x) { x |= (x << 1); return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1); } /* Side-channel silent variant of mpn_zero_p. */ int sec_zero_p (const mp_limb_t *ap, mp_size_t n); #define NETTLE_BIT_SIZE_TO_LIMB_SIZE(n) \ (((n) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) #define NETTLE_OCTET_SIZE_TO_LIMB_SIZE(n) \ (NETTLE_BIT_SIZE_TO_LIMB_SIZE((n) * 8)) /* Convenience functions */ /* Copy limbs, with zero-padding. */ /* FIXME: Reorder arguments, on the theory that the first argument of an _mpz_* function should be an mpz_t? Or rename to _mpz_get_limbs, with argument order consistent with mpz_get_*. */ void mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n); void mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn); /* Like mpn_set_str, but always writes rn limbs. If input is larger, higher bits are ignored. */ void mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn); void mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn); void mpn_get_base256 (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn); void mpn_get_base256_le (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn); mp_limb_t * gmp_alloc_limbs (mp_size_t n); void gmp_free_limbs (mp_limb_t *p, mp_size_t n); void *gmp_alloc(size_t n); void gmp_free(void *p, size_t n); #endif /* NETTLE_GMP_GLUE_H_INCLUDED */ nettle-4.0/gost28147-internal.h0000644000000000000000000000311015141166424013142 0ustar00/* gost28147-internal.h The GOST 28147-89 cipher function, described in RFC 5831. Copyright (C) 2019 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GOST28147_INTERNAL_H_INCLUDED #define NETTLE_GOST28147_INTERNAL_H_INCLUDED #include extern const struct gost28147_param _nettle_gost28147_param_test_3411; extern const struct gost28147_param _nettle_gost28147_param_CryptoPro_3411; struct gost28147_param { uint32_t sbox[4][256]; }; void _nettle_gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], const uint32_t *in, uint32_t *out); #endif /* NETTLE_GOST28147_INTERNAL_H_INCLUDED */ nettle-4.0/gost28147.c0000644000000000000000000007501315141166423011335 0ustar00/* gost28147.c - GOST 28147-89 cipher implementation * * based on Russian standard GOST 28147-89 * For English description, check RFC 5830. * S-Boxes are expanded from the tables defined in RFC4357: * https://tools.ietf.org/html/rfc4357 * * Copyright: 2019 Dmitry Eremin-Solenikov * Copyright: 2009-2012 Aleksey Kravchenko * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "macros.h" #include "gost28147-internal.h" /* pre-initialized GOST lookup tables based on rotated S-Box */ const struct gost28147_param _nettle_gost28147_param_test_3411 = { { { /* 0 */ 0x00072000, 0x00075000, 0x00074800, 0x00071000, 0x00076800, 0x00074000, 0x00070000, 0x00077000, 0x00073000, 0x00075800, 0x00070800, 0x00076000, 0x00073800, 0x00077800, 0x00072800, 0x00071800, 0x0005a000, 0x0005d000, 0x0005c800, 0x00059000, 0x0005e800, 0x0005c000, 0x00058000, 0x0005f000, 0x0005b000, 0x0005d800, 0x00058800, 0x0005e000, 0x0005b800, 0x0005f800, 0x0005a800, 0x00059800, 0x00022000, 0x00025000, 0x00024800, 0x00021000, 0x00026800, 0x00024000, 0x00020000, 0x00027000, 0x00023000, 0x00025800, 0x00020800, 0x00026000, 0x00023800, 0x00027800, 0x00022800, 0x00021800, 0x00062000, 0x00065000, 0x00064800, 0x00061000, 0x00066800, 0x00064000, 0x00060000, 0x00067000, 0x00063000, 0x00065800, 0x00060800, 0x00066000, 0x00063800, 0x00067800, 0x00062800, 0x00061800, 0x00032000, 0x00035000, 0x00034800, 0x00031000, 0x00036800, 0x00034000, 0x00030000, 0x00037000, 0x00033000, 0x00035800, 0x00030800, 0x00036000, 0x00033800, 0x00037800, 0x00032800, 0x00031800, 0x0006a000, 0x0006d000, 0x0006c800, 0x00069000, 0x0006e800, 0x0006c000, 0x00068000, 0x0006f000, 0x0006b000, 0x0006d800, 0x00068800, 0x0006e000, 0x0006b800, 0x0006f800, 0x0006a800, 0x00069800, 0x0007a000, 0x0007d000, 0x0007c800, 0x00079000, 0x0007e800, 0x0007c000, 0x00078000, 0x0007f000, 0x0007b000, 0x0007d800, 0x00078800, 0x0007e000, 0x0007b800, 0x0007f800, 0x0007a800, 0x00079800, 0x00052000, 0x00055000, 0x00054800, 0x00051000, 0x00056800, 0x00054000, 0x00050000, 0x00057000, 0x00053000, 0x00055800, 0x00050800, 0x00056000, 0x00053800, 0x00057800, 0x00052800, 0x00051800, 0x00012000, 0x00015000, 0x00014800, 0x00011000, 0x00016800, 0x00014000, 0x00010000, 0x00017000, 0x00013000, 0x00015800, 0x00010800, 0x00016000, 0x00013800, 0x00017800, 0x00012800, 0x00011800, 0x0001a000, 0x0001d000, 0x0001c800, 0x00019000, 0x0001e800, 0x0001c000, 0x00018000, 0x0001f000, 0x0001b000, 0x0001d800, 0x00018800, 0x0001e000, 0x0001b800, 0x0001f800, 0x0001a800, 0x00019800, 0x00042000, 0x00045000, 0x00044800, 0x00041000, 0x00046800, 0x00044000, 0x00040000, 0x00047000, 0x00043000, 0x00045800, 0x00040800, 0x00046000, 0x00043800, 0x00047800, 0x00042800, 0x00041800, 0x0000a000, 0x0000d000, 0x0000c800, 0x00009000, 0x0000e800, 0x0000c000, 0x00008000, 0x0000f000, 0x0000b000, 0x0000d800, 0x00008800, 0x0000e000, 0x0000b800, 0x0000f800, 0x0000a800, 0x00009800, 0x00002000, 0x00005000, 0x00004800, 0x00001000, 0x00006800, 0x00004000, 0x00000000, 0x00007000, 0x00003000, 0x00005800, 0x00000800, 0x00006000, 0x00003800, 0x00007800, 0x00002800, 0x00001800, 0x0003a000, 0x0003d000, 0x0003c800, 0x00039000, 0x0003e800, 0x0003c000, 0x00038000, 0x0003f000, 0x0003b000, 0x0003d800, 0x00038800, 0x0003e000, 0x0003b800, 0x0003f800, 0x0003a800, 0x00039800, 0x0002a000, 0x0002d000, 0x0002c800, 0x00029000, 0x0002e800, 0x0002c000, 0x00028000, 0x0002f000, 0x0002b000, 0x0002d800, 0x00028800, 0x0002e000, 0x0002b800, 0x0002f800, 0x0002a800, 0x00029800, 0x0004a000, 0x0004d000, 0x0004c800, 0x00049000, 0x0004e800, 0x0004c000, 0x00048000, 0x0004f000, 0x0004b000, 0x0004d800, 0x00048800, 0x0004e000, 0x0004b800, 0x0004f800, 0x0004a800, 0x00049800, }, { /* 1 */ 0x03a80000, 0x03c00000, 0x03880000, 0x03e80000, 0x03d00000, 0x03980000, 0x03a00000, 0x03900000, 0x03f00000, 0x03f80000, 0x03e00000, 0x03b80000, 0x03b00000, 0x03800000, 0x03c80000, 0x03d80000, 0x06a80000, 0x06c00000, 0x06880000, 0x06e80000, 0x06d00000, 0x06980000, 0x06a00000, 0x06900000, 0x06f00000, 0x06f80000, 0x06e00000, 0x06b80000, 0x06b00000, 0x06800000, 0x06c80000, 0x06d80000, 0x05280000, 0x05400000, 0x05080000, 0x05680000, 0x05500000, 0x05180000, 0x05200000, 0x05100000, 0x05700000, 0x05780000, 0x05600000, 0x05380000, 0x05300000, 0x05000000, 0x05480000, 0x05580000, 0x00a80000, 0x00c00000, 0x00880000, 0x00e80000, 0x00d00000, 0x00980000, 0x00a00000, 0x00900000, 0x00f00000, 0x00f80000, 0x00e00000, 0x00b80000, 0x00b00000, 0x00800000, 0x00c80000, 0x00d80000, 0x00280000, 0x00400000, 0x00080000, 0x00680000, 0x00500000, 0x00180000, 0x00200000, 0x00100000, 0x00700000, 0x00780000, 0x00600000, 0x00380000, 0x00300000, 0x00000000, 0x00480000, 0x00580000, 0x04280000, 0x04400000, 0x04080000, 0x04680000, 0x04500000, 0x04180000, 0x04200000, 0x04100000, 0x04700000, 0x04780000, 0x04600000, 0x04380000, 0x04300000, 0x04000000, 0x04480000, 0x04580000, 0x04a80000, 0x04c00000, 0x04880000, 0x04e80000, 0x04d00000, 0x04980000, 0x04a00000, 0x04900000, 0x04f00000, 0x04f80000, 0x04e00000, 0x04b80000, 0x04b00000, 0x04800000, 0x04c80000, 0x04d80000, 0x07a80000, 0x07c00000, 0x07880000, 0x07e80000, 0x07d00000, 0x07980000, 0x07a00000, 0x07900000, 0x07f00000, 0x07f80000, 0x07e00000, 0x07b80000, 0x07b00000, 0x07800000, 0x07c80000, 0x07d80000, 0x07280000, 0x07400000, 0x07080000, 0x07680000, 0x07500000, 0x07180000, 0x07200000, 0x07100000, 0x07700000, 0x07780000, 0x07600000, 0x07380000, 0x07300000, 0x07000000, 0x07480000, 0x07580000, 0x02280000, 0x02400000, 0x02080000, 0x02680000, 0x02500000, 0x02180000, 0x02200000, 0x02100000, 0x02700000, 0x02780000, 0x02600000, 0x02380000, 0x02300000, 0x02000000, 0x02480000, 0x02580000, 0x03280000, 0x03400000, 0x03080000, 0x03680000, 0x03500000, 0x03180000, 0x03200000, 0x03100000, 0x03700000, 0x03780000, 0x03600000, 0x03380000, 0x03300000, 0x03000000, 0x03480000, 0x03580000, 0x06280000, 0x06400000, 0x06080000, 0x06680000, 0x06500000, 0x06180000, 0x06200000, 0x06100000, 0x06700000, 0x06780000, 0x06600000, 0x06380000, 0x06300000, 0x06000000, 0x06480000, 0x06580000, 0x05a80000, 0x05c00000, 0x05880000, 0x05e80000, 0x05d00000, 0x05980000, 0x05a00000, 0x05900000, 0x05f00000, 0x05f80000, 0x05e00000, 0x05b80000, 0x05b00000, 0x05800000, 0x05c80000, 0x05d80000, 0x01280000, 0x01400000, 0x01080000, 0x01680000, 0x01500000, 0x01180000, 0x01200000, 0x01100000, 0x01700000, 0x01780000, 0x01600000, 0x01380000, 0x01300000, 0x01000000, 0x01480000, 0x01580000, 0x02a80000, 0x02c00000, 0x02880000, 0x02e80000, 0x02d00000, 0x02980000, 0x02a00000, 0x02900000, 0x02f00000, 0x02f80000, 0x02e00000, 0x02b80000, 0x02b00000, 0x02800000, 0x02c80000, 0x02d80000, 0x01a80000, 0x01c00000, 0x01880000, 0x01e80000, 0x01d00000, 0x01980000, 0x01a00000, 0x01900000, 0x01f00000, 0x01f80000, 0x01e00000, 0x01b80000, 0x01b00000, 0x01800000, 0x01c80000, 0x01d80000, }, { /* 2 */ 0x30000002, 0x60000002, 0x38000002, 0x08000002, 0x28000002, 0x78000002, 0x68000002, 0x40000002, 0x20000002, 0x50000002, 0x48000002, 0x70000002, 0x00000002, 0x18000002, 0x58000002, 0x10000002, 0xb0000005, 0xe0000005, 0xb8000005, 0x88000005, 0xa8000005, 0xf8000005, 0xe8000005, 0xc0000005, 0xa0000005, 0xd0000005, 0xc8000005, 0xf0000005, 0x80000005, 0x98000005, 0xd8000005, 0x90000005, 0x30000005, 0x60000005, 0x38000005, 0x08000005, 0x28000005, 0x78000005, 0x68000005, 0x40000005, 0x20000005, 0x50000005, 0x48000005, 0x70000005, 0x00000005, 0x18000005, 0x58000005, 0x10000005, 0x30000000, 0x60000000, 0x38000000, 0x08000000, 0x28000000, 0x78000000, 0x68000000, 0x40000000, 0x20000000, 0x50000000, 0x48000000, 0x70000000, 0x00000000, 0x18000000, 0x58000000, 0x10000000, 0xb0000003, 0xe0000003, 0xb8000003, 0x88000003, 0xa8000003, 0xf8000003, 0xe8000003, 0xc0000003, 0xa0000003, 0xd0000003, 0xc8000003, 0xf0000003, 0x80000003, 0x98000003, 0xd8000003, 0x90000003, 0x30000001, 0x60000001, 0x38000001, 0x08000001, 0x28000001, 0x78000001, 0x68000001, 0x40000001, 0x20000001, 0x50000001, 0x48000001, 0x70000001, 0x00000001, 0x18000001, 0x58000001, 0x10000001, 0xb0000000, 0xe0000000, 0xb8000000, 0x88000000, 0xa8000000, 0xf8000000, 0xe8000000, 0xc0000000, 0xa0000000, 0xd0000000, 0xc8000000, 0xf0000000, 0x80000000, 0x98000000, 0xd8000000, 0x90000000, 0xb0000006, 0xe0000006, 0xb8000006, 0x88000006, 0xa8000006, 0xf8000006, 0xe8000006, 0xc0000006, 0xa0000006, 0xd0000006, 0xc8000006, 0xf0000006, 0x80000006, 0x98000006, 0xd8000006, 0x90000006, 0xb0000001, 0xe0000001, 0xb8000001, 0x88000001, 0xa8000001, 0xf8000001, 0xe8000001, 0xc0000001, 0xa0000001, 0xd0000001, 0xc8000001, 0xf0000001, 0x80000001, 0x98000001, 0xd8000001, 0x90000001, 0x30000003, 0x60000003, 0x38000003, 0x08000003, 0x28000003, 0x78000003, 0x68000003, 0x40000003, 0x20000003, 0x50000003, 0x48000003, 0x70000003, 0x00000003, 0x18000003, 0x58000003, 0x10000003, 0x30000004, 0x60000004, 0x38000004, 0x08000004, 0x28000004, 0x78000004, 0x68000004, 0x40000004, 0x20000004, 0x50000004, 0x48000004, 0x70000004, 0x00000004, 0x18000004, 0x58000004, 0x10000004, 0xb0000002, 0xe0000002, 0xb8000002, 0x88000002, 0xa8000002, 0xf8000002, 0xe8000002, 0xc0000002, 0xa0000002, 0xd0000002, 0xc8000002, 0xf0000002, 0x80000002, 0x98000002, 0xd8000002, 0x90000002, 0xb0000004, 0xe0000004, 0xb8000004, 0x88000004, 0xa8000004, 0xf8000004, 0xe8000004, 0xc0000004, 0xa0000004, 0xd0000004, 0xc8000004, 0xf0000004, 0x80000004, 0x98000004, 0xd8000004, 0x90000004, 0x30000006, 0x60000006, 0x38000006, 0x08000006, 0x28000006, 0x78000006, 0x68000006, 0x40000006, 0x20000006, 0x50000006, 0x48000006, 0x70000006, 0x00000006, 0x18000006, 0x58000006, 0x10000006, 0xb0000007, 0xe0000007, 0xb8000007, 0x88000007, 0xa8000007, 0xf8000007, 0xe8000007, 0xc0000007, 0xa0000007, 0xd0000007, 0xc8000007, 0xf0000007, 0x80000007, 0x98000007, 0xd8000007, 0x90000007, 0x30000007, 0x60000007, 0x38000007, 0x08000007, 0x28000007, 0x78000007, 0x68000007, 0x40000007, 0x20000007, 0x50000007, 0x48000007, 0x70000007, 0x00000007, 0x18000007, 0x58000007, 0x10000007, }, { /* 3 */ 0x000000e8, 0x000000d8, 0x000000a0, 0x00000088, 0x00000098, 0x000000f8, 0x000000a8, 0x000000c8, 0x00000080, 0x000000d0, 0x000000f0, 0x000000b8, 0x000000b0, 0x000000c0, 0x00000090, 0x000000e0, 0x000007e8, 0x000007d8, 0x000007a0, 0x00000788, 0x00000798, 0x000007f8, 0x000007a8, 0x000007c8, 0x00000780, 0x000007d0, 0x000007f0, 0x000007b8, 0x000007b0, 0x000007c0, 0x00000790, 0x000007e0, 0x000006e8, 0x000006d8, 0x000006a0, 0x00000688, 0x00000698, 0x000006f8, 0x000006a8, 0x000006c8, 0x00000680, 0x000006d0, 0x000006f0, 0x000006b8, 0x000006b0, 0x000006c0, 0x00000690, 0x000006e0, 0x00000068, 0x00000058, 0x00000020, 0x00000008, 0x00000018, 0x00000078, 0x00000028, 0x00000048, 0x00000000, 0x00000050, 0x00000070, 0x00000038, 0x00000030, 0x00000040, 0x00000010, 0x00000060, 0x000002e8, 0x000002d8, 0x000002a0, 0x00000288, 0x00000298, 0x000002f8, 0x000002a8, 0x000002c8, 0x00000280, 0x000002d0, 0x000002f0, 0x000002b8, 0x000002b0, 0x000002c0, 0x00000290, 0x000002e0, 0x000003e8, 0x000003d8, 0x000003a0, 0x00000388, 0x00000398, 0x000003f8, 0x000003a8, 0x000003c8, 0x00000380, 0x000003d0, 0x000003f0, 0x000003b8, 0x000003b0, 0x000003c0, 0x00000390, 0x000003e0, 0x00000568, 0x00000558, 0x00000520, 0x00000508, 0x00000518, 0x00000578, 0x00000528, 0x00000548, 0x00000500, 0x00000550, 0x00000570, 0x00000538, 0x00000530, 0x00000540, 0x00000510, 0x00000560, 0x00000268, 0x00000258, 0x00000220, 0x00000208, 0x00000218, 0x00000278, 0x00000228, 0x00000248, 0x00000200, 0x00000250, 0x00000270, 0x00000238, 0x00000230, 0x00000240, 0x00000210, 0x00000260, 0x000004e8, 0x000004d8, 0x000004a0, 0x00000488, 0x00000498, 0x000004f8, 0x000004a8, 0x000004c8, 0x00000480, 0x000004d0, 0x000004f0, 0x000004b8, 0x000004b0, 0x000004c0, 0x00000490, 0x000004e0, 0x00000168, 0x00000158, 0x00000120, 0x00000108, 0x00000118, 0x00000178, 0x00000128, 0x00000148, 0x00000100, 0x00000150, 0x00000170, 0x00000138, 0x00000130, 0x00000140, 0x00000110, 0x00000160, 0x000001e8, 0x000001d8, 0x000001a0, 0x00000188, 0x00000198, 0x000001f8, 0x000001a8, 0x000001c8, 0x00000180, 0x000001d0, 0x000001f0, 0x000001b8, 0x000001b0, 0x000001c0, 0x00000190, 0x000001e0, 0x00000768, 0x00000758, 0x00000720, 0x00000708, 0x00000718, 0x00000778, 0x00000728, 0x00000748, 0x00000700, 0x00000750, 0x00000770, 0x00000738, 0x00000730, 0x00000740, 0x00000710, 0x00000760, 0x00000368, 0x00000358, 0x00000320, 0x00000308, 0x00000318, 0x00000378, 0x00000328, 0x00000348, 0x00000300, 0x00000350, 0x00000370, 0x00000338, 0x00000330, 0x00000340, 0x00000310, 0x00000360, 0x000005e8, 0x000005d8, 0x000005a0, 0x00000588, 0x00000598, 0x000005f8, 0x000005a8, 0x000005c8, 0x00000580, 0x000005d0, 0x000005f0, 0x000005b8, 0x000005b0, 0x000005c0, 0x00000590, 0x000005e0, 0x00000468, 0x00000458, 0x00000420, 0x00000408, 0x00000418, 0x00000478, 0x00000428, 0x00000448, 0x00000400, 0x00000450, 0x00000470, 0x00000438, 0x00000430, 0x00000440, 0x00000410, 0x00000460, 0x00000668, 0x00000658, 0x00000620, 0x00000608, 0x00000618, 0x00000678, 0x00000628, 0x00000648, 0x00000600, 0x00000650, 0x00000670, 0x00000638, 0x00000630, 0x00000640, 0x00000610, 0x00000660, } } }; const struct gost28147_param _nettle_gost28147_param_CryptoPro_3411 = { { { /* 0 */ 0x0002d000, 0x0002a000, 0x0002a800, 0x0002b000, 0x0002c000, 0x00028800, 0x00029800, 0x0002b800, 0x0002e800, 0x0002e000, 0x0002f000, 0x00028000, 0x0002c800, 0x00029000, 0x0002d800, 0x0002f800, 0x0007d000, 0x0007a000, 0x0007a800, 0x0007b000, 0x0007c000, 0x00078800, 0x00079800, 0x0007b800, 0x0007e800, 0x0007e000, 0x0007f000, 0x00078000, 0x0007c800, 0x00079000, 0x0007d800, 0x0007f800, 0x00025000, 0x00022000, 0x00022800, 0x00023000, 0x00024000, 0x00020800, 0x00021800, 0x00023800, 0x00026800, 0x00026000, 0x00027000, 0x00020000, 0x00024800, 0x00021000, 0x00025800, 0x00027800, 0x00005000, 0x00002000, 0x00002800, 0x00003000, 0x00004000, 0x00000800, 0x00001800, 0x00003800, 0x00006800, 0x00006000, 0x00007000, 0x00000000, 0x00004800, 0x00001000, 0x00005800, 0x00007800, 0x00015000, 0x00012000, 0x00012800, 0x00013000, 0x00014000, 0x00010800, 0x00011800, 0x00013800, 0x00016800, 0x00016000, 0x00017000, 0x00010000, 0x00014800, 0x00011000, 0x00015800, 0x00017800, 0x0006d000, 0x0006a000, 0x0006a800, 0x0006b000, 0x0006c000, 0x00068800, 0x00069800, 0x0006b800, 0x0006e800, 0x0006e000, 0x0006f000, 0x00068000, 0x0006c800, 0x00069000, 0x0006d800, 0x0006f800, 0x0005d000, 0x0005a000, 0x0005a800, 0x0005b000, 0x0005c000, 0x00058800, 0x00059800, 0x0005b800, 0x0005e800, 0x0005e000, 0x0005f000, 0x00058000, 0x0005c800, 0x00059000, 0x0005d800, 0x0005f800, 0x0004d000, 0x0004a000, 0x0004a800, 0x0004b000, 0x0004c000, 0x00048800, 0x00049800, 0x0004b800, 0x0004e800, 0x0004e000, 0x0004f000, 0x00048000, 0x0004c800, 0x00049000, 0x0004d800, 0x0004f800, 0x0000d000, 0x0000a000, 0x0000a800, 0x0000b000, 0x0000c000, 0x00008800, 0x00009800, 0x0000b800, 0x0000e800, 0x0000e000, 0x0000f000, 0x00008000, 0x0000c800, 0x00009000, 0x0000d800, 0x0000f800, 0x0003d000, 0x0003a000, 0x0003a800, 0x0003b000, 0x0003c000, 0x00038800, 0x00039800, 0x0003b800, 0x0003e800, 0x0003e000, 0x0003f000, 0x00038000, 0x0003c800, 0x00039000, 0x0003d800, 0x0003f800, 0x00035000, 0x00032000, 0x00032800, 0x00033000, 0x00034000, 0x00030800, 0x00031800, 0x00033800, 0x00036800, 0x00036000, 0x00037000, 0x00030000, 0x00034800, 0x00031000, 0x00035800, 0x00037800, 0x0001d000, 0x0001a000, 0x0001a800, 0x0001b000, 0x0001c000, 0x00018800, 0x00019800, 0x0001b800, 0x0001e800, 0x0001e000, 0x0001f000, 0x00018000, 0x0001c800, 0x00019000, 0x0001d800, 0x0001f800, 0x00065000, 0x00062000, 0x00062800, 0x00063000, 0x00064000, 0x00060800, 0x00061800, 0x00063800, 0x00066800, 0x00066000, 0x00067000, 0x00060000, 0x00064800, 0x00061000, 0x00065800, 0x00067800, 0x00075000, 0x00072000, 0x00072800, 0x00073000, 0x00074000, 0x00070800, 0x00071800, 0x00073800, 0x00076800, 0x00076000, 0x00077000, 0x00070000, 0x00074800, 0x00071000, 0x00075800, 0x00077800, 0x00055000, 0x00052000, 0x00052800, 0x00053000, 0x00054000, 0x00050800, 0x00051800, 0x00053800, 0x00056800, 0x00056000, 0x00057000, 0x00050000, 0x00054800, 0x00051000, 0x00055800, 0x00057800, 0x00045000, 0x00042000, 0x00042800, 0x00043000, 0x00044000, 0x00040800, 0x00041800, 0x00043800, 0x00046800, 0x00046000, 0x00047000, 0x00040000, 0x00044800, 0x00041000, 0x00045800, 0x00047800, }, { /* 1 */ 0x02380000, 0x02780000, 0x02600000, 0x02700000, 0x02480000, 0x02200000, 0x02080000, 0x02000000, 0x02180000, 0x02580000, 0x02280000, 0x02100000, 0x02300000, 0x02500000, 0x02400000, 0x02680000, 0x05380000, 0x05780000, 0x05600000, 0x05700000, 0x05480000, 0x05200000, 0x05080000, 0x05000000, 0x05180000, 0x05580000, 0x05280000, 0x05100000, 0x05300000, 0x05500000, 0x05400000, 0x05680000, 0x03b80000, 0x03f80000, 0x03e00000, 0x03f00000, 0x03c80000, 0x03a00000, 0x03880000, 0x03800000, 0x03980000, 0x03d80000, 0x03a80000, 0x03900000, 0x03b00000, 0x03d00000, 0x03c00000, 0x03e80000, 0x06380000, 0x06780000, 0x06600000, 0x06700000, 0x06480000, 0x06200000, 0x06080000, 0x06000000, 0x06180000, 0x06580000, 0x06280000, 0x06100000, 0x06300000, 0x06500000, 0x06400000, 0x06680000, 0x00380000, 0x00780000, 0x00600000, 0x00700000, 0x00480000, 0x00200000, 0x00080000, 0x00000000, 0x00180000, 0x00580000, 0x00280000, 0x00100000, 0x00300000, 0x00500000, 0x00400000, 0x00680000, 0x07b80000, 0x07f80000, 0x07e00000, 0x07f00000, 0x07c80000, 0x07a00000, 0x07880000, 0x07800000, 0x07980000, 0x07d80000, 0x07a80000, 0x07900000, 0x07b00000, 0x07d00000, 0x07c00000, 0x07e80000, 0x01380000, 0x01780000, 0x01600000, 0x01700000, 0x01480000, 0x01200000, 0x01080000, 0x01000000, 0x01180000, 0x01580000, 0x01280000, 0x01100000, 0x01300000, 0x01500000, 0x01400000, 0x01680000, 0x04380000, 0x04780000, 0x04600000, 0x04700000, 0x04480000, 0x04200000, 0x04080000, 0x04000000, 0x04180000, 0x04580000, 0x04280000, 0x04100000, 0x04300000, 0x04500000, 0x04400000, 0x04680000, 0x07380000, 0x07780000, 0x07600000, 0x07700000, 0x07480000, 0x07200000, 0x07080000, 0x07000000, 0x07180000, 0x07580000, 0x07280000, 0x07100000, 0x07300000, 0x07500000, 0x07400000, 0x07680000, 0x00b80000, 0x00f80000, 0x00e00000, 0x00f00000, 0x00c80000, 0x00a00000, 0x00880000, 0x00800000, 0x00980000, 0x00d80000, 0x00a80000, 0x00900000, 0x00b00000, 0x00d00000, 0x00c00000, 0x00e80000, 0x03380000, 0x03780000, 0x03600000, 0x03700000, 0x03480000, 0x03200000, 0x03080000, 0x03000000, 0x03180000, 0x03580000, 0x03280000, 0x03100000, 0x03300000, 0x03500000, 0x03400000, 0x03680000, 0x02b80000, 0x02f80000, 0x02e00000, 0x02f00000, 0x02c80000, 0x02a00000, 0x02880000, 0x02800000, 0x02980000, 0x02d80000, 0x02a80000, 0x02900000, 0x02b00000, 0x02d00000, 0x02c00000, 0x02e80000, 0x06b80000, 0x06f80000, 0x06e00000, 0x06f00000, 0x06c80000, 0x06a00000, 0x06880000, 0x06800000, 0x06980000, 0x06d80000, 0x06a80000, 0x06900000, 0x06b00000, 0x06d00000, 0x06c00000, 0x06e80000, 0x05b80000, 0x05f80000, 0x05e00000, 0x05f00000, 0x05c80000, 0x05a00000, 0x05880000, 0x05800000, 0x05980000, 0x05d80000, 0x05a80000, 0x05900000, 0x05b00000, 0x05d00000, 0x05c00000, 0x05e80000, 0x04b80000, 0x04f80000, 0x04e00000, 0x04f00000, 0x04c80000, 0x04a00000, 0x04880000, 0x04800000, 0x04980000, 0x04d80000, 0x04a80000, 0x04900000, 0x04b00000, 0x04d00000, 0x04c00000, 0x04e80000, 0x01b80000, 0x01f80000, 0x01e00000, 0x01f00000, 0x01c80000, 0x01a00000, 0x01880000, 0x01800000, 0x01980000, 0x01d80000, 0x01a80000, 0x01900000, 0x01b00000, 0x01d00000, 0x01c00000, 0x01e80000, }, { /* 2 */ 0xb8000003, 0xb0000003, 0xa0000003, 0xd8000003, 0xc8000003, 0xe0000003, 0x90000003, 0xd0000003, 0x88000003, 0xc0000003, 0x80000003, 0xf0000003, 0xf8000003, 0xe8000003, 0x98000003, 0xa8000003, 0x38000003, 0x30000003, 0x20000003, 0x58000003, 0x48000003, 0x60000003, 0x10000003, 0x50000003, 0x08000003, 0x40000003, 0x00000003, 0x70000003, 0x78000003, 0x68000003, 0x18000003, 0x28000003, 0x38000001, 0x30000001, 0x20000001, 0x58000001, 0x48000001, 0x60000001, 0x10000001, 0x50000001, 0x08000001, 0x40000001, 0x00000001, 0x70000001, 0x78000001, 0x68000001, 0x18000001, 0x28000001, 0x38000002, 0x30000002, 0x20000002, 0x58000002, 0x48000002, 0x60000002, 0x10000002, 0x50000002, 0x08000002, 0x40000002, 0x00000002, 0x70000002, 0x78000002, 0x68000002, 0x18000002, 0x28000002, 0xb8000006, 0xb0000006, 0xa0000006, 0xd8000006, 0xc8000006, 0xe0000006, 0x90000006, 0xd0000006, 0x88000006, 0xc0000006, 0x80000006, 0xf0000006, 0xf8000006, 0xe8000006, 0x98000006, 0xa8000006, 0xb8000004, 0xb0000004, 0xa0000004, 0xd8000004, 0xc8000004, 0xe0000004, 0x90000004, 0xd0000004, 0x88000004, 0xc0000004, 0x80000004, 0xf0000004, 0xf8000004, 0xe8000004, 0x98000004, 0xa8000004, 0xb8000007, 0xb0000007, 0xa0000007, 0xd8000007, 0xc8000007, 0xe0000007, 0x90000007, 0xd0000007, 0x88000007, 0xc0000007, 0x80000007, 0xf0000007, 0xf8000007, 0xe8000007, 0x98000007, 0xa8000007, 0x38000000, 0x30000000, 0x20000000, 0x58000000, 0x48000000, 0x60000000, 0x10000000, 0x50000000, 0x08000000, 0x40000000, 0x00000000, 0x70000000, 0x78000000, 0x68000000, 0x18000000, 0x28000000, 0x38000005, 0x30000005, 0x20000005, 0x58000005, 0x48000005, 0x60000005, 0x10000005, 0x50000005, 0x08000005, 0x40000005, 0x00000005, 0x70000005, 0x78000005, 0x68000005, 0x18000005, 0x28000005, 0xb8000000, 0xb0000000, 0xa0000000, 0xd8000000, 0xc8000000, 0xe0000000, 0x90000000, 0xd0000000, 0x88000000, 0xc0000000, 0x80000000, 0xf0000000, 0xf8000000, 0xe8000000, 0x98000000, 0xa8000000, 0xb8000002, 0xb0000002, 0xa0000002, 0xd8000002, 0xc8000002, 0xe0000002, 0x90000002, 0xd0000002, 0x88000002, 0xc0000002, 0x80000002, 0xf0000002, 0xf8000002, 0xe8000002, 0x98000002, 0xa8000002, 0xb8000005, 0xb0000005, 0xa0000005, 0xd8000005, 0xc8000005, 0xe0000005, 0x90000005, 0xd0000005, 0x88000005, 0xc0000005, 0x80000005, 0xf0000005, 0xf8000005, 0xe8000005, 0x98000005, 0xa8000005, 0x38000004, 0x30000004, 0x20000004, 0x58000004, 0x48000004, 0x60000004, 0x10000004, 0x50000004, 0x08000004, 0x40000004, 0x00000004, 0x70000004, 0x78000004, 0x68000004, 0x18000004, 0x28000004, 0x38000007, 0x30000007, 0x20000007, 0x58000007, 0x48000007, 0x60000007, 0x10000007, 0x50000007, 0x08000007, 0x40000007, 0x00000007, 0x70000007, 0x78000007, 0x68000007, 0x18000007, 0x28000007, 0x38000006, 0x30000006, 0x20000006, 0x58000006, 0x48000006, 0x60000006, 0x10000006, 0x50000006, 0x08000006, 0x40000006, 0x00000006, 0x70000006, 0x78000006, 0x68000006, 0x18000006, 0x28000006, 0xb8000001, 0xb0000001, 0xa0000001, 0xd8000001, 0xc8000001, 0xe0000001, 0x90000001, 0xd0000001, 0x88000001, 0xc0000001, 0x80000001, 0xf0000001, 0xf8000001, 0xe8000001, 0x98000001, 0xa8000001, }, { /* 3 */ 0x000000e8, 0x000000f0, 0x000000a0, 0x00000088, 0x000000b8, 0x00000080, 0x000000a8, 0x000000d0, 0x00000098, 0x000000e0, 0x000000c0, 0x000000f8, 0x000000b0, 0x00000090, 0x000000c8, 0x000000d8, 0x000001e8, 0x000001f0, 0x000001a0, 0x00000188, 0x000001b8, 0x00000180, 0x000001a8, 0x000001d0, 0x00000198, 0x000001e0, 0x000001c0, 0x000001f8, 0x000001b0, 0x00000190, 0x000001c8, 0x000001d8, 0x00000568, 0x00000570, 0x00000520, 0x00000508, 0x00000538, 0x00000500, 0x00000528, 0x00000550, 0x00000518, 0x00000560, 0x00000540, 0x00000578, 0x00000530, 0x00000510, 0x00000548, 0x00000558, 0x000004e8, 0x000004f0, 0x000004a0, 0x00000488, 0x000004b8, 0x00000480, 0x000004a8, 0x000004d0, 0x00000498, 0x000004e0, 0x000004c0, 0x000004f8, 0x000004b0, 0x00000490, 0x000004c8, 0x000004d8, 0x000002e8, 0x000002f0, 0x000002a0, 0x00000288, 0x000002b8, 0x00000280, 0x000002a8, 0x000002d0, 0x00000298, 0x000002e0, 0x000002c0, 0x000002f8, 0x000002b0, 0x00000290, 0x000002c8, 0x000002d8, 0x000005e8, 0x000005f0, 0x000005a0, 0x00000588, 0x000005b8, 0x00000580, 0x000005a8, 0x000005d0, 0x00000598, 0x000005e0, 0x000005c0, 0x000005f8, 0x000005b0, 0x00000590, 0x000005c8, 0x000005d8, 0x00000268, 0x00000270, 0x00000220, 0x00000208, 0x00000238, 0x00000200, 0x00000228, 0x00000250, 0x00000218, 0x00000260, 0x00000240, 0x00000278, 0x00000230, 0x00000210, 0x00000248, 0x00000258, 0x000007e8, 0x000007f0, 0x000007a0, 0x00000788, 0x000007b8, 0x00000780, 0x000007a8, 0x000007d0, 0x00000798, 0x000007e0, 0x000007c0, 0x000007f8, 0x000007b0, 0x00000790, 0x000007c8, 0x000007d8, 0x00000468, 0x00000470, 0x00000420, 0x00000408, 0x00000438, 0x00000400, 0x00000428, 0x00000450, 0x00000418, 0x00000460, 0x00000440, 0x00000478, 0x00000430, 0x00000410, 0x00000448, 0x00000458, 0x00000368, 0x00000370, 0x00000320, 0x00000308, 0x00000338, 0x00000300, 0x00000328, 0x00000350, 0x00000318, 0x00000360, 0x00000340, 0x00000378, 0x00000330, 0x00000310, 0x00000348, 0x00000358, 0x000003e8, 0x000003f0, 0x000003a0, 0x00000388, 0x000003b8, 0x00000380, 0x000003a8, 0x000003d0, 0x00000398, 0x000003e0, 0x000003c0, 0x000003f8, 0x000003b0, 0x00000390, 0x000003c8, 0x000003d8, 0x00000768, 0x00000770, 0x00000720, 0x00000708, 0x00000738, 0x00000700, 0x00000728, 0x00000750, 0x00000718, 0x00000760, 0x00000740, 0x00000778, 0x00000730, 0x00000710, 0x00000748, 0x00000758, 0x000006e8, 0x000006f0, 0x000006a0, 0x00000688, 0x000006b8, 0x00000680, 0x000006a8, 0x000006d0, 0x00000698, 0x000006e0, 0x000006c0, 0x000006f8, 0x000006b0, 0x00000690, 0x000006c8, 0x000006d8, 0x00000068, 0x00000070, 0x00000020, 0x00000008, 0x00000038, 0x00000000, 0x00000028, 0x00000050, 0x00000018, 0x00000060, 0x00000040, 0x00000078, 0x00000030, 0x00000010, 0x00000048, 0x00000058, 0x00000168, 0x00000170, 0x00000120, 0x00000108, 0x00000138, 0x00000100, 0x00000128, 0x00000150, 0x00000118, 0x00000160, 0x00000140, 0x00000178, 0x00000130, 0x00000110, 0x00000148, 0x00000158, 0x00000668, 0x00000670, 0x00000620, 0x00000608, 0x00000638, 0x00000600, 0x00000628, 0x00000650, 0x00000618, 0x00000660, 0x00000640, 0x00000678, 0x00000630, 0x00000610, 0x00000648, 0x00000658, } } }; /* * A macro that performs a full encryption round of GOST 28147-89. */ #define GOST_ENCRYPT_ROUND(l, r, key1, key2, sbox) \ do { \ uint32_t round_tmp; \ \ round_tmp = (key1) + r; \ l ^= (sbox)[0][(round_tmp & 0xff)] ^ \ (sbox)[1][((round_tmp >> 8) & 0xff)] ^ \ (sbox)[2][((round_tmp >> 16) & 0xff)] ^ \ (sbox)[3][(round_tmp >> 24)]; \ round_tmp = (key2) + l; \ r ^= (sbox)[0][(round_tmp & 0xff)] ^ \ (sbox)[1][((round_tmp >> 8) & 0xff)] ^ \ (sbox)[2][((round_tmp >> 16) & 0xff)] ^ \ (sbox)[3][(round_tmp >> 24)]; \ } while (0) /* encrypt a block with the given key */ void _nettle_gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], const uint32_t *in, uint32_t *out) { uint32_t l, r; r = in[0], l = in[1]; GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox); GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox); GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox); GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox); GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox); GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox); GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox); GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox); GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox); GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox); GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox); GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox); GOST_ENCRYPT_ROUND(l, r, key[7], key[6], sbox); GOST_ENCRYPT_ROUND(l, r, key[5], key[4], sbox); GOST_ENCRYPT_ROUND(l, r, key[3], key[2], sbox); GOST_ENCRYPT_ROUND(l, r, key[1], key[0], sbox); *out = l, *(out + 1) = r; } nettle-4.0/gostdsa-sign.c0000644000000000000000000000434215141166424012353 0ustar00/* gostdsa-sign.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void gostdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature) { /* At most 936 bytes. */ TMP_DECL(k, mp_limb_t, ECC_MAX_SIZE + ECC_GOSTDSA_SIGN_ITCH (ECC_MAX_SIZE)); mp_limb_t size = key->ecc->p.size; mp_limb_t *rp = mpz_limbs_write (signature->r, size); mp_limb_t *sp = mpz_limbs_write (signature->s, size); TMP_ALLOC (k, size + ECC_GOSTDSA_SIGN_ITCH (size)); /* Timing reveals the number of rounds through this loop, but the timing is still independent of the secret k finally used. */ do { do { ecc_mod_random (&key->ecc->q, k, random_ctx, random, k + size); } while (mpn_zero_p(k, size)); ecc_gostdsa_sign (key->ecc, key->p, k, digest_length, digest, rp, sp, k + size); mpz_limbs_finish (signature->r, size); mpz_limbs_finish (signature->s, size); } while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0); } nettle-4.0/gostdsa-verify.c0000644000000000000000000000423315141166424012716 0ustar00/* gostdsa-verify.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "gmp-glue.h" int gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature) { mp_limb_t size = ecc_size (pub->ecc); mp_size_t itch = 2*size + ecc_gostdsa_verify_itch (pub->ecc); /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most 4824 bytes. Don't use stack allocation for this. */ mp_limb_t *scratch; int res; #define rp scratch #define sp (scratch + size) #define scratch_out (scratch + 2*size) if (mpz_sgn (signature->r) <= 0 || mpz_size (signature->r) > size || mpz_sgn (signature->s) <= 0 || mpz_size (signature->s) > size) return 0; scratch = gmp_alloc_limbs (itch); mpz_limbs_copy (rp, signature->r, size); mpz_limbs_copy (sp, signature->s, size); res = ecc_gostdsa_verify (pub->ecc, pub->p, length, digest, rp, sp, scratch_out); gmp_free_limbs (scratch, itch); return res; #undef rp #undef sp #undef scratch_out } nettle-4.0/gostdsa-vko.c0000644000000000000000000000566015141166424012216 0ustar00/* gostdsa-vko.c Copyright (C) 2016 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecc-internal.h" #include "gostdsa.h" /* * Shared key derivation/key agreement for GOST DSA algorithm. * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1 * * output is 2 * curve size: * 64 bytes for 256 bit curves and 128 bytes for 512 bit ones * * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This * function does multiplication. Caller should do hashing on his own. * * UKM is not a secret value (consider it as a nonce). * * For supported GOST curves cofactor is equal to 1. */ void gostdsa_vko (const struct ecc_scalar *priv, const struct ecc_point *pub, size_t ukm_length, const uint8_t *ukm, uint8_t *out) { const struct ecc_curve *ecc = priv->ecc; unsigned bsize = (ecc_bit_size (ecc) + 7) / 8; mp_size_t size = ecc->p.size; mp_size_t itch = 4*size + ecc->mul_itch; mp_limb_t *scratch; if (itch < 5*size + ecc->h_to_a_itch) itch = 5*size + ecc->h_to_a_itch; assert (pub->ecc == ecc); assert (priv->ecc == ecc); assert (ukm_length <= bsize); scratch = gmp_alloc_limbs (itch); #define UKM scratch #define TEMP (scratch + 3*size) #define XYZ scratch #define TEMP_Y (scratch + 4*size) mpn_set_base256_le (UKM, size, ukm, ukm_length); /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0, * no matter what private and public keys are. See RFC 4357 referencing GOST * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */ if (mpn_zero_p (UKM, size)) UKM[0] = 1; ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */ ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ mpn_get_base256_le (out, bsize, TEMP, size); mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size); gmp_free_limbs (scratch, itch); } nettle-4.0/gostdsa.h0000644000000000000000000000574215141166424011427 0ustar00/* gostdsa.h Copyright (C) 2015 Dmity Eremin-Solenikov Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GOSTDSA_H_INCLUDED #define NETTLE_GOSTDSA_H_INCLUDED #include "ecc.h" #include "dsa.h" #include "ecdsa.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify #define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify #define ecc_gostdsa_verify_itch nettle_ecc_gostdsa_verify_itch /* Just use ECDSA function for key generation */ #define gostdsa_generate_keypair ecdsa_generate_keypair /* High level GOST DSA functions. * * A public key is represented as a struct ecc_point, and a private * key as a struct ecc_scalar. */ void gostdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature); int gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); void gostdsa_vko (const struct ecc_scalar *key, const struct ecc_point *pub, size_t ukm_length, const uint8_t *ukm, uint8_t *out); /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); void ecc_gostdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch); mp_size_t ecc_gostdsa_verify_itch (const struct ecc_curve *ecc); int ecc_gostdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch); #ifdef __cplusplus } #endif #endif /* NETTLE_GOSTDSA_H_INCLUDED */ nettle-4.0/gosthash94-meta.c0000644000000000000000000000245015141166423012667 0ustar00/* gosthash94-meta.c Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "gosthash94.h" const struct nettle_hash nettle_gosthash94 = _NETTLE_HASH(gosthash94, GOSTHASH94); const struct nettle_hash nettle_gosthash94cp = _NETTLE_HASH(gosthash94cp, GOSTHASH94CP); nettle-4.0/gosthash94.c0000644000000000000000000003455015141166423011751 0ustar00/* gosthash94.c - an implementation of GOST Hash Function * * based on the Russian Standard GOST R 34.11-94. * English description in RFC 5831. * See also RFC 4357. * * Copyright: 2009-2012 Aleksey Kravchenko * Copyright: 2019 Dmitry Eremin-Solenikov * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ /* * Ported to nettle by Nikos Mavrogiannopoulos. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" #include "gost28147-internal.h" /** * Initialize algorithm context before calculating hash * with test parameters set. * * @param ctx context to initalize */ void gosthash94_init (struct gosthash94_ctx *ctx) { memset (ctx, 0, offsetof (struct gosthash94_ctx, block)); } /** * The core transformation. Process a 512-bit block. * * @param hash intermediate message hash * @param block the message block to process */ static void gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block, const uint32_t sbox[4][256]) { unsigned i; uint32_t key[8], u[8], v[8], w[8], s[8]; /* u := hash, v := <256-bit message block> */ memcpy (u, ctx->hash, sizeof (u)); memcpy (v, block, sizeof (v)); /* w := u xor v */ w[0] = u[0] ^ v[0], w[1] = u[1] ^ v[1]; w[2] = u[2] ^ v[2], w[3] = u[3] ^ v[3]; w[4] = u[4] ^ v[4], w[5] = u[5] ^ v[5]; w[6] = u[6] ^ v[6], w[7] = u[7] ^ v[7]; /* calculate keys, encrypt hash and store result to the s[] array */ for (i = 0;; i += 2) { /* key generation: key_i := P(w) */ key[0] = (w[0] & 0x000000ff) | ((w[2] & 0x000000ff) << 8) | ((w[4] & 0x000000ff) << 16) | ((w[6] & 0x000000ff) << 24); key[1] = ((w[0] & 0x0000ff00) >> 8) | (w[2] & 0x0000ff00) | ((w[4] & 0x0000ff00) << 8) | ((w[6] & 0x0000ff00) << 16); key[2] = ((w[0] & 0x00ff0000) >> 16) | ((w[2] & 0x00ff0000) >> 8) | (w[4] & 0x00ff0000) | ((w[6] & 0x00ff0000) << 8); key[3] = ((w[0] & 0xff000000) >> 24) | ((w[2] & 0xff000000) >> 16) | ((w[4] & 0xff000000) >> 8) | (w[6] & 0xff000000); key[4] = (w[1] & 0x000000ff) | ((w[3] & 0x000000ff) << 8) | ((w[5] & 0x000000ff) << 16) | ((w[7] & 0x000000ff) << 24); key[5] = ((w[1] & 0x0000ff00) >> 8) | (w[3] & 0x0000ff00) | ((w[5] & 0x0000ff00) << 8) | ((w[7] & 0x0000ff00) << 16); key[6] = ((w[1] & 0x00ff0000) >> 16) | ((w[3] & 0x00ff0000) >> 8) | (w[5] & 0x00ff0000) | ((w[7] & 0x00ff0000) << 8); key[7] = ((w[1] & 0xff000000) >> 24) | ((w[3] & 0xff000000) >> 16) | ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000); /* encryption: s_i := E_{key_i} (h_i) */ _nettle_gost28147_encrypt_block (key, sbox, &ctx->hash[i], &s[i]); if (i == 0) { /* w:= A(u) ^ A^2(v) */ w[0] = u[2] ^ v[4], w[1] = u[3] ^ v[5]; w[2] = u[4] ^ v[6], w[3] = u[5] ^ v[7]; w[4] = u[6] ^ (v[0] ^= v[2]); w[5] = u[7] ^ (v[1] ^= v[3]); w[6] = (u[0] ^= u[2]) ^ (v[2] ^= v[4]); w[7] = (u[1] ^= u[3]) ^ (v[3] ^= v[5]); } else if ((i & 2) != 0) { if (i == 6) break; /* w := A^2(u) xor A^4(v) xor C_3; u := A(u) xor C_3 */ /* C_3=0xff00ffff000000ffff0000ff00ffff0000ff00ff00ff00ffff00ff00ff00ff00 */ u[2] ^= u[4] ^ 0x000000ff; u[3] ^= u[5] ^ 0xff00ffff; u[4] ^= 0xff00ff00; u[5] ^= 0xff00ff00; u[6] ^= 0x00ff00ff; u[7] ^= 0x00ff00ff; u[0] ^= 0x00ffff00; u[1] ^= 0xff0000ff; w[0] = u[4] ^ v[0]; w[2] = u[6] ^ v[2]; w[4] = u[0] ^ (v[4] ^= v[6]); w[6] = u[2] ^ (v[6] ^= v[0]); w[1] = u[5] ^ v[1]; w[3] = u[7] ^ v[3]; w[5] = u[1] ^ (v[5] ^= v[7]); w[7] = u[3] ^ (v[7] ^= v[1]); } else { /* i==4 here */ /* w:= A( A^2(u) xor C_3 ) xor A^6(v) */ w[0] = u[6] ^ v[4], w[1] = u[7] ^ v[5]; w[2] = u[0] ^ v[6], w[3] = u[1] ^ v[7]; w[4] = u[2] ^ (v[0] ^= v[2]); w[5] = u[3] ^ (v[1] ^= v[3]); w[6] = (u[4] ^= u[6]) ^ (v[2] ^= v[4]); w[7] = (u[5] ^= u[7]) ^ (v[3] ^= v[5]); } } /* step hash function: x(block, hash) := psi^61(hash xor psi(block xor psi^12(S))) */ /* 12 rounds of the LFSR and xor in */ u[0] = block[0] ^ s[6]; u[1] = block[1] ^ s[7]; u[2] = block[2] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff) ^ (s[1] & 0xffff) ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[6] ^ (s[6] << 16) ^ (s[7] & 0xffff0000) ^ (s[7] >> 16); u[3] = block[3] ^ (s[0] & 0xffff) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^ (s[1] << 16) ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[6] ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); u[4] = block[4] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[1] & 0xffff0000) ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); u[5] = block[5] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff0000) ^ (s[1] & 0xffff) ^ s[2] ^ (s[2] >> 16) ^ (s[3] << 16) ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff0000) ^ (s[7] << 16) ^ (s[7] >> 16); u[6] = block[6] ^ s[0] ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[3] ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[5] >> 16) ^ s[6] ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] << 16); u[7] = block[7] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^ (s[1] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[4] ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[5] >> 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); /* 1 round of the LFSR (a mixing transformation) and xor with */ v[0] = ctx->hash[0] ^ (u[1] << 16) ^ (u[0] >> 16); v[1] = ctx->hash[1] ^ (u[2] << 16) ^ (u[1] >> 16); v[2] = ctx->hash[2] ^ (u[3] << 16) ^ (u[2] >> 16); v[3] = ctx->hash[3] ^ (u[4] << 16) ^ (u[3] >> 16); v[4] = ctx->hash[4] ^ (u[5] << 16) ^ (u[4] >> 16); v[5] = ctx->hash[5] ^ (u[6] << 16) ^ (u[5] >> 16); v[6] = ctx->hash[6] ^ (u[7] << 16) ^ (u[6] >> 16); v[7] = ctx-> hash[7] ^ (u[0] & 0xffff0000) ^ (u[0] << 16) ^ (u[1] & 0xffff0000) ^ (u[1] << 16) ^ (u[6] << 16) ^ (u[7] & 0xffff0000) ^ (u[7] >> 16); /* 61 rounds of LFSR, mixing up hash */ ctx->hash[0] = (v[0] & 0xffff0000) ^ (v[0] << 16) ^ (v[0] >> 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ (v[3] >> 16) ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] >> 16) ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] & 0xffff); ctx->hash[1] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^ (v[1] & 0xffff) ^ v[2] ^ (v[2] >> 16) ^ (v[3] << 16) ^ (v[4] >> 16) ^ (v[5] << 16) ^ (v[6] << 16) ^ v[6] ^ (v[7] & 0xffff0000) ^ (v[7] >> 16); ctx->hash[2] = (v[0] & 0xffff) ^ (v[0] << 16) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[6] ^ (v[6] >> 16) ^ (v[7] & 0xffff) ^ (v[7] << 16) ^ (v[7] >> 16); ctx->hash[3] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^ (v[1] & 0xffff0000) ^ (v[1] >> 16) ^ (v[2] << 16) ^ (v[2] >> 16) ^ v[2] ^ (v[3] << 16) ^ (v[4] >> 16) ^ v[4] ^ (v[5] << 16) ^ (v[6] << 16) ^ (v[7] & 0xffff) ^ (v[7] >> 16); ctx->hash[4] = (v[0] >> 16) ^ (v[1] << 16) ^ v[1] ^ (v[2] >> 16) ^ v[2] ^ (v[3] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ (v[7] << 16); ctx->hash[5] = (v[0] << 16) ^ (v[0] & 0xffff0000) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ v[2] ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[4] >> 16) ^ v[4] ^ (v[5] << 16) ^ (v[6] << 16) ^ (v[6] >> 16) ^ v[6] ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] & 0xffff0000); ctx->hash[6] = v[0] ^ v[2] ^ (v[2] >> 16) ^ v[3] ^ (v[3] << 16) ^ v[4] ^ (v[4] >> 16) ^ (v[5] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ v[6] ^ (v[7] << 16) ^ v[7]; ctx->hash[7] = v[0] ^ (v[0] >> 16) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[2] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ v[4] ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ (v[7] << 16) ^ v[7]; } /** * This function calculates hash value by 256-bit blocks. * It updates 256-bit check sum as follows: * *(uint256_t)(ctx->sum) += *(uint256_t*)block; * and then updates intermediate hash value ctx->hash * by calling gost_block_compress(). * * @param ctx algorithm context * @param block the 256-bit message block to process */ static void gost_compute_sum_and_hash (struct gosthash94_ctx *ctx, const uint8_t *block, const uint32_t sbox[4][256]) { uint32_t block_le[8]; unsigned i, carry; /* compute the 256-bit sum */ for (i = carry = 0; i < 8; i++, block += 4) { block_le[i] = LE_READ_UINT32(block); ctx->sum[i] += carry; carry = (ctx->sum[i] < carry); ctx->sum[i] += block_le[i]; carry += (ctx->sum[i] < block_le[i]); } /* update message hash */ gost_block_compress (ctx, block_le, sbox); } #define COMPRESS(ctx, block) gost_compute_sum_and_hash((ctx), (block), sbox); /** * Calculate message hash. * Can be called repeatedly with chunks of the message to be hashed. * * @param ctx the algorithm context containing current hashing state * @param msg message chunk * @param size length of the message chunk */ static void gosthash94_update_int (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg, const uint32_t sbox[4][256]) { MD_UPDATE(ctx, length, msg, COMPRESS, ctx->count++); } /** * Calculate message hash. * Can be called repeatedly with chunks of the message to be hashed. * * @param ctx the algorithm context containing current hashing state * @param msg message chunk * @param size length of the message chunk */ void gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { gosthash94_update_int (ctx, length, msg, _nettle_gost28147_param_test_3411.sbox); } /** * Calculate message hash. * Can be called repeatedly with chunks of the message to be hashed. * * @param ctx the algorithm context containing current hashing state * @param msg message chunk * @param size length of the message chunk */ void gosthash94cp_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { gosthash94_update_int (ctx, length, msg, _nettle_gost28147_param_CryptoPro_3411.sbox); } /** * Finish hashing and store message digest into given array. * * @param ctx the algorithm context containing current hashing state * @param result calculated hash in binary form */ static void gosthash94_write_digest (struct gosthash94_ctx *ctx, uint8_t *result, const uint32_t sbox[4][256]) { uint32_t msg32[GOSTHASH94_BLOCK_SIZE / 4]; /* pad the last block with zeroes and hash it */ if (ctx->index > 0) { memset (ctx->block + ctx->index, 0, GOSTHASH94_BLOCK_SIZE - ctx->index); gost_compute_sum_and_hash (ctx, ctx->block, sbox); } /* hash the message length and the sum */ msg32[0] = (ctx->count << 8) | (ctx->index << 3); msg32[1] = ctx->count >> 24; memset (msg32 + 2, 0, sizeof (uint32_t) * 6); gost_block_compress (ctx, msg32, sbox); gost_block_compress (ctx, ctx->sum, sbox); /* convert hash state to result bytes */ _nettle_write_le32(GOSTHASH94_DIGEST_SIZE, result, ctx->hash); gosthash94_init (ctx); } void gosthash94_digest (struct gosthash94_ctx *ctx, uint8_t *result) { gosthash94_write_digest (ctx, result, _nettle_gost28147_param_test_3411.sbox); } void gosthash94cp_digest (struct gosthash94_ctx *ctx, uint8_t *result) { gosthash94_write_digest (ctx, result, _nettle_gost28147_param_CryptoPro_3411.sbox); } nettle-4.0/gosthash94.h0000644000000000000000000000730615141166424011756 0ustar00/* gosthash94.h The GOST R 34.11-94 hash function, described in RFC 5831. Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on rhash gost.h. */ /* Copyright: 2009-2012 Aleksey Kravchenko * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ /* * Ported to nettle by Nikos Mavrogiannopoulos. */ #ifndef NETTLE_GOSTHASH94_H_INCLUDED #define NETTLE_GOSTHASH94_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif #define gosthash94_init nettle_gosthash94_init #define gosthash94_update nettle_gosthash94_update #define gosthash94_digest nettle_gosthash94_digest #define gosthash94cp_update nettle_gosthash94cp_update #define gosthash94cp_digest nettle_gosthash94cp_digest #define GOSTHASH94_BLOCK_SIZE 32 #define GOSTHASH94_DIGEST_SIZE 32 #define GOSTHASH94CP_BLOCK_SIZE GOSTHASH94_BLOCK_SIZE #define GOSTHASH94CP_DIGEST_SIZE GOSTHASH94_DIGEST_SIZE struct gosthash94_ctx { uint32_t hash[8]; /* algorithm 256-bit state */ uint32_t sum[8]; /* sum of processed message blocks */ uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[GOSTHASH94_BLOCK_SIZE]; /* 256-bit buffer for leftovers */ }; #define gosthash94cp_ctx gosthash94_ctx void gosthash94_init(struct gosthash94_ctx *ctx); void gosthash94_update(struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg); void gosthash94_digest(struct gosthash94_ctx *ctx, uint8_t *result); #define gosthash94cp_init gosthash94_init void gosthash94cp_update(struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg); void gosthash94cp_digest(struct gosthash94_ctx *ctx, uint8_t *result); #ifdef __cplusplus } #endif #endif /* NETTLE_GOSTHASH94_H_INCLUDED */ nettle-4.0/hkdf.c0000644000000000000000000000434115141166424010664 0ustar00/* hkdf.c Copyright (C) 2017 Red Hat, Inc. Author: Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Functions for the HKDF handling. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "hkdf.h" #include "nettle-internal.h" /* hkdf_extract: Outputs a PRK of digest_size */ void hkdf_extract(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t secret_size, const uint8_t *secret, uint8_t *dst) { update(mac_ctx, secret_size, secret); digest(mac_ctx, dst); } /* hkdf_expand: Outputs an arbitrary key of size specified by length */ void hkdf_expand(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) { TMP_DECL(buf, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); uint8_t i = 1; if (!length) return; for (;; dst += digest_size, length -= digest_size, i++) { update(mac_ctx, info_size, info); update(mac_ctx, 1, &i); if (length < digest_size) break; digest(mac_ctx, dst); if (length == digest_size) return; update(mac_ctx, digest_size, dst); } TMP_ALLOC (buf, digest_size); digest(mac_ctx, buf); memcpy (dst, buf, length); } nettle-4.0/hkdf.h0000644000000000000000000000332415141166424010671 0ustar00/* hkdf.h TLS PRF code (RFC-5246, RFC-2246). Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HKDF_H_INCLUDED #define NETTLE_HKDF_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define hkdf_extract nettle_hkdf_extract #define hkdf_expand nettle_hkdf_expand void hkdf_extract(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t secret_size, const uint8_t *secret, uint8_t *dst); void hkdf_expand(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_HKDF_H_INCLUDED */ nettle-4.0/hmac-gosthash94-meta.c0000644000000000000000000000310415141166424013573 0ustar00/* hmac-gosthash94-meta.c Copyright (C) 2024 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_gosthash94_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_gosthash94_set_key (ctx, GOSTHASH94_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_gosthash94 = _NETTLE_HMAC(hmac_gosthash94, GOSTHASH94); static void hmac_gosthash94cp_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_gosthash94cp_set_key (ctx, GOSTHASH94CP_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_gosthash94cp = _NETTLE_HMAC(hmac_gosthash94cp, GOSTHASH94CP); nettle-4.0/hmac-gosthash94.c0000644000000000000000000000514315141166424012654 0ustar00/* hmac-gosthash94.c HMAC-GOSTHASH94 message authentication code. Copyright (C) 2016 Dmitry Eremin-Solenikov Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_gosthash94_set_key(struct hmac_gosthash94_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_gosthash94, key_length, key); } void hmac_gosthash94_update(struct hmac_gosthash94_ctx *ctx, size_t length, const uint8_t *data) { gosthash94_update(&ctx->state, length, data); } void hmac_gosthash94_digest(struct hmac_gosthash94_ctx *ctx, uint8_t *digest) { /* Needs a call to gosthash94_update, since GOSTHASH94_DIGEST_SIZE == GOSTHASH94_BLOCK_SIZE. */ _NETTLE_HMAC_DIGEST_U (ctx->outer, ctx->inner, &ctx->state, gosthash94_digest, gosthash94_update, digest); } void hmac_gosthash94cp_set_key(struct hmac_gosthash94cp_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_gosthash94cp, key_length, key); } void hmac_gosthash94cp_update(struct hmac_gosthash94cp_ctx *ctx, size_t length, const uint8_t *data) { gosthash94cp_update(&ctx->state, length, data); } void hmac_gosthash94cp_digest(struct hmac_gosthash94cp_ctx *ctx, uint8_t *digest) { /* Needs a call to gosthash94cp_update, since GOSTHASH94CP_DIGEST_SIZE == GOSTHASH94CP_BLOCK_SIZE. */ _NETTLE_HMAC_DIGEST_U (ctx->outer, ctx->inner, &ctx->state, gosthash94cp_digest, gosthash94cp_update, digest); } nettle-4.0/hmac-internal.c0000644000000000000000000000406615141166424012476 0ustar00/* hmac-internal.c Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "hmac-internal.h" #include "memxor.h" static void memxor_byte (uint8_t *p, uint8_t b, size_t n) { size_t i; for (i = 0; i < n; i++) p[i] ^= b; } void _nettle_hmac_set_key (size_t state_size, void *outer, void *inner, void *ctx, uint8_t *block, const struct nettle_hash *hash, size_t key_size, const uint8_t *key) { hash->init (ctx); if (key_size > hash->block_size) { hash->update (ctx, key_size, key); hash->digest (ctx, block); key_size = hash->digest_size; memxor_byte (block, OPAD, key_size); memset (block + key_size, OPAD, hash->block_size - key_size); } else { memset (block, OPAD, hash->block_size); memxor (block, key, key_size); } hash->update (ctx, hash->block_size, block); memcpy (outer, ctx, state_size); memxor_byte (block, OPAD ^ IPAD, hash->block_size); hash->init (ctx); hash->update (ctx, hash->block_size, block); memcpy (inner, ctx, state_size); } nettle-4.0/hmac-internal.h0000644000000000000000000000433615141166424012503 0ustar00/* hmac-internal.h Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HMAC_INTERNAL_H_INCLUDED #define NETTLE_HMAC_INTERNAL_H_INCLUDED #include #include "nettle-types.h" #include "nettle-meta.h" #define IPAD 0x36 #define OPAD 0x5c void _nettle_hmac_set_key (size_t state_size, void *outer, void *inner, void *ctx, uint8_t *block, const struct nettle_hash *hash, size_t key_size, const uint8_t *key); /* Digest operation for the common case that digest_size < block_size. */ #define _NETTLE_HMAC_DIGEST(outer, inner, ctx, digest, digest_size, out) do { \ digest((ctx), (ctx)->block); \ memcpy ((ctx), (outer), sizeof (outer)); \ (ctx)->index = (digest_size); \ digest ((ctx), (out)); \ memcpy ((ctx), (inner), sizeof (inner)); \ } while (0) /* Digest operation for the corner case that digest_size == block_size (e.g, ghosthash and streebog512). */ #define _NETTLE_HMAC_DIGEST_U(outer, inner, ctx, digest, update, out) do { \ digest((ctx), (ctx)->block); \ memcpy ((ctx), (outer), sizeof (outer)); \ update ((ctx), sizeof( (ctx)->block), (ctx)->block); \ digest ((ctx), (out)); \ memcpy ((ctx), (inner), sizeof (inner)); \ } while (0) #endif /* NETTLE_HMAC_INTERNAL_H_INCLUDED */ nettle-4.0/hmac-md5-meta.c0000644000000000000000000000243015141166424012264 0ustar00/* hmac-md5-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_md5_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_md5_set_key (ctx, MD5_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_md5 = _NETTLE_HMAC(hmac_md5, MD5); nettle-4.0/hmac-md5.c0000644000000000000000000000323615141166424011345 0ustar00/* hmac-md5.c HMAC-MD5 message authentication code. Copyright (C) 2002, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_md5_set_key(struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_md5, key_length, key); } void hmac_md5_update(struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data) { md5_update(&ctx->state, length, data); } void hmac_md5_digest(struct hmac_md5_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, md5_digest, MD5_DIGEST_SIZE, digest); } nettle-4.0/hmac-ripemd160-meta.c0000644000000000000000000000250215141166424013306 0ustar00/* hmac-ripemd160-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_ripemd160_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_ripemd160_set_key (ctx, RIPEMD160_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_ripemd160 = _NETTLE_HMAC(hmac_ripemd160, RIPEMD160); nettle-4.0/hmac-ripemd160.c0000644000000000000000000000337015141166424012366 0ustar00/* hmac-ripemd160.c HMAC-RIPEMD160 message authentication code. Copyright (C) 2011, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_ripemd160, key_length, key); } void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data) { ripemd160_update(&ctx->state, length, data); } void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, ripemd160_digest, RIPEMD160_DIGEST_SIZE, digest); } nettle-4.0/hmac-sha1-meta.c0000644000000000000000000000243715141166424012442 0ustar00/* hmac-sha1-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha1_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha1_set_key (ctx, SHA1_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha1 = _NETTLE_HMAC(hmac_sha1, SHA1); nettle-4.0/hmac-sha1.c0000644000000000000000000000325515141166424011515 0ustar00/* hmac-sha1.c HMAC-SHA1 message authentication code. Copyright (C) 2002, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_sha1, key_length, key); } void hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data) { sha1_update(&ctx->state, length, data); } void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, sha1_digest, SHA1_DIGEST_SIZE, digest); } nettle-4.0/hmac-sha224-meta.c0000644000000000000000000000245515141166424012611 0ustar00/* hmac-sha224-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha224_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha224_set_key (ctx, SHA224_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha224 = _NETTLE_HMAC(hmac_sha224, SHA224); nettle-4.0/hmac-sha224.c0000644000000000000000000000310215141166424011653 0ustar00/* hmac-sha224.c HMAC-SHA224 message authentication code. Copyright (C) 2003, 2010, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_sha224, key_length, key); } void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, sha224_digest, SHA224_DIGEST_SIZE, digest); } nettle-4.0/hmac-sha256-meta.c0000644000000000000000000000245515141166424012616 0ustar00/* hmac-sha256-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha256_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha256_set_key (ctx, SHA256_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha256 = _NETTLE_HMAC(hmac_sha256, SHA256); nettle-4.0/hmac-sha256.c0000644000000000000000000000331315141166424011664 0ustar00/* hmac-sha256.c HMAC-SHA256 message authentication code. Copyright (C) 2003, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_sha256, key_length, key); } void hmac_sha256_update(struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data) { sha256_update(&ctx->state, length, data); } void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, sha256_digest, SHA256_DIGEST_SIZE, digest); } nettle-4.0/hmac-sha384-meta.c0000644000000000000000000000245515141166424012620 0ustar00/* hmac-sha384-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha384_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha384_set_key (ctx, SHA384_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha384 = _NETTLE_HMAC(hmac_sha384, SHA384); nettle-4.0/hmac-sha384.c0000644000000000000000000000310215141166424011662 0ustar00/* hmac-sha384.c HMAC-SHA384 message authentication code. Copyright (C) 2003, 2010, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_sha384, key_length, key); } void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, sha384_digest, SHA384_DIGEST_SIZE, digest); } nettle-4.0/hmac-sha512-meta.c0000644000000000000000000000245515141166424012611 0ustar00/* hmac-sha512-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha512_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha512_set_key (ctx, SHA512_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha512 = _NETTLE_HMAC(hmac_sha512, SHA512); nettle-4.0/hmac-sha512.c0000644000000000000000000000332115141166424011656 0ustar00/* hmac-sha512.c HMAC-SHA512 message authentication code. Copyright (C) 2003, 2010, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_sha512, key_length, key); } void hmac_sha512_update(struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data) { sha512_update(&ctx->state, length, data); } void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, sha512_digest, SHA512_DIGEST_SIZE, digest); } nettle-4.0/hmac-sm3-meta.c0000644000000000000000000000247515141166424012312 0ustar00/* hmac-sm3-meta.c Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sm3_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sm3_set_key (ctx, SM3_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sm3 = _NETTLE_HMAC(hmac_sm3, SM3); nettle-4.0/hmac-sm3.c0000644000000000000000000000333615141166424011363 0ustar00/* hmac-sm3.c HMAC-SM3 message authentication code. Copyright (C) 2021 Tianjia Zhang Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_sm3_set_key(struct hmac_sm3_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_sm3, key_length, key); } void hmac_sm3_update(struct hmac_sm3_ctx *ctx, size_t length, const uint8_t *data) { sm3_update(&ctx->state, length, data); } void hmac_sm3_digest(struct hmac_sm3_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, sm3_digest, SM3_DIGEST_SIZE, digest); } nettle-4.0/hmac-streebog-meta.c0000644000000000000000000000310515141166424013411 0ustar00/* hmac-streebog-meta.c Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_streebog256_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_streebog256_set_key (ctx, STREEBOG256_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_streebog256 = _NETTLE_HMAC(hmac_streebog256, STREEBOG256); static void hmac_streebog512_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_streebog512_set_key (ctx, STREEBOG512_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_streebog512 = _NETTLE_HMAC(hmac_streebog512, STREEBOG512); nettle-4.0/hmac-streebog.c0000644000000000000000000000452515141166424012474 0ustar00/* hmac-streebog.c HMAC-Streebog message authentication code. Copyright (C) 2016 Dmitry Eremin-Solenikov Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" #include "hmac-internal.h" void hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_streebog512, key_length, key); } void hmac_streebog512_update(struct hmac_streebog512_ctx *ctx, size_t length, const uint8_t *data) { streebog512_update(&ctx->state, length, data); } void hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx, uint8_t *digest) { /* Needs a call to streebog512_update, since STREEBOG512_DIGEST_SIZE == STREEBOG512_BLOCK_SIZE. */ _NETTLE_HMAC_DIGEST_U (ctx->outer, ctx->inner, &ctx->state, streebog512_digest, streebog512_update, digest); } void hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx, size_t key_length, const uint8_t *key) { _nettle_hmac_set_key (sizeof(ctx->outer), ctx->outer, ctx->inner, &ctx->state, ctx->state.block, &nettle_streebog256, key_length, key); } void hmac_streebog256_digest(struct hmac_streebog256_ctx *ctx, uint8_t *digest) { _NETTLE_HMAC_DIGEST (ctx->outer, ctx->inner, &ctx->state, streebog256_digest, STREEBOG256_DIGEST_SIZE, digest); } nettle-4.0/hmac.h0000644000000000000000000001664515141166424010677 0ustar00/* hmac.h HMAC message authentication code (RFC-2104). Copyright (C) 2001, 2002, 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HMAC_H_INCLUDED #define NETTLE_HMAC_H_INCLUDED #include #include "nettle-meta.h" #include "gosthash94.h" #include "md5.h" #include "ripemd160.h" #include "sha1.h" #include "sha2.h" #include "streebog.h" #include "sm3.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define hmac_md5_set_key nettle_hmac_md5_set_key #define hmac_md5_update nettle_hmac_md5_update #define hmac_md5_digest nettle_hmac_md5_digest #define hmac_ripemd160_set_key nettle_hmac_ripemd160_set_key #define hmac_ripemd160_update nettle_hmac_ripemd160_update #define hmac_ripemd160_digest nettle_hmac_ripemd160_digest #define hmac_sha1_set_key nettle_hmac_sha1_set_key #define hmac_sha1_update nettle_hmac_sha1_update #define hmac_sha1_digest nettle_hmac_sha1_digest #define hmac_sha224_set_key nettle_hmac_sha224_set_key #define hmac_sha224_digest nettle_hmac_sha224_digest #define hmac_sha256_set_key nettle_hmac_sha256_set_key #define hmac_sha256_update nettle_hmac_sha256_update #define hmac_sha256_digest nettle_hmac_sha256_digest #define hmac_sha384_set_key nettle_hmac_sha384_set_key #define hmac_sha384_digest nettle_hmac_sha384_digest #define hmac_sha512_set_key nettle_hmac_sha512_set_key #define hmac_sha512_update nettle_hmac_sha512_update #define hmac_sha512_digest nettle_hmac_sha512_digest #define hmac_gosthash94_set_key nettle_hmac_gosthash94_set_key #define hmac_gosthash94_update nettle_hmac_gosthash94_update #define hmac_gosthash94_digest nettle_hmac_gosthash94_digest #define hmac_gosthash94cp_set_key nettle_hmac_gosthash94cp_set_key #define hmac_gosthash94cp_update nettle_hmac_gosthash94cp_update #define hmac_gosthash94cp_digest nettle_hmac_gosthash94cp_digest #define hmac_streebog256_set_key nettle_hmac_streebog256_set_key #define hmac_streebog256_digest nettle_hmac_streebog256_digest #define hmac_streebog512_set_key nettle_hmac_streebog512_set_key #define hmac_streebog512_update nettle_hmac_streebog512_update #define hmac_streebog512_digest nettle_hmac_streebog512_digest #define hmac_sm3_set_key nettle_hmac_sm3_set_key #define hmac_sm3_update nettle_hmac_sm3_update #define hmac_sm3_digest nettle_hmac_sm3_digest #define _NETTLE_HMAC_CTX(type) { \ alignas(type) char outer[offsetof (type, index)]; \ alignas(type) char inner[offsetof (type, index)]; \ type state; \ } /* hmac-md5 */ struct hmac_md5_ctx _NETTLE_HMAC_CTX (struct md5_ctx); void hmac_md5_set_key(struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_md5_update(struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data); void hmac_md5_digest(struct hmac_md5_ctx *ctx, uint8_t *digest); /* hmac-ripemd160 */ struct hmac_ripemd160_ctx _NETTLE_HMAC_CTX (struct ripemd160_ctx); void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data); void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, uint8_t *digest); /* hmac-sha1 */ struct hmac_sha1_ctx _NETTLE_HMAC_CTX (struct sha1_ctx); void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, uint8_t *digest); /* hmac-sha256 */ struct hmac_sha256_ctx _NETTLE_HMAC_CTX (struct sha256_ctx); void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha256_update(struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, uint8_t *digest); /* hmac-sha224 */ #define hmac_sha224_ctx hmac_sha256_ctx void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_sha224_update nettle_hmac_sha256_update void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, uint8_t *digest); /* hmac-sha512 */ struct hmac_sha512_ctx _NETTLE_HMAC_CTX (struct sha512_ctx); void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha512_update(struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, uint8_t *digest); /* hmac-sha384 */ #define hmac_sha384_ctx hmac_sha512_ctx void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_sha384_update nettle_hmac_sha512_update void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, uint8_t *digest); /* hmac-gosthash94 */ struct hmac_gosthash94_ctx _NETTLE_HMAC_CTX (struct gosthash94_ctx); void hmac_gosthash94_set_key(struct hmac_gosthash94_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_gosthash94_update(struct hmac_gosthash94_ctx *ctx, size_t length, const uint8_t *data); void hmac_gosthash94_digest(struct hmac_gosthash94_ctx *ctx, uint8_t *digest); #define hmac_gosthash94cp_ctx hmac_gosthash94_ctx void hmac_gosthash94cp_set_key(struct hmac_gosthash94cp_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_gosthash94cp_update(struct hmac_gosthash94cp_ctx *ctx, size_t length, const uint8_t *data); void hmac_gosthash94cp_digest(struct hmac_gosthash94cp_ctx *ctx, uint8_t *digest); /* hmac-streebog */ struct hmac_streebog512_ctx _NETTLE_HMAC_CTX (struct streebog512_ctx); void hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_streebog512_update(struct hmac_streebog512_ctx *ctx, size_t length, const uint8_t *data); void hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx, uint8_t *digest); #define hmac_streebog256_ctx hmac_streebog512_ctx void hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_streebog256_update hmac_streebog512_update void hmac_streebog256_digest(struct hmac_streebog256_ctx *ctx, uint8_t *digest); /* hmac-sm3 */ struct hmac_sm3_ctx _NETTLE_HMAC_CTX (struct sm3_ctx); void hmac_sm3_set_key(struct hmac_sm3_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sm3_update(struct hmac_sm3_ctx *ctx, size_t length, const uint8_t *data); void hmac_sm3_digest(struct hmac_sm3_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_HMAC_H_INCLUDED */ nettle-4.0/hogweed-internal.h0000644000000000000000000000314515141166424013212 0ustar00/* hogweed-internal.h Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HOGWEED_INTERNAL_H_INCLUDED #define NETTLE_HOGWEED_INTERNAL_H_INCLUDED void _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, const mpz_t p0, const mpz_t q, const mpz_t p0q); #define _pkcs1_signature_prefix _nettle_pkcs1_signature_prefix uint8_t * _pkcs1_signature_prefix(unsigned key_size, uint8_t *buffer, unsigned id_size, const uint8_t *id, unsigned digest_size); #endif /* NETTLE_HOGWEED_INTERNAL_H_INCLUDED */ nettle-4.0/hogweed.pc.in0000644000000000000000000000111615141166424012154 0ustar00prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ # Uses Requires.private and Libs.private, under the assumption that # when using shared libraries, the ELF dependencies from libhogweed.so # to nettle and gmp work. Name: Hogweed Description: Nettle low-level cryptographic library (public-key algorithms) URL: http://www.lysator.liu.se/~nisse/nettle Version: @PACKAGE_VERSION@ Requires: @IF_NOT_SHARED@ nettle Requires.private: @IF_SHARED@ nettle Libs: -L${libdir} -lhogweed @IF_NOT_SHARED@ @LIBS@ Libs.private: @IF_SHARED@ @LIBS@ Cflags: -I${includedir} nettle-4.0/install-sh0000755000000000000000000003577615141166424011630 0ustar00#!/bin/sh # install - install a program, script, or datafile scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the # following copyright and license. # # Copyright (C) 1994 X Consortium # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to # deal in the Software without restriction, including without limitation the # rights to use, copy, modify, merge, publish, distribute, sublicense, and/or # sell copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN # AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- # TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. # # Except as contained in this notice, the name of the X Consortium shall not # be used in advertising or otherwise to promote the sale, use or other deal- # ings in this Software without prior written authorization from the X Consor- # tium. # # # FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # 'make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. tab=' ' nl=' ' IFS=" $tab$nl" # Set DOITPROG to "echo" to test this script. doit=${DOITPROG-} doit_exec=${doit:-exec} # Put in absolute file names if you don't have them in your path; # or use environment vars. chgrpprog=${CHGRPPROG-chgrp} chmodprog=${CHMODPROG-chmod} chownprog=${CHOWNPROG-chown} cmpprog=${CMPPROG-cmp} cpprog=${CPPROG-cp} mkdirprog=${MKDIRPROG-mkdir} mvprog=${MVPROG-mv} rmprog=${RMPROG-rm} stripprog=${STRIPPROG-strip} posix_mkdir= # Desired mode of installed file. mode=0755 # Create dirs (including intermediate dirs) using mode 755. # This is like GNU 'install' as of coreutils 8.32 (2020). mkdir_umask=22 backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= mvcmd=$mvprog rmcmd="$rmprog -f" stripcmd= src= dst= dir_arg= dst_arg= copy_on_change=false is_target_a_directory=possibly usage="\ Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE or: $0 [OPTION]... SRCFILES... DIRECTORY or: $0 [OPTION]... -t DIRECTORY SRCFILES... or: $0 [OPTION]... -d DIRECTORIES... In the 1st form, copy SRCFILE to DSTFILE. In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. In the 4th, create DIRECTORIES. Options: --help display this help and exit. --version display version info and exit. -c (ignored) -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. -p pass -p to $cpprog. -s $stripprog installed files. -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG By default, rm is invoked with -f; when overridden with RMPROG, it's up to you to specify -f if you want it. If -S is not specified, no backups are attempted. Email bug reports to bug-automake@gnu.org. Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do case $1 in -c) ;; -C) copy_on_change=true;; -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" shift;; --help) echo "$usage"; exit $?;; -m) mode=$2 case $mode in *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*) echo "$0: invalid mode: $mode" >&2 exit 1;; esac shift;; -o) chowncmd="$chownprog $2" shift;; -p) cpprog="$cpprog -p";; -s) stripcmd=$stripprog;; -S) backupsuffix="$2" shift;; -t) is_target_a_directory=always dst_arg=$2 # Protect names problematic for 'test' and other utilities. case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac shift;; -T) is_target_a_directory=never;; --version) echo "$0 $scriptversion"; exit $?;; --) shift break;; -*) echo "$0: invalid option: $1" >&2 exit 1;; *) break;; esac shift done # We allow the use of options -d and -T together, by making -d # take the precedence; this is for compatibility with GNU install. if test -n "$dir_arg"; then if test -n "$dst_arg"; then echo "$0: target directory not allowed when installing a directory." >&2 exit 1 fi fi if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. # Otherwise, the last argument is the destination. Remove it from $@. for arg do if test -n "$dst_arg"; then # $@ is not empty: it contains at least $arg. set fnord "$@" "$dst_arg" shift # fnord fi shift # arg dst_arg=$arg # Protect names problematic for 'test' and other utilities. case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac done fi if test $# -eq 0; then if test -z "$dir_arg"; then echo "$0: no input file specified." >&2 exit 1 fi # It's OK to call 'install-sh -d' without argument. # This can happen when creating conditional directories. exit 0 fi if test -z "$dir_arg"; then if test $# -gt 1 || test "$is_target_a_directory" = always; then if test ! -d "$dst_arg"; then echo "$0: $dst_arg: Is not a directory." >&2 exit 1 fi fi fi if test -z "$dir_arg"; then do_exit='(exit $ret); exit $ret' trap "ret=129; $do_exit" 1 trap "ret=130; $do_exit" 2 trap "ret=141; $do_exit" 13 trap "ret=143; $do_exit" 15 # Set umask so as not to create temps with too-generous modes. # However, 'strip' requires both read and write access to temps. case $mode in # Optimize common cases. *644) cp_umask=133;; *755) cp_umask=22;; *[0-7]) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac fi for src do # Protect names problematic for 'test' and other utilities. case $src in -* | [=\(\)!]) src=./$src;; esac if test -n "$dir_arg"; then dst=$src dstdir=$dst test -d "$dstdir" dstdir_status=$? # Don't chown directories that already exist. if test $dstdir_status = 0; then chowncmd="" fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if test ! -f "$src" && test ! -d "$src"; then echo "$0: $src does not exist." >&2 exit 1 fi if test -z "$dst_arg"; then echo "$0: no destination specified." >&2 exit 1 fi dst=$dst_arg # If destination is a directory, append the input filename. if test -d "$dst"; then if test "$is_target_a_directory" = never; then echo "$0: $dst_arg: Is a directory" >&2 exit 1 fi dstdir=$dst dstbase=`basename "$src"` case $dst in */) dst=$dst$dstbase;; *) dst=$dst/$dstbase;; esac dstdir_status=0 else dstdir=`dirname "$dst"` test -d "$dstdir" dstdir_status=$? fi fi case $dstdir in */) dstdirslash=$dstdir;; *) dstdirslash=$dstdir/;; esac obsolete_mkdir_used=false if test $dstdir_status != 0; then case $posix_mkdir in '') # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then mkdir_mode=-m$mode else mkdir_mode= fi posix_mkdir=false # The $RANDOM variable is not portable (e.g., dash). Use it # here however when possible just to lower collision chance. tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ trap ' ret=$? rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null exit $ret ' 0 # Because "mkdir -p" follows existing symlinks and we likely work # directly in world-writeable /tmp, make sure that the '$tmpdir' # directory is successfully created first before we actually test # 'mkdir -p'. if (umask $mkdir_umask && $mkdirprog $mkdir_mode "$tmpdir" && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # other-writable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. test_tmpdir="$tmpdir/a" ls_ld_tmpdir=`ls -ld "$test_tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null fi trap '' 0;; esac if $posix_mkdir && ( umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else # mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. case $dstdir in /*) prefix='/';; [-=\(\)!]*) prefix='./';; *) prefix='';; esac oIFS=$IFS IFS=/ set -f set fnord $dstdir shift set +f IFS=$oIFS prefixes= for d do test X"$d" = X && continue prefix=$prefix$d if test -d "$prefix"; then prefixes= else if $posix_mkdir; then (umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 else case $prefix in *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; *) qprefix=$prefix;; esac prefixes="$prefixes '$qprefix'" fi fi prefix=$prefix/ done if test -n "$prefixes"; then # Don't fail if two instances are running concurrently. (umask $mkdir_umask && eval "\$doit_exec \$mkdirprog $prefixes") || test -d "$dstdir" || exit 1 obsolete_mkdir_used=true fi fi fi if test -n "$dir_arg"; then { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 else # Make a couple of temp file names in the proper directory. dsttmp=${dstdirslash}_inst.$$_ rmtmp=${dstdirslash}_rm.$$_ # Trap to clean up those temp files at exit. trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. (umask $cp_umask && { test -z "$stripcmd" || { # Create $dsttmp read-write so that cp doesn't create it read-only, # which would cause strip to fail. if test -z "$doit"; then : >"$dsttmp" # No need to fork-exec 'touch'. else $doit touch "$dsttmp" fi } } && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $cpprog $src $dsttmp" command. # { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && # If -C, don't bother to copy if it wouldn't change the file. if $copy_on_change && old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && set -f && set X $old && old=:$2:$4:$5:$6 && set X $new && new=:$2:$4:$5:$6 && set +f && test "$old" = "$new" && $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 then rm -f "$dsttmp" else # If $backupsuffix is set, and the file being installed # already exists, attempt a backup. Don't worry if it fails, # e.g., if mv doesn't support -f. if test -n "$backupsuffix" && test -f "$dst"; then $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null fi # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || # The rename failed, perhaps because mv can't rename something else # to itself, or perhaps because mv is so ancient that it does not # support -f. { # Now remove or move aside any old file at destination location. # We try this two ways since rm can't unlink itself on some # systems and the destination file might be busy for other # reasons. In this case, the final cleanup might fail but the new # file should still install successfully. { test ! -f "$dst" || $doit $rmcmd "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && { $doit $rmcmd "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 } } && # Now rename the file to the real destination. $doit $mvcmd "$dsttmp" "$dst" } fi || exit 1 trap '' 0 fi done # Local variables: # eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: nettle-4.0/keymap.h0000644000000000000000000001427215141166424011247 0ustar00/* automagically made - do not fuss with this */ 0x02080008, 0x02082000, 0x00002008, 0x00000000, 0x02002000, 0x00080008, 0x02080000, 0x02082008, 0x00000008, 0x02000000, 0x00082000, 0x00002008, 0x00082008, 0x02002008, 0x02000008, 0x02080000, 0x00002000, 0x00082008, 0x00080008, 0x02002000, 0x02082008, 0x02000008, 0x00000000, 0x00082000, 0x02000000, 0x00080000, 0x02002008, 0x02080008, 0x00080000, 0x00002000, 0x02082000, 0x00000008, 0x00080000, 0x00002000, 0x02000008, 0x02082008, 0x00002008, 0x02000000, 0x00000000, 0x00082000, 0x02080008, 0x02002008, 0x02002000, 0x00080008, 0x02082000, 0x00000008, 0x00080008, 0x02002000, 0x02082008, 0x00080000, 0x02080000, 0x02000008, 0x00082000, 0x00002008, 0x02002008, 0x02080000, 0x00000008, 0x02082000, 0x00082008, 0x00000000, 0x02000000, 0x02080008, 0x00002000, 0x00082008, 0x08000004, 0x00020004, 0x00000000, 0x08020200, 0x00020004, 0x00000200, 0x08000204, 0x00020000, 0x00000204, 0x08020204, 0x00020200, 0x08000000, 0x08000200, 0x08000004, 0x08020000, 0x00020204, 0x00020000, 0x08000204, 0x08020004, 0x00000000, 0x00000200, 0x00000004, 0x08020200, 0x08020004, 0x08020204, 0x08020000, 0x08000000, 0x00000204, 0x00000004, 0x00020200, 0x00020204, 0x08000200, 0x00000204, 0x08000000, 0x08000200, 0x00020204, 0x08020200, 0x00020004, 0x00000000, 0x08000200, 0x08000000, 0x00000200, 0x08020004, 0x00020000, 0x00020004, 0x08020204, 0x00020200, 0x00000004, 0x08020204, 0x00020200, 0x00020000, 0x08000204, 0x08000004, 0x08020000, 0x00020204, 0x00000000, 0x00000200, 0x08000004, 0x08000204, 0x08020200, 0x08020000, 0x00000204, 0x00000004, 0x08020004, 0x80040100, 0x01000100, 0x80000000, 0x81040100, 0x00000000, 0x01040000, 0x81000100, 0x80040000, 0x01040100, 0x81000000, 0x01000000, 0x80000100, 0x81000000, 0x80040100, 0x00040000, 0x01000000, 0x81040000, 0x00040100, 0x00000100, 0x80000000, 0x00040100, 0x81000100, 0x01040000, 0x00000100, 0x80000100, 0x00000000, 0x80040000, 0x01040100, 0x01000100, 0x81040000, 0x81040100, 0x00040000, 0x81040000, 0x80000100, 0x00040000, 0x81000000, 0x00040100, 0x01000100, 0x80000000, 0x01040000, 0x81000100, 0x00000000, 0x00000100, 0x80040000, 0x00000000, 0x81040000, 0x01040100, 0x00000100, 0x01000000, 0x81040100, 0x80040100, 0x00040000, 0x81040100, 0x80000000, 0x01000100, 0x80040100, 0x80040000, 0x00040100, 0x01040000, 0x81000100, 0x80000100, 0x01000000, 0x81000000, 0x01040100, 0x04010801, 0x00000000, 0x00010800, 0x04010000, 0x04000001, 0x00000801, 0x04000800, 0x00010800, 0x00000800, 0x04010001, 0x00000001, 0x04000800, 0x00010001, 0x04010800, 0x04010000, 0x00000001, 0x00010000, 0x04000801, 0x04010001, 0x00000800, 0x00010801, 0x04000000, 0x00000000, 0x00010001, 0x04000801, 0x00010801, 0x04010800, 0x04000001, 0x04000000, 0x00010000, 0x00000801, 0x04010801, 0x00010001, 0x04010800, 0x04000800, 0x00010801, 0x04010801, 0x00010001, 0x04000001, 0x00000000, 0x04000000, 0x00000801, 0x00010000, 0x04010001, 0x00000800, 0x04000000, 0x00010801, 0x04000801, 0x04010800, 0x00000800, 0x00000000, 0x04000001, 0x00000001, 0x04010801, 0x00010800, 0x04010000, 0x04010001, 0x00010000, 0x00000801, 0x04000800, 0x04000801, 0x00000001, 0x04010000, 0x00010800, 0x00000400, 0x00000020, 0x00100020, 0x40100000, 0x40100420, 0x40000400, 0x00000420, 0x00000000, 0x00100000, 0x40100020, 0x40000020, 0x00100400, 0x40000000, 0x00100420, 0x00100400, 0x40000020, 0x40100020, 0x00000400, 0x40000400, 0x40100420, 0x00000000, 0x00100020, 0x40100000, 0x00000420, 0x40100400, 0x40000420, 0x00100420, 0x40000000, 0x40000420, 0x40100400, 0x00000020, 0x00100000, 0x40000420, 0x00100400, 0x40100400, 0x40000020, 0x00000400, 0x00000020, 0x00100000, 0x40100400, 0x40100020, 0x40000420, 0x00000420, 0x00000000, 0x00000020, 0x40100000, 0x40000000, 0x00100020, 0x00000000, 0x40100020, 0x00100020, 0x00000420, 0x40000020, 0x00000400, 0x40100420, 0x00100000, 0x00100420, 0x40000000, 0x40000400, 0x40100420, 0x40100000, 0x00100420, 0x00100400, 0x40000400, 0x00800000, 0x00001000, 0x00000040, 0x00801042, 0x00801002, 0x00800040, 0x00001042, 0x00801000, 0x00001000, 0x00000002, 0x00800002, 0x00001040, 0x00800042, 0x00801002, 0x00801040, 0x00000000, 0x00001040, 0x00800000, 0x00001002, 0x00000042, 0x00800040, 0x00001042, 0x00000000, 0x00800002, 0x00000002, 0x00800042, 0x00801042, 0x00001002, 0x00801000, 0x00000040, 0x00000042, 0x00801040, 0x00801040, 0x00800042, 0x00001002, 0x00801000, 0x00001000, 0x00000002, 0x00800002, 0x00800040, 0x00800000, 0x00001040, 0x00801042, 0x00000000, 0x00001042, 0x00800000, 0x00000040, 0x00001002, 0x00800042, 0x00000040, 0x00000000, 0x00801042, 0x00801002, 0x00801040, 0x00000042, 0x00001000, 0x00001040, 0x00801002, 0x00800040, 0x00000042, 0x00000002, 0x00001042, 0x00801000, 0x00800002, 0x10400000, 0x00404010, 0x00000010, 0x10400010, 0x10004000, 0x00400000, 0x10400010, 0x00004010, 0x00400010, 0x00004000, 0x00404000, 0x10000000, 0x10404010, 0x10000010, 0x10000000, 0x10404000, 0x00000000, 0x10004000, 0x00404010, 0x00000010, 0x10000010, 0x10404010, 0x00004000, 0x10400000, 0x10404000, 0x00400010, 0x10004010, 0x00404000, 0x00004010, 0x00000000, 0x00400000, 0x10004010, 0x00404010, 0x00000010, 0x10000000, 0x00004000, 0x10000010, 0x10004000, 0x00404000, 0x10400010, 0x00000000, 0x00404010, 0x00004010, 0x10404000, 0x10004000, 0x00400000, 0x10404010, 0x10000000, 0x10004010, 0x10400000, 0x00400000, 0x10404010, 0x00004000, 0x00400010, 0x10400010, 0x00004010, 0x00400010, 0x00000000, 0x10404000, 0x10000010, 0x10400000, 0x10004010, 0x00000010, 0x00404000, 0x00208080, 0x00008000, 0x20200000, 0x20208080, 0x00200000, 0x20008080, 0x20008000, 0x20200000, 0x20008080, 0x00208080, 0x00208000, 0x20000080, 0x20200080, 0x00200000, 0x00000000, 0x20008000, 0x00008000, 0x20000000, 0x00200080, 0x00008080, 0x20208080, 0x00208000, 0x20000080, 0x00200080, 0x20000000, 0x00000080, 0x00008080, 0x20208000, 0x00000080, 0x20200080, 0x20208000, 0x00000000, 0x00000000, 0x20208080, 0x00200080, 0x20008000, 0x00208080, 0x00008000, 0x20000080, 0x00200080, 0x20208000, 0x00000080, 0x00008080, 0x20200000, 0x20008080, 0x20000000, 0x20200000, 0x00208000, 0x20208080, 0x00008080, 0x00208000, 0x20200080, 0x00200000, 0x20000080, 0x20008000, 0x00000000, 0x00008000, 0x00200000, 0x20200080, 0x00208080, 0x20000000, 0x20208000, 0x00000080, 0x20008080, nettle-4.0/knuth-lfib.c0000644000000000000000000001001315141166424012004 0ustar00/* knuth-lfib.c The "lagged fibonacci" pseudorandomness generator, described in Knuth, TAoCP, 3.6 Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file includes code copied verbatim from Knuth's TAoCP. Technically, doing that probably requires asking for the author's explicit permission. I'd expect such a request to be granted, but I haven't asked, because I don't want to distract him from more important and interesting work. */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but * random-looking test data, and is used by the Nettle testsuite. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "knuth-lfib.h" #include "macros.h" #define KK _KNUTH_LFIB_KK #define LL 37 #define MM (1UL << 30) #define TT 70 void knuth_lfib_init(struct knuth_lfib_ctx *ctx, uint32_t seed) { uint32_t t,j; uint32_t x[2*KK - 1]; uint32_t ss = (seed + 2) & (MM-2); for (j = 0; j= MM) ss -= (MM-2); } for (;j< 2*KK-1; j++) x[j] = 0; x[1]++; ss = seed & (MM-1); for (t = TT-1; t; ) { for (j = KK-1; j>0; j--) x[j+j] = x[j]; for (j = 2*KK-2; j > KK-LL; j-= 2) x[2*KK-1-j] = x[j] & ~1; for (j = 2*KK-2; j>=KK; j--) if (x[j] & 1) { x[j-(KK-LL)] = (x[j - (KK-LL)] - x[j]) & (MM-1); x[j-KK] = (x[j-KK] - x[j]) & (MM-1); } if (ss & 1) { for (j=KK; j>0; j--) x[j] = x[j-1]; x[0] = x[KK]; if (x[KK] & 1) x[LL] = (x[LL] - x[KK]) & (MM-1); } if (ss) ss >>= 1; else t--; } for (j=0; jx[j+KK-LL] = x[j]; for (; jx[j-LL] = x[j]; ctx->index = 0; } /* Get's a single number in the range 0 ... 2^30-1 */ uint32_t knuth_lfib_get(struct knuth_lfib_ctx *ctx) { uint32_t value; assert(ctx->index < KK); value = ctx->x[ctx->index]; ctx->x[ctx->index] -= ctx->x[(ctx->index + KK - LL) % KK]; ctx->x[ctx->index] &= (MM-1); ctx->index = (ctx->index + 1) % KK; return value; } /* NOTE: Not at all optimized. */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, size_t n, uint32_t *a) { unsigned i; for (i = 0; i= 3; n-=3, dst += 3) { uint32_t value = knuth_lfib_get(ctx); /* Xor the most significant octet (containing 6 significant bits) * into the lower octet. */ value ^= (value >> 24); WRITE_UINT24(dst, value); } if (n) { /* We need one or two octets more */ uint32_t value = knuth_lfib_get(ctx); switch (n) { case 1: *dst++ = value & 0xff; break; case 2: WRITE_UINT16(dst, value); break; default: abort(); } } } nettle-4.0/knuth-lfib.h0000644000000000000000000000424615141166424012024 0ustar00/* knuth-lfib.h The "lagged fibonacci" pseudorandomness generator, described in Knuth, TAoCP, 3.6 This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but * random-looking test data, and is used by the Nettle testsuite. */ #ifndef NETTLE_KNUTH_LFIB_H_INCLUDED #define NETTLE_KNUTH_LFIB_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define knuth_lfib_init nettle_knuth_lfib_init #define knuth_lfib_get nettle_knuth_lfib_get #define knuth_lfib_get_array nettle_knuth_lfib_get_array #define knuth_lfib_random nettle_knuth_lfib_random #define _KNUTH_LFIB_KK 100 struct knuth_lfib_ctx { uint32_t x[_KNUTH_LFIB_KK]; unsigned index; }; void knuth_lfib_init(struct knuth_lfib_ctx *ctx, uint32_t seed); /* Get's a single number in the range 0 ... 2^30-1 */ uint32_t knuth_lfib_get(struct knuth_lfib_ctx *ctx); /* Get an array of numbers */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, size_t n, uint32_t *a); /* Get an array of octets. */ void knuth_lfib_random(struct knuth_lfib_ctx *ctx, size_t n, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_KNUTH_LFIB_H_INCLUDED */ nettle-4.0/lib/0000755000000000000000000000000015141166424010350 5ustar00nettle-4.0/lib/getopt-core.h0000644000000000000000000000713215141166424012754 0ustar00/* Declarations for getopt (basic, portable features only). Copyright (C) 1989-2025 Free Software Foundation, Inc. This file is part of the GNU C Library and is also part of gnulib. Patches to this file should be submitted to both projects. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _GETOPT_CORE_H #define _GETOPT_CORE_H 1 /* This header should not be used directly; include getopt.h or unistd.h instead. Unlike most bits headers, it does not have a protective #error, because the guard macro for getopt.h in gnulib is not fixed. */ __BEGIN_DECLS /* For communication from 'getopt' to the caller. When 'getopt' finds an option that takes an argument, the argument value is returned here. Also, when 'ordering' is RETURN_IN_ORDER, each non-option ARGV-element is returned here. */ extern char *optarg; /* Index in ARGV of the next element to be scanned. This is used for communication to and from the caller and for communication between successive calls to 'getopt'. On entry to 'getopt', zero means this is the first call; initialize. When 'getopt' returns -1, this is the index of the first of the non-option elements that the caller should itself scan. Otherwise, 'optind' communicates from one call to the next how much of ARGV has been scanned so far. */ extern int optind; /* Callers store zero here to inhibit the error message 'getopt' prints for unrecognized options. */ extern int opterr; /* Set to an option character which was unrecognized. */ extern int optopt; /* Get definitions and prototypes for functions to process the arguments in ARGV (ARGC of them, minus the program name) for options given in OPTS. Return the option character from OPTS just read. Return -1 when there are no more options. For unrecognized options, or options missing arguments, 'optopt' is set to the option letter, and '?' is returned. The OPTS string is a list of characters which are recognized option letters, optionally followed by colons, specifying that that letter takes an argument, to be placed in 'optarg'. If a letter in OPTS is followed by two colons, its argument is optional. This behavior is specific to the GNU 'getopt'. The argument '--' causes premature termination of argument scanning, explicitly telling 'getopt' that there are no more options. If OPTS begins with '-', then non-option arguments are treated as arguments to the option '\1'. This behavior is specific to the GNU 'getopt'. If OPTS begins with '+', or POSIXLY_CORRECT is set in the environment, then do not permute arguments. For standards compliance, the 'argv' argument has the type char *const *, but this is inaccurate; if argument permutation is enabled, the argv array (not the strings it points to) must be writable. */ extern int getopt (int ___argc, char *const *___argv, const char *__shortopts) __THROW _GL_ARG_NONNULL ((2, 3)); __END_DECLS #endif /* _GETOPT_CORE_H */ nettle-4.0/lib/getopt-ext.h0000644000000000000000000000575315141166424012633 0ustar00/* Declarations for getopt (GNU extensions). Copyright (C) 1989-2025 Free Software Foundation, Inc. This file is part of the GNU C Library and is also part of gnulib. Patches to this file should be submitted to both projects. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _GETOPT_EXT_H #define _GETOPT_EXT_H 1 /* This header should not be used directly; include getopt.h instead. Unlike most bits headers, it does not have a protective #error, because the guard macro for getopt.h in gnulib is not fixed. */ __BEGIN_DECLS /* Describe the long-named options requested by the application. The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector of 'struct option' terminated by an element containing a name which is zero. The field 'has_arg' is: no_argument (or 0) if the option does not take an argument, required_argument (or 1) if the option requires an argument, optional_argument (or 2) if the option takes an optional argument. If the field 'flag' is not NULL, it points to a variable that is set to the value given in the field 'val' when the option is found, but left unchanged if the option is not found. To have a long-named option do something other than set an 'int' to a compiled-in constant, such as set a value from 'optarg', set the option's 'flag' field to zero and its 'val' field to a nonzero value (the equivalent single-letter option character, if there is one). For long options that have a zero 'flag' field, 'getopt' returns the contents of the 'val' field. */ struct option { const char *name; /* has_arg can't be an enum because some compilers complain about type mismatches in all the code that assumes it is an int. */ int has_arg; int *flag; int val; }; /* Names for the values of the 'has_arg' field of 'struct option'. */ #define no_argument 0 #define required_argument 1 #define optional_argument 2 extern int getopt_long (int ___argc, char *__getopt_argv_const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind) __THROW _GL_ARG_NONNULL ((2, 3)); extern int getopt_long_only (int ___argc, char *__getopt_argv_const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind) __THROW _GL_ARG_NONNULL ((2, 3)); __END_DECLS #endif /* _GETOPT_EXT_H */ nettle-4.0/lib/getopt.c0000644000000000000000000005750615141166424012033 0ustar00/* Getopt for GNU. Copyright (C) 1987-2025 Free Software Foundation, Inc. This file is part of the GNU C Library and is also part of gnulib. Patches to this file should be submitted to both projects. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _LIBC # include #endif #include #include #include #include #include #ifdef _LIBC /* When used as part of glibc, error printing must be done differently for standards compliance. getopt is not a cancellation point, so it must not call functions that are, and it is specified by an older standard than stdio locking, so it must not refer to functions in the "user namespace" related to stdio locking. Finally, it must use glibc's internal message translation so that the messages are looked up in the proper text domain. */ # include # define fprintf __fxprintf_nocancel # define flockfile(fp) _IO_flockfile (fp) # define funlockfile(fp) _IO_funlockfile (fp) #else # ifndef _ # include "gettext.h" # define _(msgid) dgettext (GNULIB_TEXT_DOMAIN, msgid) # endif /* When used standalone, flockfile and funlockfile might not be available. */ # if (!defined _POSIX_THREAD_SAFE_FUNCTIONS \ || (defined _WIN32 && ! defined __CYGWIN__)) # define flockfile(fp) /* nop */ # define funlockfile(fp) /* nop */ # endif /* When used standalone, do not attempt to use alloca. */ # define __libc_use_alloca(size) 0 # undef alloca # define alloca(size) (abort (), (void *)0) #endif /* This implementation of 'getopt' has three modes for handling options interspersed with non-option arguments. It can stop scanning for options at the first non-option argument encountered, as POSIX specifies. It can continue scanning for options after the first non-option argument, but permute 'argv' as it goes so that, after 'getopt' is done, all the options precede all the non-option arguments and 'optind' points to the first non-option argument. Or, it can report non-option arguments as if they were arguments to the option character '\x01'. The default behavior of 'getopt_long' is to permute the argument list. When this implementation is used standalone, the default behavior of 'getopt' is to stop at the first non-option argument, but when it is used as part of GNU libc it also permutes the argument list. In both cases, setting the environment variable POSIXLY_CORRECT to any value disables permutation. If the first character of the OPTSTRING argument to 'getopt' or 'getopt_long' is '+', both functions will stop at the first non-option argument. If it is '-', both functions will report non-option arguments as arguments to the option character '\x01'. */ #include "getopt_int.h" /* For communication from 'getopt' to the caller. When 'getopt' finds an option that takes an argument, the argument value is returned here. Also, when 'ordering' is RETURN_IN_ORDER, each non-option ARGV-element is returned here. */ char *optarg; /* Index in ARGV of the next element to be scanned. This is used for communication to and from the caller and for communication between successive calls to 'getopt'. On entry to 'getopt', zero means this is the first call; initialize. When 'getopt' returns -1, this is the index of the first of the non-option elements that the caller should itself scan. Otherwise, 'optind' communicates from one call to the next how much of ARGV has been scanned so far. */ /* 1003.2 says this must be 1 before any call. */ int optind = 1; /* Callers store zero here to inhibit the error message for unrecognized options. */ int opterr = 1; /* Set to an option character which was unrecognized. This must be initialized on some systems to avoid linking in the system's own getopt implementation. */ int optopt = '?'; /* Keep a global copy of all internal members of getopt_data. */ static struct _getopt_data getopt_data; /* Exchange two adjacent subsequences of ARGV. One subsequence is elements [first_nonopt,last_nonopt) which contains all the non-options that have been skipped so far. The other is elements [last_nonopt,optind), which contains all the options processed since those non-options were skipped. 'first_nonopt' and 'last_nonopt' are relocated so that they describe the new indices of the non-options in ARGV after they are moved. */ static void exchange (char **argv, struct _getopt_data *d) { int bottom = d->__first_nonopt; int middle = d->__last_nonopt; int top = d->optind; char *tem; /* Exchange the shorter segment with the far end of the longer segment. That puts the shorter segment into the right place. It leaves the longer segment in the right place overall, but it consists of two parts that need to be swapped next. */ while (top > middle && middle > bottom) { if (top - middle > middle - bottom) { /* Bottom segment is the short one. */ int len = middle - bottom; int i; /* Swap it with the top part of the top segment. */ for (i = 0; i < len; i++) { tem = argv[bottom + i]; argv[bottom + i] = argv[top - (middle - bottom) + i]; argv[top - (middle - bottom) + i] = tem; } /* Exclude the moved bottom segment from further swapping. */ top -= len; } else { /* Top segment is the short one. */ int len = top - middle; int i; /* Swap it with the bottom part of the bottom segment. */ for (i = 0; i < len; i++) { tem = argv[bottom + i]; argv[bottom + i] = argv[middle + i]; argv[middle + i] = tem; } /* Exclude the moved top segment from further swapping. */ bottom += len; } } /* Update records for the slots the non-options now occupy. */ d->__first_nonopt += (d->optind - d->__last_nonopt); d->__last_nonopt = d->optind; } /* Process the argument starting with d->__nextchar as a long option. d->optind should *not* have been advanced over this argument. If the value returned is -1, it was not actually a long option, the state is unchanged, and the argument should be processed as a set of short options (this can only happen when long_only is true). Otherwise, the option (and its argument, if any) have been consumed and the return value is the value to return from _getopt_internal_r. */ static int process_long_option (int argc, char **argv, const char *optstring, const struct option *longopts, int *longind, int long_only, struct _getopt_data *d, int print_errors, const char *prefix) { char *nameend; size_t namelen; const struct option *p; const struct option *pfound = NULL; int n_options; int option_index; for (nameend = d->__nextchar; *nameend && *nameend != '='; nameend++) /* Do nothing. */ ; namelen = nameend - d->__nextchar; /* First look for an exact match, counting the options as a side effect. */ for (p = longopts, n_options = 0; p->name; p++, n_options++) if (!strncmp (p->name, d->__nextchar, namelen) && namelen == strlen (p->name)) { /* Exact match found. */ pfound = p; option_index = n_options; break; } if (pfound == NULL) { /* Didn't find an exact match, so look for abbreviations. */ unsigned char *ambig_set = NULL; /* Use simpler fallback diagnostic if ambig_set == &ambig_fallback. */ unsigned char ambig_fallback; void *ambig_malloced = NULL; int indfound = -1; for (p = longopts, option_index = 0; p->name; p++, option_index++) if (!strncmp (p->name, d->__nextchar, namelen)) { if (pfound == NULL) { /* First nonexact match found. */ pfound = p; indfound = option_index; } else if (long_only || pfound->has_arg != p->has_arg || pfound->flag != p->flag || pfound->val != p->val) { /* Second or later nonexact match found. */ if (ambig_set != &ambig_fallback) { if (!print_errors) /* Don't waste effort tracking the ambig set if we're not going to print it anyway. */ ambig_set = &ambig_fallback; else if (!ambig_set) { if (__libc_use_alloca (n_options)) ambig_set = alloca (n_options); else { ambig_malloced = malloc (n_options); /* Fall back to simpler diagnostic if memory allocation fails. */ ambig_set = (ambig_malloced ? ambig_malloced : &ambig_fallback); } if (ambig_set != &ambig_fallback) { memset (ambig_set, 0, n_options); ambig_set[indfound] = 1; } } if (ambig_set && ambig_set != &ambig_fallback) ambig_set[option_index] = 1; } } } if (ambig_set) { if (print_errors) { if (ambig_set == &ambig_fallback) fprintf (stderr, _("%s: option '%s%s' is ambiguous\n"), argv[0], prefix, d->__nextchar); else { flockfile (stderr); fprintf (stderr, _("%s: option '%s%s' is ambiguous; possibilities:"), argv[0], prefix, d->__nextchar); for (option_index = 0; option_index < n_options; option_index++) if (ambig_set[option_index]) fprintf (stderr, " '%s%s'", prefix, longopts[option_index].name); /* This must use 'fprintf' even though it's only printing a single character, so that it goes through __fxprintf_nocancel when compiled as part of glibc. */ fprintf (stderr, "\n"); funlockfile (stderr); } } free (ambig_malloced); d->__nextchar += strlen (d->__nextchar); d->optind++; d->optopt = 0; return '?'; } option_index = indfound; } if (pfound == NULL) { /* Can't find it as a long option. If this is not getopt_long_only, or the option starts with '--' or is not a valid short option, then it's an error. */ if (!long_only || argv[d->optind][1] == '-' || strchr (optstring, *d->__nextchar) == NULL) { if (print_errors) fprintf (stderr, _("%s: unrecognized option '%s%s'\n"), argv[0], prefix, d->__nextchar); d->__nextchar = NULL; d->optind++; d->optopt = 0; return '?'; } /* Otherwise interpret it as a short option. */ return -1; } /* We have found a matching long option. Consume it. */ d->optind++; d->__nextchar = NULL; if (*nameend) { /* Don't test has_arg with >, because some C compilers don't allow it to be used on enums. */ if (pfound->has_arg) d->optarg = nameend + 1; else { if (print_errors) fprintf (stderr, _("%s: option '%s%s' doesn't allow an argument\n"), argv[0], prefix, pfound->name); d->optopt = pfound->val; return '?'; } } else if (pfound->has_arg == 1) { if (d->optind < argc) d->optarg = argv[d->optind++]; else { if (print_errors) fprintf (stderr, _("%s: option '%s%s' requires an argument\n"), argv[0], prefix, pfound->name); d->optopt = pfound->val; return optstring[0] == ':' ? ':' : '?'; } } if (longind != NULL) *longind = option_index; if (pfound->flag) { *(pfound->flag) = pfound->val; return 0; } return pfound->val; } /* Initialize internal data upon the first call to getopt. */ static const char * _getopt_initialize (_GL_UNUSED int argc, _GL_UNUSED char **argv, const char *optstring, struct _getopt_data *d, int posixly_correct) { /* Start processing options with ARGV-element 1 (since ARGV-element 0 is the program name); the sequence of previously skipped non-option ARGV-elements is empty. */ if (d->optind == 0) d->optind = 1; d->__first_nonopt = d->__last_nonopt = d->optind; d->__nextchar = NULL; /* Determine how to handle the ordering of options and nonoptions. */ if (optstring[0] == '-') { d->__ordering = RETURN_IN_ORDER; ++optstring; } else if (optstring[0] == '+') { d->__ordering = REQUIRE_ORDER; ++optstring; } else if (posixly_correct || !!getenv ("POSIXLY_CORRECT")) d->__ordering = REQUIRE_ORDER; else d->__ordering = PERMUTE; d->__initialized = 1; return optstring; } /* Scan elements of ARGV (whose length is ARGC) for option characters given in OPTSTRING. If an element of ARGV starts with '-', and is not exactly "-" or "--", then it is an option element. The characters of this element (aside from the initial '-') are option characters. If 'getopt' is called repeatedly, it returns successively each of the option characters from each of the option elements. If 'getopt' finds another option character, it returns that character, updating 'optind' and 'nextchar' so that the next call to 'getopt' can resume the scan with the following option character or ARGV-element. If there are no more option characters, 'getopt' returns -1. Then 'optind' is the index in ARGV of the first ARGV-element that is not an option. (The ARGV-elements have been permuted so that those that are not options now come last.) OPTSTRING is a string containing the legitimate option characters. If an option character is seen that is not listed in OPTSTRING, return '?' after printing an error message. If you set 'opterr' to zero, the error message is suppressed but we still return '?'. If a char in OPTSTRING is followed by a colon, that means it wants an arg, so the following text in the same ARGV-element, or the text of the following ARGV-element, is returned in 'optarg'. Two colons mean an option that wants an optional arg; if there is text in the current ARGV-element, it is returned in 'optarg', otherwise 'optarg' is set to zero. If OPTSTRING starts with '-' or '+', it requests different methods of handling the non-option ARGV-elements. See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above. Long-named options begin with '--' instead of '-'. Their names may be abbreviated as long as the abbreviation is unique or is an exact match for some defined option. If they have an argument, it follows the option name in the same ARGV-element, separated from the option name by a '=', or else the in next ARGV-element. When 'getopt' finds a long-named option, it returns 0 if that option's 'flag' field is nonzero, the value of the option's 'val' field if the 'flag' field is zero. The elements of ARGV aren't really const, because we permute them. But we pretend they're const in the prototype to be compatible with other systems. LONGOPTS is a vector of 'struct option' terminated by an element containing a name which is zero. LONGIND returns the index in LONGOPT of the long-named option found. It is only valid when a long-named option has been found by the most recent call. If LONG_ONLY is nonzero, '-' as well as '--' can introduce long-named options. */ int _getopt_internal_r (int argc, char **argv, const char *optstring, const struct option *longopts, int *longind, int long_only, struct _getopt_data *d, int posixly_correct) { int print_errors = d->opterr; if (argc < 1) return -1; d->optarg = NULL; if (d->optind == 0 || !d->__initialized) optstring = _getopt_initialize (argc, argv, optstring, d, posixly_correct); else if (optstring[0] == '-' || optstring[0] == '+') optstring++; if (optstring[0] == ':') print_errors = 0; /* Test whether ARGV[optind] points to a non-option argument. */ #define NONOPTION_P (argv[d->optind][0] != '-' || argv[d->optind][1] == '\0') if (d->__nextchar == NULL || *d->__nextchar == '\0') { /* Advance to the next ARGV-element. */ /* Give FIRST_NONOPT & LAST_NONOPT rational values if OPTIND has been moved back by the user (who may also have changed the arguments). */ if (d->__last_nonopt > d->optind) d->__last_nonopt = d->optind; if (d->__first_nonopt > d->optind) d->__first_nonopt = d->optind; if (d->__ordering == PERMUTE) { /* If we have just processed some options following some non-options, exchange them so that the options come first. */ if (d->__first_nonopt != d->__last_nonopt && d->__last_nonopt != d->optind) exchange (argv, d); else if (d->__last_nonopt != d->optind) d->__first_nonopt = d->optind; /* Skip any additional non-options and extend the range of non-options previously skipped. */ while (d->optind < argc && NONOPTION_P) d->optind++; d->__last_nonopt = d->optind; } /* The special ARGV-element '--' means premature end of options. Skip it like a null option, then exchange with previous non-options as if it were an option, then skip everything else like a non-option. */ if (d->optind != argc && !strcmp (argv[d->optind], "--")) { d->optind++; if (d->__first_nonopt != d->__last_nonopt && d->__last_nonopt != d->optind) exchange (argv, d); else if (d->__first_nonopt == d->__last_nonopt) d->__first_nonopt = d->optind; d->__last_nonopt = argc; d->optind = argc; } /* If we have done all the ARGV-elements, stop the scan and back over any non-options that we skipped and permuted. */ if (d->optind == argc) { /* Set the next-arg-index to point at the non-options that we previously skipped, so the caller will digest them. */ if (d->__first_nonopt != d->__last_nonopt) d->optind = d->__first_nonopt; return -1; } /* If we have come to a non-option and did not permute it, either stop the scan or describe it to the caller and pass it by. */ if (NONOPTION_P) { if (d->__ordering == REQUIRE_ORDER) return -1; d->optarg = argv[d->optind++]; return 1; } /* We have found another option-ARGV-element. Check whether it might be a long option. */ if (longopts) { if (argv[d->optind][1] == '-') { /* "--foo" is always a long option. The special option "--" was handled above. */ d->__nextchar = argv[d->optind] + 2; return process_long_option (argc, argv, optstring, longopts, longind, long_only, d, print_errors, "--"); } /* If long_only and the ARGV-element has the form "-f", where f is a valid short option, don't consider it an abbreviated form of a long option that starts with f. Otherwise there would be no way to give the -f short option. On the other hand, if there's a long option "fubar" and the ARGV-element is "-fu", do consider that an abbreviation of the long option, just like "--fu", and not "-f" with arg "u". This distinction seems to be the most useful approach. */ if (long_only && (argv[d->optind][2] || !strchr (optstring, argv[d->optind][1]))) { int code; d->__nextchar = argv[d->optind] + 1; code = process_long_option (argc, argv, optstring, longopts, longind, long_only, d, print_errors, "-"); if (code != -1) return code; } } /* It is not a long option. Skip the initial punctuation. */ d->__nextchar = argv[d->optind] + 1; } /* Look at and handle the next short option-character. */ { char c = *d->__nextchar++; const char *temp = strchr (optstring, c); /* Increment 'optind' when we start to process its last character. */ if (*d->__nextchar == '\0') ++d->optind; if (temp == NULL || c == ':' || c == ';') { if (print_errors) fprintf (stderr, _("%s: invalid option -- '%c'\n"), argv[0], c); d->optopt = c; return '?'; } /* Convenience. Treat POSIX -W foo same as long option --foo */ if (temp[0] == 'W' && temp[1] == ';' && longopts != NULL) { /* This is an option that requires an argument. */ if (*d->__nextchar != '\0') d->optarg = d->__nextchar; else if (d->optind == argc) { if (print_errors) fprintf (stderr, _("%s: option requires an argument -- '%c'\n"), argv[0], c); d->optopt = c; if (optstring[0] == ':') c = ':'; else c = '?'; return c; } else d->optarg = argv[d->optind]; d->__nextchar = d->optarg; d->optarg = NULL; return process_long_option (argc, argv, optstring, longopts, longind, 0 /* long_only */, d, print_errors, "-W "); } if (temp[1] == ':') { if (temp[2] == ':') { /* This is an option that accepts an argument optionally. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; d->optind++; } else d->optarg = NULL; d->__nextchar = NULL; } else { /* This is an option that requires an argument. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; /* If we end this ARGV-element by taking the rest as an arg, we must advance to the next element now. */ d->optind++; } else if (d->optind == argc) { if (print_errors) fprintf (stderr, _("%s: option requires an argument -- '%c'\n"), argv[0], c); d->optopt = c; if (optstring[0] == ':') c = ':'; else c = '?'; } else /* We already incremented 'optind' once; increment it again when taking next ARGV-elt as argument. */ d->optarg = argv[d->optind++]; d->__nextchar = NULL; } } return c; } } int _getopt_internal (int argc, char **argv, const char *optstring, const struct option *longopts, int *longind, int long_only, int posixly_correct) { int result; getopt_data.optind = optind; getopt_data.opterr = opterr; result = _getopt_internal_r (argc, argv, optstring, longopts, longind, long_only, &getopt_data, posixly_correct); optind = getopt_data.optind; optarg = getopt_data.optarg; optopt = getopt_data.optopt; return result; } /* glibc gets a LSB-compliant getopt and a POSIX-compliant __posix_getopt. Standalone applications just get a POSIX-compliant getopt. POSIX and LSB both require these functions to take 'char *const *argv' even though this is incorrect (because of the permutation). */ #define GETOPT_ENTRY(NAME, POSIXLY_CORRECT) \ int \ NAME (int argc, char *const *argv, const char *optstring) \ { \ return _getopt_internal (argc, (char **)argv, optstring, \ NULL, NULL, 0, POSIXLY_CORRECT); \ } #ifdef _LIBC GETOPT_ENTRY(getopt, 0) GETOPT_ENTRY(__posix_getopt, 1) #else GETOPT_ENTRY(getopt, 1) #endif #ifdef TEST /* Compile with -DTEST to make an executable for use in testing the above definition of 'getopt'. */ int main (int argc, char **argv) { int c; int digit_optind = 0; while (1) { int this_option_optind = optind ? optind : 1; c = getopt (argc, argv, "abc:d:0123456789"); if (c == -1) break; switch (c) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': if (digit_optind != 0 && digit_optind != this_option_optind) printf ("digits occur in two different argv-elements.\n"); digit_optind = this_option_optind; printf ("option %c\n", c); break; case 'a': printf ("option a\n"); break; case 'b': printf ("option b\n"); break; case 'c': printf ("option c with value '%s'\n", optarg); break; case '?': break; default: printf ("?? getopt returned character code 0%o ??\n", c); } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } exit (0); } #endif /* TEST */ nettle-4.0/lib/getopt1.c0000644000000000000000000000736015141166424012105 0ustar00/* getopt_long and getopt_long_only entry points for GNU getopt. Copyright (C) 1987-2025 Free Software Foundation, Inc. This file is part of the GNU C Library and is also part of gnulib. Patches to this file should be submitted to both projects. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _LIBC # include #endif #include #include "getopt_int.h" int getopt_long (int argc, char *__getopt_argv_const *argv, const char *options, const struct option *long_options, int *opt_index) { return _getopt_internal (argc, (char **) argv, options, long_options, opt_index, 0, 0); } int _getopt_long_r (int argc, char **argv, const char *options, const struct option *long_options, int *opt_index, struct _getopt_data *d) { return _getopt_internal_r (argc, argv, options, long_options, opt_index, 0, d, 0); } /* Like getopt_long, but '-' as well as '--' can indicate a long option. If an option that starts with '-' (not '--') doesn't match a long option, but does match a short option, it is parsed as a short option instead. */ int getopt_long_only (int argc, char *__getopt_argv_const *argv, const char *options, const struct option *long_options, int *opt_index) { return _getopt_internal (argc, (char **) argv, options, long_options, opt_index, 1, 0); } int _getopt_long_only_r (int argc, char **argv, const char *options, const struct option *long_options, int *opt_index, struct _getopt_data *d) { return _getopt_internal_r (argc, argv, options, long_options, opt_index, 1, d, 0); } #ifdef TEST #include #include int main (int argc, char **argv) { int c; int digit_optind = 0; while (1) { int this_option_optind = optind ? optind : 1; int option_index = 0; static const struct option long_options[] = { {"add", 1, 0, 0}, {"append", 0, 0, 0}, {"delete", 1, 0, 0}, {"verbose", 0, 0, 0}, {"create", 0, 0, 0}, {"file", 1, 0, 0}, {0, 0, 0, 0} }; c = getopt_long (argc, argv, "abc:d:0123456789", long_options, &option_index); if (c == -1) break; switch (c) { case 0: printf ("option %s", long_options[option_index].name); if (optarg) printf (" with arg %s", optarg); printf ("\n"); break; case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': if (digit_optind != 0 && digit_optind != this_option_optind) printf ("digits occur in two different argv-elements.\n"); digit_optind = this_option_optind; printf ("option %c\n", c); break; case 'a': printf ("option a\n"); break; case 'b': printf ("option b\n"); break; case 'c': printf ("option c with value '%s'\n", optarg); break; case 'd': printf ("option d with value '%s'\n", optarg); break; case '?': break; default: printf ("?? getopt returned character code 0%o ??\n", c); } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } exit (0); } #endif /* TEST */ nettle-4.0/lib/getopt_int.h0000644000000000000000000001011215141166424012670 0ustar00/* Internal declarations for getopt. Copyright (C) 1989-2025 Free Software Foundation, Inc. This file is part of the GNU C Library and is also part of gnulib. Patches to this file should be submitted to both projects. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _GETOPT_INT_H #define _GETOPT_INT_H 1 #include extern int _getopt_internal (int ___argc, char **___argv, const char *__shortopts, const struct option *__longopts, int *__longind, int __long_only, int __posixly_correct); /* Reentrant versions which can handle parsing multiple argument vectors at the same time. */ /* Describe how to deal with options that follow non-option ARGV-elements. REQUIRE_ORDER means don't recognize them as options; stop option processing when the first non-option is seen. This is what POSIX specifies should happen. PERMUTE means permute the contents of ARGV as we scan, so that eventually all the non-options are at the end. This allows options to be given in any order, even with programs that were not written to expect this. RETURN_IN_ORDER is an option available to programs that were written to expect options and other ARGV-elements in any order and that care about the ordering of the two. We describe each non-option ARGV-element as if it were the argument of an option with character code 1. The special argument '--' forces an end of option-scanning regardless of the value of 'ordering'. In the case of RETURN_IN_ORDER, only '--' can cause 'getopt' to return -1 with 'optind' != ARGC. */ enum __ord { REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER }; /* Data type for reentrant functions. */ struct _getopt_data { /* These have exactly the same meaning as the corresponding global variables, except that they are used for the reentrant versions of getopt. */ int optind; int opterr; int optopt; char *optarg; /* Internal members. */ /* True if the internal members have been initialized. */ int __initialized; /* The next char to be scanned in the option-element in which the last option character we returned was found. This allows us to pick up the scan where we left off. If this is zero, or a null string, it means resume the scan by advancing to the next ARGV-element. */ char *__nextchar; /* See __ord above. */ enum __ord __ordering; /* Handle permutation of arguments. */ /* Describe the part of ARGV that contains non-options that have been skipped. 'first_nonopt' is the index in ARGV of the first of them; 'last_nonopt' is the index after the last of them. */ int __first_nonopt; int __last_nonopt; }; /* The initializer is necessary to set OPTIND and OPTERR to their default values and to clear the initialization flag. */ #define _GETOPT_DATA_INITIALIZER { 1, 1 } extern int _getopt_internal_r (int ___argc, char **___argv, const char *__shortopts, const struct option *__longopts, int *__longind, int __long_only, struct _getopt_data *__data, int __posixly_correct); extern int _getopt_long_r (int ___argc, char **___argv, const char *__shortopts, const struct option *__longopts, int *__longind, struct _getopt_data *__data); extern int _getopt_long_only_r (int ___argc, char **___argv, const char *__shortopts, const struct option *__longopts, int *__longind, struct _getopt_data *__data); #endif /* getopt_int.h */ nettle-4.0/libhogweed.map.in0000644000000000000000000000102315141166424013013 0ustar00# libhogweed.map.in -- linker version script. -*- ld-script -*- # # The symbol version must be updated on every hogweed # library major number change. That is taken care by # auto-generating the file. HOGWEED_@LIBHOGWEED_MAJOR@ { global: @HOGWEED_EXTRA_SYMBOLS@ nettle_*; local: *; }; # Internal symbols which are to be used only for unit or other # testing. Compatibility may break across releases. HOGWEED_INTERNAL_@LIBHOGWEED_MAJOR@_@LIBNETTLE_MINOR@ { global: _nettle_*; local: *; }; nettle-4.0/libnettle.map.in0000644000000000000000000000076115141166424012674 0ustar00# libnettle.map.in -- linker version script. -*- ld-script -*- # # The symbol version must be updated on every nettle # library major number change. That is taken care by # auto-generating the file. NETTLE_@LIBNETTLE_MAJOR@ { global: nettle_*; local: *; }; # Internal symbols which are to be used only for unit or other # testing. Compatibility may break across releases. NETTLE_INTERNAL_@LIBNETTLE_MAJOR@_@LIBNETTLE_MINOR@ { global: _nettle_*; local: *; }; nettle-4.0/m4-utils.m40000644000000000000000000004120115141166424011520 0ustar00divert(-1) dnl dnl m4 macros for gmp assembly code, shared by all CPUs. From gmp/mpn/asm-defs.m4 dnl Copyright 1999-2006, 2011 Free Software Foundation, Inc. dnl This file is part of the GNU MP Library. dnl dnl The GNU MP Library is free software; you can redistribute it and/or modify dnl it under the terms of either: dnl dnl * the GNU Lesser General Public License as published by the Free dnl Software Foundation; either version 3 of the License, or (at your dnl option) any later version. dnl dnl or dnl dnl * the GNU General Public License as published by the Free Software dnl Foundation; either version 2 of the License, or (at your option) any dnl later version. dnl dnl or both in parallel, as here. dnl dnl The GNU MP Library is distributed in the hope that it will be useful, but dnl WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY dnl or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License dnl for more details. dnl dnl You should have received copies of the GNU General Public License and the dnl GNU Lesser General Public License along with the GNU MP Library. If not, dnl see https://www.gnu.org/licenses/. dnl These macros are designed for use with any m4 and have been used on dnl GNU, FreeBSD, NetBSD, OpenBSD and SysV. dnl dnl GNU m4 and OpenBSD 2.7 m4 will give filenames and line numbers in error dnl messages. dnl dnl dnl Macros: dnl dnl Most new m4 specific macros have an "m4_" prefix to emphasise they're dnl m4 expansions. But new defining things like deflit() and defreg() are dnl named like the builtin define(), and forloop() is named following the dnl GNU m4 example on which it's based. dnl dnl GNU m4 with the -P option uses "m4_" as a prefix for builtins, but that dnl option isn't going to be used, so there's no conflict or confusion. dnl dnl dnl Comments in output: dnl dnl The m4 comment delimiters are left at # and \n, the normal assembler dnl commenting for most CPUs. m4 passes comment text through without dnl expanding macros in it, which is generally a good thing since it stops dnl unexpected expansions and possible resultant errors. dnl dnl But note that when a quoted string is being read, a # isn't special, so dnl apostrophes in comments in quoted strings must be avoided or they'll be dnl interpreted as a closing quote mark. But when the quoted text is dnl re-read # will still act like a normal comment, suppressing macro dnl expansion. dnl dnl For example, dnl dnl # apostrophes in comments that're outside quotes are ok dnl # and using macro names like PROLOGUE is ok too dnl ... dnl ifdef(`PIC',` dnl # but apostrophes aren't ok inside quotes dnl # ^--wrong dnl ... dnl # though macro names like PROLOGUE are still ok dnl ... dnl ') dnl dnl If macro expansion in a comment is wanted, use `#' in the .asm (ie. a dnl quoted hash symbol), which will turn into # in the .s but get dnl expansions done on that line. This can make the .s more readable to dnl humans, but it won't make a blind bit of difference to the assembler. dnl dnl All the above applies, mutatis mutandis, when changecom() is used to dnl select @ ! ; or whatever other commenting. dnl dnl dnl Variations in m4 affecting gmp: dnl dnl $# - When a macro is called as "foo" with no brackets, BSD m4 sets $# dnl to 1, whereas GNU or SysV m4 set it to 0. In all cases though dnl "foo()" sets $# to 1. This is worked around in various places. dnl dnl len() - When "len()" is given an empty argument, BSD m4 evaluates to dnl nothing, whereas GNU, SysV, and the new OpenBSD, evaluate to 0. dnl See m4_length() below which works around this. dnl dnl translit() - GNU m4 accepts character ranges like A-Z, and the new dnl OpenBSD m4 does under option -g, but basic BSD and SysV don't. dnl dnl popdef() - in BSD and SysV m4 popdef() takes multiple arguments and dnl pops each, but GNU m4 only takes one argument. dnl dnl push back - BSD m4 has some limits on the amount of text that can be dnl pushed back. The limit is reasonably big and so long as macros dnl don't gratuitously duplicate big arguments it isn't a problem. dnl Normally an error message is given, but sometimes it just hangs. dnl dnl eval() &,|,^ - GNU and SysV m4 have bitwise operators &,|,^ available, dnl but BSD m4 doesn't (contrary to what the man page suggests) and dnl instead ^ is exponentiation. dnl dnl eval() ?: - The C ternary operator "?:" is available in BSD m4, but not dnl in SysV or GNU m4 (as of GNU m4 1.4 and betas of 1.5). dnl dnl eval() -2^31 - BSD m4 has a bug where an eval() resulting in -2^31 dnl (ie. -2147483648) gives "-(". Using -2147483648 within an dnl expression is ok, it just can't be a final result. "-(" will of dnl course upset parsing, with all sorts of strange effects. dnl dnl eval() <<,>> - SysV m4 doesn't support shift operators in eval() (on dnl Solaris 7 /usr/xpg4/m4 has them but /usr/ccs/m4 doesn't). See dnl m4_lshift() and m4_rshift() below for workarounds. dnl dnl ifdef() - OSF 4.0 m4 considers a macro defined to a zero value `0' or dnl `00' etc as not defined. See m4_ifdef below for a workaround. dnl dnl m4wrap() sequence - in BSD m4, m4wrap() replaces any previous m4wrap() dnl string, in SysV m4 it appends to it, and in GNU m4 it prepends. dnl See m4wrap_prepend() below which brings uniformity to this. dnl dnl m4wrap() 0xFF - old versions of BSD m4 store EOF in a C "char" under an dnl m4wrap() and on systems where char is unsigned by default a dnl spurious 0xFF is output. This has been observed on recent Cray dnl Unicos Alpha, Apple MacOS X, and HPUX 11 systems. An autoconf dnl test is used to check for this, see the m4wrap handling below. It dnl might work to end the m4wrap string with a dnl to consume the dnl 0xFF, but that probably induces the offending m4's to read from an dnl already closed "FILE *", which could be bad on a glibc style dnl stdio. dnl dnl __file__,__line__ - GNU m4 and OpenBSD 2.7 m4 provide these, and dnl they're used here to make error messages more informative. GNU m4 dnl gives an unhelpful "NONE 0" in an m4wrap(), but that's worked dnl around. dnl dnl __file__ quoting - OpenBSD m4, unlike GNU m4, doesn't quote the dnl filename in __file__, so care should be taken that no macro has dnl the same name as a file, or an unwanted expansion will occur when dnl printing an error or warning. dnl dnl changecom() - BSD m4 changecom doesn't quite work like the man page dnl suggests, in particular "changecom" or "changecom()" doesn't dnl disable the comment feature, and multi-character comment sequences dnl don't seem to work. If the default `#' and newline aren't dnl suitable it's necessary to change it to something else, dnl eg. changecom(;). dnl dnl OpenBSD 2.6 m4 - in this m4, eval() rejects decimal constants containing dnl an 8 or 9, making it pretty much unusable. The bug is confined to dnl version 2.6 (it's not in 2.5, and was fixed in 2.7). dnl dnl SunOS /usr/bin/m4 - this m4 lacks a number of desired features, dnl including $# and $@, defn(), m4exit(), m4wrap(), pushdef(), dnl popdef(). /usr/5bin/m4 is a SysV style m4 which should always be dnl available, and "configure" will reject /usr/bin/m4 in favour of dnl /usr/5bin/m4 (if necessary). dnl dnl The sparc code actually has modest m4 requirements currently and dnl could manage with /usr/bin/m4, but there's no reason to put our dnl macros through contortions when /usr/5bin/m4 is available or GNU dnl m4 can be installed. dnl -------------------------------------------------------------------------- dnl Basic error handling things. dnl Usage: m4_dollarhash_1_if_noparen_p dnl dnl Expand to 1 if a call "foo" gives $# set to 1 (as opposed to 0 like GNU dnl and SysV m4 give). define(m4_dollarhash_1_if_noparen_test,`$#') define(m4_dollarhash_1_if_noparen_p, eval(m4_dollarhash_1_if_noparen_test==1)) undefine(`m4_dollarhash_1_if_noparen_test') define(m4_error, `errprint($@ )m4exit(1)') dnl Usage: m4_assert_numargs(num) dnl dnl Put this unquoted on a line on its own at the start of a macro dnl definition to add some code to check that num many arguments get passed dnl to the macro. For example, dnl dnl define(foo, dnl m4_assert_numargs(2) dnl `something `$1' and `$2' blah blah') dnl dnl Then a call like foo(one,two,three) will provoke an error like dnl dnl file:10: foo expected 2 arguments, got 3 arguments dnl dnl Here are some calls and how many arguments they're interpreted as passing. dnl dnl foo(abc,def) 2 dnl foo(xyz) 1 dnl foo() 0 dnl foo -1 dnl dnl The -1 for no parentheses at all means a macro that's meant to be used dnl that way can be checked with m4_assert_numargs(-1). For example, dnl dnl define(SPECIAL_SUFFIX, dnl m4_assert_numargs(-1) dnl `ifdef(`FOO',`_foo',`_bar')') dnl dnl But as an alternative see also deflit() below where parenthesized dnl expressions following a macro are passed through to the output. dnl dnl Note that in BSD m4 there's no way to differentiate calls "foo" and dnl "foo()", so in BSD m4 the distinction between the two isn't enforced. dnl (In GNU and SysV m4 it can be checked, and is.) dnl m4_assert_numargs is able to check its own arguments by calling dnl assert_numargs_internal directly. dnl dnl m4_doublequote($`'0) expands to ``$0'', whereas ``$`'0'' would expand dnl to `$`'0' and do the wrong thing, and likewise for $1. The same is dnl done in other assert macros. dnl dnl $`#' leaves $# in the new macro being defined, and stops # being dnl interpreted as a comment character. dnl dnl `dnl ' means an explicit dnl isn't necessary when m4_assert_numargs is dnl used. The space means that if there is a dnl it'll still work. dnl Usage: m4_doublequote(x) expands to ``x'' define(m4_doublequote, `m4_assert_numargs_internal(`$0',1,$#,len(`$1'))``$1''') define(m4_assert_numargs, `m4_assert_numargs_internal(`$0',1,$#,len(`$1'))dnl `m4_assert_numargs_internal'(m4_doublequote($`'0),$1,$`#',`len'(m4_doublequote($`'1)))`dnl '') dnl Called: m4_assert_numargs_internal(`macroname',wantargs,$#,len(`$1')) define(m4_assert_numargs_internal, `m4_assert_numargs_internal_check(`$1',`$2',m4_numargs_count(`$3',`$4'))') dnl Called: m4_assert_numargs_internal_check(`macroname',wantargs,gotargs) dnl dnl If m4_dollarhash_1_if_noparen_p (BSD m4) then gotargs can be 0 when it dnl should be -1. If wantargs is -1 but gotargs is 0 and the two can't be dnl distinguished then it's allowed to pass. dnl define(m4_assert_numargs_internal_check, `ifelse(eval($2 == $3 || ($2==-1 && $3==0 && m4_dollarhash_1_if_noparen_p)),0, `m4_error(`$1 expected 'm4_Narguments(`$2')`, got 'm4_Narguments(`$3') )')') dnl Called: m4_numargs_count($#,len(`$1')) dnl If $#==0 then -1 args, if $#==1 but len(`$1')==0 then 0 args, otherwise dnl $# args. define(m4_numargs_count, `ifelse($1,0, -1, `ifelse(eval($1==1 && $2-0==0),1, 0, $1)')') dnl Usage: m4_Narguments(N) dnl "$1 argument" or "$1 arguments" with the plural according to $1. define(m4_Narguments, `$1 argument`'ifelse(`$1',1,,s)') dnl -------------------------------------------------------------------------- dnl Additional error checking things. dnl Usage: m4_assert_onearg() dnl dnl Put this, unquoted, at the start of a macro definition to add some code dnl to check that one argument is passed to the macro, but with that dnl argument allowed to be empty. For example, dnl dnl define(foo, dnl m4_assert_onearg() dnl `blah blah $1 blah blah') dnl dnl Calls "foo(xyz)" or "foo()" are accepted. A call "foo(xyz,abc)" fails. dnl A call "foo" fails too, but BSD m4 can't detect this case (GNU and SysV dnl m4 can). define(m4_assert_onearg, m4_assert_numargs(0) `m4_assert_onearg_internal'(m4_doublequote($`'0),$`#')`dnl ') dnl Called: m4_assert_onearg(`macroname',$#) define(m4_assert_onearg_internal, `ifelse($2,1,, `m4_error(`$1 expected 1 argument, got 'm4_Narguments(`$2') )')') dnl -------------------------------------------------------------------------- dnl Various generic m4 things. dnl Usage: m4_unquote(macro) dnl dnl Allow the argument text to be re-evaluated. This is useful for "token dnl pasting" like m4_unquote(foo`'bar). define(m4_unquote, m4_assert_onearg() `$1') dnl Usage: m4_length(string) dnl dnl Determine the length of a string. This is the same as len(), but dnl always expands to a number, working around the BSD len() which dnl evaluates to nothing given an empty argument. define(m4_length, m4_assert_onearg() `eval(len(`$1')-0)') dnl Usage: m4_incr_or_decr(n,last) dnl dnl Do an incr(n) or decr(n), whichever is in the direction of "last". dnl Both n and last must be numbers of course. define(m4_incr_or_decr, m4_assert_numargs(2) `ifelse(eval($1<$2),1,incr($1),decr($1))') dnl Usage: forloop(i, first, last, statement) dnl dnl Based on GNU m4 examples/forloop.m4, but extended. dnl dnl statement is expanded repeatedly, with i successively defined as dnl dnl first, first+1, ..., last-1, last dnl dnl Or if first > last, then it's dnl dnl first, first-1, ..., last+1, last dnl dnl If first == last, then one expansion is done. dnl dnl A pushdef/popdef of i is done to preserve any previous definition (or dnl lack of definition). first and last are eval()ed and so can be dnl expressions. dnl dnl forloop_first is defined to 1 on the first iteration, 0 on the rest. dnl forloop_last is defined to 1 on the last iteration, 0 on the others. dnl Nested forloops are allowed, in which case forloop_first and dnl forloop_last apply to the innermost loop that's open. dnl dnl A simple example, dnl dnl forloop(i, 1, 2*2+1, `dnl dnl iteration number i ... ifelse(forloop_first,1,FIRST) dnl ') dnl "i" and "statement" are carefully quoted, but "first" and "last" are dnl just plain numbers once eval()ed. define(`forloop', m4_assert_numargs(4) `pushdef(`$1',eval(`$2'))dnl pushdef(`forloop_first',1)dnl pushdef(`forloop_last',0)dnl forloop_internal(`$1',eval(`$3'),`$4')`'dnl popdef(`forloop_first')dnl popdef(`forloop_last')dnl popdef(`$1')') dnl Called: forloop_internal(`var',last,statement) define(`forloop_internal', m4_assert_numargs(3) `ifelse($1,$2, `define(`forloop_last',1)$3', `$3`'dnl define(`forloop_first',0)dnl define(`$1',m4_incr_or_decr($1,$2))dnl forloop_internal(`$1',$2,`$3')')') dnl Usage: deflit(name,value) dnl dnl Like define(), but "name" expands like a literal, rather than taking dnl arguments. For example "name(%eax)" expands to "value(%eax)". dnl dnl Limitations: dnl dnl $ characters in the value part must have quotes to stop them looking dnl like macro parameters. For example, deflit(reg,`123+$`'4+567'). See dnl defreg() below for handling simple register definitions like $7 etc. dnl dnl "name()" is turned into "name", unfortunately. In GNU and SysV m4 an dnl error is generated when this happens, but in BSD m4 it will happen dnl silently. The problem is that in BSD m4 $# is 1 in both "name" or dnl "name()", so there's no way to differentiate them. Because we want dnl plain "name" to turn into plain "value", we end up with "name()" dnl turning into plain "value" too. dnl dnl "name(foo)" will lose any whitespace after commas in "foo", for example dnl "disp(%eax, %ecx)" would become "128(%eax,%ecx)". dnl dnl These parentheses oddities shouldn't matter in assembler text, but if dnl they do the suggested workaround is to write "name ()" or "name (foo)" dnl to stop the parentheses looking like a macro argument list. If a space dnl isn't acceptable in the output, then write "name`'()" or "name`'(foo)". dnl The `' is stripped when read, but again stops the parentheses looking dnl like parameters. dnl Quoting for deflit_emptyargcheck is similar to m4_assert_numargs. The dnl stuff in the ifelse gives a $#, $1 and $@ evaluated in the new macro dnl created, not in deflit. define(deflit, m4_assert_numargs(2) `define(`$1', `deflit_emptyargcheck'(``$1'',$`#',m4_doublequote($`'1))`dnl $2`'dnl ifelse(eval($'`#>1 || m4_length('m4_doublequote($`'1)`)!=0),1,($'`@))')') dnl Called: deflit_emptyargcheck(macroname,$#,`$1') define(deflit_emptyargcheck, `ifelse(eval($2==1 && !m4_dollarhash_1_if_noparen_p && m4_length(`$3')==0),1, `m4_error(`dont use a deflit as $1() because it loses the brackets (see deflit in asm-defs.m4 for more information) ')')') divert`'dnl nettle-4.0/macros.h0000644000000000000000000001626415141166424011250 0ustar00/* macros.h Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MACROS_H_INCLUDED #define NETTLE_MACROS_H_INCLUDED /* Reads a 64-bit integer, in network, big-endian, byte order */ #define READ_UINT64(p) \ ( (((uint64_t) (p)[0]) << 56) \ | (((uint64_t) (p)[1]) << 48) \ | (((uint64_t) (p)[2]) << 40) \ | (((uint64_t) (p)[3]) << 32) \ | (((uint64_t) (p)[4]) << 24) \ | (((uint64_t) (p)[5]) << 16) \ | (((uint64_t) (p)[6]) << 8) \ | ((uint64_t) (p)[7])) #define WRITE_UINT64(p, i) \ do { \ (p)[0] = ((i) >> 56) & 0xff; \ (p)[1] = ((i) >> 48) & 0xff; \ (p)[2] = ((i) >> 40) & 0xff; \ (p)[3] = ((i) >> 32) & 0xff; \ (p)[4] = ((i) >> 24) & 0xff; \ (p)[5] = ((i) >> 16) & 0xff; \ (p)[6] = ((i) >> 8) & 0xff; \ (p)[7] = (i) & 0xff; \ } while(0) /* Reads a 32-bit integer, in network, big-endian, byte order */ #define READ_UINT32(p) \ ( (((uint32_t) (p)[0]) << 24) \ | (((uint32_t) (p)[1]) << 16) \ | (((uint32_t) (p)[2]) << 8) \ | ((uint32_t) (p)[3])) #define WRITE_UINT32(p, i) \ do { \ (p)[0] = ((i) >> 24) & 0xff; \ (p)[1] = ((i) >> 16) & 0xff; \ (p)[2] = ((i) >> 8) & 0xff; \ (p)[3] = (i) & 0xff; \ } while(0) /* Analogous macros, for 24 and 16 bit numbers */ #define READ_UINT24(p) \ ( (((uint32_t) (p)[0]) << 16) \ | (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[2])) #define WRITE_UINT24(p, i) \ do { \ (p)[0] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[2] = (i) & 0xff; \ } while(0) #define READ_UINT16(p) \ ( (((uint32_t) (p)[0]) << 8) \ | ((uint32_t) (p)[1])) #define WRITE_UINT16(p, i) \ do { \ (p)[0] = ((i) >> 8) & 0xff; \ (p)[1] = (i) & 0xff; \ } while(0) /* And the other, little-endian, byteorder */ #define LE_READ_UINT64(p) \ ( (((uint64_t) (p)[7]) << 56) \ | (((uint64_t) (p)[6]) << 48) \ | (((uint64_t) (p)[5]) << 40) \ | (((uint64_t) (p)[4]) << 32) \ | (((uint64_t) (p)[3]) << 24) \ | (((uint64_t) (p)[2]) << 16) \ | (((uint64_t) (p)[1]) << 8) \ | ((uint64_t) (p)[0])) #define LE_WRITE_UINT64(p, i) \ do { \ (p)[7] = ((i) >> 56) & 0xff; \ (p)[6] = ((i) >> 48) & 0xff; \ (p)[5] = ((i) >> 40) & 0xff; \ (p)[4] = ((i) >> 32) & 0xff; \ (p)[3] = ((i) >> 24) & 0xff; \ (p)[2] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while (0) #define LE_READ_UINT32(p) \ ( (((uint32_t) (p)[3]) << 24) \ | (((uint32_t) (p)[2]) << 16) \ | (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[0])) #define LE_WRITE_UINT32(p, i) \ do { \ (p)[3] = ((i) >> 24) & 0xff; \ (p)[2] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while(0) /* Analogous macros, for 16 bit numbers */ #define LE_READ_UINT16(p) \ ( (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[0])) #define LE_WRITE_UINT16(p, i) \ do { \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while(0) /* Macro to make it easier to loop over several blocks. */ #define FOR_BLOCKS(length, dst, src, blocksize) \ assert( !((length) % (blocksize))); \ for (; (length); ((length) -= (blocksize), \ (dst) += (blocksize), \ (src) += (blocksize)) ) /* The masking of the right shift is needed to allow n == 0 (using just 32 - n and 64 - n results in undefined behaviour). Most uses of these macros use a constant and non-zero rotation count. */ #define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31)))) #define ROTL64(n,x) (((x)<<(n)) | ((x)>>((-(n))&63))) /* Requires that size > 0 */ #define INCREMENT(size, ctr) \ do { \ unsigned increment_i = (size) - 1; \ if (++(ctr)[increment_i] == 0) \ while (increment_i > 0 \ && ++(ctr)[--increment_i] == 0 ) \ ; \ } while (0) /* Helper macro for Merkle-Damgård hash functions. Assumes the context structs includes the following fields: uint8_t block[...]; // Buffer holding one block unsigned int index; // Index into block */ /* Currently used by sha512 (and sha384) only. */ #define MD_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low) /* Takes the compression function f as argument. NOTE: also clobbers length and data. */ #define MD_UPDATE(ctx, length, data, f, incr) \ do { \ if (!length) goto __md_done; \ if ((ctx)->index) \ { \ /* Try to fill partial block */ \ unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \ if ((length) < __md_left) \ { \ memcpy((ctx)->block + (ctx)->index, (data), (length)); \ (ctx)->index += (length); \ goto __md_done; /* Finished */ \ } \ else \ { \ memcpy((ctx)->block + (ctx)->index, (data), __md_left); \ \ f((ctx), (ctx)->block); \ (incr); \ \ (data) += __md_left; \ (length) -= __md_left; \ } \ } \ while ((length) >= sizeof((ctx)->block)) \ { \ f((ctx), (data)); \ (incr); \ \ (data) += sizeof((ctx)->block); \ (length) -= sizeof((ctx)->block); \ } \ memcpy ((ctx)->block, (data), (length)); \ (ctx)->index = (length); \ __md_done: \ ; \ } while (0) /* Pads the block to a block boundary with the bit pattern 1 0*, leaving size octets for the length field at the end. If needed, compresses the block and starts a new one. */ #define MD_PAD(ctx, size, f) \ do { \ unsigned __md_i; \ __md_i = (ctx)->index; \ \ /* Set the first char of padding to 0x80. This is safe since there \ is always at least one byte free */ \ \ assert(__md_i < sizeof((ctx)->block)); \ (ctx)->block[__md_i++] = 0x80; \ \ if (__md_i > (sizeof((ctx)->block) - (size))) \ { /* No room for length in this block. Process it and \ pad with another one */ \ memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \ \ f((ctx), (ctx)->block); \ __md_i = 0; \ } \ memset((ctx)->block + __md_i, 0, \ sizeof((ctx)->block) - (size) - __md_i); \ \ } while (0) #endif /* NETTLE_MACROS_H_INCLUDED */ nettle-4.0/md-internal.h0000644000000000000000000000435015141166424012167 0ustar00/* md-internal.h Copyright (C) 2001, 2010, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD_INTERNAL_H_INCLUDED #define NETTLE_MD_INTERNAL_H_INCLUDED #include /* Internal helper macros for Merkle-Damgård hash functions. Assumes the context structs includes the following fields: uint8_t block[...]; // Buffer holding one block unsigned int index; // Index into block */ #define MD_FILL_OR_RETURN(ctx, length, data) \ do { \ unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \ if ((length) < __md_left) \ { \ memcpy((ctx)->block + (ctx)->index, (data), (length)); \ (ctx)->index += (length); \ return; \ } \ memcpy((ctx)->block + (ctx)->index, (data), __md_left); \ (data) += __md_left; \ (length) -= __md_left; \ } while(0) #define MD_FILL_OR_RETURN_INDEX(block_size, block, index, length, data) \ do { \ unsigned __md_left = (block_size) - (index); \ if ((length) < __md_left) \ { \ memcpy(block + (index), (data), (length)); \ return (index) + (length); \ } \ memcpy((block) + (index), (data), __md_left); \ (data) += __md_left; \ (length) -= __md_left; \ } while(0) #endif /* NETTLE_MD_INTERNAL_H_INCLUDED */ nettle-4.0/md2-meta.c0000644000000000000000000000222215141166424011352 0ustar00/* md2-meta.c Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md2.h" const struct nettle_hash nettle_md2 = _NETTLE_HASH(md2, MD2); nettle-4.0/md2.c0000644000000000000000000001044215141166424010431 0ustar00/* md2.c The MD2 hash function, described in RFC 1319. Copyright (C) 2003 Niels Möller, Andreas Sigfridsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This code originates from the Python Cryptography Toolkit, version 1.0.1. Further hacked by Andreas Sigfridsson and Niels Möller. Original license: =================================================================== Distribute and use freely; there are no restrictions on further dissemination and usage except those imposed by the laws of your country of residence. This software is provided "as is" without warranty of fitness for use or suitability for any purpose, express or implied. Use at your own risk or not at all. =================================================================== Incorporating the code into commercial products is permitted; you do not have to make source available or contribute your changes back (though that would be nice). --amk (www.amk.ca) */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md2.h" #include "macros.h" static const uint8_t S[256] = { 41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, 19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, 76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, 138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251, 245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63, 148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50, 39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165, 181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210, 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157, 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27, 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15, 85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, 234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, 129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, 8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233, 203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228, 166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237, 31, 26, 219, 153, 141, 51, 159, 17, 131, 20 }; static void md2_transform(struct md2_ctx *ctx, const uint8_t *data) { unsigned i; uint8_t t; memcpy(ctx->X + 16, data, MD2_BLOCK_SIZE); for (i = 0, t = ctx->C[15]; iX[2 * MD2_BLOCK_SIZE + i] = ctx->X[i] ^ ctx->X[MD2_BLOCK_SIZE + i]; t = (ctx->C[i] ^= S[data[i]^t]); } for (i = t = 0; i< MD2_BLOCK_SIZE + 2; t = (t + i) & 0xff, i++) { unsigned j; for (j = 0; j < 3 * MD2_BLOCK_SIZE; j++) t = (ctx->X[j] ^= S[t]); } } void md2_init(struct md2_ctx *ctx) { memset(ctx, 0, offsetof (struct md2_ctx, block)); } void md2_update(struct md2_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, md2_transform, (void)0); } void md2_digest(struct md2_ctx *ctx, uint8_t *digest) { unsigned left; left = MD2_BLOCK_SIZE - ctx->index; memset(ctx->block + ctx->index, left, left); md2_transform(ctx, ctx->block); md2_transform(ctx, ctx->C); memcpy(digest, ctx->X, MD2_DIGEST_SIZE); md2_init(ctx); } nettle-4.0/md2.h0000644000000000000000000000341315141166424010436 0ustar00/* md2.h The MD2 hash function, described in RFC 1319. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD2_H_INCLUDED #define NETTLE_MD2_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md2_init nettle_md2_init #define md2_update nettle_md2_update #define md2_digest nettle_md2_digest #define MD2_DIGEST_SIZE 16 #define MD2_BLOCK_SIZE 16 struct md2_ctx { uint8_t C[MD2_BLOCK_SIZE]; uint8_t X[3 * MD2_BLOCK_SIZE]; unsigned index; /* Into buffer */ uint8_t block[MD2_BLOCK_SIZE]; /* Block buffer */ }; void md2_init(struct md2_ctx *ctx); void md2_update(struct md2_ctx *ctx, size_t length, const uint8_t *data); void md2_digest(struct md2_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_MD2_H_INCLUDED */ nettle-4.0/md4-meta.c0000644000000000000000000000222215141166424011354 0ustar00/* md4-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md4.h" const struct nettle_hash nettle_md4 = _NETTLE_HASH(md4, MD4); nettle-4.0/md4.c0000644000000000000000000001305615141166424010437 0ustar00/* md4.c The MD4 hash function, described in RFC 1320. Copyright (C) 2003 Niels Möller, Marcus Comstedt This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on the public domain md5 code, and modified by Marcus Comstedt */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md4.h" #include "macros.h" #include "nettle-write.h" /* A block, treated as a sequence of 32-bit words. */ #define MD4_DATA_LENGTH 16 static void md4_transform(uint32_t *digest, const uint32_t *data); static void md4_compress(struct md4_ctx *ctx, const uint8_t *block); /* FIXME: Could be an alias for md5_init */ void md4_init(struct md4_ctx *ctx) { /* Same constants as for md5. */ const uint32_t iv[_MD4_DIGEST_LENGTH] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } void md4_update(struct md4_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, md4_compress, ctx->count++); } void md4_digest(struct md4_ctx *ctx, uint8_t *digest) { uint64_t bit_count; uint32_t data[MD4_DATA_LENGTH]; unsigned i; MD_PAD(ctx, 8, md4_compress); for (i = 0; i < MD4_DATA_LENGTH - 2; i++) data[i] = LE_READ_UINT32(ctx->block + 4*i); /* There are 512 = 2^9 bits in one block * Little-endian order => Least significant word first */ bit_count = (ctx->count << 9) | (ctx->index << 3); data[MD4_DATA_LENGTH-2] = bit_count; data[MD4_DATA_LENGTH-1] = bit_count >> 32; md4_transform(ctx->state, data); _nettle_write_le32(MD4_DIGEST_SIZE, digest, ctx->state); md4_init(ctx); } /* MD4 functions */ #define F(x, y, z) (((y) & (x)) | ((z) & ~(x))) #define G(x, y, z) (((y) & (x)) | ((z) & (x)) | ((y) & (z))) #define H(x, y, z) ((x) ^ (y) ^ (z)) #define ROUND(f, w, x, y, z, data, s) \ ( w += f(x, y, z) + data, w = w<>(32-s) ) /* Perform the MD4 transformation on one full block of 16 32-bit words. */ static void md4_transform(uint32_t *digest, const uint32_t *data) { uint32_t a, b, c, d; a = digest[0]; b = digest[1]; c = digest[2]; d = digest[3]; ROUND(F, a, b, c, d, data[ 0], 3); ROUND(F, d, a, b, c, data[ 1], 7); ROUND(F, c, d, a, b, data[ 2], 11); ROUND(F, b, c, d, a, data[ 3], 19); ROUND(F, a, b, c, d, data[ 4], 3); ROUND(F, d, a, b, c, data[ 5], 7); ROUND(F, c, d, a, b, data[ 6], 11); ROUND(F, b, c, d, a, data[ 7], 19); ROUND(F, a, b, c, d, data[ 8], 3); ROUND(F, d, a, b, c, data[ 9], 7); ROUND(F, c, d, a, b, data[10], 11); ROUND(F, b, c, d, a, data[11], 19); ROUND(F, a, b, c, d, data[12], 3); ROUND(F, d, a, b, c, data[13], 7); ROUND(F, c, d, a, b, data[14], 11); ROUND(F, b, c, d, a, data[15], 19); ROUND(G, a, b, c, d, data[ 0] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 4] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[ 8] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[12] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 1] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 5] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[ 9] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[13] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 2] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 6] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[10] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[14] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 3] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 7] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[11] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[15] + 0x5a827999, 13); ROUND(H, a, b, c, d, data[ 0] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[ 8] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 4] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[12] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 2] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[10] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 6] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[14] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 1] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[ 9] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 5] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[13] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 3] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[11] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 7] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[15] + 0x6ed9eba1, 15); digest[0] += a; digest[1] += b; digest[2] += c; digest[3] += d; } static void md4_compress(struct md4_ctx *ctx, const uint8_t *block) { uint32_t data[MD4_DATA_LENGTH]; unsigned i; /* Endian independent conversion */ for (i = 0; i<16; i++, block += 4) data[i] = LE_READ_UINT32(block); md4_transform(ctx->state, data); } nettle-4.0/md4.h0000644000000000000000000000357715141166424010453 0ustar00/* md4.h The MD4 hash function, described in RFC 1320. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD4_H_INCLUDED #define NETTLE_MD4_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md4_init nettle_md4_init #define md4_update nettle_md4_update #define md4_digest nettle_md4_digest #define MD4_DIGEST_SIZE 16 #define MD4_BLOCK_SIZE 64 /* Digest is kept internally as 4 32-bit words. */ #define _MD4_DIGEST_LENGTH 4 /* FIXME: Identical to md5_ctx */ struct md4_ctx { uint32_t state[_MD4_DIGEST_LENGTH]; uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[MD4_BLOCK_SIZE]; /* Block buffer */ }; void md4_init(struct md4_ctx *ctx); void md4_update(struct md4_ctx *ctx, size_t length, const uint8_t *data); void md4_digest(struct md4_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_MD4_H_INCLUDED */ nettle-4.0/md5-meta.c0000644000000000000000000000222215141166424011355 0ustar00/* md5-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md5.h" const struct nettle_hash nettle_md5 = _NETTLE_HASH(md5, MD5); nettle-4.0/md5.c0000644000000000000000000001442115141166424010435 0ustar00/* md5.c The MD5 hash function, described in RFC 1321. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on public domain code hacked by Colin Plumb, Andrew Kuchling, and * Niels Möller. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md5.h" #include "macros.h" #include "nettle-write.h" void md5_init(struct md5_ctx *ctx) { const uint32_t iv[_MD5_DIGEST_LENGTH] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } #define COMPRESS(ctx, data) (nettle_md5_compress((ctx)->state, (data))) void md5_update(struct md5_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } void md5_digest(struct md5_ctx *ctx, uint8_t *digest) { uint64_t bit_count; MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); LE_WRITE_UINT64(ctx->block + (MD5_BLOCK_SIZE - 8), bit_count); nettle_md5_compress(ctx->state, ctx->block); _nettle_write_le32(MD5_DIGEST_SIZE, digest, ctx->state); md5_init(ctx); } /* A block, treated as a sequence of 32-bit words. */ #define MD5_DATA_LENGTH 16 /* MD5 functions */ #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) #define F2(x, y, z) F1((z), (x), (y)) #define F3(x, y, z) ((x) ^ (y) ^ (z)) #define F4(x, y, z) ((y) ^ ((x) | ~(z))) #define ROUND(f, w, x, y, z, data, s) \ ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) /* Perform the MD5 transformation on one full block of 16 32-bit * words. * * Compresses 20 (_MD5_DIGEST_LENGTH + MD5_DATA_LENGTH) words into 4 * (_MD5_DIGEST_LENGTH) words. */ void nettle_md5_compress(uint32_t *digest, const uint8_t *input) { uint32_t data[MD5_DATA_LENGTH]; uint32_t a, b, c, d; unsigned i; for (i = 0; i < MD5_DATA_LENGTH; i++, input += 4) data[i] = LE_READ_UINT32(input); a = digest[0]; b = digest[1]; c = digest[2]; d = digest[3]; ROUND(F1, a, b, c, d, data[ 0] + 0xd76aa478, 7); ROUND(F1, d, a, b, c, data[ 1] + 0xe8c7b756, 12); ROUND(F1, c, d, a, b, data[ 2] + 0x242070db, 17); ROUND(F1, b, c, d, a, data[ 3] + 0xc1bdceee, 22); ROUND(F1, a, b, c, d, data[ 4] + 0xf57c0faf, 7); ROUND(F1, d, a, b, c, data[ 5] + 0x4787c62a, 12); ROUND(F1, c, d, a, b, data[ 6] + 0xa8304613, 17); ROUND(F1, b, c, d, a, data[ 7] + 0xfd469501, 22); ROUND(F1, a, b, c, d, data[ 8] + 0x698098d8, 7); ROUND(F1, d, a, b, c, data[ 9] + 0x8b44f7af, 12); ROUND(F1, c, d, a, b, data[10] + 0xffff5bb1, 17); ROUND(F1, b, c, d, a, data[11] + 0x895cd7be, 22); ROUND(F1, a, b, c, d, data[12] + 0x6b901122, 7); ROUND(F1, d, a, b, c, data[13] + 0xfd987193, 12); ROUND(F1, c, d, a, b, data[14] + 0xa679438e, 17); ROUND(F1, b, c, d, a, data[15] + 0x49b40821, 22); ROUND(F2, a, b, c, d, data[ 1] + 0xf61e2562, 5); ROUND(F2, d, a, b, c, data[ 6] + 0xc040b340, 9); ROUND(F2, c, d, a, b, data[11] + 0x265e5a51, 14); ROUND(F2, b, c, d, a, data[ 0] + 0xe9b6c7aa, 20); ROUND(F2, a, b, c, d, data[ 5] + 0xd62f105d, 5); ROUND(F2, d, a, b, c, data[10] + 0x02441453, 9); ROUND(F2, c, d, a, b, data[15] + 0xd8a1e681, 14); ROUND(F2, b, c, d, a, data[ 4] + 0xe7d3fbc8, 20); ROUND(F2, a, b, c, d, data[ 9] + 0x21e1cde6, 5); ROUND(F2, d, a, b, c, data[14] + 0xc33707d6, 9); ROUND(F2, c, d, a, b, data[ 3] + 0xf4d50d87, 14); ROUND(F2, b, c, d, a, data[ 8] + 0x455a14ed, 20); ROUND(F2, a, b, c, d, data[13] + 0xa9e3e905, 5); ROUND(F2, d, a, b, c, data[ 2] + 0xfcefa3f8, 9); ROUND(F2, c, d, a, b, data[ 7] + 0x676f02d9, 14); ROUND(F2, b, c, d, a, data[12] + 0x8d2a4c8a, 20); ROUND(F3, a, b, c, d, data[ 5] + 0xfffa3942, 4); ROUND(F3, d, a, b, c, data[ 8] + 0x8771f681, 11); ROUND(F3, c, d, a, b, data[11] + 0x6d9d6122, 16); ROUND(F3, b, c, d, a, data[14] + 0xfde5380c, 23); ROUND(F3, a, b, c, d, data[ 1] + 0xa4beea44, 4); ROUND(F3, d, a, b, c, data[ 4] + 0x4bdecfa9, 11); ROUND(F3, c, d, a, b, data[ 7] + 0xf6bb4b60, 16); ROUND(F3, b, c, d, a, data[10] + 0xbebfbc70, 23); ROUND(F3, a, b, c, d, data[13] + 0x289b7ec6, 4); ROUND(F3, d, a, b, c, data[ 0] + 0xeaa127fa, 11); ROUND(F3, c, d, a, b, data[ 3] + 0xd4ef3085, 16); ROUND(F3, b, c, d, a, data[ 6] + 0x04881d05, 23); ROUND(F3, a, b, c, d, data[ 9] + 0xd9d4d039, 4); ROUND(F3, d, a, b, c, data[12] + 0xe6db99e5, 11); ROUND(F3, c, d, a, b, data[15] + 0x1fa27cf8, 16); ROUND(F3, b, c, d, a, data[ 2] + 0xc4ac5665, 23); ROUND(F4, a, b, c, d, data[ 0] + 0xf4292244, 6); ROUND(F4, d, a, b, c, data[ 7] + 0x432aff97, 10); ROUND(F4, c, d, a, b, data[14] + 0xab9423a7, 15); ROUND(F4, b, c, d, a, data[ 5] + 0xfc93a039, 21); ROUND(F4, a, b, c, d, data[12] + 0x655b59c3, 6); ROUND(F4, d, a, b, c, data[ 3] + 0x8f0ccc92, 10); ROUND(F4, c, d, a, b, data[10] + 0xffeff47d, 15); ROUND(F4, b, c, d, a, data[ 1] + 0x85845dd1, 21); ROUND(F4, a, b, c, d, data[ 8] + 0x6fa87e4f, 6); ROUND(F4, d, a, b, c, data[15] + 0xfe2ce6e0, 10); ROUND(F4, c, d, a, b, data[ 6] + 0xa3014314, 15); ROUND(F4, b, c, d, a, data[13] + 0x4e0811a1, 21); ROUND(F4, a, b, c, d, data[ 4] + 0xf7537e82, 6); ROUND(F4, d, a, b, c, data[11] + 0xbd3af235, 10); ROUND(F4, c, d, a, b, data[ 2] + 0x2ad7d2bb, 15); ROUND(F4, b, c, d, a, data[ 9] + 0xeb86d391, 21); digest[0] += a; digest[1] += b; digest[2] += c; digest[3] += d; } nettle-4.0/md5.h0000644000000000000000000000413415141166424010442 0ustar00/* md5.h The MD5 hash function, described in RFC 1321. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD5_H_INCLUDED #define NETTLE_MD5_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md5_init nettle_md5_init #define md5_update nettle_md5_update #define md5_digest nettle_md5_digest #define md5_compress nettle_md5_compress #define MD5_DIGEST_SIZE 16 #define MD5_BLOCK_SIZE 64 /* Digest is kept internally as 4 32-bit words. */ #define _MD5_DIGEST_LENGTH 4 struct md5_ctx { uint32_t state[_MD5_DIGEST_LENGTH]; uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[MD5_BLOCK_SIZE]; /* Block buffer */ }; void md5_init(struct md5_ctx *ctx); void md5_update(struct md5_ctx *ctx, size_t length, const uint8_t *data); void md5_digest(struct md5_ctx *ctx, uint8_t *digest); /* MD5 compression function. STATE points to 4 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void md5_compress(uint32_t *state, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_MD5_H_INCLUDED */ nettle-4.0/memeql-sec.c0000644000000000000000000000264315141166424012003 0ustar00/* memeql-sec.c Copyright (C) 2016 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "memops.h" #include "nettle-internal.h" int memeql_sec (const void *a, const void *b, size_t n) { volatile const unsigned char *ap = (const unsigned char *) a; volatile const unsigned char *bp = (const unsigned char *) b; volatile unsigned char diff; size_t i; for (i = diff = 0; i < n; i++) diff |= (ap[i] ^ bp[i]); return IS_ZERO_SMALL (diff); } nettle-4.0/memops.h0000644000000000000000000000277015141166424011261 0ustar00/* memops.h Copyright (C) 2016 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MEMOPS_H_INCLUDED #define NETTLE_MEMOPS_H_INCLUDED #include "memxor.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cnd_memcpy nettle_cnd_memcpy #define memeql_sec nettle_memeql_sec int memeql_sec (const void *a, const void *b, size_t n); /* Side-channel silent conditional memcpy. cnd must be 0 (nop) or 1 (copy). */ void cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n); #ifdef __cplusplus } #endif #endif /* NETTLE_MEMOPS_H_INCLUDED */ nettle-4.0/memxor-internal.h0000644000000000000000000000422715141166424013101 0ustar00/* memxor-internal.h Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MEMXOR_INTERNAL_H_INCLUDED #define NETTLE_MEMXOR_INTERNAL_H_INCLUDED #include "nettle-types.h" /* The word_t type is intended to be the native word size. */ #if defined(__x86_64__) || defined(__arch64__) /* Including on M$ windows, where unsigned long is only 32 bits */ typedef uint64_t word_t; #else typedef unsigned long int word_t; #endif #define ALIGN_OFFSET(p) ((uintptr_t) (p) % sizeof(word_t)) #ifndef WORDS_BIGENDIAN #define MERGE(w0, sh_1, w1, sh_2) \ (((w0) >> (sh_1)) | ((w1) << (sh_2))) #else #define MERGE(w0, sh_1, w1, sh_2) \ (((w0) << (sh_1)) | ((w1) >> (sh_2))) #endif #ifndef WORDS_BIGENDIAN #define READ_PARTIAL(r,p,n) do { \ word_t _rp_x; \ unsigned _rp_i; \ for (_rp_i = (n), _rp_x = (p)[--_rp_i]; _rp_i > 0;) \ _rp_x = (_rp_x << CHAR_BIT) | (p)[--_rp_i]; \ (r) = _rp_x; \ } while (0) #else #define READ_PARTIAL(r,p,n) do { \ word_t _rp_x; \ unsigned _rp_i; \ for (_rp_x = (p)[0], _rp_i = 1; _rp_i < (n); _rp_i++) \ _rp_x = (_rp_x << CHAR_BIT) | (p)[_rp_i]; \ (r) = _rp_x; \ } while (0) #endif #endif /* NETTLE_MEMXOR_INTERNAL_H_INCLUDED */ nettle-4.0/memxor.c0000644000000000000000000000776415141166424011273 0ustar00/* memxor.c Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Implementation inspired by memcmp in glibc, contributed to the FSF by Torbjorn Granlund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memxor.h" #include "memxor-internal.h" #define WORD_T_THRESH 16 /* XOR word-aligned areas. n is the number of words, not bytes. */ static void memxor_common_alignment (word_t *dst, const word_t *src, size_t n) { /* FIXME: Require n > 0? */ /* FIXME: Unroll four times, like memcmp? Probably not worth the effort. */ if (n & 1) { n--; dst[n] ^= src[n]; } while (n >= 2) { n -= 2; dst[n+1] ^= src[n+1]; dst[n] ^= src[n]; } } /* XOR *un-aligned* src-area onto aligned dst area. n is number of words, not bytes. Assumes we can read complete words at the start and end of the src operand. */ static void memxor_different_alignment (word_t *dst, const unsigned char *src, size_t n) { int shl, shr; const word_t *src_word; unsigned offset = ALIGN_OFFSET (src); word_t s0, s1; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); src_word = (const word_t *) ((uintptr_t) src & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &src_word[n], offset); #ifdef WORDS_BIGENDIAN s0 <<= shr; /* FIXME: Eliminate this shift? */ #endif /* Do n-1 regular iterations */ if (n & 1) s1 = s0; else { n--; s1 = src_word[n]; dst[n] ^= MERGE (s1, shl, s0, shr); } assert (n & 1); while (n > 2) { n -= 2; s0 = src_word[n+1]; dst[n+1] ^= MERGE(s0, shl, s1, shr); s1 = src_word[n]; /* FIXME: Overread on last iteration */ dst[n] ^= MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, src, sizeof(word_t) - offset); #ifndef WORDS_BIGENDIAN s0 <<= shl; /* FIXME: eliminate shift? */ #endif /* !WORDS_BIGENDIAN */ dst[0] ^= MERGE(s0, shl, s1, shr); } /* Performance, Intel SU1400 (x86_64): 0.25 cycles/byte aligned, 0.45 cycles/byte unaligned. */ /* XOR LEN bytes starting at SRCADDR onto DESTADDR. Result undefined if the source overlaps with the destination. Return DESTADDR. */ void * memxor(void *dst_in, const void *src_in, size_t n) { unsigned char *dst = dst_in; const unsigned char *src = src_in; if (n >= WORD_T_THRESH) { unsigned i; unsigned offset; size_t nwords; /* There are at least some bytes to compare. No need to test for N == 0 in this alignment loop. */ for (i = ALIGN_OFFSET(dst + n); i > 0; i--) { n--; dst[n] ^= src[n]; } offset = ALIGN_OFFSET(src + n); nwords = n / sizeof (word_t); n %= sizeof (word_t); if (offset) memxor_different_alignment ((word_t *) (dst+n), src+n, nwords); else memxor_common_alignment ((word_t *) (dst+n), (const word_t *) (src+n), nwords); } while (n > 0) { n--; dst[n] ^= src[n]; } return dst; } nettle-4.0/memxor.h0000644000000000000000000000063715141166424011270 0ustar00/* memxor.h * */ #ifndef NETTLE_MEMXOR_H_INCLUDED #define NETTLE_MEMXOR_H_INCLUDED #include #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define memxor nettle_memxor #define memxor3 nettle_memxor3 void *memxor(void *dst, const void *src, size_t n); void *memxor3(void *dst, const void *a, const void *b, size_t n); #ifdef __cplusplus } #endif #endif /* NETTLE_MEMXOR_H_INCLUDED */ nettle-4.0/memxor3.c0000644000000000000000000001621515141166424011345 0ustar00/* memxor3.c Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Implementation inspired by memcmp in glibc, contributed to the FSF by Torbjorn Granlund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memxor.h" #include "memxor-internal.h" #define WORD_T_THRESH 16 /* For fat builds */ #if HAVE_NATIVE_memxor3 void * _nettle_memxor3_c(void *dst_in, const void *a_in, const void *b_in, size_t n); # define nettle_memxor3 _nettle_memxor3_c #endif /* XOR word-aligned areas. n is the number of words, not bytes. */ static void memxor3_common_alignment (word_t *dst, const word_t *a, const word_t *b, size_t n) { /* FIXME: Require n > 0? */ if (n & 1) { n--; dst[n] = a[n] ^ b[n]; } while (n > 0) { n -= 2; dst[n+1] = a[n+1] ^ b[n+1]; dst[n] = a[n] ^ b[n]; } } static void memxor3_different_alignment_b (word_t *dst, const word_t *a, const unsigned char *b, unsigned offset, size_t n) { int shl, shr; const word_t *b_word; word_t s0, s1; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &b_word[n], offset); #ifdef WORDS_BIGENDIAN s0 <<= shr; #endif if (n & 1) s1 = s0; else { n--; s1 = b_word[n]; dst[n] = a[n] ^ MERGE (s1, shl, s0, shr); } while (n > 2) { n -= 2; s0 = b_word[n+1]; dst[n+1] = a[n+1] ^ MERGE(s0, shl, s1, shr); s1 = b_word[n]; dst[n] = a[n] ^ MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, b, sizeof(word_t) - offset); #ifndef WORDS_BIGENDIAN s0 <<= shl; #endif /* !WORDS_BIGENDIAN */ dst[0] = a[0] ^ MERGE(s0, shl, s1, shr); } static void memxor3_different_alignment_ab (word_t *dst, const unsigned char *a, const unsigned char *b, unsigned offset, size_t n) { int shl, shr; const word_t *a_word; const word_t *b_word; word_t s0, s1, t; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &a_word[n], offset); READ_PARTIAL (t, (unsigned char *) &b_word[n], offset); s0 ^= t; #ifdef WORDS_BIGENDIAN s0 <<= shr; #endif if (n & 1) s1 = s0; else { n--; s1 = a_word[n] ^ b_word[n]; dst[n] = MERGE (s1, shl, s0, shr); } while (n > 2) { n -= 2; s0 = a_word[n+1] ^ b_word[n+1]; dst[n+1] = MERGE(s0, shl, s1, shr); s1 = a_word[n] ^ b_word[n]; dst[n] = MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, a, sizeof(word_t) - offset); READ_PARTIAL (t, b, sizeof(word_t) - offset); s0 ^= t; #ifndef WORDS_BIGENDIAN s0 <<= shl; #endif /* !WORDS_BIGENDIAN */ dst[0] = MERGE(s0, shl, s1, shr); } static void memxor3_different_alignment_all (word_t *dst, const unsigned char *a, const unsigned char *b, unsigned a_offset, unsigned b_offset, size_t n) { int al, ar, bl, br; const word_t *a_word; const word_t *b_word; word_t a0, a1, b0, b1; al = CHAR_BIT * a_offset; ar = CHAR_BIT * (sizeof(word_t) - a_offset); bl = CHAR_BIT * b_offset; br = CHAR_BIT * (sizeof(word_t) - b_offset); a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (a0, (unsigned char *) &a_word[n], a_offset); READ_PARTIAL (b0, (unsigned char *) &b_word[n], b_offset); #ifdef WORDS_BIGENDIAN a0 <<= ar; b0 <<= br; #endif if (n & 1) { a1 = a0; b1 = b0; } else { n--; a1 = a_word[n]; b1 = b_word[n]; dst[n] = MERGE (a1, al, a0, ar) ^ MERGE (b1, bl, b0, br); } while (n > 2) { n -= 2; a0 = a_word[n+1]; b0 = b_word[n+1]; dst[n+1] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); a1 = a_word[n]; b1 = b_word[n]; dst[n] = MERGE(a1, al, a0, ar) ^ MERGE(b1, bl, b0, br); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (a0, a, sizeof(word_t) - a_offset); READ_PARTIAL (b0, b, sizeof(word_t) - b_offset); #ifndef WORDS_BIGENDIAN a0 <<= al; b0 <<= bl; #endif /* !WORDS_BIGENDIAN */ dst[0] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); } /* Current implementation processes data in descending order, to support overlapping operation with one of the sources overlapping the start of the destination area. This feature is used only internally by cbc decrypt, and it is not advertised or documented to nettle users. */ void * nettle_memxor3(void *dst_in, const void *a_in, const void *b_in, size_t n) { unsigned char *dst = dst_in; const unsigned char *a = a_in; const unsigned char *b = b_in; if (n >= WORD_T_THRESH) { unsigned i; unsigned a_offset; unsigned b_offset; size_t nwords; for (i = ALIGN_OFFSET(dst + n); i > 0; i--) { n--; dst[n] = a[n] ^ b[n]; } a_offset = ALIGN_OFFSET(a + n); b_offset = ALIGN_OFFSET(b + n); nwords = n / sizeof (word_t); n %= sizeof (word_t); if (a_offset == b_offset) { if (!a_offset) memxor3_common_alignment((word_t *) (dst + n), (const word_t *) (a + n), (const word_t *) (b + n), nwords); else memxor3_different_alignment_ab((word_t *) (dst + n), a + n, b + n, a_offset, nwords); } else if (!a_offset) memxor3_different_alignment_b((word_t *) (dst + n), (const word_t *) (a + n), b + n, b_offset, nwords); else if (!b_offset) memxor3_different_alignment_b((word_t *) (dst + n), (const word_t *) (b + n), a + n, a_offset, nwords); else memxor3_different_alignment_all((word_t *) (dst + n), a + n, b + n, a_offset, b_offset, nwords); } while (n-- > 0) dst[n] = a[n] ^ b[n]; return dst; } nettle-4.0/mini-gmp.c0000644000000000000000000026456015141166424011500 0ustar00/* mini-gmp, a minimalistic implementation of a GNU GMP subset. Contributed to the GNU project by Niels Möller Additional functionalities and improvements by Marco Bodrato. Copyright 1991-1997, 1999-2022 Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with the GNU MP Library. If not, see https://www.gnu.org/licenses/. */ /* NOTE: All functions in this file which are not declared in mini-gmp.h are internal, and are not intended to be compatible with GMP or with future versions of mini-gmp. */ /* Much of the material copied from GMP files, including: gmp-impl.h, longlong.h, mpn/generic/add_n.c, mpn/generic/addmul_1.c, mpn/generic/lshift.c, mpn/generic/mul_1.c, mpn/generic/mul_basecase.c, mpn/generic/rshift.c, mpn/generic/sbpi1_div_qr.c, mpn/generic/sub_n.c, mpn/generic/submul_1.c. */ #include #include #include #include #include #include #include "mini-gmp.h" #ifndef MINI_GMP_ENABLE_FLOAT #define MINI_GMP_ENABLE_FLOAT 1 #endif #if MINI_GMP_ENABLE_FLOAT #include #endif /* Macros */ #define GMP_LIMB_BITS (sizeof(mp_limb_t) * CHAR_BIT) #define GMP_LIMB_MAX ((mp_limb_t) ~ (mp_limb_t) 0) #define GMP_LIMB_HIGHBIT ((mp_limb_t) 1 << (GMP_LIMB_BITS - 1)) #define GMP_HLIMB_BIT ((mp_limb_t) 1 << (GMP_LIMB_BITS / 2)) #define GMP_LLIMB_MASK (GMP_HLIMB_BIT - 1) #define GMP_ULONG_BITS (sizeof(unsigned long) * CHAR_BIT) #define GMP_ULONG_HIGHBIT ((unsigned long) 1 << (GMP_ULONG_BITS - 1)) #define GMP_ABS(x) ((x) >= 0 ? (x) : -(x)) #define GMP_NEG_CAST(T,x) (-((T)((x) + 1) - 1)) #define GMP_MIN(a, b) ((a) < (b) ? (a) : (b)) #define GMP_MAX(a, b) ((a) > (b) ? (a) : (b)) #define GMP_CMP(a,b) (((a) > (b)) - ((a) < (b))) #if defined(DBL_MANT_DIG) && FLT_RADIX == 2 #define GMP_DBL_MANT_BITS DBL_MANT_DIG #else #define GMP_DBL_MANT_BITS (53) #endif /* Return non-zero if xp,xsize and yp,ysize overlap. If xp+xsize<=yp there's no overlap, or if yp+ysize<=xp there's no overlap. If both these are false, there's an overlap. */ #define GMP_MPN_OVERLAP_P(xp, xsize, yp, ysize) \ ((xp) + (xsize) > (yp) && (yp) + (ysize) > (xp)) #define gmp_assert_nocarry(x) do { \ mp_limb_t __cy = (x); \ assert (__cy == 0); \ (void) (__cy); \ } while (0) #define gmp_clz(count, x) do { \ mp_limb_t __clz_x = (x); \ unsigned __clz_c = 0; \ int LOCAL_SHIFT_BITS = 8; \ if (GMP_LIMB_BITS > LOCAL_SHIFT_BITS) \ for (; \ (__clz_x & ((mp_limb_t) 0xff << (GMP_LIMB_BITS - 8))) == 0; \ __clz_c += 8) \ { __clz_x <<= LOCAL_SHIFT_BITS; } \ for (; (__clz_x & GMP_LIMB_HIGHBIT) == 0; __clz_c++) \ __clz_x <<= 1; \ (count) = __clz_c; \ } while (0) #define gmp_ctz(count, x) do { \ mp_limb_t __ctz_x = (x); \ unsigned __ctz_c = 0; \ gmp_clz (__ctz_c, __ctz_x & - __ctz_x); \ (count) = GMP_LIMB_BITS - 1 - __ctz_c; \ } while (0) #define gmp_add_ssaaaa(sh, sl, ah, al, bh, bl) \ do { \ mp_limb_t __x; \ __x = (al) + (bl); \ (sh) = (ah) + (bh) + (__x < (al)); \ (sl) = __x; \ } while (0) #define gmp_sub_ddmmss(sh, sl, ah, al, bh, bl) \ do { \ mp_limb_t __x; \ __x = (al) - (bl); \ (sh) = (ah) - (bh) - ((al) < (bl)); \ (sl) = __x; \ } while (0) #define gmp_umul_ppmm(w1, w0, u, v) \ do { \ int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; \ if (sizeof(unsigned int) * CHAR_BIT >= 2 * GMP_LIMB_BITS) \ { \ unsigned int __ww = (unsigned int) (u) * (v); \ w0 = (mp_limb_t) __ww; \ w1 = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS); \ } \ else if (GMP_ULONG_BITS >= 2 * GMP_LIMB_BITS) \ { \ unsigned long int __ww = (unsigned long int) (u) * (v); \ w0 = (mp_limb_t) __ww; \ w1 = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS); \ } \ else { \ mp_limb_t __x0, __x1, __x2, __x3; \ unsigned __ul, __vl, __uh, __vh; \ mp_limb_t __u = (u), __v = (v); \ assert (sizeof (unsigned) * 2 >= sizeof (mp_limb_t)); \ \ __ul = __u & GMP_LLIMB_MASK; \ __uh = __u >> (GMP_LIMB_BITS / 2); \ __vl = __v & GMP_LLIMB_MASK; \ __vh = __v >> (GMP_LIMB_BITS / 2); \ \ __x0 = (mp_limb_t) __ul * __vl; \ __x1 = (mp_limb_t) __ul * __vh; \ __x2 = (mp_limb_t) __uh * __vl; \ __x3 = (mp_limb_t) __uh * __vh; \ \ __x1 += __x0 >> (GMP_LIMB_BITS / 2);/* this can't give carry */ \ __x1 += __x2; /* but this indeed can */ \ if (__x1 < __x2) /* did we get it? */ \ __x3 += GMP_HLIMB_BIT; /* yes, add it in the proper pos. */ \ \ (w1) = __x3 + (__x1 >> (GMP_LIMB_BITS / 2)); \ (w0) = (__x1 << (GMP_LIMB_BITS / 2)) + (__x0 & GMP_LLIMB_MASK); \ } \ } while (0) /* If mp_limb_t is of size smaller than int, plain u*v implies automatic promotion to *signed* int, and then multiply may overflow and cause undefined behavior. Explicitly cast to unsigned int for that case. */ #define gmp_umullo_limb(u, v) \ ((sizeof(mp_limb_t) >= sizeof(int)) ? (u)*(v) : (unsigned int)(u) * (v)) #define gmp_udiv_qrnnd_preinv(q, r, nh, nl, d, di) \ do { \ mp_limb_t _qh, _ql, _r, _mask; \ gmp_umul_ppmm (_qh, _ql, (nh), (di)); \ gmp_add_ssaaaa (_qh, _ql, _qh, _ql, (nh) + 1, (nl)); \ _r = (nl) - gmp_umullo_limb (_qh, (d)); \ _mask = -(mp_limb_t) (_r > _ql); /* both > and >= are OK */ \ _qh += _mask; \ _r += _mask & (d); \ if (_r >= (d)) \ { \ _r -= (d); \ _qh++; \ } \ \ (r) = _r; \ (q) = _qh; \ } while (0) #define gmp_udiv_qr_3by2(q, r1, r0, n2, n1, n0, d1, d0, dinv) \ do { \ mp_limb_t _q0, _t1, _t0, _mask; \ gmp_umul_ppmm ((q), _q0, (n2), (dinv)); \ gmp_add_ssaaaa ((q), _q0, (q), _q0, (n2), (n1)); \ \ /* Compute the two most significant limbs of n - q'd */ \ (r1) = (n1) - gmp_umullo_limb ((d1), (q)); \ gmp_sub_ddmmss ((r1), (r0), (r1), (n0), (d1), (d0)); \ gmp_umul_ppmm (_t1, _t0, (d0), (q)); \ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), _t1, _t0); \ (q)++; \ \ /* Conditionally adjust q and the remainders */ \ _mask = - (mp_limb_t) ((r1) >= _q0); \ (q) += _mask; \ gmp_add_ssaaaa ((r1), (r0), (r1), (r0), _mask & (d1), _mask & (d0)); \ if ((r1) >= (d1)) \ { \ if ((r1) > (d1) || (r0) >= (d0)) \ { \ (q)++; \ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), (d1), (d0)); \ } \ } \ } while (0) /* Swap macros. */ #define MP_LIMB_T_SWAP(x, y) \ do { \ mp_limb_t __mp_limb_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_limb_t_swap__tmp; \ } while (0) #define MP_SIZE_T_SWAP(x, y) \ do { \ mp_size_t __mp_size_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_size_t_swap__tmp; \ } while (0) #define MP_BITCNT_T_SWAP(x,y) \ do { \ mp_bitcnt_t __mp_bitcnt_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_bitcnt_t_swap__tmp; \ } while (0) #define MP_PTR_SWAP(x, y) \ do { \ mp_ptr __mp_ptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_ptr_swap__tmp; \ } while (0) #define MP_SRCPTR_SWAP(x, y) \ do { \ mp_srcptr __mp_srcptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_srcptr_swap__tmp; \ } while (0) #define MPN_PTR_SWAP(xp,xs, yp,ys) \ do { \ MP_PTR_SWAP (xp, yp); \ MP_SIZE_T_SWAP (xs, ys); \ } while(0) #define MPN_SRCPTR_SWAP(xp,xs, yp,ys) \ do { \ MP_SRCPTR_SWAP (xp, yp); \ MP_SIZE_T_SWAP (xs, ys); \ } while(0) #define MPZ_PTR_SWAP(x, y) \ do { \ mpz_ptr __mpz_ptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mpz_ptr_swap__tmp; \ } while (0) #define MPZ_SRCPTR_SWAP(x, y) \ do { \ mpz_srcptr __mpz_srcptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mpz_srcptr_swap__tmp; \ } while (0) const int mp_bits_per_limb = GMP_LIMB_BITS; /* Memory allocation and other helper functions. */ static void gmp_die (const char *msg) { fprintf (stderr, "%s\n", msg); abort(); } static void * gmp_default_alloc (size_t size) { void *p; assert (size > 0); p = malloc (size); if (!p) gmp_die("gmp_default_alloc: Virtual memory exhausted."); return p; } static void * gmp_default_realloc (void *old, size_t unused_old_size, size_t new_size) { void * p; p = realloc (old, new_size); if (!p) gmp_die("gmp_default_realloc: Virtual memory exhausted."); return p; } static void gmp_default_free (void *p, size_t unused_size) { free (p); } static void * (*gmp_allocate_func) (size_t) = gmp_default_alloc; static void * (*gmp_reallocate_func) (void *, size_t, size_t) = gmp_default_realloc; static void (*gmp_free_func) (void *, size_t) = gmp_default_free; void mp_get_memory_functions (void *(**alloc_func) (size_t), void *(**realloc_func) (void *, size_t, size_t), void (**free_func) (void *, size_t)) { if (alloc_func) *alloc_func = gmp_allocate_func; if (realloc_func) *realloc_func = gmp_reallocate_func; if (free_func) *free_func = gmp_free_func; } void mp_set_memory_functions (void *(*alloc_func) (size_t), void *(*realloc_func) (void *, size_t, size_t), void (*free_func) (void *, size_t)) { if (!alloc_func) alloc_func = gmp_default_alloc; if (!realloc_func) realloc_func = gmp_default_realloc; if (!free_func) free_func = gmp_default_free; gmp_allocate_func = alloc_func; gmp_reallocate_func = realloc_func; gmp_free_func = free_func; } #define gmp_alloc(size) ((*gmp_allocate_func)((size))) #define gmp_free(p, size) ((*gmp_free_func) ((p), (size))) #define gmp_realloc(ptr, old_size, size) ((*gmp_reallocate_func)(ptr, old_size, size)) static mp_ptr gmp_alloc_limbs (mp_size_t size) { return (mp_ptr) gmp_alloc (size * sizeof (mp_limb_t)); } static mp_ptr gmp_realloc_limbs (mp_ptr old, mp_size_t old_size, mp_size_t size) { assert (size > 0); return (mp_ptr) gmp_realloc (old, old_size * sizeof (mp_limb_t), size * sizeof (mp_limb_t)); } static void gmp_free_limbs (mp_ptr old, mp_size_t size) { gmp_free (old, size * sizeof (mp_limb_t)); } /* MPN interface */ void mpn_copyi (mp_ptr d, mp_srcptr s, mp_size_t n) { mp_size_t i; for (i = 0; i < n; i++) d[i] = s[i]; } void mpn_copyd (mp_ptr d, mp_srcptr s, mp_size_t n) { while (--n >= 0) d[n] = s[n]; } int mpn_cmp (mp_srcptr ap, mp_srcptr bp, mp_size_t n) { while (--n >= 0) { if (ap[n] != bp[n]) return ap[n] > bp[n] ? 1 : -1; } return 0; } static int mpn_cmp4 (mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { if (an != bn) return an < bn ? -1 : 1; else return mpn_cmp (ap, bp, an); } static mp_size_t mpn_normalized_size (mp_srcptr xp, mp_size_t n) { while (n > 0 && xp[n-1] == 0) --n; return n; } int mpn_zero_p(mp_srcptr rp, mp_size_t n) { return mpn_normalized_size (rp, n) == 0; } void mpn_zero (mp_ptr rp, mp_size_t n) { while (--n >= 0) rp[n] = 0; } mp_limb_t mpn_add_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) { mp_size_t i; assert (n > 0); i = 0; do { mp_limb_t r = ap[i] + b; /* Carry out */ b = (r < b); rp[i] = r; } while (++i < n); return b; } mp_limb_t mpn_add_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mp_size_t i; mp_limb_t cy; for (i = 0, cy = 0; i < n; i++) { mp_limb_t a, b, r; a = ap[i]; b = bp[i]; r = a + cy; cy = (r < cy); r += b; cy += (r < b); rp[i] = r; } return cy; } mp_limb_t mpn_add (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { mp_limb_t cy; assert (an >= bn); cy = mpn_add_n (rp, ap, bp, bn); if (an > bn) cy = mpn_add_1 (rp + bn, ap + bn, an - bn, cy); return cy; } mp_limb_t mpn_sub_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) { mp_size_t i; assert (n > 0); i = 0; do { mp_limb_t a = ap[i]; /* Carry out */ mp_limb_t cy = a < b; rp[i] = a - b; b = cy; } while (++i < n); return b; } mp_limb_t mpn_sub_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mp_size_t i; mp_limb_t cy; for (i = 0, cy = 0; i < n; i++) { mp_limb_t a, b; a = ap[i]; b = bp[i]; b += cy; cy = (b < cy); cy += (a < b); rp[i] = a - b; } return cy; } mp_limb_t mpn_sub (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { mp_limb_t cy; assert (an >= bn); cy = mpn_sub_n (rp, ap, bp, bn); if (an > bn) cy = mpn_sub_1 (rp + bn, ap + bn, an - bn, cy); return cy; } mp_limb_t mpn_mul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_addmul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl, rl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; rl = *rp; lpl = rl + lpl; cl += lpl < rl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_submul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl, rl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; rl = *rp; lpl = rl - lpl; cl += lpl > rl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_mul (mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr vp, mp_size_t vn) { assert (un >= vn); assert (vn >= 1); assert (!GMP_MPN_OVERLAP_P(rp, un + vn, up, un)); assert (!GMP_MPN_OVERLAP_P(rp, un + vn, vp, vn)); /* We first multiply by the low order limb. This result can be stored, not added, to rp. We also avoid a loop for zeroing this way. */ rp[un] = mpn_mul_1 (rp, up, un, vp[0]); /* Now accumulate the product of up[] and the next higher limb from vp[]. */ while (--vn >= 1) { rp += 1, vp += 1; rp[un] = mpn_addmul_1 (rp, up, un, vp[0]); } return rp[un]; } void mpn_mul_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mpn_mul (rp, ap, n, bp, n); } void mpn_sqr (mp_ptr rp, mp_srcptr ap, mp_size_t n) { mpn_mul (rp, ap, n, ap, n); } mp_limb_t mpn_lshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) { mp_limb_t high_limb, low_limb; unsigned int tnc; mp_limb_t retval; assert (n >= 1); assert (cnt >= 1); assert (cnt < GMP_LIMB_BITS); up += n; rp += n; tnc = GMP_LIMB_BITS - cnt; low_limb = *--up; retval = low_limb >> tnc; high_limb = (low_limb << cnt); while (--n != 0) { low_limb = *--up; *--rp = high_limb | (low_limb >> tnc); high_limb = (low_limb << cnt); } *--rp = high_limb; return retval; } mp_limb_t mpn_rshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) { mp_limb_t high_limb, low_limb; unsigned int tnc; mp_limb_t retval; assert (n >= 1); assert (cnt >= 1); assert (cnt < GMP_LIMB_BITS); tnc = GMP_LIMB_BITS - cnt; high_limb = *up++; retval = (high_limb << tnc); low_limb = high_limb >> cnt; while (--n != 0) { high_limb = *up++; *rp++ = low_limb | (high_limb << tnc); low_limb = high_limb >> cnt; } *rp = low_limb; return retval; } static mp_bitcnt_t mpn_common_scan (mp_limb_t limb, mp_size_t i, mp_srcptr up, mp_size_t un, mp_limb_t ux) { unsigned cnt; assert (ux == 0 || ux == GMP_LIMB_MAX); assert (0 <= i && i <= un ); while (limb == 0) { i++; if (i == un) return (ux == 0 ? ~(mp_bitcnt_t) 0 : un * GMP_LIMB_BITS); limb = ux ^ up[i]; } gmp_ctz (cnt, limb); return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt; } mp_bitcnt_t mpn_scan1 (mp_srcptr ptr, mp_bitcnt_t bit) { mp_size_t i; i = bit / GMP_LIMB_BITS; return mpn_common_scan ( ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), i, ptr, i, 0); } mp_bitcnt_t mpn_scan0 (mp_srcptr ptr, mp_bitcnt_t bit) { mp_size_t i; i = bit / GMP_LIMB_BITS; return mpn_common_scan (~ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), i, ptr, i, GMP_LIMB_MAX); } void mpn_com (mp_ptr rp, mp_srcptr up, mp_size_t n) { while (--n >= 0) *rp++ = ~ *up++; } mp_limb_t mpn_neg (mp_ptr rp, mp_srcptr up, mp_size_t n) { while (*up == 0) { *rp = 0; if (!--n) return 0; ++up; ++rp; } *rp = - *up; mpn_com (++rp, ++up, --n); return 1; } /* MPN division interface. */ /* The 3/2 inverse is defined as m = floor( (B^3-1) / (B u1 + u0)) - B */ mp_limb_t mpn_invert_3by2 (mp_limb_t u1, mp_limb_t u0) { mp_limb_t r, m; { mp_limb_t p, ql; unsigned ul, uh, qh; assert (sizeof (unsigned) * 2 >= sizeof (mp_limb_t)); /* For notation, let b denote the half-limb base, so that B = b^2. Split u1 = b uh + ul. */ ul = u1 & GMP_LLIMB_MASK; uh = u1 >> (GMP_LIMB_BITS / 2); /* Approximation of the high half of quotient. Differs from the 2/1 inverse of the half limb uh, since we have already subtracted u0. */ qh = (u1 ^ GMP_LIMB_MAX) / uh; /* Adjust to get a half-limb 3/2 inverse, i.e., we want qh' = floor( (b^3 - 1) / u) - b = floor ((b^3 - b u - 1) / u = floor( (b (~u) + b-1) / u), and the remainder r = b (~u) + b-1 - qh (b uh + ul) = b (~u - qh uh) + b-1 - qh ul Subtraction of qh ul may underflow, which implies adjustments. But by normalization, 2 u >= B > qh ul, so we need to adjust by at most 2. */ r = ((~u1 - (mp_limb_t) qh * uh) << (GMP_LIMB_BITS / 2)) | GMP_LLIMB_MASK; p = (mp_limb_t) qh * ul; /* Adjustment steps taken from udiv_qrnnd_c */ if (r < p) { qh--; r += u1; if (r >= u1) /* i.e. we didn't get carry when adding to r */ if (r < p) { qh--; r += u1; } } r -= p; /* Low half of the quotient is ql = floor ( (b r + b-1) / u1). This is a 3/2 division (on half-limbs), for which qh is a suitable inverse. */ p = (r >> (GMP_LIMB_BITS / 2)) * qh + r; /* Unlike full-limb 3/2, we can add 1 without overflow. For this to work, it is essential that ql is a full mp_limb_t. */ ql = (p >> (GMP_LIMB_BITS / 2)) + 1; /* By the 3/2 trick, we don't need the high half limb. */ r = (r << (GMP_LIMB_BITS / 2)) + GMP_LLIMB_MASK - ql * u1; if (r >= (GMP_LIMB_MAX & (p << (GMP_LIMB_BITS / 2)))) { ql--; r += u1; } m = ((mp_limb_t) qh << (GMP_LIMB_BITS / 2)) + ql; if (r >= u1) { m++; r -= u1; } } /* Now m is the 2/1 inverse of u1. If u0 > 0, adjust it to become a 3/2 inverse. */ if (u0 > 0) { mp_limb_t th, tl; r = ~r; r += u0; if (r < u0) { m--; if (r >= u1) { m--; r -= u1; } r -= u1; } gmp_umul_ppmm (th, tl, u0, m); r += th; if (r < th) { m--; m -= ((r > u1) | ((r == u1) & (tl > u0))); } } return m; } struct gmp_div_inverse { /* Normalization shift count. */ unsigned shift; /* Normalized divisor (d0 unused for mpn_div_qr_1) */ mp_limb_t d1, d0; /* Inverse, for 2/1 or 3/2. */ mp_limb_t di; }; static void mpn_div_qr_1_invert (struct gmp_div_inverse *inv, mp_limb_t d) { unsigned shift; assert (d > 0); gmp_clz (shift, d); inv->shift = shift; inv->d1 = d << shift; inv->di = mpn_invert_limb (inv->d1); } static void mpn_div_qr_2_invert (struct gmp_div_inverse *inv, mp_limb_t d1, mp_limb_t d0) { unsigned shift; assert (d1 > 0); gmp_clz (shift, d1); inv->shift = shift; if (shift > 0) { d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift)); d0 <<= shift; } inv->d1 = d1; inv->d0 = d0; inv->di = mpn_invert_3by2 (d1, d0); } static void mpn_div_qr_invert (struct gmp_div_inverse *inv, mp_srcptr dp, mp_size_t dn) { assert (dn > 0); if (dn == 1) mpn_div_qr_1_invert (inv, dp[0]); else if (dn == 2) mpn_div_qr_2_invert (inv, dp[1], dp[0]); else { unsigned shift; mp_limb_t d1, d0; d1 = dp[dn-1]; d0 = dp[dn-2]; assert (d1 > 0); gmp_clz (shift, d1); inv->shift = shift; if (shift > 0) { d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift)); d0 = (d0 << shift) | (dp[dn-3] >> (GMP_LIMB_BITS - shift)); } inv->d1 = d1; inv->d0 = d0; inv->di = mpn_invert_3by2 (d1, d0); } } /* Not matching current public gmp interface, rather corresponding to the sbpi1_div_* functions. */ static mp_limb_t mpn_div_qr_1_preinv (mp_ptr qp, mp_srcptr np, mp_size_t nn, const struct gmp_div_inverse *inv) { mp_limb_t d, di; mp_limb_t r; mp_ptr tp = NULL; mp_size_t tn = 0; if (inv->shift > 0) { /* Shift, reusing qp area if possible. In-place shift if qp == np. */ tp = qp; if (!tp) { tn = nn; tp = gmp_alloc_limbs (tn); } r = mpn_lshift (tp, np, nn, inv->shift); np = tp; } else r = 0; d = inv->d1; di = inv->di; while (--nn >= 0) { mp_limb_t q; gmp_udiv_qrnnd_preinv (q, r, r, np[nn], d, di); if (qp) qp[nn] = q; } if (tn) gmp_free_limbs (tp, tn); return r >> inv->shift; } static void mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, const struct gmp_div_inverse *inv) { unsigned shift; mp_size_t i; mp_limb_t d1, d0, di, r1, r0; assert (nn >= 2); shift = inv->shift; d1 = inv->d1; d0 = inv->d0; di = inv->di; if (shift > 0) r1 = mpn_lshift (np, np, nn, shift); else r1 = 0; r0 = np[nn - 1]; i = nn - 2; do { mp_limb_t n0, q; n0 = np[i]; gmp_udiv_qr_3by2 (q, r1, r0, r1, r0, n0, d1, d0, di); if (qp) qp[i] = q; } while (--i >= 0); if (shift > 0) { assert ((r0 & (GMP_LIMB_MAX >> (GMP_LIMB_BITS - shift))) == 0); r0 = (r0 >> shift) | (r1 << (GMP_LIMB_BITS - shift)); r1 >>= shift; } np[1] = r1; np[0] = r0; } static void mpn_div_qr_pi1 (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_limb_t n1, mp_srcptr dp, mp_size_t dn, mp_limb_t dinv) { mp_size_t i; mp_limb_t d1, d0; mp_limb_t cy, cy1; mp_limb_t q; assert (dn > 2); assert (nn >= dn); d1 = dp[dn - 1]; d0 = dp[dn - 2]; assert ((d1 & GMP_LIMB_HIGHBIT) != 0); /* Iteration variable is the index of the q limb. * * We divide * by */ i = nn - dn; do { mp_limb_t n0 = np[dn-1+i]; if (n1 == d1 && n0 == d0) { q = GMP_LIMB_MAX; mpn_submul_1 (np+i, dp, dn, q); n1 = np[dn-1+i]; /* update n1, last loop's value will now be invalid */ } else { gmp_udiv_qr_3by2 (q, n1, n0, n1, n0, np[dn-2+i], d1, d0, dinv); cy = mpn_submul_1 (np + i, dp, dn-2, q); cy1 = n0 < cy; n0 = n0 - cy; cy = n1 < cy1; n1 = n1 - cy1; np[dn-2+i] = n0; if (cy != 0) { n1 += d1 + mpn_add_n (np + i, np + i, dp, dn - 1); q--; } } if (qp) qp[i] = q; } while (--i >= 0); np[dn - 1] = n1; } static void mpn_div_qr_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn, const struct gmp_div_inverse *inv) { assert (dn > 0); assert (nn >= dn); if (dn == 1) np[0] = mpn_div_qr_1_preinv (qp, np, nn, inv); else if (dn == 2) mpn_div_qr_2_preinv (qp, np, nn, inv); else { mp_limb_t nh; unsigned shift; assert (inv->d1 == dp[dn-1]); assert (inv->d0 == dp[dn-2]); assert ((inv->d1 & GMP_LIMB_HIGHBIT) != 0); shift = inv->shift; if (shift > 0) nh = mpn_lshift (np, np, nn, shift); else nh = 0; mpn_div_qr_pi1 (qp, np, nn, nh, dp, dn, inv->di); if (shift > 0) gmp_assert_nocarry (mpn_rshift (np, np, dn, shift)); } } static void mpn_div_qr (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn) { struct gmp_div_inverse inv; mp_ptr tp = NULL; assert (dn > 0); assert (nn >= dn); mpn_div_qr_invert (&inv, dp, dn); if (dn > 2 && inv.shift > 0) { tp = gmp_alloc_limbs (dn); gmp_assert_nocarry (mpn_lshift (tp, dp, dn, inv.shift)); dp = tp; } mpn_div_qr_preinv (qp, np, nn, dp, dn, &inv); if (tp) gmp_free_limbs (tp, dn); } /* MPN base conversion. */ static unsigned mpn_base_power_of_two_p (unsigned b) { switch (b) { case 2: return 1; case 4: return 2; case 8: return 3; case 16: return 4; case 32: return 5; case 64: return 6; case 128: return 7; case 256: return 8; default: return 0; } } struct mpn_base_info { /* bb is the largest power of the base which fits in one limb, and exp is the corresponding exponent. */ unsigned exp; mp_limb_t bb; }; static void mpn_get_base_info (struct mpn_base_info *info, mp_limb_t b) { mp_limb_t m; mp_limb_t p; unsigned exp; m = GMP_LIMB_MAX / b; for (exp = 1, p = b; p <= m; exp++) p *= b; info->exp = exp; info->bb = p; } static mp_bitcnt_t mpn_limb_size_in_base_2 (mp_limb_t u) { unsigned shift; assert (u > 0); gmp_clz (shift, u); return GMP_LIMB_BITS - shift; } static size_t mpn_get_str_bits (unsigned char *sp, unsigned bits, mp_srcptr up, mp_size_t un) { unsigned char mask; size_t sn, j; mp_size_t i; unsigned shift; sn = ((un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]) + bits - 1) / bits; mask = (1U << bits) - 1; for (i = 0, j = sn, shift = 0; j-- > 0;) { unsigned char digit = up[i] >> shift; shift += bits; if (shift >= GMP_LIMB_BITS && ++i < un) { shift -= GMP_LIMB_BITS; digit |= up[i] << (bits - shift); } sp[j] = digit & mask; } return sn; } /* We generate digits from the least significant end, and reverse at the end. */ static size_t mpn_limb_get_str (unsigned char *sp, mp_limb_t w, const struct gmp_div_inverse *binv) { mp_size_t i; for (i = 0; w > 0; i++) { mp_limb_t h, l, r; h = w >> (GMP_LIMB_BITS - binv->shift); l = w << binv->shift; gmp_udiv_qrnnd_preinv (w, r, h, l, binv->d1, binv->di); assert ((r & (GMP_LIMB_MAX >> (GMP_LIMB_BITS - binv->shift))) == 0); r >>= binv->shift; sp[i] = r; } return i; } static size_t mpn_get_str_other (unsigned char *sp, int base, const struct mpn_base_info *info, mp_ptr up, mp_size_t un) { struct gmp_div_inverse binv; size_t sn; size_t i; mpn_div_qr_1_invert (&binv, base); sn = 0; if (un > 1) { struct gmp_div_inverse bbinv; mpn_div_qr_1_invert (&bbinv, info->bb); do { mp_limb_t w; size_t done; w = mpn_div_qr_1_preinv (up, up, un, &bbinv); un -= (up[un-1] == 0); done = mpn_limb_get_str (sp + sn, w, &binv); for (sn += done; done < info->exp; done++) sp[sn++] = 0; } while (un > 1); } sn += mpn_limb_get_str (sp + sn, up[0], &binv); /* Reverse order */ for (i = 0; 2*i + 1 < sn; i++) { unsigned char t = sp[i]; sp[i] = sp[sn - i - 1]; sp[sn - i - 1] = t; } return sn; } size_t mpn_get_str (unsigned char *sp, int base, mp_ptr up, mp_size_t un) { unsigned bits; assert (un > 0); assert (up[un-1] > 0); bits = mpn_base_power_of_two_p (base); if (bits) return mpn_get_str_bits (sp, bits, up, un); else { struct mpn_base_info info; mpn_get_base_info (&info, base); return mpn_get_str_other (sp, base, &info, up, un); } } static mp_size_t mpn_set_str_bits (mp_ptr rp, const unsigned char *sp, size_t sn, unsigned bits) { mp_size_t rn; mp_limb_t limb; unsigned shift; for (limb = 0, rn = 0, shift = 0; sn-- > 0; ) { limb |= (mp_limb_t) sp[sn] << shift; shift += bits; if (shift >= GMP_LIMB_BITS) { shift -= GMP_LIMB_BITS; rp[rn++] = limb; /* Next line is correct also if shift == 0, bits == 8, and mp_limb_t == unsigned char. */ limb = (unsigned int) sp[sn] >> (bits - shift); } } if (limb != 0) rp[rn++] = limb; else rn = mpn_normalized_size (rp, rn); return rn; } /* Result is usually normalized, except for all-zero input, in which case a single zero limb is written at *RP, and 1 is returned. */ static mp_size_t mpn_set_str_other (mp_ptr rp, const unsigned char *sp, size_t sn, mp_limb_t b, const struct mpn_base_info *info) { mp_size_t rn; mp_limb_t w; unsigned k; size_t j; assert (sn > 0); k = 1 + (sn - 1) % info->exp; j = 0; w = sp[j++]; while (--k != 0) w = w * b + sp[j++]; rp[0] = w; for (rn = 1; j < sn;) { mp_limb_t cy; w = sp[j++]; for (k = 1; k < info->exp; k++) w = w * b + sp[j++]; cy = mpn_mul_1 (rp, rp, rn, info->bb); cy += mpn_add_1 (rp, rp, rn, w); if (cy > 0) rp[rn++] = cy; } assert (j == sn); return rn; } mp_size_t mpn_set_str (mp_ptr rp, const unsigned char *sp, size_t sn, int base) { unsigned bits; if (sn == 0) return 0; bits = mpn_base_power_of_two_p (base); if (bits) return mpn_set_str_bits (rp, sp, sn, bits); else { struct mpn_base_info info; mpn_get_base_info (&info, base); return mpn_set_str_other (rp, sp, sn, base, &info); } } /* MPZ interface */ void mpz_init (mpz_t r) { static const mp_limb_t dummy_limb = GMP_LIMB_MAX & 0xc1a0; r->_mp_alloc = 0; r->_mp_size = 0; r->_mp_d = (mp_ptr) &dummy_limb; } /* The utility of this function is a bit limited, since many functions assigns the result variable using mpz_swap. */ void mpz_init2 (mpz_t r, mp_bitcnt_t bits) { mp_size_t rn; bits -= (bits != 0); /* Round down, except if 0 */ rn = 1 + bits / GMP_LIMB_BITS; r->_mp_alloc = rn; r->_mp_size = 0; r->_mp_d = gmp_alloc_limbs (rn); } void mpz_clear (mpz_t r) { if (r->_mp_alloc) gmp_free_limbs (r->_mp_d, r->_mp_alloc); } static mp_ptr mpz_realloc (mpz_t r, mp_size_t size) { size = GMP_MAX (size, 1); if (r->_mp_alloc) r->_mp_d = gmp_realloc_limbs (r->_mp_d, r->_mp_alloc, size); else r->_mp_d = gmp_alloc_limbs (size); r->_mp_alloc = size; if (GMP_ABS (r->_mp_size) > size) r->_mp_size = 0; return r->_mp_d; } /* Realloc for an mpz_t WHAT if it has less than NEEDED limbs. */ #define MPZ_REALLOC(z,n) ((n) > (z)->_mp_alloc \ ? mpz_realloc(z,n) \ : (z)->_mp_d) /* MPZ assignment and basic conversions. */ void mpz_set_si (mpz_t r, signed long int x) { if (x >= 0) mpz_set_ui (r, x); else /* (x < 0) */ if (GMP_LIMB_BITS < GMP_ULONG_BITS) { mpz_set_ui (r, GMP_NEG_CAST (unsigned long int, x)); mpz_neg (r, r); } else { r->_mp_size = -1; MPZ_REALLOC (r, 1)[0] = GMP_NEG_CAST (unsigned long int, x); } } void mpz_set_ui (mpz_t r, unsigned long int x) { if (x > 0) { r->_mp_size = 1; MPZ_REALLOC (r, 1)[0] = x; if (GMP_LIMB_BITS < GMP_ULONG_BITS) { int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; while (x >>= LOCAL_GMP_LIMB_BITS) { ++ r->_mp_size; MPZ_REALLOC (r, r->_mp_size)[r->_mp_size - 1] = x; } } } else r->_mp_size = 0; } void mpz_set (mpz_t r, const mpz_t x) { /* Allow the NOP r == x */ if (r != x) { mp_size_t n; mp_ptr rp; n = GMP_ABS (x->_mp_size); rp = MPZ_REALLOC (r, n); mpn_copyi (rp, x->_mp_d, n); r->_mp_size = x->_mp_size; } } void mpz_init_set_si (mpz_t r, signed long int x) { mpz_init (r); mpz_set_si (r, x); } void mpz_init_set_ui (mpz_t r, unsigned long int x) { mpz_init (r); mpz_set_ui (r, x); } void mpz_init_set (mpz_t r, const mpz_t x) { mpz_init (r); mpz_set (r, x); } int mpz_fits_slong_p (const mpz_t u) { return mpz_cmp_si (u, LONG_MAX) <= 0 && mpz_cmp_si (u, LONG_MIN) >= 0; } static int mpn_absfits_ulong_p (mp_srcptr up, mp_size_t un) { int ulongsize = GMP_ULONG_BITS / GMP_LIMB_BITS; mp_limb_t ulongrem = 0; if (GMP_ULONG_BITS % GMP_LIMB_BITS != 0) ulongrem = (mp_limb_t) (ULONG_MAX >> GMP_LIMB_BITS * ulongsize) + 1; return un <= ulongsize || (up[ulongsize] < ulongrem && un == ulongsize + 1); } int mpz_fits_ulong_p (const mpz_t u) { mp_size_t us = u->_mp_size; return us >= 0 && mpn_absfits_ulong_p (u->_mp_d, us); } int mpz_fits_sint_p (const mpz_t u) { return mpz_cmp_si (u, INT_MAX) <= 0 && mpz_cmp_si (u, INT_MIN) >= 0; } int mpz_fits_uint_p (const mpz_t u) { return u->_mp_size >= 0 && mpz_cmpabs_ui (u, UINT_MAX) <= 0; } int mpz_fits_sshort_p (const mpz_t u) { return mpz_cmp_si (u, SHRT_MAX) <= 0 && mpz_cmp_si (u, SHRT_MIN) >= 0; } int mpz_fits_ushort_p (const mpz_t u) { return u->_mp_size >= 0 && mpz_cmpabs_ui (u, USHRT_MAX) <= 0; } long int mpz_get_si (const mpz_t u) { unsigned long r = mpz_get_ui (u); unsigned long c = -LONG_MAX - LONG_MIN; if (u->_mp_size < 0) /* This expression is necessary to properly handle -LONG_MIN */ return -(long) c - (long) ((r - c) & LONG_MAX); else return (long) (r & LONG_MAX); } unsigned long int mpz_get_ui (const mpz_t u) { if (GMP_LIMB_BITS < GMP_ULONG_BITS) { int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; unsigned long r = 0; mp_size_t n = GMP_ABS (u->_mp_size); n = GMP_MIN (n, 1 + (mp_size_t) (GMP_ULONG_BITS - 1) / GMP_LIMB_BITS); while (--n >= 0) r = (r << LOCAL_GMP_LIMB_BITS) + u->_mp_d[n]; return r; } return u->_mp_size == 0 ? 0 : u->_mp_d[0]; } size_t mpz_size (const mpz_t u) { return GMP_ABS (u->_mp_size); } mp_limb_t mpz_getlimbn (const mpz_t u, mp_size_t n) { if (n >= 0 && n < GMP_ABS (u->_mp_size)) return u->_mp_d[n]; else return 0; } void mpz_realloc2 (mpz_t x, mp_bitcnt_t n) { mpz_realloc (x, 1 + (n - (n != 0)) / GMP_LIMB_BITS); } mp_srcptr mpz_limbs_read (mpz_srcptr x) { return x->_mp_d; } mp_ptr mpz_limbs_modify (mpz_t x, mp_size_t n) { assert (n > 0); return MPZ_REALLOC (x, n); } mp_ptr mpz_limbs_write (mpz_t x, mp_size_t n) { return mpz_limbs_modify (x, n); } void mpz_limbs_finish (mpz_t x, mp_size_t xs) { mp_size_t xn; xn = mpn_normalized_size (x->_mp_d, GMP_ABS (xs)); x->_mp_size = xs < 0 ? -xn : xn; } static mpz_srcptr mpz_roinit_normal_n (mpz_t x, mp_srcptr xp, mp_size_t xs) { x->_mp_alloc = 0; x->_mp_d = (mp_ptr) xp; x->_mp_size = xs; return x; } mpz_srcptr mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs) { mpz_roinit_normal_n (x, xp, xs); mpz_limbs_finish (x, xs); return x; } #if MINI_GMP_ENABLE_FLOAT /* Conversions and comparison to double. */ void mpz_set_d (mpz_t r, double x) { int sign; mp_ptr rp; mp_size_t rn, i; double B; double Bi; mp_limb_t f; /* x != x is true when x is a NaN, and x == x * 0.5 is true when x is zero or infinity. */ if (x != x || x == x * 0.5) { r->_mp_size = 0; return; } sign = x < 0.0 ; if (sign) x = - x; if (x < 1.0) { r->_mp_size = 0; return; } B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); Bi = 1.0 / B; for (rn = 1; x >= B; rn++) x *= Bi; rp = MPZ_REALLOC (r, rn); f = (mp_limb_t) x; x -= f; assert (x < 1.0); i = rn-1; rp[i] = f; while (--i >= 0) { x = B * x; f = (mp_limb_t) x; x -= f; assert (x < 1.0); rp[i] = f; } r->_mp_size = sign ? - rn : rn; } void mpz_init_set_d (mpz_t r, double x) { mpz_init (r); mpz_set_d (r, x); } double mpz_get_d (const mpz_t u) { int m; mp_limb_t l; mp_size_t un; double x; double B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); un = GMP_ABS (u->_mp_size); if (un == 0) return 0.0; l = u->_mp_d[--un]; gmp_clz (m, l); m = m + GMP_DBL_MANT_BITS - GMP_LIMB_BITS; if (m < 0) l &= GMP_LIMB_MAX << -m; for (x = l; --un >= 0;) { x = B*x; if (m > 0) { l = u->_mp_d[un]; m -= GMP_LIMB_BITS; if (m < 0) l &= GMP_LIMB_MAX << -m; x += l; } } if (u->_mp_size < 0) x = -x; return x; } int mpz_cmpabs_d (const mpz_t x, double d) { mp_size_t xn; double B, Bi; mp_size_t i; xn = x->_mp_size; d = GMP_ABS (d); if (xn != 0) { xn = GMP_ABS (xn); B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); Bi = 1.0 / B; /* Scale d so it can be compared with the top limb. */ for (i = 1; i < xn; i++) d *= Bi; if (d >= B) return -1; /* Compare floor(d) to top limb, subtract and cancel when equal. */ for (i = xn; i-- > 0;) { mp_limb_t f, xl; f = (mp_limb_t) d; xl = x->_mp_d[i]; if (xl > f) return 1; else if (xl < f) return -1; d = B * (d - f); } } return - (d > 0.0); } int mpz_cmp_d (const mpz_t x, double d) { if (x->_mp_size < 0) { if (d >= 0.0) return -1; else return -mpz_cmpabs_d (x, d); } else { if (d < 0.0) return 1; else return mpz_cmpabs_d (x, d); } } #endif /* MINI_GMP_ENABLE_FLOAT */ /* MPZ comparisons and the like. */ int mpz_sgn (const mpz_t u) { return GMP_CMP (u->_mp_size, 0); } int mpz_cmp_si (const mpz_t u, long v) { mp_size_t usize = u->_mp_size; if (v >= 0) return mpz_cmp_ui (u, v); else if (usize >= 0) return 1; else return - mpz_cmpabs_ui (u, GMP_NEG_CAST (unsigned long int, v)); } int mpz_cmp_ui (const mpz_t u, unsigned long v) { mp_size_t usize = u->_mp_size; if (usize < 0) return -1; else return mpz_cmpabs_ui (u, v); } int mpz_cmp (const mpz_t a, const mpz_t b) { mp_size_t asize = a->_mp_size; mp_size_t bsize = b->_mp_size; if (asize != bsize) return (asize < bsize) ? -1 : 1; else if (asize >= 0) return mpn_cmp (a->_mp_d, b->_mp_d, asize); else return mpn_cmp (b->_mp_d, a->_mp_d, -asize); } int mpz_cmpabs_ui (const mpz_t u, unsigned long v) { mp_size_t un = GMP_ABS (u->_mp_size); if (! mpn_absfits_ulong_p (u->_mp_d, un)) return 1; else { unsigned long uu = mpz_get_ui (u); return GMP_CMP(uu, v); } } int mpz_cmpabs (const mpz_t u, const mpz_t v) { return mpn_cmp4 (u->_mp_d, GMP_ABS (u->_mp_size), v->_mp_d, GMP_ABS (v->_mp_size)); } void mpz_abs (mpz_t r, const mpz_t u) { mpz_set (r, u); r->_mp_size = GMP_ABS (r->_mp_size); } void mpz_neg (mpz_t r, const mpz_t u) { mpz_set (r, u); r->_mp_size = -r->_mp_size; } void mpz_swap (mpz_t u, mpz_t v) { MP_SIZE_T_SWAP (u->_mp_alloc, v->_mp_alloc); MPN_PTR_SWAP (u->_mp_d, u->_mp_size, v->_mp_d, v->_mp_size); } /* MPZ addition and subtraction */ void mpz_add_ui (mpz_t r, const mpz_t a, unsigned long b) { mpz_t bb; mpz_init_set_ui (bb, b); mpz_add (r, a, bb); mpz_clear (bb); } void mpz_sub_ui (mpz_t r, const mpz_t a, unsigned long b) { mpz_ui_sub (r, b, a); mpz_neg (r, r); } void mpz_ui_sub (mpz_t r, unsigned long a, const mpz_t b) { mpz_neg (r, b); mpz_add_ui (r, r, a); } static mp_size_t mpz_abs_add (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_size_t bn = GMP_ABS (b->_mp_size); mp_ptr rp; mp_limb_t cy; if (an < bn) { MPZ_SRCPTR_SWAP (a, b); MP_SIZE_T_SWAP (an, bn); } rp = MPZ_REALLOC (r, an + 1); cy = mpn_add (rp, a->_mp_d, an, b->_mp_d, bn); rp[an] = cy; return an + cy; } static mp_size_t mpz_abs_sub (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_size_t bn = GMP_ABS (b->_mp_size); int cmp; mp_ptr rp; cmp = mpn_cmp4 (a->_mp_d, an, b->_mp_d, bn); if (cmp > 0) { rp = MPZ_REALLOC (r, an); gmp_assert_nocarry (mpn_sub (rp, a->_mp_d, an, b->_mp_d, bn)); return mpn_normalized_size (rp, an); } else if (cmp < 0) { rp = MPZ_REALLOC (r, bn); gmp_assert_nocarry (mpn_sub (rp, b->_mp_d, bn, a->_mp_d, an)); return -mpn_normalized_size (rp, bn); } else return 0; } void mpz_add (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t rn; if ( (a->_mp_size ^ b->_mp_size) >= 0) rn = mpz_abs_add (r, a, b); else rn = mpz_abs_sub (r, a, b); r->_mp_size = a->_mp_size >= 0 ? rn : - rn; } void mpz_sub (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t rn; if ( (a->_mp_size ^ b->_mp_size) >= 0) rn = mpz_abs_sub (r, a, b); else rn = mpz_abs_add (r, a, b); r->_mp_size = a->_mp_size >= 0 ? rn : - rn; } /* MPZ multiplication */ void mpz_mul_si (mpz_t r, const mpz_t u, long int v) { if (v < 0) { mpz_mul_ui (r, u, GMP_NEG_CAST (unsigned long int, v)); mpz_neg (r, r); } else mpz_mul_ui (r, u, v); } void mpz_mul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t vv; mpz_init_set_ui (vv, v); mpz_mul (r, u, vv); mpz_clear (vv); return; } void mpz_mul (mpz_t r, const mpz_t u, const mpz_t v) { int sign; mp_size_t un, vn, rn; mpz_t t; mp_ptr tp; un = u->_mp_size; vn = v->_mp_size; if (un == 0 || vn == 0) { r->_mp_size = 0; return; } sign = (un ^ vn) < 0; un = GMP_ABS (un); vn = GMP_ABS (vn); mpz_init2 (t, (un + vn) * GMP_LIMB_BITS); tp = t->_mp_d; if (un >= vn) mpn_mul (tp, u->_mp_d, un, v->_mp_d, vn); else mpn_mul (tp, v->_mp_d, vn, u->_mp_d, un); rn = un + vn; rn -= tp[rn-1] == 0; t->_mp_size = sign ? - rn : rn; mpz_swap (r, t); mpz_clear (t); } void mpz_mul_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bits) { mp_size_t un, rn; mp_size_t limbs; unsigned shift; mp_ptr rp; un = GMP_ABS (u->_mp_size); if (un == 0) { r->_mp_size = 0; return; } limbs = bits / GMP_LIMB_BITS; shift = bits % GMP_LIMB_BITS; rn = un + limbs + (shift > 0); rp = MPZ_REALLOC (r, rn); if (shift > 0) { mp_limb_t cy = mpn_lshift (rp + limbs, u->_mp_d, un, shift); rp[rn-1] = cy; rn -= (cy == 0); } else mpn_copyd (rp + limbs, u->_mp_d, un); mpn_zero (rp, limbs); r->_mp_size = (u->_mp_size < 0) ? - rn : rn; } void mpz_addmul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; mpz_init_set_ui (t, v); mpz_mul (t, u, t); mpz_add (r, r, t); mpz_clear (t); } void mpz_submul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; mpz_init_set_ui (t, v); mpz_mul (t, u, t); mpz_sub (r, r, t); mpz_clear (t); } void mpz_addmul (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t t; mpz_init (t); mpz_mul (t, u, v); mpz_add (r, r, t); mpz_clear (t); } void mpz_submul (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t t; mpz_init (t); mpz_mul (t, u, v); mpz_sub (r, r, t); mpz_clear (t); } /* MPZ division */ enum mpz_div_round_mode { GMP_DIV_FLOOR, GMP_DIV_CEIL, GMP_DIV_TRUNC }; /* Allows q or r to be zero. Returns 1 iff remainder is non-zero. */ static int mpz_div_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d, enum mpz_div_round_mode mode) { mp_size_t ns, ds, nn, dn, qs; ns = n->_mp_size; ds = d->_mp_size; if (ds == 0) gmp_die("mpz_div_qr: Divide by zero."); if (ns == 0) { if (q) q->_mp_size = 0; if (r) r->_mp_size = 0; return 0; } nn = GMP_ABS (ns); dn = GMP_ABS (ds); qs = ds ^ ns; if (nn < dn) { if (mode == GMP_DIV_CEIL && qs >= 0) { /* q = 1, r = n - d */ if (r) mpz_sub (r, n, d); if (q) mpz_set_ui (q, 1); } else if (mode == GMP_DIV_FLOOR && qs < 0) { /* q = -1, r = n + d */ if (r) mpz_add (r, n, d); if (q) mpz_set_si (q, -1); } else { /* q = 0, r = d */ if (r) mpz_set (r, n); if (q) q->_mp_size = 0; } return 1; } else { mp_ptr np, qp; mp_size_t qn, rn; mpz_t tq, tr; mpz_init_set (tr, n); np = tr->_mp_d; qn = nn - dn + 1; if (q) { mpz_init2 (tq, qn * GMP_LIMB_BITS); qp = tq->_mp_d; } else qp = NULL; mpn_div_qr (qp, np, nn, d->_mp_d, dn); if (qp) { qn -= (qp[qn-1] == 0); tq->_mp_size = qs < 0 ? -qn : qn; } rn = mpn_normalized_size (np, dn); tr->_mp_size = ns < 0 ? - rn : rn; if (mode == GMP_DIV_FLOOR && qs < 0 && rn != 0) { if (q) mpz_sub_ui (tq, tq, 1); if (r) mpz_add (tr, tr, d); } else if (mode == GMP_DIV_CEIL && qs >= 0 && rn != 0) { if (q) mpz_add_ui (tq, tq, 1); if (r) mpz_sub (tr, tr, d); } if (q) { mpz_swap (tq, q); mpz_clear (tq); } if (r) mpz_swap (tr, r); mpz_clear (tr); return rn != 0; } } void mpz_cdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_CEIL); } void mpz_fdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_TRUNC); } void mpz_cdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_CEIL); } void mpz_fdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC); } void mpz_cdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_CEIL); } void mpz_fdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_TRUNC); } void mpz_mod (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, d->_mp_size >= 0 ? GMP_DIV_FLOOR : GMP_DIV_CEIL); } static void mpz_div_q_2exp (mpz_t q, const mpz_t u, mp_bitcnt_t bit_index, enum mpz_div_round_mode mode) { mp_size_t un, qn; mp_size_t limb_cnt; mp_ptr qp; int adjust; un = u->_mp_size; if (un == 0) { q->_mp_size = 0; return; } limb_cnt = bit_index / GMP_LIMB_BITS; qn = GMP_ABS (un) - limb_cnt; bit_index %= GMP_LIMB_BITS; if (mode == ((un > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* un != 0 here. */ /* Note: Below, the final indexing at limb_cnt is valid because at that point we have qn > 0. */ adjust = (qn <= 0 || !mpn_zero_p (u->_mp_d, limb_cnt) || (u->_mp_d[limb_cnt] & (((mp_limb_t) 1 << bit_index) - 1))); else adjust = 0; if (qn <= 0) qn = 0; else { qp = MPZ_REALLOC (q, qn); if (bit_index != 0) { mpn_rshift (qp, u->_mp_d + limb_cnt, qn, bit_index); qn -= qp[qn - 1] == 0; } else { mpn_copyi (qp, u->_mp_d + limb_cnt, qn); } } q->_mp_size = qn; if (adjust) mpz_add_ui (q, q, 1); if (un < 0) mpz_neg (q, q); } static void mpz_div_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bit_index, enum mpz_div_round_mode mode) { mp_size_t us, un, rn; mp_ptr rp; mp_limb_t mask; us = u->_mp_size; if (us == 0 || bit_index == 0) { r->_mp_size = 0; return; } rn = (bit_index + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; assert (rn > 0); rp = MPZ_REALLOC (r, rn); un = GMP_ABS (us); mask = GMP_LIMB_MAX >> (rn * GMP_LIMB_BITS - bit_index); if (rn > un) { /* Quotient (with truncation) is zero, and remainder is non-zero */ if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */ { /* Have to negate and sign extend. */ mp_size_t i; gmp_assert_nocarry (! mpn_neg (rp, u->_mp_d, un)); for (i = un; i < rn - 1; i++) rp[i] = GMP_LIMB_MAX; rp[rn-1] = mask; us = -us; } else { /* Just copy */ if (r != u) mpn_copyi (rp, u->_mp_d, un); rn = un; } } else { if (r != u) mpn_copyi (rp, u->_mp_d, rn - 1); rp[rn-1] = u->_mp_d[rn-1] & mask; if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */ { /* If r != 0, compute 2^{bit_count} - r. */ mpn_neg (rp, rp, rn); rp[rn-1] &= mask; /* us is not used for anything else, so we can modify it here to indicate flipped sign. */ us = -us; } } rn = mpn_normalized_size (rp, rn); r->_mp_size = us < 0 ? -rn : rn; } void mpz_cdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_CEIL); } void mpz_fdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_FLOOR); } void mpz_tdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_TRUNC); } void mpz_cdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_CEIL); } void mpz_fdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_FLOOR); } void mpz_tdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_TRUNC); } void mpz_divexact (mpz_t q, const mpz_t n, const mpz_t d) { gmp_assert_nocarry (mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC)); } int mpz_divisible_p (const mpz_t n, const mpz_t d) { return mpz_div_qr (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0; } int mpz_congruent_p (const mpz_t a, const mpz_t b, const mpz_t m) { mpz_t t; int res; /* a == b (mod 0) iff a == b */ if (mpz_sgn (m) == 0) return (mpz_cmp (a, b) == 0); mpz_init (t); mpz_sub (t, a, b); res = mpz_divisible_p (t, m); mpz_clear (t); return res; } static unsigned long mpz_div_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d, enum mpz_div_round_mode mode) { unsigned long ret; mpz_t rr, dd; mpz_init (rr); mpz_init_set_ui (dd, d); mpz_div_qr (q, rr, n, dd, mode); mpz_clear (dd); ret = mpz_get_ui (rr); if (r) mpz_swap (r, rr); mpz_clear (rr); return ret; } unsigned long mpz_cdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC); } unsigned long mpz_mod_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR); } void mpz_divexact_ui (mpz_t q, const mpz_t n, unsigned long d) { gmp_assert_nocarry (mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC)); } int mpz_divisible_ui_p (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0; } /* GCD */ static mp_limb_t mpn_gcd_11 (mp_limb_t u, mp_limb_t v) { unsigned shift; assert ( (u | v) > 0); if (u == 0) return v; else if (v == 0) return u; gmp_ctz (shift, u | v); u >>= shift; v >>= shift; if ( (u & 1) == 0) MP_LIMB_T_SWAP (u, v); while ( (v & 1) == 0) v >>= 1; while (u != v) { if (u > v) { u -= v; do u >>= 1; while ( (u & 1) == 0); } else { v -= u; do v >>= 1; while ( (v & 1) == 0); } } return u << shift; } mp_size_t mpn_gcd (mp_ptr rp, mp_ptr up, mp_size_t un, mp_ptr vp, mp_size_t vn) { assert (un >= vn); assert (vn > 0); assert (!GMP_MPN_OVERLAP_P (up, un, vp, vn)); assert (vp[vn-1] > 0); assert ((up[0] | vp[0]) & 1); if (un > vn) mpn_div_qr (NULL, up, un, vp, vn); un = mpn_normalized_size (up, vn); if (un == 0) { mpn_copyi (rp, vp, vn); return vn; } if (!(vp[0] & 1)) MPN_PTR_SWAP (up, un, vp, vn); while (un > 1 || vn > 1) { int shift; assert (vp[0] & 1); while (up[0] == 0) { up++; un--; } gmp_ctz (shift, up[0]); if (shift > 0) { gmp_assert_nocarry (mpn_rshift(up, up, un, shift)); un -= (up[un-1] == 0); } if (un < vn) MPN_PTR_SWAP (up, un, vp, vn); else if (un == vn) { int c = mpn_cmp (up, vp, un); if (c == 0) { mpn_copyi (rp, up, un); return un; } else if (c < 0) MP_PTR_SWAP (up, vp); } gmp_assert_nocarry (mpn_sub (up, up, un, vp, vn)); un = mpn_normalized_size (up, un); } rp[0] = mpn_gcd_11 (up[0], vp[0]); return 1; } unsigned long mpz_gcd_ui (mpz_t g, const mpz_t u, unsigned long v) { mpz_t t; mpz_init_set_ui(t, v); mpz_gcd (t, u, t); if (v > 0) v = mpz_get_ui (t); if (g) mpz_swap (t, g); mpz_clear (t); return v; } static mp_bitcnt_t mpz_make_odd (mpz_t r) { mp_bitcnt_t shift; assert (r->_mp_size > 0); /* Count trailing zeros, equivalent to mpn_scan1, because we know that there is a 1 */ shift = mpn_scan1 (r->_mp_d, 0); mpz_tdiv_q_2exp (r, r, shift); return shift; } void mpz_gcd (mpz_t g, const mpz_t u, const mpz_t v) { mpz_t tu, tv; mp_bitcnt_t uz, vz, gz; if (u->_mp_size == 0) { mpz_abs (g, v); return; } if (v->_mp_size == 0) { mpz_abs (g, u); return; } mpz_init (tu); mpz_init (tv); mpz_abs (tu, u); uz = mpz_make_odd (tu); mpz_abs (tv, v); vz = mpz_make_odd (tv); gz = GMP_MIN (uz, vz); if (tu->_mp_size < tv->_mp_size) mpz_swap (tu, tv); tu->_mp_size = mpn_gcd (tu->_mp_d, tu->_mp_d, tu->_mp_size, tv->_mp_d, tv->_mp_size); mpz_mul_2exp (g, tu, gz); mpz_clear (tu); mpz_clear (tv); } void mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v) { mpz_t tu, tv, s0, s1, t0, t1; mp_bitcnt_t uz, vz, gz; mp_bitcnt_t power; int cmp; if (u->_mp_size == 0) { /* g = 0 u + sgn(v) v */ signed long sign = mpz_sgn (v); mpz_abs (g, v); if (s) s->_mp_size = 0; if (t) mpz_set_si (t, sign); return; } if (v->_mp_size == 0) { /* g = sgn(u) u + 0 v */ signed long sign = mpz_sgn (u); mpz_abs (g, u); if (s) mpz_set_si (s, sign); if (t) t->_mp_size = 0; return; } mpz_init (tu); mpz_init (tv); mpz_init (s0); mpz_init (s1); mpz_init (t0); mpz_init (t1); mpz_abs (tu, u); uz = mpz_make_odd (tu); mpz_abs (tv, v); vz = mpz_make_odd (tv); gz = GMP_MIN (uz, vz); uz -= gz; vz -= gz; /* Cofactors corresponding to odd gcd. gz handled later. */ if (tu->_mp_size < tv->_mp_size) { mpz_swap (tu, tv); MPZ_SRCPTR_SWAP (u, v); MPZ_PTR_SWAP (s, t); MP_BITCNT_T_SWAP (uz, vz); } /* Maintain * * u = t0 tu + t1 tv * v = s0 tu + s1 tv * * where u and v denote the inputs with common factors of two * eliminated, and det (s0, t0; s1, t1) = 2^p. Then * * 2^p tu = s1 u - t1 v * 2^p tv = -s0 u + t0 v */ /* After initial division, tu = q tv + tu', we have * * u = 2^uz (tu' + q tv) * v = 2^vz tv * * or * * t0 = 2^uz, t1 = 2^uz q * s0 = 0, s1 = 2^vz */ mpz_tdiv_qr (t1, tu, tu, tv); mpz_mul_2exp (t1, t1, uz); mpz_setbit (s1, vz); power = uz + vz; if (tu->_mp_size > 0) { mp_bitcnt_t shift; shift = mpz_make_odd (tu); mpz_setbit (t0, uz + shift); power += shift; for (;;) { int c; c = mpz_cmp (tu, tv); if (c == 0) break; if (c < 0) { /* tv = tv' + tu * * u = t0 tu + t1 (tv' + tu) = (t0 + t1) tu + t1 tv' * v = s0 tu + s1 (tv' + tu) = (s0 + s1) tu + s1 tv' */ mpz_sub (tv, tv, tu); mpz_add (t0, t0, t1); mpz_add (s0, s0, s1); shift = mpz_make_odd (tv); mpz_mul_2exp (t1, t1, shift); mpz_mul_2exp (s1, s1, shift); } else { mpz_sub (tu, tu, tv); mpz_add (t1, t0, t1); mpz_add (s1, s0, s1); shift = mpz_make_odd (tu); mpz_mul_2exp (t0, t0, shift); mpz_mul_2exp (s0, s0, shift); } power += shift; } } else mpz_setbit (t0, uz); /* Now tv = odd part of gcd, and -s0 and t0 are corresponding cofactors. */ mpz_mul_2exp (tv, tv, gz); mpz_neg (s0, s0); /* 2^p g = s0 u + t0 v. Eliminate one factor of two at a time. To adjust cofactors, we need u / g and v / g */ mpz_divexact (s1, v, tv); mpz_abs (s1, s1); mpz_divexact (t1, u, tv); mpz_abs (t1, t1); while (power-- > 0) { /* s0 u + t0 v = (s0 - v/g) u - (t0 + u/g) v */ if (mpz_odd_p (s0) || mpz_odd_p (t0)) { mpz_sub (s0, s0, s1); mpz_add (t0, t0, t1); } assert (mpz_even_p (t0) && mpz_even_p (s0)); mpz_tdiv_q_2exp (s0, s0, 1); mpz_tdiv_q_2exp (t0, t0, 1); } /* Choose small cofactors (they should generally satify |s| < |u| / 2g and |t| < |v| / 2g, with some documented exceptions). Always choose the smallest s, if there are two choices for s with same absolute value, choose the one with smallest corresponding t (this asymmetric condition is needed to prefer s = 0, |t| = 1 when g = |a| = |b|). */ mpz_add (s1, s0, s1); mpz_sub (t1, t0, t1); cmp = mpz_cmpabs (s0, s1); if (cmp > 0 || (cmp == 0 && mpz_cmpabs (t0, t1) > 0)) { mpz_swap (s0, s1); mpz_swap (t0, t1); } if (u->_mp_size < 0) mpz_neg (s0, s0); if (v->_mp_size < 0) mpz_neg (t0, t0); mpz_swap (g, tv); if (s) mpz_swap (s, s0); if (t) mpz_swap (t, t0); mpz_clear (tu); mpz_clear (tv); mpz_clear (s0); mpz_clear (s1); mpz_clear (t0); mpz_clear (t1); } void mpz_lcm (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t g; if (u->_mp_size == 0 || v->_mp_size == 0) { r->_mp_size = 0; return; } mpz_init (g); mpz_gcd (g, u, v); mpz_divexact (g, u, g); mpz_mul (r, g, v); mpz_clear (g); mpz_abs (r, r); } void mpz_lcm_ui (mpz_t r, const mpz_t u, unsigned long v) { if (v == 0 || u->_mp_size == 0) { r->_mp_size = 0; return; } v /= mpz_gcd_ui (NULL, u, v); mpz_mul_ui (r, u, v); mpz_abs (r, r); } int mpz_invert (mpz_t r, const mpz_t u, const mpz_t m) { mpz_t g, tr; int invertible; if (u->_mp_size == 0 || mpz_cmpabs_ui (m, 1) <= 0) return 0; mpz_init (g); mpz_init (tr); mpz_gcdext (g, tr, NULL, u, m); invertible = (mpz_cmp_ui (g, 1) == 0); if (invertible) { if (tr->_mp_size < 0) { if (m->_mp_size >= 0) mpz_add (tr, tr, m); else mpz_sub (tr, tr, m); } mpz_swap (r, tr); } mpz_clear (g); mpz_clear (tr); return invertible; } /* Higher level operations (sqrt, pow and root) */ void mpz_pow_ui (mpz_t r, const mpz_t b, unsigned long e) { unsigned long bit; mpz_t tr; mpz_init_set_ui (tr, 1); bit = GMP_ULONG_HIGHBIT; do { mpz_mul (tr, tr, tr); if (e & bit) mpz_mul (tr, tr, b); bit >>= 1; } while (bit > 0); mpz_swap (r, tr); mpz_clear (tr); } void mpz_ui_pow_ui (mpz_t r, unsigned long blimb, unsigned long e) { mpz_t b; mpz_init_set_ui (b, blimb); mpz_pow_ui (r, b, e); mpz_clear (b); } void mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m) { mpz_t tr; mpz_t base; mp_size_t en, mn; mp_srcptr mp; struct gmp_div_inverse minv; unsigned shift; mp_ptr tp = NULL; en = GMP_ABS (e->_mp_size); mn = GMP_ABS (m->_mp_size); if (mn == 0) gmp_die ("mpz_powm: Zero modulo."); if (en == 0) { mpz_set_ui (r, mpz_cmpabs_ui (m, 1)); return; } mp = m->_mp_d; mpn_div_qr_invert (&minv, mp, mn); shift = minv.shift; if (shift > 0) { /* To avoid shifts, we do all our reductions, except the final one, using a *normalized* m. */ minv.shift = 0; tp = gmp_alloc_limbs (mn); gmp_assert_nocarry (mpn_lshift (tp, mp, mn, shift)); mp = tp; } mpz_init (base); if (e->_mp_size < 0) { if (!mpz_invert (base, b, m)) gmp_die ("mpz_powm: Negative exponent and non-invertible base."); } else { mp_size_t bn; mpz_abs (base, b); bn = base->_mp_size; if (bn >= mn) { mpn_div_qr_preinv (NULL, base->_mp_d, base->_mp_size, mp, mn, &minv); bn = mn; } /* We have reduced the absolute value. Now take care of the sign. Note that we get zero represented non-canonically as m. */ if (b->_mp_size < 0) { mp_ptr bp = MPZ_REALLOC (base, mn); gmp_assert_nocarry (mpn_sub (bp, mp, mn, bp, bn)); bn = mn; } base->_mp_size = mpn_normalized_size (base->_mp_d, bn); } mpz_init_set_ui (tr, 1); while (--en >= 0) { mp_limb_t w = e->_mp_d[en]; mp_limb_t bit; bit = GMP_LIMB_HIGHBIT; do { mpz_mul (tr, tr, tr); if (w & bit) mpz_mul (tr, tr, base); if (tr->_mp_size > mn) { mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv); tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn); } bit >>= 1; } while (bit > 0); } /* Final reduction */ if (tr->_mp_size >= mn) { minv.shift = shift; mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv); tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn); } if (tp) gmp_free_limbs (tp, mn); mpz_swap (r, tr); mpz_clear (tr); mpz_clear (base); } void mpz_powm_ui (mpz_t r, const mpz_t b, unsigned long elimb, const mpz_t m) { mpz_t e; mpz_init_set_ui (e, elimb); mpz_powm (r, b, e, m); mpz_clear (e); } /* x=trunc(y^(1/z)), r=y-x^z */ void mpz_rootrem (mpz_t x, mpz_t r, const mpz_t y, unsigned long z) { int sgn; mp_bitcnt_t bc; mpz_t t, u; sgn = y->_mp_size < 0; if ((~z & sgn) != 0) gmp_die ("mpz_rootrem: Negative argument, with even root."); if (z == 0) gmp_die ("mpz_rootrem: Zeroth root."); if (mpz_cmpabs_ui (y, 1) <= 0) { if (x) mpz_set (x, y); if (r) r->_mp_size = 0; return; } mpz_init (u); mpz_init (t); bc = (mpz_sizeinbase (y, 2) - 1) / z + 1; mpz_setbit (t, bc); if (z == 2) /* simplify sqrt loop: z-1 == 1 */ do { mpz_swap (u, t); /* u = x */ mpz_tdiv_q (t, y, u); /* t = y/x */ mpz_add (t, t, u); /* t = y/x + x */ mpz_tdiv_q_2exp (t, t, 1); /* x'= (y/x + x)/2 */ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */ else /* z != 2 */ { mpz_t v; mpz_init (v); if (sgn) mpz_neg (t, t); do { mpz_swap (u, t); /* u = x */ mpz_pow_ui (t, u, z - 1); /* t = x^(z-1) */ mpz_tdiv_q (t, y, t); /* t = y/x^(z-1) */ mpz_mul_ui (v, u, z - 1); /* v = x*(z-1) */ mpz_add (t, t, v); /* t = y/x^(z-1) + x*(z-1) */ mpz_tdiv_q_ui (t, t, z); /* x'=(y/x^(z-1) + x*(z-1))/z */ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */ mpz_clear (v); } if (r) { mpz_pow_ui (t, u, z); mpz_sub (r, y, t); } if (x) mpz_swap (x, u); mpz_clear (u); mpz_clear (t); } int mpz_root (mpz_t x, const mpz_t y, unsigned long z) { int res; mpz_t r; mpz_init (r); mpz_rootrem (x, r, y, z); res = r->_mp_size == 0; mpz_clear (r); return res; } /* Compute s = floor(sqrt(u)) and r = u - s^2. Allows r == NULL */ void mpz_sqrtrem (mpz_t s, mpz_t r, const mpz_t u) { mpz_rootrem (s, r, u, 2); } void mpz_sqrt (mpz_t s, const mpz_t u) { mpz_rootrem (s, NULL, u, 2); } int mpz_perfect_square_p (const mpz_t u) { if (u->_mp_size <= 0) return (u->_mp_size == 0); else return mpz_root (NULL, u, 2); } int mpn_perfect_square_p (mp_srcptr p, mp_size_t n) { mpz_t t; assert (n > 0); assert (p [n-1] != 0); return mpz_root (NULL, mpz_roinit_normal_n (t, p, n), 2); } mp_size_t mpn_sqrtrem (mp_ptr sp, mp_ptr rp, mp_srcptr p, mp_size_t n) { mpz_t s, r, u; mp_size_t res; assert (n > 0); assert (p [n-1] != 0); mpz_init (r); mpz_init (s); mpz_rootrem (s, r, mpz_roinit_normal_n (u, p, n), 2); assert (s->_mp_size == (n+1)/2); mpn_copyd (sp, s->_mp_d, s->_mp_size); mpz_clear (s); res = r->_mp_size; if (rp) mpn_copyd (rp, r->_mp_d, res); mpz_clear (r); return res; } /* Combinatorics */ void mpz_mfac_uiui (mpz_t x, unsigned long n, unsigned long m) { mpz_set_ui (x, n + (n == 0)); if (m + 1 < 2) return; while (n > m + 1) mpz_mul_ui (x, x, n -= m); } void mpz_2fac_ui (mpz_t x, unsigned long n) { mpz_mfac_uiui (x, n, 2); } void mpz_fac_ui (mpz_t x, unsigned long n) { mpz_mfac_uiui (x, n, 1); } void mpz_bin_uiui (mpz_t r, unsigned long n, unsigned long k) { mpz_t t; mpz_set_ui (r, k <= n); if (k > (n >> 1)) k = (k <= n) ? n - k : 0; mpz_init (t); mpz_fac_ui (t, k); for (; k > 0; --k) mpz_mul_ui (r, r, n--); mpz_divexact (r, r, t); mpz_clear (t); } /* Primality testing */ /* Computes Kronecker (a/b) with odd b, a!=0 and GCD(a,b) = 1 */ /* Adapted from JACOBI_BASE_METHOD==4 in mpn/generic/jacbase.c */ static int gmp_jacobi_coprime (mp_limb_t a, mp_limb_t b) { int c, bit = 0; assert (b & 1); assert (a != 0); /* assert (mpn_gcd_11 (a, b) == 1); */ /* Below, we represent a and b shifted right so that the least significant one bit is implicit. */ b >>= 1; gmp_ctz(c, a); a >>= 1; for (;;) { a >>= c; /* (2/b) = -1 if b = 3 or 5 mod 8 */ bit ^= c & (b ^ (b >> 1)); if (a < b) { if (a == 0) return bit & 1 ? -1 : 1; bit ^= a & b; a = b - a; b -= a; } else { a -= b; assert (a != 0); } gmp_ctz(c, a); ++c; } } static void gmp_lucas_step_k_2k (mpz_t V, mpz_t Qk, const mpz_t n) { mpz_mod (Qk, Qk, n); /* V_{2k} <- V_k ^ 2 - 2Q^k */ mpz_mul (V, V, V); mpz_submul_ui (V, Qk, 2); mpz_tdiv_r (V, V, n); /* Q^{2k} = (Q^k)^2 */ mpz_mul (Qk, Qk, Qk); } /* Computes V_k, Q^k (mod n) for the Lucas' sequence */ /* with P=1, Q=Q; k = (n>>b0)|1. */ /* Requires an odd n > 4; b0 > 0; -2*Q must not overflow a long */ /* Returns (U_k == 0) and sets V=V_k and Qk=Q^k. */ static int gmp_lucas_mod (mpz_t V, mpz_t Qk, long Q, mp_bitcnt_t b0, const mpz_t n) { mp_bitcnt_t bs; mpz_t U; int res; assert (b0 > 0); assert (Q <= - (LONG_MIN / 2)); assert (Q >= - (LONG_MAX / 2)); assert (mpz_cmp_ui (n, 4) > 0); assert (mpz_odd_p (n)); mpz_init_set_ui (U, 1); /* U1 = 1 */ mpz_set_ui (V, 1); /* V1 = 1 */ mpz_set_si (Qk, Q); for (bs = mpz_sizeinbase (n, 2) - 1; --bs >= b0;) { /* U_{2k} <- U_k * V_k */ mpz_mul (U, U, V); /* V_{2k} <- V_k ^ 2 - 2Q^k */ /* Q^{2k} = (Q^k)^2 */ gmp_lucas_step_k_2k (V, Qk, n); /* A step k->k+1 is performed if the bit in $n$ is 1 */ /* mpz_tstbit(n,bs) or the bit is 0 in $n$ but */ /* should be 1 in $n+1$ (bs == b0) */ if (b0 == bs || mpz_tstbit (n, bs)) { /* Q^{k+1} <- Q^k * Q */ mpz_mul_si (Qk, Qk, Q); /* U_{k+1} <- (U_k + V_k) / 2 */ mpz_swap (U, V); /* Keep in V the old value of U_k */ mpz_add (U, U, V); /* We have to compute U/2, so we need an even value, */ /* equivalent (mod n) */ if (mpz_odd_p (U)) mpz_add (U, U, n); mpz_tdiv_q_2exp (U, U, 1); /* V_{k+1} <-(D*U_k + V_k) / 2 = U_{k+1} + (D-1)/2*U_k = U_{k+1} - 2Q*U_k */ mpz_mul_si (V, V, -2*Q); mpz_add (V, U, V); mpz_tdiv_r (V, V, n); } mpz_tdiv_r (U, U, n); } res = U->_mp_size == 0; mpz_clear (U); return res; } /* Performs strong Lucas' test on x, with parameters suggested */ /* for the BPSW test. Qk is only passed to recycle a variable. */ /* Requires GCD (x,6) = 1.*/ static int gmp_stronglucas (const mpz_t x, mpz_t Qk) { mp_bitcnt_t b0; mpz_t V, n; mp_limb_t maxD, D; /* The absolute value is stored. */ long Q; mp_limb_t tl; /* Test on the absolute value. */ mpz_roinit_normal_n (n, x->_mp_d, GMP_ABS (x->_mp_size)); assert (mpz_odd_p (n)); /* assert (mpz_gcd_ui (NULL, n, 6) == 1); */ if (mpz_root (Qk, n, 2)) return 0; /* A square is composite. */ /* Check Ds up to square root (in case, n is prime) or avoid overflows */ maxD = (Qk->_mp_size == 1) ? Qk->_mp_d [0] - 1 : GMP_LIMB_MAX; D = 3; /* Search a D such that (D/n) = -1 in the sequence 5,-7,9,-11,.. */ /* For those Ds we have (D/n) = (n/|D|) */ do { if (D >= maxD) return 1 + (D != GMP_LIMB_MAX); /* (1 + ! ~ D) */ D += 2; tl = mpz_tdiv_ui (n, D); if (tl == 0) return 0; } while (gmp_jacobi_coprime (tl, D) == 1); mpz_init (V); /* n-(D/n) = n+1 = d*2^{b0}, with d = (n>>b0) | 1 */ b0 = mpn_common_scan (~ n->_mp_d[0], 0, n->_mp_d, n->_mp_size, GMP_LIMB_MAX); /* b0 = mpz_scan0 (n, 0); */ /* D= P^2 - 4Q; P = 1; Q = (1-D)/4 */ Q = (D & 2) ? (long) (D >> 2) + 1 : -(long) (D >> 2); if (! gmp_lucas_mod (V, Qk, Q, b0, n)) /* If Ud != 0 */ while (V->_mp_size != 0 && --b0 != 0) /* while Vk != 0 */ /* V <- V ^ 2 - 2Q^k */ /* Q^{2k} = (Q^k)^2 */ gmp_lucas_step_k_2k (V, Qk, n); mpz_clear (V); return (b0 != 0); } static int gmp_millerrabin (const mpz_t n, const mpz_t nm1, mpz_t y, const mpz_t q, mp_bitcnt_t k) { assert (k > 0); /* Caller must initialize y to the base. */ mpz_powm (y, y, q, n); if (mpz_cmp_ui (y, 1) == 0 || mpz_cmp (y, nm1) == 0) return 1; while (--k > 0) { mpz_powm_ui (y, y, 2, n); if (mpz_cmp (y, nm1) == 0) return 1; } return 0; } /* This product is 0xc0cfd797, and fits in 32 bits. */ #define GMP_PRIME_PRODUCT \ (3UL*5UL*7UL*11UL*13UL*17UL*19UL*23UL*29UL) /* Bit (p+1)/2 is set, for each odd prime <= 61 */ #define GMP_PRIME_MASK 0xc96996dcUL int mpz_probab_prime_p (const mpz_t n, int reps) { mpz_t nm1; mpz_t q; mpz_t y; mp_bitcnt_t k; int is_prime; int j; /* Note that we use the absolute value of n only, for compatibility with the real GMP. */ if (mpz_even_p (n)) return (mpz_cmpabs_ui (n, 2) == 0) ? 2 : 0; /* Above test excludes n == 0 */ assert (n->_mp_size != 0); if (mpz_cmpabs_ui (n, 64) < 0) return (GMP_PRIME_MASK >> (n->_mp_d[0] >> 1)) & 2; if (mpz_gcd_ui (NULL, n, GMP_PRIME_PRODUCT) != 1) return 0; /* All prime factors are >= 31. */ if (mpz_cmpabs_ui (n, 31*31) < 0) return 2; mpz_init (nm1); mpz_init (q); /* Find q and k, where q is odd and n = 1 + 2**k * q. */ mpz_abs (nm1, n); nm1->_mp_d[0] -= 1; /* Count trailing zeros, equivalent to mpn_scan1, because we know that there is a 1 */ k = mpn_scan1 (nm1->_mp_d, 0); mpz_tdiv_q_2exp (q, nm1, k); /* BPSW test */ mpz_init_set_ui (y, 2); is_prime = gmp_millerrabin (n, nm1, y, q, k) && gmp_stronglucas (n, y); reps -= 24; /* skip the first 24 repetitions */ /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] = j^2 + j + 41 using Euler's polynomial. We potentially stop early, if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps > 30 (a[30] == 971 > 31*31 == 961). */ for (j = 0; is_prime & (j < reps); j++) { mpz_set_ui (y, (unsigned long) j*j+j+41); if (mpz_cmp (y, nm1) >= 0) { /* Don't try any further bases. This "early" break does not affect the result for any reasonable reps value (<=5000 was tested) */ assert (j >= 30); break; } is_prime = gmp_millerrabin (n, nm1, y, q, k); } mpz_clear (nm1); mpz_clear (q); mpz_clear (y); return is_prime; } /* Logical operations and bit manipulation. */ /* Numbers are treated as if represented in two's complement (and infinitely sign extended). For a negative values we get the two's complement from -x = ~x + 1, where ~ is bitwise complement. Negation transforms xxxx10...0 into yyyy10...0 where yyyy is the bitwise complement of xxxx. So least significant bits, up to and including the first one bit, are unchanged, and the more significant bits are all complemented. To change a bit from zero to one in a negative number, subtract the corresponding power of two from the absolute value. This can never underflow. To change a bit from one to zero, add the corresponding power of two, and this might overflow. E.g., if x = -001111, the two's complement is 110001. Clearing the least significant bit, we get two's complement 110000, and -010000. */ int mpz_tstbit (const mpz_t d, mp_bitcnt_t bit_index) { mp_size_t limb_index; unsigned shift; mp_size_t ds; mp_size_t dn; mp_limb_t w; int bit; ds = d->_mp_size; dn = GMP_ABS (ds); limb_index = bit_index / GMP_LIMB_BITS; if (limb_index >= dn) return ds < 0; shift = bit_index % GMP_LIMB_BITS; w = d->_mp_d[limb_index]; bit = (w >> shift) & 1; if (ds < 0) { /* d < 0. Check if any of the bits below is set: If so, our bit must be complemented. */ if (shift > 0 && (mp_limb_t) (w << (GMP_LIMB_BITS - shift)) > 0) return bit ^ 1; while (--limb_index >= 0) if (d->_mp_d[limb_index] > 0) return bit ^ 1; } return bit; } static void mpz_abs_add_bit (mpz_t d, mp_bitcnt_t bit_index) { mp_size_t dn, limb_index; mp_limb_t bit; mp_ptr dp; dn = GMP_ABS (d->_mp_size); limb_index = bit_index / GMP_LIMB_BITS; bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS); if (limb_index >= dn) { mp_size_t i; /* The bit should be set outside of the end of the number. We have to increase the size of the number. */ dp = MPZ_REALLOC (d, limb_index + 1); dp[limb_index] = bit; for (i = dn; i < limb_index; i++) dp[i] = 0; dn = limb_index + 1; } else { mp_limb_t cy; dp = d->_mp_d; cy = mpn_add_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit); if (cy > 0) { dp = MPZ_REALLOC (d, dn + 1); dp[dn++] = cy; } } d->_mp_size = (d->_mp_size < 0) ? - dn : dn; } static void mpz_abs_sub_bit (mpz_t d, mp_bitcnt_t bit_index) { mp_size_t dn, limb_index; mp_ptr dp; mp_limb_t bit; dn = GMP_ABS (d->_mp_size); dp = d->_mp_d; limb_index = bit_index / GMP_LIMB_BITS; bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS); assert (limb_index < dn); gmp_assert_nocarry (mpn_sub_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit)); dn = mpn_normalized_size (dp, dn); d->_mp_size = (d->_mp_size < 0) ? - dn : dn; } void mpz_setbit (mpz_t d, mp_bitcnt_t bit_index) { if (!mpz_tstbit (d, bit_index)) { if (d->_mp_size >= 0) mpz_abs_add_bit (d, bit_index); else mpz_abs_sub_bit (d, bit_index); } } void mpz_clrbit (mpz_t d, mp_bitcnt_t bit_index) { if (mpz_tstbit (d, bit_index)) { if (d->_mp_size >= 0) mpz_abs_sub_bit (d, bit_index); else mpz_abs_add_bit (d, bit_index); } } void mpz_combit (mpz_t d, mp_bitcnt_t bit_index) { if (mpz_tstbit (d, bit_index) ^ (d->_mp_size < 0)) mpz_abs_sub_bit (d, bit_index); else mpz_abs_add_bit (d, bit_index); } void mpz_com (mpz_t r, const mpz_t u) { mpz_add_ui (r, u, 1); mpz_neg (r, r); } void mpz_and (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, rn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { r->_mp_size = 0; return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc & vc; ux = -uc; vx = -vc; rx = -rc; /* If the smaller input is positive, higher limbs don't matter. */ rn = vx ? un : vn; rp = MPZ_REALLOC (r, rn + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = ( (ul & vl) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < rn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = ( (ul & vx) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[rn++] = rc; else rn = mpn_normalized_size (rp, rn); r->_mp_size = rx ? -rn : rn; } void mpz_ior (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, rn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { mpz_set (r, u); return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc | vc; ux = -uc; vx = -vc; rx = -rc; /* If the smaller input is negative, by sign extension higher limbs don't matter. */ rn = vx ? vn : un; rp = MPZ_REALLOC (r, rn + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = ( (ul | vl) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < rn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = ( (ul | vx) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[rn++] = rc; else rn = mpn_normalized_size (rp, rn); r->_mp_size = rx ? -rn : rn; } void mpz_xor (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { mpz_set (r, u); return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc ^ vc; ux = -uc; vx = -vc; rx = -rc; rp = MPZ_REALLOC (r, un + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = (ul ^ vl ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < un; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = (ul ^ ux) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[un++] = rc; else un = mpn_normalized_size (rp, un); r->_mp_size = rx ? -un : un; } static unsigned gmp_popcount_limb (mp_limb_t x) { unsigned c; /* Do 16 bits at a time, to avoid limb-sized constants. */ int LOCAL_SHIFT_BITS = 16; for (c = 0; x > 0;) { unsigned w = x - ((x >> 1) & 0x5555); w = ((w >> 2) & 0x3333) + (w & 0x3333); w = (w >> 4) + w; w = ((w >> 8) & 0x000f) + (w & 0x000f); c += w; if (GMP_LIMB_BITS > LOCAL_SHIFT_BITS) x >>= LOCAL_SHIFT_BITS; else x = 0; } return c; } mp_bitcnt_t mpn_popcount (mp_srcptr p, mp_size_t n) { mp_size_t i; mp_bitcnt_t c; for (c = 0, i = 0; i < n; i++) c += gmp_popcount_limb (p[i]); return c; } mp_bitcnt_t mpz_popcount (const mpz_t u) { mp_size_t un; un = u->_mp_size; if (un < 0) return ~(mp_bitcnt_t) 0; return mpn_popcount (u->_mp_d, un); } mp_bitcnt_t mpz_hamdist (const mpz_t u, const mpz_t v) { mp_size_t un, vn, i; mp_limb_t uc, vc, ul, vl, comp; mp_srcptr up, vp; mp_bitcnt_t c; un = u->_mp_size; vn = v->_mp_size; if ( (un ^ vn) < 0) return ~(mp_bitcnt_t) 0; comp = - (uc = vc = (un < 0)); if (uc) { assert (vn < 0); un = -un; vn = -vn; } up = u->_mp_d; vp = v->_mp_d; if (un < vn) MPN_SRCPTR_SWAP (up, un, vp, vn); for (i = 0, c = 0; i < vn; i++) { ul = (up[i] ^ comp) + uc; uc = ul < uc; vl = (vp[i] ^ comp) + vc; vc = vl < vc; c += gmp_popcount_limb (ul ^ vl); } assert (vc == 0); for (; i < un; i++) { ul = (up[i] ^ comp) + uc; uc = ul < uc; c += gmp_popcount_limb (ul ^ comp); } return c; } mp_bitcnt_t mpz_scan1 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; mp_limb_t limb, ux; us = u->_mp_size; un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; /* Past the end there's no 1 bits for u>=0, or an immediate 1 bit for u<0. Notice this test picks up any u==0 too. */ if (i >= un) return (us >= 0 ? ~(mp_bitcnt_t) 0 : starting_bit); up = u->_mp_d; ux = 0; limb = up[i]; if (starting_bit != 0) { if (us < 0) { ux = mpn_zero_p (up, i); limb = ~ limb + ux; ux = - (mp_limb_t) (limb >= ux); } /* Mask to 0 all bits before starting_bit, thus ignoring them. */ limb &= GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS); } return mpn_common_scan (limb, i, up, un, ux); } mp_bitcnt_t mpz_scan0 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; mp_limb_t limb, ux; us = u->_mp_size; ux = - (mp_limb_t) (us >= 0); un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; /* When past end, there's an immediate 0 bit for u>=0, or no 0 bits for u<0. Notice this test picks up all cases of u==0 too. */ if (i >= un) return (ux ? starting_bit : ~(mp_bitcnt_t) 0); up = u->_mp_d; limb = up[i] ^ ux; if (ux == 0) limb -= mpn_zero_p (up, i); /* limb = ~(~limb + zero_p) */ /* Mask all bits before starting_bit, thus ignoring them. */ limb &= GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS); return mpn_common_scan (limb, i, up, un, ux); } /* MPZ base conversion. */ size_t mpz_sizeinbase (const mpz_t u, int base) { mp_size_t un, tn; mp_srcptr up; mp_ptr tp; mp_bitcnt_t bits; struct gmp_div_inverse bi; size_t ndigits; assert (base >= 2); assert (base <= 62); un = GMP_ABS (u->_mp_size); if (un == 0) return 1; up = u->_mp_d; bits = (un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]); switch (base) { case 2: return bits; case 4: return (bits + 1) / 2; case 8: return (bits + 2) / 3; case 16: return (bits + 3) / 4; case 32: return (bits + 4) / 5; /* FIXME: Do something more clever for the common case of base 10. */ } tp = gmp_alloc_limbs (un); mpn_copyi (tp, up, un); mpn_div_qr_1_invert (&bi, base); tn = un; ndigits = 0; do { ndigits++; mpn_div_qr_1_preinv (tp, tp, tn, &bi); tn -= (tp[tn-1] == 0); } while (tn > 0); gmp_free_limbs (tp, un); return ndigits; } char * mpz_get_str (char *sp, int base, const mpz_t u) { unsigned bits; const char *digits; mp_size_t un; size_t i, sn, osn; digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; if (base > 1) { if (base <= 36) digits = "0123456789abcdefghijklmnopqrstuvwxyz"; else if (base > 62) return NULL; } else if (base >= -1) base = 10; else { base = -base; if (base > 36) return NULL; } sn = 1 + mpz_sizeinbase (u, base); if (!sp) { osn = 1 + sn; sp = (char *) gmp_alloc (osn); } else osn = 0; un = GMP_ABS (u->_mp_size); if (un == 0) { sp[0] = '0'; sn = 1; goto ret; } i = 0; if (u->_mp_size < 0) sp[i++] = '-'; bits = mpn_base_power_of_two_p (base); if (bits) /* Not modified in this case. */ sn = i + mpn_get_str_bits ((unsigned char *) sp + i, bits, u->_mp_d, un); else { struct mpn_base_info info; mp_ptr tp; mpn_get_base_info (&info, base); tp = gmp_alloc_limbs (un); mpn_copyi (tp, u->_mp_d, un); sn = i + mpn_get_str_other ((unsigned char *) sp + i, base, &info, tp, un); gmp_free_limbs (tp, un); } for (; i < sn; i++) sp[i] = digits[(unsigned char) sp[i]]; ret: sp[sn] = '\0'; if (osn && osn != sn + 1) sp = (char*) gmp_realloc (sp, osn, sn + 1); return sp; } int mpz_set_str (mpz_t r, const char *sp, int base) { unsigned bits, value_of_a; mp_size_t rn, alloc; mp_ptr rp; size_t dn, sn; int sign; unsigned char *dp; assert (base == 0 || (base >= 2 && base <= 62)); while (isspace( (unsigned char) *sp)) sp++; sign = (*sp == '-'); sp += sign; if (base == 0) { if (sp[0] == '0') { if (sp[1] == 'x' || sp[1] == 'X') { base = 16; sp += 2; } else if (sp[1] == 'b' || sp[1] == 'B') { base = 2; sp += 2; } else base = 8; } else base = 10; } if (!*sp) { r->_mp_size = 0; return -1; } sn = strlen(sp); dp = (unsigned char *) gmp_alloc (sn); value_of_a = (base > 36) ? 36 : 10; for (dn = 0; *sp; sp++) { unsigned digit; if (isspace ((unsigned char) *sp)) continue; else if (*sp >= '0' && *sp <= '9') digit = *sp - '0'; else if (*sp >= 'a' && *sp <= 'z') digit = *sp - 'a' + value_of_a; else if (*sp >= 'A' && *sp <= 'Z') digit = *sp - 'A' + 10; else digit = base; /* fail */ if (digit >= (unsigned) base) { gmp_free (dp, sn); r->_mp_size = 0; return -1; } dp[dn++] = digit; } if (!dn) { gmp_free (dp, sn); r->_mp_size = 0; return -1; } bits = mpn_base_power_of_two_p (base); if (bits > 0) { alloc = (dn * bits + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; rp = MPZ_REALLOC (r, alloc); rn = mpn_set_str_bits (rp, dp, dn, bits); } else { struct mpn_base_info info; mpn_get_base_info (&info, base); alloc = (dn + info.exp - 1) / info.exp; rp = MPZ_REALLOC (r, alloc); rn = mpn_set_str_other (rp, dp, dn, base, &info); /* Normalization, needed for all-zero input. */ assert (rn > 0); rn -= rp[rn-1] == 0; } assert (rn <= alloc); gmp_free (dp, sn); r->_mp_size = sign ? - rn : rn; return 0; } int mpz_init_set_str (mpz_t r, const char *sp, int base) { mpz_init (r); return mpz_set_str (r, sp, base); } size_t mpz_out_str (FILE *stream, int base, const mpz_t x) { char *str; size_t len, n; str = mpz_get_str (NULL, base, x); if (!str) return 0; len = strlen (str); n = fwrite (str, 1, len, stream); gmp_free (str, len + 1); return n; } static int gmp_detect_endian (void) { static const int i = 2; const unsigned char *p = (const unsigned char *) &i; return 1 - *p; } /* Import and export. Does not support nails. */ void mpz_import (mpz_t r, size_t count, int order, size_t size, int endian, size_t nails, const void *src) { const unsigned char *p; ptrdiff_t word_step; mp_ptr rp; mp_size_t rn; /* The current (partial) limb. */ mp_limb_t limb; /* The number of bytes already copied to this limb (starting from the low end). */ size_t bytes; /* The index where the limb should be stored, when completed. */ mp_size_t i; if (nails != 0) gmp_die ("mpz_import: Nails not supported."); assert (order == 1 || order == -1); assert (endian >= -1 && endian <= 1); if (count == 0) { r->_mp_size = 0; return; } if (endian == 0) endian = gmp_detect_endian (); p = (unsigned char *) src; word_step = (order != endian) ? 2 * size : 0; /* Process bytes from the least significant end, so point p at the least significant word. */ if (order == 1) { p += size * (count - 1); word_step = - word_step; } /* And at least significant byte of that word. */ if (endian == 1) p += (size - 1); rn = (size * count + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t); rp = MPZ_REALLOC (r, rn); for (limb = 0, bytes = 0, i = 0; count > 0; count--, p += word_step) { size_t j; for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) { limb |= (mp_limb_t) *p << (bytes++ * CHAR_BIT); if (bytes == sizeof(mp_limb_t)) { rp[i++] = limb; bytes = 0; limb = 0; } } } assert (i + (bytes > 0) == rn); if (limb != 0) rp[i++] = limb; else i = mpn_normalized_size (rp, i); r->_mp_size = i; } void * mpz_export (void *r, size_t *countp, int order, size_t size, int endian, size_t nails, const mpz_t u) { size_t count; mp_size_t un; if (nails != 0) gmp_die ("mpz_export: Nails not supported."); assert (order == 1 || order == -1); assert (endian >= -1 && endian <= 1); assert (size > 0 || u->_mp_size == 0); un = u->_mp_size; count = 0; if (un != 0) { size_t k; unsigned char *p; ptrdiff_t word_step; /* The current (partial) limb. */ mp_limb_t limb; /* The number of bytes left to do in this limb. */ size_t bytes; /* The index where the limb was read. */ mp_size_t i; un = GMP_ABS (un); /* Count bytes in top limb. */ limb = u->_mp_d[un-1]; assert (limb != 0); k = (GMP_LIMB_BITS <= CHAR_BIT); if (!k) { do { int LOCAL_CHAR_BIT = CHAR_BIT; k++; limb >>= LOCAL_CHAR_BIT; } while (limb != 0); } /* else limb = 0; */ count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size; if (!r) r = gmp_alloc (count * size); if (endian == 0) endian = gmp_detect_endian (); p = (unsigned char *) r; word_step = (order != endian) ? 2 * size : 0; /* Process bytes from the least significant end, so point p at the least significant word. */ if (order == 1) { p += size * (count - 1); word_step = - word_step; } /* And at least significant byte of that word. */ if (endian == 1) p += (size - 1); for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step) { size_t j; for (j = 0; j < size; ++j, p -= (ptrdiff_t) endian) { if (sizeof (mp_limb_t) == 1) { if (i < un) *p = u->_mp_d[i++]; else *p = 0; } else { int LOCAL_CHAR_BIT = CHAR_BIT; if (bytes == 0) { if (i < un) limb = u->_mp_d[i++]; bytes = sizeof (mp_limb_t); } *p = limb; limb >>= LOCAL_CHAR_BIT; bytes--; } } } assert (i == un); assert (k == count); } if (countp) *countp = count; return r; } nettle-4.0/mini-gmp.h0000644000000000000000000002706015141166424011475 0ustar00/* mini-gmp, a minimalistic implementation of a GNU GMP subset. Copyright 2011-2015, 2017, 2019-2021 Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with the GNU MP Library. If not, see https://www.gnu.org/licenses/. */ /* About mini-gmp: This is a minimal implementation of a subset of the GMP interface. It is intended for inclusion into applications which have modest bignums needs, as a fallback when the real GMP library is not installed. This file defines the public interface. */ #ifndef __MINI_GMP_H__ #define __MINI_GMP_H__ /* For size_t */ #include #if defined (__cplusplus) extern "C" { #endif void mp_set_memory_functions (void *(*) (size_t), void *(*) (void *, size_t, size_t), void (*) (void *, size_t)); void mp_get_memory_functions (void *(**) (size_t), void *(**) (void *, size_t, size_t), void (**) (void *, size_t)); #ifndef MINI_GMP_LIMB_TYPE #define MINI_GMP_LIMB_TYPE long #endif typedef unsigned MINI_GMP_LIMB_TYPE mp_limb_t; typedef long mp_size_t; typedef unsigned long mp_bitcnt_t; typedef mp_limb_t *mp_ptr; typedef const mp_limb_t *mp_srcptr; typedef struct { int _mp_alloc; /* Number of *limbs* allocated and pointed to by the _mp_d field. */ int _mp_size; /* abs(_mp_size) is the number of limbs the last field points to. If _mp_size is negative this is a negative number. */ mp_limb_t *_mp_d; /* Pointer to the limbs. */ } __mpz_struct; typedef __mpz_struct mpz_t[1]; typedef __mpz_struct *mpz_ptr; typedef const __mpz_struct *mpz_srcptr; extern const int mp_bits_per_limb; void mpn_copyi (mp_ptr, mp_srcptr, mp_size_t); void mpn_copyd (mp_ptr, mp_srcptr, mp_size_t); void mpn_zero (mp_ptr, mp_size_t); int mpn_cmp (mp_srcptr, mp_srcptr, mp_size_t); int mpn_zero_p (mp_srcptr, mp_size_t); mp_limb_t mpn_add_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_add_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); mp_limb_t mpn_add (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); mp_limb_t mpn_sub_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_sub_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); mp_limb_t mpn_sub (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); mp_limb_t mpn_mul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_addmul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_submul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_mul (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); void mpn_mul_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); void mpn_sqr (mp_ptr, mp_srcptr, mp_size_t); int mpn_perfect_square_p (mp_srcptr, mp_size_t); mp_size_t mpn_sqrtrem (mp_ptr, mp_ptr, mp_srcptr, mp_size_t); mp_size_t mpn_gcd (mp_ptr, mp_ptr, mp_size_t, mp_ptr, mp_size_t); mp_limb_t mpn_lshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); mp_limb_t mpn_rshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); mp_bitcnt_t mpn_scan0 (mp_srcptr, mp_bitcnt_t); mp_bitcnt_t mpn_scan1 (mp_srcptr, mp_bitcnt_t); void mpn_com (mp_ptr, mp_srcptr, mp_size_t); mp_limb_t mpn_neg (mp_ptr, mp_srcptr, mp_size_t); mp_bitcnt_t mpn_popcount (mp_srcptr, mp_size_t); mp_limb_t mpn_invert_3by2 (mp_limb_t, mp_limb_t); #define mpn_invert_limb(x) mpn_invert_3by2 ((x), 0) size_t mpn_get_str (unsigned char *, int, mp_ptr, mp_size_t); mp_size_t mpn_set_str (mp_ptr, const unsigned char *, size_t, int); void mpz_init (mpz_t); void mpz_init2 (mpz_t, mp_bitcnt_t); void mpz_clear (mpz_t); #define mpz_odd_p(z) (((z)->_mp_size != 0) & (int) (z)->_mp_d[0]) #define mpz_even_p(z) (! mpz_odd_p (z)) int mpz_sgn (const mpz_t); int mpz_cmp_si (const mpz_t, long); int mpz_cmp_ui (const mpz_t, unsigned long); int mpz_cmp (const mpz_t, const mpz_t); int mpz_cmpabs_ui (const mpz_t, unsigned long); int mpz_cmpabs (const mpz_t, const mpz_t); int mpz_cmp_d (const mpz_t, double); int mpz_cmpabs_d (const mpz_t, double); void mpz_abs (mpz_t, const mpz_t); void mpz_neg (mpz_t, const mpz_t); void mpz_swap (mpz_t, mpz_t); void mpz_add_ui (mpz_t, const mpz_t, unsigned long); void mpz_add (mpz_t, const mpz_t, const mpz_t); void mpz_sub_ui (mpz_t, const mpz_t, unsigned long); void mpz_ui_sub (mpz_t, unsigned long, const mpz_t); void mpz_sub (mpz_t, const mpz_t, const mpz_t); void mpz_mul_si (mpz_t, const mpz_t, long int); void mpz_mul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_mul (mpz_t, const mpz_t, const mpz_t); void mpz_mul_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_addmul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_addmul (mpz_t, const mpz_t, const mpz_t); void mpz_submul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_submul (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_fdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_tdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_cdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_fdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_tdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_mod (mpz_t, const mpz_t, const mpz_t); void mpz_divexact (mpz_t, const mpz_t, const mpz_t); int mpz_divisible_p (const mpz_t, const mpz_t); int mpz_congruent_p (const mpz_t, const mpz_t, const mpz_t); unsigned long mpz_cdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_ui (const mpz_t, unsigned long); unsigned long mpz_fdiv_ui (const mpz_t, unsigned long); unsigned long mpz_tdiv_ui (const mpz_t, unsigned long); unsigned long mpz_mod_ui (mpz_t, const mpz_t, unsigned long); void mpz_divexact_ui (mpz_t, const mpz_t, unsigned long); int mpz_divisible_ui_p (const mpz_t, unsigned long); unsigned long mpz_gcd_ui (mpz_t, const mpz_t, unsigned long); void mpz_gcd (mpz_t, const mpz_t, const mpz_t); void mpz_gcdext (mpz_t, mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_lcm_ui (mpz_t, const mpz_t, unsigned long); void mpz_lcm (mpz_t, const mpz_t, const mpz_t); int mpz_invert (mpz_t, const mpz_t, const mpz_t); void mpz_sqrtrem (mpz_t, mpz_t, const mpz_t); void mpz_sqrt (mpz_t, const mpz_t); int mpz_perfect_square_p (const mpz_t); void mpz_pow_ui (mpz_t, const mpz_t, unsigned long); void mpz_ui_pow_ui (mpz_t, unsigned long, unsigned long); void mpz_powm (mpz_t, const mpz_t, const mpz_t, const mpz_t); void mpz_powm_ui (mpz_t, const mpz_t, unsigned long, const mpz_t); void mpz_rootrem (mpz_t, mpz_t, const mpz_t, unsigned long); int mpz_root (mpz_t, const mpz_t, unsigned long); void mpz_fac_ui (mpz_t, unsigned long); void mpz_2fac_ui (mpz_t, unsigned long); void mpz_mfac_uiui (mpz_t, unsigned long, unsigned long); void mpz_bin_uiui (mpz_t, unsigned long, unsigned long); int mpz_probab_prime_p (const mpz_t, int); int mpz_tstbit (const mpz_t, mp_bitcnt_t); void mpz_setbit (mpz_t, mp_bitcnt_t); void mpz_clrbit (mpz_t, mp_bitcnt_t); void mpz_combit (mpz_t, mp_bitcnt_t); void mpz_com (mpz_t, const mpz_t); void mpz_and (mpz_t, const mpz_t, const mpz_t); void mpz_ior (mpz_t, const mpz_t, const mpz_t); void mpz_xor (mpz_t, const mpz_t, const mpz_t); mp_bitcnt_t mpz_popcount (const mpz_t); mp_bitcnt_t mpz_hamdist (const mpz_t, const mpz_t); mp_bitcnt_t mpz_scan0 (const mpz_t, mp_bitcnt_t); mp_bitcnt_t mpz_scan1 (const mpz_t, mp_bitcnt_t); int mpz_fits_slong_p (const mpz_t); int mpz_fits_ulong_p (const mpz_t); int mpz_fits_sint_p (const mpz_t); int mpz_fits_uint_p (const mpz_t); int mpz_fits_sshort_p (const mpz_t); int mpz_fits_ushort_p (const mpz_t); long int mpz_get_si (const mpz_t); unsigned long int mpz_get_ui (const mpz_t); double mpz_get_d (const mpz_t); size_t mpz_size (const mpz_t); mp_limb_t mpz_getlimbn (const mpz_t, mp_size_t); void mpz_realloc2 (mpz_t, mp_bitcnt_t); mp_srcptr mpz_limbs_read (mpz_srcptr); mp_ptr mpz_limbs_modify (mpz_t, mp_size_t); mp_ptr mpz_limbs_write (mpz_t, mp_size_t); void mpz_limbs_finish (mpz_t, mp_size_t); mpz_srcptr mpz_roinit_n (mpz_t, mp_srcptr, mp_size_t); #define MPZ_ROINIT_N(xp, xs) {{0, (xs),(xp) }} void mpz_set_si (mpz_t, signed long int); void mpz_set_ui (mpz_t, unsigned long int); void mpz_set (mpz_t, const mpz_t); void mpz_set_d (mpz_t, double); void mpz_init_set_si (mpz_t, signed long int); void mpz_init_set_ui (mpz_t, unsigned long int); void mpz_init_set (mpz_t, const mpz_t); void mpz_init_set_d (mpz_t, double); size_t mpz_sizeinbase (const mpz_t, int); char *mpz_get_str (char *, int, const mpz_t); int mpz_set_str (mpz_t, const char *, int); int mpz_init_set_str (mpz_t, const char *, int); /* This long list taken from gmp.h. */ /* For reference, "defined(EOF)" cannot be used here. In g++ 2.95.4, defines EOF but not FILE. */ #if defined (FILE) \ || defined (H_STDIO) \ || defined (_H_STDIO) /* AIX */ \ || defined (_STDIO_H) /* glibc, Sun, SCO */ \ || defined (_STDIO_H_) /* BSD, OSF */ \ || defined (__STDIO_H) /* Borland */ \ || defined (__STDIO_H__) /* IRIX */ \ || defined (_STDIO_INCLUDED) /* HPUX */ \ || defined (__dj_include_stdio_h_) /* DJGPP */ \ || defined (_FILE_DEFINED) /* Microsoft */ \ || defined (__STDIO__) /* Apple MPW MrC */ \ || defined (_MSL_STDIO_H) /* Metrowerks */ \ || defined (_STDIO_H_INCLUDED) /* QNX4 */ \ || defined (_ISO_STDIO_ISO_H) /* Sun C++ */ \ || defined (__STDIO_LOADED) /* VMS */ \ || defined (_STDIO) /* HPE NonStop */ \ || defined (__DEFINED_FILE) /* musl */ size_t mpz_out_str (FILE *, int, const mpz_t); #endif void mpz_import (mpz_t, size_t, int, size_t, int, size_t, const void *); void *mpz_export (void *, size_t *, int, size_t, int, size_t, const mpz_t); #if defined (__cplusplus) } #endif #endif /* __MINI_GMP_H__ */ nettle-4.0/nettle-internal.h0000644000000000000000000000626415141166424013070 0ustar00/* nettle-internal.h Misc internal definitions. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_INTERNAL_H_INCLUDED #define NETTLE_INTERNAL_H_INCLUDED #include /* Needed for alloca on bsd systems. */ #include /* For definition of NETTLE_MAX_HASH_CONTEXT_SIZE. */ #include "streebog.h" /* Temporary allocation, for systems that don't support alloca. Note * that the allocation requests should always be reasonably small, so * that they can fit on the stack. For non-alloca systems, we use a * fix maximum size + an assert. * * TMP_DECL and TMP_ALLOC allocate an array of the given type, and * take the array size (not byte size) as argument. * * TMP_DECL_ALIGN and TMP_ALLOC_ALIGN are intended for context * structs, which need proper alignment. They take the size in bytes, * and produce a void *. On systems without alloca, implemented as an * array of uint64_t, to ensure alignment. Since it is used as void * * argument, no type casts are needed. */ #if HAVE_ALLOCA # define TMP_DECL(name, type, max) type *name # define TMP_ALLOC(name, size) (name = alloca(sizeof (*name) * (size))) # define TMP_DECL_ALIGN(name, max) void *name # define TMP_ALLOC_ALIGN(name, size) (name = alloca(size)) #else /* !HAVE_ALLOCA */ # define TMP_DECL(name, type, max) type name[max] # define TMP_ALLOC(name, size) \ do { assert((size_t)(size) <= (sizeof(name) / sizeof(name[0]))); } while (0) # define TMP_DECL_ALIGN(name, max) \ uint64_t name[((max) + (sizeof(uint64_t) - 1))/ sizeof(uint64_t)] # define TMP_ALLOC_ALIGN(name, size) \ do { assert((size_t)(size) <= (sizeof(name))); } while (0) #endif /* Limits that apply to systems that don't have alloca */ #define NETTLE_MAX_HASH_BLOCK_SIZE 144 /* For sha3_224*/ #define NETTLE_MAX_HASH_DIGEST_SIZE 64 #define NETTLE_MAX_HASH_CONTEXT_SIZE (sizeof(struct streebog512_ctx)) #define NETTLE_MAX_SEXP_ASSOC 17 #define NETTLE_MAX_CIPHER_BLOCK_SIZE 32 #define NETTLE_MAX_CIPHER_KEY_SIZE 32 /* Equivalent to x == 0, but with an expression that should compile to branch free code on all compilers. Requires that x is at most 31 bits. */ #define IS_ZERO_SMALL(x) (((uint32_t) (x) - 1U) >> 31) extern const struct nettle_hash * const _nettle_hashes[]; #endif /* NETTLE_INTERNAL_H_INCLUDED */ nettle-4.0/nettle-lookup-hash.c0000644000000000000000000000255415141166424013477 0ustar00/* nettle-lookup-hash.c Copyright (C) 2016 Niels Möller. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "nettle-meta.h" #include "nettle-internal.h" const struct nettle_hash * nettle_lookup_hash (const char *name) { unsigned i; for (i = 0; _nettle_hashes[i]; i++) if (!strcmp (name, _nettle_hashes[i]->name)) return _nettle_hashes[i]; return NULL; } nettle-4.0/nettle-meta-aeads.c0000644000000000000000000000266315141166424013247 0ustar00/* nettle-meta-aeads.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_aead * const _nettle_aeads[] = { &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, &nettle_gcm_camellia128, &nettle_gcm_camellia256, &nettle_gcm_sm4, &nettle_eax_aes128, &nettle_chacha_poly1305, NULL }; const struct nettle_aead * const * nettle_get_aeads (void) { return _nettle_aeads; } nettle-4.0/nettle-meta-ciphers.c0000644000000000000000000000320315141166424013616 0ustar00/* nettle-meta-ciphers.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_cipher * const _nettle_ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, &nettle_cast128, &nettle_serpent128, &nettle_serpent192, &nettle_serpent256, &nettle_twofish128, &nettle_twofish192, &nettle_twofish256, &nettle_arctwo40, &nettle_arctwo64, &nettle_arctwo128, &nettle_arctwo_gutmann128, &nettle_sm4, NULL }; const struct nettle_cipher * const * nettle_get_ciphers (void) { return _nettle_ciphers; } nettle-4.0/nettle-meta-hashes.c0000644000000000000000000000320215141166424013433 0ustar00/* nettle-meta-hashes.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_hash * const _nettle_hashes[] = { &nettle_gosthash94, &nettle_gosthash94cp, &nettle_md2, &nettle_md4, &nettle_md5, &nettle_ripemd160, &nettle_sha1, &nettle_sha224, &nettle_sha256, &nettle_sha384, &nettle_sha512, &nettle_sha512_224, &nettle_sha512_256, &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_streebog256, &nettle_streebog512, &nettle_sm3, NULL }; const struct nettle_hash * const * nettle_get_hashes (void) { return _nettle_hashes; } nettle-4.0/nettle-meta-macs.c0000644000000000000000000000312415141166424013106 0ustar00/* nettle-meta-macs.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_mac * const _nettle_macs[] = { &nettle_cmac_aes128, &nettle_cmac_aes256, &nettle_cmac_des3, &nettle_hmac_gosthash94, &nettle_hmac_gosthash94cp, &nettle_hmac_md5, &nettle_hmac_ripemd160, &nettle_hmac_sha1, &nettle_hmac_sha224, &nettle_hmac_sha256, &nettle_hmac_sha384, &nettle_hmac_sha512, &nettle_hmac_streebog256, &nettle_hmac_streebog512, &nettle_hmac_sm3, NULL }; const struct nettle_mac * const * nettle_get_macs (void) { return _nettle_macs; } nettle-4.0/nettle-meta.h0000644000000000000000000001616515141166424012203 0ustar00/* nettle-meta.h Information about algorithms. Copyright (C) 2002, 2014, 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_META_H_INCLUDED #define NETTLE_META_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif struct nettle_cipher { const char *name; unsigned context_size; /* Zero for stream ciphers */ unsigned block_size; /* Suggested key size; other sizes are sometimes possible. */ unsigned key_size; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_cipher_func *encrypt; nettle_cipher_func *decrypt; }; /* null-terminated list of ciphers implemented by this version of nettle */ const struct nettle_cipher * const * _NETTLE_ATTRIBUTE_PURE nettle_get_ciphers (void); #define nettle_ciphers (nettle_get_ciphers()) extern const struct nettle_cipher nettle_aes128; extern const struct nettle_cipher nettle_aes192; extern const struct nettle_cipher nettle_aes256; extern const struct nettle_cipher nettle_camellia128; extern const struct nettle_cipher nettle_camellia192; extern const struct nettle_cipher nettle_camellia256; extern const struct nettle_cipher nettle_cast128; extern const struct nettle_cipher nettle_serpent128; extern const struct nettle_cipher nettle_serpent192; extern const struct nettle_cipher nettle_serpent256; extern const struct nettle_cipher nettle_twofish128; extern const struct nettle_cipher nettle_twofish192; extern const struct nettle_cipher nettle_twofish256; extern const struct nettle_cipher nettle_arctwo40; extern const struct nettle_cipher nettle_arctwo64; extern const struct nettle_cipher nettle_arctwo128; extern const struct nettle_cipher nettle_arctwo_gutmann128; extern const struct nettle_cipher nettle_sm4; struct nettle_hash { const char *name; /* Size of the context struct */ unsigned context_size; /* Size of digests */ unsigned digest_size; /* Internal block size */ unsigned block_size; nettle_hash_init_func *init; nettle_hash_update_func *update; nettle_hash_digest_func *digest; }; #define _NETTLE_HASH(name, NAME) { \ #name, \ sizeof(struct name##_ctx), \ NAME##_DIGEST_SIZE, \ NAME##_BLOCK_SIZE, \ (nettle_hash_init_func *) name##_init, \ (nettle_hash_update_func *) name##_update, \ (nettle_hash_digest_func *) name##_digest \ } /* null-terminated list of digests implemented by this version of nettle */ const struct nettle_hash * const * _NETTLE_ATTRIBUTE_PURE nettle_get_hashes (void); #define nettle_hashes (nettle_get_hashes()) const struct nettle_hash * nettle_lookup_hash (const char *name); extern const struct nettle_hash nettle_md2; extern const struct nettle_hash nettle_md4; extern const struct nettle_hash nettle_md5; extern const struct nettle_hash nettle_gosthash94; extern const struct nettle_hash nettle_gosthash94cp; extern const struct nettle_hash nettle_ripemd160; extern const struct nettle_hash nettle_sha1; extern const struct nettle_hash nettle_sha224; extern const struct nettle_hash nettle_sha256; extern const struct nettle_hash nettle_sha384; extern const struct nettle_hash nettle_sha512; extern const struct nettle_hash nettle_sha512_224; extern const struct nettle_hash nettle_sha512_256; extern const struct nettle_hash nettle_sha3_224; extern const struct nettle_hash nettle_sha3_256; extern const struct nettle_hash nettle_sha3_384; extern const struct nettle_hash nettle_sha3_512; extern const struct nettle_hash nettle_streebog256; extern const struct nettle_hash nettle_streebog512; extern const struct nettle_hash nettle_sm3; struct nettle_mac { const char *name; /* Size of the context struct */ unsigned context_size; /* Size of digests */ unsigned digest_size; /* Key size */ unsigned key_size; nettle_set_key_func *set_key; nettle_hash_update_func *update; nettle_hash_digest_func *digest; }; struct nettle_aead { const char *name; unsigned context_size; /* Block size for encrypt and decrypt. */ unsigned block_size; unsigned key_size; unsigned nonce_size; unsigned digest_size; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_set_key_func *set_nonce; nettle_hash_update_func *update; nettle_crypt_func *encrypt; nettle_crypt_func *decrypt; nettle_hash_digest_func *digest; }; /* null-terminated list of aead constructions implemented by this version of nettle */ const struct nettle_aead * const * _NETTLE_ATTRIBUTE_PURE nettle_get_aeads (void); #define nettle_aeads (nettle_get_aeads()) extern const struct nettle_aead nettle_gcm_aes128; extern const struct nettle_aead nettle_gcm_aes192; extern const struct nettle_aead nettle_gcm_aes256; extern const struct nettle_aead nettle_gcm_camellia128; extern const struct nettle_aead nettle_gcm_camellia256; extern const struct nettle_aead nettle_gcm_sm4; extern const struct nettle_aead nettle_eax_aes128; extern const struct nettle_aead nettle_chacha_poly1305; #define _NETTLE_HMAC(name, HASH) { \ #name, \ sizeof(struct name##_ctx), \ HASH##_DIGEST_SIZE, \ HASH##_DIGEST_SIZE, \ name##_set_key_wrapper, \ (nettle_hash_update_func *) name##_update, \ (nettle_hash_digest_func *) name##_digest, \ } /* null-terminated list of macs implemented by this version of nettle */ const struct nettle_mac * const * _NETTLE_ATTRIBUTE_PURE nettle_get_macs (void); #define nettle_macs (nettle_get_macs()) extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256; extern const struct nettle_mac nettle_cmac_des3; /* HMAC variants with key size = digest size */ extern const struct nettle_mac nettle_hmac_gosthash94; extern const struct nettle_mac nettle_hmac_gosthash94cp; extern const struct nettle_mac nettle_hmac_md5; extern const struct nettle_mac nettle_hmac_ripemd160; extern const struct nettle_mac nettle_hmac_sha1; extern const struct nettle_mac nettle_hmac_sha224; extern const struct nettle_mac nettle_hmac_sha256; extern const struct nettle_mac nettle_hmac_sha384; extern const struct nettle_mac nettle_hmac_sha512; extern const struct nettle_mac nettle_hmac_streebog256; extern const struct nettle_mac nettle_hmac_streebog512; extern const struct nettle_mac nettle_hmac_sm3; #ifdef __cplusplus } #endif #endif /* NETTLE_META_H_INCLUDED */ nettle-4.0/nettle-types.h0000644000000000000000000000646115141166424012417 0ustar00/* nettle-types.h Copyright (C) 2005, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TYPES_H #define NETTLE_TYPES_H /* For size_t */ #include #include #include /* Attributes we want to use in installed header files, and hence can't rely on config.h. */ #ifdef __GNUC__ #define _NETTLE_ATTRIBUTE_PURE __attribute__((pure)) #ifndef _NETTLE_ATTRIBUTE_DEPRECATED /* Variant without message is supported since gcc-3.1 or so. */ #define _NETTLE_ATTRIBUTE_DEPRECATED __attribute__((deprecated)) #endif #else /* !__GNUC__ */ #define _NETTLE_ATTRIBUTE_PURE #define _NETTLE_ATTRIBUTE_DEPRECATED #endif /* !__GNUC__ */ #ifdef __cplusplus extern "C" { #endif /* On 64-bit platforms where uint64_t requires 8 byte alignment, use twice the alignment. To work for both C and C++, needs to be placed before the type, see example for nettle_block16 below. */ #define _NETTLE_ALIGN16 alignas(alignof(uint64_t) == 8 ? 16 : 0) /* An aligned 16-byte block. */ union nettle_block16 { uint8_t b[16]; _NETTLE_ALIGN16 uint64_t u64[2]; }; union nettle_block8 { uint8_t b[8]; uint64_t u64; }; /* Used for generating randomness, as well as for extendable output functions like shake. */ typedef void nettle_output_func(void *ctx, size_t length, uint8_t *dst); /* Old name used for key generation and (ec)dsa signature creation. */ typedef nettle_output_func nettle_random_func; /* Progress report function, mainly for key generation. */ typedef void nettle_progress_func(void *ctx, int c); /* Realloc function, used by struct nettle_buffer. */ typedef void *nettle_realloc_func(void *ctx, void *p, size_t length); /* Ciphers */ typedef void nettle_set_key_func(void *ctx, const uint8_t *key); /* For block ciphers, const context. */ typedef void nettle_cipher_func(const void *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* Uses a void * for cipher contexts. Used for crypt operations where the internal state changes during the encryption. */ typedef void nettle_crypt_func(void *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* Hash algorithms */ typedef void nettle_hash_init_func(void *ctx); typedef void nettle_hash_update_func(void *ctx, size_t length, const uint8_t *src); typedef void nettle_hash_digest_func(void *ctx, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_TYPES_H */ nettle-4.0/nettle-write.h0000644000000000000000000000327415141166424012404 0ustar00/* nettle-write.h Internal functions to write out word-sized data to byte arrays. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_WRITE_H_INCLUDED #define NETTLE_WRITE_H_INCLUDED /* For size_t */ #include #include /* Write the word array at SRC to the byte array at DST, using little endian (le) or big endian (be) byte order, and truncating the result to LENGTH bytes. */ /* FIXME: Use a macro shortcut to memcpy for native endianness. */ void _nettle_write_be32(size_t length, uint8_t *dst, const uint32_t *src); void _nettle_write_le32(size_t length, uint8_t *dst, const uint32_t *src); void _nettle_write_le64(size_t length, uint8_t *dst, const uint64_t *src); #endif /* NETTLE_WRITE_H_INCLUDED */ nettle-4.0/nettle.html0000644000000000000000000320441615141166424011775 0ustar00 Nettle: a low-level cryptographic library

Next:   [Contents][Index]

Nettle

This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application.

This manual is for the Nettle library (version 4.0), a low-level cryptographic library.

Originally written 2001 by Niels Möller, updated 2026.

This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required.

Table of Contents

Next: , Previous: , Up: Nettle   [Contents][Index]

1 Introduction

Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement.

And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around.

Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a simple but general interface to it. In particular, Nettle doesn’t do algorithm selection. It doesn’t do memory allocation. It doesn’t do any I/O.

The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library.

This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use.

Next: , Previous: , Up: Nettle   [Contents][Index]

3 Using Nettle

Next: , Up: Using Nettle   [Contents][Index]

3.1 Example

A simple example program that reads a file from standard input and writes its SHA256 checksum on standard output should give the flavor of Nettle. 

#include <stdio.h>
#include <stdlib.h>

#include <nettle/sha2.h>

#define BUF_SIZE 1000

static void
display_hex(unsigned length, uint8_t *data)
{
  unsigned i;

  for (i = 0; i<length; i++)
    printf("%02x ", data[i]);

  printf("\n");
}

int
main(int argc, char **argv)
{
  struct sha256_ctx ctx;
  uint8_t buffer[BUF_SIZE];
  uint8_t digest[SHA256_DIGEST_SIZE];
  
  sha256_init(&ctx);
  for (;;)
  {
    int done = fread(buffer, 1, sizeof(buffer), stdin);
    sha256_update(&ctx, done, buffer);
    if (done < sizeof(buffer))
      break;
  }
  if (ferror(stdin))
    return EXIT_FAILURE;

  sha256_digest(&ctx, digest);

  display_hex(SHA256_DIGEST_SIZE, digest);
  return EXIT_SUCCESS;  
}

On a typical Unix system, this program can be compiled and linked with the command line 

gcc sha-example.c -o sha-example -lnettle

Next: , Previous: , Up: Using Nettle   [Contents][Index]

3.2 Conventions

For each supported algorithm, there is an include file that defines a context struct, a few constants, and declares functions for operating on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects.

For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms that don’t show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application.

If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle.

By convention, for an algorithm named foo, the struct tag for the context struct is foo_ctx, constants and functions uses prefixes like FOO_BLOCK_SIZE (a constant) and foo_set_key (a function).

In all functions, strings are represented with an explicit length, of type size_t, and a pointer of type uint8_t * or const uint8_t *. For functions that transform one string to another, the argument order is length, destination pointer and source pointer. Source and destination areas are usually of the same length. When they differ, e.g., for ccm_encrypt_message, the length argument specifies the size of the destination area. Source and destination pointers may be equal, so that you can process strings in place, but source and destination areas must not overlap in any other way.

Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure.

Next: , Previous: , Up: Using Nettle   [Contents][Index]

3.3 Linking

Nettle actually consists of two libraries, libnettle and libhogweed. The libhogweed library contains those functions of Nettle that uses bignum operations, and depends on the GMP library. With this division, linking works the same for both static and dynamic libraries.

If an application uses only the symmetric crypto algorithms of Nettle (i.e., block ciphers, hash functions, and the like), it’s sufficient to link with -lnettle. If an application also uses public-key algorithms, the recommended linker flags are -lhogweed -lnettle -lgmp. If the involved libraries are installed as dynamic libraries, it may be sufficient to link with just -lhogweed, and the loader will resolve the dependencies automatically.

To the linker, all external symbols in the libnettle and libhogweed libraries are prefixed with nettle_ (or _nettle_ for library internals). This reduces the risk of link-time name collisions with other libraries you want to link in the same program. However, you rarely see these prefixes, since header files define shorter preprocessor aliases. E.g., nettle/sha2.h, which declares sha256_init among other functions, also includes a #define sha256_init nettle_sha256_init. You can used either name, but the shorter names are recommended, and those are the ones used in this documentation.

Previous: , Up: Using Nettle   [Contents][Index]

3.4 Compatibility

When you write a program using the Nettle library, it’s desirable to have it work together not only with exactly the same version of Nettle you had at hand, but with other current and future versions. If a different version of Nettle is used at compile time, i.e., you recompile it using the header and library files belonging to a different version, we talk about API compatibility (for Application Programming Interface). If a different version of Nettle isn’t used until link time, we talk about ABI compatibility (Application Binary Interface) or binary compatibility. ABI compatibility matters mainly when using dynamic linking with a shared library. E.g., a user has an executable linking at run-time with libnettle.so, and then updates to a later version of the shared library, without updating or recompiling the executable.

Nettle aims to provide backwards compatibility, i.e., a program written for a particular version of the Nettle library should usually work fine with later version of the library. Note that the opposite is not supported: The program should not be expected to work with older versions of the Nettle library; and ABI breakage can be unobvious. E.g, the later version may define a new library symbol, and let header files redefine an old API name as an alias for the new symbol. If the later version ensures that the old symbol is still defined in the library, this change is backwards compatible: A program compiled using headers from the older version can be successfully linked with either version of the library. But if you compile the same program using headers from the later version of the library, and attempt to link with the older version, you’ll get an undefined reference to the new symbol.

API compatibility is rarely broken; exceptions are noted in the NEWS file. For example, the key size argument to the function cast128_set_key was dropped in the Nettle-3.0 release, and all programs using that function had to be updated to work with the new version.

ABI compatibility is broken occasionally. This is also noted in the NEWS file, and the name of the shared library is updated to prevent accidental run-time linking with the wrong version. All programs have to be recompiled before they can link with the new version. Since names are different, multiple versions can be installed on the same system, with a mix of programs linking to one version or the other.

Under some circumstances, it is possible to have a single program linking dynamically with two binary incompatible versions of the Nettle library, thanks to the use of symbol versioning. Consider a program calling functions in both Nettle and GnuTLS. For the direct dependency on Nettle, the program is linked with a particular version of the Nettle shared library. GnuTLS uses Nettle internally, but does not expose any Nettle data structures or the like in its own ABI. In this situation, the GnuTLS shared library may link with a different version of the Nettle library. Then both versions of the Nettle library will be loaded into the program’s address space, and each reference to a symbol will be resolved to the correct version.

Finally, some of Nettle’s symbols are internal. They carry a leading underscore, and are not declared in installed header files. They can be used for local or experimental purposes, but programs referring directly to those symbols get neither API nor ABI compatibility, not even between minor versions.

Next: , Previous: , Up: Nettle   [Contents][Index]

4 Reference

This chapter describes all the Nettle functions, grouped by family.

Next: , Up: Reference   [Contents][Index]

4.1 Hash functions

A cryptographic hash function is a function that takes variable size strings, and maps them to strings of fixed, short, length. There are naturally lots of collisions, as there are more possible 1MB files than 20 byte strings. But the function is constructed such that is hard to find the collisions. More precisely, a cryptographic hash function H should have the following properties:

One-way

Given a hash value H(x) it is hard to find a string x that hashes to that value.

Collision-resistant

It is hard to find two different strings, x and y, such that H(x) = H(y).

Hash functions are useful as building blocks for digital signatures, message authentication codes, pseudo random generators, association of unique ids to documents, and many other things.

The SHA1 hash function is still quite commonly used, even though it fails the collision-resistance requirement; cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main variants SHA256 and SHA512) and SHA3 (several variants, including SHA3-256, SHAKE256 and SHA3-512).

Next: , Previous: , Up: Hash functions   [Contents][Index]

4.1.2 Miscellaneous hash functions

4.1.2.1 STREEBOG512

STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It outputs hash values of 512 bits, or 64 octets. Nettle defines STREEBOG512 in <nettle/streebog.h>.

Context struct: struct streebog512_ctx
Constant: STREEBOG512_DIGEST_SIZE

The size of a STREEBOG512 digest, i.e. 64.

Constant: STREEBOG512_BLOCK_SIZE

The internal block size of STREEBOG512. Useful for some special constructions, in particular HMAC-STREEBOG512.

Function: void streebog512_init (struct streebog512_ctx *ctx)

Initialize the STREEBOG512 state.

Function: void streebog512_update (struct streebog512_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void streebog512_digest (struct streebog512_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing STREEBOG512_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as streebog512_init.

4.1.2.2 STREEBOG256

STREEBOG256 is a variant of STREEBOG512, with a different initial state, and with the output truncated to 256 bits, or 32 octets. Nettle defines STREEBOG256 in <nettle/streebog.h>.

Context struct: struct streebog256_ctx
Constant: STREEBOG256_DIGEST_SIZE

The size of a STREEBOG256 digest, i.e. 32.

Constant: STREEBOG256_BLOCK_SIZE

The internal block size of STREEBOG256. Useful for some special constructions, in particular HMAC-STREEBOG256.

Function: void streebog256_init (struct streebog256_ctx *ctx)

Initialize the STREEBOG256 state.

Function: void streebog256_update (struct streebog256_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void streebog256_digest (struct streebog256_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing STREEBOG256_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as streebog256_init.

4.1.2.3 SM3

SM3 is a cryptographic hash function standard adopted by the government of the People’s Republic of China, which was issued by the Cryptography Standardization Technical Committee of China on December 17, 2010. The corresponding standard is GM/T 0004-2012 “SM3 Cryptographic Hash Algorithm”.

SM3 algorithm is a hash algorithm in ShangMi cryptosystems. SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and the RFC 8998 specification defines the usage of ShangMi algorithm suite in TLS 1.3, etc. According to the State Cryptography Administration of China, its security and efficiency are equivalent to SHA-256.

Nettle defines SM3 in <nettle/sm3.h>.

Context struct: struct sm3_ctx
Constant: SM3_DIGEST_SIZE

The size of a SM3 digest, i.e. 32.

Constant: SM3_BLOCK_SIZE

The internal block size of SM3. Useful for some special constructions, in particular HMAC-SM3.

Function: void sm3_init (struct sm3_ctx *ctx)

Initialize the SM3 state.

Function: void sm3_update (struct sm3_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sm3_digest (struct sm3_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing SM3_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as sm3_init.

Next: , Previous: , Up: Hash functions   [Contents][Index]

4.1.3 Legacy hash functions

The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a “legacy” hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model.

4.1.3.1 MD5

MD5 is a message digest function constructed by Ronald Rivest, and described in RFC 1321. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in <nettle/md5.h>.

Context struct: struct md5_ctx
Constant: MD5_DIGEST_SIZE

The size of an MD5 digest, i.e. 16.

Constant: MD5_BLOCK_SIZE

The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5.

Function: void md5_init (struct md5_ctx *ctx)

Initialize the MD5 state.

Function: void md5_update (struct md5_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md5_digest (struct md5_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing MD5_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as md5_init.

Function: void md5_compress (const uint32_t *state, uint8_t *input)

Perform a raw MD5 compress on MD5_BLOCK_SIZE bytes from input using state as IV (an array of 4 uint32_t). The output is stored in state. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard MD5).

The normal way to use MD5 is to call the functions in order: First md5_init, then md5_update zero or more times, and finally md5_digest. After md5_digest, the context is reset to its initial state, so you can start over calling md5_update to hash new data.

To start over, you can call md5_init at any time.

4.1.3.2 MD2

MD2 is another hash function of Ronald Rivest’s, described in RFC 1319. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in <nettle/md2.h>.

Context struct: struct md2_ctx
Constant: MD2_DIGEST_SIZE

The size of an MD2 digest, i.e. 16.

Constant: MD2_BLOCK_SIZE

The internal block size of MD2.

Function: void md2_init (struct md2_ctx *ctx)

Initialize the MD2 state.

Function: void md2_update (struct md2_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md2_digest (struct md2_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing MD2_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as md2_init.

4.1.3.3 MD4

MD4 is a predecessor of MD5, described in RFC 1320. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in <nettle/md4.h>. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols.

Context struct: struct md4_ctx
Constant: MD4_DIGEST_SIZE

The size of an MD4 digest, i.e. 16.

Constant: MD4_BLOCK_SIZE

The internal block size of MD4.

Function: void md4_init (struct md4_ctx *ctx)

Initialize the MD4 state.

Function: void md4_update (struct md4_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md4_digest (struct md4_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing MD4_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as md4_init.

4.1.3.4 RIPEMD160

RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in nettle/ripemd160.h.

Context struct: struct ripemd160_ctx
Constant: RIPEMD160_DIGEST_SIZE

The size of a RIPEMD160 digest, i.e. 20.

Constant: RIPEMD160_BLOCK_SIZE

The internal block size of RIPEMD160.

Function: void ripemd160_init (struct ripemd160_ctx *ctx)

Initialize the RIPEMD160 state.

Function: void ripemd160_update (struct ripemd160_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void ripemd160_digest (struct ripemd160_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing RIPEMD160_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as ripemd160_init.

4.1.3.5 SHA1

SHA1 is a hash function specified by NIST (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in <nettle/sha1.h>.

Context struct: struct sha1_ctx
Constant: SHA1_DIGEST_SIZE

The size of a SHA1 digest, i.e. 20.

Constant: SHA1_BLOCK_SIZE

The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1.

Function: void sha1_init (struct sha1_ctx *ctx)

Initialize the SHA1 state.

Function: void sha1_update (struct sha1_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha1_digest (struct sha1_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing SHA1_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as sha1_init.

Function: void sha1_compress (const uint32_t *state, uint8_t *input)

Perform a raw SHA1 compress on SHA1_BLOCK_SIZE bytes from input using state as IV (an array of 5 uint32_t). The output is stored in state. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA1).

4.1.3.6 GOSTHASH94 and GOSTHASH94CP

The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see RFC 4357). It outputs message digests of 256 bits, or 32 octets. The standard itself does not fix the S-box used by the hash algorith, so there are two popular variants (the testing S-box from the standard itself and the S-box defined by CryptoPro company, see RFC 4357). Nettle provides support for the former S-box in the form of GOSTHASH94 hash algorithm and for the latter in the form of GOSTHASH94CP hash algorithm. Nettle defines GOSTHASH94 and GOSTHASH94CP in <nettle/gosthash94.h>.

Context struct: struct gosthash94_ctx
Constant: GOSTHASH94_DIGEST_SIZE

The size of a GOSTHASH94 digest, i.e. 32.

Constant: GOSTHASH94_BLOCK_SIZE

The internal block size of GOSTHASH94, i.e., 32.

Function: void gosthash94_init (struct gosthash94_ctx *ctx)

Initialize the GOSTHASH94 state.

Function: void gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void gosthash94_digest (struct gosthash94_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing GOSTHASH94_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as gosthash94_init.

Context struct: struct gosthash94cp_ctx
Constant: GOSTHASH94CP_DIGEST_SIZE

The size of a GOSTHASH94CP digest, i.e. 32.

Constant: GOSTHASH94CP_BLOCK_SIZE

The internal block size of GOSTHASH94CP, i.e., 32.

Function: void gosthash94cp_init (struct gosthash94cp_ctx *ctx)

Initialize the GOSTHASH94CP state.

Function: void gosthash94cp_update (struct gosthash94cp_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void gosthash94cp_digest (struct gosthash94cp_ctx *ctx, uint8_t *digest)

Performs final processing and extracts the message digest, writing GOSTHASH94CP_DIGEST_SIZE octets to digest.

This function also resets the context in the same way as gosthash94cp_init.

Previous: , Up: Hash functions   [Contents][Index]

4.1.4 The struct nettle_hash abstraction

Nettle includes a struct including information about the supported hash functions. It is defined in <nettle/nettle-meta.h>, and is used by Nettle’s implementation of HMAC (see Keyed Hash Functions).

Meta struct: struct nettle_hash name context_size digest_size block_size init update digest

The last three attributes are function pointers, of types nettle_hash_init_func *, nettle_hash_update_func *, and nettle_hash_digest_func *. The first argument to these functions is void * pointer to a context struct, which is of size context_size.

Constant Struct: struct nettle_hash nettle_md2
Constant Struct: struct nettle_hash nettle_md4
Constant Struct: struct nettle_hash nettle_md5
Constant Struct: struct nettle_hash nettle_ripemd160
Constant Struct: struct nettle_hash nettle_sha1
Constant Struct: struct nettle_hash nettle_sha224
Constant Struct: struct nettle_hash nettle_sha256
Constant Struct: struct nettle_hash nettle_sha384
Constant Struct: struct nettle_hash nettle_sha512
Constant Struct: struct nettle_hash nettle_sha3_256
Constant Struct: struct nettle_hash nettle_gosthash94
Constant Struct: struct nettle_hash nettle_gosthash94cp
Constant Struct: struct nettle_hash nettle_sm3

These are all the hash functions that Nettle implements.

Nettle also exports a list of all these hashes.

Function: const struct nettle_hash ** nettle_get_hashes (void)

Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_hashes

A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., nettle_hashes[0]->name for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases.

Next: , Previous: , Up: Reference   [Contents][Index]

4.2 Cipher functions

A cipher is a function that takes a message or plaintext and a secret key and transforms it to a ciphertext. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key.

There are two main classes of ciphers: Block ciphers and stream ciphers.

A block cipher can process data only in fixed size chunks, called blocks. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called ECB, Electronic Code Book mode. However, using ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some “feedback mode”, CBC (Cipher Block Chaining) and CTR (Counter mode) being two of of the most popular. See See Cipher modes, for information on how to apply CBC and CTR with Nettle.

A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of n octets, you key the generator, generate n octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered.

Caution: The first rule for this kind of cipher is the same as for a One Time Pad: never ever use the same key twice.

A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you’re reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can’t decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in CBC mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message.

It is recommended to always use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like HMAC-SHA1 (see Keyed Hash Functions), or digital signatures like RSA.

Some ciphers have so called “weak keys”, keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don’t have any weak keys.

To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as key setup. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption.

Next: , Up: Cipher functions   [Contents][Index]

4.2.1 AES

AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen.

Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in <nettle/aes.h>, and there is one context struct for each key size.

Context struct: struct aes128_ctx
Context struct: struct aes192_ctx
Context struct: struct aes256_ctx
Constant: AES_BLOCK_SIZE

The AES block-size, 16.

Constant: AES128_KEY_SIZE
Constant: AES192_KEY_SIZE
Constant: AES256_KEY_SIZE
Constant: AES_KEY_SIZE

Default AES key size, 32.

Function: void aes128_set_encrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
Function: void aes128_set_decrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
Function: void aes192_set_encrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
Function: void aes192_set_decrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
Function: void aes256_set_encrypt_key (struct aes256_ctx *ctx, const uint8_t *key)
Function: void aes256_set_decrypt_key (struct aes256_ctx *ctx, const uint8_t *key)

Initialize the cipher, for encryption or decryption, respectively.

Function: void aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src)
Function: void aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src)
Function: void aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src)

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the same key, because calling, e.g., aes128_set_encrypt_key and aes128_invert_key, is more efficient than calling aes128_set_encrypt_key and aes128_set_decrypt_key.

Function: void aes128_encrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes192_encrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes256_encrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void aes128_decrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes192_decrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes256_decrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to the encryption functions above.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.2 Arcfour

ARCFOUR is a historic stream cipher, also known under the trade marked name RC4, and was a widely used fast stream cipher.

We do not recommend the use of ARCFOUR; the Nettle implementation is provided primarily for interoperability with existing applications and standards.

One problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like “secret:1”, “secret:2”, .... If you have keys that don’t look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR.

Another problem is that the output is distinguishable from random data, and that the initial bytes of the generated key stream leak information about the key; for this reason, it was sometimes recommended to discard the first 512, 768 or 1024 bytes of the key stream. 

/* A more robust key setup function for ARCFOUR */
void
arcfour_set_key_hashed(struct arcfour_ctx *ctx,
                       size_t length, const uint8_t *key)
{
  struct sha256_ctx hash;
  uint8_t digest[SHA256_DIGEST_SIZE];
  uint8_t buffer[0x200];

  sha256_init(&hash);
  sha256_update(&hash, length, key);
  sha256_digest(&hash, digest);

  arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest);
  arcfour_crypt(ctx, sizeof(buffer), buffer, buffer);
}

Nettle defines ARCFOUR in <nettle/arcfour.h>.

Context struct: struct arcfour_ctx
Constant: ARCFOUR_MIN_KEY_SIZE

Minimum key size, 1.

Constant: ARCFOUR_MAX_KEY_SIZE

Maximum key size, 256.

Constant: ARCFOUR_KEY_SIZE

Default ARCFOUR key size, 16.

Function: void arcfour_set_key (struct arcfour_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void arcfour_crypt (struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called arcfour_crypt only once with all the data.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.3 Arctwo

ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to sci.crypt by Peter Gutmann.

ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, ekb. This parameter can be used to artificially reduce the key size. In practice, ekb is usually set equal to the input key size. Nettle defines ARCTWO in <nettle/arctwo.h>.

We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards.

Context struct: struct arctwo_ctx
Constant: ARCTWO_BLOCK_SIZE

The ARCTWO block-size, 8.

Constant: ARCTWO_MIN_KEY_SIZE
Constant: ARCTWO_MAX_KEY_SIZE
Constant: ARCTWO_KEY_SIZE

Default ARCTWO key size, 8.

Function: void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t *key, unsigned ekb)
Function: void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)
Function: void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for ekb is 1024, and for convenience, ekb = 0 has the same effect as ekb = 1024.

arctwo_set_key(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 8*length), and arctwo_set_key_gutmann(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 1024)

Function: void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to arctwo_encrypt

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.4 Blowfish

BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in <nettle/blowfish.h>.

Context struct: struct blowfish_ctx
Constant: BLOWFISH_BLOCK_SIZE

The BLOWFISH block-size, 8.

Constant: BLOWFISH_MIN_KEY_SIZE

Minimum BLOWFISH key size, 8.

Constant: BLOWFISH_MAX_KEY_SIZE

Maximum BLOWFISH key size, 56.

Constant: BLOWFISH_KEY_SIZE

Default BLOWFISH key size, 16.

Function: int blowfish_set_key (struct blowfish_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value.

blowfish_encrypt or blowfish_decrypt with a weak key will crash with an assert violation.

Function: void blowfish_encrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void blowfish_decrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to blowfish_encrypt

Function: int blowfish_bcrypt_hash (char *dst, size_t lenkey, const char *key, size_t lenscheme, const char *scheme, int log2rounds, const uint8_t *salt)

Compute the bcrypt password hash. The function will return 0 if the hash cannot be computed due to invalid input. The function will return 1 and store the computed hash in the array pointed to by dst. The hash is computed based on the chosen scheme, number of rounds log2rounds and specified salt.

dst must point to a character array of at least BLOWFISH_BCRYPT_HASH_SIZE bytes.

key contains the plaintext password string of size lenkey.

scheme is of size lenscheme and contains either just the chosen scheme (valid schemes are: 2a, 2b, 2x or 2y), or (the prefix of) an existing hashed password (typically $2b$10$...).

log2rounds contains the log2 of the number of encryption rounds that must be used to compute the hash. If it is -1 the value will be extracted from scheme.

salt should point to an array of BLOWFISH_BCRYPT_BINSALT_SIZE random bytes to be used to perturb the hash computation. If it is NULL the salt will be extracted from scheme.

Sample code to generate a bcrypt hash: 

char password[] = "ExamplePassword";
char scheme[] = "2b";
uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE];
...
/* Make sure that salt is filled with random bytes */
...
char hash[BLOWFISH_BCRYPT_HASH_SIZE];
int result = blowfish_bcrypt(hash,
                             sizeof(password) - 1, password,
                             sizeof(scheme) - 1, scheme, 10, salt);
if (result)
  printf("%s\n", hash);
Function: int blowfish_bcrypt_verify (size_t lenkey, const char *key, size_t lenhashed, const char *hashed)

Verifies the bcrypt password hash against the supplied plaintext password. The function will return 0 if the password does not match. The function will return 1 if the password matches.

key contains the plaintext password string of size lenkey.

hashed contains the hashed string of size lenhashed to compare with.

Sample code to verify a bcrypt hash: 

char password[] = "ExamplePassword";
char hash[] =
  "$2y$"  /* Hash algorithm version */
  "10"   /* 2^10 hash rounds (strength) */
  "$"   /* separator */
  "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */
  "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */
if (blowfish_bcrypt_verify(sizeof(password) - 1, password,
                           sizeof(hash) - 1, hash))
  printf("Password is correct.");
else
  printf("Password is incorrect.");

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.5 Camellia

Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in RFC3713. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at https://www.ntt.co.jp/news/news01e/0104/010417.html, but this statement has some limitations which seem problematic for free software.

Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in <nettle/camellia.h>, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, struct camellia_ctx, for all key sizes. This interface kept for backwards compatibility).

Context struct: struct camellia128_ctx
Context struct: struct camellia192_ctx
Context struct: struct camellia256_ctx

Contexts structs. Actually, camellia192_ctx is an alias for camellia256_ctx.

Context struct: struct camellia_ctx

Alternative struct, for the old Camellia interface.

Constant: CAMELLIA_BLOCK_SIZE

The CAMELLIA block-size, 16.

Constant: CAMELLIA128_KEY_SIZE
Constant: CAMELLIA192_KEY_SIZE
Constant: CAMELLIA256_KEY_SIZE
Constant: CAMELLIA_MIN_KEY_SIZE
Constant: CAMELLIA_MAX_KEY_SIZE
Constant: CAMELLIA_KEY_SIZE

Default CAMELLIA key size, 32.

Function: void camellia128_set_encrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
Function: void camellia128_set_decrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
Function: void camellia192_set_encrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
Function: void camellia192_set_decrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
Function: void camellia256_set_encrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
Function: void camellia256_set_decrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
Function: void camellia_set_encrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)
Function: void camellia_set_decrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher, for encryption or decryption, respectively.

Function: void camellia128_invert_key (struct camellia128_ctx *dst, const struct camellia128_ctx *src)
Function: void camellia192_invert_key (struct camellia192_ctx *dst, const struct camellia192_ctx *src)
Function: void camellia256_invert_key (struct camellia256_ctx *dst, const struct camellia256_ctx *src)
Function: void camellia_invert_key (struct camellia_ctx *dst, const struct camellia_ctx *src)

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the same key.

Function: void camellia128_crypt (struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia192_crypt (struct camellia192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia256_crypt (struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia_crypt (struct camellia_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

The same function is used for both encryption and decryption. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.6 CAST128

CAST-128 is a block cipher, specified in RFC 2144. It uses a 64 bit (8 octets) block size, and a key size of 128 bits. It is possible, but discouraged, to use the same algorithm with shorter keys. Nettle refers to the variant with variable key size as CAST-5. Keys for CAST-5 are zero padded to 128 bits, and with very short keys, less than 80 bits, encryption also uses fewer rounds than CAST128. Nettle defines cast128 in <nettle/cast128.h>.

Context struct: struct cast128_ctx
Constant: CAST128_BLOCK_SIZE

The CAST128 block-size, 8.

Constant: CAST128_KEY_SIZE

The CAST128 key size, 16.

Constant: CAST5_MIN_KEY_SIZE

Minimum CAST5 key size, 5.

Constant: CAST5_MAX_KEY_SIZE

Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 is the same as CAST-128.

Function: void cast128_set_key (struct cast128_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void cast128_encrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void cast128_decrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to cast128_encrypt

Function: void cast5_set_key (struct cast128_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. This variant of the key setup takes the key size as argument. The same function is used for both encryption and decryption.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.7 ChaCha

ChaCha is a variant of the stream cipher Salsa20 (see Salsa20), below, also designed by D. J. Bernstein. Nettle defines ChaCha in <nettle/chacha.h>.

Context struct: struct chacha_ctx
Constant: CHACHA_KEY_SIZE

ChaCha key size, 32.

Constant: CHACHA_BLOCK_SIZE

ChaCha block size, 64.

Constant: CHACHA_NONCE_SIZE

Size of the nonce, 8.

Constant: CHACHA_COUNTER_SIZE

Size of the counter, 8.

Function: void chacha_set_key (struct chacha_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you must also call chacha_set_nonce, see below.

Function: void chacha_set_nonce (struct chacha_ctx *ctx, const uint8_t *nonce)

Sets the nonce. It is always of size CHACHA_NONCE_SIZE, 8 octets. This function also initializes the block counter, setting it to zero.

Function: void chacha_set_counter (struct chacha_ctx *ctx, const uint8_t *counter)

Sets the block counter. It is always of size CHACHA_COUNTER_SIZE, 8 octets. This is rarely needed since chacha_set_nonce initializes the block counter to zero. When it is still necessary, this function must be called after chacha_set_nonce.

Function: void chacha_crypt (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to chacha_crypt, all but the last call must use a length that is a multiple of CHACHA_BLOCK_SIZE.

4.2.7.1 32-bit counter variant

While the original paper uses 64-bit counter value, the variant defined in RFC 8439 uses 32-bit counter value. This variant is particularly useful for see ChaCha-Poly1305 AEAD construction, which supports 12-octet nonces.

Constant: CHACHA_NONCE96_SIZE

Size of the nonce, 12.

Constant: CHACHA_COUNTER32_SIZE

Size of the counter, 4.

Function: void chacha_set_nonce96 (struct chacha_ctx *ctx, const uint8_t *nonce)

Sets the nonce. This is similar to the above chacha_set_nonce, but the input is always of size CHACHA_NONCE96_SIZE, 12 octets.

Function: void chacha_set_counter32 (struct chacha_ctx *ctx, const uint8_t *counter)

Sets the block counter. This is similar to the above chacha_set_counter, but the input is always of size CHACHA_COUNTER32_SIZE, 4 octets.

Function: void chacha_crypt32 (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using ChaCha. This is similar to the above chacha_crypt, but it assumes the internal counter value is 32-bit long and the nonce is 96-bit long.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.8 DES

DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key.

The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn’t be using plain DES at all today, if one uses DES at all one should be using “triple DES”, see DES3 below.

DES also has some weak keys. Nettle defines DES in <nettle/des.h>.

Context struct: struct des_ctx
Constant: DES_BLOCK_SIZE

The DES block-size, 8.

Constant: DES_KEY_SIZE

DES key size, 8.

Function: int des_set_key (struct des_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value.

Function: void des_encrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void des_decrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to des_encrypt

Function: int des_check_parity (size_t length, const uint8_t *key)

Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity.

Function: void des_fix_parity (size_t length, uint8_t *dst, const uint8_t *src)

Adjusts the parity bits to match DES’s requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. dst and src may be equal.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.9 DES3

The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits.

The standard way to increase DES’s key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then decrypt it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as “ede” triple-DES, for “encrypt-decrypt-encrypt”.

The “ede” construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3.

DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a “two-key” variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force.

Naturally, it’s simple to implement triple-DES on top of Nettle’s DES functions. Nettle includes an implementation of three-key “ede” triple-DES, it is defined in the same place as plain DES, <nettle/des.h>.

Context struct: struct des3_ctx
Constant: DES3_BLOCK_SIZE

The DES3 block-size is the same as DES_BLOCK_SIZE, 8.

Constant: DES3_KEY_SIZE

DES key size, 24.

Function: int des3_set_key (struct des3_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don’t care about weak keys can ignore the return value.

For random-looking strings, you can use des_fix_parity to adjust the parity bits before calling des3_set_key.

Function: void des3_encrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void des3_decrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to des_encrypt

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.10 Salsa20

Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, see Counter mode). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions.

Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It’s also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets).

Caution: The hash function used in Salsa20 is not directly applicable for use as a general hash function. It’s not collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size.

When using Salsa20 to process a message, one specifies both a key and a nonce, the latter playing a similar rôle to the initialization vector (IV) used with CBC or CTR mode. One can use the same key for several messages, provided one uses a unique random iv for each message. The iv is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in <nettle/salsa20.h>.

Context struct: struct salsa20_ctx
Constant: SALSA20_128_KEY_SIZE
Constant: SALSA20_256_KEY_SIZE

The two supported key sizes, 16 and 32 octets.

Constant: SALSA20_KEY_SIZE

Recommended key size, 32.

Constant: SALSA20_BLOCK_SIZE

Salsa20 block size, 64.

Constant: SALSA20_NONCE_SIZE

Size of the nonce, 8.

Function: void salsa20_128_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
Function: void salsa20_256_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
Function: void salsa20_set_key (struct salsa20_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. salsa20_128_set_key and salsa20_128_set_key use a fix key size each, 16 and 32 octets, respectively. The function salsa20_set_key is provided for backwards compatibility, and the length argument must be either 16 or 32. Before using the cipher, you must also call salsa20_set_nonce, see below.

Function: void salsa20_set_nonce (struct salsa20_ctx *ctx, const uint8_t *nonce)

Sets the nonce. It is always of size SALSA20_NONCE_SIZE, 8 octets. This function also initializes the block counter, setting it to zero.

Function: void salsa20_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to salsa20_crypt, all but the last call must use a length that is a multiple of SALSA20_BLOCK_SIZE.

The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see https://www.ecrypt.eu.org/stream/finallist.html. Nettle calls this variant salsa20r12. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption.

Function: void salsa20r12_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.11 Serpent

SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES’. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in <nettle/serpent.h>.

Context struct: struct serpent_ctx
Constant: SERPENT_BLOCK_SIZE

The SERPENT block-size, 16.

Constant: SERPENT_MIN_KEY_SIZE

Minimum SERPENT key size, 16.

Constant: SERPENT_MAX_KEY_SIZE

Maximum SERPENT key size, 32.

Constant: SERPENT_KEY_SIZE

Default SERPENT key size, 32.

Function: void serpent_set_key (struct serpent_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void serpent_encrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void serpent_decrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to serpent_encrypt

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.12 SM4

SM4 is a block cipher standard adopted by the government of the People’s Republic of China, and it was issued by the State Cryptography Administration on March 21, 2012. The standard is GM/T 0002-2012 “SM4 block cipher algorithm”. Nettle defines it in <nettle/sm4.h>.

Context struct: struct sm4_ctx
Constant: SM4_BLOCK_SIZE

The SM4 block-size, 16.

Constant: SM4_KEY_SIZE

Default SM4 key size, 16.

Function: void sm4_set_encrypt_key (struct sm4_ctx *ctx, const uint8_t *key)

Initialize the cipher. The function is used for encryption.

Function: void sm4_set_decrypt_key (struct sm4_ctx *ctx, const uint8_t *key)

Initialize the cipher. The function is used for decryption.

Function: void sm4_crypt (const struct sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Cryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way. The same function is used for both encryption and decryption.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

4.2.13 Twofish

Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in <nettle/twofish.h>.

Context struct: struct twofish_ctx
Constant: TWOFISH_BLOCK_SIZE

The TWOFISH block-size, 16.

Constant: TWOFISH_MIN_KEY_SIZE

Minimum TWOFISH key size, 16.

Constant: TWOFISH_MAX_KEY_SIZE

Maximum TWOFISH key size, 32.

Constant: TWOFISH_KEY_SIZE

Default TWOFISH key size, 32.

Function: void twofish_set_key (struct twofish_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void twofish_encrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void twofish_decrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to twofish_encrypt

Previous: , Up: Cipher functions   [Contents][Index]

4.2.14 The struct nettle_cipher abstraction

Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in <nettle/nettle-meta.h>.

Meta struct: struct nettle_cipher name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt

The last four attributes are function pointers, of types nettle_set_key_func * and nettle_cipher_func *. The first argument to these functions is a const void * pointer to a context struct, which is of size context_size.

Constant Struct: struct nettle_cipher nettle_aes128
Constant Struct: struct nettle_cipher nettle_aes192
Constant Struct: struct nettle_cipher nettle_aes256
Constant Struct: struct nettle_cipher nettle_arctwo40
Constant Struct: struct nettle_cipher nettle_arctwo64
Constant Struct: struct nettle_cipher nettle_arctwo128
Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128
Constant Struct: struct nettle_cipher nettle_arcfour128
Constant Struct: struct nettle_cipher nettle_camellia128
Constant Struct: struct nettle_cipher nettle_camellia192
Constant Struct: struct nettle_cipher nettle_camellia256
Constant Struct: struct nettle_cipher nettle_cast128
Constant Struct: struct nettle_cipher nettle_serpent128
Constant Struct: struct nettle_cipher nettle_serpent192
Constant Struct: struct nettle_cipher nettle_serpent256
Constant Struct: struct nettle_cipher nettle_twofish128
Constant Struct: struct nettle_cipher nettle_twofish192
Constant Struct: struct nettle_cipher nettle_twofish256

Nettle includes such structs for all the regular ciphers, i.e. ones without weak keys or other oddities.

Nettle also exports a list of all these ciphers without weak keys or other oddities.

Function: const struct nettle_cipher ** nettle_get_ciphers (void)

Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_ciphers

A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers.

Next: , Previous: , Up: Reference   [Contents][Index]

4.3 Cipher modes

Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher’s block size. As explained in See Cipher functions, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, ECB), leaks information.

Besides ECB, Nettle provides several other modes of operation: Cipher Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB and CFB8), XEX-based tweaked-codebook mode with ciphertext stealing (XTS) and a couple of AEAD modes (see Authenticated encryption with associated data). CBC is widely used, but there are a few subtle issues of information leakage, see, e.g., SSH CBC vulnerability. Today, CTR is usually preferred over CBC.

Modes like CBC, CTR, CFB and CFB8 provide no message authentication, and should always be used together with a MAC (see Keyed Hash Functions) or signature to authenticate the message.

Next: , Up: Cipher modes   [Contents][Index]

4.3.1 Cipher Block Chaining

When using CBC mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in CBC mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an IV, or Initialization Vector, is used as the “previous ciphertext block”. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data.

In symbols, if E_k is the encryption function of a block cipher, and IV is the initialization vector, then n plaintext blocks M_1,… M_n are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IV  XOR M_1)
C_2 = E_k(C_1 XOR M_2)

...

C_n = E_k(C_(n-1) XOR M_n)

Nettle provides two main functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. These functions uses const void * to pass cipher contexts around. The CBC interface is defined in <nettle/cbc.h>.

Function: void cbc_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cbc_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CBC mode. The final ciphertext block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cbc_encrypt. The function f is of type

void f (const void *ctx, size_t length, uint8_t dst, const uint8_t *src),

and the cbc_encrypt and cbc_decrypt functions pass their argument ctx on to f.

4.3.1.1 Utility macros

There are also some macros to help use these functions correctly.

Macro: CBC_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}

It can be used to define a CBC context struct, either directly, 

struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) ctx;

or to give it a struct tag, 

struct aes256_cbc_ctx CBC_CTX (struct aes256_ctx, AES_BLOCK_SIZE);
Macro: CBC_SET_IV (ctx, iv)

First argument is a pointer to a context struct as defined by CBC_CTX, and the second is a pointer to an Initialization Vector (IV) that is copied into that context.

Macro: CBC_ENCRYPT (ctx, f, length, dst, src)
Macro: CBC_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cbc_encrypt and cbc_decrypt. The first argument is a pointer to a context struct as defined by CBC_CTX, and the second argument is an encryption or decryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

These macros use some tricks to make the compiler display a warning if the types of f and ctx don’t match, e.g. if you try to use an struct aes256_ctx context with the des_encrypt function.

4.3.1.2 Cipher-specific functions

Encryption in CBC mode (but not decryption!) is inherently serial. It can pass only one block at a time to the block cipher’s encrypt function. Optimizations to process several blocks in parallel can’t be applied, and on platforms where the underlying cipher is fast, per-function-call overhead, e.g., loading subkeys from memory into registers, can be significant. Depending on platform and cipher used, cbc_encrypt can be considerably slower than both cbc_decrypt and CTR mode. The second reason for poor performance can be addressed by having a combined CBC and encrypt function, for ciphers where the overhead is significant.

Nettle currently includes such special functions only for AES.

Function: void cbc_aes128_encrypt (const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cbc_aes192_encrypt (const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cbc_aes256_encrypt (const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Calling cbc_aes128_encrypt(ctx, iv, length, dst, src) does the same thing as calling cbc_encrypt(ctx, aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src), but is more efficient on certain platforms.

Next: , Previous: , Up: Cipher modes   [Contents][Index]

4.3.2 Counter mode

Counter mode (CTR) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher.

The message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size.

If E_k is the encryption function of a block cipher, IC is the initial counter, then the n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IC) XOR M_1
C_2 = E_k(IC + 1) XOR M_2

...

C_(n-1) = E_k(IC + n - 2) XOR M_(n-1)
C_n = E_k(IC + n - 1) [1..m] XOR M_n

The IC is the initial value for the counter, it plays a similar rôle as the IV for CBC. When adding, IC + x, IC is interpreted as an integer, in network byte order. For the last block, E_k(IC + n - 1) [1..m] means that the cipher output is truncated to m bytes.

Function: void ctr_crypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption function f in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence f should always be the encryption function for the underlying block cipher.

When a message is encrypted using a sequence of calls to ctr_crypt, all but the last call must use a length that is a multiple of the block size.

Like for CBC, there are also a couple of helper macros.

Macro: CTR_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t ctr[block_size];
}
Macro: CTR_SET_COUNTER (ctx, iv)

First argument is a pointer to a context struct as defined by CTR_CTX, and the second is a pointer to an initial counter that is copied into that context.

Macro: CTR_CRYPT (ctx, f, length, dst, src)

A simpler way to invoke ctr_crypt. The first argument is a pointer to a context struct as defined by CTR_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Next: , Previous: , Up: Cipher modes   [Contents][Index]

4.3.3 Cipher Feedback mode

Cipher Feedback mode (CFB) and Cipher Feedback 8-bit mode (CFB8) being close relatives to both CBC mode and CTR mode borrow some characteristics from stream ciphers.

For CFB the message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size.

If E_k is the encryption function of a block cipher, IV is the initialization vector, then the n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IV) XOR M_1
C_2 = E_k(C_1) XOR M_2

...

C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1)
C_n = E_k(C_(n - 1)) [1..m] XOR M_n

Cipher Feedback 8-bit mode (CFB8) transforms block cipher into a stream cipher. The message is encrypted byte after byte, not requiring any padding.

If E_k is the encryption function of a block cipher, b is E_k block size, IV is the initialization vector, then the n plaintext bytes are transformed into n ciphertext bytes C_1,… C_n as follows: 

I_1 = IV
C_1 = E_k(I_1) [1..8] XOR M_1
I_2 = I_1 [9..b] << 8 | C_1
C_2 = E_k(I_2) [1..8] XOR M_2

...

I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2)
C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1)
I_n = I_(n-1) [9..b] << 8 | C_(n-1)
C_n = E_k(I_n) [1..8] XOR M_n

Nettle’s includes functions for applying a block cipher in Cipher Feedback (CFB) and Cipher Feedback 8-bit (CFB8) modes. These functions uses void * to pass cipher contexts around.

Function: void cfb_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cfb_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CFB mode. The final ciphertext block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cfb_encrypt. Note that for CFB mode internally uses encryption only function and hence f should always be the encryption function for the underlying block cipher.

When a message is encrypted using a sequence of calls to cfb_encrypt, all but the last call must use a length that is a multiple of the block size.

Function: void cfb8_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cfb8_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CFB8 mode. The final IV block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cfb8_encrypt. Note that for CFB8 mode internally uses encryption only function and hence f should always be the encryption function for the underlying block cipher.

Like for CBC, there are also a couple of helper macros.

Macro: CFB_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}
Macro: CFB_SET_IV(ctx, iv)

First argument is a pointer to a context struct as defined by CFB_CTX, and the second is a pointer to an initialization vector that is copied into that context.

Macro: CFB_ENCRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb_encrypt. The first argument is a pointer to a context struct as defined by CFB_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Macro: CFB_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb_decrypt. The first argument is a pointer to a context struct as defined by CFB_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Macro: CFB8_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}
Macro: CFB8_SET_IV (ctx, iv)

First argument is a pointer to a context struct as defined by CFB8_CTX, and the second is a pointer to an initialization vector that is copied into that context.

Macro: CFB8_ENCRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb8_encrypt. The first argument is a pointer to a context struct as defined by CFB8_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Macro: CFB8_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb8_decrypt. The first argument is a pointer to a context struct as defined by CFB8_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Previous: , Up: Cipher modes   [Contents][Index]

4.3.4 XEX-based tweaked-codebook mode with ciphertext stealing

XEX-based tweaked-codebook mode with ciphertext stealing (XTS) is a block mode like (CBC) but tweaked to be able to encrypt partial blocks via a technique called ciphertext stealing, where the last complete block of ciphertext is split and part returned as the last block and part used as plaintext for the second to last block. This mode is principally used to encrypt data at rest where it is not possible to store additional metadata or blocks larger than the plain text. The most common usage is for disk encryption. Due to the fact that ciphertext expansion is not possible, data is not authenticated. This mode should not be used where authentication is critical.

The message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. XTS always uses a fixed blocksize of 128 bit (16 bytes) length.

Unlike other modes, the key is double the size of that for the used cipher mode (for example 256bit for AES-128 and 512bit for AES-256).

XTS encryption mode operates given:

  • A multiplication by a primitive element alpha. MUL a^j here represents the multiplication, where j is the power of alpha, and the input value is converted into a 16 bytes array a_0[k], k = 0,1,..,15. The multiplication is calculated as a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128) a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15 Note that this operation is practically a 1 bit left shift operation with carry propagating from one byte to the next, and if the last bit shift results in a carry the decimal value 135 is XORed into the first byte.
  • The encryption key is provided as the Key = K1 | K2, where | denotes string concatenation. E_k1 is the encryption function of the block cipher using K1 as the key, and E_k2 is the same encryption function using K2
  • A 128 bit tweak value is provided as input and is denoted as IV

The n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows.

For a plaintext length that is a perfect multiple of the XTS block size: 

T_1 = E_k2(IV)
C_1 = E_k1(P_1 XOR T_1) XOR T_1

...

T_n = T_(n-1) MUL a
C_n = E_k1(P_n XOR T_n) XOR T_n

For any other plaintext lengths: 

T_1 = E_k2(IV)
C_1 = E_k1(P_1 XOR T_1) XOR T_1

...

T_(n-2) = T_(n-3) MUL a
C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2)

T_(n-1) = T_(n-2) MUL a
CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1)

T_n = T_(n-1) MUL a
PP = [1..m]Pn | [m+1..128]CC_(n-1)
C_(n-1) = E_k1(PP XOR T_n) XOR T_n

C_n = [1..m]CC_(n-1)

4.3.4.1 General (XTS) interface.

The two general functions to encrypt and decrypt using the XTS block cipher mode are the following:

Function: void xts_encrypt_message (const void *enc_ctx, const void *twk_ctx, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_decrypt_message (const void *dec_ctx, const void *twk_ctx, nettle_cipher_func *decf, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption function encf or the decryption function decf in XTS mode. At least one block (16 bytes) worth of data must be available therefore specifying a length less than 16 bytes is illegal.

The functions encf decf are of type

void f (const void *ctx, size_t length, uint8_t *dst, const uint8_t *src),

and the xts_encrypt_message and xts_decrypt_message functions pass their arguments enc_ctx, twk_ctx and dec_ctx to the functions encf, decf as ctx.

4.3.4.2 XTS-AES interface

The AES XTS functions provide an API for using the XTS mode with the AES block ciphers. The parameters all have the same meaning as the general interface, except that the enc_ctx, dec_ctx, twk_ctx, encf and decf are replaced with an AES context structure called ctx, and a appropriate set-key function must be called before using any of the encryption or decryption functions in this interface.

Context struct: struct xts_aes128_key

Holds state corresponding to the AES-128 block cipher.

Context struct: struct xts_aes256_key

Holds state corresponding to the AES-256 block cipher.

Function: void xts_aes128_set_encrypt_key (struct xts_aes128_key *ctx, const uint8_t *key)
Function: void xts_aes256_set_encrypt_key (struct xts_aes256_key *ctx, const uint8_t *key)
Function: void xts_aes128_set_decrypt_key (struct xts_aes128_key *ctx, const uint8_t *key)
Function: void xts_aes256_set_decrypt_key (struct xts_aes256_key *ctx, const uint8_t *key)

Initializes the encryption or decryption key for the AES block cipher. The length of the key must be double the size of the key for the corresponding cipher (256 bits for AES-128 and 512 bits for AES-256). One of these functions must be called before any of the other functions.

Function: void xts_aes128_encrypt_message (struct xts_aes128_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_aes256_encrypt_message (struct xts_aes256_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_aes128_decrypt_message (struct xts_aes128_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_aes256_decrypt_message (struct xts_aes256_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)

These are identical to xts_encrypt_message and xts_decrypt_message, except that enc_ctx, dec_ctx, twk_ctx, encf and decf are replaced by the ctx context structure.

Next: , Previous: , Up: Reference   [Contents][Index]

4.4 Authenticated encryption with associated data

There are some subtle design choices to be made when combining a block cipher mode without authentication with a MAC. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the “associated data”, which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called AEAD, Authenticated encryption with associated data.

The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step.

For encryption, the inputs are:

  • The key, which can be used for many messages.
  • A nonce, which must be unique for each message using the same key.
  • Additional associated data to be authenticated, but not included in the message.
  • The cleartext message to be encrypted.

The outputs are:

  • The ciphertext, of the same size as the cleartext.
  • A digest or “authentication tag”.

Decryption works the same, but with cleartext and ciphertext interchanged. Most of the currently supported AEAD algorithms use the encryption function of the underlying block cipher, for both encryption and decryption (OCB being a notable exception).

Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle’s low level AEAD functions produce the authentication tag as a separate output for both encryption and decryption.

Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some AEAD may implement more liberal conventions. The CCM mode is a bit special in that it requires the message lengths up front, other AEAD constructions don’t have this restriction.

Of the supported AEAD constructions in Nettle, Galois/Counter mode (GCM) is widely used, and was originally designed for high performance in hardware implementations. Software performance is rather poor unless there’s an efficient “carry-less multiplication” instruction that can be used. Both CCM and EAX use the same building blocks, CTR and CMAC, but the EAX design is cleaner and avoids a couple of inconveniences of CCM. Therefore, EAX seems like a good conservative choice. The ChaCha-Poly1305 scheme is designed for high performance, also on machines without specialized crypto acceleration instructions. The Synthetic Initialization Vector (SIV) modes are designed to not fail catastrophically if a nonce is reused.

Next: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.1 EAX

The EAX mode is an AEAD mode which combines CTR mode encryption, See Counter mode, with a message authentication based on CBC, See Cipher Block Chaining. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). EAX was defined as a reaction to the CCM mode, See Counter with CBC-MAC mode, which uses the same primitives but has some undesirable and inelegant properties.

EAX supports arbitrary nonce size; it’s even possible to use an empty nonce in case only a single message is encrypted for each key.

Nettle’s support for EAX consists of a low-level general interface, some convenience macros, and specific functions for EAX using AES-128 as the underlying cipher. These interfaces are defined in <nettle/eax.h>

4.4.1.1 General EAX interface

Context struct: struct eax_key

EAX state which depends only on the key, but not on the nonce or the message.

Context struct: struct eax_ctx

Holds state corresponding to a particular message.

Constant: EAX_BLOCK_SIZE

EAX’s block size, 16.

Constant: EAX_DIGEST_SIZE

Size of the EAX digest, also 16.

Function: void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f)

Initializes key. cipher gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and f is the encryption function.

Function: void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce)

Initializes ctx for processing a new message, using the given nonce.

Function: void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size. Unlike many other AEAD constructions, for EAX it’s not necessary to complete the processing of all associated data before encrypting or decrypting the message data.

Function: void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest)

Extracts the message digest (also known “authentication tag”), and writes EAX_DIGEST_SIZE octets to digest.

4.4.1.2 EAX helper macros

The following macros are defined.

Macro: EAX_CTX (context_type)

This defines an all-in-one context struct, including the context of the underlying cipher and all EAX state. It expands to 

{
   struct eax_key key;
   struct eax_ctx eax;
   context_type cipher;
}

For all these macros, ctx, is a context struct as defined by EAX_CTX, and encrypt is the encryption function of the underlying cipher.

Macro: EAX_SET_KEY (ctx, set_key, encrypt, key)

set_key is the function for setting the encryption key for the underlying cipher, and key is the key.

Macro: EAX_SET_NONCE (ctx, encrypt, length, nonce)

Sets the nonce to be used for the message.

Macro: EAX_UPDATE (ctx, encrypt, length, data)

Process associated data for authentication.

Macro: EAX_ENCRYPT (ctx, encrypt, length, dst, src)
Macro: EAX_DECRYPT (ctx, encrypt, length, dst, src)

Process message data for encryption or decryption.

Macro: EAX_DIGEST (ctx, encrypt, digest)

Extract the authentication tag for the message.

4.4.1.3 EAX-AES128 interface

The following functions implement EAX using AES-128 as the underlying cipher.

Context struct: struct eax_aes128_ctx

The context struct, defined using EAX_CTX.

Function: void eax_aes128_set_key (struct eax_aes128_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given nonce.

Function: void eax_aes128_update (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_aes128_encrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void eax_aes128_decrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_aes128_digest (struct eax_aes128_ctx *ctx, uint8_t *digest)

Extracts the message digest (also known “authentication tag”), and writes EAX_DIGEST_SIZE octets to digest.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.2 Galois counter mode

Galois counter mode is an AEAD constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular MAC algorithms (see Keyed Hash Functions) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, NIST Special Publication 800-38D. It is constructed on top of a block cipher which must have a block size of 128 bits.

The authentication in GCM has some known weaknesses, see https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf. In particular, don’t use GCM with short authentication tags.

Nettle’s support for GCM consists of a low-level general interface, some convenience macros, and specific functions for GCM using AES or Camellia as the underlying cipher. These interfaces are defined in <nettle/gcm.h>

4.4.2.1 General GCM interface

Context struct: struct gcm_key

Message independent hash sub-key, and related tables.

Context struct: struct gcm_ctx

Holds state corresponding to a particular message.

Constant: GCM_BLOCK_SIZE

GCM’s block size, 16.

Constant: GCM_DIGEST_SIZE

Size of the GCM digest, also 16.

Constant: GCM_IV_SIZE

Recommended size of the IV, 12. Arbitrary sizes are allowed.

Function: void gcm_set_key (struct gcm_key *key, const void *cipher, nettle_cipher_func *f)

Initializes key. cipher gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and f is the encryption function.

Function: void gcm_set_iv (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv)

Initializes ctx using the given IV. The key argument is actually needed only if length differs from GCM_IV_SIZE.

Function: void gcm_update (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_encrypt or gcm_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_decrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_digest (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest)

Extracts the message digest (also known “authentication tag”), and writes GCM_DIGEST_SIZE octets to digest.

To encrypt a message using GCM, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: gcm_set_key, gcm_set_iv, gcm_update, gcm_encrypt, gcm_digest. The decryption procedure is analogous, just calling gcm_decrypt instead of gcm_encrypt (note that GCM decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call gcm_set_iv with a new iv.

4.4.2.2 GCM helper macros

The following macros are defined.

Macro: GCM_CTX (context_type)

This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to 

{
   struct gcm_key key; 
   struct gcm_ctx gcm;
   context_type cipher;
}

Example use: 

struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);

The following macros operate on context structs of this form.

Macro: GCM_SET_KEY (ctx, set_key, encrypt, key)

First argument, ctx, is a context struct as defined by GCM_CTX. set_key and encrypt are functions for setting the encryption key and for encrypting data using the underlying cipher.

Macro: GCM_SET_IV (ctx, length, data)

First argument is a context struct as defined by GCM_CTX. length and data give the initialization vector (IV).

Macro: GCM_UPDATE (ctx, length, data)

Simpler way to call gcm_update. First argument is a context struct as defined by GCM_CTX

Macro: GCM_ENCRYPT (ctx, encrypt, length, dst, src)
Macro: GCM_DECRYPT (ctx, encrypt, length, dst, src)
Macro: GCM_DIGEST (ctx, encrypt, digest)

Simpler way to call gcm_encrypt, gcm_decrypt or gcm_digest. First argument is a context struct as defined by GCM_CTX. Second argument, encrypt, is the encryption function of the underlying cipher.

4.4.2.3 GCM-AES interface

The following functions implement the common case of GCM using AES as the underlying cipher.

Context struct: struct gcm_aes128_ctx
Context struct: struct gcm_aes192_ctx
Context struct: struct gcm_aes256_ctx

Context structs, defined using GCM_CTX.

Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *ctx, const uint8_t *key)
Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *ctx, const uint8_t *key)
Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_aes_encrypt or gcm_aes_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_aes128_digest (struct gcm_aes128_ctx *ctx, uint8_t *digest)
Function: void gcm_aes192_digest (struct gcm_aes192_ctx *ctx, uint8_t *digest)
Function: void gcm_aes256_digest (struct gcm_aes256_ctx *ctx, uint8_t *digest)

Extracts the message digest (also known “authentication tag”), and writes GCM_DIGEST_SIZE octets to digest.

4.4.2.4 GCM-Camellia interface

The following functions implement the case of GCM using Camellia as the underlying cipher.

Context struct: struct gcm_camellia128_ctx
Context struct: struct gcm_camellia256_ctx

Context structs, defined using GCM_CTX.

Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx *ctx, const uint8_t *key)
Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_camellia_encrypt or gcm_camellia_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx *ctx, uint8_t *digest)
Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx *ctx, uint8_t *digest)
Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx *ctx, uint8_t *digest)
Function: void gcm_camellia_digest (struct gcm_camellia_ctx *ctx, uint8_t *digest)

Extracts the message digest (also known “authentication tag”), and writes GCM_DIGEST_SIZE octets to digest.

4.4.2.5 GCM-SM4 interface

The following functions implement the case of GCM using SM4 as the underlying cipher.

Context struct: struct gcm_sm4_ctx

Context structs, defined using GCM_CTX.

Function: void gcm_sm4_set_key (struct gcm_sm4_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_sm4_set_iv (struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_sm4_update (struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_sm4_encrypt or gcm_sm4_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_sm4_encrypt (struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_sm4_decrypt (struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_sm4_digest (struct gcm_sm4_ctx *ctx, uint8_t *digest)

Extracts the message digest (also known “authentication tag”), and writes GCM_DIGEST_SIZE octets to digest.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.3 Counter with CBC-MAC mode

CCM mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as EAX, see EAX. It is constructed on top of a block cipher which must have a block size of 128 bits. CCM mode is recommended by NIST in NIST Special Publication 800-38C. Nettle’s support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in <nettle/ccm.h>.

In CCM, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is 2^24 - 1 octets.

CCM mode encryption operates as follows:

  • The nonce and message length are concatenated to create B_0 = flags | nonce | mlength
  • The authenticated data and plaintext is formatted into the string B = L(adata) | adata | padding | plaintext | padding with padding being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and L(adata) is an encoding of the length of adata.
  • The string B is separated into blocks B_1 ... B_n
  • The authentication tag T is calculated as T=0, for i=0 to n, do T = E_k(B_i XOR T)
  • An initial counter is then initialized from the nonce to create IC = flags | nonce | padding, where padding is the shortest string of zero bytes such that IC is exactly one block in length.
  • The authentication tag is encrypted using using CTR mode: MAC = E_k(IC) XOR T. The tag size must be even, at least 4, and at most 16. The intended tag size is encoded into IC via the flags field.
  • The plaintext is then encrypted using CTR mode with an initial counter of IC+1.

CCM mode decryption operates similarly, except that the ciphertext and MAC are first decrypted using CTR mode to retrieve the plaintext and authentication tag. The authentication tag can then be recalculated from the authenticated data and plaintext, and compared to the value in the message to check for authenticity.

4.4.3.1 General CCM interface

For all of the functions in the CCM interface, cipher is the context struct for the underlying cipher and f is the encryption function. The cipher’s encryption key must be set before calling any of the CCM functions. The cipher’s decryption function and key are never used.

Context struct: struct ccm_ctx

Holds state corresponding to a particular message.

Constant: CCM_BLOCK_SIZE

CCM’s block size, 16.

Constant: CCM_DIGEST_SIZE

Recommended size of the CCM digest, 16.

Constant: CCM_MIN_DIGEST_SIZE

Smallest size of the CCM digest, 4.

Constant: CCM_MIN_NONCE_SIZE
Constant: CCM_MAX_NONCE_SIZE

The the minimum and maximum sizes for an CCM nonce, 7 and 14, respectively.

Macro: CCM_MAX_MSG_SIZE (nonce_size)

The largest allowed plaintext length, when using CCM with a nonce of the given size.

Function: void ccm_set_nonce (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)

Initializes ctx using the given nonce and the sizes of the authenticated data, message, and MAC to be processed.

Function: void ccm_update (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data)

Provides associated data to be authenticated. Must be called after ccm_set_nonce, and before ccm_encrypt, ccm_decrypt, or ccm_digest.

Function: void ccm_encrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_decrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the message data. Must be called after ccm_set_nonce and before ccm_digest. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ccm_digest (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It writes taglen octets to the digest area, where taglen is the parameter supplied to ccm_set_nonce earlier. A buffer of size CCM_DIGEST_SIZE, i.e., 16, is always sufficient.

To encrypt a message using the general CCM interface, set the message nonce and length using ccm_set_nonce and then call ccm_update to generate the digest of any authenticated data. After all of the authenticated data has been digested use ccm_encrypt to encrypt the plaintext. Finally, use ccm_digest to return the encrypted MAC.

To decrypt a message, use ccm_set_nonce and ccm_update the same as you would for encryption, and then call ccm_decrypt to decrypt the ciphertext. After decrypting the ciphertext ccm_digest will return the encrypted MAC which should be identical to the MAC in the received message.

4.4.3.2 CCM message interface

The CCM message functions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by mlength and the length of the ciphertext is given by clength, always exactly tlength bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, clength for the encryption functions, and mlength for the decryption functions.

Function: void ccm_encrypt_message (const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the encrypted MAC to ciphertext and outputs it to dst.

Function: int ccm_decrypt_message (const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the MAC from adata and the plaintext, and compares it to the final tlength bytes of src. If the values of the received and calculated MACs are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

4.4.3.3 CCM-AES interface

The AES CCM functions provide an API for using CCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the cipher, f, and ctx parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface.

Context struct: struct ccm_aes128_ctx

Holds state corresponding to a particular message encrypted using the AES-128 block cipher.

Context struct: struct ccm_aes192_ctx

Holds state corresponding to a particular message encrypted using the AES-192 block cipher.

Context struct: struct ccm_aes256_ctx

Holds state corresponding to a particular message encrypted using the AES-256 block cipher.

Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *ctx, const uint8_t *key)
Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *ctx, const uint8_t *key)
Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *ctx, const uint8_t *key)

Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES CCM interface.

Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)

These are identical to ccm_set_nonce, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_update (struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data)
Function: void ccm_aes192_update (struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data)
Function: void ccm_aes256_update (struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data)

These are identical to ccm_update, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

These are identical to ccm_encrypt and ccm_decrypt, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_digest (struct ccm_aes128_ctx *ctx, uint8_t *digest)
Function: void ccm_aes192_digest (struct ccm_aes192_ctx *ctx, uint8_t *digest)
Function: void ccm_aes256_digest (struct ccm_aes256_ctx *ctx, uint8_t *digest)

These are identical to ccm_digest, except that cipher, f, and ctx are replaced with a context structure. The number of octets written to the digest area is determined by the taglen parameter supplied to the corresponding _set_nonce function earlier.

Function: void ccm_aes128_encrypt_message (const struct aes128_ctx *cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_encrypt_message (const struct aes192_ctx *cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_encrypt_message (const struct aes256_ctx *cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes128_decrypt_message (const struct aes128_ctx *cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes192_decrypt_message (const struct aes192_ctx *cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes256_decrypt_message (const struct aes256_ctx *cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

These are identical to ccm_encrypt_message and ccm_decrypt_message except that cipher is an AES context and the encryption function f is implied.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.4 ChaCha-Poly1305

ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (see Poly1305). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha.

Nettle’s implementation of ChaCha-Poly1305 follows RFC 8439, where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte block counter. This allows up to 256 gigabytes of data to be encrypted using the same key and nonce.

For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver’s behaviour) that the forgery succeeded.

The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in <nettle/chacha-poly1305.h>.

Constant: CHACHA_POLY1305_BLOCK_SIZE

Same as the ChaCha block size, 64.

Constant: CHACHA_POLY1305_KEY_SIZE

ChaCha-Poly1305 key size, 32.

Constant: CHACHA_POLY1305_NONCE_SIZE

ChaCha-Poly1305 nonce size, 12.

Constant: CHACHA_POLY1305_DIGEST_SIZE

Digest size, 16.

Context struct: struct chacha_poly1305_ctx
Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key. Before using the context, you must also call chacha_poly1305_set_nonce, see below.

Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce)

Initializes the per-message state, using the given nonce.

Function: void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data)

Process associated data for authentication.

Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, uint8_t *digest)

Extracts the message digest (also known “authentication tag”), and writes CHACHA_POLY1305_DIGEST_SIZE octets to digest.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.5 OCB (Offset Code Book) Mode

The OCB mode is an AEAD construction, featuring particularly fast and simple authentication; it needs one block cipher operation per data block, and almost free authentication. It is constructed on top of a block cipher which must have a block size of 128 bits.

There have been several versions of the OCB scheme, the implementation in Nettle follows RFC 7253, which is almost the same as the scheme OCB3.

4.4.5.1 General interface

Context struct: struct ocb_key

OCB state which depends only on the key, but not on the nonce or the message.

Context struct: struct ocb_ctx

Holds state corresponding to a particular message.

Constant: OCB_BLOCK_SIZE

The block size for OCB’s block size, 16.

Constant: OCB_MAX_NONCE_SIZE

The maximum nonce size for OCB, 15.

Constant: OCB_DIGEST_SIZE

Recommended size of the OCB authentication tag, 16.

Function: void ocb_set_key (struct ocb_key *key, const void *cipher, nettle_cipher_func *f)

Initializes the key struct. The cipher context must be initialized for encryption, and f should be the corresponding encryption function.

Function: void ocb_set_nonce (struct ocb_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t tag_length, size_t nonce_length, const uint8_t *nonce)

Initializes ctx for processing a new message, using the given nonce. The cipher must be initialized for encryption, and f should be the corresponding encryption function. The tag_length (non-zero, and at most 16) is included when initializing the state. Nonce is optional, and length at most 15 bytes.

Function: void ocb_update (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_encrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_decrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t length, uint8_t *dst, const uint8_t *src)

Decrypts the data of a message. encrypt_ctx and encrypt define the encryption operation of the underlying cipher, while decrypt_ctx and decrypt represent the decryption operation (for some ciphers, one of context pointer and function pointer may be the same). All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_digest (const struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It writes tag_length octets to the digest area, where tag_length is the parameter supplied to ocb_set_nonce earlier. A buffer of size OCB_DIGEST_SIZE, i.e., 16, is always sufficient.

Function: void ocb_encrypt_message (const struct ocb_key *ocb_key, const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the tag to the ciphertext and writes it to dst. The clength variable must be equal to the length of src plus tlength.

Function: int ocb_decrypt_message (const struct ocb_key *ocb_key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst. Like ocb_decrypt, it needs both the encrypt and the decrypt function of the underlying cipher. It also recalculates the authentication tag from adata and the plaintext, and compares it to the final tlength bytes of src. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

4.4.5.2 OCB-AES interface

Context struct: struct ocb_aes128_encrypt_key

Key-dependent state for encryption using OCB-AES128. For decryption, a separate struct aes128_ctx, initialized for decryption, is needed as well.

Function: void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *ocb, const uint8_t *key)

Initializes ocb and the underlying AES cipher with the given key.

Function: void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *ocb, struct aes128_ctx *decrypt, const uint8_t *key)

Initializes ocb and the underlying AES cipher with the given key. In addition, initialize decrypt for decryption using the same key; this is needed for ocb_aes128_decrypt and ocb_aes128_decrypt_message.

Function: void ocb_aes128_set_nonce (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t tag_length, size_t nonce_length, const uint8_t *nonce)

Initializes ctx for processing a new message, using the given nonce and key. The tag_length (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to ocb_digest. Nonce is optional, and length at most 15 bytes.

Function: void ocb_aes128_update (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_aes128_encrypt (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_aes128_decrypt (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t length, uint8_t *dst, const uint8_t *src)

Decrypts the data of a message. decrypt is an AES context initialized for decryption using the same key. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_aes128_digest (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. The number of octets written to the digest area is determined by the tag_length parameter supplied to the ocb_aes128_set_nonce function earlier.

Function: void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the tag to the ciphertext and writes it to dst. The clength variable must be equal to the length of src plus tlength.

Function: int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst. Like ocb_aes128_decrypt, it needs an AES context initialized for decryption using the same key. It also recalculates the authentication tag from adata and the plaintext, and compares it to the final tlength bytes of src. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.6 Synthetic Initialization Vector AEAD

SIV-CMAC mode is a combination of counter mode with message authentication based on CMAC. Unlike other counter AEAD modes, it provides protection against accidental nonce misuse, making it a good choice for stateless-servers that cannot ensure nonce uniqueness. It is constructed on top of a block cipher which must have a block size of 128 bits. Nettle’s support for SIV-CMAC consists of a message encryption and authentication interface, for SIV-CMAC using AES as the underlying block cipher. When a nonce is re-used with this mode, message authenticity is retained however an attacker can determine whether the same plaintext was protected with the two messages sharing the nonce. These interfaces are defined in <nettle/siv-cmac.h>.

Unlike other AEAD mode in SIV-CMAC the initialization vector serves as the tag. That means that in the generated ciphertext the tag precedes the ciphertext.

Note also, that the SIV-CMAC algorithm, as specified in RFC 5297, introduces the notion of authenticated data which consist of multiple components. For example with SIV-CMAC the authentication tag of data X followed by Y, is different than the concatenated data X || Y. The interfaces described below follow the AEAD paradigm and do not allow access to this feature and also require the use of a non-empty nonce. In the terminology of the RFC, the input to the S2V function is always a vector of three elements, where S1 is the authenticated data, S2 is the nonce, and S3 is the plaintext.

4.4.6.1 General interface

Constant: SIV_BLOCK_SIZE

SIV-CMAC’s block size, 16.

Constant: SIV_DIGEST_SIZE

Size of the SIV-CMAC digest or initialization vector, 16.

Constant: SIV_MIN_NONCE_SIZE

The the minimum size for an SIV-CMAC nonce, 1.

4.4.6.2 SIV-CMAC-AES interface

The AES SIV-CMAC functions provide an API for using SIV-CMAC mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the cipher, f, and ctx parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface.

Context struct: struct siv_cmac_aes128_ctx

Holds state corresponding to a particular message encrypted using the AES-128 block cipher.

Context struct: struct siv_cmac_aes256_ctx

Holds state corresponding to a particular message encrypted using the AES-256 block cipher.

Function: void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *ctx, const uint8_t *key)
Function: void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *ctx, const uint8_t *key)

Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES SIV-CMAC interface.

Function: void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, prepends the initialization vector to the ciphertext and outputs it to dst. The clength variable must be equal to the length of src plus SIV_DIGEST_SIZE.

Function: int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the initialization vector from adata and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.7 SIV-GCM

SIV-GCM, described in RFC 8452, is an AEAD construction similar to AES-GCM, but provides protection against accidental nonce misuse like SIV-CMAC mode.

It is constructed on top of a block cipher which must have a block size of 128 bits and a nonce size of 12 bytes. Nettle’s support for SIV-GCM consists of a message encryption and authentication interface, for SIV-GCM using AES as the underlying block cipher. These interfaces are defined in <nettle/siv-gcm.h>.

Unlike other AEAD mode in SIV-GCM the tag is calculated over the encoded additional authentication data and plaintext instead of the ciphertext.

4.4.7.1 General interface

Constant: SIV_GCM_BLOCK_SIZE

SIV-GCM’s block size, 16.

Constant: SIV_GCM_DIGEST_SIZE

Size of the SIV-GCM digest for tags, 16.

Constant: SIV_GCM_NONCE_SIZE

Size of the SIV-GCM nonce, 12.

Function: void siv_gcm_encrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the authentication tag to the ciphertext and outputs it to dst. The clength variable must be equal to the length of src plus SIV_GCM_DIGEST_SIZE.

Function: int siv_gcm_decrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the initialization vector from adata and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

In the above interface, nc must point to a cipher that works with 16-byte block size and the key sizes that are multiple of 8-bytes. The ctx context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. While the ctr_ctx context structure must have the same size as ctx, it does not need to be initialized before calling those functions as it is used as working storage. These structures can point to the same area; in that case the contents of *ctx is destroyed by the call.

For convenience, Nettle provides wrapper functions that works with AES described in the following section.

4.4.7.2 SIV-GCM-AES interface

The SIV-GCM functions provide an API for using SIV-GCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the cipher, f, and ctx parameters are replaced with an AES context structure. The AES context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface.

Function: void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the authentication tag to the ciphertext and outputs it to dst. The clength variable must be equal to the length of src plus SIV_GCM_DIGEST_SIZE.

Function: int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the initialization vector from adata and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

4.4.8 The struct nettle_aead abstraction

Nettle includes a struct including information about the supported hash functions. It is defined in <nettle/nettle-meta.h>.

Meta struct: struct nettle_aead name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest

The last seven attributes are function pointers.

Constant Struct: struct nettle_aead nettle_gcm_aes128
Constant Struct: struct nettle_aead nettle_gcm_aes192
Constant Struct: struct nettle_aead nettle_gcm_aes256
Constant Struct: struct nettle_aead nettle_gcm_camellia128
Constant Struct: struct nettle_aead nettle_gcm_camellia256
Constant Struct: struct nettle_aead nettle_eax_aes128
Constant Struct: struct nettle_aead nettle_chacha_poly1305

These are most of the AEAD constructions that Nettle implements. Note that CCM is missing; it requirement that the message size is specified in advance makes it incompatible with the nettle_aead abstraction.

Nettle also exports a list of all these constructions.

Function: const struct nettle_aead ** nettle_get_aeads (void)

Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_aeads

A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers.

Next: , Previous: , Up: Reference   [Contents][Index]

4.5 Keyed Hash Functions

A keyed hash function, or Message Authentication Code (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs.

Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC and attaches it to the message. The receiver, Bob, also computes the MAC of the message, using the same key, and compares that to Alice’s value. If they match, Bob can be assured that the message has not been modified on its way from Alice.

However, unlike digital signatures, this assurance is not transferable. Bob can’t show the message and the MAC to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the same key is used on both sides, and anyone knowing the key can create a correct MAC for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn’t attach a MAC to a particular message, he knows it must be Alice who did it. However, the third party can’t distinguish between a MAC created by Alice and one created by Bob.

Keyed hash functions are typically a lot faster than digital signatures as well.

Next: , Up: Keyed Hash Functions   [Contents][Index]

4.5.1 HMAC

One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is HMAC, described in RFC 2104.

For an underlying hash function H, with digest size l and internal block size b, HMAC-H is constructed as follows: From a given key k, two distinct subkeys k_i and k_o are constructed, both of length b. The HMAC-H of a message m is then computed as H(k_o | H(k_i | m)), where | denotes string concatenation.

HMAC keys can be of any length, but it is recommended to use keys of length l, the digest size of the underlying hash function H. Keys that are longer than b are shortened to length l by hashing with H, so arbitrarily long keys aren’t very useful.

Nettle’s HMAC functions are defined in <nettle/hmac.h>.

4.5.1.1 HMAC-MD5

Context struct: struct hmac_md5_ctx
Function: void hmac_md5_set_key (struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_md5_update (struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_md5_digest (struct hmac_md5_ctx *ctx, uint8_t *digest)

Extracts the MAC, writing MD5_DIGEST_SIZE octets to digest.

This function also resets the context for processing new messages, with the same key.

4.5.1.2 HMAC-RIPEMD160

Context struct: struct hmac_ripemd160_ctx
Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *ctx, uint8_t *digest)

Extracts the MAC, writing RIPEMD160_DIGEST_SIZE octets to digest.

This function also resets the context for processing new messages, with the same key.

4.5.1.3 HMAC-SHA1

Context struct: struct hmac_sha1_ctx
Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha1_update (struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha1_digest (struct hmac_sha1_ctx *ctx, uint8_t *digest)

Extracts the MAC, writing SHA1_DIGEST_SIZE octets to digest.

This function also resets the context for processing new messages, with the same key.

4.5.1.4 HMAC-SHA256

Context struct: struct hmac_sha256_ctx
Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha256_update (struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha256_digest (struct hmac_sha256_ctx *ctx, uint8_t *digest)

Extracts the MAC, writing SHA256_DIGEST_SIZE octets to digest.

This function also resets the context for processing new messages, with the same key.

4.5.1.5 HMAC-SHA512

Context struct: struct hmac_sha512_ctx
Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha512_update (struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha512_digest (struct hmac_sha512_ctx *ctx, uint8_t *digest)

Extracts the MAC, writing SHA512_DIGEST_SIZE octets to digest.

This function also resets the context for processing new messages, with the same key.

4.5.1.6 HMAC-SM3

Context struct: struct hmac_sm3_ctx
Function: void hmac_sm3_set_key (struct hmac_sm3_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sm3_update (struct hmac_sm3_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sm3_digest (struct hmac_sm3_ctx *ctx, uint8_t *digest)

Extracts the MAC, writing SM3_DIGEST_SIZE octets to digest.

This function also resets the context for processing new messages, with the same key.

Next: , Previous: , Up: Keyed Hash Functions   [Contents][Index]

4.5.2 UMAC

UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, See Galois counter mode, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. UMAC is specified in RFC 4418.

The secret key is always 128 bits (16 octets). The key is used as an encryption key for the AES block cipher. This cipher is used in counter mode to generate various internal subkeys needed in UMAC. Messages are of arbitrary size, and for each message, UMAC also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret.

The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle’s implementation of UMAC increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is “abc” (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to “abd”, and this incremented value is zero-padded to 16 octets.

UMAC is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and MAC functions, Nettle’s _digest functions for UMAC accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the umac variant corresponding to the desired size.

The internal block size of UMAC is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and MAC algorithms in Nettle.

Nettle defines UMAC in <nettle/umac.h>.

Context struct: struct umac32_ctx
Context struct: struct umac64_ctx
Context struct: struct umac96_ctx
Context struct: struct umac128_ctx

Each UMAC variant uses its own context struct.

Constant: UMAC_KEY_SIZE

The UMAC key size, 16.

Constant: UMAC_MIN_NONCE_SIZE
Constant: UMAC_MAX_NONCE_SIZE

The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively.

Constant: UMAC32_DIGEST_SIZE

The size of an UMAC32 digest, 4.

Constant: UMAC64_DIGEST_SIZE

The size of an UMAC64 digest, 8.

Constant: UMAC96_DIGEST_SIZE

The size of an UMAC96 digest, 12.

Constant: UMAC128_DIGEST_SIZE

The size of an UMAC128 digest, 16.

Constant: UMAC_BLOCK_SIZE

The internal block size of UMAC.

Function: void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key)
Function: void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key)
Function: void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key)
Function: void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key)

These functions initialize the UMAC context struct. They also initialize the nonce to zero (with length 16, for auto-increment).

Function: void umac32_set_nonce (struct umac32_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac64_set_nonce (struct umac64_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac96_set_nonce (struct umac96_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac128_set_nonce (struct umac128_ctx *ctx, size_t length, const uint8_t *nonce)

Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called before the first _update call for the message.

Function: void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data)

These functions are called zero or more times to process the message.

Function: void umac32_digest (struct umac32_ctx *ctx, uint8_t *digest)
Function: void umac64_digest (struct umac64_ctx *ctx, uint8_t *digest)
Function: void umac96_digest (struct umac96_ctx *ctx, uint8_t *digest)
Function: void umac128_digest (struct umac128_ctx *ctx, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the _set_nonce function explicitly for each message.

Next: , Previous: , Up: Keyed Hash Functions   [Contents][Index]

4.5.3 CMAC

CMAC is a message authentication code based on CBC encryption mode. It is suitable for systems where block ciphers are preferrable and perform better than hash functions. CMAC-128 is specified in RFC4493. The block size is always 128 bits (16 octets). CMAC-64 is specified by NIST Special Publication 800-38B. The block size is always 64 bits (8 octets).

Nettle provides helper functions for CMAC-128 with the AES block cipher and for CMAC-64 with the Tripple-DES block cipher.

Nettle defines CMAC in <nettle/cmac.h>.

Context struct: struct cmac_aes128_ctx
Context struct: struct cmac_aes256_ctx
Constant: CMAC128_DIGEST_SIZE

The size of an CMAC-128 digest, 16.

Function: void cmac_aes128_set_key (struct cmac_aes128_ctx *ctx, const uint8_t *key)

This function initializes the CMAC context struct for AES-128.

Function: void cmac_aes128_update (struct cmac_aes128_ctx *ctx, size_t length, const uint8_t *data)

This function is called zero or more times to process the message.

Function: void cmac_aes128_digest (struct cmac_aes128_ctx *ctx, uint8_t *digest)

Extracts the MAC of the message, writing CMAC128_DIGEST_SIZE octets to digest. This function resets the context for processing of a new message with the same key.

Function: void cmac_aes256_set_key (struct cmac_aes256_ctx *ctx, const uint8_t *key)

This function initializes the CMAC context struct for AES-256.

Function: void cmac_aes256_update (struct cmac_aes256_ctx *ctx, size_t length, const uint8_t *data)

This function is called zero or more times to process the message.

Function: void cmac_aes256_digest (struct cmac_aes256_ctx *ctx, uint8_t *digest)

Extracts the MAC of the message, writing CMAC128_DIGEST_SIZE octets to digest. This function resets the context for processing of a new message with the same key.

Context struct: struct cmac_des3_ctx
Constant: CMAC64_DIGEST_SIZE

The size of an CMAC-64 digest, 8.

Function: void cmac_des3_set_key (struct cmac_des3_ctx *ctx, const uint8_t *key)

This function initializes the CMAC context struct for Tripple-DES.

Function: void cmac_des3_update (struct cmac_des3_ctx *ctx,size_t length, const uint8_t *data)

This function is called zero or more times to process the message.

Function: void cmac_des3_digest (struct cmac_des3_ctx *ctx, uint8_t *digest)

Extracts the MAC of the message, writing CMAC64_DIGEST_SIZE octets to digest. This function resets the context for processing of a new message with the same key.

Previous: , Up: Keyed Hash Functions   [Contents][Index]

4.5.4 Poly1305

Poly1305-AES is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number 2^130 - 5.

The key, 256 bits, consists of two parts, where the first half is an AES-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point r. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the AES key, and that’s the only thing AES is used for.

The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo 2^130 - 5, and the polynomial is evaluated at the point r. Finally, this value is reduced modulo 2^128, and added (also modulo 2^128) to the encrypted nonce, to produce an 128-bit authenticator for the message. See https://cr.yp.to/mac/poly1305-20050329.pdf for further details.

Clearly, variants using a different cipher than AES could be defined. Another variant is the ChaCha-Poly1305 AEAD construction (see ChaCha-Poly1305). Nettle defines Poly1305-AES in nettle/poly1305.h.

Constant: POLY1305_AES_KEY_SIZE

Key size, 32 octets.

Constant: POLY1305_AES_DIGEST_SIZE

Size of the digest or “authenticator”, 16 octets.

Constant: POLY1305_AES_NONCE_SIZE

Nonce size, 16 octets.

Context struct: struct poly1305_aes_ctx

The poly1305-aes context struct.

Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key)

Initialize the context struct. Also sets the nonce to zero.

Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t *nonce)

Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message.

Function: void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data)

Process more data.

Function: void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, uint8_t *digest)

Extracts the digest, writing POLY1305_AES_DIGEST_SIZE octets to digest. Also increments the nonce, and prepares the context for processing a new message.

Next: , Previous: , Up: Reference   [Contents][Index]

4.6 Key derivation Functions

A key derivation function (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the password-based key derivation functions (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation.

4.6.1 HKDF: HMAC-based Extract-and-Expand

HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in RFC 5869, and is split into two logical modules, called “extract” and “expand”. The extract module takes an initial secret and a random salt to extract a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys.

Nettle’s HKDF functions are defined in <nettle/hkdf.h>. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the nettle_hash_update_func, and nettle_hash_digest_func interfaces.

Function: void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst)

Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the secret secret of length secret_length. The output length is fixed to digest_size octets, thus the output buffer dst must have room for at least digest_size octets.

Function: void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst)

Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the info info of length info_length, and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

4.6.2 PBKDF2

The most well known PBKDF is the PKCS #5 PBKDF2 described in RFC 2898 which uses a pseudo-random function such as HMAC-SHA1.

Nettle’s PBKDF2 functions are defined in <nettle/pbkdf2.h>. There is an abstract function that operate on any PRF implemented via the nettle_hash_update_func, nettle_hash_digest_func interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 and PBKDF2-HMAC-SHA512. First, the abstract function:

Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

Like for CBC and HMAC, there is a macro to help use the function correctly.

Macro: PBKDF2 (ctx, update, digest, digest_size, iterations, salt_length, salt, length, dst)

ctx is a pointer to a context struct passed to the update and digest functions (of the types nettle_hash_update_func and nettle_hash_digest_func respectively) to implement the underlying PRF with digest size of digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

4.6.3 Concrete PBKDF2 functions

Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function.

4.6.3.1 PBKDF2-HMAC-SHA1

Function: void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA1. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

4.6.3.2 PBKDF2-HMAC-SHA256

Function: void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA256. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

4.6.3.3 PBKDF2-HMAC-SHA384

Function: void pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA384. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

4.6.3.4 PBKDF2-HMAC-SHA512

Function: void pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA512. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

4.6.4 BALLOON

Balloon is a memory-hard password-hashing algorithm. An in-depth description of the algorithm and its properties can be found in an online research paper: Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. Retrieved Sep 1, 2022, from https://eprint.iacr.org/2016/027.pdf

Nettle’s definition of the BALLOON algorithm can be found in <nettle/balloon.h>. There is a general BALLOON function where the user can specify desired hash algorithm that will be used by the function. There are also concrete, more user-friendly functions that use common hash algorithms like SHA1, SHA256, SHA384 and SHA512. There is also a utility function which helps to determine the size of the working buffer that must be provided as one of the inputs.

Each BALLOON function takes as an input a password and a salt of arbitrary lengths, a time and a space parameters, and a scratch buffer. The space parameter s_cost determines how many blocks of working space the algorithm will require during its computation. It is common to set s_cost to a high value in order to increase the cost of hardware accelerators built by the adversary. The time parameter t_cost determines the number of rounds of computation that the algorithm will perform. This can be used to further increase the cost of computation without raising the memory requirement. Scratch buffer scratch is a user allocated working space required by the algorithm. To determine the required size of the scratch buffer use the utility function balloon_itch. Output of BALLOON algorithm will be written into the output buffer dst that has to be at least digest_size bytes long. Note that it is safe to use the same buffer for both scratch and dst. Next follows the description of the general BALLOON function.

Function: void balloon (void *hash_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

Compute hash of given password passwd of length passwd_length salted with salt of length salt_length and write digest_size bytes into the output buffer dst. Parameter hash_ctx is a context for the underlying hash function, which much be initialized by the caller. update and digest are the update and digest functions of the chosen hash algorithm. digest_size is the digest size of the chosen hash algorithm and determines the size of the output.

Function: size_t balloon_itch (size_t digest_size, size_t s_cost)

Compute the size of the scratch buffer scratch. digest_size is the digest size of the chosen hash algorithm. s_cost is the space parameter used by the balloon function.

4.6.5 Concrete BALLOON functions

Here follows a list of the specialized BALLOON functions, which are more user-friendly variants of the general function.

4.6.5.1 BALLOON-SHA1

Function: void balloon_sha1 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA1 as the underlying hash function.

4.6.5.2 BALLOON-SHA256

Function: void balloon_sha256 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA256 as the underlying hash function.

4.6.5.3 BALLOON-SHA384

Function: void balloon_sha384 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA384 as the underlying hash function.

4.6.5.4 BALLOON-SHA512

Function: void balloon_sha512 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA512 as the underlying hash function.

Next: , Previous: , Up: Reference   [Contents][Index]

4.7 Public-key algorithms

Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle (with the exception of SLH-DSA), you must install GMP, at least version 6.1.0, before compiling Nettle, and you need to link your programs with -lhogweed -lnettle -lgmp.

The concept of Public-key cryptography and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, “symmetric”, cryptography, sender and receiver share the same key, and this key must be distributed in a secure way. And if there are many users or entities that need to communicate, each pair needs a shared secret key known by nobody else. In public key cryptography, each user needs a “key pair”, consisting of a private key which is kept secret, and corresponding public key that is distributed to all other users.

Public and private keys can be uses in several different ways: For key agreement (e.g., Diffie-Hellman or Curve25519 key exchange), digital signatures (e.g., RSA signatures and Ed25519 signatures), and public key encryption (e.g., RSA encryption).

To use a digital signature algorithm, one must first create a key-pair: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user’s list of known public keys), bad things may happen.

There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can’t cut it out of context and glue it to a different message.

The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the “someone” also knows the private key corresponding to the public key.

The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation.

Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as “grant access to whoever knows the private key corresponding to this particular public key, and to no others”.

Next: , Up: Public-key algorithms   [Contents][Index]

4.7.1 RSA

The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the USA in 1983. The patent expired on September 20, 2000, and since that day, RSA can be used freely, even in the USA.

It’s remarkably simple to describe the trapdoor function behind RSA. The “one-way”-function used is 

F(x) = x^e mod n

I.e. raise x to the e’th power, while discarding all multiples of n. The pair of numbers n and e is the public key. e can be quite small, even e = 3 has been used, although slightly larger numbers are recommended. n should be about 2000 bits or larger.

If n is large enough, and properly chosen, the inverse of F, the computation of e’th roots modulo n, is very difficult. But, where’s the trapdoor?

Let’s first look at how RSA key-pairs are generated. First n is chosen as the product of two large prime numbers p and q of roughly the same size (so if n is 2000 bits, p and q are about 1000 bits each). One also computes the number phi = (p-1)(q-1), in mathematical speak, phi is the order of the multiplicative group of integers modulo n.

Next, e is chosen. It must have no factors in common with phi (in particular, it must be odd), but can otherwise be chosen more or less randomly. e = 65537 is a popular choice, because it makes raising to the e’th power particularly efficient, and being prime, it usually has no factors common with phi.

Finally, a number d, d < n is computed such that e d mod phi = 1. It can be shown that such a number exists (this is why e and phi must have no common factors), and that for all x, 

(x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x

Using Euclid’s algorithm, d can be computed quite easily from phi and e. But it is still hard to get d without knowing phi, which depends on the factorization of n.

So d is the trapdoor, if we know d and y = F(x), we can recover x as y^d mod n. d is also the private half of the RSA key-pair.

The most common signature operation for RSA is defined in PKCS#1, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. SHA256. Next, some padding, the ASN.1 “Algorithm Identifier” for the hash function, and the message digest itself, are concatenated and converted to a number x. The signature is computed from x and the private key as s = x^d mod n1. The signature, s, is a number of about the same size of n, and it usually encoded as a sequence of octets, most significant octet first.

The verification operation is straight-forward, x is computed from the message in the same way as above. Then s^e mod n is computed, the operation returns true if and only if the result equals x.

The RSA algorithm can also be used for encryption. RSA encryption uses the public key (n,e) to compute the ciphertext m^e mod n. The PKCS#1 padding scheme will use at least 8 random and non-zero octets, using m of the form [00 02 padding 00 plaintext]. It is required that m < n, and therefor the plaintext must be smaller than the octet size of the modulo n, with some margin.

To decrypt the message, one needs the private key to compute m = c^e mod n followed by checking and removing the padding.

4.7.1.1 Nettle’s RSA support

Nettle represents RSA keys using two structures that contain large numbers (of type mpz_t).

Context struct: rsa_public_key size n e

size is the size, in octets, of the modulo, and is used internally. n and e is the public key.

Context struct: rsa_private_key size d p q a b c

size is the size, in octets, of the modulo, and is used internally. d is the secret exponent, but it is not actually used when signing. Instead, the factors p and q, and the parameters a, b and c are used. They are computed from p, q and e such that a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1.

Before use, these structs must be initialized by calling one of

Function: void rsa_public_key_init (struct rsa_public_key *pub)
Function: void rsa_private_key_init (struct rsa_private_key *key)

Calls mpz_init on all numbers in the key struct.

and when finished with them, the space for the numbers must be deallocated by calling one of

Function: void rsa_public_key_clear (struct rsa_public_key *pub)
Function: void rsa_private_key_clear (struct rsa_private_key *key)

Calls mpz_clear on all numbers in the key struct.

In general, Nettle’s RSA functions deviates from Nettle’s “no memory allocation”-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see See GMP Allocation in GMP Manual.

When you have assigned values to the attributes of a key, you must call

Function: int rsa_public_key_prepare (struct rsa_public_key *pub)
Function: int rsa_private_key_prepare (struct rsa_private_key *key)

Computes the octet size of the key (stored in the size attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can’t be used, for instance if the modulo is smaller than the minimum size needed for RSA operations specified by PKCS#1.

For each operation using the private key, there are two variants, e.g., rsa_sha256_sign and rsa_sha256_sign_tr. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized RSA blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key.

Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function’s context struct to the RSA signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument.

There is currently no support for using SHA224 or SHA384 with RSA signatures, since there’s no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively.

Creating an RSA signature is done with one of the following functions:

Function: int rsa_md5_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t signature)
Function: int rsa_sha1_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t signature)
Function: int rsa_sha256_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t signature)
Function: int rsa_sha512_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t signature)

The signature is stored in signature (which must have been mpz_init’ed earlier). The hash context is reset so that it can be used for new messages. The random_ctx and random pointers are used to generate the RSA blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key.

Function: int rsa_md5_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha1_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha256_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha512_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)

Creates a signature from the given hash digest. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZErespectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Function: int rsa_pkcs1_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t signature)

Similar to the above _sign_digest_tr functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

Function: int rsa_md5_sign (const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature)
Function: int rsa_sha1_sign (const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature)
Function: int rsa_sha256_sign (const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature)
Function: int rsa_sha512_sign (const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature)

The signature is stored in signature (which must have been mpz_init’ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key.

Function: int rsa_md5_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha1_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha256_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha512_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)

Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE, respectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Function: int rsa_pkcs1_sign (const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s)

Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

Verifying an RSA signature is done with one of the following functions:

Function: int rsa_md5_verify (const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature)
Function: int rsa_sha1_verify (const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature)
Function: int rsa_sha256_verify (const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature)
Function: int rsa_sha512_verify (const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. In either case, the hash context is reset so that it can be used for new messages.

Function: int rsa_md5_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha1_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha256_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha512_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE respectively.

Function: int rsa_pkcs1_verify (const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t signature)

Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

While the above functions for the RSA signature operations use the PKCS#1 padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in RFC 8017. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the RSA algorithm, a longer salt value does not always mean a better security https://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf. The typical choices of the length are between 0 and the digest size of the underlying hash function.

Creating an RSA signature with the PSS padding scheme is done with one of the following functions:

Function: int rsa_pss_sha256_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)
Function: int rsa_pss_sha384_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)
Function: int rsa_pss_sha512_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)

Creates a signature using the PSS padding scheme. salt should point to a salt string of size salt_length. digest should point to a digest of size SHA256_DIGEST_SIZE, SHA384_DIGEST_SIZE, or SHA512_DIGEST_SIZErespectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Verifying an RSA signature with the PSS padding scheme is done with one of the following functions:

Function: int rsa_pss_sha256_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)
Function: int rsa_pss_sha384_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)
Function: int rsa_pss_sha512_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. digest should point to a digest of size SHA256_DIGEST_SIZE, SHA384_DIGEST_SIZE, or SHA512_DIGEST_SIZE respectively.

The following function is used to encrypt a clear text message using RSA.

Function: int rsa_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *cleartext, mpz_t ciphertext)

Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure.

The following function is used to decrypt a cipher text message using RSA.

Function: int rsa_decrypt (const struct rsa_private_key *key, size_t *length, uint8_t *cleartext, const mpz_t ciphertext)

Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by cleartext must be of size *length. After decryption, *length will be updated with the size of the message.

There is also a timing resistant version of decryption that utilizes randomized RSA blinding.

Function: int rsa_decrypt_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t ciphertext)

Returns 1 on success, 0 on failure.

While the above functions for the RSA encryption operations use the PKCS#1 padding scheme, Nettle also provides the variants based on the OAEP padding scheme, specified in RFC 8017. These variants take advantage of a randomly choosen seed value, which could enhance the security by causing output to be different for equivalent inputs.

Encrypting a clear text message using RSA with the OAEP padding scheme is done with one of the following functions:

Function: int rsa_oaep_sha256_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext)
Function: int rsa_oaep_sha384_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext)
Function: int rsa_oaep_sha512_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext)

Returns 1 on success, 0 on failure. The label is optional and if omitted, label_length and label is set to 0 and NULL respectively. The maximum size of message can be calculated with k - 2 * hLen - 2, where k is the key size in octets obtained with key->size, and hLen is the output size of the underlying hash function (e.g., SHA256_DIGEST_SIZE for rsa_oaep_sha256_encrypt).

Decrypting a cipher text message using RSA with the OAEP padding scheme is done with one of the following functions:

Function: int rsa_oaep_sha256_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext)
Function: int rsa_oaep_sha384_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext)
Function: int rsa_oaep_sha512_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext)

Returns 1 on success, 0 on failure. These function utilize randomized RSA blinding similarly to rsa_decrypt_tr. The message buffer pointed to by cleartext must be of size *length. After decryption, *length will be updated with the size of the message.

If you need to use the RSA trapdoor, the private key, in a way that isn’t supported by the above functions Nettle also includes a function that computes x^d mod n and nothing more, using the CRT optimization.

Function: int rsa_compute_root_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m)

Computes x = m^d. Returns one on success, or zero if a failure in the computation was detected.

Function: void rsa_compute_root (struct rsa_private_key *key, mpz_t x, const mpz_t m)

Computes x = m^d.

At last, how do you create new keys?

Function: int rsa_generate_keypair (struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned n_size, unsigned e_size)

There are lots of parameters. pub and key is where the resulting key pair is stored. The structs should be initialized, but you don’t need to call rsa_public_key_prepare or rsa_private_key_prepare after key generation.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

size_n is the desired size of the modulo, in bits. If size_e is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if e_size is zero, it is assumed that the caller has already chosen a value for e, and stored it in pub. Returns one on success, and zero on failure. The function can fail for example if if n_size is too small, or if e_size is zero and pub->e is an even number.

Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

4.7.2 DSA

The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1.

For DSA, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime p, a small prime q which is a factor of p-1, a number g which generates a subgroup of order q modulo p, and an element y in that subgroup.

In the original DSA, the size of q is fixed to 160 bits, to match with the SHA1 hash algorithm. The size of p is in principle unlimited, but the standard specifies only nine specific sizes: 512 + l*64, where l is between 0 and 8. Thus, the maximum size of p is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure.

The subgroup requirement means that if you compute 

g^t mod p

for all possible integers t, you will get precisely q distinct values.

The private key is a secret exponent x, such that 

g^x = y mod p

In mathematical speak, x is the discrete logarithm of y mod p, with respect to the generator g. The size of x will also be about the same size as q. The security of the DSA algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack DSA, are of two types. The first type works directly in the (multiplicative) group of integers mod p. The best known algorithm of this type is the Number Field Sieve, and it’s complexity is similar to the complexity of factoring numbers of the same size as p. The other type works in the smaller q-sized subgroup generated by g, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity sqrt(q).

The important point is that security depends on the size of both p and q, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original DSA may be uncomfortably small. Using a p of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit RSA modulo, and using a q of size 160 bits implies that cracking using Pollard-rho will take roughly 2^80 group operations. With the size of q fixed, tied to the SHA1 digest size, it may be tempting to increase the size of p to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack.

The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (see Randomness). Let us describe the common case of a 160-bit q.

To create a signature, one starts with the hash digest of the message, h, which is a 160 bit number, and a random number k, 0<k<q, also 160 bits. Next, one computes 

r = (g^k mod p) mod q
s = k^-1 (h + x r) mod q

The signature is the pair (r, s), two 160 bit numbers. Note the two different mod operations when computing r, and the use of the secret exponent x.

To verify a signature, one first checks that 0 < r,s < q, and then one computes backwards, 

w = s^-1 mod q
v = (g^(w h) y^(w r) mod p) mod q

The signature is valid if v = r. This works out because w = s^-1 mod q = k (h + x r)^-1 mod q, so that 

g^(w h) y^(w r) = g^(w h) (g^x)^(w r) = g^(w (h + x r)) = g^k

When reducing mod q this yields r. Note that when verifying a signature, we don’t know either k or x: those numbers are secret.

If you can choose between RSA and DSA, which one is best? Both are believed to be secure. DSA gained popularity in the late 1990s, as a patent free alternative to RSA. Now that the RSA patents have expired, there’s no compelling reason to want to use DSA. Today, the original DSA key size does not provide a large security margin, and it should probably be phased out together with RSA keys of 1024 bits. Using the revised DSA algorithm with a larger hash function, in particular, SHA256, a 256-bit q, and p of size 2048 bits or more, should provide for a more comfortable security margin, but these variants are not yet in wide use.

DSA signatures are smaller than RSA signatures, which is important for some specialized applications.

From a practical point of view, DSA’s need for a good randomness source is a serious disadvantage. If you ever use the same k (and r) for two different message, you leak your private key.

4.7.2.1 Nettle’s DSA support

Like for RSA, Nettle represents DSA keys using two structures, containing values of type mpz_t. For information on how to customize allocation, see See GMP Allocation in GMP Manual. Nettle’s DSA interface is defined in <nettle/dsa.h>.

A DSA group is represented using the following struct.

Context struct: dsa_params p q g

Parameters of the DSA group.

Function: void dsa_params_init (struct dsa_params *params)

Calls mpz_init on all numbers in the struct.

Function: void dsa_params_clear (struct dsa_params *paramsparams)

Calls mpz_clear on all numbers in the struct.

Function: int dsa_generate_params (struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits)

Generates parameters of a new group. The params struct should be initialized before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

p_bits and q_bits are the desired sizes of p and q. To generate keys that conform to the original DSA standard, you must use q_bits = 160 and select p_bits of the form p_bits = 512 + l*64, for 0 <= l <= 8, where the smaller sizes are no longer recommended, so you should most likely stick to p_bits = 1024. Non-standard sizes are possible, in particular p_bits larger than 1024, although DSA implementations can not in general be expected to support such keys. Also note that using very large p_bits, with q_bits fixed at 160, doesn’t make much sense, because the security is also limited by the size of the smaller prime. To generate DSA keys for use with SHA256, use q_bits = 256 and, e.g., p_bits = 2048.

Returns one on success, and zero on failure. The function will fail if q_bits is too small, or too close to p_bits.

Signatures are represented using the structure below.

Context struct: dsa_signature r s

The r and s fields are both of type mpz_t.

Function: void dsa_signature_init (struct dsa_signature *signature)
Function: void dsa_signature_clear (struct dsa_signature *signature)

You must call dsa_signature_init before creating or using a signature, and call dsa_signature_clear when you are finished with it.

Keys are represented as bignums, of type mpz_t. A public key represents a group element, and is of the same size as p, while a private key is an exponent, of the same size as q.

Function: int dsa_sign (const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature)

Creates a signature from the given hash digest, using the private key x. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo q fails.

Function: int dsa_verify (const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature)

Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0.

To generate a keypair, first generate a DSA group using dsa_generate_params. A keypair in this group is then created using

Function: void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random)

Generates a new keypair, using the group params. The public key is stored in pub, and the private key in key. Both variables must be initialized using mpz_init before this call.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

4.7.3 Elliptic curves

For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If P and Q are two points, and k is an integer, the point sum, P + Q, and the multiple k P can be computed efficiently, but given only two points P and Q, finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem.

Nettle supports standard curves which are all of the form y^2 = x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), both considered as integers modulo a specified prime p. Curves are represented as a struct ecc_curve. It also supports curve25519 and curve488, which uses a different form of curve. Supported curves are declared in <nettle/ecc-curve.h>, e.g., call nettle_get_secp_256r1 for a standardized curve using the 256-bit prime p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1. The contents of these structs is not visible to nettle users. The “bitsize of the curve” is used as a shorthand for the bitsize of the curve’s prime p, e.g., 256 bits for the SECP 256R1 curve.

Next: , Up: Elliptic curves   [Contents][Index]

4.7.3.1 Side-channel silence

Nettle’s implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are:

  • Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key.
  • Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries.

Nettle’s ECC implementation is designed to be side-channel silent, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks.

Next: , Previous: , Up: Elliptic curves   [Contents][Index]

4.7.3.2 ECDSA

ECDSA is a variant of the DSA digital signature scheme (see DSA), which works over an elliptic curve group rather than over a (subgroup of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key).

Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating.

Nettle defines ECDSA in <nettle/ecdsa.h>. We first need to define the data types used to represent public and private keys.

struct: struct ecc_point

Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key.

Function: void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc)

Initializes p to represent points on the given curve ecc. Allocates storage for the coordinates, using the same allocation functions as GMP.

Function: void ecc_point_clear (struct ecc_point *p)

Deallocate storage allocated by previous ecc_point_init.

Function: int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y)

Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed.

Function: void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y)

Extracts the coordinate of the point p. The output parameters x or y may be NULL if the caller doesn’t want that coordinate.

struct: struct ecc_scalar

Represents an integer in the range 0 < x < group order, where the “group order” refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key.

Function: void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc)

Initializes s to represent a scalar suitable for the given curve ecc. Allocates storage using the same allocation functions as GMP.

Function: void ecc_scalar_clear (struct ecc_scalar *s)

Deallocate the storage allocated by previous ecc_scalar_init.

Function: int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z)

Check that z is in the correct range. If so, copies the value to s and returns 1, otherwise returns 0.

Function: void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z)

Extracts the scalar, in GMP mpz_t representation.

To create and verify ECDSA signatures, the following functions are used.

Function: void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature)

Uses the private key key to create a signature of digest. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. The signature is stored in signature, in the same way as for plain DSA.

Function: int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature)

Uses the public key pub to verify that signature is a valid signature for the message digest digest (of length octets). Returns 1 if the signature is valid, otherwise 0.

Finally, generating a new ECDSA key pair:

Function: void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random)

pub and key is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

Next: , Previous: , Up: Elliptic curves   [Contents][Index]

4.7.3.3 GOSTDSA

GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA (see DSA) and ECDSA (see ECDSA) digital signature schemes, which works over an elliptic curve group. Original documents are written in Russian. English translations are provided in RFC 5832 and RFC 7091. While technically nothing stops one from using GOSTDSA over any curve, it is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key).

GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function (GOSTHASH94 and GOSTHASH94CP, RFC 5831). GOST R 34.10-2012 is defined to use GOST R 34.11-2012 hash function (Streebog, RFC 6986) of corresponding size (256 or 512) depending on curve size.

Nettle defines GOSTDSA in <nettle/gostdsa.h>. GOSTDSA reuses ECDSA data types (struct ecc_point, struct ecc_scalar) to represent public and private keys. Also to generate a new GOSTDSA key pair one has to use ecdsa_generate_keypair() function.

To create and verify GOSTDSA signatures, the following functions are used.

Function: void gostdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature)

Uses the private key key to create a signature of digest. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. The signature is stored in signature, in the same was as for plain DSA.

Function: int gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature)

Uses the public key pub to verify that signature is a valid signature for the message digest digest (of length octets). Returns 1 if the signature is valid, otherwise 0.

For historical reason several curve IDs (OIDs) may correspond to a single curve/generator combination. Following list defines correspondence between nettle’s view on curves and actual identifiers defined in RFC 4357 and RFC 7836.

Function: const struct ecc_curve nettle_get_gost_gc256b (void)

Returns curve corresponding to following identifiers:

  • id-GostR3410-2001-CryptoPro-A-ParamSet (RFC 4357)
  • id-GostR3410-2001-CryptoPro-XchA-ParamSet (RFC 4357)
  • id-tc26-gost-3410-12-256-paramSetB
Function: const struct ecc_curve nettle_get_gost_gc512a (void)

Returns curve corresponding to following identifiers:

  • id-tc26-gost-3410-12-512-paramSetA (RFC 7836)

For GOST key pairs key derivation/key agreement function (VKO) is defined in RFC 4357 and RFC 7836. Basically shared key is equal to hash(cofactor * ukm * priv * pub). Nettle library provides a function that does multiplication. Caller should do hashing on his own (it will be either GOST R 34.11-94 (see GOSTHASH94CP) or GOST R 34.11-2012, Streebog, which nor part of the library yet).

Function: void gostdsa_vko (const struct ecc_scalar *priv, const struct ecc_point *pub, size_t ukm_length, const uint8_t *ukm, uint8_t *out)

Uses private key priv, public ket pub and shared key material ukm to generate shared secret, written to buffer out. The buffer should be of the size equal to 2 private key lengths: 64 bytes for 256 bit curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually transferred in cleartext. It does not have to be secret.

Previous: , Up: Elliptic curves   [Contents][Index]

4.7.3.4 Curve25519 and Curve448

Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in RFC 7748. The group generator is defined by x = 9 (there are actually two points with x = 9, differing by the sign of the y-coordinate, but that doesn’t matter for the curve25519 operations which work with the x-coordinate only).

The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored.

For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range 2^251 <= s < 2^252.

Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value x for which the the curve equation can be solved for y. The other half correspond to points on a related “twist curve”. The function curve25519_mul uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by RFC 7748. The output is therefore well defined for all possible inputs, no matter if the input string represents a valid point on the curve or not.

Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from RFC 7748, in that bit 255 of the x coordinate of the point input to curve25519_mul was not ignored. The nette/curve25519.h defines a preprocessor symbol NETTLE_CURVE25519_RFC7748 to indicate conformance with the standard.

Nettle defines Curve 25519 in <nettle/curve25519.h>.

Constant: NETTLE_CURVE25519_RFC7748

Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions.

Constant: CURVE25519_SIZE

The size of the strings representing curve25519 points and scalars, 32.

Function: void curve25519_mul_g (uint8_t *q, const uint8_t *n)

Computes Q = N G, where G is the group generator and N is an integer. The input argument n and the output argument q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size CURVE25519_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult_base in the NaCl library.

Function: void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)

Computes Q = N P, where P is an input point and N is an integer. The input arguments n and p and the output argument q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size CURVE25519_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult in the NaCl library.

Similarly, Nettle also implements Curve448, an elliptic curve of Montgomery type, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^448 - 2^224 - 1. This particular curve was proposed by Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also described in RFC 7748.

Nettle defines Curve 448 in <nettle/curve448.h>.

Constant: CURVE448_SIZE

The octet length of the strings representing curve448 points and scalars, 56.

Function: void curve448_mul_g (uint8_t *q, const uint8_t *n)

Computes Q = N G, where G is the group generator and N is an integer. The input argument n and the output argument q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size CURVE448_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult_base in the NaCl library.

Function: void curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)

Computes Q = N P, where P is an input point and N is an integer. The input arguments n and p and the output argument q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size CURVE448_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult in the NaCl library.

4.7.3.5 EdDSA

EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a “Twisted Edwards curve”, of the form -x^2 + y^2 = 1 + d x^2 y^2. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups.

Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost.

Constant: ED25519_KEY_SIZE

The size of a private or public Ed25519 key, 32 octets.

Constant: ED25519_SIGNATURE_SIZE

The size of an Ed25519 signature, 64 octets.

Function: void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv)

Computes the public key corresponding to the given private key. Both input and output are of size ED25519_KEY_SIZE.

Function: void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)

Signs a message using the provided key pair.

Function: int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)

Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.

Nettle also provides Ed448, an EdDSA signature scheme based on an Edwards curve equivalent to curve448.

Constant: ED448_KEY_SIZE

The size of a private or public Ed448 key, 57 octets.

Constant: ED448_SIGNATURE_SIZE

The size of an Ed448 signature, 114 octets.

Function: void ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv)

Computes the public key corresponding to the given private key. Both input and output are of size ED448_KEY_SIZE.

Function: void ed448_shake256_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)

Signs a message using the provided key pair.

Function: int ed448_shake256_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)

Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.

Previous: , Up: Public-key algorithms   [Contents][Index]

4.7.4 SLH-DSA

SLH-DSA stands for Stateless hash-based digital signature algorithm. As the name suggests, its security is based on a cryptographic hash function. It is intended to be secure against an attacker with a large working quantum computer, often referred to as a “post-quantum” cryptographic algorithm. This is in contrast to “classical” public key algorithms based on the difficulty of the discrete logarithm problem or the factoring problem, because those problems can be solved efficiently if or when the attacker has a large scale quantum computer at their disposal.

The SLH-DSA algorithm was standardized by NIST in 2024, as FIPS-205, based on an algorithm proposal called SPHINCS+. Public and private keys are small, while signatures are rather large, 7856 octets for the variant with smallest signatures.

The main idea is that the private key is used as the seed for a pseudorandom generation of a large number of secret values. Each secret value is hashed, and the hashes are combined pairwise into a Merkle tree. The hash at the root of the Merkle tree is one piece of the public key. The holder of the private key can then prove knowledge of the private key by revealing one of the secret values, together with a Merkle tree inclusion proof that proves that the value is included in the public hash at the root of the tree. This idea is turned into a practical signature scheme by combining several variants of hash-based signatures and Merkle trees. The selection of secret values to reveal as part of an SLH-DSA signature depends on both the message and a deterministically generated nonce (also referred to as the message “randomizer”).

Verifying an SLH-DSA signature boils down to verifying a number of Merkle inclusion proofs, which is pretty fast; performance is in the same ballpark as verifying elliptic curve signatures. Signing, on the other hand, needs to produce all those inclusion proofs, which requires traversal of all leaves of the corresponding Merkle trees, and this is several orders of magnitude slower than signing using elliptic curves or RSA.

Nettle currently implements the four SLH-DSA variants designed for “128-bit security”: There’s the choice of either SHA256 (in the SHA2 family) or SHAKE256 (in the SHA3 family) as the underlying hash function. For either hash function, there’s a “small” variant with smaller signature size and slower signing (but faster verify operation, since verify time depends directly on the signature size), and a “fast” variant with faster signing time, larger signatures (and a slower verify operation).

Both the private and public keys are of the same size, and each consists of two halves. It’s somewhat peculiar that the public key is not derived deterministically from the private key, instead, the first half of the public key is a random seed value that should be generated independently of the private key, while the second half is the Merkle tree root hash that depends both on the private key and this public seed.

Nettle defines SLH-DSA in nettle/slh-dsa.h.

Constant: SLH_DSA_128_KEY_SIZE

Size in octets of public and private keys, 32, for SLH-DSA with 128-bit security level.

Constant: SLH_DSA_128_SEED_SIZE

Size in octets of the “seed” half of a private or public key, 16.

Constant: SLH_DSA_128S_SIGNATURE_SIZE

Signature size in octets for SLH-DSA with 128-bit security and the “small” variant, 7856.

Constant: SLH_DSA_128F_SIGNATURE_SIZE

Signature size in octets for SLH-DSA with 128-bit security and the “fast” variant, 17088.

Function: void slh_dsa_shake_128s_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random)
Function: void slh_dsa_shake_128f_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random)
Function: void slh_dsa_sha2_128s_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random)
Function: void slh_dsa_sha2_128f_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random)

Generate a new keypair, public key stored at pub, private key stored at key, both of size SLH_DSA_128_KEY_SIZE. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst.

Function: void slh_dsa_shake_128s_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root)
Function: void slh_dsa_shake_128f_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root)
Function: void slh_dsa_sha2_128s_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root)
Function: void slh_dsa_sha2_128f_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root)

Perform the deterministic part of key generation. public_seed and private_seed are the first halves of respective key. root, the output of this function, is the second half of the public key, i.e., typically called with root = public_seed + SLH_DSA_128_SEED_SIZE.

Function: void slh_dsa_shake_128s_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)
Function: void slh_dsa_shake_128f_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)
Function: void slh_dsa_sha2_128s_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)
Function: void slh_dsa_sha2_128f_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)

Signs a message using the provided key pair. The size of the resulting signature is SLH_DSA_128S_SIGNATURE_SIZE or SLH_DSA_128F_SIGNATURE_SIZE for respective functions.

Function: int slh_dsa_shake_128s_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)
Function: int slh_dsa_shake_128f_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)
Function: int slh_dsa_sha2_128s_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)
Function: int slh_dsa_sha2_128f_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)

Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.

Next: , Previous: , Up: Reference   [Contents][Index]

4.8 Randomness

A crucial ingredient in many cryptographic contexts is randomness: Let p be a random prime, choose a random initialization vector iv, a random key k and a random exponent e, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain.

Building a good randomness source is subtle, in particular if your program may run inside several layers of virtualization. Today, most operating system provides a good randomness source, e.g., /dev/random and the getrandom syscall on GNU/Linux. Please use that, possibly in combination with a KDF! If for some reason that is not possible and you have to roll your own, the rest of this section provides some advice.

In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name.

However, such a generator is inadequate for cryptography, for at least two reasons:

  • It’s too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that’s far too easy. For example, if the process id is 16 bits, the resolution of “current time” is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried.
  • The generator output reveals too much. By observing only a small segment of the generator’s output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker.

A randomness generator that is used for cryptographic purposes must have better properties. Let’s first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what’s unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called “entropy”, or “conditional entropy” (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask n yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can’t guess the seed correctly, then the conditional entropy is more than n bits.

Let’s look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or “unguessability” to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session.

Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are:

High resolution timing of i/o activities

Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it’s one of the better randomness source one can find in a digital, mostly predictable, computer.

User activity

Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially.

Audio input

Any room, or even a microphone input that’s left unconnected, is a source of some random background noise, which can be fed into the seeding process.

Specialized hardware

Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type.

Secret information

Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once.

For all practical sources, it’s difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can’t observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months?

So let’s assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine).

How do we generate output from this seed, and how much can we get? Some generators (notably older versions of the Linux /dev/random generator) tries to estimate available entropy and restrict the amount of output. The goal was that if you read 512 bits from /dev/random, you should get 512 “truly random” bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn’t matter much. For most application, there’s no limit on the amount of useful “random” data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties.

At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let’s call it the generator’s key. The key is initialized from the unguessable seed. Important properties of a generator are:

Key-hiding

An attacker observing the output should not be able to recover the generator’s key.

Independence of outputs

Observing some of the output should not help the attacker to guess previous or future output.

Forward secrecy

Even if an attacker compromises the generator’s key, he should not be able to guess the generator output before the key compromise.

Recovery from key compromise

If an attacker compromises the generator’s key, he can compute all future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time t_1, there is another later time t_2, such that if the attacker observes all output generated between t_1 and t_2, he still can’t guess what output is generated after t_2.

Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones.

ChaCha (see ChaCha), like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality. There’s no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. Historically ARCFOUR (see Arcfour) has been used as a randomness generator, however it is known to be distinguishable from random data and the output leaks information about the key.

The “lagged Fibonacci” generator in <nettle/knuth-lfib.h> is a fast generator with good statistical properties, but is not for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed.

The recommended generator to use is Yarrow, described below.

4.8.1 Yarrow

Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at https://www.schneier.com/academic/yarrow/, and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits.

Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later.

Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness “pools”, referred to as the “slow pool” and the “fast pool”. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a “fast reseed” happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a “slow reseed” takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise.

The output is generated by using AES to encrypt a counter, using the generator’s current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy.

Yarrow can also use a seed file to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens.

Nettle defines Yarrow-256 in <nettle/yarrow.h>.

Context struct: struct yarrow256_ctx
Context struct: struct yarrow_source

Information about a single source.

Constant: YARROW256_SEED_FILE_SIZE

Recommended size of the Yarrow-256 seed file.

Function: void yarrow256_init (struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources)

Initializes the yarrow context, and its nsources sources. It’s possible to call it with nsources=0 and sources=NULL, if you don’t need the update features.

Function: void yarrow256_seed (struct yarrow256_ctx *ctx, size_t length, uint8_t *seed_file)

Seeds Yarrow-256 from a previous seed file. length should be at least YARROW256_SEED_FILE_SIZE, but it can be larger.

The generator will trust you that the seed_file data really is unguessable. After calling this function, you must overwrite the old seed file with newly generated data from yarrow256_random. If it’s possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism.

Function: int yarrow256_update (struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, size_t length, const uint8_t *data)

Updates the generator with data from source SOURCE (an index that must be smaller than the number of sources). entropy is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero entropy is always safe, no matter if the data is random or not.

Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with yarrow256_random and overwrite the seed file. Otherwise, the function returns 0.

Function: void yarrow256_random (struct yarrow256_ctx *ctx, size_t length, uint8_t *dst)

Generates length octets of output. The generator must be seeded before you call this function.

If you don’t need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time.

Function: int yarrow256_is_seeded (struct yarrow256_ctx *ctx)

Returns 1 if the generator is seeded and ready to generate output, otherwise 0.

Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *ctx)

Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded.

Function: void yarrow256_fast_reseed (struct yarrow256_ctx *ctx)
Function: void yarrow256_slow_reseed (struct yarrow256_ctx *ctx)

Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care.

Nettle includes an entropy estimator for one kind of input source: User keyboard input.

Context struct: struct yarrow_key_event_ctx

Information about recent key events.

Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *ctx)

Initializes the context.

Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time)

key is the id of the key (ASCII value, hardware key code, X keysym, …, it doesn’t matter), and time is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, time should be provided in units of microseconds. But if you use gettimeofday on a typical Unix system where the clock ticks 10 or so microseconds at a time, time should be given in units of 10 microseconds.

Returns an entropy estimate, in bits, suitable for calling yarrow256_update. Usually, 0, 1 or 2 bits.

4.8.2 DRBG-CTR

The Deterministic Random Bit Generator (DRBG) family is a complex family of deterministic randomness generators published by NIST in SP 800-90A.

We support what we believe is the reasonable parts of the CTR_DRBG algorithm for AES256. Re-seeding, personalization strings, derivation functions and support for non-AES256 is not implemented.

Re-seeding and personalization strings can be implemented by the caller, if desired. To implement re-seeding, use drbg_ctr_aes256_update. Similarly, personalization strings can be implemented with memxor. If you need entropy derivation, we suggest that you use Yarrow instead.

The security bounds of DRBG-CTR are not intuitive, see “Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator” by Matthew J. Campagna, from https://eprint.iacr.org/2006/379.pdf.

Our suggested use-case for DRBG-CTR is to deterministically generate known values from a seed when comparing against expected values for some other algorithm.

Nettle defines DRBG-CTR in <nettle/drbg-ctr.h>.

Context struct: struct drbg_ctr_aes256_ctx
Constant: DRBG_CTR_AES256_SEED_SIZE

The size of the seeding material.

Function: void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *ctx, uint8_t *seed_material)

Initialize the DRBG-CTR-AES256 context using DRBG_CTR_AES256_SEED_SIZE bytes of seed_material.

Function: void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst)

Generates n octets of output into dst. The generator must be initialized before you call this function.

Function: void drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *ctx, const uint8_t *provided_data)

Updates the internal state of ctx with provided_data, which is either NULL or a pointer to data of DRBG_CTR_AES256_SEED_SIZE octets. This function is used for re-seeding.

Next: , Previous: , Up: Reference   [Contents][Index]

4.9 ASCII encoding

Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text.

A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte).

The base64 encoding will always use alphanumeric (upper and lower case) characters and the ’+’, ’/’ and ’=’ symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There’s also a “URL safe” variant, which is useful for encoding binary data into URLs and filenames. See RFC 4648.

The base16 encoding, also known as “hexadecimal”, uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte.

Nettle supports both base64 and base16 encoding and decoding.

Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn’t need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function.

The following functions can be used to perform base64 encoding and decoding. They are defined in <nettle/base64.h>.

Context struct: struct base64_encode_ctx
Function: void base64_encode_init (struct base64_encode_ctx *ctx)
Function: void base64url_encode_init (struct base64_encode_ctx *ctx)

Initializes a base64 context. This is necessary before starting an encoding session. base64_encode_init selects the standard base64 alphabet, while base64url_encode_init selects the URL safe alphabet.

Function: size_t base64_encode_single (struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src)

Encodes a single byte. Returns amount of output (always 1 or 2).

Macro: BASE64_ENCODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base64_encode_update.

Function: size_t base64_encode_update (struct base64_encode_ctx *ctx, uint8_t *dst, size_t length, const uint8_t *src)

After ctx is initialized, this function may be called to encode length bytes from src. The result will be placed in dst, and the return value will be the number of bytes generated. Note that dst must be at least of size BASE64_ENCODE_LENGTH(length).

Constant: BASE64_ENCODE_FINAL_LENGTH

The maximum amount of output from base64_encode_final.

Function: size_t base64_encode_final (struct base64_encode_ctx *ctx, uint8_t *dst)

After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated.

Context struct: struct base64_decode_ctx
Function: void base64_decode_init (struct base64_decode_ctx *ctx)
Function: void base64url_decode_init (struct base64_decode_ctx *ctx)

Initializes a base64 decoding context. This is necessary before starting a decoding session. base64_decode_init selects the standard base64 alphabet, while base64url_decode_init selects the URL safe alphabet.

Function: int base64_decode_single (struct base64_decode_ctx *ctx, uint8_t *dst, uint8_t src)

Decodes a single byte (src) and stores the result in dst. Returns amount of output (0 or 1), or -1 on errors.

Macro: BASE64_DECODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base64_decode_update.

Function: void base64_decode_update (struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)

After ctx is initialized, this function may be called to decode src_length bytes from src. The buffer pointed to by dst must be of size *dst_length, and the amount of data actually generated is returned in *dst_length. Fails if dst_length is too small; using a buffer of size BASE64_DECODE_LENGTH(src_length) is always sufficient. Returns 1 on success and 0 on error.

Function: int base64_decode_final (struct base64_decode_ctx *ctx)

Check that final padding is correct. Returns 1 on success, and 0 on error.

Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in <nettle/base16.h>. Note that there is no encoding context necessary for doing base16 encoding.

Function: void base16_encode_single (uint8_t *dst, uint8_t src)

Encodes a single byte. Always stores two digits in dst[0] and dst[1].

Macro: BASE16_ENCODE_LENGTH (length)

The number of output bytes when passing length input bytes to base16_encode_update.

Function: void base16_encode_update (uint8_t *dst, size_t length, const uint8_t *src)

Always stores BASE16_ENCODE_LENGTH(length) digits in dst.

Context struct: struct base16_decode_ctx
Function: void base16_decode_init (struct base16_decode_ctx *ctx)

Initializes a base16 decoding context. This is necessary before starting a decoding session.

Function: int base16_decode_single (struct base16_decode_ctx *ctx, uint8_t *dst, uint8_t src)

Decodes a single byte from src into dst. Returns amount of output (0 or 1), or -1 on errors.

Macro: BASE16_DECODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base16_decode_update.

Function: int base16_decode_update (struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)

After ctx is initialized, this function may be called to decode src_length bytes from src. The buffer pointed to by dst must be of size *dst_length, and the amount of data actually generated is returned in *dst_length. Fails if dst_length is too small; using a buffer of size BASE16_DECODE_LENGTH(src_length) is always sufficient. Returns 1 on success and 0 on error.

Function: int base16_decode_final (struct base16_decode_ctx *ctx)

Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error.

Previous: , Up: Reference   [Contents][Index]

4.10 Miscellaneous functions

Function: void * memxor (void *dst, const void *src, size_t n)

XORs the source area on top of the destination area. The interface doesn’t follow the Nettle conventions, because it is intended to be similar to the ANSI-C memcpy function.

Function: void * memxor3 (void *dst, const void *a, const void *b, size_t n)

Like memxor, but takes two source areas and separate destination area.

Function: int memeql_sec (const void *a, const void *b, size_t n)

Side-channel silent comparison of the n bytes at a and b. I.e., instructions executed and memory accesses are identical no matter where the areas differ, see Side-channel silence. Return non-zero if the areas are equal, and zero if they differ.

These functions are declared in <nettle/memops.h>. For compatibility with earlier versions of Nettle, memxor and memxor3 are also declared in <nettle/memxor.h>.

Next: , Previous: , Up: Nettle   [Contents][Index]

5 Traditional Nettle Soup

For the serious nettle hacker, here is a recipe for nettle soup. 4 servings.

  • 1 liter fresh nettles (urtica dioica)
  • 2 tablespoons butter
  • 3 tablespoons flour
  • 1 liter stock (meat or vegetable)
  • 1/2 teaspoon salt
  • a tad white pepper
  • some cream or milk

Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used.

Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper.

Serve with boiled egg-halves.

Next: , Previous: , Up: Nettle   [Contents][Index]

6 Installation

Nettle uses autoconf, and the generated Makefile requires GNU make. To build Nettle, unpack the source and run 

./configure
make
make check
make install

to install it under the default prefix, /usr/local. By default, both static and shared libraries are built and installed.

To get a list of configure options, use ./configure --help. Some of the more interesting are:

--prefix

Change install location.

--disable-fat

Disable run-time detection of available processor features. Additional configure options can be used to select which features to require.

--enable-mini-gmp

Use the smaller and slower “mini-gmp” implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are not binary compatible with regular builds of Nettle, and more likely to leak side-channel information.

--disable-shared

Omit building the shared libraries.

Previous: , Up: Nettle   [Contents][Index]

Function and Concept Index

Jump to:   3  
A   B   C   D   E   G   H   K   M   N   O   P   R   S   T   U   X   Y  
Index EntrySection
3
3DESDES3
A
ABI compatibilityCompatibility
AEADAuthenticated encryption
AESAES
aes128_decryptAES
aes128_encryptAES
aes128_invert_keyAES
aes128_set_decrypt_keyAES
aes128_set_encrypt_keyAES
aes192_decryptAES
aes192_encryptAES
aes192_invert_keyAES
aes192_set_decrypt_keyAES
aes192_set_encrypt_keyAES
aes256_decryptAES
aes256_encryptAES
aes256_invert_keyAES
aes256_set_decrypt_keyAES
aes256_set_encrypt_keyAES
API compatibilityCompatibility
ArcfourArcfour
arcfour_cryptArcfour
arcfour_set_keyArcfour
ArctwoArctwo
arctwo_decryptArctwo
arctwo_encryptArctwo
arctwo_set_keyArctwo
arctwo_set_key_ekbArctwo
arctwo_set_key_gutmannArctwo
Authenticated encryptionAuthenticated encryption
B
balloonKey derivation functions
Balloon password-hashing algorithmKey derivation functions
balloon_itchKey derivation functions
balloon_sha1Key derivation functions
balloon_sha256Key derivation functions
balloon_sha384Key derivation functions
balloon_sha512Key derivation functions
base16_decode_finalASCII encoding
base16_decode_initASCII encoding
BASE16_DECODE_LENGTHASCII encoding
base16_decode_singleASCII encoding
base16_decode_updateASCII encoding
BASE16_ENCODE_LENGTHASCII encoding
base16_encode_singleASCII encoding
base16_encode_updateASCII encoding
base64_decode_finalASCII encoding
base64_decode_initASCII encoding
BASE64_DECODE_LENGTHASCII encoding
base64_decode_singleASCII encoding
base64_decode_updateASCII encoding
base64_encode_finalASCII encoding
base64_encode_initASCII encoding
BASE64_ENCODE_LENGTHASCII encoding
base64_encode_singleASCII encoding
base64_encode_updateASCII encoding
base64url_decode_initASCII encoding
base64url_encode_initASCII encoding
Binary compatibilityCompatibility
Block CipherCipher functions
BlowfishBlowfish
blowfish_bcrypt_hashBlowfish
blowfish_bcrypt_verifyBlowfish
blowfish_decryptBlowfish
blowfish_encryptBlowfish
blowfish_set_keyBlowfish
C
CamelliaCamellia
camellia_cryptCamellia
camellia_invert_keyCamellia
camellia_set_decrypt_keyCamellia
camellia_set_encrypt_keyCamellia
camellia128_cryptCamellia
camellia128_invert_keyCamellia
camellia128_set_decrypt_keyCamellia
camellia128_set_encrypt_keyCamellia
camellia192_cryptCamellia
camellia192_invert_keyCamellia
camellia192_set_decrypt_keyCamellia
camellia192_set_encrypt_keyCamellia
camellia256_cryptCamellia
camellia256_invert_keyCamellia
camellia256_set_decrypt_keyCamellia
camellia256_set_encrypt_keyCamellia
CASTCAST128
cast128_decryptCAST128
cast128_encryptCAST128
cast128_set_keyCAST128
cast5_set_keyCAST128
CBC ModeCBC
cbc_aes128_encryptCBC
cbc_aes192_encryptCBC
cbc_aes256_encryptCBC
CBC_CTXCBC
cbc_decryptCBC
CBC_DECRYPTCBC
cbc_encryptCBC
CBC_ENCRYPTCBC
CBC_SET_IVCBC
CCM ModeCCM
ccm_aes128_decryptCCM
ccm_aes128_decrypt_messageCCM
ccm_aes128_digestCCM
ccm_aes128_encryptCCM
ccm_aes128_encrypt_messageCCM
ccm_aes128_set_keyCCM
ccm_aes128_set_nonceCCM
ccm_aes128_updateCCM
ccm_aes192_decryptCCM
ccm_aes192_decrypt_messageCCM
ccm_aes192_digestCCM
ccm_aes192_encryptCCM
ccm_aes192_encrypt_messageCCM
ccm_aes192_set_keyCCM
ccm_aes192_set_nonceCCM
ccm_aes192_updateCCM
ccm_aes256_decryptCCM
ccm_aes256_decrypt_messageCCM
ccm_aes256_digestCCM
ccm_aes256_encryptCCM
ccm_aes256_encrypt_messageCCM
ccm_aes256_set_keyCCM
ccm_aes256_set_nonceCCM
ccm_aes256_updateCCM
ccm_decryptCCM
ccm_decrypt_messageCCM
ccm_digestCCM
ccm_encryptCCM
ccm_encrypt_messageCCM
CCM_MAX_MSG_SIZECCM
ccm_set_nonceCCM
ccm_updateCCM
CFB ModesCFB and CFB8
CFB_CTXCFB and CFB8
cfb_decryptCFB and CFB8
CFB_DECRYPTCFB and CFB8
cfb_encryptCFB and CFB8
CFB_ENCRYPTCFB and CFB8
CFB_SET_IV(ctx,CFB and CFB8
CFB8 ModeCFB and CFB8
CFB8_CTXCFB and CFB8
cfb8_decryptCFB and CFB8
CFB8_DECRYPTCFB and CFB8
cfb8_encryptCFB and CFB8
CFB8_ENCRYPTCFB and CFB8
CFB8_SET_IVCFB and CFB8
ChaChaChaCha
chacha_cryptChaCha
chacha_crypt32ChaCha
chacha_poly1305_decryptChaCha-Poly1305
chacha_poly1305_digestChaCha-Poly1305
chacha_poly1305_encryptChaCha-Poly1305
chacha_poly1305_set_keyChaCha-Poly1305
chacha_poly1305_set_nonceChaCha-Poly1305
chacha_poly1305_updateChaCha-Poly1305
chacha_set_counterChaCha
chacha_set_counter32ChaCha
chacha_set_keyChaCha
chacha_set_nonceChaCha
chacha_set_nonce96ChaCha
CipherCipher functions
Cipher Block ChainingCBC
Cipher Feedback 8-bit ModeCFB and CFB8
Cipher Feedback ModeCFB and CFB8
CMACCMAC
cmac_aes128_digestCMAC
cmac_aes128_set_keyCMAC
cmac_aes128_updateCMAC
cmac_aes256_digestCMAC
cmac_aes256_set_keyCMAC
cmac_aes256_updateCMAC
cmac_des3_digestCMAC
cmac_des3_set_keyCMAC
cmac_des3_updateCMAC
CMAC-128CMAC
CMAC-64CMAC
Collision-resistantHash functions
Conditional entropyRandomness
Counter ModeCTR
Counter with CBC-MAC ModeCCM
CTR ModeCTR
ctr_cryptCTR
CTR_CRYPTCTR
CTR_CTXCTR
CTR_SET_COUNTERCTR
Curve 25519Curve 25519 and Curve 448
Curve 448Curve 25519 and Curve 448
curve25519_mulCurve 25519 and Curve 448
curve25519_mul_gCurve 25519 and Curve 448
curve448_mulCurve 25519 and Curve 448
curve448_mul_gCurve 25519 and Curve 448
D
DESDES
des_check_parityDES
des_decryptDES
des_encryptDES
des_fix_parityDES
des_set_keyDES
DES3DES3
des3_decryptDES3
des3_encryptDES3
des3_set_keyDES3
Digital signaturesPublic-key algorithms
drbg_ctr_aes256_initRandomness
drbg_ctr_aes256_randomRandomness
drbg_ctr_aes256_updateRandomness
dsa_generate_keypairDSA
dsa_generate_paramsDSA
dsa_paramsDSA
dsa_params_clearDSA
dsa_params_initDSA
dsa_signDSA
dsa_signatureDSA
dsa_signature_clearDSA
dsa_signature_initDSA
dsa_verifyDSA
E
eax_aes128_decryptEAX
eax_aes128_digestEAX
eax_aes128_encryptEAX
eax_aes128_set_keyEAX
eax_aes128_set_nonceEAX
eax_aes128_updateEAX
EAX_CTXEAX
eax_decryptEAX
EAX_DECRYPTEAX
eax_digestEAX
EAX_DIGESTEAX
eax_encryptEAX
EAX_ENCRYPTEAX
eax_set_keyEAX
EAX_SET_KEYEAX
eax_set_nonceEAX
EAX_SET_NONCEEAX
eax_updateEAX
EAX_UPDATEEAX
ecc_point_clearECDSA
ecc_point_getECDSA
ecc_point_initECDSA
ecc_point_setECDSA
ecc_scalar_clearECDSA
ecc_scalar_getECDSA
ecc_scalar_initECDSA
ecc_scalar_setECDSA
ecdsa_generate_keypairECDSA
ecdsa_signECDSA
ecdsa_verifyECDSA
ed25519_sha512_public_keyCurve 25519 and Curve 448
ed25519_sha512_signCurve 25519 and Curve 448
ed25519_sha512_verifyCurve 25519 and Curve 448
ed448_shake256_public_keyCurve 25519 and Curve 448
ed448_shake256_signCurve 25519 and Curve 448
ed448_shake256_verifyCurve 25519 and Curve 448
eddsaCurve 25519 and Curve 448
EntropyRandomness
G
Galois Counter ModeGCM
GCMGCM
gcm_aes128_decryptGCM
gcm_aes128_digestGCM
gcm_aes128_encryptGCM
gcm_aes128_set_ivGCM
gcm_aes128_set_keyGCM
gcm_aes128_updateGCM
gcm_aes192_decryptGCM
gcm_aes192_digestGCM
gcm_aes192_encryptGCM
gcm_aes192_set_ivGCM
gcm_aes192_set_keyGCM
gcm_aes192_updateGCM
gcm_aes256_decryptGCM
gcm_aes256_digestGCM
gcm_aes256_encryptGCM
gcm_aes256_set_ivGCM
gcm_aes256_set_keyGCM
gcm_aes256_updateGCM
gcm_camellia_digestGCM
gcm_camellia128_decryptGCM
gcm_camellia128_digestGCM
gcm_camellia128_encryptGCM
gcm_camellia128_set_ivGCM
gcm_camellia128_set_keyGCM
gcm_camellia128_updateGCM
gcm_camellia192_digestGCM
gcm_camellia256_decryptGCM
gcm_camellia256_digestGCM
gcm_camellia256_encryptGCM
gcm_camellia256_set_ivGCM
gcm_camellia256_set_keyGCM
gcm_camellia256_updateGCM
GCM_CTXGCM
gcm_decryptGCM
GCM_DECRYPTGCM
gcm_digestGCM
GCM_DIGESTGCM
gcm_encryptGCM
GCM_ENCRYPTGCM
gcm_set_ivGCM
GCM_SET_IVGCM
gcm_set_keyGCM
GCM_SET_KEYGCM
gcm_sm4_decryptGCM
gcm_sm4_digestGCM
gcm_sm4_encryptGCM
gcm_sm4_set_ivGCM
gcm_sm4_set_keyGCM
gcm_sm4_updateGCM
gcm_updateGCM
GCM_UPDATEGCM
GOST DSAGOSTDSA
GOST hashLegacy hash functions
gostdsa_signGOSTDSA
gostdsa_verifyGOSTDSA
gostdsa_vkoGOSTDSA
gosthash94_digestLegacy hash functions
gosthash94_initLegacy hash functions
gosthash94_updateLegacy hash functions
gosthash94cp_digestLegacy hash functions
gosthash94cp_initLegacy hash functions
gosthash94cp_updateLegacy hash functions
H
Hash functionHash functions
HKDFKey derivation functions
hkdf_expandKey derivation functions
hkdf_extractKey derivation functions
HMACHMAC
hmac_md5_digestHMAC
hmac_md5_set_keyHMAC
hmac_md5_updateHMAC
hmac_ripemd160_digestHMAC
hmac_ripemd160_set_keyHMAC
hmac_ripemd160_updateHMAC
hmac_sha1_digestHMAC
hmac_sha1_set_keyHMAC
hmac_sha1_updateHMAC
hmac_sha256_digestHMAC
hmac_sha256_set_keyHMAC
hmac_sha256_updateHMAC
hmac_sha512_digestHMAC
hmac_sha512_set_keyHMAC
hmac_sha512_updateHMAC
hmac_sm3_digestHMAC
hmac_sm3_set_keyHMAC
hmac_sm3_updateHMAC
K
KDFKey derivation functions
Key Derivation FunctionKey derivation functions
Keyed Hash FunctionKeyed hash functions
M
MACKeyed hash functions
md2_digestLegacy hash functions
md2_initLegacy hash functions
md2_updateLegacy hash functions
md4_digestLegacy hash functions
md4_initLegacy hash functions
md4_updateLegacy hash functions
md5_compressLegacy hash functions
md5_digestLegacy hash functions
md5_initLegacy hash functions
md5_updateLegacy hash functions
memeql_secMiscellaneous functions
memxorMiscellaneous functions
memxor3Miscellaneous functions
Message Authentication CodeKeyed hash functions
N
nettle_aeadnettle_aead abstraction
nettle_aeadsnettle_aead abstraction
nettle_ciphernettle_cipher abstraction
nettle_ciphersnettle_cipher abstraction
nettle_get_aeadsnettle_aead abstraction
nettle_get_ciphersnettle_cipher abstraction
nettle_get_gost_gc256bGOSTDSA
nettle_get_gost_gc512aGOSTDSA
nettle_get_hashesnettle_hash abstraction
nettle_hashnettle_hash abstraction
nettle_hashesnettle_hash abstraction
O
OCBOCB
OCB modeOCB
ocb_aes128_decryptOCB
ocb_aes128_decrypt_messageOCB
ocb_aes128_digestOCB
ocb_aes128_encryptOCB
ocb_aes128_encrypt_messageOCB
ocb_aes128_set_decrypt_keyOCB
ocb_aes128_set_encrypt_keyOCB
ocb_aes128_set_nonceOCB
ocb_aes128_updateOCB
ocb_decryptOCB
ocb_decrypt_messageOCB
ocb_digestOCB
ocb_encryptOCB
ocb_encrypt_messageOCB
ocb_set_keyOCB
ocb_set_nonceOCB
ocb_updateOCB
Offset Code BookOCB
One-wayHash functions
P
Password Based Key Derivation FunctionKey derivation functions
PBKDFKey derivation functions
pbkdf2Key derivation functions
PBKDF2Key derivation functions
pbkdf2_hmac_sha1Key derivation functions
pbkdf2_hmac_sha256Key derivation functions
pbkdf2_hmac_sha384Key derivation functions
pbkdf2_hmac_sha512Key derivation functions
PKCS #5Key derivation functions
poly1305_aes_digestPoly1305
poly1305_aes_set_keyPoly1305
poly1305_aes_set_noncePoly1305
poly1305_aes_updatePoly1305
post-quantumSLH-DSA
Public-key cryptographyPublic-key algorithms
R
RandomnessRandomness
RC2Arctwo
RC4Arcfour
ripemd160_digestLegacy hash functions
ripemd160_initLegacy hash functions
ripemd160_updateLegacy hash functions
rsa_compute_rootRSA
rsa_compute_root_trRSA
rsa_decryptRSA
rsa_decrypt_trRSA
rsa_encryptRSA
rsa_generate_keypairRSA
rsa_md5_signRSA
rsa_md5_sign_digestRSA
rsa_md5_sign_digest_trRSA
rsa_md5_sign_trRSA
rsa_md5_verifyRSA
rsa_md5_verify_digestRSA
rsa_oaep_sha256_decryptRSA
rsa_oaep_sha256_encryptRSA
rsa_oaep_sha384_decryptRSA
rsa_oaep_sha384_encryptRSA
rsa_oaep_sha512_decryptRSA
rsa_oaep_sha512_encryptRSA
rsa_pkcs1_signRSA
rsa_pkcs1_sign_trRSA
rsa_pkcs1_verifyRSA
rsa_private_keyRSA
rsa_private_key_clearRSA
rsa_private_key_initRSA
rsa_private_key_prepareRSA
rsa_pss_sha256_sign_digest_trRSA
rsa_pss_sha256_verify_digestRSA
rsa_pss_sha384_sign_digest_trRSA
rsa_pss_sha384_verify_digestRSA
rsa_pss_sha512_sign_digest_trRSA
rsa_pss_sha512_verify_digestRSA
rsa_public_keyRSA
rsa_public_key_clearRSA
rsa_public_key_initRSA
rsa_public_key_prepareRSA
rsa_sha1_signRSA
rsa_sha1_sign_digestRSA
rsa_sha1_sign_digest_trRSA
rsa_sha1_sign_trRSA
rsa_sha1_verifyRSA
rsa_sha1_verify_digestRSA
rsa_sha256_signRSA
rsa_sha256_sign_digestRSA
rsa_sha256_sign_digest_trRSA
rsa_sha256_sign_trRSA
rsa_sha256_verifyRSA
rsa_sha256_verify_digestRSA
rsa_sha512_signRSA
rsa_sha512_sign_digestRSA
rsa_sha512_sign_digest_trRSA
rsa_sha512_sign_trRSA
rsa_sha512_verifyRSA
rsa_sha512_verify_digestRSA
S
Salsa20Salsa20
salsa20_128_set_keySalsa20
salsa20_256_set_keySalsa20
salsa20_cryptSalsa20
salsa20_set_keySalsa20
salsa20_set_nonceSalsa20
salsa20r12_cryptSalsa20
SerpentSerpent
serpent_decryptSerpent
serpent_encryptSerpent
serpent_set_keySerpent
sha1_compressLegacy hash functions
sha1_digestLegacy hash functions
sha1_initLegacy hash functions
sha1_updateLegacy hash functions
sha224_digestRecommended hash functions
sha224_initRecommended hash functions
sha224_updateRecommended hash functions
sha256_compressRecommended hash functions
sha256_digestRecommended hash functions
sha256_initRecommended hash functions
sha256_updateRecommended hash functions
SHA3Recommended hash functions
sha3_128_shakeRecommended hash functions
sha3_128_shake_outputRecommended hash functions
sha3_128_updateRecommended hash functions
sha3_224_digestRecommended hash functions
sha3_224_updateRecommended hash functions
sha3_256_digestRecommended hash functions
sha3_256_shakeRecommended hash functions
sha3_256_shake_outputRecommended hash functions
sha3_256_updateRecommended hash functions
sha3_384_digestRecommended hash functions
sha3_384_updateRecommended hash functions
sha3_512_digestRecommended hash functions
sha3_512_updateRecommended hash functions
sha3_initRecommended hash functions
sha384_digestRecommended hash functions
sha384_initRecommended hash functions
sha384_updateRecommended hash functions
sha512_224_digestRecommended hash functions
sha512_224_initRecommended hash functions
sha512_224_updateRecommended hash functions
sha512_256_digestRecommended hash functions
sha512_256_initRecommended hash functions
sha512_256_updateRecommended hash functions
sha512_compressRecommended hash functions
sha512_digestRecommended hash functions
sha512_initRecommended hash functions
sha512_updateRecommended hash functions
SHAKERecommended hash functions
Side-channel attackSide-channel silence
SIV modeSIV-CMAC
siv_cmac_aes128_decrypt_messageSIV-CMAC
siv_cmac_aes128_encrypt_messageSIV-CMAC
siv_cmac_aes128_set_keySIV-CMAC
siv_cmac_aes256_decrypt_messageSIV-CMAC
siv_cmac_aes256_encrypt_messageSIV-CMAC
siv_cmac_aes256_set_keySIV-CMAC
siv_gcm_aes128_decrypt_messageSIV-GCM
siv_gcm_aes128_encrypt_messageSIV-GCM
siv_gcm_aes256_decrypt_messageSIV-GCM
siv_gcm_aes256_encrypt_messageSIV-GCM
siv_gcm_decrypt_messageSIV-GCM
siv_gcm_encrypt_messageSIV-GCM
SIV-CMAC modeSIV-CMAC
slh_dsa_sha2_128f_generate_keypairSLH-DSA
slh_dsa_sha2_128f_rootSLH-DSA
slh_dsa_sha2_128f_signSLH-DSA
slh_dsa_sha2_128f_verifySLH-DSA
slh_dsa_sha2_128s_generate_keypairSLH-DSA
slh_dsa_sha2_128s_rootSLH-DSA
slh_dsa_sha2_128s_signSLH-DSA
slh_dsa_sha2_128s_verifySLH-DSA
slh_dsa_shake_128f_generate_keypairSLH-DSA
slh_dsa_shake_128f_rootSLH-DSA
slh_dsa_shake_128f_signSLH-DSA
slh_dsa_shake_128f_verifySLH-DSA
slh_dsa_shake_128s_generate_keypairSLH-DSA
slh_dsa_shake_128s_rootSLH-DSA
slh_dsa_shake_128s_signSLH-DSA
slh_dsa_shake_128s_verifySLH-DSA
SLH-DSASLH-DSA
sm3_digestMiscellaneous hash functions
sm3_initMiscellaneous hash functions
sm3_updateMiscellaneous hash functions
SM4SM4
sm4_cryptSM4
sm4_set_decrypt_keySM4
sm4_set_encrypt_keySM4
SPHINCS+SLH-DSA
Stream CipherCipher functions
streebog256_digestMiscellaneous hash functions
streebog256_initMiscellaneous hash functions
streebog256_updateMiscellaneous hash functions
streebog512_digestMiscellaneous hash functions
streebog512_initMiscellaneous hash functions
streebog512_updateMiscellaneous hash functions
struct aes128_ctxAES
struct aes192_ctxAES
struct aes256_ctxAES
struct arcfour_ctxArcfour
struct arctwo_ctxArctwo
struct base16_decode_ctxASCII encoding
struct base64_decode_ctxASCII encoding
struct base64_encode_ctxASCII encoding
struct blowfish_ctxBlowfish
struct camellia_ctxCamellia
struct camellia128_ctxCamellia
struct camellia192_ctxCamellia
struct camellia256_ctxCamellia
struct cast128_ctxCAST128
struct ccm_aes128_ctxCCM
struct ccm_aes192_ctxCCM
struct ccm_aes256_ctxCCM
struct ccm_ctxCCM
struct chacha_ctxChaCha
struct chacha_poly1305_ctxChaCha-Poly1305
struct cmac_aes128_ctxCMAC
struct cmac_aes256_ctxCMAC
struct cmac_des3_ctxCMAC
struct des_ctxDES
struct des3_ctxDES3
struct drbg_ctr_aes256_ctxRandomness
struct eax_aes128_ctxEAX
struct eax_ctxEAX
struct eax_keyEAX
struct ecc_pointECDSA
struct ecc_scalarECDSA
struct gcm_aes128_ctxGCM
struct gcm_aes192_ctxGCM
struct gcm_aes256_ctxGCM
struct gcm_camellia128_ctxGCM
struct gcm_camellia256_ctxGCM
struct gcm_ctxGCM
struct gcm_keyGCM
struct gcm_sm4_ctxGCM
struct gosthash94_ctxLegacy hash functions
struct gosthash94cp_ctxLegacy hash functions
struct hmac_md5_ctxHMAC
struct hmac_ripemd160_ctxHMAC
struct hmac_sha1_ctxHMAC
struct hmac_sha256_ctxHMAC
struct hmac_sha512_ctxHMAC
struct hmac_sm3_ctxHMAC
struct md2_ctxLegacy hash functions
struct md4_ctxLegacy hash functions
struct md5_ctxLegacy hash functions
struct nettle_aeadnettle_aead abstraction
struct nettle_ciphernettle_cipher abstraction
struct nettle_hashnettle_hash abstraction
struct ocb_aes128_encrypt_keyOCB
struct ocb_ctxOCB
struct ocb_keyOCB
struct poly1305_aes_ctxPoly1305
struct ripemd160_ctxLegacy hash functions
struct salsa20_ctxSalsa20
struct serpent_ctxSerpent
struct sha1_ctxLegacy hash functions
struct sha224_ctxRecommended hash functions
struct sha256_ctxRecommended hash functions
struct sha3_ctxRecommended hash functions
struct sha384_ctxRecommended hash functions
struct sha512_224_ctxRecommended hash functions
struct sha512_256_ctxRecommended hash functions
struct sha512_ctxRecommended hash functions
struct siv_cmac_aes128_ctxSIV-CMAC
struct siv_cmac_aes256_ctxSIV-CMAC
struct sm3_ctxMiscellaneous hash functions
struct sm4_ctxSM4
struct streebog256_ctxMiscellaneous hash functions
struct streebog512_ctxMiscellaneous hash functions
struct twofish_ctxTwofish
struct umac128_ctxUMAC
struct umac32_ctxUMAC
struct umac64_ctxUMAC
struct umac96_ctxUMAC
struct xts_aes128_keyXTS
struct xts_aes256_keyXTS
struct yarrow_key_event_ctxRandomness
struct yarrow_sourceRandomness
struct yarrow256_ctxRandomness
T
Triple-DESDES3
TwofishTwofish
twofish_decryptTwofish
twofish_encryptTwofish
twofish_set_keyTwofish
U
UMACUMAC
umac128_digestUMAC
umac128_set_keyUMAC
umac128_set_nonceUMAC
umac128_updateUMAC
umac32_digestUMAC
umac32_set_keyUMAC
umac32_set_nonceUMAC
umac32_updateUMAC
umac64_digestUMAC
umac64_set_keyUMAC
umac64_set_nonceUMAC
umac64_updateUMAC
umac96_digestUMAC
umac96_set_keyUMAC
umac96_set_nonceUMAC
umac96_updateUMAC
X
XEX-based tweaked-codebook mode with ciphertext stealingXTS
XTS ModeXTS
xts_aes128_decrypt_messageXTS
xts_aes128_encrypt_messageXTS
xts_aes128_set_decrypt_keyXTS
xts_aes128_set_encrypt_keyXTS
xts_aes256_decrypt_messageXTS
xts_aes256_encrypt_messageXTS
xts_aes256_set_decrypt_keyXTS
xts_aes256_set_encrypt_keyXTS
xts_decrypt_messageXTS
xts_encrypt_messageXTS
Y
yarrow_key_event_estimateRandomness
yarrow_key_event_initRandomness
yarrow256_fast_reseedRandomness
yarrow256_initRandomness
yarrow256_is_seededRandomness
yarrow256_needed_sourcesRandomness
yarrow256_randomRandomness
yarrow256_seedRandomness
yarrow256_slow_reseedRandomness
yarrow256_updateRandomness
Jump to:   3  
A   B   C   D   E   G   H   K   M   N   O   P   R   S   T   U   X   Y  

[Contents][Index]

Footnotes

(1)

Actually, the computation is not done like this, it is done more efficiently using p, q and the Chinese remainder theorem (CRT). But the result is the same.

nettle-4.0/nettle.info0000644000000000000000000125636615141166424011775 0ustar00This is nettle.info, produced by makeinfo version 7.1.1 from nettle.texinfo. This manual is for the Nettle library (version 4.0), a low-level cryptographic library. Originally written 2001 by Niels Möller, updated 2026. This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. INFO-DIR-SECTION Encryption START-INFO-DIR-ENTRY * Nettle: (nettle). A low-level cryptographic library. END-INFO-DIR-ENTRY  File: nettle.info, Node: Top, Next: Introduction, Up: (dir) Nettle ****** This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application. This manual is for the Nettle library (version 4.0), a low-level cryptographic library. Originally written 2001 by Niels Möller, updated 2026. This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. * Menu: * Introduction:: What is Nettle? * Copyright:: Your rights. * Using Nettle:: Example and conventions. * Reference:: All Nettle functions and features. * Nettle soup:: For the serious nettle hacker. * Installation:: How to install Nettle. * Index:: Function and concept index. -- The Detailed Node Listing -- Using Nettle * Example:: An example program. * Conventions:: General interface conventions. * Linking:: Linking with libnettle and libhogweed. * Compatibility:: On API and ABI compatibility between versions. Reference * Hash functions:: * Cipher functions:: * Cipher modes:: * Authenticated encryption:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: * Randomness:: * ASCII encoding:: * Miscellaneous functions:: Hash functions * Recommended hash functions:: * Miscellaneous hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: Cipher functions * AES:: * Arcfour:: * Arctwo:: * Blowfish:: * Camellia:: * CAST128:: * ChaCha:: * DES:: * DES3:: * Salsa20:: * Serpent:: * SM4:: * Twofish:: * nettle_cipher abstraction:: Cipher modes * CBC:: * CTR:: * CFB and CFB8:: * XTS:: Authenticated encryption with associated data * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * OCB:: * SIV-CMAC:: * SIV-GCM:: * nettle_aead abstraction:: Keyed Hash Functions * HMAC:: * UMAC:: * CMAC:: * Poly1305:: Public-key algorithms * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA. * SLH-DSA:: Stateless hash-based digital signatures. Elliptic curves * Side-channel silence:: * ECDSA:: * GOSTDSA:: * Curve 25519 and Curve 448::  File: nettle.info, Node: Introduction, Next: Copyright, Prev: Top, Up: Top 1 Introduction ************** Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a _simple_ but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use.  File: nettle.info, Node: Copyright, Next: Using Nettle, Prev: Introduction, Up: Top 2 Copyright *********** Nettle is dual licenced under the GNU General Public License version 2 or later, and the GNU Lesser General Public License version 3 or later. When using Nettle, you must comply fully with all conditions of at least one of these licenses. A few of the individual files are licensed under more permissive terms, or in the public domain. To find the current status of particular files, you have to read the copyright notices at the top of the files. This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required.  File: nettle.info, Node: Using Nettle, Next: Reference, Prev: Copyright, Up: Top 3 Using Nettle ************** * Menu: * Example:: An example program. * Conventions:: General interface conventions. * Linking:: Linking with libnettle and libhogweed. * Compatibility:: On API and ABI compatibility between versions.  File: nettle.info, Node: Example, Next: Conventions, Up: Using Nettle 3.1 Example =========== A simple example program that reads a file from standard input and writes its SHA256 checksum on standard output should give the flavor of Nettle. #include #include #include #define BUF_SIZE 1000 static void display_hex(unsigned length, uint8_t *data) { unsigned i; for (i = 0; i’. -- Context struct: struct sha256_ctx -- Constant: SHA256_DIGEST_SIZE The size of a SHA256 digest, i.e. 32. -- Constant: SHA256_BLOCK_SIZE The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. -- Function: void sha256_init (struct sha256_ctx *CTX) Initialize the SHA256 state. -- Function: void sha256_update (struct sha256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha256_digest (struct sha256_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA256_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘sha256_init’. -- Function: void sha256_compress (const uint32_t *STATE, uint8_t *INPUT) Perform a raw SHA256 compress on SHA256_BLOCK_SIZE bytes fromINPUT using STATE as IV (an array of 8 uint32_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA256). 4.1.1.2 SHA224 .............. SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in ‘’. -- Context struct: struct sha224_ctx -- Constant: SHA224_DIGEST_SIZE The size of a SHA224 digest, i.e. 28. -- Constant: SHA224_BLOCK_SIZE The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. -- Function: void sha224_init (struct sha224_ctx *CTX) Initialize the SHA224 state. -- Function: void sha224_update (struct sha224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha224_digest (struct sha224_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA224_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘sha224_init’. 4.1.1.3 SHA512 .............. SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 octets. Nettle defines SHA512 in ‘’. -- Context struct: struct sha512_ctx -- Constant: SHA512_DIGEST_SIZE The size of a SHA512 digest, i.e. 64. -- Constant: SHA512_BLOCK_SIZE The internal block size of SHA512, 128. Useful for some special constructions, in particular HMAC-SHA512. -- Function: void sha512_init (struct sha512_ctx *CTX) Initialize the SHA512 state. -- Function: void sha512_update (struct sha512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha512_digest (struct sha512_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA512_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘sha512_init’. -- Function: void sha512_compress (const uint64_t *STATE, uint8_t *INPUT) Perform a raw SHA512 compress on SHA512_BLOCK_SIZE bytes from INPUT using STATE as IV (an array of 8 uint64_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA512). 4.1.1.4 SHA384 and other variants of SHA512 ........................................... Several variants of SHA512 have been defined, with a different initial state, and with the output truncated to shorter length than 512 bits. Naming is a bit confused, these algorithms are called SHA512-224, SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, respectively. Nettle defines these in ‘’. -- Context struct: struct sha512_224_ctx -- Context struct: struct sha512_256_ctx -- Context struct: struct sha384_ctx These context structs are all the same as sha512_ctx. They are defined as simple preprocessor aliases, which may cause some problems if used as identifiers for other purposes. So avoid doing that. -- Constant: SHA512_224_DIGEST_SIZE -- Constant: SHA512_256_DIGEST_SIZE -- Constant: SHA384_DIGEST_SIZE The digest size for each variant, i.e., 28, 32, and 48, respectively. -- Constant: SHA512_224_BLOCK_SIZE -- Constant: SHA512_256_BLOCK_SIZE -- Constant: SHA384_BLOCK_SIZE The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for some special constructions, in particular HMAC-SHA384. -- Function: void sha512_224_init (struct sha512_224_ctx *CTX) -- Function: void sha512_256_init (struct sha512_256_ctx *CTX) -- Function: void sha384_init (struct sha384_ctx *CTX) Initialize the context struct. -- Function: void sha512_224_update (struct sha512_224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void sha512_256_update (struct sha512_256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void sha384_update (struct sha384_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. These are all aliases for sha512_update, which does the same thing. -- Function: void sha512_224_digest (struct sha512_224_ctx *CTX, uint8_t *DIGEST) -- Function: void sha512_256_digest (struct sha512_256_ctx *CTX, uint8_t *DIGEST) -- Function: void sha384_digest (struct sha384_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing a digest of the corresponding size to DIGEST. These function also reset the context in the same way as the corresponding init function. 4.1.1.5 SHA3 ............ The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are very similar to SHA1. SHA3 is a result of a competition, where the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits (28, 32, 48 and 64 octets, respectively). In August 2015, it was formally standardized by NIST, as FIPS 202, . Nettle uses the same context struct for all SHA3-variants. -- Context struct: struct sha3_ctx The corresponding initialization function must be called before any other of the sha3 functions. -- Function: void sha3_init (struct sha3_ctx *CTX) Initialize the SHA3 state. Notes on the SHA3 implementation in older versions of Nettle: • Prior to Nettle version 4.0, there were different context structs and initialization functions for each variant, e.g., ‘struct sha3_256_ctx’ and ‘sha3_256_init’. For backwards compatibility, the old names are now defined as preprocessor aliases. • Prior to Nettle version 3.2, the SHA3 implementation was based on the specification at the time Keccak was announced as the winner of the competition, which is incompatible with the final standard and hence with current versions of Nettle. The ‘nette/sha3.h’ defines a preprocessor symbol ‘NETTLE_SHA3_FIPS202’ to indicate conformance with the standard. -- Constant: NETTLE_SHA3_FIPS202 Defined to 1 in Nettle versions supporting FIPS 202. Undefined in earlier versions. 4.1.1.6 SHA3-224 ................ This is SHA3 with 224-bit output size. Nettle defines SHA3-224 in ‘’. -- Constant: SHA3_224_DIGEST_SIZE The size of a SHA3_224 digest, i.e., 28. -- Constant: SHA3_224_BLOCK_SIZE The internal block size of SHA3_224. -- Function: void sha3_224_update (struct sha3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_224_digest (struct sha3_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA3_224_DIGEST_SIZE’ octets to DIGEST. This function also resets the context. 4.1.1.7 SHA3-256 ................ This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. Nettle defines SHA3-256 in ‘’. -- Constant: SHA3_256_DIGEST_SIZE The size of a SHA3_256 digest, i.e., 32. -- Constant: SHA3_256_BLOCK_SIZE The internal block size of SHA3_256. -- Function: void sha3_256_update (struct sha3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_256_digest (struct sha3_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA3_256_DIGEST_SIZE’ octets to DIGEST. This function also resets the context. 4.1.1.8 SHA3-384 ................ This is SHA3 with 384-bit output size. Nettle defines SHA3-384 in ‘’. -- Constant: SHA3_384_DIGEST_SIZE The size of a SHA3_384 digest, i.e., 48. -- Constant: SHA3_384_BLOCK_SIZE The internal block size of SHA3_384. -- Function: void sha3_384_update (struct sha3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_384_digest (struct sha3_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA3_384_DIGEST_SIZE’ octets to DIGEST. This function also resets the context. 4.1.1.9 SHA3-512 ................ This is SHA3 with 512-bit output size. Nettle defines SHA3-512 in ‘’. -- Constant: SHA3_512_DIGEST_SIZE The size of a SHA3_512 digest, i.e. 64. -- Constant: SHA3_512_BLOCK_SIZE The internal block size of SHA3_512. -- Function: void sha3_512_update (struct sha3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_512_digest (struct sha3_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA3_512_DIGEST_SIZE’ octets to DIGEST. This function also resets the context. 4.1.1.10 SHAKE .............. In addition to those SHA-3 hash functions, Nettle also supports a SHA-3 extendable-output function (XOF) called SHAKE. Unlike hash functions, SHAKE can produce an output digest of any desired length. There are two variants, SHAKE-128 and SHAKE-256, with different security strengths in terms of collision or preimage resistance: SHAKE-128 internally uses a SHA-3 hash function with 128-bit security, while SHAKE-256 corresponds to SHA3-256 which provides 256-bit security. To use SHAKE, the context struct needs to be initialized with the ‘init’ function and data is hashed using the ‘update’ function. Afterwards, a digest can be generated using either the ‘shake’ or ‘shake_ouput’ function, where the former generates the digest at once and resets the context, while the latter can be called multiple times to generate the digest in an incremental manner. For SHAKE-128 they are defined as follows. -- Function: void sha3_128_update (struct sha3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_128_shake (struct sha3_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-128 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function also resets the context. -- Function: void sha3_128_shake_output (struct sha3_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-128 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function does not reset the context. For SHAKE-256, the ‘update’ function is the same as SHA3-256. To generate a digest, use either the ‘shake’ or ‘shake_output’ function. -- Function: void sha3_256_shake (struct sha3_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-256 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function also resets the context. -- Function: void sha3_256_shake_output (struct sha3_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-256 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function does not reset the context.  File: nettle.info, Node: Miscellaneous hash functions, Next: Legacy hash functions, Prev: Recommended hash functions, Up: Hash functions 4.1.2 Miscellaneous hash functions ---------------------------------- 4.1.2.1 STREEBOG512 ................... STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It outputs hash values of 512 bits, or 64 octets. Nettle defines STREEBOG512 in ‘’. -- Context struct: struct streebog512_ctx -- Constant: STREEBOG512_DIGEST_SIZE The size of a STREEBOG512 digest, i.e. 64. -- Constant: STREEBOG512_BLOCK_SIZE The internal block size of STREEBOG512. Useful for some special constructions, in particular HMAC-STREEBOG512. -- Function: void streebog512_init (struct streebog512_ctx *CTX) Initialize the STREEBOG512 state. -- Function: void streebog512_update (struct streebog512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void streebog512_digest (struct streebog512_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘STREEBOG512_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘streebog512_init’. 4.1.2.2 STREEBOG256 ................... STREEBOG256 is a variant of STREEBOG512, with a different initial state, and with the output truncated to 256 bits, or 32 octets. Nettle defines STREEBOG256 in ‘’. -- Context struct: struct streebog256_ctx -- Constant: STREEBOG256_DIGEST_SIZE The size of a STREEBOG256 digest, i.e. 32. -- Constant: STREEBOG256_BLOCK_SIZE The internal block size of STREEBOG256. Useful for some special constructions, in particular HMAC-STREEBOG256. -- Function: void streebog256_init (struct streebog256_ctx *CTX) Initialize the STREEBOG256 state. -- Function: void streebog256_update (struct streebog256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void streebog256_digest (struct streebog256_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘STREEBOG256_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘streebog256_init’. 4.1.2.3 SM3 ........... SM3 is a cryptographic hash function standard adopted by the government of the People's Republic of China, which was issued by the Cryptography Standardization Technical Committee of China on December 17, 2010. The corresponding standard is GM/T 0004-2012 "SM3 Cryptographic Hash Algorithm". SM3 algorithm is a hash algorithm in ShangMi cryptosystems. SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and the RFC 8998 specification defines the usage of ShangMi algorithm suite in TLS 1.3, etc. According to the State Cryptography Administration of China, its security and efficiency are equivalent to SHA-256. Nettle defines SM3 in ‘’. -- Context struct: struct sm3_ctx -- Constant: SM3_DIGEST_SIZE The size of a SM3 digest, i.e. 32. -- Constant: SM3_BLOCK_SIZE The internal block size of SM3. Useful for some special constructions, in particular HMAC-SM3. -- Function: void sm3_init (struct sm3_ctx *CTX) Initialize the SM3 state. -- Function: void sm3_update (struct sm3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sm3_digest (struct sm3_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SM3_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘sm3_init’.  File: nettle.info, Node: Legacy hash functions, Next: nettle_hash abstraction, Prev: Miscellaneous hash functions, Up: Hash functions 4.1.3 Legacy hash functions --------------------------- The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a "legacy" hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. 4.1.3.1 MD5 ........... MD5 is a message digest function constructed by Ronald Rivest, and described in ‘RFC 1321’. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in ‘’. -- Context struct: struct md5_ctx -- Constant: MD5_DIGEST_SIZE The size of an MD5 digest, i.e. 16. -- Constant: MD5_BLOCK_SIZE The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. -- Function: void md5_init (struct md5_ctx *CTX) Initialize the MD5 state. -- Function: void md5_update (struct md5_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md5_digest (struct md5_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘MD5_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘md5_init’. -- Function: void md5_compress (const uint32_t *STATE, uint8_t *INPUT) Perform a raw MD5 compress on MD5_BLOCK_SIZE bytes from INPUT using STATE as IV (an array of 4 uint32_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard MD5). The normal way to use MD5 is to call the functions in order: First ‘md5_init’, then ‘md5_update’ zero or more times, and finally ‘md5_digest’. After ‘md5_digest’, the context is reset to its initial state, so you can start over calling ‘md5_update’ to hash new data. To start over, you can call ‘md5_init’ at any time. 4.1.3.2 MD2 ........... MD2 is another hash function of Ronald Rivest's, described in ‘RFC 1319’. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in ‘’. -- Context struct: struct md2_ctx -- Constant: MD2_DIGEST_SIZE The size of an MD2 digest, i.e. 16. -- Constant: MD2_BLOCK_SIZE The internal block size of MD2. -- Function: void md2_init (struct md2_ctx *CTX) Initialize the MD2 state. -- Function: void md2_update (struct md2_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md2_digest (struct md2_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘MD2_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘md2_init’. 4.1.3.3 MD4 ........... MD4 is a predecessor of MD5, described in ‘RFC 1320’. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in ‘’. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols. -- Context struct: struct md4_ctx -- Constant: MD4_DIGEST_SIZE The size of an MD4 digest, i.e. 16. -- Constant: MD4_BLOCK_SIZE The internal block size of MD4. -- Function: void md4_init (struct md4_ctx *CTX) Initialize the MD4 state. -- Function: void md4_update (struct md4_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md4_digest (struct md4_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘MD4_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘md4_init’. 4.1.3.4 RIPEMD160 ................. RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in ‘nettle/ripemd160.h’. -- Context struct: struct ripemd160_ctx -- Constant: RIPEMD160_DIGEST_SIZE The size of a RIPEMD160 digest, i.e. 20. -- Constant: RIPEMD160_BLOCK_SIZE The internal block size of RIPEMD160. -- Function: void ripemd160_init (struct ripemd160_ctx *CTX) Initialize the RIPEMD160 state. -- Function: void ripemd160_update (struct ripemd160_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void ripemd160_digest (struct ripemd160_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘RIPEMD160_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘ripemd160_init’. 4.1.3.5 SHA1 ............ SHA1 is a hash function specified by “NIST” (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in ‘’. -- Context struct: struct sha1_ctx -- Constant: SHA1_DIGEST_SIZE The size of a SHA1 digest, i.e. 20. -- Constant: SHA1_BLOCK_SIZE The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. -- Function: void sha1_init (struct sha1_ctx *CTX) Initialize the SHA1 state. -- Function: void sha1_update (struct sha1_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha1_digest (struct sha1_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘SHA1_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘sha1_init’. -- Function: void sha1_compress (const uint32_t *STATE, uint8_t *INPUT) Perform a raw SHA1 compress on SHA1_BLOCK_SIZE bytes from INPUT using STATE as IV (an array of 5 uint32_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA1). 4.1.3.6 GOSTHASH94 and GOSTHASH94CP ................................... The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see ‘RFC 4357’). It outputs message digests of 256 bits, or 32 octets. The standard itself does not fix the S-box used by the hash algorith, so there are two popular variants (the testing S-box from the standard itself and the S-box defined by CryptoPro company, see RFC 4357). Nettle provides support for the former S-box in the form of GOSTHASH94 hash algorithm and for the latter in the form of GOSTHASH94CP hash algorithm. Nettle defines GOSTHASH94 and GOSTHASH94CP in ‘’. -- Context struct: struct gosthash94_ctx -- Constant: GOSTHASH94_DIGEST_SIZE The size of a GOSTHASH94 digest, i.e. 32. -- Constant: GOSTHASH94_BLOCK_SIZE The internal block size of GOSTHASH94, i.e., 32. -- Function: void gosthash94_init (struct gosthash94_ctx *CTX) Initialize the GOSTHASH94 state. -- Function: void gosthash94_update (struct gosthash94_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void gosthash94_digest (struct gosthash94_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘GOSTHASH94_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘gosthash94_init’. -- Context struct: struct gosthash94cp_ctx -- Constant: GOSTHASH94CP_DIGEST_SIZE The size of a GOSTHASH94CP digest, i.e. 32. -- Constant: GOSTHASH94CP_BLOCK_SIZE The internal block size of GOSTHASH94CP, i.e., 32. -- Function: void gosthash94cp_init (struct gosthash94cp_ctx *CTX) Initialize the GOSTHASH94CP state. -- Function: void gosthash94cp_update (struct gosthash94cp_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void gosthash94cp_digest (struct gosthash94cp_ctx *CTX, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing ‘GOSTHASH94CP_DIGEST_SIZE’ octets to DIGEST. This function also resets the context in the same way as ‘gosthash94cp_init’.  File: nettle.info, Node: nettle_hash abstraction, Prev: Legacy hash functions, Up: Hash functions 4.1.4 The ‘struct nettle_hash’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash functions. It is defined in ‘’, and is used by Nettle's implementation of HMAC (*note Keyed hash functions::). -- Meta struct: struct nettle_hash name context_size digest_size block_size init update digest The last three attributes are function pointers, of types ‘nettle_hash_init_func *’, ‘nettle_hash_update_func *’, and ‘nettle_hash_digest_func *’. The first argument to these functions is ‘void *’ pointer to a context struct, which is of size ‘context_size’. -- Constant Struct: struct nettle_hash nettle_md2 -- Constant Struct: struct nettle_hash nettle_md4 -- Constant Struct: struct nettle_hash nettle_md5 -- Constant Struct: struct nettle_hash nettle_ripemd160 -- Constant Struct: struct nettle_hash nettle_sha1 -- Constant Struct: struct nettle_hash nettle_sha224 -- Constant Struct: struct nettle_hash nettle_sha256 -- Constant Struct: struct nettle_hash nettle_sha384 -- Constant Struct: struct nettle_hash nettle_sha512 -- Constant Struct: struct nettle_hash nettle_sha3_256 -- Constant Struct: struct nettle_hash nettle_gosthash94 -- Constant Struct: struct nettle_hash nettle_gosthash94cp -- Constant Struct: struct nettle_hash nettle_sm3 These are all the hash functions that Nettle implements. Nettle also exports a list of all these hashes. -- Function: const struct nettle_hash ** nettle_get_hashes (void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_hashes A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., ‘nettle_hashes[0]->name’ for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases.  File: nettle.info, Node: Cipher functions, Next: Cipher modes, Prev: Hash functions, Up: Reference 4.2 Cipher functions ==================== A “cipher” is a function that takes a message or “plaintext” and a secret “key” and transforms it to a “ciphertext”. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. There are two main classes of ciphers: Block ciphers and stream ciphers. A block cipher can process data only in fixed size chunks, called “blocks”. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called “ECB”, Electronic Code Book mode. However, using ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some "feedback mode", “CBC” (Cipher Block Chaining) and “CTR” (Counter mode) being two of of the most popular. See *Note Cipher modes::, for information on how to apply CBC and CTR with Nettle. A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of N octets, you key the generator, generate N octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. *Caution:* The first rule for this kind of cipher is the same as for a One Time Pad: _never_ ever use the same key twice. A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you're reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can't decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in CBC mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message. It is recommended to _always_ use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like HMAC-SHA1 (*note Keyed hash functions::), or digital signatures like RSA. Some ciphers have so called "weak keys", keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don't have any weak keys. To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as “key setup”. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption. * Menu: * AES:: * Arcfour:: * Arctwo:: * Blowfish:: * Camellia:: * CAST128:: * ChaCha:: * DES:: * DES3:: * Salsa20:: * Serpent:: * SM4:: * Twofish:: * nettle_cipher abstraction::  File: nettle.info, Node: AES, Next: Arcfour, Up: Cipher functions 4.2.1 AES --------- AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in ‘’, and there is one context struct for each key size. -- Context struct: struct aes128_ctx -- Context struct: struct aes192_ctx -- Context struct: struct aes256_ctx -- Constant: AES_BLOCK_SIZE The AES block-size, 16. -- Constant: AES128_KEY_SIZE -- Constant: AES192_KEY_SIZE -- Constant: AES256_KEY_SIZE -- Constant: AES_KEY_SIZE Default AES key size, 32. -- Function: void aes128_set_encrypt_key (struct aes128_ctx *CTX, const uint8_t *KEY) -- Function: void aes128_set_decrypt_key (struct aes128_ctx *CTX, const uint8_t *KEY) -- Function: void aes192_set_encrypt_key (struct aes192_ctx *CTX, const uint8_t *KEY) -- Function: void aes192_set_decrypt_key (struct aes192_ctx *CTX, const uint8_t *KEY) -- Function: void aes256_set_encrypt_key (struct aes256_ctx *CTX, const uint8_t *KEY) -- Function: void aes256_set_decrypt_key (struct aes256_ctx *CTX, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. -- Function: void aes128_invert_key (struct aes128_ctx *DST, const struct aes128_ctx *SRC) -- Function: void aes192_invert_key (struct aes192_ctx *DST, const struct aes192_ctx *SRC) -- Function: void aes256_invert_key (struct aes256_ctx *DST, const struct aes256_ctx *SRC) Given a context SRC initialized for encryption, initializes the context struct DST for decryption, using the same key. If the same context struct is passed for both ‘src’ and ‘dst’, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the _same_ key, because calling, e.g., ‘aes128_set_encrypt_key’ and ‘aes128_invert_key’, is more efficient than calling ‘aes128_set_encrypt_key’ and ‘aes128_set_decrypt_key’. -- Function: void aes128_encrypt (struct aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes192_encrypt (struct aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes256_encrypt (struct aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void aes128_decrypt (struct aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes192_decrypt (struct aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes256_decrypt (struct aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to the encryption functions above.  File: nettle.info, Node: Arcfour, Next: Arctwo, Prev: AES, Up: Cipher functions 4.2.2 Arcfour ------------- ARCFOUR is a historic stream cipher, also known under the trade marked name RC4, and was a widely used fast stream cipher. We do not recommend the use of ARCFOUR; the Nettle implementation is provided primarily for interoperability with existing applications and standards. One problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like "secret:1", "secret:2", .... If you have keys that don't look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Another problem is that the output is distinguishable from random data, and that the initial bytes of the generated key stream leak information about the key; for this reason, it was sometimes recommended to discard the first 512, 768 or 1024 bytes of the key stream. /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) { struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t buffer[0x200]; sha256_init(&hash); sha256_update(&hash, length, key); sha256_digest(&hash, digest); arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest); arcfour_crypt(ctx, sizeof(buffer), buffer, buffer); } Nettle defines ARCFOUR in ‘’. -- Context struct: struct arcfour_ctx -- Constant: ARCFOUR_MIN_KEY_SIZE Minimum key size, 1. -- Constant: ARCFOUR_MAX_KEY_SIZE Maximum key size, 256. -- Constant: ARCFOUR_KEY_SIZE Default ARCFOUR key size, 16. -- Function: void arcfour_set_key (struct arcfour_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void arcfour_crypt (struct arcfour_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called ‘arcfour_crypt’ only once with all the data.  File: nettle.info, Node: Arctwo, Next: Blowfish, Prev: Arcfour, Up: Cipher functions 4.2.3 Arctwo ------------ ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to ‘sci.crypt’ by Peter Gutmann. ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, ‘ekb’. This parameter can be used to artificially reduce the key size. In practice, ‘ekb’ is usually set equal to the input key size. Nettle defines ARCTWO in ‘’. We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards. -- Context struct: struct arctwo_ctx -- Constant: ARCTWO_BLOCK_SIZE The ARCTWO block-size, 8. -- Constant: ARCTWO_MIN_KEY_SIZE -- Constant: ARCTWO_MAX_KEY_SIZE -- Constant: ARCTWO_KEY_SIZE Default ARCTWO key size, 8. -- Function: void arctwo_set_key_ekb (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY, unsigned EKB) -- Function: void arctwo_set_key (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void arctwo_set_key_gutmann (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for EKB is 1024, and for convenience, ‘ekb = 0’ has the same effect as ‘ekb = 1024’. ‘arctwo_set_key(ctx, length, key)’ is equivalent to ‘arctwo_set_key_ekb(ctx, length, key, 8*length)’, and ‘arctwo_set_key_gutmann(ctx, length, key)’ is equivalent to ‘arctwo_set_key_ekb(ctx, length, key, 1024)’ -- Function: void arctwo_encrypt (struct arctwo_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void arctwo_decrypt (struct arctwo_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘arctwo_encrypt’  File: nettle.info, Node: Blowfish, Next: Camellia, Prev: Arctwo, Up: Cipher functions 4.2.4 Blowfish -------------- BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in ‘’. -- Context struct: struct blowfish_ctx -- Constant: BLOWFISH_BLOCK_SIZE The BLOWFISH block-size, 8. -- Constant: BLOWFISH_MIN_KEY_SIZE Minimum BLOWFISH key size, 8. -- Constant: BLOWFISH_MAX_KEY_SIZE Maximum BLOWFISH key size, 56. -- Constant: BLOWFISH_KEY_SIZE Default BLOWFISH key size, 16. -- Function: int blowfish_set_key (struct blowfish_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. ‘blowfish_encrypt’ or ‘blowfish_decrypt’ with a weak key will crash with an assert violation. -- Function: void blowfish_encrypt (struct blowfish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void blowfish_decrypt (struct blowfish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘blowfish_encrypt’ -- Function: int blowfish_bcrypt_hash (char *DST, size_t LENKEY, const char *KEY, size_t LENSCHEME, const char *SCHEME, int LOG2ROUNDS, const uint8_t *SALT) Compute the bcrypt password hash. The function will return ‘0’ if the hash cannot be computed due to invalid input. The function will return ‘1’ and store the computed hash in the array pointed to by DST. The hash is computed based on the chosen SCHEME, number of rounds LOG2ROUNDS and specified SALT. DST must point to a character array of at least ‘BLOWFISH_BCRYPT_HASH_SIZE’ bytes. KEY contains the plaintext password string of size LENKEY. SCHEME is of size LENSCHEME and contains either just the chosen scheme (valid schemes are: ‘2a’, ‘2b’, ‘2x’ or ‘2y’), or (the prefix of) an existing hashed password (typically ‘$2b$10$...’). LOG2ROUNDS contains the log2 of the number of encryption rounds that must be used to compute the hash. If it is ‘-1’ the value will be extracted from SCHEME. SALT should point to an array of ‘BLOWFISH_BCRYPT_BINSALT_SIZE’ random bytes to be used to perturb the hash computation. If it is ‘NULL’ the salt will be extracted from SCHEME. Sample code to generate a bcrypt hash: char password[] = "ExamplePassword"; char scheme[] = "2b"; uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE]; ... /* Make sure that salt is filled with random bytes */ ... char hash[BLOWFISH_BCRYPT_HASH_SIZE]; int result = blowfish_bcrypt(hash, sizeof(password) - 1, password, sizeof(scheme) - 1, scheme, 10, salt); if (result) printf("%s\n", hash); -- Function: int blowfish_bcrypt_verify (size_t LENKEY, const char *KEY, size_t LENHASHED, const char *HASHED) Verifies the bcrypt password hash against the supplied plaintext password. The function will return ‘0’ if the password does not match. The function will return ‘1’ if the password matches. KEY contains the plaintext password string of size LENKEY. HASHED contains the hashed string of size LENHASHED to compare with. Sample code to verify a bcrypt hash: char password[] = "ExamplePassword"; char hash[] = "$2y$" /* Hash algorithm version */ "10" /* 2^10 hash rounds (strength) */ "$" /* separator */ "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */ "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */ if (blowfish_bcrypt_verify(sizeof(password) - 1, password, sizeof(hash) - 1, hash)) printf("Password is correct."); else printf("Password is incorrect.");  File: nettle.info, Node: Camellia, Next: CAST128, Prev: Blowfish, Up: Cipher functions 4.2.5 Camellia -------------- Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in ‘RFC3713’. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at , but this statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in ‘’, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, ‘struct camellia_ctx’, for all key sizes. This interface kept for backwards compatibility). -- Context struct: struct camellia128_ctx -- Context struct: struct camellia192_ctx -- Context struct: struct camellia256_ctx Contexts structs. Actually, ‘camellia192_ctx’ is an alias for ‘camellia256_ctx’. -- Context struct: struct camellia_ctx Alternative struct, for the old Camellia interface. -- Constant: CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. -- Constant: CAMELLIA128_KEY_SIZE -- Constant: CAMELLIA192_KEY_SIZE -- Constant: CAMELLIA256_KEY_SIZE -- Constant: CAMELLIA_MIN_KEY_SIZE -- Constant: CAMELLIA_MAX_KEY_SIZE -- Constant: CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. -- Function: void camellia128_set_encrypt_key (struct camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void camellia128_set_decrypt_key (struct camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void camellia192_set_encrypt_key (struct camellia192_ctx *CTX, const uint8_t *KEY) -- Function: void camellia192_set_decrypt_key (struct camellia192_ctx *CTX, const uint8_t *KEY) -- Function: void camellia256_set_encrypt_key (struct camellia256_ctx *CTX, const uint8_t *KEY) -- Function: void camellia256_set_decrypt_key (struct camellia256_ctx *CTX, const uint8_t *KEY) -- Function: void camellia_set_encrypt_key (struct camellia_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void camellia_set_decrypt_key (struct camellia_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. -- Function: void camellia128_invert_key (struct camellia128_ctx *DST, const struct camellia128_ctx *SRC) -- Function: void camellia192_invert_key (struct camellia192_ctx *DST, const struct camellia192_ctx *SRC) -- Function: void camellia256_invert_key (struct camellia256_ctx *DST, const struct camellia256_ctx *SRC) -- Function: void camellia_invert_key (struct camellia_ctx *DST, const struct camellia_ctx *SRC) Given a context SRC initialized for encryption, initializes the context struct DST for decryption, using the same key. If the same context struct is passed for both ‘src’ and ‘dst’, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the _same_ key. -- Function: void camellia128_crypt (struct camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia192_crypt (struct camellia192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia256_crypt (struct camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia_crypt (struct camellia_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) The same function is used for both encryption and decryption. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way.  File: nettle.info, Node: CAST128, Next: ChaCha, Prev: Camellia, Up: Cipher functions 4.2.6 CAST128 ------------- CAST-128 is a block cipher, specified in ‘RFC 2144’. It uses a 64 bit (8 octets) block size, and a key size of 128 bits. It is possible, but discouraged, to use the same algorithm with shorter keys. Nettle refers to the variant with variable key size as CAST-5. Keys for CAST-5 are zero padded to 128 bits, and with very short keys, less than 80 bits, encryption also uses fewer rounds than CAST128. Nettle defines cast128 in ‘’. -- Context struct: struct cast128_ctx -- Constant: CAST128_BLOCK_SIZE The CAST128 block-size, 8. -- Constant: CAST128_KEY_SIZE The CAST128 key size, 16. -- Constant: CAST5_MIN_KEY_SIZE Minimum CAST5 key size, 5. -- Constant: CAST5_MAX_KEY_SIZE Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 is the same as CAST-128. -- Function: void cast128_set_key (struct cast128_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void cast128_encrypt (struct cast128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void cast128_decrypt (struct cast128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘cast128_encrypt’ -- Function: void cast5_set_key (struct cast128_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. This variant of the key setup takes the key size as argument. The same function is used for both encryption and decryption.  File: nettle.info, Node: ChaCha, Next: DES, Prev: CAST128, Up: Cipher functions 4.2.7 ChaCha ------------ ChaCha is a variant of the stream cipher Salsa20 (*note Salsa20::), below, also designed by D. J. Bernstein. Nettle defines ChaCha in ‘’. -- Context struct: struct chacha_ctx -- Constant: CHACHA_KEY_SIZE ChaCha key size, 32. -- Constant: CHACHA_BLOCK_SIZE ChaCha block size, 64. -- Constant: CHACHA_NONCE_SIZE Size of the nonce, 8. -- Constant: CHACHA_COUNTER_SIZE Size of the counter, 8. -- Function: void chacha_set_key (struct chacha_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you _must_ also call ‘chacha_set_nonce’, see below. -- Function: void chacha_set_nonce (struct chacha_ctx *CTX, const uint8_t *NONCE) Sets the nonce. It is always of size ‘CHACHA_NONCE_SIZE’, 8 octets. This function also initializes the block counter, setting it to zero. -- Function: void chacha_set_counter (struct chacha_ctx *CTX, const uint8_t *COUNTER) Sets the block counter. It is always of size ‘CHACHA_COUNTER_SIZE’, 8 octets. This is rarely needed since ‘chacha_set_nonce’ initializes the block counter to zero. When it is still necessary, this function must be called after ‘chacha_set_nonce’. -- Function: void chacha_crypt (struct chacha_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to ‘chacha_crypt’, all but the last call _must_ use a length that is a multiple of ‘CHACHA_BLOCK_SIZE’. 4.2.7.1 32-bit counter variant .............................. While the original paper uses 64-bit counter value, the variant defined in ‘RFC 8439’ uses 32-bit counter value. This variant is particularly useful for *note ChaCha-Poly1305:: AEAD construction, which supports 12-octet nonces. -- Constant: CHACHA_NONCE96_SIZE Size of the nonce, 12. -- Constant: CHACHA_COUNTER32_SIZE Size of the counter, 4. -- Function: void chacha_set_nonce96 (struct chacha_ctx *CTX, const uint8_t *NONCE) Sets the nonce. This is similar to the above ‘chacha_set_nonce’, but the input is always of size ‘CHACHA_NONCE96_SIZE’, 12 octets. -- Function: void chacha_set_counter32 (struct chacha_ctx *CTX, const uint8_t *COUNTER) Sets the block counter. This is similar to the above ‘chacha_set_counter’, but the input is always of size ‘CHACHA_COUNTER32_SIZE’, 4 octets. -- Function: void chacha_crypt32 (struct chacha_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using ChaCha. This is similar to the above ‘chacha_crypt’, but it assumes the internal counter value is 32-bit long and the nonce is 96-bit long.  File: nettle.info, Node: DES, Next: DES3, Prev: ChaCha, Up: Cipher functions 4.2.8 DES --------- DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn't be using plain DES at all today, if one uses DES at all one should be using "triple DES", see DES3 below. DES also has some weak keys. Nettle defines DES in ‘’. -- Context struct: struct des_ctx -- Constant: DES_BLOCK_SIZE The DES block-size, 8. -- Constant: DES_KEY_SIZE DES key size, 8. -- Function: int des_set_key (struct des_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. -- Function: void des_encrypt (struct des_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void des_decrypt (struct des_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘des_encrypt’ -- Function: int des_check_parity (size_t LENGTH, const uint8_t *KEY) Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. -- Function: void des_fix_parity (size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Adjusts the parity bits to match DES's requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. DST and SRC may be equal.  File: nettle.info, Node: DES3, Next: Salsa20, Prev: DES, Up: Cipher functions 4.2.9 DES3 ---------- The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. The standard way to increase DES's key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then _decrypt_ it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as "ede" triple-DES, for "encrypt-decrypt-encrypt". The "ede" construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a "two-key" variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force. Naturally, it's simple to implement triple-DES on top of Nettle's DES functions. Nettle includes an implementation of three-key "ede" triple-DES, it is defined in the same place as plain DES, ‘’. -- Context struct: struct des3_ctx -- Constant: DES3_BLOCK_SIZE The DES3 block-size is the same as DES_BLOCK_SIZE, 8. -- Constant: DES3_KEY_SIZE DES key size, 24. -- Function: int des3_set_key (struct des3_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don't care about weak keys can ignore the return value. For random-looking strings, you can use ‘des_fix_parity’ to adjust the parity bits before calling ‘des3_set_key’. -- Function: void des3_encrypt (struct des3_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void des3_decrypt (struct des3_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘des_encrypt’  File: nettle.info, Node: Salsa20, Next: Serpent, Prev: DES3, Up: Cipher functions 4.2.10 Salsa20 -------------- Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, *note CTR::). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It's also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets). *Caution:* The hash function used in Salsa20 is _not_ directly applicable for use as a general hash function. It's _not_ collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a “nonce”, the latter playing a similar rôle to the initialization vector (IV) used with CBC or CTR mode. One can use the same key for several messages, provided one uses a unique random iv for each message. The iv is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in ‘’. -- Context struct: struct salsa20_ctx -- Constant: SALSA20_128_KEY_SIZE -- Constant: SALSA20_256_KEY_SIZE The two supported key sizes, 16 and 32 octets. -- Constant: SALSA20_KEY_SIZE Recommended key size, 32. -- Constant: SALSA20_BLOCK_SIZE Salsa20 block size, 64. -- Constant: SALSA20_NONCE_SIZE Size of the nonce, 8. -- Function: void salsa20_128_set_key (struct salsa20_ctx *CTX, const uint8_t *KEY) -- Function: void salsa20_256_set_key (struct salsa20_ctx *CTX, const uint8_t *KEY) -- Function: void salsa20_set_key (struct salsa20_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. ‘salsa20_128_set_key’ and ‘salsa20_128_set_key’ use a fix key size each, 16 and 32 octets, respectively. The function ‘salsa20_set_key’ is provided for backwards compatibility, and the LENGTH argument must be either 16 or 32. Before using the cipher, you _must_ also call ‘salsa20_set_nonce’, see below. -- Function: void salsa20_set_nonce (struct salsa20_ctx *CTX, const uint8_t *NONCE) Sets the nonce. It is always of size ‘SALSA20_NONCE_SIZE’, 8 octets. This function also initializes the block counter, setting it to zero. -- Function: void salsa20_crypt (struct salsa20_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to ‘salsa20_crypt’, all but the last call _must_ use a length that is a multiple of ‘SALSA20_BLOCK_SIZE’. The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see . Nettle calls this variant ‘salsa20r12’. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. -- Function: void salsa20r12_crypt (struct salsa20_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds.  File: nettle.info, Node: Serpent, Next: SM4, Prev: Salsa20, Up: Cipher functions 4.2.11 Serpent -------------- SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES'. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in ‘’. -- Context struct: struct serpent_ctx -- Constant: SERPENT_BLOCK_SIZE The SERPENT block-size, 16. -- Constant: SERPENT_MIN_KEY_SIZE Minimum SERPENT key size, 16. -- Constant: SERPENT_MAX_KEY_SIZE Maximum SERPENT key size, 32. -- Constant: SERPENT_KEY_SIZE Default SERPENT key size, 32. -- Function: void serpent_set_key (struct serpent_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void serpent_encrypt (struct serpent_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void serpent_decrypt (struct serpent_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘serpent_encrypt’  File: nettle.info, Node: SM4, Next: Twofish, Prev: Serpent, Up: Cipher functions 4.2.12 SM4 ---------- SM4 is a block cipher standard adopted by the government of the People's Republic of China, and it was issued by the State Cryptography Administration on March 21, 2012. The standard is GM/T 0002-2012 "SM4 block cipher algorithm". Nettle defines it in ‘’. -- Context struct: struct sm4_ctx -- Constant: SM4_BLOCK_SIZE The SM4 block-size, 16. -- Constant: SM4_KEY_SIZE Default SM4 key size, 16. -- Function: void sm4_set_encrypt_key (struct sm4_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The function is used for encryption. -- Function: void sm4_set_decrypt_key (struct sm4_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The function is used for decryption. -- Function: void sm4_crypt (const struct sm4_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Cryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. The same function is used for both encryption and decryption.  File: nettle.info, Node: Twofish, Next: nettle_cipher abstraction, Prev: SM4, Up: Cipher functions 4.2.13 Twofish -------------- Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in ‘’. -- Context struct: struct twofish_ctx -- Constant: TWOFISH_BLOCK_SIZE The TWOFISH block-size, 16. -- Constant: TWOFISH_MIN_KEY_SIZE Minimum TWOFISH key size, 16. -- Constant: TWOFISH_MAX_KEY_SIZE Maximum TWOFISH key size, 32. -- Constant: TWOFISH_KEY_SIZE Default TWOFISH key size, 32. -- Function: void twofish_set_key (struct twofish_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void twofish_encrypt (struct twofish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void twofish_decrypt (struct twofish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘twofish_encrypt’  File: nettle.info, Node: nettle_cipher abstraction, Prev: Twofish, Up: Cipher functions 4.2.14 The ‘struct nettle_cipher’ abstraction --------------------------------------------- Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in ‘’. -- Meta struct: struct nettle_cipher name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types ‘nettle_set_key_func *’ and ‘nettle_cipher_func *’. The first argument to these functions is a ‘const void *’ pointer to a context struct, which is of size ‘context_size’. -- Constant Struct: struct nettle_cipher nettle_aes128 -- Constant Struct: struct nettle_cipher nettle_aes192 -- Constant Struct: struct nettle_cipher nettle_aes256 -- Constant Struct: struct nettle_cipher nettle_arctwo40 -- Constant Struct: struct nettle_cipher nettle_arctwo64 -- Constant Struct: struct nettle_cipher nettle_arctwo128 -- Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128 -- Constant Struct: struct nettle_cipher nettle_arcfour128 -- Constant Struct: struct nettle_cipher nettle_camellia128 -- Constant Struct: struct nettle_cipher nettle_camellia192 -- Constant Struct: struct nettle_cipher nettle_camellia256 -- Constant Struct: struct nettle_cipher nettle_cast128 -- Constant Struct: struct nettle_cipher nettle_serpent128 -- Constant Struct: struct nettle_cipher nettle_serpent192 -- Constant Struct: struct nettle_cipher nettle_serpent256 -- Constant Struct: struct nettle_cipher nettle_twofish128 -- Constant Struct: struct nettle_cipher nettle_twofish192 -- Constant Struct: struct nettle_cipher nettle_twofish256 Nettle includes such structs for all the _regular_ ciphers, i.e. ones without weak keys or other oddities. Nettle also exports a list of all these ciphers without weak keys or other oddities. -- Function: const struct nettle_cipher ** nettle_get_ciphers (void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_ciphers A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers.  File: nettle.info, Node: Cipher modes, Next: Authenticated encryption, Prev: Cipher functions, Up: Reference 4.3 Cipher modes ================ Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher's block size. As explained in *Note Cipher functions::, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, ECB), leaks information. Besides ECB, Nettle provides several other modes of operation: Cipher Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB and CFB8), XEX-based tweaked-codebook mode with ciphertext stealing (XTS) and a couple of AEAD modes (*note Authenticated encryption::). CBC is widely used, but there are a few subtle issues of information leakage, see, e.g., SSH CBC vulnerability (https://www.kb.cert.org/vuls/id/958563). Today, CTR is usually preferred over CBC. Modes like CBC, CTR, CFB and CFB8 provide _no_ message authentication, and should always be used together with a MAC (*note Keyed hash functions::) or signature to authenticate the message. * Menu: * CBC:: * CTR:: * CFB and CFB8:: * XTS::  File: nettle.info, Node: CBC, Next: CTR, Up: Cipher modes 4.3.1 Cipher Block Chaining --------------------------- When using CBC mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in CBC mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an “IV”, or Initialization Vector, is used as the "previous ciphertext block". The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data. In symbols, if ‘E_k’ is the encryption function of a block cipher, and ‘IV’ is the initialization vector, then ‘n’ plaintext blocks ‘M_1’,... ‘M_n’ are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IV XOR M_1) C_2 = E_k(C_1 XOR M_2) ... C_n = E_k(C_(n-1) XOR M_n) Nettle provides two main functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. These functions uses ‘const void *’ to pass cipher contexts around. The CBC interface is defined in ‘’. -- Function: void cbc_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cbc_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CBC mode. The final ciphertext block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cbc_encrypt’. The function F is of type ‘void F (const void *CTX, size_t LENGTH, uint8_t DST, const uint8_t *SRC)’, and the ‘cbc_encrypt’ and ‘cbc_decrypt’ functions pass their argument CTX on to F. 4.3.1.1 Utility macros ...................... There are also some macros to help use these functions correctly. -- Macro: CBC_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } It can be used to define a CBC context struct, either directly, struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) ctx; or to give it a struct tag, struct aes256_cbc_ctx CBC_CTX (struct aes256_ctx, AES_BLOCK_SIZE); -- Macro: CBC_SET_IV (CTX, IV) First argument is a pointer to a context struct as defined by ‘CBC_CTX’, and the second is a pointer to an Initialization Vector (IV) that is copied into that context. -- Macro: CBC_ENCRYPT (CTX, F, LENGTH, DST, SRC) -- Macro: CBC_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cbc_encrypt’ and ‘cbc_decrypt’. The first argument is a pointer to a context struct as defined by ‘CBC_CTX’, and the second argument is an encryption or decryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. These macros use some tricks to make the compiler display a warning if the types of F and CTX don't match, e.g. if you try to use an ‘struct aes256_ctx’ context with the ‘des_encrypt’ function. 4.3.1.2 Cipher-specific functions ................................. Encryption in CBC mode (but not decryption!) is inherently serial. It can pass only one block at a time to the block cipher's encrypt function. Optimizations to process several blocks in parallel can't be applied, and on platforms where the underlying cipher is fast, per-function-call overhead, e.g., loading subkeys from memory into registers, can be significant. Depending on platform and cipher used, ‘cbc_encrypt’ can be considerably slower than both ‘cbc_decrypt’ and CTR mode. The second reason for poor performance can be addressed by having a combined CBC and encrypt function, for ciphers where the overhead is significant. Nettle currently includes such special functions only for AES. -- Function: void cbc_aes128_encrypt (const struct aes128_ctx *CTX, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cbc_aes192_encrypt (const struct aes192_ctx *CTX, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cbc_aes256_encrypt (const struct aes256_ctx *CTX, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Calling ‘cbc_aes128_encrypt(ctx, iv, length, dst, src)’ does the same thing as calling ‘cbc_encrypt(ctx, aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src)’, but is more efficient on certain platforms.  File: nettle.info, Node: CTR, Next: CFB and CFB8, Prev: CBC, Up: Cipher modes 4.3.2 Counter mode ------------------ Counter mode (CTR) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher. The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If ‘E_k’ is the encryption function of a block cipher, ‘IC’ is the initial counter, then the ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IC) XOR M_1 C_2 = E_k(IC + 1) XOR M_2 ... C_(n-1) = E_k(IC + n - 2) XOR M_(n-1) C_n = E_k(IC + n - 1) [1..m] XOR M_n The IC is the initial value for the counter, it plays a similar rôle as the IV for CBC. When adding, ‘IC + x’, IC is interpreted as an integer, in network byte order. For the last block, ‘E_k(IC + n - 1) [1..m]’ means that the cipher output is truncated to ‘m’ bytes. -- Function: void ctr_crypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *CTR, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption function F in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence F should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to ‘ctr_crypt’, all but the last call _must_ use a length that is a multiple of the block size. Like for CBC, there are also a couple of helper macros. -- Macro: CTR_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t ctr[block_size]; } -- Macro: CTR_SET_COUNTER (CTX, IV) First argument is a pointer to a context struct as defined by ‘CTR_CTX’, and the second is a pointer to an initial counter that is copied into that context. -- Macro: CTR_CRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘ctr_crypt’. The first argument is a pointer to a context struct as defined by ‘CTR_CTX’, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation.  File: nettle.info, Node: CFB and CFB8, Next: XTS, Prev: CTR, Up: Cipher modes 4.3.3 Cipher Feedback mode -------------------------- Cipher Feedback mode (CFB) and Cipher Feedback 8-bit mode (CFB8) being close relatives to both CBC mode and CTR mode borrow some characteristics from stream ciphers. For CFB the message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If ‘E_k’ is the encryption function of a block cipher, ‘IV’ is the initialization vector, then the ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IV) XOR M_1 C_2 = E_k(C_1) XOR M_2 ... C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n Cipher Feedback 8-bit mode (CFB8) transforms block cipher into a stream cipher. The message is encrypted byte after byte, not requiring any padding. If ‘E_k’ is the encryption function of a block cipher, ‘b’ is ‘E_k’ block size, ‘IV’ is the initialization vector, then the ‘n’ plaintext bytes are transformed into ‘n’ ciphertext bytes ‘C_1’,... ‘C_n’ as follows: I_1 = IV C_1 = E_k(I_1) [1..8] XOR M_1 I_2 = I_1 [9..b] << 8 | C_1 C_2 = E_k(I_2) [1..8] XOR M_2 ... I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) I_n = I_(n-1) [9..b] << 8 | C_(n-1) C_n = E_k(I_n) [1..8] XOR M_n Nettle's includes functions for applying a block cipher in Cipher Feedback (CFB) and Cipher Feedback 8-bit (CFB8) modes. These functions uses ‘void *’ to pass cipher contexts around. -- Function: void cfb_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cfb_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CFB mode. The final ciphertext block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cfb_encrypt’. Note that for CFB mode internally uses encryption only function and hence F should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to ‘cfb_encrypt’, all but the last call _must_ use a length that is a multiple of the block size. -- Function: void cfb8_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cfb8_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CFB8 mode. The final IV block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cfb8_encrypt’. Note that for CFB8 mode internally uses encryption only function and hence F should always be the encryption function for the underlying block cipher. Like for CBC, there are also a couple of helper macros. -- Macro: CFB_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } -- Macro: CFB_SET_IV(CTX, IV) First argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second is a pointer to an initialization vector that is copied into that context. -- Macro: CFB_ENCRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb_encrypt’. The first argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. -- Macro: CFB_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb_decrypt’. The first argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. -- Macro: CFB8_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } -- Macro: CFB8_SET_IV (CTX, IV) First argument is a pointer to a context struct as defined by ‘CFB8_CTX’, and the second is a pointer to an initialization vector that is copied into that context. -- Macro: CFB8_ENCRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb8_encrypt’. The first argument is a pointer to a context struct as defined by ‘CFB8_CTX’, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. -- Macro: CFB8_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb8_decrypt’. The first argument is a pointer to a context struct as defined by ‘CFB8_CTX’, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation.  File: nettle.info, Node: XTS, Prev: CFB and CFB8, Up: Cipher modes 4.3.4 XEX-based tweaked-codebook mode with ciphertext stealing -------------------------------------------------------------- XEX-based tweaked-codebook mode with ciphertext stealing (XTS) is a block mode like (CBC) but tweaked to be able to encrypt partial blocks via a technique called ciphertext stealing, where the last complete block of ciphertext is split and part returned as the last block and part used as plaintext for the second to last block. This mode is principally used to encrypt data at rest where it is not possible to store additional metadata or blocks larger than the plain text. The most common usage is for disk encryption. Due to the fact that ciphertext expansion is not possible, data is not authenticated. This mode should not be used where authentication is critical. The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. XTS always uses a fixed blocksize of 128 bit (16 bytes) length. Unlike other modes, the key is double the size of that for the used cipher mode (for example 256bit for AES-128 and 512bit for AES-256). XTS encryption mode operates given: • A multiplication by a primitive element alpha. ‘MUL a^j’ here represents the multiplication, where ‘j’ is the power of alpha, and the input value is converted into a 16 bytes array ‘a_0[k], k = 0,1,..,15’. The multiplication is calculated as ‘a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128)’ ‘a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15’ Note that this operation is practically a 1 bit left shift operation with carry propagating from one byte to the next, and if the last bit shift results in a carry the decimal value 135 is XORed into the first byte. • The encryption key is provided as the ‘Key = K1 | K2’, where ‘|’ denotes string concatenation. ‘E_k1’ is the encryption function of the block cipher using ‘K1’ as the key, and ‘E_k2’ is the same encryption function using ‘K2’ • A 128 bit tweak value is provided as input and is denoted as ‘IV’ The ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows. For a plaintext length that is a perfect multiple of the XTS block size: T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 ... T_n = T_(n-1) MUL a C_n = E_k1(P_n XOR T_n) XOR T_n For any other plaintext lengths: T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 ... T_(n-2) = T_(n-3) MUL a C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2) T_(n-1) = T_(n-2) MUL a CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1) T_n = T_(n-1) MUL a PP = [1..m]Pn | [m+1..128]CC_(n-1) C_(n-1) = E_k1(PP XOR T_n) XOR T_n C_n = [1..m]CC_(n-1) 4.3.4.1 General (XTS) interface. ................................ The two general functions to encrypt and decrypt using the XTS block cipher mode are the following: -- Function: void xts_encrypt_message (const void *ENC_CTX, const void *TWK_CTX, nettle_cipher_func *ENCF, const uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_decrypt_message (const void *DEC_CTX, const void *TWK_CTX, nettle_cipher_func *DECF, nettle_cipher_func *ENCF, const uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption function ENCF or the decryption function DECF in XTS mode. At least one block (16 bytes) worth of data must be available therefore specifying a length less than 16 bytes is illegal. The functions ENCF DECF are of type ‘void f (const void *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC)’, and the ‘xts_encrypt_message’ and ‘xts_decrypt_message’ functions pass their arguments ENC_CTX, TWK_CTX and DEC_CTX to the functions ENCF, DECF as CTX. 4.3.4.2 XTS-AES interface ......................... The AES XTS functions provide an API for using the XTS mode with the AES block ciphers. The parameters all have the same meaning as the general interface, except that the ENC_CTX, DEC_CTX, TWK_CTX, ENCF and DECF are replaced with an AES context structure called CTX, and a appropriate set-key function must be called before using any of the encryption or decryption functions in this interface. -- Context struct: struct xts_aes128_key Holds state corresponding to the AES-128 block cipher. -- Context struct: struct xts_aes256_key Holds state corresponding to the AES-256 block cipher. -- Function: void xts_aes128_set_encrypt_key (struct xts_aes128_key *CTX, const uint8_t *KEY) -- Function: void xts_aes256_set_encrypt_key (struct xts_aes256_key *CTX, const uint8_t *KEY) -- Function: void xts_aes128_set_decrypt_key (struct xts_aes128_key *CTX, const uint8_t *KEY) -- Function: void xts_aes256_set_decrypt_key (struct xts_aes256_key *CTX, const uint8_t *KEY) Initializes the encryption or decryption key for the AES block cipher. The length of the key must be double the size of the key for the corresponding cipher (256 bits for AES-128 and 512 bits for AES-256). One of these functions must be called before any of the other functions. -- Function: void xts_aes128_encrypt_message (struct xts_aes128_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_aes256_encrypt_message (struct xts_aes256_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_aes128_decrypt_message (struct xts_aes128_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_aes256_decrypt_message (struct xts_aes256_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘xts_encrypt_message’ and ‘xts_decrypt_message’, except that ENC_CTX, DEC_CTX, TWK_CTX, ENCF and DECF are replaced by the CTX context structure.  File: nettle.info, Node: Authenticated encryption, Next: Keyed hash functions, Prev: Cipher modes, Up: Reference 4.4 Authenticated encryption with associated data ================================================= There are some subtle design choices to be made when combining a block cipher mode without authentication with a MAC. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the "associated data", which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called AEAD, Authenticated encryption with associated data. The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step. For encryption, the inputs are: • The key, which can be used for many messages. • A nonce, which must be unique for each message using the same key. • Additional associated data to be authenticated, but not included in the message. • The cleartext message to be encrypted. The outputs are: • The ciphertext, of the same size as the cleartext. • A digest or "authentication tag". Decryption works the same, but with cleartext and ciphertext interchanged. Most of the currently supported AEAD algorithms use the encryption function of the underlying block cipher, for both encryption and decryption (OCB being a notable exception). Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle's low level AEAD functions produce the authentication tag as a separate output for both encryption and decryption. Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some AEAD may implement more liberal conventions. The CCM mode is a bit special in that it requires the message lengths up front, other AEAD constructions don't have this restriction. Of the supported AEAD constructions in Nettle, Galois/Counter mode (GCM) is widely used, and was originally designed for high performance in hardware implementations. Software performance is rather poor unless there's an efficient "carry-less multiplication" instruction that can be used. Both CCM and EAX use the same building blocks, CTR and CMAC, but the EAX design is cleaner and avoids a couple of inconveniences of CCM. Therefore, EAX seems like a good conservative choice. The ChaCha-Poly1305 scheme is designed for high performance, also on machines without specialized crypto acceleration instructions. The Synthetic Initialization Vector (SIV) modes are designed to not fail catastrophically if a nonce is reused. * Menu: * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * OCB:: * SIV-CMAC:: * SIV-GCM:: * nettle_aead abstraction::  File: nettle.info, Node: EAX, Next: GCM, Up: Authenticated encryption 4.4.1 EAX --------- The EAX mode is an AEAD mode which combines CTR mode encryption, *Note CTR::, with a message authentication based on CBC, *Note CBC::. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). EAX was defined as a reaction to the CCM mode, *Note CCM::, which uses the same primitives but has some undesirable and inelegant properties. EAX supports arbitrary nonce size; it's even possible to use an empty nonce in case only a single message is encrypted for each key. Nettle's support for EAX consists of a low-level general interface, some convenience macros, and specific functions for EAX using AES-128 as the underlying cipher. These interfaces are defined in ‘’ 4.4.1.1 General EAX interface ............................. -- Context struct: struct eax_key EAX state which depends only on the key, but not on the nonce or the message. -- Context struct: struct eax_ctx Holds state corresponding to a particular message. -- Constant: EAX_BLOCK_SIZE EAX's block size, 16. -- Constant: EAX_DIGEST_SIZE Size of the EAX digest, also 16. -- Function: void eax_set_key (struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes KEY. CIPHER gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and F is the encryption function. -- Function: void eax_set_nonce (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t NONCE_LENGTH, const uint8_t *NONCE) Initializes CTX for processing a new message, using the given nonce. -- Function: void eax_update (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t DATA_LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. Unlike many other AEAD constructions, for EAX it's not necessary to complete the processing of all associated data before encrypting or decrypting the message data. -- Function: void eax_encrypt (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void eax_decrypt (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_digest (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"), and writes ‘EAX_DIGEST_SIZE’ octets to DIGEST. 4.4.1.2 EAX helper macros ......................... The following macros are defined. -- Macro: EAX_CTX (CONTEXT_TYPE) This defines an all-in-one context struct, including the context of the underlying cipher and all EAX state. It expands to { struct eax_key key; struct eax_ctx eax; context_type cipher; } For all these macros, CTX, is a context struct as defined by ‘EAX_CTX’, and ENCRYPT is the encryption function of the underlying cipher. -- Macro: EAX_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) SET_KEY is the function for setting the encryption key for the underlying cipher, and KEY is the key. -- Macro: EAX_SET_NONCE (CTX, ENCRYPT, LENGTH, NONCE) Sets the nonce to be used for the message. -- Macro: EAX_UPDATE (CTX, ENCRYPT, LENGTH, DATA) Process associated data for authentication. -- Macro: EAX_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: EAX_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) Process message data for encryption or decryption. -- Macro: EAX_DIGEST (CTX, ENCRYPT, DIGEST) Extract the authentication tag for the message. 4.4.1.3 EAX-AES128 interface ............................ The following functions implement EAX using AES-128 as the underlying cipher. -- Context struct: struct eax_aes128_ctx The context struct, defined using ‘EAX_CTX’. -- Function: void eax_aes128_set_key (struct eax_aes128_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given nonce. -- Function: void eax_aes128_update (struct eax_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_aes128_encrypt (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void eax_aes128_decrypt (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_aes128_digest (struct eax_aes128_ctx *CTX, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"), and writes ‘EAX_DIGEST_SIZE’ octets to DIGEST.  File: nettle.info, Node: GCM, Next: CCM, Prev: EAX, Up: Authenticated encryption 4.4.2 Galois counter mode ------------------------- Galois counter mode is an AEAD constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular MAC algorithms (*note Keyed hash functions::) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, NIST Special Publication 800-38D (https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). It is constructed on top of a block cipher which must have a block size of 128 bits. The authentication in GCM has some known weaknesses, see . In particular, don't use GCM with short authentication tags. Nettle's support for GCM consists of a low-level general interface, some convenience macros, and specific functions for GCM using AES or Camellia as the underlying cipher. These interfaces are defined in ‘’ 4.4.2.1 General GCM interface ............................. -- Context struct: struct gcm_key Message independent hash sub-key, and related tables. -- Context struct: struct gcm_ctx Holds state corresponding to a particular message. -- Constant: GCM_BLOCK_SIZE GCM's block size, 16. -- Constant: GCM_DIGEST_SIZE Size of the GCM digest, also 16. -- Constant: GCM_IV_SIZE Recommended size of the IV, 12. Arbitrary sizes are allowed. -- Function: void gcm_set_key (struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes KEY. CIPHER gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and F is the encryption function. -- Function: void gcm_set_iv (struct gcm_ctx *CTX, const struct gcm_key *KEY, size_t LENGTH, const uint8_t *IV) Initializes CTX using the given IV. The KEY argument is actually needed only if LENGTH differs from ‘GCM_IV_SIZE’. -- Function: void gcm_update (struct gcm_ctx *CTX, const struct gcm_key *KEY, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_encrypt’ or ‘gcm_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_encrypt (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_decrypt (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_digest (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"), and writes ‘GCM_DIGEST_SIZE’ octets to DIGEST. To encrypt a message using GCM, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: ‘gcm_set_key’, ‘gcm_set_iv’, ‘gcm_update’, ‘gcm_encrypt’, ‘gcm_digest’. The decryption procedure is analogous, just calling ‘gcm_decrypt’ instead of ‘gcm_encrypt’ (note that GCM decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call ‘gcm_set_iv’ with a new iv. 4.4.2.2 GCM helper macros ......................... The following macros are defined. -- Macro: GCM_CTX (CONTEXT_TYPE) This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to { struct gcm_key key; struct gcm_ctx gcm; context_type cipher; } Example use: struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); The following macros operate on context structs of this form. -- Macro: GCM_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) First argument, CTX, is a context struct as defined by ‘GCM_CTX’. SET_KEY and ENCRYPT are functions for setting the encryption key and for encrypting data using the underlying cipher. -- Macro: GCM_SET_IV (CTX, LENGTH, DATA) First argument is a context struct as defined by ‘GCM_CTX’. LENGTH and DATA give the initialization vector (IV). -- Macro: GCM_UPDATE (CTX, LENGTH, DATA) Simpler way to call ‘gcm_update’. First argument is a context struct as defined by ‘GCM_CTX’ -- Macro: GCM_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DIGEST (CTX, ENCRYPT, DIGEST) Simpler way to call ‘gcm_encrypt’, ‘gcm_decrypt’ or ‘gcm_digest’. First argument is a context struct as defined by ‘GCM_CTX’. Second argument, ENCRYPT, is the encryption function of the underlying cipher. 4.4.2.3 GCM-AES interface ......................... The following functions implement the common case of GCM using AES as the underlying cipher. -- Context struct: struct gcm_aes128_ctx -- Context struct: struct gcm_aes192_ctx -- Context struct: struct gcm_aes256_ctx Context structs, defined using ‘GCM_CTX’. -- Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_aes128_update (struct gcm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes192_update (struct gcm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes256_update (struct gcm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_aes_encrypt’ or ‘gcm_aes_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_aes128_digest (struct gcm_aes128_ctx *CTX, uint8_t *DIGEST) -- Function: void gcm_aes192_digest (struct gcm_aes192_ctx *CTX, uint8_t *DIGEST) -- Function: void gcm_aes256_digest (struct gcm_aes256_ctx *CTX, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"), and writes ‘GCM_DIGEST_SIZE’ octets to DIGEST. 4.4.2.4 GCM-Camellia interface .............................. The following functions implement the case of GCM using Camellia as the underlying cipher. -- Context struct: struct gcm_camellia128_ctx -- Context struct: struct gcm_camellia256_ctx Context structs, defined using ‘GCM_CTX’. -- Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_camellia128_update (struct gcm_camellia128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_camellia256_update (struct gcm_camellia256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_camellia_encrypt’ or ‘gcm_camellia_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx *CTX, uint8_t *DIGEST) -- Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx *CTX, uint8_t *DIGEST) -- Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx *CTX, uint8_t *DIGEST) -- Function: void gcm_camellia_digest (struct gcm_camellia_ctx *CTX, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"), and writes ‘GCM_DIGEST_SIZE’ octets to DIGEST. 4.4.2.5 GCM-SM4 interface ......................... The following functions implement the case of GCM using SM4 as the underlying cipher. -- Context struct: struct gcm_sm4_ctx Context structs, defined using ‘GCM_CTX’. -- Function: void gcm_sm4_set_key (struct gcm_sm4_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_sm4_set_iv (struct gcm_sm4_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_sm4_update (struct gcm_sm4_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_sm4_encrypt’ or ‘gcm_sm4_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_sm4_encrypt (struct gcm_sm4_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_sm4_decrypt (struct gcm_sm4_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_sm4_digest (struct gcm_sm4_ctx *CTX, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"), and writes ‘GCM_DIGEST_SIZE’ octets to DIGEST.  File: nettle.info, Node: CCM, Next: ChaCha-Poly1305, Prev: GCM, Up: Authenticated encryption 4.4.3 Counter with CBC-MAC mode ------------------------------- CCM mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as EAX, *note EAX::. It is constructed on top of a block cipher which must have a block size of 128 bits. CCM mode is recommended by NIST in NIST Special Publication 800-38C (https://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf). Nettle's support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in ‘’. In CCM, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is 2^24 - 1 octets. CCM mode encryption operates as follows: • The nonce and message length are concatenated to create ‘B_0 = flags | nonce | mlength’ • The authenticated data and plaintext is formatted into the string ‘B = L(adata) | adata | padding | plaintext | padding’ with ‘padding’ being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and ‘L(adata)’ is an encoding of the length of ‘adata’. • The string ‘B’ is separated into blocks ‘B_1’ ... ‘B_n’ • The authentication tag ‘T’ is calculated as ‘T=0, for i=0 to n, do T = E_k(B_i XOR T)’ • An initial counter is then initialized from the nonce to create ‘IC = flags | nonce | padding’, where ‘padding’ is the shortest string of zero bytes such that ‘IC’ is exactly one block in length. • The authentication tag is encrypted using using CTR mode: ‘MAC = E_k(IC) XOR T’. The tag size must be even, at least 4, and at most 16. The intended tag size is encoded into ‘IC’ via the ‘flags’ field. • The plaintext is then encrypted using CTR mode with an initial counter of ‘IC+1’. CCM mode decryption operates similarly, except that the ciphertext and MAC are first decrypted using CTR mode to retrieve the plaintext and authentication tag. The authentication tag can then be recalculated from the authenticated data and plaintext, and compared to the value in the message to check for authenticity. 4.4.3.1 General CCM interface ............................. For all of the functions in the CCM interface, CIPHER is the context struct for the underlying cipher and F is the encryption function. The cipher's encryption key must be set before calling any of the CCM functions. The cipher's decryption function and key are never used. -- Context struct: struct ccm_ctx Holds state corresponding to a particular message. -- Constant: CCM_BLOCK_SIZE CCM's block size, 16. -- Constant: CCM_DIGEST_SIZE Recommended size of the CCM digest, 16. -- Constant: CCM_MIN_DIGEST_SIZE Smallest size of the CCM digest, 4. -- Constant: CCM_MIN_NONCE_SIZE -- Constant: CCM_MAX_NONCE_SIZE The the minimum and maximum sizes for an CCM nonce, 7 and 14, respectively. -- Macro: CCM_MAX_MSG_SIZE (NONCE_SIZE) The largest allowed plaintext length, when using CCM with a nonce of the given size. -- Function: void ccm_set_nonce (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) Initializes CTX using the given nonce and the sizes of the authenticated data, message, and MAC to be processed. -- Function: void ccm_update (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. Must be called after ‘ccm_set_nonce’, and before ‘ccm_encrypt’, ‘ccm_decrypt’, or ‘ccm_digest’. -- Function: void ccm_encrypt (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_decrypt (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the message data. Must be called after ‘ccm_set_nonce’ and before ‘ccm_digest’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ccm_digest (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"). This is the final operation when processing a message. It writes TAGLEN octets to the DIGEST area, where TAGLEN is the parameter supplied to ‘ccm_set_nonce’ earlier. A buffer of size ‘CCM_DIGEST_SIZE’, i.e., 16, is always sufficient. To encrypt a message using the general CCM interface, set the message nonce and length using ‘ccm_set_nonce’ and then call ‘ccm_update’ to generate the digest of any authenticated data. After all of the authenticated data has been digested use ‘ccm_encrypt’ to encrypt the plaintext. Finally, use ‘ccm_digest’ to return the encrypted MAC. To decrypt a message, use ‘ccm_set_nonce’ and ‘ccm_update’ the same as you would for encryption, and then call ‘ccm_decrypt’ to decrypt the ciphertext. After decrypting the ciphertext ‘ccm_digest’ will return the encrypted MAC which should be identical to the MAC in the received message. 4.4.3.2 CCM message interface ............................. The CCM message functions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by MLENGTH and the length of the ciphertext is given by CLENGTH, always exactly TLENGTH bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, CLENGTH for the encryption functions, and MLENGTH for the decryption functions. -- Function: void ccm_encrypt_message (const void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the encrypted MAC to ciphertext and outputs it to DST. -- Function: int ccm_decrypt_message (const void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the MAC from ADATA and the plaintext, and compares it to the final TLENGTH bytes of SRC. If the values of the received and calculated MACs are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. 4.4.3.3 CCM-AES interface ......................... The AES CCM functions provide an API for using CCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the CIPHER, F, and CTX parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface. -- Context struct: struct ccm_aes128_ctx Holds state corresponding to a particular message encrypted using the AES-128 block cipher. -- Context struct: struct ccm_aes192_ctx Holds state corresponding to a particular message encrypted using the AES-192 block cipher. -- Context struct: struct ccm_aes256_ctx Holds state corresponding to a particular message encrypted using the AES-256 block cipher. -- Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *CTX, const uint8_t *KEY) -- Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *CTX, const uint8_t *KEY) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES CCM interface. -- Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) -- Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) -- Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) These are identical to ‘ccm_set_nonce’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_update (struct ccm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void ccm_aes192_update (struct ccm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void ccm_aes256_update (struct ccm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) These are identical to ‘ccm_update’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘ccm_encrypt’ and ‘ccm_decrypt’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_digest (struct ccm_aes128_ctx *CTX, uint8_t *DIGEST) -- Function: void ccm_aes192_digest (struct ccm_aes192_ctx *CTX, uint8_t *DIGEST) -- Function: void ccm_aes256_digest (struct ccm_aes256_ctx *CTX, uint8_t *DIGEST) These are identical to ‘ccm_digest’, except that CIPHER, F, and CTX are replaced with a context structure. The number of octets written to the DIGEST area is determined by the TAGLEN parameter supplied to the corresponding ‘_set_nonce’ function earlier. -- Function: void ccm_aes128_encrypt_message (const struct aes128_ctx *CIPHER, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_encrypt_message (const struct aes192_ctx *CIPHER, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_encrypt_message (const struct aes256_ctx *CIPHER, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes128_decrypt_message (const struct aes128_ctx *CIPHER, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes192_decrypt_message (const struct aes192_ctx *CIPHER, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes256_decrypt_message (const struct aes256_ctx *CIPHER, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘ccm_encrypt_message’ and ‘ccm_decrypt_message’ except that CIPHER is an AES context and the encryption function F is implied.  File: nettle.info, Node: ChaCha-Poly1305, Next: OCB, Prev: CCM, Up: Authenticated encryption 4.4.4 ChaCha-Poly1305 --------------------- ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (*note Poly1305::). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha. Nettle's implementation of ChaCha-Poly1305 follows ‘RFC 8439’, where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte block counter. This allows up to 256 gigabytes of data to be encrypted using the same key and nonce. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver's behaviour) that the forgery succeeded. The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in ‘’. -- Constant: CHACHA_POLY1305_BLOCK_SIZE Same as the ChaCha block size, 64. -- Constant: CHACHA_POLY1305_KEY_SIZE ChaCha-Poly1305 key size, 32. -- Constant: CHACHA_POLY1305_NONCE_SIZE ChaCha-Poly1305 nonce size, 12. -- Constant: CHACHA_POLY1305_DIGEST_SIZE Digest size, 16. -- Context struct: struct chacha_poly1305_ctx -- Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. Before using the context, you _must_ also call ‘chacha_poly1305_set_nonce’, see below. -- Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *CTX, const uint8_t *NONCE) Initializes the per-message state, using the given nonce. -- Function: void chacha_poly1305_update (struct chacha_poly1305_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. -- Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx *CTX, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"), and writes ‘CHACHA_POLY1305_DIGEST_SIZE’ octets to DIGEST.  File: nettle.info, Node: OCB, Next: SIV-CMAC, Prev: ChaCha-Poly1305, Up: Authenticated encryption 4.4.5 OCB (Offset Code Book) Mode --------------------------------- The OCB mode is an AEAD construction, featuring particularly fast and simple authentication; it needs one block cipher operation per data block, and almost free authentication. It is constructed on top of a block cipher which must have a block size of 128 bits. There have been several versions of the OCB scheme, the implementation in Nettle follows ‘RFC 7253’, which is almost the same as the scheme OCB3. 4.4.5.1 General interface ......................... -- Context struct: struct ocb_key OCB state which depends only on the key, but not on the nonce or the message. -- Context struct: struct ocb_ctx Holds state corresponding to a particular message. -- Constant: OCB_BLOCK_SIZE The block size for OCB's block size, 16. -- Constant: OCB_MAX_NONCE_SIZE The maximum nonce size for OCB, 15. -- Constant: OCB_DIGEST_SIZE Recommended size of the OCB authentication tag, 16. -- Function: void ocb_set_key (struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes the KEY struct. The CIPHER context must be initialized for encryption, and F should be the corresponding encryption function. -- Function: void ocb_set_nonce (struct ocb_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t TAG_LENGTH, size_t NONCE_LENGTH, const uint8_t *NONCE) Initializes CTX for processing a new message, using the given nonce. The CIPHER must be initialized for encryption, and F should be the corresponding encryption function. The TAG_LENGTH (non-zero, and at most 16) is included when initializing the state. Nonce is optional, and length at most 15 bytes. -- Function: void ocb_update (struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_encrypt (struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_decrypt (struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *ENCRYPT_CTX, nettle_cipher_func *ENCRYPT, const void *DECRYPT_CTX, nettle_cipher_func *DECRYPT, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the data of a message. ENCRYPT_CTX and ENCRYPT define the encryption operation of the underlying cipher, while DECRYPT_CTX and DECRYPT represent the decryption operation (for some ciphers, one of context pointer and function pointer may be the same). All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_digest (const struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"). This is the final operation when processing a message. It writes TAG_LENGTH octets to the DIGEST area, where TAG_LENGTH is the parameter supplied to ‘ocb_set_nonce’ earlier. A buffer of size ‘OCB_DIGEST_SIZE’, i.e., 16, is always sufficient. -- Function: void ocb_encrypt_message (const struct ocb_key *OCB_KEY, const void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the tag to the ciphertext and writes it to DST. The CLENGTH variable must be equal to the length of SRC plus TLENGTH. -- Function: int ocb_decrypt_message (const struct ocb_key *OCB_KEY, const void *ENCRYPT_CTX, nettle_cipher_func *ENCRYPT, const void *DECRYPT_CTX, nettle_cipher_func *DECRYPT, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST. Like ‘ocb_decrypt’, it needs both the encrypt and the decrypt function of the underlying cipher. It also recalculates the authentication tag from ADATA and the plaintext, and compares it to the final TLENGTH bytes of SRC. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. 4.4.5.2 OCB-AES interface ......................... -- Context struct: struct ocb_aes128_encrypt_key Key-dependent state for encryption using OCB-AES128. For decryption, a separate ‘struct aes128_ctx’, initialized for decryption, is needed as well. -- Function: void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *OCB, const uint8_t *KEY) Initializes OCB and the underlying AES cipher with the given key. -- Function: void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *OCB, struct aes128_ctx *DECRYPT, const uint8_t *KEY) Initializes OCB and the underlying AES cipher with the given key. In addition, initialize DECRYPT for decryption using the same key; this is needed for ‘ocb_aes128_decrypt’ and ‘ocb_aes128_decrypt_message’. -- Function: void ocb_aes128_set_nonce (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, size_t TAG_LENGTH, size_t NONCE_LENGTH, const uint8_t *NONCE) Initializes CTX for processing a new message, using the given nonce and key. The TAG_LENGTH (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to ‘ocb_digest’. Nonce is optional, and length at most 15 bytes. -- Function: void ocb_aes128_update (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_aes128_encrypt (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_aes128_decrypt (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, const struct aes128_ctx *DECRYPT, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the data of a message. DECRYPT is an AES context initialized for decryption using the same key. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_aes128_digest (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, uint8_t *DIGEST) Extracts the message digest (also known "authentication tag"). This is the final operation when processing a message. The number of octets written to the DIGEST area is determined by the TAG_LENGTH parameter supplied to the ‘ocb_aes128_set_nonce’ function earlier. -- Function: void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *KEY, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the tag to the ciphertext and writes it to DST. The CLENGTH variable must be equal to the length of SRC plus TLENGTH. -- Function: int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *KEY, const struct aes128_ctx *DECRYPT, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST. Like ‘ocb_aes128_decrypt’, it needs an AES context initialized for decryption using the same key. It also recalculates the authentication tag from ADATA and the plaintext, and compares it to the final TLENGTH bytes of SRC. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.  File: nettle.info, Node: SIV-CMAC, Next: SIV-GCM, Prev: OCB, Up: Authenticated encryption 4.4.6 Synthetic Initialization Vector AEAD ------------------------------------------ SIV-CMAC mode is a combination of counter mode with message authentication based on CMAC. Unlike other counter AEAD modes, it provides protection against accidental nonce misuse, making it a good choice for stateless-servers that cannot ensure nonce uniqueness. It is constructed on top of a block cipher which must have a block size of 128 bits. Nettle's support for SIV-CMAC consists of a message encryption and authentication interface, for SIV-CMAC using AES as the underlying block cipher. When a nonce is re-used with this mode, message authenticity is retained however an attacker can determine whether the same plaintext was protected with the two messages sharing the nonce. These interfaces are defined in ‘’. Unlike other AEAD mode in SIV-CMAC the initialization vector serves as the tag. That means that in the generated ciphertext the tag precedes the ciphertext. Note also, that the SIV-CMAC algorithm, as specified in ‘RFC 5297’, introduces the notion of authenticated data which consist of multiple components. For example with SIV-CMAC the authentication tag of data ‘X’ followed by ‘Y’, is different than the concatenated data ‘X || Y’. The interfaces described below follow the AEAD paradigm and do not allow access to this feature and also require the use of a non-empty nonce. In the terminology of the RFC, the input to the S2V function is always a vector of three elements, where S1 is the authenticated data, S2 is the nonce, and S3 is the plaintext. 4.4.6.1 General interface ......................... -- Constant: SIV_BLOCK_SIZE SIV-CMAC's block size, 16. -- Constant: SIV_DIGEST_SIZE Size of the SIV-CMAC digest or initialization vector, 16. -- Constant: SIV_MIN_NONCE_SIZE The the minimum size for an SIV-CMAC nonce, 1. 4.4.6.2 SIV-CMAC-AES interface .............................. The AES SIV-CMAC functions provide an API for using SIV-CMAC mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the CIPHER, F, and CTX parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface. -- Context struct: struct siv_cmac_aes128_ctx Holds state corresponding to a particular message encrypted using the AES-128 block cipher. -- Context struct: struct siv_cmac_aes256_ctx Holds state corresponding to a particular message encrypted using the AES-256 block cipher. -- Function: void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *CTX, const uint8_t *KEY) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES SIV-CMAC interface. -- Function: void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, prepends the initialization vector to the ciphertext and outputs it to DST. The CLENGTH variable must be equal to the length of SRC plus ‘SIV_DIGEST_SIZE’. -- Function: int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the initialization vector from ADATA and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.  File: nettle.info, Node: SIV-GCM, Next: nettle_aead abstraction, Prev: SIV-CMAC, Up: Authenticated encryption 4.4.7 SIV-GCM ------------- SIV-GCM, described in ‘RFC 8452’, is an AEAD construction similar to AES-GCM, but provides protection against accidental nonce misuse like SIV-CMAC mode. It is constructed on top of a block cipher which must have a block size of 128 bits and a nonce size of 12 bytes. Nettle's support for SIV-GCM consists of a message encryption and authentication interface, for SIV-GCM using AES as the underlying block cipher. These interfaces are defined in ‘’. Unlike other AEAD mode in SIV-GCM the tag is calculated over the encoded additional authentication data and plaintext instead of the ciphertext. 4.4.7.1 General interface ......................... -- Constant: SIV_GCM_BLOCK_SIZE SIV-GCM's block size, 16. -- Constant: SIV_GCM_DIGEST_SIZE Size of the SIV-GCM digest for tags, 16. -- Constant: SIV_GCM_NONCE_SIZE Size of the SIV-GCM nonce, 12. -- Function: void siv_gcm_encrypt_message (const struct nettle_cipher *NC, const void *CTX, void *CTR_CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the authentication tag to the ciphertext and outputs it to DST. The CLENGTH variable must be equal to the length of SRC plus ‘SIV_GCM_DIGEST_SIZE’. -- Function: int siv_gcm_decrypt_message (const struct nettle_cipher *NC, const void *CTX, void *CTR_CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the initialization vector from ADATA and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. In the above interface, NC must point to a cipher that works with 16-byte block size and the key sizes that are multiple of 8-bytes. The CTX context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. While the CTR_CTX context structure must have the same size as CTX, it does not need to be initialized before calling those functions as it is used as working storage. These structures can point to the same area; in that case the contents of *CTX is destroyed by the call. For convenience, Nettle provides wrapper functions that works with AES described in the following section. 4.4.7.2 SIV-GCM-AES interface ............................. The SIV-GCM functions provide an API for using SIV-GCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the CIPHER, F, and CTX parameters are replaced with an AES context structure. The AES context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. -- Function: void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the authentication tag to the ciphertext and outputs it to DST. The CLENGTH variable must be equal to the length of SRC plus ‘SIV_GCM_DIGEST_SIZE’. -- Function: int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the initialization vector from ADATA and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.  File: nettle.info, Node: nettle_aead abstraction, Prev: SIV-GCM, Up: Authenticated encryption 4.4.8 The ‘struct nettle_aead’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash functions. It is defined in ‘’. -- Meta struct: struct nettle_aead name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest The last seven attributes are function pointers. -- Constant Struct: struct nettle_aead nettle_gcm_aes128 -- Constant Struct: struct nettle_aead nettle_gcm_aes192 -- Constant Struct: struct nettle_aead nettle_gcm_aes256 -- Constant Struct: struct nettle_aead nettle_gcm_camellia128 -- Constant Struct: struct nettle_aead nettle_gcm_camellia256 -- Constant Struct: struct nettle_aead nettle_eax_aes128 -- Constant Struct: struct nettle_aead nettle_chacha_poly1305 These are most of the AEAD constructions that Nettle implements. Note that CCM is missing; it requirement that the message size is specified in advance makes it incompatible with the ‘nettle_aead’ abstraction. Nettle also exports a list of all these constructions. -- Function: const struct nettle_aead ** nettle_get_aeads (void) Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_aeads A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers.  File: nettle.info, Node: Keyed hash functions, Next: Key derivation functions, Prev: Authenticated encryption, Up: Reference 4.5 Keyed Hash Functions ======================== A “keyed hash function”, or “Message Authentication Code” (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs. Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC and attaches it to the message. The receiver, Bob, also computes the MAC of the message, using the same key, and compares that to Alice's value. If they match, Bob can be assured that the message has not been modified on its way from Alice. However, unlike digital signatures, this assurance is not transferable. Bob can't show the message and the MAC to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the _same_ key is used on both sides, and anyone knowing the key can create a correct MAC for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn't attach a MAC to a particular message, he knows it must be Alice who did it. However, the third party can't distinguish between a MAC created by Alice and one created by Bob. Keyed hash functions are typically a lot faster than digital signatures as well. * Menu: * HMAC:: * UMAC:: * CMAC:: * Poly1305::  File: nettle.info, Node: HMAC, Next: UMAC, Up: Keyed hash functions 4.5.1 HMAC ---------- One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is HMAC, described in ‘RFC 2104’. For an underlying hash function ‘H’, with digest size ‘l’ and internal block size ‘b’, HMAC-H is constructed as follows: From a given key ‘k’, two distinct subkeys ‘k_i’ and ‘k_o’ are constructed, both of length ‘b’. The HMAC-H of a message ‘m’ is then computed as ‘H(k_o | H(k_i | m))’, where ‘|’ denotes string concatenation. HMAC keys can be of any length, but it is recommended to use keys of length ‘l’, the digest size of the underlying hash function ‘H’. Keys that are longer than ‘b’ are shortened to length ‘l’ by hashing with ‘H’, so arbitrarily long keys aren't very useful. Nettle's HMAC functions are defined in ‘’. 4.5.1.1 HMAC-MD5 ................ -- Context struct: struct hmac_md5_ctx -- Function: void hmac_md5_set_key (struct hmac_md5_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_md5_update (struct hmac_md5_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_md5_digest (struct hmac_md5_ctx *CTX, uint8_t *DIGEST) Extracts the MAC, writing ‘MD5_DIGEST_SIZE’ octets to DIGEST. This function also resets the context for processing new messages, with the same key. 4.5.1.2 HMAC-RIPEMD160 ...................... -- Context struct: struct hmac_ripemd160_ctx -- Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *CTX, uint8_t *DIGEST) Extracts the MAC, writing ‘RIPEMD160_DIGEST_SIZE’ octets to DIGEST. This function also resets the context for processing new messages, with the same key. 4.5.1.3 HMAC-SHA1 ................. -- Context struct: struct hmac_sha1_ctx -- Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha1_update (struct hmac_sha1_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha1_digest (struct hmac_sha1_ctx *CTX, uint8_t *DIGEST) Extracts the MAC, writing ‘SHA1_DIGEST_SIZE’ octets to DIGEST. This function also resets the context for processing new messages, with the same key. 4.5.1.4 HMAC-SHA256 ................... -- Context struct: struct hmac_sha256_ctx -- Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha256_update (struct hmac_sha256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha256_digest (struct hmac_sha256_ctx *CTX, uint8_t *DIGEST) Extracts the MAC, writing ‘SHA256_DIGEST_SIZE’ octets to DIGEST. This function also resets the context for processing new messages, with the same key. 4.5.1.5 HMAC-SHA512 ................... -- Context struct: struct hmac_sha512_ctx -- Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha512_update (struct hmac_sha512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha512_digest (struct hmac_sha512_ctx *CTX, uint8_t *DIGEST) Extracts the MAC, writing ‘SHA512_DIGEST_SIZE’ octets to DIGEST. This function also resets the context for processing new messages, with the same key. 4.5.1.6 HMAC-SM3 ................ -- Context struct: struct hmac_sm3_ctx -- Function: void hmac_sm3_set_key (struct hmac_sm3_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sm3_update (struct hmac_sm3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sm3_digest (struct hmac_sm3_ctx *CTX, uint8_t *DIGEST) Extracts the MAC, writing ‘SM3_DIGEST_SIZE’ octets to DIGEST. This function also resets the context for processing new messages, with the same key.  File: nettle.info, Node: UMAC, Next: CMAC, Prev: HMAC, Up: Keyed hash functions 4.5.2 UMAC ---------- UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, *Note GCM::, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. UMAC is specified in ‘RFC 4418’. The secret key is always 128 bits (16 octets). The key is used as an encryption key for the AES block cipher. This cipher is used in counter mode to generate various internal subkeys needed in UMAC. Messages are of arbitrary size, and for each message, UMAC also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret. The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle's implementation of UMAC increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is "abc" (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to "abd", and this incremented value is zero-padded to 16 octets. UMAC is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and MAC functions, Nettle's ‘_digest’ functions for UMAC accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the umac variant corresponding to the desired size. The internal block size of UMAC is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and MAC algorithms in Nettle. Nettle defines UMAC in ‘’. -- Context struct: struct umac32_ctx -- Context struct: struct umac64_ctx -- Context struct: struct umac96_ctx -- Context struct: struct umac128_ctx Each UMAC variant uses its own context struct. -- Constant: UMAC_KEY_SIZE The UMAC key size, 16. -- Constant: UMAC_MIN_NONCE_SIZE -- Constant: UMAC_MAX_NONCE_SIZE The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively. -- Constant: UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. -- Constant: UMAC64_DIGEST_SIZE The size of an UMAC64 digest, 8. -- Constant: UMAC96_DIGEST_SIZE The size of an UMAC96 digest, 12. -- Constant: UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. -- Constant: UMAC_BLOCK_SIZE The internal block size of UMAC. -- Function: void umac32_set_key (struct umac32_ctx *CTX, const uint8_t *KEY) -- Function: void umac64_set_key (struct umac64_ctx *CTX, const uint8_t *KEY) -- Function: void umac96_set_key (struct umac96_ctx *CTX, const uint8_t *KEY) -- Function: void umac128_set_key (struct umac128_ctx *CTX, const uint8_t *KEY) These functions initialize the UMAC context struct. They also initialize the nonce to zero (with length 16, for auto-increment). -- Function: void umac32_set_nonce (struct umac32_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac64_set_nonce (struct umac64_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac96_set_nonce (struct umac96_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac128_set_nonce (struct umac128_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called _before_ the first ‘_update’ call for the message. -- Function: void umac32_update (struct umac32_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac64_update (struct umac64_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac96_update (struct umac96_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac128_update (struct umac128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) These functions are called zero or more times to process the message. -- Function: void umac32_digest (struct umac32_ctx *CTX, uint8_t *DIGEST) -- Function: void umac64_digest (struct umac64_ctx *CTX, uint8_t *DIGEST) -- Function: void umac96_digest (struct umac96_ctx *CTX, uint8_t *DIGEST) -- Function: void umac128_digest (struct umac128_ctx *CTX, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the ‘_set_nonce’ function explicitly for each message.  File: nettle.info, Node: CMAC, Next: Poly1305, Prev: UMAC, Up: Keyed hash functions 4.5.3 CMAC ---------- CMAC is a message authentication code based on CBC encryption mode. It is suitable for systems where block ciphers are preferrable and perform better than hash functions. CMAC-128 is specified in ‘RFC4493’. The block size is always 128 bits (16 octets). CMAC-64 is specified by NIST Special Publication 800-38B (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf). The block size is always 64 bits (8 octets). Nettle provides helper functions for CMAC-128 with the AES block cipher and for CMAC-64 with the Tripple-DES block cipher. Nettle defines CMAC in ‘’. -- Context struct: struct cmac_aes128_ctx -- Context struct: struct cmac_aes256_ctx -- Constant: CMAC128_DIGEST_SIZE The size of an CMAC-128 digest, 16. -- Function: void cmac_aes128_set_key (struct cmac_aes128_ctx *CTX, const uint8_t *KEY) This function initializes the CMAC context struct for AES-128. -- Function: void cmac_aes128_update (struct cmac_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. -- Function: void cmac_aes128_digest (struct cmac_aes128_ctx *CTX, uint8_t *DIGEST) Extracts the MAC of the message, writing ‘CMAC128_DIGEST_SIZE’ octets to DIGEST. This function resets the context for processing of a new message with the same key. -- Function: void cmac_aes256_set_key (struct cmac_aes256_ctx *CTX, const uint8_t *KEY) This function initializes the CMAC context struct for AES-256. -- Function: void cmac_aes256_update (struct cmac_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. -- Function: void cmac_aes256_digest (struct cmac_aes256_ctx *CTX, uint8_t *DIGEST) Extracts the MAC of the message, writing ‘CMAC128_DIGEST_SIZE’ octets to DIGEST. This function resets the context for processing of a new message with the same key. -- Context struct: struct cmac_des3_ctx -- Constant: CMAC64_DIGEST_SIZE The size of an CMAC-64 digest, 8. -- Function: void cmac_des3_set_key (struct cmac_des3_ctx *CTX, const uint8_t *KEY) This function initializes the CMAC context struct for Tripple-DES. -- Function: void cmac_des3_update (struct cmac_des3_ctx *CTX,size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. -- Function: void cmac_des3_digest (struct cmac_des3_ctx *CTX, uint8_t *DIGEST) Extracts the MAC of the message, writing ‘CMAC64_DIGEST_SIZE’ octets to DIGEST. This function resets the context for processing of a new message with the same key.  File: nettle.info, Node: Poly1305, Prev: CMAC, Up: Keyed hash functions 4.5.4 Poly1305 -------------- Poly1305-AES is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number 2^130 - 5. The key, 256 bits, consists of two parts, where the first half is an AES-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point ‘r’. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the AES key, and that's the only thing AES is used for. The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo 2^130 - 5, and the polynomial is evaluated at the point ‘r’. Finally, this value is reduced modulo 2^128, and added (also modulo 2^128) to the encrypted nonce, to produce an 128-bit authenticator for the message. See for further details. Clearly, variants using a different cipher than AES could be defined. Another variant is the ChaCha-Poly1305 AEAD construction (*note ChaCha-Poly1305::). Nettle defines Poly1305-AES in ‘nettle/poly1305.h’. -- Constant: POLY1305_AES_KEY_SIZE Key size, 32 octets. -- Constant: POLY1305_AES_DIGEST_SIZE Size of the digest or "authenticator", 16 octets. -- Constant: POLY1305_AES_NONCE_SIZE Nonce size, 16 octets. -- Context struct: struct poly1305_aes_ctx The poly1305-aes context struct. -- Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *CTX, const uint8_t *KEY) Initialize the context struct. Also sets the nonce to zero. -- Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *CTX, const uint8_t *NONCE) Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message. -- Function: void poly1305_aes_update (struct poly1305_aes_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process more data. -- Function: void poly1305_aes_digest (struct poly1305_aes_ctx *CTX, uint8_t *DIGEST) Extracts the digest, writing ‘POLY1305_AES_DIGEST_SIZE’ octets to DIGEST. Also increments the nonce, and prepares the context for processing a new message.  File: nettle.info, Node: Key derivation functions, Next: Public-key algorithms, Prev: Keyed hash functions, Up: Reference 4.6 Key derivation Functions ============================ A “key derivation function” (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the “password-based key derivation functions” (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation. 4.6.1 HKDF: HMAC-based Extract-and-Expand ----------------------------------------- HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in ‘RFC 5869’, and is split into two logical modules, called "extract" and "expand". The extract module takes an initial secret and a random salt to extract a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys. Nettle's HKDF functions are defined in ‘’. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the ‘nettle_hash_update_func’, and ‘nettle_hash_digest_func’ interfaces. -- Function: void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst) Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the secret SECRET of length SECRET_LENGTH. The output length is fixed to DIGEST_SIZE octets, thus the output buffer DST must have room for at least DIGEST_SIZE octets. -- Function: void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the info INFO of length INFO_LENGTH, and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. 4.6.2 PBKDF2 ------------ The most well known PBKDF is the ‘PKCS #5 PBKDF2’ described in ‘RFC 2898’ which uses a pseudo-random function such as HMAC-SHA1. Nettle's PBKDF2 functions are defined in ‘’. There is an abstract function that operate on any PRF implemented via the ‘nettle_hash_update_func’, ‘nettle_hash_digest_func’ interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 and PBKDF2-HMAC-SHA512. First, the abstract function: -- Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the salt SALT of length SALT_LENGTH, the iteration counter ITERATIONS (> 0), and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. Like for CBC and HMAC, there is a macro to help use the function correctly. -- Macro: PBKDF2 (CTX, UPDATE, DIGEST, DIGEST_SIZE, ITERATIONS, SALT_LENGTH, SALT, LENGTH, DST) CTX is a pointer to a context struct passed to the UPDATE and DIGEST functions (of the types ‘nettle_hash_update_func’ and ‘nettle_hash_digest_func’ respectively) to implement the underlying PRF with digest size of DIGEST_SIZE. Inputs are the salt SALT of length SALT_LENGTH, the iteration counter ITERATIONS (> 0), and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. 4.6.3 Concrete PBKDF2 functions ------------------------------- Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function. 4.6.3.1 PBKDF2-HMAC-SHA1 ........................ -- Function: void pbkdf2_hmac_sha1 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA1. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 4.6.3.2 PBKDF2-HMAC-SHA256 .......................... -- Function: void pbkdf2_hmac_sha256 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA256. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 4.6.3.3 PBKDF2-HMAC-SHA384 .......................... -- Function: void pbkdf2_hmac_sha384 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA384. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 4.6.3.4 PBKDF2-HMAC-SHA512 .......................... -- Function: void pbkdf2_hmac_sha512 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA512. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 4.6.4 BALLOON ------------- Balloon is a memory-hard password-hashing algorithm. An in-depth description of the algorithm and its properties can be found in an online research paper: Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. Retrieved Sep 1, 2022, from Nettle's definition of the BALLOON algorithm can be found in ‘’. There is a general BALLOON function where the user can specify desired hash algorithm that will be used by the function. There are also concrete, more user-friendly functions that use common hash algorithms like SHA1, SHA256, SHA384 and SHA512. There is also a utility function which helps to determine the size of the working buffer that must be provided as one of the inputs. Each BALLOON function takes as an input a password and a salt of arbitrary lengths, a time and a space parameters, and a scratch buffer. The space parameter S_COST determines how many blocks of working space the algorithm will require during its computation. It is common to set S_COST to a high value in order to increase the cost of hardware accelerators built by the adversary. The time parameter T_COST determines the number of rounds of computation that the algorithm will perform. This can be used to further increase the cost of computation without raising the memory requirement. Scratch buffer SCRATCH is a user allocated working space required by the algorithm. To determine the required size of the scratch buffer use the utility function ‘balloon_itch’. Output of BALLOON algorithm will be written into the output buffer DST that has to be at least DIGEST_SIZE bytes long. Note that it is safe to use the same buffer for both SCRATCH and DST. Next follows the description of the general BALLOON function. -- Function: void balloon (void *HASH_CTX, nettle_hash_update_func *UPDATE, nettle_hash_digest_func *DIGEST, size_t DIGEST_SIZE, size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) Compute hash of given password PASSWD of length PASSWD_LENGTH salted with SALT of length SALT_LENGTH and write DIGEST_SIZE bytes into the output buffer DST. Parameter HASH_CTX is a context for the underlying hash function, which much be initialized by the caller. UPDATE and DIGEST are the update and digest functions of the chosen hash algorithm. DIGEST_SIZE is the digest size of the chosen hash algorithm and determines the size of the output. -- Function: size_t balloon_itch (size_t DIGEST_SIZE, size_t S_COST) Compute the size of the scratch buffer SCRATCH. DIGEST_SIZE is the digest size of the chosen hash algorithm. S_COST is the space parameter used by the ‘balloon’ function. 4.6.5 Concrete BALLOON functions -------------------------------- Here follows a list of the specialized BALLOON functions, which are more user-friendly variants of the general function. 4.6.5.1 BALLOON-SHA1 .................... -- Function: void balloon_sha1 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA1 as the underlying hash function. 4.6.5.2 BALLOON-SHA256 ...................... -- Function: void balloon_sha256 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA256 as the underlying hash function. 4.6.5.3 BALLOON-SHA384 ...................... -- Function: void balloon_sha384 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA384 as the underlying hash function. 4.6.5.4 BALLOON-SHA512 ...................... -- Function: void balloon_sha512 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA512 as the underlying hash function.  File: nettle.info, Node: Public-key algorithms, Next: Randomness, Prev: Key derivation functions, Up: Reference 4.7 Public-key algorithms ========================= Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle (with the exception of SLH-DSA), you must install GMP, at least version 6.1.0, before compiling Nettle, and you need to link your programs with ‘-lhogweed -lnettle -lgmp’. The concept of “Public-key” cryptography and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, "symmetric", cryptography, sender and receiver share the same key, and this key must be distributed in a secure way. And if there are many users or entities that need to communicate, each _pair_ needs a shared secret key known by nobody else. In public key cryptography, each user needs a "key pair", consisting of a private key which is kept secret, and corresponding public key that is distributed to all other users. Public and private keys can be uses in several different ways: For key agreement (e.g., Diffie-Hellman or Curve25519 key exchange), digital signatures (e.g., RSA signatures and Ed25519 signatures), and public key encryption (e.g., RSA encryption). To use a digital signature algorithm, one must first create a “key-pair”: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user's list of known public keys), bad things may happen. There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can't cut it out of context and glue it to a different message. The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the "someone" also knows the private key corresponding to the public key. The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation. Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as "grant access to whoever knows the private key corresponding to this particular public key, and to no others". * Menu: * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA. * SLH-DSA:: Stateless hash-based digital signatures.  File: nettle.info, Node: RSA, Next: DSA, Up: Public-key algorithms 4.7.1 RSA --------- The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the USA in 1983. The patent expired on September 20, 2000, and since that day, RSA can be used freely, even in the USA. It's remarkably simple to describe the trapdoor function behind RSA. The "one-way"-function used is F(x) = x^e mod n I.e. raise x to the ‘e’'th power, while discarding all multiples of ‘n’. The pair of numbers ‘n’ and ‘e’ is the public key. ‘e’ can be quite small, even ‘e = 3’ has been used, although slightly larger numbers are recommended. ‘n’ should be about 2000 bits or larger. If ‘n’ is large enough, and properly chosen, the inverse of F, the computation of ‘e’'th roots modulo ‘n’, is very difficult. But, where's the trapdoor? Let's first look at how RSA key-pairs are generated. First ‘n’ is chosen as the product of two large prime numbers ‘p’ and ‘q’ of roughly the same size (so if ‘n’ is 2000 bits, ‘p’ and ‘q’ are about 1000 bits each). One also computes the number ‘phi = (p-1)(q-1)’, in mathematical speak, ‘phi’ is the order of the multiplicative group of integers modulo n. Next, ‘e’ is chosen. It must have no factors in common with ‘phi’ (in particular, it must be odd), but can otherwise be chosen more or less randomly. ‘e = 65537’ is a popular choice, because it makes raising to the ‘e’'th power particularly efficient, and being prime, it usually has no factors common with ‘phi’. Finally, a number ‘d’, ‘d < n’ is computed such that ‘e d mod phi = 1’. It can be shown that such a number exists (this is why ‘e’ and ‘phi’ must have no common factors), and that for all ‘x’, (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x Using Euclid's algorithm, ‘d’ can be computed quite easily from ‘phi’ and ‘e’. But it is still hard to get ‘d’ without knowing ‘phi’, which depends on the factorization of ‘n’. So ‘d’ is the trapdoor, if we know ‘d’ and ‘y = F(x)’, we can recover ‘x’ as ‘y^d mod n’. ‘d’ is also the private half of the RSA key-pair. The most common signature operation for RSA is defined in ‘PKCS#1’, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. SHA256. Next, some padding, the ASN.1 "Algorithm Identifier" for the hash function, and the message digest itself, are concatenated and converted to a number ‘x’. The signature is computed from ‘x’ and the private key as ‘s = x^d mod n’(1) (*note RSA-Footnote-1::). The signature, ‘s’, is a number of about the same size of ‘n’, and it usually encoded as a sequence of octets, most significant octet first. The verification operation is straight-forward, ‘x’ is computed from the message in the same way as above. Then ‘s^e mod n’ is computed, the operation returns true if and only if the result equals ‘x’. The RSA algorithm can also be used for encryption. RSA encryption uses the public key ‘(n,e)’ to compute the ciphertext ‘m^e mod n’. The ‘PKCS#1’ padding scheme will use at least 8 random and non-zero octets, using M of the form ‘[00 02 padding 00 plaintext]’. It is required that ‘m < n’, and therefor the plaintext must be smaller than the octet size of the modulo ‘n’, with some margin. To decrypt the message, one needs the private key to compute ‘m = c^e mod n’ followed by checking and removing the padding. 4.7.1.1 Nettle's RSA support ............................ Nettle represents RSA keys using two structures that contain large numbers (of type ‘mpz_t’). -- Context struct: rsa_public_key size n e ‘size’ is the size, in octets, of the modulo, and is used internally. ‘n’ and ‘e’ is the public key. -- Context struct: rsa_private_key size d p q a b c ‘size’ is the size, in octets, of the modulo, and is used internally. ‘d’ is the secret exponent, but it is not actually used when signing. Instead, the factors ‘p’ and ‘q’, and the parameters ‘a’, ‘b’ and ‘c’ are used. They are computed from ‘p’, ‘q’ and ‘e’ such that ‘a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1’. Before use, these structs must be initialized by calling one of -- Function: void rsa_public_key_init (struct rsa_public_key *PUB) -- Function: void rsa_private_key_init (struct rsa_private_key *KEY) Calls ‘mpz_init’ on all numbers in the key struct. and when finished with them, the space for the numbers must be deallocated by calling one of -- Function: void rsa_public_key_clear (struct rsa_public_key *PUB) -- Function: void rsa_private_key_clear (struct rsa_private_key *KEY) Calls ‘mpz_clear’ on all numbers in the key struct. In general, Nettle's RSA functions deviates from Nettle's "no memory allocation"-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see *Note GMP Allocation: (gmp)Custom Allocation. When you have assigned values to the attributes of a key, you must call -- Function: int rsa_public_key_prepare (struct rsa_public_key *PUB) -- Function: int rsa_private_key_prepare (struct rsa_private_key *KEY) Computes the octet size of the key (stored in the ‘size’ attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can't be used, for instance if the modulo is smaller than the minimum size needed for RSA operations specified by PKCS#1. For each operation using the private key, there are two variants, e.g., ‘rsa_sha256_sign’ and ‘rsa_sha256_sign_tr’. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized RSA blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key. Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function's context struct to the RSA signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with RSA signatures, since there's no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. Creating an RSA signature is done with one of the following functions: -- Function: int rsa_md5_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct md5_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha1_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha256_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha512_ctx *HASH, mpz_t SIGNATURE) The signature is stored in SIGNATURE (which must have been ‘mpz_init’'ed earlier). The hash context is reset so that it can be used for new messages. The RANDOM_CTX and RANDOM pointers are used to generate the RSA blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit RSA key. -- Function: int rsa_md5_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature from the given hash digest. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. -- Function: int rsa_pkcs1_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LENGTH, const uint8_t *DIGEST_INFO, mpz_t SIGNATURE) Similar to the above ‘_sign_digest_tr’ functions, but the input is not the plain hash digest, but a PKCS#1 "DigestInfo", an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. -- Function: int rsa_md5_sign (const struct rsa_private_key *KEY, struct md5_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign (const struct rsa_private_key *KEY, struct sha1_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign (const struct rsa_private_key *KEY, struct sha256_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign (const struct rsa_private_key *KEY, struct sha512_ctx *HASH, mpz_t SIGNATURE) The signature is stored in SIGNATURE (which must have been ‘mpz_init’'ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit RSA key. -- Function: int rsa_md5_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’, respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. -- Function: int rsa_pkcs1_sign (const struct rsa_private_key *KEY, size_t LENGTH, const uint8_t *DIGEST_INFO, mpz_t S) Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 "DigestInfo", an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. Verifying an RSA signature is done with one of the following functions: -- Function: int rsa_md5_verify (const struct rsa_public_key *KEY, struct md5_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha1_verify (const struct rsa_public_key *KEY, struct sha1_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha256_verify (const struct rsa_public_key *KEY, struct sha256_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify (const struct rsa_public_key *KEY, struct sha512_ctx *HASH, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn't. In either case, the hash context is reset so that it can be used for new messages. -- Function: int rsa_md5_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha1_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha256_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn't. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’ respectively. -- Function: int rsa_pkcs1_verify (const struct rsa_public_key *KEY, size_t LENGTH, const uint8_t *DIGEST_INFO, const mpz_t SIGNATURE) Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 "DigestInfo", and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. While the above functions for the RSA signature operations use the ‘PKCS#1’ padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in ‘RFC 8017’. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the RSA algorithm, a longer salt value does not always mean a better security . The typical choices of the length are between 0 and the digest size of the underlying hash function. Creating an RSA signature with the PSS padding scheme is done with one of the following functions: -- Function: int rsa_pss_sha256_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_pss_sha384_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_pss_sha512_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature using the PSS padding scheme. SALT should point to a salt string of size SALT_LENGTH. DIGEST should point to a digest of size ‘SHA256_DIGEST_SIZE’, ‘SHA384_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. Verifying an RSA signature with the PSS padding scheme is done with one of the following functions: -- Function: int rsa_pss_sha256_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_pss_sha384_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_pss_sha512_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn't. DIGEST should point to a digest of size ‘SHA256_DIGEST_SIZE’, ‘SHA384_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’ respectively. The following function is used to encrypt a clear text message using RSA. -- Function: int rsa_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LENGTH, const uint8_t *CLEARTEXT, mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure. The following function is used to decrypt a cipher text message using RSA. -- Function: int rsa_decrypt (const struct rsa_private_key *KEY, size_t *LENGTH, uint8_t *CLEARTEXT, const mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by CLEARTEXT must be of size *LENGTH. After decryption, *LENGTH will be updated with the size of the message. There is also a timing resistant version of decryption that utilizes randomized RSA blinding. -- Function: int rsa_decrypt_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t *LENGTH, uint8_t *MESSAGE, const mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. While the above functions for the RSA encryption operations use the ‘PKCS#1’ padding scheme, Nettle also provides the variants based on the OAEP padding scheme, specified in ‘RFC 8017’. These variants take advantage of a randomly choosen seed value, which could enhance the security by causing output to be different for equivalent inputs. Encrypting a clear text message using RSA with the OAEP padding scheme is done with one of the following functions: -- Function: int rsa_oaep_sha256_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t LENGTH, const uint8_t *MESSAGE, uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha384_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t LENGTH, const uint8_t *MESSAGE, uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha512_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t LENGTH, const uint8_t *MESSAGE, uint8_t *CIPHERTEXT) Returns 1 on success, 0 on failure. The label is optional and if omitted, LABEL_LENGTH and LABEL is set to 0 and ‘NULL’ respectively. The maximum size of MESSAGE can be calculated with ‘k - 2 * hLen - 2’, where ‘k’ is the key size in octets obtained with KEY->size, and ‘hLen’ is the output size of the underlying hash function (e.g., ‘SHA256_DIGEST_SIZE’ for ‘rsa_oaep_sha256_encrypt’). Decrypting a cipher text message using RSA with the OAEP padding scheme is done with one of the following functions: -- Function: int rsa_oaep_sha256_decrypt (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t *LENGTH, uint8_t *MESSAGE, const uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha384_decrypt (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t *LENGTH, uint8_t *MESSAGE, const uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha512_decrypt (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t *LENGTH, uint8_t *MESSAGE, const uint8_t *CIPHERTEXT) Returns 1 on success, 0 on failure. These function utilize randomized RSA blinding similarly to ‘rsa_decrypt_tr’. The message buffer pointed to by CLEARTEXT must be of size *LENGTH. After decryption, *LENGTH will be updated with the size of the message. If you need to use the RSA trapdoor, the private key, in a way that isn't supported by the above functions Nettle also includes a function that computes ‘x^d mod n’ and nothing more, using the CRT optimization. -- Function: int rsa_compute_root_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, mpz_t X, const mpz_t M) Computes ‘x = m^d’. Returns one on success, or zero if a failure in the computation was detected. -- Function: void rsa_compute_root (struct rsa_private_key *KEY, mpz_t X, const mpz_t M) Computes ‘x = m^d’. At last, how do you create new keys? -- Function: int rsa_generate_keypair (struct rsa_public_key *PUB, struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, void *PROGRESS_CTX, nettle_progress_func PROGRESS, unsigned N_SIZE, unsigned E_SIZE) There are lots of parameters. PUB and KEY is where the resulting key pair is stored. The structs should be initialized, but you don't need to call ‘rsa_public_key_prepare’ or ‘rsa_private_key_prepare’ after key generation. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. SIZE_N is the desired size of the modulo, in bits. If SIZE_E is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if E_SIZE is zero, it is assumed that the caller has already chosen a value for ‘e’, and stored it in PUB. Returns one on success, and zero on failure. The function can fail for example if if N_SIZE is too small, or if E_SIZE is zero and ‘pub->e’ is an even number.  File: nettle.info, Node: RSA-Footnotes, Up: RSA (1) Actually, the computation is not done like this, it is done more efficiently using ‘p’, ‘q’ and the Chinese remainder theorem (CRT). But the result is the same.  File: nettle.info, Node: DSA, Next: Elliptic curves, Prev: RSA, Up: Public-key algorithms 4.7.2 DSA --------- The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1. For DSA, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime ‘p’, a small prime ‘q’ which is a factor of ‘p-1’, a number ‘g’ which generates a subgroup of order ‘q’ modulo ‘p’, and an element ‘y’ in that subgroup. In the original DSA, the size of ‘q’ is fixed to 160 bits, to match with the SHA1 hash algorithm. The size of ‘p’ is in principle unlimited, but the standard specifies only nine specific sizes: ‘512 + l*64’, where ‘l’ is between 0 and 8. Thus, the maximum size of ‘p’ is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. The subgroup requirement means that if you compute g^t mod p for all possible integers ‘t’, you will get precisely ‘q’ distinct values. The private key is a secret exponent ‘x’, such that g^x = y mod p In mathematical speak, ‘x’ is the “discrete logarithm” of ‘y’ mod ‘p’, with respect to the generator ‘g’. The size of ‘x’ will also be about the same size as ‘q’. The security of the DSA algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack DSA, are of two types. The first type works directly in the (multiplicative) group of integers mod ‘p’. The best known algorithm of this type is the Number Field Sieve, and it's complexity is similar to the complexity of factoring numbers of the same size as ‘p’. The other type works in the smaller ‘q’-sized subgroup generated by ‘g’, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity ‘sqrt(q)’. The important point is that security depends on the size of _both_ ‘p’ and ‘q’, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original DSA may be uncomfortably small. Using a ‘p’ of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit RSA modulo, and using a ‘q’ of size 160 bits implies that cracking using Pollard-rho will take roughly ‘2^80’ group operations. With the size of ‘q’ fixed, tied to the SHA1 digest size, it may be tempting to increase the size of ‘p’ to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack. The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (*note Randomness::). Let us describe the common case of a 160-bit ‘q’. To create a signature, one starts with the hash digest of the message, ‘h’, which is a 160 bit number, and a random number ‘k, 0’. A DSA group is represented using the following struct. -- Context struct: dsa_params p q g Parameters of the DSA group. -- Function: void dsa_params_init (struct dsa_params *PARAMS) Calls ‘mpz_init’ on all numbers in the struct. -- Function: void dsa_params_clear (struct dsa_params *PARAMSparams) Calls ‘mpz_clear’ on all numbers in the struct. -- Function: int dsa_generate_params (struct dsa_params *PARAMS, void *RANDOM_CTX, nettle_random_func *RANDOM, void *PROGRESS_CTX, nettle_progress_func *PROGRESS, unsigned P_BITS, unsigned Q_BITS) Generates parameters of a new group. The PARAMS struct should be initialized before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. P_BITS and Q_BITS are the desired sizes of ‘p’ and ‘q’. To generate keys that conform to the original DSA standard, you must use ‘q_bits = 160’ and select P_BITS of the form ‘p_bits = 512 + l*64’, for ‘0 <= l <= 8’, where the smaller sizes are no longer recommended, so you should most likely stick to ‘p_bits = 1024’. Non-standard sizes are possible, in particular ‘p_bits’ larger than 1024, although DSA implementations can not in general be expected to support such keys. Also note that using very large P_BITS, with Q_BITS fixed at 160, doesn't make much sense, because the security is also limited by the size of the smaller prime. To generate DSA keys for use with SHA256, use ‘q_bits = 256’ and, e.g., ‘p_bits = 2048’. Returns one on success, and zero on failure. The function will fail if Q_BITS is too small, or too close to P_BITS. Signatures are represented using the structure below. -- Context struct: dsa_signature r s The R and S fields are both of type ‘mpz_t’. -- Function: void dsa_signature_init (struct dsa_signature *SIGNATURE) -- Function: void dsa_signature_clear (struct dsa_signature *SIGNATURE) You must call ‘dsa_signature_init’ before creating or using a signature, and call ‘dsa_signature_clear’ when you are finished with it. Keys are represented as bignums, of type ‘mpz_t’. A public key represents a group element, and is of the same size as ‘p’, while a private key is an exponent, of the same size as ‘q’. -- Function: int dsa_sign (const struct dsa_params *PARAMS, const mpz_t X, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_SIZE, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Creates a signature from the given hash digest, using the private key X. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo ‘q’ fails. -- Function: int dsa_verify (const struct dsa_params *PARAMS, const mpz_t Y, size_t DIGEST_SIZE, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0. To generate a keypair, first generate a DSA group using ‘dsa_generate_params’. A keypair in this group is then created using -- Function: void dsa_generate_keypair (const struct dsa_params *PARAMS, mpz_t PUB, mpz_t KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) Generates a new keypair, using the group PARAMS. The public key is stored in PUB, and the private key in KEY. Both variables must be initialized using ‘mpz_init’ before this call. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::.  File: nettle.info, Node: Elliptic curves, Next: SLH-DSA, Prev: DSA, Up: Public-key algorithms 4.7.3 Elliptic curves --------------------- For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If P and Q are two points, and k is an integer, the point sum, P + Q, and the multiple k P can be computed efficiently, but given only two points P and Q, finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem. Nettle supports standard curves which are all of the form y^2 = x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), both considered as integers modulo a specified prime p. Curves are represented as a ‘struct ecc_curve’. It also supports curve25519 and curve488, which uses a different form of curve. Supported curves are declared in ‘’, e.g., call ‘nettle_get_secp_256r1’ for a standardized curve using the 256-bit prime p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1. The contents of these structs is not visible to nettle users. The "bitsize of the curve" is used as a shorthand for the bitsize of the curve's prime p, e.g., 256 bits for the SECP 256R1 curve. * Menu: * Side-channel silence:: * ECDSA:: * GOSTDSA:: * Curve 25519 and Curve 448::  File: nettle.info, Node: Side-channel silence, Next: ECDSA, Up: Elliptic curves 4.7.3.1 Side-channel silence ............................ Nettle's implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are: • Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. • Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries. Nettle's ECC implementation is designed to be “side-channel silent”, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks.  File: nettle.info, Node: ECDSA, Next: GOSTDSA, Prev: Side-channel silence, Up: Elliptic curves 4.7.3.2 ECDSA ............. ECDSA is a variant of the DSA digital signature scheme (*note DSA::), which works over an elliptic curve group rather than over a (subgroup of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. Nettle defines ECDSA in ‘’. We first need to define the data types used to represent public and private keys. -- struct: struct ecc_point Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key. -- Function: void ecc_point_init (struct ecc_point *P, const struct ecc_curve *ECC) Initializes P to represent points on the given curve ECC. Allocates storage for the coordinates, using the same allocation functions as GMP. -- Function: void ecc_point_clear (struct ecc_point *P) Deallocate storage allocated by previous ecc_point_init. -- Function: int ecc_point_set (struct ecc_point *P, const mpz_t X, const mpz_t Y) Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed. -- Function: void ecc_point_get (const struct ecc_point *P, mpz_t X, mpz_t Y) Extracts the coordinate of the point P. The output parameters X or Y may be NULL if the caller doesn't want that coordinate. -- struct: struct ecc_scalar Represents an integer in the range 0 < x < group order, where the "group order" refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key. -- Function: void ecc_scalar_init (struct ecc_scalar *S, const struct ecc_curve *ECC) Initializes S to represent a scalar suitable for the given curve ECC. Allocates storage using the same allocation functions as GMP. -- Function: void ecc_scalar_clear (struct ecc_scalar *S) Deallocate the storage allocated by previous ecc_scalar_init. -- Function: int ecc_scalar_set (struct ecc_scalar *S, const mpz_t Z) Check that Z is in the correct range. If so, copies the value to S and returns 1, otherwise returns 0. -- Function: void ecc_scalar_get (const struct ecc_scalar *S, mpz_t Z) Extracts the scalar, in GMP ‘mpz_t’ representation. To create and verify ECDSA signatures, the following functions are used. -- Function: void ecdsa_sign (const struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_LENGTH, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Uses the private key KEY to create a signature of DIGEST. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. The signature is stored in SIGNATURE, in the same way as for plain DSA. -- Function: int ecdsa_verify (const struct ecc_point *PUB, size_t LENGTH, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Uses the public key PUB to verify that SIGNATURE is a valid signature for the message digest DIGEST (of LENGTH octets). Returns 1 if the signature is valid, otherwise 0. Finally, generating a new ECDSA key pair: -- Function: void ecdsa_generate_keypair (struct ecc_point *PUB, struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) PUB and KEY is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::.  File: nettle.info, Node: GOSTDSA, Next: Curve 25519 and Curve 448, Prev: ECDSA, Up: Elliptic curves 4.7.3.3 GOSTDSA ............... GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA (*note DSA::) and ECDSA (*note ECDSA::) digital signature schemes, which works over an elliptic curve group. Original documents are written in Russian. English translations are provided in ‘RFC 5832’ and ‘RFC 7091’. While technically nothing stops one from using GOSTDSA over any curve, it is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function (GOSTHASH94 and GOSTHASH94CP, ‘RFC 5831’). GOST R 34.10-2012 is defined to use GOST R 34.11-2012 hash function (Streebog, ‘RFC 6986’) of corresponding size (256 or 512) depending on curve size. Nettle defines GOSTDSA in ‘’. GOSTDSA reuses ECDSA data types (‘struct ecc_point’, ‘struct ecc_scalar’) to represent public and private keys. Also to generate a new GOSTDSA key pair one has to use ‘ecdsa_generate_keypair()’ function. To create and verify GOSTDSA signatures, the following functions are used. -- Function: void gostdsa_sign (const struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_LENGTH, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Uses the private key KEY to create a signature of DIGEST. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. The signature is stored in SIGNATURE, in the same was as for plain DSA. -- Function: int gostdsa_verify (const struct ecc_point *PUB, size_t LENGTH, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Uses the public key PUB to verify that SIGNATURE is a valid signature for the message digest DIGEST (of LENGTH octets). Returns 1 if the signature is valid, otherwise 0. For historical reason several curve IDs (OIDs) may correspond to a single curve/generator combination. Following list defines correspondence between nettle's view on curves and actual identifiers defined in ‘RFC 4357’ and ‘RFC 7836’. -- Function: const struct ecc_curve nettle_get_gost_gc256b (void) Returns curve corresponding to following identifiers: • id-GostR3410-2001-CryptoPro-A-ParamSet (‘RFC 4357’) • id-GostR3410-2001-CryptoPro-XchA-ParamSet (‘RFC 4357’) • id-tc26-gost-3410-12-256-paramSetB -- Function: const struct ecc_curve nettle_get_gost_gc512a (void) Returns curve corresponding to following identifiers: • id-tc26-gost-3410-12-512-paramSetA (‘RFC 7836’) For GOST key pairs key derivation/key agreement function (VKO) is defined in ‘RFC 4357’ and ‘RFC 7836’. Basically shared key is equal to hash(cofactor * ukm * priv * pub). Nettle library provides a function that does multiplication. Caller should do hashing on his own (it will be either GOST R 34.11-94 (*note GOSTHASH94CP::) or GOST R 34.11-2012, Streebog, which nor part of the library yet). -- Function: void gostdsa_vko (const struct ecc_scalar *PRIV, const struct ecc_point *PUB, size_t UKM_LENGTH, const uint8_t *UKM, uint8_t *OUT) Uses private key PRIV, public ket PUB and shared key material UKM to generate shared secret, written to buffer OUT. The buffer should be of the size equal to 2 private key lengths: 64 bytes for 256 bit curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually transferred in cleartext. It does not have to be secret.  File: nettle.info, Node: Curve 25519 and Curve 448, Prev: GOSTDSA, Up: Elliptic curves 4.7.3.4 Curve25519 and Curve448 ............................... Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in ‘RFC 7748’. The group generator is defined by x = 9 (there are actually two points with x = 9, differing by the sign of the y-coordinate, but that doesn't matter for the curve25519 operations which work with the x-coordinate only). The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored. For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range 2^251 <= s < 2^252. Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value x for which the the curve equation can be solved for y. The other half correspond to points on a related "twist curve". The function ‘curve25519_mul’ uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by ‘RFC 7748’. The output is therefore well defined for _all_ possible inputs, no matter if the input string represents a valid point on the curve or not. Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from ‘RFC 7748’, in that bit 255 of the x coordinate of the point input to curve25519_mul was not ignored. The ‘nette/curve25519.h’ defines a preprocessor symbol ‘NETTLE_CURVE25519_RFC7748’ to indicate conformance with the standard. Nettle defines Curve 25519 in ‘’. -- Constant: NETTLE_CURVE25519_RFC7748 Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions. -- Constant: CURVE25519_SIZE The size of the strings representing curve25519 points and scalars, 32. -- Function: void curve25519_mul_g (uint8_t *Q, const uint8_t *N) Computes Q = N G, where G is the group generator and N is an integer. The input argument N and the output argument Q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size ‘CURVE25519_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult_base’ in the NaCl library. -- Function: void curve25519_mul (uint8_t *Q, const uint8_t *N, const uint8_t *P) Computes Q = N P, where P is an input point and N is an integer. The input arguments N and P and the output argument Q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size ‘CURVE25519_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult’ in the NaCl library. Similarly, Nettle also implements Curve448, an elliptic curve of Montgomery type, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^448 - 2^224 - 1. This particular curve was proposed by Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also described in ‘RFC 7748’. Nettle defines Curve 448 in ‘’. -- Constant: CURVE448_SIZE The octet length of the strings representing curve448 points and scalars, 56. -- Function: void curve448_mul_g (uint8_t *Q, const uint8_t *N) Computes Q = N G, where G is the group generator and N is an integer. The input argument N and the output argument Q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size ‘CURVE448_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult_base’ in the NaCl library. -- Function: void curve448_mul (uint8_t *Q, const uint8_t *N, const uint8_t *P) Computes Q = N P, where P is an input point and N is an integer. The input arguments N and P and the output argument Q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size ‘CURVE448_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult’ in the NaCl library. 4.7.3.5 EdDSA ............. EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a "Twisted Edwards curve", of the form -x^2 + y^2 = 1 + d x^2 y^2. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups. Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost. -- Constant: ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. -- Constant: ED25519_SIGNATURE_SIZE The size of an Ed25519 signature, 64 octets. -- Function: void ed25519_sha512_public_key (uint8_t *PUB, const uint8_t *PRIV) Computes the public key corresponding to the given private key. Both input and output are of size ‘ED25519_KEY_SIZE’. -- Function: void ed25519_sha512_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) Signs a message using the provided key pair. -- Function: int ed25519_sha512_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. Nettle also provides Ed448, an EdDSA signature scheme based on an Edwards curve equivalent to curve448. -- Constant: ED448_KEY_SIZE The size of a private or public Ed448 key, 57 octets. -- Constant: ED448_SIGNATURE_SIZE The size of an Ed448 signature, 114 octets. -- Function: void ed448_shake256_public_key (uint8_t *PUB, const uint8_t *PRIV) Computes the public key corresponding to the given private key. Both input and output are of size ‘ED448_KEY_SIZE’. -- Function: void ed448_shake256_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) Signs a message using the provided key pair. -- Function: int ed448_shake256_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.  File: nettle.info, Node: SLH-DSA, Prev: Elliptic curves, Up: Public-key algorithms 4.7.4 SLH-DSA ------------- SLH-DSA stands for Stateless hash-based digital signature algorithm. As the name suggests, its security is based on a cryptographic hash function. It is intended to be secure against an attacker with a large working quantum computer, often referred to as a "post-quantum" cryptographic algorithm. This is in contrast to "classical" public key algorithms based on the difficulty of the discrete logarithm problem or the factoring problem, because those problems can be solved efficiently if or when the attacker has a large scale quantum computer at their disposal. The SLH-DSA algorithm was standardized by NIST in 2024, as ‘FIPS-205’, based on an algorithm proposal called SPHINCS+. Public and private keys are small, while signatures are rather large, 7856 octets for the variant with smallest signatures. The main idea is that the private key is used as the seed for a pseudorandom generation of a large number of secret values. Each secret value is hashed, and the hashes are combined pairwise into a Merkle tree. The hash at the root of the Merkle tree is one piece of the public key. The holder of the private key can then prove knowledge of the private key by revealing one of the secret values, together with a Merkle tree inclusion proof that proves that the value is included in the public hash at the root of the tree. This idea is turned into a practical signature scheme by combining several variants of hash-based signatures and Merkle trees. The selection of secret values to reveal as part of an SLH-DSA signature depends on both the message and a deterministically generated nonce (also referred to as the message "randomizer"). Verifying an SLH-DSA signature boils down to verifying a number of Merkle inclusion proofs, which is pretty fast; performance is in the same ballpark as verifying elliptic curve signatures. Signing, on the other hand, needs to produce all those inclusion proofs, which requires traversal of all leaves of the corresponding Merkle trees, and this is several orders of magnitude slower than signing using elliptic curves or RSA. Nettle currently implements the four SLH-DSA variants designed for "128-bit security": There's the choice of either SHA256 (in the SHA2 family) or SHAKE256 (in the SHA3 family) as the underlying hash function. For either hash function, there's a "small" variant with smaller signature size and slower signing (but faster verify operation, since verify time depends directly on the signature size), and a "fast" variant with faster signing time, larger signatures (and a slower verify operation). Both the private and public keys are of the same size, and each consists of two halves. It's somewhat peculiar that the public key is not derived deterministically from the private key, instead, the first half of the public key is a random seed value that should be generated independently of the private key, while the second half is the Merkle tree root hash that depends both on the private key and this public seed. Nettle defines SLH-DSA in ‘nettle/slh-dsa.h’. -- Constant: SLH_DSA_128_KEY_SIZE Size in octets of public and private keys, 32, for SLH-DSA with 128-bit security level. -- Constant: SLH_DSA_128_SEED_SIZE Size in octets of the "seed" half of a private or public key, 16. -- Constant: SLH_DSA_128S_SIGNATURE_SIZE Signature size in octets for SLH-DSA with 128-bit security and the "small" variant, 7856. -- Constant: SLH_DSA_128F_SIGNATURE_SIZE Signature size in octets for SLH-DSA with 128-bit security and the "fast" variant, 17088. -- Function: void slh_dsa_shake_128s_generate_keypair (uint8_t *PUB, uint8_t *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) -- Function: void slh_dsa_shake_128f_generate_keypair (uint8_t *PUB, uint8_t *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) -- Function: void slh_dsa_sha2_128s_generate_keypair (uint8_t *PUB, uint8_t *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) -- Function: void slh_dsa_sha2_128f_generate_keypair (uint8_t *PUB, uint8_t *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) Generate a new keypair, public key stored at PUB, private key stored at KEY, both of size ‘SLH_DSA_128_KEY_SIZE’. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. -- Function: void slh_dsa_shake_128s_root (const uint8_t *PUBLIC_SEED, const uint8_t *PRIVATE_SEED, uint8_t *ROOT) -- Function: void slh_dsa_shake_128f_root (const uint8_t *PUBLIC_SEED, const uint8_t *PRIVATE_SEED, uint8_t *ROOT) -- Function: void slh_dsa_sha2_128s_root (const uint8_t *PUBLIC_SEED, const uint8_t *PRIVATE_SEED, uint8_t *ROOT) -- Function: void slh_dsa_sha2_128f_root (const uint8_t *PUBLIC_SEED, const uint8_t *PRIVATE_SEED, uint8_t *ROOT) Perform the deterministic part of key generation. PUBLIC_SEED and PRIVATE_SEED are the first halves of respective key. ROOT, the output of this function, is the second half of the public key, i.e., typically called with ROOT = PUBLIC_SEED + ‘SLH_DSA_128_SEED_SIZE’. -- Function: void slh_dsa_shake_128s_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) -- Function: void slh_dsa_shake_128f_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) -- Function: void slh_dsa_sha2_128s_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) -- Function: void slh_dsa_sha2_128f_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) Signs a message using the provided key pair. The size of the resulting signature is ‘SLH_DSA_128S_SIGNATURE_SIZE’ or ‘SLH_DSA_128F_SIGNATURE_SIZE’ for respective functions. -- Function: int slh_dsa_shake_128s_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) -- Function: int slh_dsa_shake_128f_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) -- Function: int slh_dsa_sha2_128s_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) -- Function: int slh_dsa_sha2_128f_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.  File: nettle.info, Node: Randomness, Next: ASCII encoding, Prev: Public-key algorithms, Up: Reference 4.8 Randomness ============== A crucial ingredient in many cryptographic contexts is randomness: Let ‘p’ be a random prime, choose a random initialization vector ‘iv’, a random key ‘k’ and a random exponent ‘e’, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain. Building a good randomness source is subtle, in particular if your program may run inside several layers of virtualization. Today, most operating system provides a good randomness source, e.g., ‘/dev/random’ and the ‘getrandom’ syscall on GNU/Linux. Please use that, possibly in combination with a KDF! If for some reason that is not possible and you _have_ to roll your own, the rest of this section provides some advice. In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name. However, such a generator is inadequate for cryptography, for at least two reasons: • It's too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that's far too easy. For example, if the process id is 16 bits, the resolution of "current time" is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. • The generator output reveals too much. By observing only a small segment of the generator's output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. A randomness generator that is used for cryptographic purposes must have better properties. Let's first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what's unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called "entropy", or "conditional entropy" (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask ‘n’ yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can't guess the seed correctly, then the conditional entropy is more than ‘n’ bits. Let's look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or "unguessability" to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are: High resolution timing of i/o activities Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it's one of the better randomness source one can find in a digital, mostly predictable, computer. User activity Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially. Audio input Any room, or even a microphone input that's left unconnected, is a source of some random background noise, which can be fed into the seeding process. Specialized hardware Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. Secret information Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once. For all practical sources, it's difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can't observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? So let's assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). How do we generate output from this seed, and how much can we get? Some generators (notably older versions of the Linux ‘/dev/random’ generator) tries to estimate available entropy and restrict the amount of output. The goal was that if you read 512 bits from ‘/dev/random’, you should get 512 "truly random" bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn't matter much. For most application, there's no limit on the amount of useful "random" data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let's call it the generator's key. The key is initialized from the unguessable seed. Important properties of a generator are: “Key-hiding” An attacker observing the output should not be able to recover the generator's key. “Independence of outputs” Observing some of the output should not help the attacker to guess previous or future output. “Forward secrecy” Even if an attacker compromises the generator's key, he should not be able to guess the generator output _before_ the key compromise. “Recovery from key compromise” If an attacker compromises the generator's key, he can compute _all_ future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time ‘t_1’, there is another later time ‘t_2’, such that if the attacker observes all output generated between ‘t_1’ and ‘t_2’, he still can't guess what output is generated after ‘t_2’. Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. ChaCha (*note ChaCha::), like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality. There's no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. Historically ARCFOUR (*note Arcfour::) has been used as a randomness generator, however it is known to be distinguishable from random data and the output leaks information about the key. The "lagged Fibonacci" generator in ‘’ is a fast generator with good statistical properties, but is *not* for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. The recommended generator to use is Yarrow, described below. 4.8.1 Yarrow ------------ Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at , and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits. Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later. Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness "pools", referred to as the "slow pool" and the "fast pool". Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a "fast reseed" happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a "slow reseed" takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise. The output is generated by using AES to encrypt a counter, using the generator's current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy. Yarrow can also use a “seed file” to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. Nettle defines Yarrow-256 in ‘’. -- Context struct: struct yarrow256_ctx -- Context struct: struct yarrow_source Information about a single source. -- Constant: YARROW256_SEED_FILE_SIZE Recommended size of the Yarrow-256 seed file. -- Function: void yarrow256_init (struct yarrow256_ctx *CTX, unsigned NSOURCES, struct yarrow_source *SOURCES) Initializes the yarrow context, and its NSOURCES sources. It's possible to call it with NSOURCES=0 and SOURCES=NULL, if you don't need the update features. -- Function: void yarrow256_seed (struct yarrow256_ctx *CTX, size_t LENGTH, uint8_t *SEED_FILE) Seeds Yarrow-256 from a previous seed file. LENGTH should be at least ‘YARROW256_SEED_FILE_SIZE’, but it can be larger. The generator will trust you that the SEED_FILE data really is unguessable. After calling this function, you _must_ overwrite the old seed file with newly generated data from ‘yarrow256_random’. If it's possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. -- Function: int yarrow256_update (struct yarrow256_ctx *CTX, unsigned SOURCE, unsigned ENTROPY, size_t LENGTH, const uint8_t *DATA) Updates the generator with data from source SOURCE (an index that must be smaller than the number of sources). ENTROPY is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero ENTROPY is always safe, no matter if the data is random or not. Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with ‘yarrow256_random’ and overwrite the seed file. Otherwise, the function returns 0. -- Function: void yarrow256_random (struct yarrow256_ctx *CTX, size_t LENGTH, uint8_t *DST) Generates LENGTH octets of output. The generator must be seeded before you call this function. If you don't need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time. -- Function: int yarrow256_is_seeded (struct yarrow256_ctx *CTX) Returns 1 if the generator is seeded and ready to generate output, otherwise 0. -- Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *CTX) Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded. -- Function: void yarrow256_fast_reseed (struct yarrow256_ctx *CTX) -- Function: void yarrow256_slow_reseed (struct yarrow256_ctx *CTX) Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care. Nettle includes an entropy estimator for one kind of input source: User keyboard input. -- Context struct: struct yarrow_key_event_ctx Information about recent key events. -- Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *CTX) Initializes the context. -- Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *CTX, unsigned KEY, unsigned TIME) KEY is the id of the key (ASCII value, hardware key code, X keysym, ..., it doesn't matter), and TIME is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, TIME should be provided in units of microseconds. But if you use ‘gettimeofday’ on a typical Unix system where the clock ticks 10 or so microseconds at a time, TIME should be given in units of 10 microseconds. Returns an entropy estimate, in bits, suitable for calling ‘yarrow256_update’. Usually, 0, 1 or 2 bits. 4.8.2 DRBG-CTR -------------- The Deterministic Random Bit Generator (DRBG) family is a complex family of deterministic randomness generators published by NIST in SP 800-90A. We support what we believe is the reasonable parts of the CTR_DRBG algorithm for AES256. Re-seeding, personalization strings, derivation functions and support for non-AES256 is not implemented. Re-seeding and personalization strings can be implemented by the caller, if desired. To implement re-seeding, use ‘drbg_ctr_aes256_update’. Similarly, personalization strings can be implemented with ‘memxor’. If you need entropy derivation, we suggest that you use Yarrow instead. The security bounds of DRBG-CTR are not intuitive, see "Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator" by Matthew J. Campagna, from . Our suggested use-case for DRBG-CTR is to deterministically generate known values from a seed when comparing against expected values for some other algorithm. Nettle defines DRBG-CTR in ‘’. -- Context struct: struct drbg_ctr_aes256_ctx -- Constant: DRBG_CTR_AES256_SEED_SIZE The size of the seeding material. -- Function: void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *CTX, uint8_t *SEED_MATERIAL) Initialize the DRBG-CTR-AES256 context using ‘DRBG_CTR_AES256_SEED_SIZE’ bytes of SEED_MATERIAL. -- Function: void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *CTX, size_t n, uint8_t *DST) Generates N octets of output into DST. The generator must be initialized before you call this function. -- Function: void drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *CTX, const uint8_t *PROVIDED_DATA) Updates the internal state of CTX with PROVIDED_DATA, which is either NULL or a pointer to data of ‘DRBG_CTR_AES256_SEED_SIZE’ octets. This function is used for re-seeding.  File: nettle.info, Node: ASCII encoding, Next: Miscellaneous functions, Prev: Randomness, Up: Reference 4.9 ASCII encoding ================== Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). The base64 encoding will always use alphanumeric (upper and lower case) characters and the '+', '/' and '=' symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There's also a "URL safe" variant, which is useful for encoding binary data into URLs and filenames. See ‘RFC 4648’. The base16 encoding, also known as "hexadecimal", uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn't need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. The following functions can be used to perform base64 encoding and decoding. They are defined in ‘’. -- Context struct: struct base64_encode_ctx -- Function: void base64_encode_init (struct base64_encode_ctx *CTX) -- Function: void base64url_encode_init (struct base64_encode_ctx *CTX) Initializes a base64 context. This is necessary before starting an encoding session. ‘base64_encode_init’ selects the standard base64 alphabet, while ‘base64url_encode_init’ selects the URL safe alphabet. -- Function: size_t base64_encode_single (struct base64_encode_ctx *CTX, uint8_t *DST, uint8_t SRC) Encodes a single byte. Returns amount of output (always 1 or 2). -- Macro: BASE64_ENCODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base64_encode_update’. -- Function: size_t base64_encode_update (struct base64_encode_ctx *CTX, uint8_t *DST, size_t LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to encode LENGTH bytes from SRC. The result will be placed in DST, and the return value will be the number of bytes generated. Note that DST must be at least of size BASE64_ENCODE_LENGTH(LENGTH). -- Constant: BASE64_ENCODE_FINAL_LENGTH The maximum amount of output from ‘base64_encode_final’. -- Function: size_t base64_encode_final (struct base64_encode_ctx *CTX, uint8_t *DST) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated. -- Context struct: struct base64_decode_ctx -- Function: void base64_decode_init (struct base64_decode_ctx *CTX) -- Function: void base64url_decode_init (struct base64_decode_ctx *CTX) Initializes a base64 decoding context. This is necessary before starting a decoding session. ‘base64_decode_init’ selects the standard base64 alphabet, while ‘base64url_decode_init’ selects the URL safe alphabet. -- Function: int base64_decode_single (struct base64_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) Decodes a single byte (SRC) and stores the result in DST. Returns amount of output (0 or 1), or -1 on errors. -- Macro: BASE64_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base64_decode_update’. -- Function: void base64_decode_update (struct base64_decode_ctx *CTX, size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to decode SRC_LENGTH bytes from SRC. The buffer pointed to by DST must be of size *DST_LENGTH, and the amount of data actually generated is returned in *DST_LENGTH. Fails if DST_LENGTH is too small; using a buffer of size BASE64_DECODE_LENGTH(SRC_LENGTH) is always sufficient. Returns 1 on success and 0 on error. -- Function: int base64_decode_final (struct base64_decode_ctx *CTX) Check that final padding is correct. Returns 1 on success, and 0 on error. Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in ‘’. Note that there is no encoding context necessary for doing base16 encoding. -- Function: void base16_encode_single (uint8_t *DST, uint8_t SRC) Encodes a single byte. Always stores two digits in DST[0] and DST[1]. -- Macro: BASE16_ENCODE_LENGTH (LENGTH) The number of output bytes when passing LENGTH input bytes to ‘base16_encode_update’. -- Function: void base16_encode_update (uint8_t *DST, size_t LENGTH, const uint8_t *SRC) Always stores BASE16_ENCODE_LENGTH(LENGTH) digits in DST. -- Context struct: struct base16_decode_ctx -- Function: void base16_decode_init (struct base16_decode_ctx *CTX) Initializes a base16 decoding context. This is necessary before starting a decoding session. -- Function: int base16_decode_single (struct base16_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) Decodes a single byte from SRC into DST. Returns amount of output (0 or 1), or -1 on errors. -- Macro: BASE16_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base16_decode_update’. -- Function: int base16_decode_update (struct base16_decode_ctx *CTX, size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to decode SRC_LENGTH bytes from SRC. The buffer pointed to by DST must be of size *DST_LENGTH, and the amount of data actually generated is returned in *DST_LENGTH. Fails if DST_LENGTH is too small; using a buffer of size BASE16_DECODE_LENGTH(SRC_LENGTH) is always sufficient. Returns 1 on success and 0 on error. -- Function: int base16_decode_final (struct base16_decode_ctx *CTX) Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error.  File: nettle.info, Node: Miscellaneous functions, Prev: ASCII encoding, Up: Reference 4.10 Miscellaneous functions ============================ -- Function: void * memxor (void *DST, const void *SRC, size_t N) XORs the source area on top of the destination area. The interface doesn't follow the Nettle conventions, because it is intended to be similar to the ANSI-C ‘memcpy’ function. -- Function: void * memxor3 (void *DST, const void *A, const void *B, size_t N) Like ‘memxor’, but takes two source areas and separate destination area. -- Function: int memeql_sec (const void *A, const void *B, size_t N) Side-channel silent comparison of the N bytes at A and B. I.e., instructions executed and memory accesses are identical no matter where the areas differ, *note Side-channel silence::. Return non-zero if the areas are equal, and zero if they differ. These functions are declared in ‘’. For compatibility with earlier versions of Nettle, ‘memxor’ and ‘memxor3’ are also declared in ‘’.  File: nettle.info, Node: Nettle soup, Next: Installation, Prev: Reference, Up: Top 5 Traditional Nettle Soup ************************* For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. 1 liter fresh nettles (urtica dioica) 2 tablespoons butter 3 tablespoons flour 1 liter stock (meat or vegetable) 1/2 teaspoon salt a tad white pepper some cream or milk Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper. Serve with boiled egg-halves.  File: nettle.info, Node: Installation, Next: Index, Prev: Nettle soup, Up: Top 6 Installation ************** Nettle uses ‘autoconf’, and the generated Makefile requires GNU make. To build Nettle, unpack the source and run ./configure make make check make install to install it under the default prefix, ‘/usr/local’. By default, both static and shared libraries are built and installed. To get a list of configure options, use ‘./configure --help’. Some of the more interesting are: ‘--prefix’ Change install location. ‘--disable-fat’ Disable run-time detection of available processor features. Additional configure options can be used to select which features to require. ‘--enable-mini-gmp’ Use the smaller and slower "mini-gmp" implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are *not* binary compatible with regular builds of Nettle, and more likely to leak side-channel information. ‘--disable-shared’ Omit building the shared libraries.  File: nettle.info, Node: Index, Prev: Installation, Up: Top Function and Concept Index ************************** [index] * Menu: * 3DES: DES3. (line 6) * ABI compatibility: Compatibility. (line 6) * AEAD: Authenticated encryption. (line 6) * AES: AES. (line 6) * aes128_decrypt: AES. (line 71) * aes128_encrypt: AES. (line 60) * aes128_invert_key: AES. (line 45) * aes128_set_decrypt_key: AES. (line 33) * aes128_set_encrypt_key: AES. (line 31) * aes192_decrypt: AES. (line 73) * aes192_encrypt: AES. (line 62) * aes192_invert_key: AES. (line 47) * aes192_set_decrypt_key: AES. (line 37) * aes192_set_encrypt_key: AES. (line 35) * aes256_decrypt: AES. (line 75) * aes256_encrypt: AES. (line 64) * aes256_invert_key: AES. (line 49) * aes256_set_decrypt_key: AES. (line 41) * aes256_set_encrypt_key: AES. (line 39) * API compatibility: Compatibility. (line 6) * Arcfour: Arcfour. (line 6) * arcfour_crypt: Arcfour. (line 59) * arcfour_set_key: Arcfour. (line 54) * Arctwo: Arctwo. (line 6) * arctwo_decrypt: Arctwo. (line 60) * arctwo_encrypt: Arctwo. (line 53) * arctwo_set_key: Arctwo. (line 37) * arctwo_set_key_ekb: Arctwo. (line 35) * arctwo_set_key_gutmann: Arctwo. (line 39) * Authenticated encryption: Authenticated encryption. (line 6) * balloon: Key derivation functions. (line 181) * Balloon password-hashing algorithm: Key derivation functions. (line 150) * balloon_itch: Key derivation functions. (line 194) * balloon_sha1: Key derivation functions. (line 208) * balloon_sha256: Key derivation functions. (line 216) * balloon_sha384: Key derivation functions. (line 224) * balloon_sha512: Key derivation functions. (line 232) * base16_decode_final: ASCII encoding. (line 145) * base16_decode_init: ASCII encoding. (line 122) * BASE16_DECODE_LENGTH: ASCII encoding. (line 131) * base16_decode_single: ASCII encoding. (line 126) * base16_decode_update: ASCII encoding. (line 135) * BASE16_ENCODE_LENGTH: ASCII encoding. (line 112) * base16_encode_single: ASCII encoding. (line 108) * base16_encode_update: ASCII encoding. (line 116) * base64_decode_final: ASCII encoding. (line 100) * base64_decode_init: ASCII encoding. (line 74) * BASE64_DECODE_LENGTH: ASCII encoding. (line 86) * base64_decode_single: ASCII encoding. (line 81) * base64_decode_update: ASCII encoding. (line 90) * base64_encode_final: ASCII encoding. (line 65) * base64_encode_init: ASCII encoding. (line 40) * BASE64_ENCODE_LENGTH: ASCII encoding. (line 51) * base64_encode_single: ASCII encoding. (line 47) * base64_encode_update: ASCII encoding. (line 55) * base64url_decode_init: ASCII encoding. (line 75) * base64url_encode_init: ASCII encoding. (line 41) * Binary compatibility: Compatibility. (line 6) * Block Cipher: Cipher functions. (line 12) * Blowfish: Blowfish. (line 6) * blowfish_bcrypt_hash: Blowfish. (line 45) * blowfish_bcrypt_verify: Blowfish. (line 85) * blowfish_decrypt: Blowfish. (line 41) * blowfish_encrypt: Blowfish. (line 34) * blowfish_set_key: Blowfish. (line 24) * Camellia: Camellia. (line 6) * camellia_crypt: Camellia. (line 86) * camellia_invert_key: Camellia. (line 72) * camellia_set_decrypt_key: Camellia. (line 62) * camellia_set_encrypt_key: Camellia. (line 60) * camellia128_crypt: Camellia. (line 80) * camellia128_invert_key: Camellia. (line 66) * camellia128_set_decrypt_key: Camellia. (line 50) * camellia128_set_encrypt_key: Camellia. (line 48) * camellia192_crypt: Camellia. (line 82) * camellia192_invert_key: Camellia. (line 68) * camellia192_set_decrypt_key: Camellia. (line 54) * camellia192_set_encrypt_key: Camellia. (line 52) * camellia256_crypt: Camellia. (line 84) * camellia256_invert_key: Camellia. (line 70) * camellia256_set_decrypt_key: Camellia. (line 58) * camellia256_set_encrypt_key: Camellia. (line 56) * CAST: CAST128. (line 6) * cast128_decrypt: CAST128. (line 41) * cast128_encrypt: CAST128. (line 34) * cast128_set_key: CAST128. (line 29) * cast5_set_key: CAST128. (line 45) * CBC Mode: CBC. (line 6) * cbc_aes128_encrypt: CBC. (line 103) * cbc_aes192_encrypt: CBC. (line 105) * cbc_aes256_encrypt: CBC. (line 107) * CBC_CTX: CBC. (line 55) * cbc_decrypt: CBC. (line 35) * CBC_DECRYPT: CBC. (line 76) * cbc_encrypt: CBC. (line 32) * CBC_ENCRYPT: CBC. (line 75) * CBC_SET_IV: CBC. (line 70) * CCM Mode: CCM. (line 6) * ccm_aes128_decrypt: CCM. (line 216) * ccm_aes128_decrypt_message: CCM. (line 248) * ccm_aes128_digest: CCM. (line 225) * ccm_aes128_encrypt: CCM. (line 210) * ccm_aes128_encrypt_message: CCM. (line 236) * ccm_aes128_set_key: CCM. (line 179) * ccm_aes128_set_nonce: CCM. (line 189) * ccm_aes128_update: CCM. (line 201) * ccm_aes192_decrypt: CCM. (line 218) * ccm_aes192_decrypt_message: CCM. (line 252) * ccm_aes192_digest: CCM. (line 227) * ccm_aes192_encrypt: CCM. (line 212) * ccm_aes192_encrypt_message: CCM. (line 240) * ccm_aes192_set_key: CCM. (line 181) * ccm_aes192_set_nonce: CCM. (line 192) * ccm_aes192_update: CCM. (line 203) * ccm_aes256_decrypt: CCM. (line 220) * ccm_aes256_decrypt_message: CCM. (line 256) * ccm_aes256_digest: CCM. (line 229) * ccm_aes256_encrypt: CCM. (line 214) * ccm_aes256_encrypt_message: CCM. (line 244) * ccm_aes256_set_key: CCM. (line 183) * ccm_aes256_set_nonce: CCM. (line 195) * ccm_aes256_update: CCM. (line 205) * ccm_decrypt: CCM. (line 100) * ccm_decrypt_message: CCM. (line 147) * ccm_digest: CCM. (line 108) * ccm_encrypt: CCM. (line 97) * ccm_encrypt_message: CCM. (line 139) * CCM_MAX_MSG_SIZE: CCM. (line 81) * ccm_set_nonce: CCM. (line 85) * ccm_update: CCM. (line 91) * CFB Modes: CFB and CFB8. (line 6) * CFB_CTX: CFB and CFB8. (line 86) * cfb_decrypt: CFB and CFB8. (line 55) * CFB_DECRYPT: CFB and CFB8. (line 105) * cfb_encrypt: CFB and CFB8. (line 52) * CFB_ENCRYPT: CFB and CFB8. (line 98) * CFB_SET_IV(CTX,: CFB and CFB8. (line 93) * CFB8 Mode: CFB and CFB8. (line 6) * CFB8_CTX: CFB and CFB8. (line 112) * cfb8_decrypt: CFB and CFB8. (line 73) * CFB8_DECRYPT: CFB and CFB8. (line 131) * cfb8_encrypt: CFB and CFB8. (line 70) * CFB8_ENCRYPT: CFB and CFB8. (line 124) * CFB8_SET_IV: CFB and CFB8. (line 119) * ChaCha: ChaCha. (line 6) * chacha_crypt: ChaCha. (line 44) * chacha_crypt32: ChaCha. (line 76) * chacha_poly1305_decrypt: ChaCha-Poly1305. (line 63) * chacha_poly1305_digest: ChaCha-Poly1305. (line 69) * chacha_poly1305_encrypt: ChaCha-Poly1305. (line 61) * chacha_poly1305_set_key: ChaCha-Poly1305. (line 48) * chacha_poly1305_set_nonce: ChaCha-Poly1305. (line 53) * chacha_poly1305_update: ChaCha-Poly1305. (line 57) * chacha_set_counter: ChaCha. (line 36) * chacha_set_counter32: ChaCha. (line 70) * chacha_set_key: ChaCha. (line 24) * chacha_set_nonce: ChaCha. (line 30) * chacha_set_nonce96: ChaCha. (line 65) * Cipher: Cipher functions. (line 6) * Cipher Block Chaining: CBC. (line 6) * Cipher Feedback 8-bit Mode: CFB and CFB8. (line 6) * Cipher Feedback Mode: CFB and CFB8. (line 6) * CMAC: CMAC. (line 6) * cmac_aes128_digest: CMAC. (line 33) * cmac_aes128_set_key: CMAC. (line 25) * cmac_aes128_update: CMAC. (line 29) * cmac_aes256_digest: CMAC. (line 47) * cmac_aes256_set_key: CMAC. (line 39) * cmac_aes256_update: CMAC. (line 43) * cmac_des3_digest: CMAC. (line 66) * cmac_des3_set_key: CMAC. (line 58) * cmac_des3_update: CMAC. (line 62) * CMAC-128: CMAC. (line 6) * CMAC-64: CMAC. (line 6) * Collision-resistant: Hash functions. (line 18) * Conditional entropy: Randomness. (line 58) * Counter Mode: CTR. (line 6) * Counter with CBC-MAC Mode: CCM. (line 6) * CTR Mode: CTR. (line 6) * ctr_crypt: CTR. (line 33) * CTR_CRYPT: CTR. (line 60) * CTR_CTX: CTR. (line 48) * CTR_SET_COUNTER: CTR. (line 55) * Curve 25519: Curve 25519 and Curve 448. (line 6) * Curve 448: Curve 25519 and Curve 448. (line 6) * curve25519_mul: Curve 25519 and Curve 448. (line 60) * curve25519_mul_g: Curve 25519 and Curve 448. (line 51) * curve448_mul: Curve 25519 and Curve 448. (line 91) * curve448_mul_g: Curve 25519 and Curve 448. (line 82) * DES: DES. (line 6) * des_check_parity: DES. (line 47) * des_decrypt: DES. (line 43) * des_encrypt: DES. (line 36) * des_fix_parity: DES. (line 51) * des_set_key: DES. (line 29) * DES3: DES3. (line 6) * des3_decrypt: DES3. (line 65) * des3_encrypt: DES3. (line 58) * des3_set_key: DES3. (line 47) * Digital signatures: Public-key algorithms. (line 6) * drbg_ctr_aes256_init: Randomness. (line 343) * drbg_ctr_aes256_random: Randomness. (line 348) * drbg_ctr_aes256_update: Randomness. (line 353) * dsa_generate_keypair: DSA. (line 199) * dsa_generate_params: DSA. (line 131) * dsa_params: DSA. (line 122) * dsa_params_clear: DSA. (line 128) * dsa_params_init: DSA. (line 125) * dsa_sign: DSA. (line 178) * dsa_signature: DSA. (line 165) * dsa_signature_clear: DSA. (line 169) * dsa_signature_init: DSA. (line 168) * dsa_verify: DSA. (line 190) * eax_aes128_decrypt: EAX. (line 134) * eax_aes128_digest: EAX. (line 140) * eax_aes128_encrypt: EAX. (line 132) * eax_aes128_set_key: EAX. (line 118) * eax_aes128_set_nonce: EAX. (line 122) * eax_aes128_update: EAX. (line 126) * EAX_CTX: EAX. (line 79) * eax_decrypt: EAX. (line 60) * EAX_DECRYPT: EAX. (line 103) * eax_digest: EAX. (line 68) * EAX_DIGEST: EAX. (line 106) * eax_encrypt: EAX. (line 57) * EAX_ENCRYPT: EAX. (line 102) * eax_set_key: EAX. (line 36) * EAX_SET_KEY: EAX. (line 92) * eax_set_nonce: EAX. (line 42) * EAX_SET_NONCE: EAX. (line 96) * eax_update: EAX. (line 48) * EAX_UPDATE: EAX. (line 99) * ecc_point_clear: ECDSA. (line 36) * ecc_point_get: ECDSA. (line 47) * ecc_point_init: ECDSA. (line 30) * ecc_point_set: ECDSA. (line 39) * ecc_scalar_clear: ECDSA. (line 62) * ecc_scalar_get: ECDSA. (line 69) * ecc_scalar_init: ECDSA. (line 57) * ecc_scalar_set: ECDSA. (line 65) * ecdsa_generate_keypair: ECDSA. (line 93) * ecdsa_sign: ECDSA. (line 75) * ecdsa_verify: ECDSA. (line 84) * ed25519_sha512_public_key: Curve 25519 and Curve 448. (line 131) * ed25519_sha512_sign: Curve 25519 and Curve 448. (line 136) * ed25519_sha512_verify: Curve 25519 and Curve 448. (line 141) * ed448_shake256_public_key: Curve 25519 and Curve 448. (line 155) * ed448_shake256_sign: Curve 25519 and Curve 448. (line 160) * ed448_shake256_verify: Curve 25519 and Curve 448. (line 165) * eddsa: Curve 25519 and Curve 448. (line 104) * Entropy: Randomness. (line 58) * Galois Counter Mode: GCM. (line 6) * GCM: GCM. (line 6) * gcm_aes128_decrypt: GCM. (line 172) * gcm_aes128_digest: GCM. (line 182) * gcm_aes128_encrypt: GCM. (line 166) * gcm_aes128_set_iv: GCM. (line 147) * gcm_aes128_set_key: GCM. (line 139) * gcm_aes128_update: GCM. (line 155) * gcm_aes192_decrypt: GCM. (line 174) * gcm_aes192_digest: GCM. (line 184) * gcm_aes192_encrypt: GCM. (line 168) * gcm_aes192_set_iv: GCM. (line 149) * gcm_aes192_set_key: GCM. (line 141) * gcm_aes192_update: GCM. (line 157) * gcm_aes256_decrypt: GCM. (line 176) * gcm_aes256_digest: GCM. (line 186) * gcm_aes256_encrypt: GCM. (line 170) * gcm_aes256_set_iv: GCM. (line 151) * gcm_aes256_set_key: GCM. (line 143) * gcm_aes256_update: GCM. (line 159) * gcm_camellia_digest: GCM. (line 240) * gcm_camellia128_decrypt: GCM. (line 226) * gcm_camellia128_digest: GCM. (line 234) * gcm_camellia128_encrypt: GCM. (line 222) * gcm_camellia128_set_iv: GCM. (line 207) * gcm_camellia128_set_key: GCM. (line 201) * gcm_camellia128_update: GCM. (line 213) * gcm_camellia192_digest: GCM. (line 236) * gcm_camellia256_decrypt: GCM. (line 228) * gcm_camellia256_digest: GCM. (line 238) * gcm_camellia256_encrypt: GCM. (line 224) * gcm_camellia256_set_iv: GCM. (line 209) * gcm_camellia256_set_key: GCM. (line 203) * gcm_camellia256_update: GCM. (line 215) * GCM_CTX: GCM. (line 93) * gcm_decrypt: GCM. (line 65) * GCM_DECRYPT: GCM. (line 122) * gcm_digest: GCM. (line 73) * GCM_DIGEST: GCM. (line 123) * gcm_encrypt: GCM. (line 62) * GCM_ENCRYPT: GCM. (line 121) * gcm_set_iv: GCM. (line 50) * GCM_SET_IV: GCM. (line 113) * gcm_set_key: GCM. (line 44) * GCM_SET_KEY: GCM. (line 108) * gcm_sm4_decrypt: GCM. (line 271) * gcm_sm4_digest: GCM. (line 277) * gcm_sm4_encrypt: GCM. (line 269) * gcm_sm4_set_iv: GCM. (line 258) * gcm_sm4_set_key: GCM. (line 254) * gcm_sm4_update: GCM. (line 262) * gcm_update: GCM. (line 55) * GCM_UPDATE: GCM. (line 117) * GOST DSA: GOSTDSA. (line 6) * GOST hash: Legacy hash functions. (line 192) * gostdsa_sign: GOSTDSA. (line 30) * gostdsa_verify: GOSTDSA. (line 39) * gostdsa_vko: GOSTDSA. (line 68) * gosthash94_digest: Legacy hash functions. (line 217) * gosthash94_init: Legacy hash functions. (line 210) * gosthash94_update: Legacy hash functions. (line 213) * gosthash94cp_digest: Legacy hash functions. (line 240) * gosthash94cp_init: Legacy hash functions. (line 233) * gosthash94cp_update: Legacy hash functions. (line 236) * Hash function: Hash functions. (line 6) * HKDF: Key derivation functions. (line 16) * hkdf_expand: Key derivation functions. (line 42) * hkdf_extract: Key derivation functions. (line 29) * HMAC: HMAC. (line 6) * hmac_md5_digest: HMAC. (line 37) * hmac_md5_set_key: HMAC. (line 29) * hmac_md5_update: HMAC. (line 33) * hmac_ripemd160_digest: HMAC. (line 57) * hmac_ripemd160_set_key: HMAC. (line 49) * hmac_ripemd160_update: HMAC. (line 53) * hmac_sha1_digest: HMAC. (line 77) * hmac_sha1_set_key: HMAC. (line 69) * hmac_sha1_update: HMAC. (line 73) * hmac_sha256_digest: HMAC. (line 97) * hmac_sha256_set_key: HMAC. (line 89) * hmac_sha256_update: HMAC. (line 93) * hmac_sha512_digest: HMAC. (line 117) * hmac_sha512_set_key: HMAC. (line 109) * hmac_sha512_update: HMAC. (line 113) * hmac_sm3_digest: HMAC. (line 137) * hmac_sm3_set_key: HMAC. (line 129) * hmac_sm3_update: HMAC. (line 133) * KDF: Key derivation functions. (line 58) * Key Derivation Function: Key derivation functions. (line 6) * Keyed Hash Function: Keyed hash functions. (line 6) * MAC: Keyed hash functions. (line 6) * md2_digest: Legacy hash functions. (line 82) * md2_init: Legacy hash functions. (line 75) * md2_update: Legacy hash functions. (line 78) * md4_digest: Legacy hash functions. (line 113) * md4_init: Legacy hash functions. (line 106) * md4_update: Legacy hash functions. (line 109) * md5_compress: Legacy hash functions. (line 46) * md5_digest: Legacy hash functions. (line 39) * md5_init: Legacy hash functions. (line 32) * md5_update: Legacy hash functions. (line 35) * memeql_sec: Miscellaneous functions. (line 16) * memxor: Miscellaneous functions. (line 6) * memxor3: Miscellaneous functions. (line 11) * Message Authentication Code: Keyed hash functions. (line 6) * nettle_aead: nettle_aead abstraction. (line 6) * nettle_aeads: nettle_aead abstraction. (line 33) * nettle_cipher: nettle_cipher abstraction. (line 6) * nettle_ciphers: nettle_cipher abstraction. (line 53) * nettle_get_aeads: nettle_aead abstraction. (line 28) * nettle_get_ciphers: nettle_cipher abstraction. (line 48) * nettle_get_gost_gc256b: GOSTDSA. (line 51) * nettle_get_gost_gc512a: GOSTDSA. (line 57) * nettle_get_hashes: nettle_hash abstraction. (line 35) * nettle_hash: nettle_hash abstraction. (line 6) * nettle_hashes: nettle_hash abstraction. (line 40) * OCB: OCB. (line 6) * OCB mode: OCB. (line 6) * ocb_aes128_decrypt: OCB. (line 151) * ocb_aes128_decrypt_message: OCB. (line 176) * ocb_aes128_digest: OCB. (line 159) * ocb_aes128_encrypt: OCB. (line 145) * ocb_aes128_encrypt_message: OCB. (line 167) * ocb_aes128_set_decrypt_key: OCB. (line 121) * ocb_aes128_set_encrypt_key: OCB. (line 117) * ocb_aes128_set_nonce: OCB. (line 129) * ocb_aes128_update: OCB. (line 138) * ocb_decrypt: OCB. (line 64) * ocb_decrypt_message: OCB. (line 94) * ocb_digest: OCB. (line 75) * ocb_encrypt: OCB. (line 56) * ocb_encrypt_message: OCB. (line 84) * ocb_set_key: OCB. (line 34) * ocb_set_nonce: OCB. (line 40) * ocb_update: OCB. (line 49) * Offset Code Book: OCB. (line 6) * One-way: Hash functions. (line 14) * Password Based Key Derivation Function: Key derivation functions. (line 58) * PBKDF: Key derivation functions. (line 58) * pbkdf2: Key derivation functions. (line 68) * PBKDF2: Key derivation functions. (line 84) * pbkdf2_hmac_sha1: Key derivation functions. (line 103) * pbkdf2_hmac_sha256: Key derivation functions. (line 114) * pbkdf2_hmac_sha384: Key derivation functions. (line 126) * pbkdf2_hmac_sha512: Key derivation functions. (line 138) * PKCS #5: Key derivation functions. (line 58) * poly1305_aes_digest: Poly1305. (line 56) * poly1305_aes_set_key: Poly1305. (line 43) * poly1305_aes_set_nonce: Poly1305. (line 47) * poly1305_aes_update: Poly1305. (line 52) * post-quantum: SLH-DSA. (line 6) * Public-key cryptography: Public-key algorithms. (line 6) * Randomness: Randomness. (line 6) * RC2: Arctwo. (line 6) * RC4: Arcfour. (line 6) * ripemd160_digest: Legacy hash functions. (line 144) * ripemd160_init: Legacy hash functions. (line 137) * ripemd160_update: Legacy hash functions. (line 140) * rsa_compute_root: RSA. (line 412) * rsa_compute_root_tr: RSA. (line 406) * rsa_decrypt: RSA. (line 335) * rsa_decrypt_tr: RSA. (line 344) * rsa_encrypt: RSA. (line 328) * rsa_generate_keypair: RSA. (line 418) * rsa_md5_sign: RSA. (line 203) * rsa_md5_sign_digest: RSA. (line 218) * rsa_md5_sign_digest_tr: RSA. (line 171) * rsa_md5_sign_tr: RSA. (line 146) * rsa_md5_verify: RSA. (line 244) * rsa_md5_verify_digest: RSA. (line 256) * rsa_oaep_sha256_decrypt: RSA. (line 382) * rsa_oaep_sha256_encrypt: RSA. (line 359) * rsa_oaep_sha384_decrypt: RSA. (line 387) * rsa_oaep_sha384_encrypt: RSA. (line 363) * rsa_oaep_sha512_decrypt: RSA. (line 392) * rsa_oaep_sha512_encrypt: RSA. (line 367) * rsa_pkcs1_sign: RSA. (line 234) * rsa_pkcs1_sign_tr: RSA. (line 194) * rsa_pkcs1_verify: RSA. (line 269) * rsa_private_key: RSA. (line 86) * rsa_private_key_clear: RSA. (line 104) * rsa_private_key_init: RSA. (line 97) * rsa_private_key_prepare: RSA. (line 117) * rsa_pss_sha256_sign_digest_tr: RSA. (line 291) * rsa_pss_sha256_verify_digest: RSA. (line 313) * rsa_pss_sha384_sign_digest_tr: RSA. (line 295) * rsa_pss_sha384_verify_digest: RSA. (line 316) * rsa_pss_sha512_sign_digest_tr: RSA. (line 299) * rsa_pss_sha512_verify_digest: RSA. (line 319) * rsa_public_key: RSA. (line 82) * rsa_public_key_clear: RSA. (line 103) * rsa_public_key_init: RSA. (line 96) * rsa_public_key_prepare: RSA. (line 116) * rsa_sha1_sign: RSA. (line 205) * rsa_sha1_sign_digest: RSA. (line 220) * rsa_sha1_sign_digest_tr: RSA. (line 175) * rsa_sha1_sign_tr: RSA. (line 150) * rsa_sha1_verify: RSA. (line 246) * rsa_sha1_verify_digest: RSA. (line 258) * rsa_sha256_sign: RSA. (line 207) * rsa_sha256_sign_digest: RSA. (line 222) * rsa_sha256_sign_digest_tr: RSA. (line 179) * rsa_sha256_sign_tr: RSA. (line 154) * rsa_sha256_verify: RSA. (line 248) * rsa_sha256_verify_digest: RSA. (line 260) * rsa_sha512_sign: RSA. (line 209) * rsa_sha512_sign_digest: RSA. (line 224) * rsa_sha512_sign_digest_tr: RSA. (line 183) * rsa_sha512_sign_tr: RSA. (line 158) * rsa_sha512_verify: RSA. (line 250) * rsa_sha512_verify_digest: RSA. (line 262) * Salsa20: Salsa20. (line 6) * salsa20_128_set_key: Salsa20. (line 49) * salsa20_256_set_key: Salsa20. (line 51) * salsa20_crypt: Salsa20. (line 69) * salsa20_set_key: Salsa20. (line 53) * salsa20_set_nonce: Salsa20. (line 63) * salsa20r12_crypt: Salsa20. (line 84) * Serpent: Serpent. (line 6) * serpent_decrypt: Serpent. (line 38) * serpent_encrypt: Serpent. (line 31) * serpent_set_key: Serpent. (line 26) * sha1_compress: Legacy hash functions. (line 182) * sha1_digest: Legacy hash functions. (line 175) * sha1_init: Legacy hash functions. (line 168) * sha1_update: Legacy hash functions. (line 171) * sha224_digest: Recommended hash functions. (line 71) * sha224_init: Recommended hash functions. (line 64) * sha224_update: Recommended hash functions. (line 67) * sha256_compress: Recommended hash functions. (line 40) * sha256_digest: Recommended hash functions. (line 32) * sha256_init: Recommended hash functions. (line 25) * sha256_update: Recommended hash functions. (line 28) * SHA3: Recommended hash functions. (line 178) * sha3_128_shake: Recommended hash functions. (line 330) * sha3_128_shake_output: Recommended hash functions. (line 337) * sha3_128_update: Recommended hash functions. (line 326) * sha3_224_digest: Recommended hash functions. (line 230) * sha3_224_update: Recommended hash functions. (line 226) * sha3_256_digest: Recommended hash functions. (line 253) * sha3_256_shake: Recommended hash functions. (line 347) * sha3_256_shake_output: Recommended hash functions. (line 354) * sha3_256_update: Recommended hash functions. (line 249) * sha3_384_digest: Recommended hash functions. (line 276) * sha3_384_update: Recommended hash functions. (line 272) * sha3_512_digest: Recommended hash functions. (line 299) * sha3_512_update: Recommended hash functions. (line 295) * sha3_init: Recommended hash functions. (line 194) * sha384_digest: Recommended hash functions. (line 167) * sha384_init: Recommended hash functions. (line 151) * sha384_update: Recommended hash functions. (line 158) * sha512_224_digest: Recommended hash functions. (line 163) * sha512_224_init: Recommended hash functions. (line 149) * sha512_224_update: Recommended hash functions. (line 154) * sha512_256_digest: Recommended hash functions. (line 165) * sha512_256_init: Recommended hash functions. (line 150) * sha512_256_update: Recommended hash functions. (line 156) * sha512_compress: Recommended hash functions. (line 112) * sha512_digest: Recommended hash functions. (line 104) * sha512_init: Recommended hash functions. (line 97) * sha512_update: Recommended hash functions. (line 100) * SHAKE: Recommended hash functions. (line 309) * Side-channel attack: Side-channel silence. (line 6) * SIV mode: SIV-CMAC. (line 6) * siv_cmac_aes128_decrypt_message: SIV-CMAC. (line 83) * siv_cmac_aes128_encrypt_message: SIV-CMAC. (line 70) * siv_cmac_aes128_set_key: SIV-CMAC. (line 62) * siv_cmac_aes256_decrypt_message: SIV-CMAC. (line 87) * siv_cmac_aes256_encrypt_message: SIV-CMAC. (line 74) * siv_cmac_aes256_set_key: SIV-CMAC. (line 64) * siv_gcm_aes128_decrypt_message: SIV-GCM. (line 87) * siv_gcm_aes128_encrypt_message: SIV-GCM. (line 74) * siv_gcm_aes256_decrypt_message: SIV-GCM. (line 91) * siv_gcm_aes256_encrypt_message: SIV-GCM. (line 78) * siv_gcm_decrypt_message: SIV-GCM. (line 41) * siv_gcm_encrypt_message: SIV-GCM. (line 32) * SIV-CMAC mode: SIV-CMAC. (line 6) * slh_dsa_sha2_128f_generate_keypair: SLH-DSA. (line 80) * slh_dsa_sha2_128f_root: SLH-DSA. (line 94) * slh_dsa_sha2_128f_sign: SLH-DSA. (line 111) * slh_dsa_sha2_128f_verify: SLH-DSA. (line 124) * slh_dsa_sha2_128s_generate_keypair: SLH-DSA. (line 78) * slh_dsa_sha2_128s_root: SLH-DSA. (line 92) * slh_dsa_sha2_128s_sign: SLH-DSA. (line 108) * slh_dsa_sha2_128s_verify: SLH-DSA. (line 122) * slh_dsa_shake_128f_generate_keypair: SLH-DSA. (line 76) * slh_dsa_shake_128f_root: SLH-DSA. (line 90) * slh_dsa_shake_128f_sign: SLH-DSA. (line 105) * slh_dsa_shake_128f_verify: SLH-DSA. (line 120) * slh_dsa_shake_128s_generate_keypair: SLH-DSA. (line 74) * slh_dsa_shake_128s_root: SLH-DSA. (line 88) * slh_dsa_shake_128s_sign: SLH-DSA. (line 102) * slh_dsa_shake_128s_verify: SLH-DSA. (line 118) * SLH-DSA: SLH-DSA. (line 6) * sm3_digest: Miscellaneous hash functions. (line 103) * sm3_init: Miscellaneous hash functions. (line 96) * sm3_update: Miscellaneous hash functions. (line 99) * SM4: SM4. (line 6) * sm4_crypt: SM4. (line 27) * sm4_set_decrypt_key: SM4. (line 23) * sm4_set_encrypt_key: SM4. (line 19) * SPHINCS+: SLH-DSA. (line 6) * Stream Cipher: Cipher functions. (line 12) * streebog256_digest: Miscellaneous hash functions. (line 60) * streebog256_init: Miscellaneous hash functions. (line 53) * streebog256_update: Miscellaneous hash functions. (line 56) * streebog512_digest: Miscellaneous hash functions. (line 29) * streebog512_init: Miscellaneous hash functions. (line 22) * streebog512_update: Miscellaneous hash functions. (line 25) * struct aes128_ctx: AES. (line 17) * struct aes192_ctx: AES. (line 18) * struct aes256_ctx: AES. (line 19) * struct arcfour_ctx: Arcfour. (line 43) * struct arctwo_ctx: Arctwo. (line 23) * struct base16_decode_ctx: ASCII encoding. (line 120) * struct base64_decode_ctx: ASCII encoding. (line 72) * struct base64_encode_ctx: ASCII encoding. (line 38) * struct blowfish_ctx: Blowfish. (line 10) * struct camellia_ctx: Camellia. (line 33) * struct camellia128_ctx: Camellia. (line 27) * struct camellia192_ctx: Camellia. (line 28) * struct camellia256_ctx: Camellia. (line 29) * struct cast128_ctx: CAST128. (line 14) * struct ccm_aes128_ctx: CCM. (line 167) * struct ccm_aes192_ctx: CCM. (line 171) * struct ccm_aes256_ctx: CCM. (line 175) * struct ccm_ctx: CCM. (line 64) * struct chacha_ctx: ChaCha. (line 10) * struct chacha_poly1305_ctx: ChaCha-Poly1305. (line 46) * struct cmac_aes128_ctx: CMAC. (line 19) * struct cmac_aes256_ctx: CMAC. (line 20) * struct cmac_des3_ctx: CMAC. (line 53) * struct des_ctx: DES. (line 21) * struct des3_ctx: DES3. (line 39) * struct drbg_ctr_aes256_ctx: Randomness. (line 338) * struct eax_aes128_ctx: EAX. (line 115) * struct eax_ctx: EAX. (line 27) * struct eax_key: EAX. (line 23) * struct ecc_point: ECDSA. (line 26) * struct ecc_scalar: ECDSA. (line 52) * struct gcm_aes128_ctx: GCM. (line 134) * struct gcm_aes192_ctx: GCM. (line 135) * struct gcm_aes256_ctx: GCM. (line 136) * struct gcm_camellia128_ctx: GCM. (line 197) * struct gcm_camellia256_ctx: GCM. (line 198) * struct gcm_ctx: GCM. (line 32) * struct gcm_key: GCM. (line 29) * struct gcm_sm4_ctx: GCM. (line 251) * struct gosthash94_ctx: Legacy hash functions. (line 202) * struct gosthash94cp_ctx: Legacy hash functions. (line 225) * struct hmac_md5_ctx: HMAC. (line 27) * struct hmac_ripemd160_ctx: HMAC. (line 47) * struct hmac_sha1_ctx: HMAC. (line 67) * struct hmac_sha256_ctx: HMAC. (line 87) * struct hmac_sha512_ctx: HMAC. (line 107) * struct hmac_sm3_ctx: HMAC. (line 127) * struct md2_ctx: Legacy hash functions. (line 67) * struct md4_ctx: Legacy hash functions. (line 98) * struct md5_ctx: Legacy hash functions. (line 23) * struct nettle_aead: nettle_aead abstraction. (line 9) * struct nettle_cipher: nettle_cipher abstraction. (line 11) * struct nettle_hash: nettle_hash abstraction. (line 10) * struct ocb_aes128_encrypt_key: OCB. (line 112) * struct ocb_ctx: OCB. (line 22) * struct ocb_key: OCB. (line 18) * struct poly1305_aes_ctx: Poly1305. (line 40) * struct ripemd160_ctx: Legacy hash functions. (line 129) * struct salsa20_ctx: Salsa20. (line 34) * struct serpent_ctx: Serpent. (line 12) * struct sha1_ctx: Legacy hash functions. (line 159) * struct sha224_ctx: Recommended hash functions. (line 55) * struct sha256_ctx: Recommended hash functions. (line 16) * struct sha3_ctx: Recommended hash functions. (line 190) * struct sha384_ctx: Recommended hash functions. (line 131) * struct sha512_224_ctx: Recommended hash functions. (line 129) * struct sha512_256_ctx: Recommended hash functions. (line 130) * struct sha512_ctx: Recommended hash functions. (line 88) * struct siv_cmac_aes128_ctx: SIV-CMAC. (line 54) * struct siv_cmac_aes256_ctx: SIV-CMAC. (line 58) * struct sm3_ctx: Miscellaneous hash functions. (line 87) * struct sm4_ctx: SM4. (line 11) * struct streebog256_ctx: Miscellaneous hash functions. (line 44) * struct streebog512_ctx: Miscellaneous hash functions. (line 13) * struct twofish_ctx: Twofish. (line 9) * struct umac128_ctx: UMAC. (line 50) * struct umac32_ctx: UMAC. (line 47) * struct umac64_ctx: UMAC. (line 48) * struct umac96_ctx: UMAC. (line 49) * struct xts_aes128_key: XTS. (line 112) * struct xts_aes256_key: XTS. (line 115) * struct yarrow_key_event_ctx: Randomness. (line 291) * struct yarrow_source: Randomness. (line 226) * struct yarrow256_ctx: Randomness. (line 224) * Triple-DES: DES3. (line 6) * Twofish: Twofish. (line 6) * twofish_decrypt: Twofish. (line 35) * twofish_encrypt: Twofish. (line 28) * twofish_set_key: Twofish. (line 23) * UMAC: UMAC. (line 6) * umac128_digest: UMAC. (line 113) * umac128_set_key: UMAC. (line 76) * umac128_set_nonce: UMAC. (line 87) * umac128_update: UMAC. (line 102) * umac32_digest: UMAC. (line 107) * umac32_set_key: UMAC. (line 70) * umac32_set_nonce: UMAC. (line 81) * umac32_update: UMAC. (line 96) * umac64_digest: UMAC. (line 109) * umac64_set_key: UMAC. (line 72) * umac64_set_nonce: UMAC. (line 83) * umac64_update: UMAC. (line 98) * umac96_digest: UMAC. (line 111) * umac96_set_key: UMAC. (line 74) * umac96_set_nonce: UMAC. (line 85) * umac96_update: UMAC. (line 100) * XEX-based tweaked-codebook mode with ciphertext stealing: XTS. (line 6) * XTS Mode: XTS. (line 6) * xts_aes128_decrypt_message: XTS. (line 138) * xts_aes128_encrypt_message: XTS. (line 132) * xts_aes128_set_decrypt_key: XTS. (line 122) * xts_aes128_set_encrypt_key: XTS. (line 118) * xts_aes256_decrypt_message: XTS. (line 141) * xts_aes256_encrypt_message: XTS. (line 135) * xts_aes256_set_decrypt_key: XTS. (line 124) * xts_aes256_set_encrypt_key: XTS. (line 120) * xts_decrypt_message: XTS. (line 83) * xts_encrypt_message: XTS. (line 80) * yarrow_key_event_estimate: Randomness. (line 298) * yarrow_key_event_init: Randomness. (line 294) * yarrow256_fast_reseed: Randomness. (line 283) * yarrow256_init: Randomness. (line 232) * yarrow256_is_seeded: Randomness. (line 273) * yarrow256_needed_sources: Randomness. (line 277) * yarrow256_random: Randomness. (line 263) * yarrow256_seed: Randomness. (line 238) * yarrow256_slow_reseed: Randomness. (line 284) * yarrow256_update: Randomness. (line 250)  Tag Table: Node: Top545 Node: Introduction3111 Node: Copyright4684 Node: Using Nettle5512 Node: Example5906 Node: Conventions7197 Node: Linking9360 Node: Compatibility10880 Node: Reference14491 Node: Hash functions14913 Node: Recommended hash functions16355 Node: Miscellaneous hash functions29892 Node: Legacy hash functions33766 Ref: GOSTHASH94CP40627 Node: nettle_hash abstraction42817 Node: Cipher functions45084 Node: AES49163 Node: Arcfour52678 Node: Arctwo55162 Node: Blowfish57853 Node: Camellia62486 Node: CAST12867052 Node: ChaCha68991 Node: DES72087 Node: DES374494 Node: Salsa2077579 Node: Serpent81620 Node: SM483130 Node: Twofish84417 Node: nettle_cipher abstraction85719 Node: Cipher modes88248 Node: CBC89430 Node: CTR94359 Node: CFB and CFB896977 Node: XTS102747 Node: Authenticated encryption109122 Node: EAX112514 Node: GCM118360 Node: CCM130979 Node: ChaCha-Poly1305144140 Node: OCB147496 Node: SIV-CMAC156835 Node: SIV-GCM161552 Node: nettle_aead abstraction166467 Node: Keyed hash functions168142 Node: HMAC169785 Node: UMAC174749 Node: CMAC180395 Node: Poly1305183304 Node: Key derivation functions185892 Node: Public-key algorithms197564 Node: RSA201285 Node: RSA-Footnotes224803 Ref: RSA-Footnote-1224856 Node: DSA225034 Node: Elliptic curves235226 Node: Side-channel silence236634 Node: ECDSA238077 Node: GOSTDSA242883 Node: Curve 25519 and Curve 448246879 Node: SLH-DSA254784 Node: Randomness261660 Node: ASCII encoding279485 Node: Miscellaneous functions286406 Node: Nettle soup287532 Node: Installation288529 Node: Index289758  End Tag Table  Local Variables: coding: utf-8 End: nettle-4.0/nettle.pc.in0000644000000000000000000000044615141166424012032 0ustar00prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ Name: Nettle Description: Nettle low-level cryptographic library (symmetric algorithms) URL: http://www.lysator.liu.se/~nisse/nettle Version: @PACKAGE_VERSION@ Libs: -L${libdir} -lnettle Cflags: -I${includedir} nettle-4.0/nettle.pdf0000644000000000000000000205166415141166424011606 0ustar00%PDF-1.7 % 1 0 obj << /Length 587 /Filter /FlateDecode >> stream xmTM@+z&?tBL$d4*.<_fW_wիrc;`GUOV&ʮ[v6W7TvbuYt/N.5=S> stream xmTM@+z&?tBL0d4*.<̿~UfW_uvc;Z̫MfG} I]/ޭmޯo⣩0^'^x]fkn{EK{*ʇupg6;ލ$4;gZ8, M[TPRJGeWxmE7 "/7j;{Yʋ"1tm|oirI ɑc׺>[TқEnn#bBSEV嶭mzsg)gR133w xAb;aGL6K&0+}&"?(Ҧa/ c,!-f3*Ix {asIC%hS7}H=ŤIY(jŧ Z4{SO5Z ekxvKǬ@2a> stream xmSn0+$z"aKU^CvF^p=!94gB˥0pދ s#P~k@hZ+vQڦ(A,Rf5Ħq8>K_X NH3$Ǟ{<0*5c~Pʯ5W42^!0^#rqxƘE3x z)cgl1BҰ?Xq!NAWA*d1)iȧΰО 9璆NVfkVaUJ?%͚5ػbTW=ј52f&p2pjV^cHMcVYxLS7E=1j g endstream endobj 6 0 obj << /Length 262 /Filter /FlateDecode >> stream xڍ?K1|Io+xl'wӅs`W7٬0yT4*e4>5wm9eΠ.#(TwڑMT+lWOց!ޱ4MCeWG`oہw#lݳ()9=i4k)(UJC$*ho \lzNXa.oG{x:xh #U7'#8]YB+[i8.>uÐ AE Aƈ bh1 endstream endobj 13 0 obj << /Length 435 /Filter /FlateDecode >> stream x}RM0+Pmb7f9m)7EԼg ؼXUzofޏ=+E$>I%op-^O8Κ/MWG!%$(1MVV1|UsUYȏy¤Sj(Z{!y".&žfD}\*L?%Wd\-u試Vڬf&B(K<moP`gYດUĎ*Ҝiؙ|dQ_It\{/]䄿}z>쵶9cBZAmrbgRPFʧo9%x3a&8kƳɭzW&'BB> stream xsFW(8mdlv:6S iwd'! ? s;-/ZV)Z8:j/N]vVZ-VﲥсpɰWnGKYgt$j8TGiN&dVi}|(EFfC#+#aI=|c-pW<΢?w>ߋk0$J3a֦QZY/HƾL&F^y5D:,l' Q9gUZ9[#$|v$%!+ΘL*oX8RЪ"׿- hA[ Еg_qFpDƬ .sYB.=pR6,4kgl,iSv[m`/2 ۩|x> ]ͫ} HCɞU&HZ(WUe:MǃTQ>Izm L&kVJ%wl l_#f܎ JQI\ hPfO&_9%^ڎ-4e#B&Usƀ(4 $1Ύ6!*?<<*ӏV9QوHt7U P2ak.JM*Gy/|7_ا6I:/e-2D}-u#[l!-R"/K"h˽Qpì=kgC#͝T_-¡*|·斶!^k/KRߋu7÷A%D|o,M j~KoAB]n gt4lBVZֲz=Zmiû q2:c=qҪ;ק”6H)Q-%UO$\U3W ț2SqBz|~ E:&ws\@銄ޞTuVE> stream x\mSFίG.~!iI 3M#5;cwb  klY>04 3\ xcPt;)@ XnN/ x{HSw `1f E> Q@p< ;yxQ- 'iOx{-y 7Ac6=MSNAJ@!q2 8f>bfD=j.0CådwrA6эngQi aygpUz| sZ`I8[zcŅ"l3xC!ꃳW"D˯\T4'B!l$ג1hC @> >t%ft+o.>S_rkQ5yN/6wӨNmJw]%˛Ị$EMSLW|&9>Nx1"/=XbgNٞw znN׋,]D+׶6C E(*IJWy><pşxZc R.о TX{$Epp\x fԠ UHqb `XSU'q&9F7,a_in3Dh]4ں5J|Kγw !iY1a]. ܠUuCJwe[P)Yp 4=S,dM^e?.gnq> +eiA.$dD,X8<ז,X~u<23:ULe"AK~vz]h]ZΏ#A>f|l0D pypQˈx>yUW\Qcr+0D|? Lu '^RJu}]QM2-$LRNJ],O_9K6rI? W"af׼&%yEbT/*`J-!MqKnlN\ w*vC}SRɝPIdi^[|4 -}W)] 1P薦3`̀h=PMtfrLl.GB[FZ+u(-UһCu_=$dR­sJl@w4>z#k"t=uBe` !oBYioa#0KS3#Ϙ(qS=I[T<:pUTlK@$+Vt#WgA`F\2Rfk6'1q9i~0$o j v- Pj+N\GU%"B(d@D4lz!?~ y7(vm3pY8ޠH=Ѡ@8[)=ff?j•*ݢ_EEmyz Z Kue,BPnQЗ-v0 X}~AZ5aG]vEU27Hb\WS(8Yo?FdQ?ݘ[\w"lkYg'`Ś_u :L))Q?u4- iVĨoa&]0"W,`{)%rStϐO!uG)\ A+PWVĈԎ#j#,\M+nr xz#lrO!Ǵ"Ry!]@]Ơ?bb!ԕTsG:nۢ*1d~ <`(+JEN endstream endobj 9 0 obj << /Type /ObjStm /N 100 /First 815 /Length 2335 /Filter /FlateDecode >> stream xڵ[W_8,EA$aG؃- nZ+3mn{|jC 5H q D!(a+a q@V8G ) '  -x%tp qI.C&@ӔA*4SVz(89Rд;PMKrAtT W۩t PcPqMdm(pqSூSmH}i8%/ a9S8'[v)06`aHYr:5.k94i+u)/ ]aA/u > >'|Z:AjΡg|F ^NЙ)O{vIAO[_ ݨ% Fwp0/aAwH BISRqS I[ ZINﺃC$A(!tgz&"NB|Ds >``H%E=xF/ b$YF Ä"?Wp9ptzO/>n1:LQ >SY t3>Ϭ`1l*X6P%Qip[\k`"ܦ`ZN9CTU'nՄe ^덩(N9bF +ŒS:TnWuaôTSNvIgnXXWlr8c0m`71X\3A2H;TnWI5}Ud#6AS%5bfj8k5:Ըo *]cBg>HsN vHu᮱J̵SB]c/eʱ#.iVsN Jlb9&PPa\_9ƅ|}LJ$vsj\ȷiCbC]îY4TѸqƕ|0הYKјY9ƅ|EE{9 95.#{ŏ*Uj_ʷk,}j5"_N<SB]#~X:XQN vèڪ. ԑ\g 4)pۦGf^]:7*qsJ\ȷk5֤e{ZktNոo[5ә<"I7BGhSB)8q{>8ƅ|]Ĝ- 5t5TH|} e6NmĜר4~-ƀ$:d:3of1WFIõ7o0ur?Z(;~&!R{Tn*r;PE"T{MU*r[XE"V{U*r{`E"X{MV.+rϊhE"Z{Vn+rߊpE"\{MW+5xE"^{W+r܀Ec9{MX.,r<4c<8ȣd3m=;q$drr_r_r<쀎GGGG»_ 4JR[>ݍP篅t[Ґ]{ye7lw w;} u0N9.%"n#OjHĜ||~[ef Y9(8ƅ|FC%KiOAٮSN vH<U xB ?Î<} endstream endobj 344 0 obj << /Length 1623 /Filter /FlateDecode >> stream xMsHꝞƟ8qZ.Yo I# ` yp?=ol92B5vgg7q #*B9l8^EQ'R ) V8p `NEBE A.E |/#ұ2١0 nL c\/q{e!ػ}=bυ+RBtkЇ>'/;f}ӝ`;yXe~rK Zf)O*QJH<߇?:4FG,Q=XDIrcEn2\%yP qS-.&Z#*LF>!ݩ=JΟ/f"LF-a&n+_.zlb8t&-R+;X^E/n'ϫ,8% ;q~8w:Eo0>7(0/i.&2A#pWnK`,d$'-ߟg ylϟb"M uyjL)6V66Sl^kl^yuÇO>z;qqT7]}\0t TTk,s Pn&H} &q 9rj1r(QimP|k }(+79 S-zDx50~ZhmhHv4=\p>ao,Wf:_/w 5M'HcF^amszT~>-`.MrU?cX>n}u?yN:N/WQa`T/pUpŗ\^ib&\U|`h=.rhUz\$Z525њ."&gx7B^I)(_nKjfD^4 a`2 y4'Я]]kf(Ǫ[Md23i6jwXqJ>%ĜiMl5&.I7uWW ]ZO{tdG)7ir VR u)*]8(EPQIvQci$>e0nlϹR(g]RiKR${5`T3ۼ~} _shWx`6S % 3}ܒ & ,ۍ/P0LW,Qfܙ'2y$ H̥׽X6.HUtzMn$8<3\Hd#$.0pz7OHVASF S"3(ʌ(AHQq`~lj(q ⎒Qi/79Mn #+in$qPzzEt紐%溘r#>^0N`vnr'IF"Bq>_qq2{jIy"yq1^$@r:="R: endstream endobj 233 0 obj << /Type /ObjStm /N 100 /First 905 /Length 2154 /Filter /FlateDecode >> stream xڵZ]}_EPI$`~^’p} S@&d[k͌ZJ*I%DJl(% >jҪ(k͟doAHT.T5M+fc՝%jO\qFb2ZÃFea1MījAü%)yOBݫF)@0Q2$U⍓i޼&o,-ëZRk=Wr^}SRЯڽyT y ׭jjZ۸(@+^8A/YGFM|`Z2{2<#K!FJ60\8a<׼K02qA.Z%elSkU#^ۅ1m'^9q.]9i^US0N ~kbj7XF꣏ "  f=B`1bf VV‹bf?ꖄ?*` XE0zE;JmGׅUaataԼ`W˫W!]}||z\}q~sӵ|\>:gH5dcd}^JwǧO:N7\T(3~%ݮYG2W7}򀫭&Gݍ&YsIsj\ȷc-Ǵ3 rNSB>MX=\b95.5fwGV*Gc~J}}咱ʭSBMzV[XGkiqƍsj\ȷk~DthcW|čmQ[w8$9%.5sW>QzDZ95."՚x/"BcN=IcpN وpRnlǜ'ErԸoUL}F;<)8ƅ|RsG<){T3cΓsj\ȷindsj,.QN (pY9FO[N r6N׸oFJHԒ +Cj Ωq!߮ ѷ2"c,)ImSB]r}r#qYIsj\ȷkde컟"e8ѩt!y4s$’u'|~{nWFPrIF9%FS=֎4uDZGq=)V(]B]a 9Rs;'甸oh;ʹ1VcpN Ȋ"YIq95.5zui[NZ7Ωq!nw 9sj\ȷkn>E mJB"ISDoSBm [-OF׵556dk$Na'8ԸoU?6kN r6Ωq!>yfssj\ȷkxD7QplSBV!8n3w2Vsj\ȷmSA \+;i_uݦUt(3xDXpѥ-df"tE"/w{`3Q^pߧ_~k%5.?ܞy2aԚ7C}~oo_I)?\˗$y4wI_>~2/͟O{=Oh c˾ԯiSjK~Y+Vm혲)SB_HH׮4}_ endstream endobj 351 0 obj << /Type /ObjStm /N 100 /First 889 /Length 1749 /Filter /FlateDecode >> stream xڵێGuIn]]' ! .]ZYlE=3@l'QX<ӇLȑ<97SDDx )o\#~*3~YaH*J`1DĒ`bVU8{TU&.vk bUֽ*Nlle4cG{gs-wb_A1vlȨU\}GMc7N9;cµ` X˧QobLa7Hűi&A1vԛrsmuw\NOs1Ĉ߀qok1fv89311c@D8h6Ǝz#n;]')abf]Ύ88}FQoMq,j@Vfb4ޘcmZORu&A1vԛ7?G`L;8ecl8*vF qL Z]W2WGnF{iڛ!*UA1vԛU#ho=EɆQoBԝ;޿tk_A1vC.1T!:{*qfq4ƞz#nMҴ7fu^Nh.nl&Ƅe@qbqަ3GQoVC>x$g1#73dC7Vq`"ΪyT],'$gZGɆQo"f#܉C{ZH2$M D;s{9ᒞД ޘ\SO)_}`ˑl/.v Q|77W}`=>4vycm~^v׫}'twcx6W-ݷo||~^>V?/:tzu\ UTv5y}lG.o߮6Kkyuп:N={0tX]>U᰺NRk7m\.ޟ߬7V?ejx#]_;u endstream endobj 432 0 obj << /Type /ObjStm /N 100 /First 846 /Length 1119 /Filter /FlateDecode >> stream xڍUMo8Wpn"9X0 S u77중b0! ߼,) +xKP>`U+H6X S$@ ɹsAQ.\MRgL<;er9G BIΔrIِaE F"88y WpM5)|W, k>r9A+o'8pGTI| 7gi5d emUN~s>S9>wg7G&Ok18m ш -͔fcF2r0pVpAJ`ŀ4 =X;bHl2.р#;dZ d!EkrHВDH,T-БGg%hI<:eehPf݀8:Qn Ѓ%DB- Mf9@js!3R;"Pat͐ u a `N<5Bz 1,b BAe9>L/Ow4QOE5@t>}" + פ*"-qu}z.zY4eKۮz29r1|?+h[Е;Nbc#|Nu}!y9>H)E{/Lg' k?tfݒwum<9NE#֞^iV]rO&-F߻*Ct!T\@b0-j볉2v>d:#IQ_jot˦qUeӏ:|o8;3:vGSBmݷ90{Z&Gt8dϐ>V7a?-S|Zrm@K)eyvc :~JEPu2(`#]xsJw4fMf|<=ݏ U.^<6MiKq10EZU\VY ŇX?ޏx;nᲈMK"-Տ!x+uU[}lMS}1p]_YZ> stream xڕV]OJ}ϯط =WUऀԴ}BL0`-3 !x̙36^!WRhE Ax4cP۰UPXВ |k'^{Az1 7Zaxax (,NZ8 ~k#3GȎz?6C ¯Gq^yT r"EA/E{#^D$ 5g'%DIf$'A`D$ ~ aܕa* T ~J$5 T4=r";A`$(Pu!AbUy5 H,r!4[9>RrN<!qRpx"n:wUhГ "i+Cd A :TCAtL  <@\ &BE-d4ZJG"gh1uRмx. dhr mf Mk s5gcj$6Pkӆ /Om%h2F*yQet޼'3qrV~.X9u,޾mIz-yE?̦v:I <)7b?y59MQ}yʶ"['ϵ}^߳ÝP-Y^G oAGww묪BcĎ"6U.="9{]yߴ˂wf󪬻9=%jڠm f{4\O]bGitdQdU̾Yzf]90}^mf^71Qt]_MQC ==po[[t8=OWXy7;Hx 9-Koo7-V-6yi^w׍2ouɯzviq;zC^SpIYWYUOk}xJw {k=;'Oч{C 'AKz ,G3y{ȝOQF7~f6W\U]㸏1.x<_f3k~Nl8_E_u nSU@[ endstream endobj 826 0 obj << /Length 1493 /Filter /FlateDecode >> stream xڍWo6 _9َvn]VlðۃbV,mnҦ@MQ$ERJ/^ѢHӰTEu;L~s W'?l>e8 ˨Eaަ^6\}̆$Q͑dag  TM< ne~+cmע#]uxPU`~@vbVc{OUPgwٌ5l# +tb2YGޮ:Zy08 ,P Z*~#]`{<n 5_u5bfFQh}Gg~$-ugȉ.%=Ceki; NeJdZqA"0U0ϐ?853tz++_vihMkʄ˕*r6L܏#&v+WrJ(amTkp^Uenvp~Bk!ɂ֐5\w0,y-*4W~2x݋}=.m18RCS[*2@7X,;84 ZBR {A$c Bd4]SARkT0(d[n !)YG j|\G{s& XN*8'8,O2BR ol1Z k %-%`EqmE{%0D#u-Ia5ccklVp6(iXcreBVv)Ǡ<:6DrJ/O1K=ڛmeL1Bb̈́@?pzoTʐB5=@qA[-W3PQw"V*l9ih/HםmwLҝb Tqu"U#H0{eH;?bPS v0:mk -q\Z_֠[LsQ]_i&zBp@xu~v  }ez)L?*"dW&a: 4#5:i? B{/WՄoqԎ endstream endobj 830 0 obj << /Length 802 /Filter /FlateDecode >> stream xڍUK0ё!ΣM jPB$.òmaP.Or͓]Yfm$t{9&$|o3W:y-O۬5߾O"v&?+_%"Ửu%Զ2^Vڦ>%gOF.S4Yކ{(M+X4ɞKC7Od41$a+gZ4LLt; '5M?N:/3^sK[0ax00$60tS9<șUil ,(i|z aQ%8sd GQ D=Kq٠i ͖ݐA>^fmBA՟)|@-( ax &…UJ'm0wղ >)k,.Ss r'f\OӲ}}ȀX"eb:jXʒq[FaFPyh֮@4}="PupOiYC5?i.EhnXoWnTfo[6 ?Z.ޏ{u kξp3}>#a.<z uWSGcv{ڬM-I.u]O6?0G#&KpDxXHCzΨzUyS-bпh&@L؁={GTl1Sc8> stream xڕVao0_:m"mC(ݤKL>44-" &&ugs& )V޻3 2lC6c \Wۛy=ɼvή 1m 2Agl17sg4|Q[W<ߵz`<>1R!Tk9VqFZnj]Ú.% ,nE`U\&`gI`#.2Qw6rk\gTGAAR0~LPMń^L>]`)di voT>cQ2\-EUq\Hr) DMؓ"(R ai:r)K7m,-_ >72ˬCK=˱sy%Hјq9^LGCmՐ],Em#VEJlb` '"=Mɸ6Q  @m B+/A |mc%=<z{rQRtKb;zkgiSƜ+< v(5G-; ^At0^庱AZ[2vo /CMFxPŰEP-?qLy=mö DZ9h26&D1΄;)jڽ:_=|GY}\+Xn?ςY=V#1ksZn56 kkd{Vb>{{Hg~469GvvٚmIo[D1{9i)z2M&o_:k= endstream endobj 837 0 obj << /Length 3008 /Filter /FlateDecode >> stream xڍko UEԣ &q IaZzW=Xn`Kp3R7,ItzSvwJ_`~}OܨςL>,=}=ḾwVeC,Yx*Pq;kć(&ΰOBd ?4acQ쀛O>%Y$]7@Cwšmv?Kál~K*z*U(iF^ּ@x֏35x: 境9Y^"! $ ) JW2NExcN7] A t(m ghTX [/b5vpӃ}bGY'qr=*`h.#a06X{QXlemCw[|cyK g6E~ *4Z^I UH&40 YIyaBpbwڞKg\-^eiwmv3Dbך76;(uJl8kyxK-MqA{Vץ$@$ ؇, ;'#~hwY_%({VQv;Ynھvf" KCPg;XpY0`/xIoCw ]΢/zf -޴U둎 hYVd=v lځ8ayY-KoQ[NNm: U4R|+U9{0MC|50?fe3_ mh邋8tŬ8t*,~zJcEIa{e{$;gCI.LWj: E9X){Hȃ%;W_/0X MQ8g1(p}dcB[W-KL{dj8Q ra,Xɉ[>e\EOFM\Euq ^\ߢB!o8.Y=ZFMն_ޢ2|= K&JV T ,;62d>"ݣl _PRxbѕBEOR*a0f(e8z&lX܋C$ϙLɩeIUQI'Jҵ_bXS?{i_a6˃J8Zj\* MṝF*oQ$ ln`aeP`o[f}3I$^Q©N(0棩''OB8a LMA!fdA0F"B٫MiwNr Y]!v^ʌ 8@R5aQ%qde#&Ho gI>3pB#҅HwL( 8Rex&~Ƙ%[rD uŹ,EObஆT1?M 20LC>$[O"ޕs M8Pns@ bQ箙Me㥬BdQ] jBtչgab1RzXM LOrsѬi)egp}hEr4׎ɯI.0ꭨq0~=0)\[A$fDsU?^p$\:%Mp1qT*|?7b!XtVVaʗeM%fqC|+AJHq%PLz5ܘQ'~,D#8pv2x6cu0azC7T6_ f5u *}{e@UwyWbLA7#l|^ſ؏͔'zqީ=>)'^a."^Nľ}B!} }5yIԠ#2qx;ILq9,CZ-ZDݦ7wQNKo'%F?s"+ןC칱GػMH+@ &8c#X,l<`R0єsaܰPk `8VZ6 >}o1Xi_*}U-SS9#*pɍk8%p%x%S<(IdB}ȏTr1*?UczpAW]\4Eĥ<<4$YR WD,~:ńX͏r&r[< f/ȅO,!Gy zL,0କZ[mwX쁧\UrY"Z%s^1Y9*!;T М*]u#UP/Uey8W}SI-ɃBr ň85;*.c^f9r]-Z E #~+5ʐ6BJ)JG(K͟  BYY8[*[v/vnB?QW% l0e٫4'޽LꌼRbǙ]'g1s&a{g:4:氇2e՝Ԍ޻< endstream endobj 840 0 obj << /Length 3142 /Filter /FlateDecode >> stream xڍZYo~s <نq0 !aؤ%קn#ʻtWW_u|UTx_xS7yeRT7Qn7q|Oiz~q]}oI]f8Izgҗfft߻xvLO 9lYa ;'Yʶ*uiuo؎'nf5<ӓLEz$L?pe$e:}5G5a)Cp bq4pMm4܀͌4/C L#=*;5{Lj 9ad>Z΍U1ZȪki:}8-)J2πzRIEIWo'~&gxj+ !@"fk"}[۷fYqdYg 8Ո#gQT,kWĬ8AUd[M+zm4Ԙ(4 s{-5g|h*}>7}Է2OǼ6tK%rRU1S+c5dU}M }42xM䳜&L8"hjI& .ۧY} :76j^a$?5x$ ;C;6TYg$17NfGPjQa>ЮvPN)'~}9,=⟺7p _McI\@#u_QUU2Z6 G4mƧ" x|$`'~R~Ц YRQg9Ѥfכ7g)#@\GJ1ԐVP݃q'[׬fasMipȃwKVdLv|f8 [iʏ^\GIѡݚu~qqMhqWA\XM8!* UnEUxƆpY^;'qKq06 HQ)xO 6m#3Ye~8a_c;-d T !@t':J̍'ؐ7fP`8Cfy p "LsaGxFF~/Xᮣ=?Jb`} [($*2]]hBbM2Z:@b/2tz\i8HÓ&^KʉqKT <-X/EY%!Xa%:Ӌ3Og-!X5S"h} TQL>9J̆a #:E c[MBOvU2*ec{0cF_SWs{2: ICڙ' ~fLOsu<Q@8`L eYczw'awr9rq6bwK%&*2q}'>DSۨyh*R]wE++^ e(Y vw9Y"R^ٳX pַe(*D{OIJ.6kNc؂;sR#yS*u .`یDžT/P=7fa+*%Y5{Vp-u[x3؀p#{N\Τ9, +",AY2̫g p'er]ґE $ĵif sȣG*9oC9li+Z7PE8 #ADS…ZAU~ ’yHNpbxf `$t];+6~&~3'/L-V6u#Y*U_QjUDVuVvE {fE h2MFvtYm*q?@@9Y8\'6rzSZ _T<Qs΀ ӗ&${@HQ20U$_$"X4Lo5 a%9P!0Biljt=0~u$\2u`?V: 7A~s$ٛ”e6$jN|bS«rXy" GA6熖iȒRVHb=I>t^𘹨 *7CoಚɊWUi%*2דDBOP$.l endstream endobj 843 0 obj << /Length 482 /Filter /FlateDecode >> stream xڍSM0W#m;mʍE,B(Xn2m,%qd ?{@bUy~7pɑQw,BRÎg^۽~hYudGNR@wZ=آBP(l7K>eʖ}{J hL$VV\$A/jnE+J5uEɩQ`-5W.6P)Cz)zl)^Qu镵9Ti@ 1\덅(KP o6';%ox$՜OHRzpe:n7x l0~d\NL6jIARH.zRv6d"WSh$ZcR6zk˯> stream xXm_Tml |hi%-, ;3K26q/ϼ,E lQ"E, nAϯen W+_={Y*wۅΌJ6wI^ݍ_)W~&2 ERT"IS˕62ymVlS!mw{/Wy',}}򶣁ם{\2>{J~, nf]k%%yvQkH w iRF{Hxնظ5.EDҎKH4cn:=nM276)T'-mlWkg shCd68Yӑgn byTpfψRWC dy!4_!8NY ]}p=&uHv홡g1;qzdm8@ Â>Fvhwc)޺m$" y9 ΌOuiXv WtdMhq4TH4ԧӁk N" 4~]C(24]TL/'rPfo v!aZh9?iևA0tjkrqE9 3F@KTxspU0qrhB#Mw| VC@cb>y z?jIvhp!f5\l X*֫`0!w.MY8m!Ñ:~skƲB |Cɢ"8֞o=QR]Ja|o:P*UQ)чQ,(4.a@T9 fRQ WU|U U%su?/$\iJ*\/q 1qD_𕽣P4  zPn =b1#Qj,k+UzVc8c&0R6{{@.'SFH)B0e(t-Vv!֒Zdm9ZeEKƒ2ܯlÙ2tqec! &XWo,KQN=/ hflgjz@aOf{ύ31pC[_?kLDb*\UIctP:,Y4g_b Ԗ{ 1 !Fm^wKC͛ͅUTEV_wc잓S9}lfJ8tSe1Ö`_|x ).wgyR-Jva`_|)Mogl^N2kX2nS@*4J_ Ptyf˅Z4 CR* έ ;K)}qjH  &, endstream endobj 854 0 obj << /Length 1933 /Filter /FlateDecode >> stream xYY~_G9qST,;7{$3Nv2hmu[[r$zz{V(Ys7A?X$Ud_y4ʤdjw6.xK0Q~OY(*|דL'si{v2gpMؔOW3ŜOg,Y/ϙ 0\n ?*]_*nx(H\ׁiO(bWR w7_q" "e@ٯګf5t-~Zt:w >)B;M WΉI+O6wU=x6e&2 n~-p(ha0_^`Q" %?C-2giE:juaEwrI+jw\ɐ Z)*U9yI"_EkI;볉ȵ(Wv4i\ƀVSKYz ' qZ&{Bc!B'_+|5-s5^] ˙jc҅LXif$е"1V@,L.qp5ms9TZ5.c~ {ACu'cȩQ@BVktVqZo'7qPv{KHًJB7p9E[ioUԽMA9(DmQ(ݲGp> `"Gg NuѮi}HdCjY }mB6? M*p>6 (f^ L 皾D}bۅU_'1 2#5Ei_yRkG (q{(ÊWw;5;ݙ"U5?vgjڝCӝq`vg:q`\30YPOe endstream endobj 858 0 obj << /Length 2125 /Filter /FlateDecode >> stream xks?R !@:$KH^o<YJJR>)Q|͝>b (\i*b{js.d닯5&p2zZ7yl+jgsnJF%O:WheV jfݫj)w>")3Fyj\'|m?F6THç/-I*6r;x1Sy/\NO8R)_$c $fF?~VuNpj({ r_t% :` wd%s+\7Eܛ|ܿ3+ΤGs: bvfx_ 9ɂ^u"Mܮ qY˒cd J/7H~|ZJ'#+g8S0WLE.!%h5 t2/ev Ky[ԯ"1/~M7dB[ۃo|u׭ЦȌ=E9Sfcm0}Yu{Nz bJ$HQ0yS` h6ۺ 'lF,;v6+4o=$LC95Uh)GU}{ۂs ǥ ]҃o۲ŢZbхG`.L\dZ?4 T$ҝ?Mp2tgppȍJ) υK^Ή̡RT@p?͊M[5=0d}N:){@cNWǃ3%;¨@:XtyIS&*=!5Dn),{޹s0|lw{Dw+\n0 BM<ҾACfz%7M!%&ҩYc}-a : Q 7EnM)$ CT: nCYfd-d)oQLX5v*^@n =D \h"DM+ñ9*|~e;+0hhX돼E=,[ۗp"WV |j%>GR}ЬȬ T;%[T˰VMOB6t:/9"Nb[u998=Q 9@%4qXd2ոJX3|KA)&5Ȥ̀<2tmX!t= %)2r݌*b!txMu.y4OKKO_]?ݚwD6AC6dC(* KIii nMvuЛ NBk&Jmٵ]&/lܰn'Wz)6w5ԅm;b>62|  Z^s4bsvX0l$PbA 0Ɩe`T..2^ظG唴珮d H.Cx}Q!AM=l 50bUZ6bF!7c_W@>qOzOF .?C> /">Bѓ9Cdb00"P T]2NNaz&m|?5/%:RgBo7g[fi;"ZYbJ~a,󗠙nf#( 7u-mHA 1}+8V"{ QL?^.?ȟ endstream endobj 862 0 obj << /Length 2147 /Filter /FlateDecode >> stream xYs6_GƂ/~-ii/֞2Z$)%8o RJ"Lo <Ȣ e* ȍ_ߜp7˓Z߭δ2T/fstY 3L$:ۓ.O 9QJ%0qzp[/g<8eZ \8[њOMY`CuB]u8ߔKSٯW-JLk[,4Q/+ŤD)uR6R{eF@is.IώlďLpH4I$@`o@Xɿ&~uT:ӝXs $J㱛|3T|ϹXsT654;2(%c^y?WUO5M%[L2+(=t%?|&SIp87d"A_ N5B3moMQysn].0c #Aso N2`t^ (Wv#7EEz373嵿; e1XFC~{p\}o[ c-DHa^D@hg`|y. CtD/ܵǐD 4,i !nȟMK '<0dS8q29ؑ2( X9?fO >w(  QAO5e5lWA$\rL$"$@o^YFOE`pcq iU2zR_Ils+w衹Z5U-2T4qGE>k !(=@ dp=M NkxƱؐs?zcle ~M&bGXЌ?P >)2m[x@|"-7e,ð3` ruRDe[uD㭓SfaJTQ &3W@ܕumZ@7u:n?"!G?S[jgO mY4SxeڮKmf:@b~jw3S Z`4LBc:Zpq7eU9a"DZgHM0gB r/.8[&elHp<=7ʐp{mcb\I6s_箐Z-'tU)z]V E%NGw$s "4@`Q5(zk%fﲅ{e}/H` endstream endobj 867 0 obj << /Length 1531 /Filter /FlateDecode >> stream xWnF}W* J( 4si4՗&AS+DN,)Q\q rvvٙCDA,UIOv h vS0Y>y?locLhKD1..1nzLDV뢂E"CW_AqIJcNie&rg~ٖܶ> stream xYmo6_avmvX&EXJ,ԑPq _(r(tMͮC_nE7M١ ksw< B#e3,苅S+ͻ:,r#*}@}t2'^v"}rrj$jvg2d$?7*#K,K{7RB@m,4,QoaIY*m0,T#zbXtxFM  K6DgtWW~_}xC¯WgWnȯx2E:i5$dq^ey^"u[%.}I~ԕ0`wDh|Y}Ս,HW1*.VEDnCjwDC#~rVIJT ahjUAP\}$卍"߾ q^#C0x*c<EEyі p8Yc&p ~4zܔgT*ə K>QC{9Ez!G\Z,6?5p yleE]=QUtC(}A!Hi“,1٤CW>x"P4M멾D9 wȂpl. 0)Ų aՋW>t*oi>"B+,= t.$w7с@Wdڻk,RNE3+h rLhQѢmqU)\P lX\VP]&U jsZ$}1N%PIQ`x 1(Ċo8<`9BfBjuw/ O:kr@ $X:J_|*F{98 @&5 PմwrׇI$&=Ru^oBaWhRhv. Fk |ܚ !LvOt#dX[->7 endstream endobj 873 0 obj << /Length 1520 /Filter /FlateDecode >> stream xY[o6~ϯ4l6ް`QS?sƒ/ `l7 Z=YQhol;eI+`&t[ ֺuf-nRNh>`aêVcY2۬iR&@UL"SŃʗg!e h!~QQ  ^WUQT6 ZqJ"OBFI*S4ە WVOV/ @wU$Aܛn6_8WrWU$10ZԻX7QL4m#"uB^{12&BVlRLa,mȘPD}r=A)~jY`x@-`[6o 9h*gOt.ojgnw"_ On Ed:;D;8yӻ7'^wo{OwNPZV]/6*%<LvnV kHAKy/Lnlﲦs[oAAzs/-0X6WE`< G& 8B%]* c bj@{Cfä?MOcHLu|.Foʀ{V3MP_m{?gzX1G>` aЊ|Ps1J[Yr6xw_M{P@"-LlӮofח^\IFaC (nU@ MgeB.2ثS>{> stream xYmoF _aaRU/0Ҵ۲em(fKtnǓ-JM EHۑyd' ~$cD(SX?bnYLt!='GOpe,e_l>y.54RiNͥiLUi(2耫/f;UZ{ڄwM&q".4*lYWSF 1peZ d e8꠵1Bsq^V%rDBg+٘ %:"-: 󚒾Y$'R7{s E*"Ie5?#|g(v^Tp6;=:=c8DNT ul/gۖM(v悓1' -T|xgyhVHC_@raZq@nHƗsQ<LEn-4n|IijҠ0m[V ȫ9횷 ]5c~ wjڹw _s+^O^cdȍ???>:=h1daڕ3eIGbEZGFyeQQ 9hٲ /tpښ7 ONgT$A״c~ @a䮼6ppi*Pg" #sÍHxYVt:Ůyr=0q>g¯)sr"՗C 3IpUW^NAb+/鮥w:إ IRU|2v~<9mݲ;\*zXa*uvehwn\&>B)hAur:D˟Ƃ< @$t Vr1@C?~jqx`FI+ \A##n}`QjD%p?[l}w]rcߕK4hЕ+{w]7'o/ce#RbLD>|l˸{x8%N !sD*Q}ƛe]~yv> F~[I '.)DDG {E>_g,">eyh =Lu&L:9+cL St9p Sբ\Cf2I`NGL(\7BWlW>ukL%{Eu^Vkm`w;A*-pѕ*[5Uq|[n]w5ܑo_$mq{LkInjU zr2t1Z`rxOV,Kiy?^P &<5G endstream endobj 880 0 obj << /Length 1942 /Filter /FlateDecode >> stream xX_6ϧ0I>)=&Mڤ-v/mVm!Jt6 g$Kv \pwIj8qq"X"C?E{vwӭp5J-DA*1bwִU^rEʻ4kӚ:7˕Le<_poʄ aDBeզiK݁XCi ˚\ ЁBx6+-wM[m[fteEioMKxyy0ζ-6k\Dz3"3t9ç.h`BNnm q(?,lL,;J*;D`G $܏ڊxrTmB׸nGoGڏe :F. L_$gT4]$鷋t1-eCn?!T)\W!'H`_YnrqN0:Rǃ;4߽z당d'l6]oӐ`8t|m}t7艑J/T=]otÓwWmUr[Z #*á/Yx,iyO=14yٟx{ⓤ>kmx# 9ur /IjwtДm b?{*c nɇlM"HbQs S_jpl!q0~It#b)8t N{;X B00}9{%u ꡬmrc?%@A+& >q۲m[>_\(S&õݫjDMhzq?c4iwXsU B{:`j f+z`,8Z=8xwP!6B zWB,5Tb6͑s؞OtZ@aΣRK׽)Sί:,bkMw )Ս)lǮtRC͡)c'k! d\pHGW6kjwҡlg$ޖ&=ɘtqM]QNCKpmr@>8f: L0z_7~{HxɻθC͡-,8>YL1WB~_{^tP**@:C_ 0pZee]}k,Gߟ7=-+|8;xcѨX.DT(N ~ ]gKbLZ,lDs=lR]2 PC B{g[`W7k^L3kA6p+Zչe4d%o5dNP3^inUb_g4}oy?hF1hnik.{{_oxl^xk| W,_3i<&a|R oTBwۢ.?vKy"Cb}'17ap,Nidwdㅩfm0g>Ǔ B:7`/y&i܍kC}ap|@PeIJ98ے׆^D:}+EKCrډ48NtrlQ=zqr&AO!k5#fc%{؎)݇JiDŽQIzڎ U,]wշƄdc#Mي$z))=GVmʰx+#+?CZXdtY3Ƭ4!iO =Xum\C&2:<erĐXke^h~_5[dkwܚ_*#} endstream endobj 883 0 obj << /Length 2192 /Filter /FlateDecode >> stream xXms6_oGD(BL^zuu|piCͩDH(o RBNOX$Xg]>Ktfd$ ξ9Qn=ɯOxe3<^c+ywxIp=XFUԃdU6(ѡ/Uo:Onb o+$sDLΑr ~؃qg {7t'vQGxbE&Fn`С'f4#wşg߳++]+R߭+>;J K|=WAUi] 3_jjb6)I4: ɷHo[JF;dȿiQ\tQ:&0@ݱtCZVJ9> w/niJ.PBzz\`U# w_et>?;ֈߡSd4B&v 6<=n٬׮.]Er*?i,6W W36u)}p[W/|uY@c߆|ݻfQU~5 endstream endobj 886 0 obj << /Length 1409 /Filter /FlateDecode >> stream xXIs6WHuBzIi3NM3Z-N$%,}XH 6eَL&3 >{II a^Ъt/aY=)4Ѷ*+ ./?]w-`3h"~YuvZՄE4pD s$Qj'D= /z$lj[b}Q#k{1EWB"}z_n̙TcG&SlY8G(ũZڧ-LU(G,Om1d7GD  b))m}PSYn6\ 纫.k=έe*̹n2Ňgxt^R Kr[X]w0hO> N.w?EYE༬>(Iʂ:~sEY-;hv(ZrYY%2ge;;3\W^i[Z`JT'S!54}X쯋}8-LiEJçDFcCۋvE˅e>>FR0=qSknjWb ۬ q)oqN*`cCZw"ӺOy(,[7cĠ﵄ <ƶPd4mcŠ<^B9Qг﷗8'zek FCoV2 ő7垓.HŽ6{C)`("jrZPeC#xQ)¨ c_nm0MIa7WOalwc=-邪ǻ Ȍ|C $&0"kܣ/ endstream endobj 889 0 obj << /Length 2264 /Filter /FlateDecode >> stream xڵY[o~#unAQ IbK}hDKD%R%WI_ߙ%i{c1O2>KbNgfFWg­ aaqy( 2?j η{YER>R&\yGT΄brBũfBi HXa. 7SЯ9ץiãW0c0fW@V$/}_٣k`̝F@NaR2Lj μ;P:hMs\eQ$mV w,-d,W+idF,Rb܂'-{ع}^_Ջjq)V2e3mQiޖu#rS \JSb aujߟZjl΅NNc.dEEmqstmNB Ӑ6UrعCޘ9`j.oNBQ!sFL$'|9OU3(j%r`Yv|t(hlm3sm8$^cgYO<9\d JT8l]Dw! QnrS|Sk`1N1ۘ8c14q;veLi/6f;u[5ʆcI2b&/XV&2,tܝ ͧL+<~8h4 ||r^}\q1i~e'NɇaPmxr6l]eHo2@zV qh­68S+Roq-\ /6߸ғ >60pD @(8ѫSurʾ'we2+-P@ -޵U))du5mwWXj޺)KD ݇kW:D,'dB L=AA%?Lsw-w )_ed?Ue l^%ς&lj4i\H ҄ n{~ѿ+14T* Ɨ|I(NfL19w rC(3–lje$lűbտc gOC ?xs 6>юmI-x*Nƕyn#.s#h,o~-}]-]K2ș .#412gp:ۢ{MX ڍU%T~]:۫ (?\+q_&2_]>Junstx$%;mn t w}H 98*?vv-:U`c`.JS"M&;_ac m`Ӕ]o{"ÓiVQ2eDXOXJ>nX1TyYW"Z5hDz)(}?U/46 }鴢Ϫ6D`YH*R"խ7Gڕcb.&Roy6Ὶfp 4x/\cr҇S{€񨪷k RhVD?h - Λۃ4X RKJŒȐB1rԡq="Rn A#[=\tE?hx-p9D]S{7b{uc8!|t5 Pb#pd,aC5YU*H̅:d;2\V<{*]syS=-f!9%Y*='i22=w[龠,pmg%Oң{ϧugIk׃Ng+Dtu䠬ׄz2u:Uuyj- V>B%> stream xX[4~_7Q0yt2DC)s$ٱΦ l'dI&hbDsN0bs6 ??qN;+]<~*eB3b3KM2y^}ɔs&S!dq.d,2vzœY+J2:3J ou ثvQ턦QبJ)7~g+(]Uje_ UK'fƄoUuyXw,?ܧQ@ \j9lQ8*rz)SP î֫ӹ&JO_U4Plk3"SDj>U& ͺNQ^ȧfDhasfb8|fW0 p B4{̲uU=3@EJE1mlOȜ.ܺqLʛ]@!`;|ЍNR6ʷ|QʅWU As雲w;DFXFCp5{sLpcƯ_<{r5_ɘ @*wqq$1gYtDQ٪od|]BF:*iTMML72@Ƴ13MQb[i @J yv"{Sr7͆(Ѡ) `(1H^VXŻ=>,hs8]5$ʉFf}/*:0/=-H >o0FGVw tDU:"N)vKԎ>qǙDA{6 BCBj>i1ߥlEԽ?Lg>>uN\Ak }n'8=}8B߇+}AZۍ#G*˄&\@2<'5$W,!V Pʻ a~r-ӭ뵛cR)o!_W-#n6_3"T{ю<5ₐ~=N\{@xu I2y ШTV/ $Mݥ1[Xɖ>|bS iWNPO"÷9*nnpFKb4/q @,P92QW~ȐF^ Ū-|MVcĆBPa֛A \t[܁ޑtSrXض-xЁ7~L[+% HNB^l.^Β%Lb]'W?ů=̀-gaܚ(-ojߏ\0=Ar}? ECim(ɀ>@%O9TJ'.Ce|)E0 .M>*wd݋TQ^0qұRhLTd^z](N4OLhՌ%Vb̪( sW||Ubp%,f5"[fX^aKW8iy(+ߜC}.c*;Jc$ae ?X =tfU\E-5f,|[xA=c<pu_CYfƋW8Bq^ᴑHػ͒ᄫZyaL<0zX q#nor endstream endobj 899 0 obj << /Length 2974 /Filter /FlateDecode >> stream xY[o~XTe8pH@ Ki B6 i kY=m)Erf9̪Mj$L"aÍ7߿PBŷx? 2nuSnn]~m{]l7޶.6$^ )”2_ƤWfn"L{۷fq[l#{# 8=j{aw@cn3f[* >:Gbz;!Zc&Lt~A7;Yf!o|~'S?ݟꢯBy"Ot6V#`Oy˒v>D 6 }mǵȾkx^xMi9Nmϙ&lY#ANND/zF)Čĩ@Q|3 ̕i3qƊC=§*W}VjaZIt}_~q PyoKTF%zMl7NAI(-gZ`&[`P\}GOMHT燪y4;hĜ$t6o $-\AdH lM[C,~hg+Q)N_;r`gpQ<:y]Vw{P-]ƉPt!eF d619})adHM ~?kV%%VΌF(${ kQ|KXrSi_rtliUYu9)AC3kU u A E^gq]tK> q,h 1WՋ ѻRy?.B33#3G'pppW#:N.鹑Glw'b^O^mFO%i+"eGK E8ْ_PhZ[..iCNDRGڹdK&{ 8'rXl_^#D9Twcʷ(Gڄ1 b ئ 긣ċ,m\lo6 SL&٥M8eGx'H~Oi>r1 lMv\p]?X4*cIaNk j3/chmv nI2O>;o>t|XYNN+lgNP %3}C\ Qb04n gȣg& q%$ݎ'Rݑʒ]ޖѫ~bv(3-HQ0`. aWHIѨk,/l%$'t#0XF2LHv&_.6n/1+:B #eHH2;lR%ow?bZ-ל(df.XO]) JGė"\pv8`a9JƢShьC 򝢧s,t^HXֻ3*Aw%=e0xSw ;J\K[kkgKŘV[O>LA% y!tĪ6KÇ8ut t9].iRU",@u,;54GA"O.GRN)|E^N_: ժE~)Gt{Tk*J#&{<7DD¾#C01e:DX61|c1˺k: i_6'< Zag#k>o)z`J_q@ _ hc`r'Zq]_%7 Y}? cd*ђ\J984T. :lwHD( `HB;T6 NE.4M0piE)͈149p.G`C@ay hCsro;Agwx2㽵礡* Go`>1=>!9N r$Y@2󨢡NA鬎X Oj d AwPcO]6@< 1Ss,Op0wp\O! m0;+5a%ԡCtd8]#} Ξf l<`kp ZX^ոY1[3 E_l֫Axȕ1MFe3G&To~ǣ>&>^^"Ą]H/7ܩzbKܵ'dViIw Y[;Mw荍ZQ.+ 8T^յ+d(}/d$eZkf-(NQO׾[}9!6g cxfV̰X6t<׻桕w=s&ʑ@vdHnZw+0)Ct1!%J{svYr[ˇ%\M]أfol䩻ye'*vv rt̳t 6Q}[YY5Zx 4n2i/:b{+HB-ʓ޿ H;&᢯/!K 0EphaѰd"2xuȶ2liexȮ۩=;/D=JjL{35h= Fqd}x|Yaqƭʂ.9NgJW(]|#2 {sC endstream endobj 778 0 obj << /Type /ObjStm /N 100 /First 863 /Length 1459 /Filter /FlateDecode >> stream xYn7}߯c]$vmRnTiuw In]ǑEǖW ?ؼΜV!UIEQ֣Ii2(꺓"N*$VQbNEHA> %)Q[eG锥2(ˌ2*P)g#S b=3F+RZ5w u4t $_I0?&Bi `Aa⼁`Zl%œ}aA l/X( pD8':G!IIrB1P_DN $#*6\S@; s And`Dx(4e@JA!L,-|Ov0\ʴKq5\ut=7iN܋8_1MwSV=paISz;].opxqy6>8:f^ $_-VtJ7m.-e<^O;WY/Ҝ,MO7\YS$z-^׺o=ztiffV{5|QM>ժz3}_YyEu\Í^uf/ u B2 XBd PU7>w`wGr&VsFSG ^YqV'ppI}VWoK~i27Mtnxve94srnx07~c2.nSe2~~-M_/._/vz;-'.mI ̽7vg!`e0Ne@ [:G ˼Yj [13o_roM?3ss$dx}/gMBIX[&yw2 &;%Ey+xOlՁth&uyz}]}Eē׷0M)TGqQCȸy<|̈́8.[tU" */L|k&Ļ$.9}Σ/>gPʟA܋o[.]7-ABWb~yc}k0]}ȿ$o(!l c nWOye(&/yΧr>i8< endstream endobj 905 0 obj << /Length 2590 /Filter /FlateDecode >> stream xYoܸj N,"6z&!hq|͋z]Z%Cp7(?uG~eGݳ50'/}2TA.oG]Gm[^:b1i6f0P>^zvv9+uBV*"_鈕_@4pW- [P36ijKj9v_cgWCam!D.pvϓ} r])oK}q+ʶrre{cb%]LNϴMjE^gڮ4KSkxǞnb ˄9[!̭u }6S7KMQfroLJ ZdVZb-[Y,v KdpliZәd:Q}x^3MWp½0_D*T@5*RBiP'aЇ$^< #?Qc" h "naq̣V_@ ̻#Cy ͗A7GQ1J۾BGڻ! GQvG```qՇ@iSjE3oQ$Ck+>!̒)-kù`kˆM΀TA]G[O 3v p,<\E}WK 3 ߡ7|*.۰j3.,~'-eY_( 3򅬀%FQf?(p=m9\#DO'#E쮫ѵKG9b?.OԒ95)8 CfUSfzQc׆E͡ cfs$q'<@x[٢y_6=t JWϖ!Sww'%F1D $O՞bc j)݉k:>@īx (S!Yj+d*D}q"aa{FG5LN(N*Kc^2~j_s٣ ԱPR^}kFi#e2px\as4<.f.Sg{Uv+e8s.S$?!USbwXn`dc9T/Ek'r)9C2ppHMMf"C @ M/MMó?nJ+t.aU׵+Ǽ<`LHmہv=9pDl"NUYr-]7`j#-˖LʎrԓTX4--zSm?@@N4=)G1 & ',Au`(#aQW?)Ҧ k$(+D"i~6O(0#/:(\Hq CL~"x' W[a3iQ`.E5cS!c87]hJ bYח 'Hb;ZnW>"(`P8^a6=# 9Lb[^R-~0Լfx Y23.6鍳ib:7מDcPoGch&z B r.$ soIM(.Fr[otGp< Jpk] "h_kB],O}8.zӿG!/ >^"z`2=3 ^u1;ՙPȕ^xK#Nނ \i@ {z' K6.BF~\Ǣ\K إ6;*,9'\t]AD.prxR8 i!9\O~={:(sj6cp]j|x{rj |R Rʪ4q2Ɩ^RO WёHQa&cm/l;aIJ_Ho&ɱF+ 619ۊu|*}q=RXO}$ @{{%'PH3#w%InFoI 1Hg23ǤMQw#_ԇ>jlveE6(f.;Op/8 Qru endstream endobj 908 0 obj << /Length 1928 /Filter /FlateDecode >> stream xZKo8W{1WWm=l =EXt,D\=fp(YVm D|382'; =2W\Z^Npf0poo|]1-S%ΫZ׺ҷ4EePwS|t}wLdBz.y%i^VH (q Ho^U'3Lh2>jҼLFQ;}V FV-? I+O9Ŀ'h?u }4y~zuM^tzj]6m>5ujJ]!F\O"* 7.<1,4=Q'0y`̕KUοAad hC1}P]C8-iP'AvUcƃ֞pJ: [k]{ܟ*XuA&bBB""{ǿ9FW4>"X+gЬ?θ3bGf2VGz1/6&6a`r T@˸aHOāS+cmYBLzygp@+t[a9ݵ*4,bʢ^nYL.0*l< vͩ3qx{FđbE!\YvԽ\۹RW੨J۾R#L+R8xҹ~L @%\z.F7ԇ4=Ti!dpі'@l =n 2氈^w\tX ˝TSSY时_Kv2d.8N% v`eFC| E\Bb1b0o@d@ؒ;q!pGTzr*Yh)D3_f@efd O[)!Y߂%=U vWm9g6{E/gfRݷ2Rzֱ,Q]~בQ'W>*@tL!>.%OG7ALA^3K@Z. wز(O2wW\4J*ʊM-,UF-RV̎-\Δf960 ̭m!* փ6m :_F7QRjp ӕ?:~K*hDQ>}NjL;nwfvR[kiXџX:TܲESwY[*@Z^BѻdjMMr*sDZux;QӚE'fkO'q˞<K?g{ `:,XKOnUV\MemAĻ {?^m5FӖDbb\M#2fB0?= r9_M9k҂AÜ(SbRmVcVuQs0ZQyqfUaƸ m0OtiiMr[\,.LJ|ʬcTdpeiIVSnL;%=BL &blg2h0|$>&,z^V:O [Xᘜ%+s`W?u]gVN҆tՊ`c+LZ"m5r]`ڴ5D;yuY 5֥H31T7) r0H@J=IkS(2FL)H-pH\>TV6+l*5?&<&ZAboE}S-&Kh\-*z^[ݪtoJm;=.5&O!H\|lTKH?g,jd)IG _N 7& endstream endobj 911 0 obj << /Length 1799 /Filter /FlateDecode >> stream xXYoF~R.(:vIGA'"Lnޙ%ӈЃf ?>Y8,rY=hy=śn-`bљ͸";z(j.ժ/DZܗzօZR屚/D$e≘pA˸ЪT\0 n1:'Ӡm| =Ϻ*l$>E`)u_QȚZIgYAƍ馴z̓bK2ͯ+@܂Pn#sbv:T_?\ҨHi#`l# V6G҈^+^h` Zoz]89̉"BzY֮,2XiEw} 5f]U pȫ92v]F :&n"k}-Z_B̋t4OTfP0VCxVa kR*ާ0'ڈNzi:-rB=o^hv^;Z*rTxNCp2PVVV^*.['ڂcY&{hs\VtRCC)n VC>:V:2d$iVA@,S657x&بT쨹nN@sqr΋\ɔe\(\a̩`P(3:uHpo,JR+7Su9N\yMa|$DM8s=wO(D'j$VU}c^Me֫f ɥ}'l_-ma$Pt Mm6;[}8HIیj_J7hQ)Dk#OákG^b ݿ"4/w3ʉ ~2I>ܵggs-Ș6?LCP0 9`՝I\DO="H 11 S~o_KGft Ŋ1`*NwPfXWֲ}Urk׊ΡyӰ{óPMǰN5ZϤWВLG2n+'s_3/p=% b1ZXa]w;| P1=wş{ ԏq&)Xu-mX ڣ8b"UDxNExfLi.ӕ2Ћߔ$bNWi]\ڔwj//(=MJ3Ǡ.in6QtRS䶑\,L%SG%3fjEݷV&ަm{3hj<u"uM 99u 1%0V1YeK}4cnnsr ܂OLs+Kzg%HEZo28{ b}FF~j0]:dԅCQh]9Ea+Ia<Hwo ƾp J^kz^#leYU_ej endstream endobj 914 0 obj << /Length 2355 /Filter /FlateDecode >> stream xr}K$\UcgfcR3NM-MxO7H=G6r }'1<>R\e'YFۛjps O/}*INx8'CTeͥlT1צ5uifs DB~˳VO !'*RQ5@# iYtdN9Yo [xtrytW%إjk;?`ꛪ6݂ ɲ,IY0]V[5'v3H@ {W!j=)HLm,UU:j:Dci t(LDRVl7փ$g<^!_3ZfkE]3G t&L~^Qhm;Qժq̗tKc]oCq*]IT {?KVS!B:R;)ۛ-^G3ۭ3b_obȴ_(XEKSڊ̝]C01sY0s{5e]\u2L4Xh-olݓFS| ?_Nec_PXNz`86'.<'IdAni}_nD?^~G?b3w{hC\ەifO9 z;@ }ö. 1!+ԁM0[s;4$18vQL(Iq&z󜉤_;V=@k=s‡SH@ RSp-إfiD۠涪mvi"NY(@Ob[wMMtmX=-U!@2/iC t>~gȏ0ߋ Us†E 7j54å*"L=|Cgc @\&c&BRzBBIr?tWu7Y ~p.Sj\]SB_Iɚ>LZ(j "n!\Q] xt\ֳTԺfKjUVpQY=Q4R$u_fA:h@뎊KsPgN@j-oz1h]|nh_m=jTQ>J gѪX 6wd%LYӁ S,9iRxŚ>b(ƒAɰ|@a \eY!/:s-?=C-Xc\M$'ɔj0kڭ :߶;7alYyX/y~ĴwÎc0it+q8L*ȯ_s2 H xEa jga&Gi:ف_RcMxf2X@{!R#n4Shׅs:ÎBIؤrΏKPlPF/Pb_2Dg=4|\'/b4 4F79$dd],`'LNH{&,,"|k<^ ,9p9XŸk,> oIqTL9-#h``nkUS/(,pe*Q@ܗ%0]gv#2 :6!)Xe/osGmօ=UMԜ{ Ǟtҝ Uݻ[y1X^VYB endstream endobj 917 0 obj << /Length 2417 /Filter /FlateDecode >> stream xZs۸_̔D($xo4қĝzw)bC*I%vł9'OA @v /B4\$QR̶7 3n[ٛ//R 4LzNb98d۾h(r% E[y\T$*j_] <"1/b-$IiS/Gd.EQBJ i3*Oe;iTLbIpgY|:_?יLHk6^l 2?l\$@*K&Az8(ɇUWxAkX "=Y^~c?uyvxM3pn58r**8?ٮg0^ (b<ٓRGćOz?8k#hKB ɄGѲIyęGO`p "^zARJD1 eBU7G>JX4܁e95˜HM5?x`UWˬ5$A'y- SYevzp3_v늵]oZ2xր#~;5 Ű@:z)'zHTwiEk벾UN?vnkwR'l5mLilUgOc o2Y[Pfl;2G4iv4(of il@Kl?PBtbsh|.*&185H՞Ar|'-&åhY&Gәְ%RxDzV~l9˄ >,'`)xXG8eO͟",S0gs`L`PMF JこcTڕ,zx 9YoڬT嶲6K1 (e\" Y,vT2ᨩ+V \]g}F#LGֶ%ϋD<&'n ~` vg!x艘9|B>4"m[ gvYlAXȖ3Gmmm:Y $e$$48њ7I'c'GqΪo|aLNJ [4CW 1 "7YS0.avSRNR{=ׇ֊9LP&$3}|S@w0,H61:k8&/f)wR'h]|cX~*/ Ha|`.cxD}%eT汞5ܚ8&eM6i[e&9،зt7s?>ifq%BG#sɩG^RPK-zsLS7# d͍3EImGUsX!&I{W_phk{Csy"~Rd^ o%ㇸ:HE~>%K"\PB)%Gu¢+(J&ؙmwO$JLVܕ]oBg1ǘW }2ϪާɊ>tsqc^G9@9(r49T%l$C#hiaxVK0fHOcV„׽  PuJIw\VZ,;]fX+o}xuo^t[猪uz+#ll/6)77s=ڡюgjfWbң9S(wahkn,&ٗoߟ8gciP is("b2r?$LWvp Aa-Z(ɯƾLU'2LJa\̯/Ɣ%iprvHh |@rju Co?)[x endstream endobj 922 0 obj << /Length 2054 /Filter /FlateDecode >> stream xڥXmo_!W 5wH.I J\JP$ARV_ߙ%%T0`.ggO,КB'w/,[m&r&'/.o\w-Z!,Se͛ѯFY_ysxoW?C|ID_WzlJk&iɘևҪzH-rLТa0?|{'5&I["}k*+IZoV>Y*._7iϸR+M}L?M<<*Mz mS0V]Ch~O V.4gsVNh]䵶_UJy81w8Ǟ=1'O4B{ +;Q׎i `&vN$ dA  "aIZ8nƛ4U6Q;B ʴR_H΄o40϶ekEntj|Y+&Qs˻$[c /0b#>;16̋Y/[ąs|B$ma,[٪Ulp HOfY3$r o푺 [sൄFMQ}ۨo _]ە]:wZUTKϡ5|q?g"R3aO~?fy$ַ>s6NlT(WR]8,mEm(Rc& $mi*nԭjPI?Wsy@,P5 aZI䏹 :,K1D~Pvp0HCzN˭0籤Y%1ɬpd~IzbH5tӃ,:acO&7UdKZ"#w]TdE-o@ dՉ}xt q7ŵs{,ÀK,qh5]!n'|gN.*\N{}UPdr9~Ef0%ȍH]k V93*I)HjyL[iCFȫ <qCSS.qQfmQv{slPUmEP5_5m$8UEtw{ևq,ks5Y&ʔu?9絨ώQ48'Oxyӏ#MCXZY i#o[A/B rWmLq n ?hݛh{] yA/RQ UJ8lOiCwit-Z[BԌwzKuf euAm. $.TFe&,T_Uφ}l tOy"N?hrӔl H#Y^PNm?7,87cd)$Aqkh:]J)}?>>5ri@_U'cM{Iڥ)_$*3 9ks_ձ endstream endobj 927 0 obj << /Length 1403 /Filter /FlateDecode >> stream xYnF}W* %:'=MV6aHʉ]^H1 ^rp(Fsh^f?FK)G4 qd5{Ǘɲ{Bzo\Hg1ScjqɤU%h(X0r,Kug D#oUʎD}}vt/KqV/n5)fvp[oG'r,r۳BF>*_<@OZ,CXQVci;V˥cQڭwވt*#Sy4fҕǤM&c_E0w3̒uԕI\ܢ/8ua`s3rͬԳ4R)=95 KQEi[ tbr]Fu6􇀊B;=z@aw<0➥(͝DTis ҡM@5C$_fpsm'\eƁN /y #$)d7Ⱥ1p>Z:d]́o"nd2TY4Dh<8/UA x֟7c0ܚӂc@t#89yT3H[QKc怛m<>gR*;.I, bPV>|(Ă򱃏XJ;I&[ Awrlj6 }OynH#w+8fFsFB 3hQLSPq)# è9`P>2(t, w4Ħµ,E>K]an2[4ކUt[\X?VGON/:~5}w0&ɍWE+աGM?[-o}U S$puՆG禯OW$l)'D]Hӑ\lB8+Hk۰l31Rxg!4Sx)o 0r`h-x#Ma |4aU:^/N S]1oj hX;\eEMݗZy V`㲱%wxxlZ)^1x 4{K+SA|X_?iv`CF5$\ޗo)1 0b!@ @~ {{WW$;@4^ 0E.!e~<|/y>-:KrLrHxiawf.ӑ/ [ RW6RpoYq|T4+7(򖓳p2ǝ4'LwTQve)~aߞ KI endstream endobj 931 0 obj << /Length 2035 /Filter /FlateDecode >> stream xYoFBiOry(HASEX"u$ofg)q= rvv7Y|)bmgwzF}&<Ηg_3<pjspNvMVJ@cﲫʊ4/d,#H;ug(#1! P:hZ̈́s}6yYE+"L#qBY7Ӝe@6lD"/>dUsq!f>%I3UT7>mJJOD fJʸe; @[ ń,jpeN*4Vy?!#ƕS:Lȸ{ls]Gȋph<ף9溅 u4osit 5Aj}j+YɌ R,T箼țTMK6OqBn`5Sı8Ї;ȲUMiSvFݫlA=⚸1hv2}c[A<\7zS@=e^>SyI+f) |Ҏ|[ChFq&+[S =8 y؋= Wq-aF%:ֻHݻ)q=-#$m'bYVM>Jh&Hj۽[hKEhI"m4j oVjl6MdD)]GܔN@741Z& YUa4["Fm#qt4x]qdB-p^Öf26EEzd)  "_+m-/=!"nZ];뇋?6ɎdL̷Bs&hs|DNmQm*{as4Ȋ,={t]yh :`<{~@օ4uu|'q(w;H p]C bj 3_1{ѢRh=VGLHqp$H5 Lj=!X"M.W~v> 2b8vʌxN7b9{)dY KE 7\ym`Oқ=S7ʸd ΪE{+Wsɦv,P'}C#UǵEr)[_g㬯t[d&M cP3mM5s?9y1mҞ\o\ΆyJ#E '@碯Ƈ9jV>k^x:o]3 ͒ŔQ,r{7!.txu §l.ޞyENնnn?>ɧHt,n˜8g,$#B{^l)PǢ_˭0@@kփ̔Խ.A 3)/Wia G6T KiG?F:ݡAcfxXL4+'&~P28޷qH"8^O6_߹&?=~zm endstream endobj 935 0 obj << /Length 1852 /Filter /FlateDecode >> stream xYmo6_⫨advHðEL"D2ny,9raC_xwCNbG'iC7ת/rhkޮ}xL LvRcE,GMS&dMB5,m'~MɜڱMg$QdF9W<c(*/>wRvղ;+*Ɗۢ_Ѡ f,a$Bqƀ O, [ALU+i`ԁ,.HՔhN$`' bͱ _anu"|xWT~z\\Lq= 8op|WUA kUe4pf F׵D e` ]Y@AvC[pօbV.GIBz{'y-s h:UV19Tcb ` ^YF>wbL]d`4lP^!p3"p) M %%$?Kd22+jՄ k iMƃuRǣcW6ƞ^l[F)?Т@0ͳ 2ږF2dBD WYTQVK c5.}J7٥˛ 2Y+1S̽ր&-rV+~ + w>U`D3H$b` 93TѶ)_C×Ϗ^w(V_#L"L$V ~ϐR #4!2n KS@:vn^=n உC^x)uq_{^j/ Y{bz3yA x³Z#u*!Z_ V[np-mkɊbJty٣%!pf3,hBA}%xܼB4~w\?a*t[ )>v?AKo/ XrN+H?&WD07yӤ z) hO@?LզpѨ4fK*-FuOՃ`wiP.-·lEG3#d8”8!Gu wk͋"Fڿ8/DYu~!Wp54 Ru endstream endobj 939 0 obj << /Length 2367 /Filter /FlateDecode >> stream xko{~/h ,9-"Vq@E"B*;3|HcCq3\O.ph-Rc݋Cۻ x+@\M0_u-d(0:_ζپ+Jk?.WDhzS,W*UIpqU3eB'2 &!!޿^ZMW6RQ/i)ܸ iOM/al7q8(2a7Bua~?0d[T(x~u۬W|+UA 9Mi V~xoWou1'r "Cb!9FVh\a4^."(VVOmRˀ2~ZF֖U084%>z-*KR`M[ޕ5\=y*JlHzQ#D"0ڿ/xy!FFje͢Sѵ"N058tZ;qjdSIHIc} {G -ђI͡ACE 3@KAAWe5! |O!d@SKF_ :G(yI9|T,^ -/?QZ56]>T7j7b"0`Rr ,?Ӿc|{yvƏ |sWI*@`=|N$nE={;bM/uҲA讽x6bH?!*#1Jh,(ƫbNUO2)>—Fr /$N0rt宄{ 9'sJA>S{هMWD4Ѱ-e#%۾sEH,`OUQ wCzuʐu.+ C0K$HP:^ լG`qḌXsixΧ sL4'-V!~oC zgz:I匷p+h<+ڽoh` <|/}7zqahc9adc–!%l|b1/H<(%?3;ugi`7HjaK1IGaU|dcXJ>2mT 9jӘ;]!G:f_Qei.IsxR!fV9Aνo zy3foD`?x #n< p~JM2h[y/-Ae-}j NyX5~x(ڼ~W~/e8y8x½Km5rPy9A*U< v}q\:)Amc4/`焦 MIЃAjQo72KT5)*cI=cl(cf Xv1_.Һ ː?՞wys)نӑ:@c>Q1sZE#H!z|Zσ$c}~$0ńj>u,zoitA$͊D+ endstream endobj 943 0 obj << /Length 2766 /Filter /FlateDecode >> stream xZKs6WLΖK+7V9VK6N(A!gImo7DEN9CUh~Pb?)M&eX|S_D7o/q7_K"*v.:'NJo;}{Vz8K)?_ոTǟ'|fS*D%4Wvӫln -.TQc{jIvޡeߔ'"-/SYamIc $V+J~ٖMwfj)vGaJx@!z+ߧO}vjgST#A H"D`:,%3?#RW&i A$ޚ\I?E0-H}UM'U9Q[R.te 8hT?HBHݓd"nƌ,qK["C`z}aԝ.`x,߅KB#YUKK #̣;8(p:ΛLi^'"D{îAKL| $kg1& ag"=P?Sda6(cPƅ:.d180NECGUWF0uIc<\[ ,n"eY^zV0Z.aăw 8(O=;L'ete-)_ABO BL80;;{\mSp6DAdNc{͑1 ciC^k8Q4B,Zr^'IdawT0ו@|%ӊn; qR7ym dJ6иK NQ2aՙJ)5hg.KI 7 uŭI~Wu.1 ]hՔ9N,I z=M˛f 3,ybBaZhyf[5IRL5/Gl栖:a9<=Q?zZ0nrLo 7lRկ)P6܋ßXl=VƔ7+~<P|4U-FQ7 (̕Gv+`Ӏ4\H stY6:G_Hr3G"y% ||y^Z|Q)2Pé (Syγ?m*eCWC۸ h҉}8n]6=Qm`~_Ji&lu> W  ڹ×;!W F5/^<Ŏ_=%E2_0\L\5 +Skݑޔ.#k/xC1,r2&"VC4z1X\x<5To!tL VA'hOp!V\xc{i>۩{\˜] ^X=8MY(5?> stream xks|1Ji10$TsJvNNJRE`%baX=/XXvjizfzzzM `kQʷ¶+U(0q=՗ ? puy3%uYygl׻dߜxoݍk]JUl\~帕Q3y™`* "V6PGYoz:Iw *Br >CP[We-OiaN7}}eSw>J&i(:dסC?@u]z*g@$%nt|@Ǡ]/l'd;zξ8ǛT's9_ҝq51uW[fr-|(J@5j)1ЏiPPklBC*`nߏܮb Px% ( 5pf0c[$1mQԧ,) Rz#n70r]!^PcS;zLzVk֭HAުQo6 ?iUp;a-YQ :xO1Eo*8YGUD(]q[i du Gr +k}e~,#HkaUJQfx H&6GQ<[12?Al_2ٶj+/ &i,n )Ucz q&^޹/e*$0-5/q "|b8Zd}yQyrh]ס KBkLpQ31R- 8LsJcϘ$;qUb>/^Sx->xDSjl'Jfɱ' M2K"Me>x_%Ϊo؅ӪY2 Zf>:#AsJ㇐k2,9ܒJP ACכl'[#8Lmy W!cDob[Wv-\+!roxfJ6XCBrs-R*2c2}zDM3ju&EN8 H$BVP ufd[ f ܗhw6[hUv X"7{ ){!Nb!]dvN&:p$nIzHi!)d'DBlM=6uZmqv1 s 4Z0@+|8e.u QxP}=ᕔ lW -#$PfrX|iˢ˞>q%e3uXCM о`ʆ_Q)3Xǖ4fB.s'zd%֔8nSԐjշIjSm~?/Ȣw IGŎ rCK{u;v'9i ƊHvb, <#wsnC9 (ܠ̣%P6#-!2 ىG R̮4yH]=|>FP @OJ't^#:H ~*l4Klr|߶╪'V#^?&A*SDcGIZC6seX@ΜV*c67$xPl$ӘLޤ0Gvr.zrvh+<0,:qY[@ U2$QƊ2!ӡ=ՐN1?,K[0lqy!o E( 4%@ɶ1f}ǭƜ姩>_>e/'U~b?u( SVTUٱO X Fq;H f퓠k;1/]&cÑygcxh>?@=â$7:8u@K,W ߓNq 〴CjTuQ9`A SE,_4+& endstream endobj 952 0 obj << /Length 2112 /Filter /FlateDecode >> stream xYYo#~_a 9 B6JH؆0"[`!3ӔVGWUUesMTT@tmb'5IuR=uR0+c,MsظPq V'C8y mvBӤb-]#l0 vWl䙇ׇgDZ.M@dݖu bB5y,kW#Z M ׭P?aH?4#q)t]1k+9Cc11c$y-M0;+#Q?a37$jlfO #FX8##\fQ]rK7Ƞ4B3T܄ d&ǒxD y,8JHc pp[d29`+wx^AiyT@T׾U)=#pAc&e-Fn:FF&,==ۇ t& ?UT荃nFlÁM"T&NN=!C`>2@]=4~2ЧꮬKeLY)C D6i DcB-JMF2;Fs #f" 7 aQB+܃N=:BώcN 2A 8VlɏB8Faq*"A~YAWP*Ϣ,PźOj85tk4:}?.:BbBѕF?G;b݋GKI4xnx&Sd:V Ӯ"" u_zOJ!ʎ1PҹmQXea5<_+ ˻"U lq_ȹjA&#•Vv$q<54~0.,q;ctc0I4邡u.7Eyxfq?'{}!tiaozYw5_7!p$)Z9yRG1X,R)$MnB<GoGB\]>=mO`$t3b,2\dM=R+If}&SO[ZܘGM=E]C/A'd̊s8cBC_It;㖧PzX]bjg; ;~1/ 1^eًt~9MIkWwwwJHaӁ7G\=.+pbIJb@7MT  E ˇcNYWTSlXH71{X0ִEE3KjgT*`:Փ4ÞElZff]el΁ou ~aƠ@~gG2G xeM4yENh.ƒ=XWnuX|բw8a6 !W endstream endobj 957 0 obj << /Length 1699 /Filter /FlateDecode >> stream xr6=_KN3dIC$EZbC!$w iDZ뗶.b[|ÏI6'/p7ɳA0>K&ۤ&w8 5ÑS? GJIv5Y5͆#(~d{sZа5jFKRK{}%M\ AVC鵥. k$]-ۮ$B)Z@*o{3v e3BfY]oXkxB, #se=kfU 0+b2Q,+xwX;b4˩a$ė*<|cGƂ*{Y '}~Ǽ^9|yvz0bV`+jSdrZ#lҽ@߽1|,8zWJa{]ٗQؿ#B/ c莮q-v~>&M|C\[:OfN{CcXJ|ˈďh{; D"!`X;=w\ԙ#:"aQt5Ȫ~K~JA2L|fnYIt1Fy[K~T&=@b5.4]SK~ .P@Lz"9EU3!$oblغXwT&W]ikCmz x[ h̑HiJȂ$\ԹnyW&(5@v@cWЦb=_2Mh5wswpN+Bu1q sED5cWSm4Ah"N0 6u(nT2N\{03(ԅ/i5NES:vh9?5{l'%+]Գzٮ C6dMQ0H`μYrCIqNf(!uQ૩O"q21+OuMi0[!L-HMmӚVŬMqij`-E>]oiMJcF$3ms- r))M@m2u/SCY̷0*80TMaVc "i(cOܕZ6~_? <{.}S>"έa]&^?@Ld@[ ˀq;{ǼۿQ[Bܻ=Vwo\>Z.@׮vV͕> stream xYo6_GyYK0 ɒ-nk Ci[-y6wǣ,ّi~)ɼÏbJb#߾-f=;Z'ãZb?j8Nɪ2E ԏR{c0"~t6܈BS`;E"qRB, ހK5QӬFp9>l pqt9^di&vqa,)o8wڗvD.ĭ. πKO2H,ꠐ OâCFknߜzaY5b+C[mGi:0~1XoX-gz""WeA'24 |>je_D y&4C̊dA+iQͧCN#Gb!Yiv1u`~9/ 9jj:){yfp'@H6IF(ColJx=v:g'4Xİ&v# k[65x46adNV@܎;8-< )N?kp*uj]a)L748r7Q5b襵O/*;3 UUw `maT] p;( Nj'Lg`vL$'PѥyfR’]bETP 3%g;)WiZ.3pZ(ݕBû\+)+usiB1GM:Ϩ+]$VPB {|6ˊwDI}}~qק/Fuf6-sp% ~oVgu!Yhc;ˋWgpiR_nы'p/>i<4營Fy-H$G8L_4Q=jTW;UW-տuZg b} q$V ΤEm;`Q>#qQni\BKrT[Nz/?al:ؼ?  'aw#)Fb~I@)xRDNP 9(ȀT::|@)BmLJW,rX G-,%j5p0Eԍclw a)dYrҷ@4X,R!prEݹ ™Q8 G5µHyO]%]=^%Ui>v Ddw vB [0ja칡P3_ *j .|5x4 H=`"6hUmXO,~ hCfz =2qw&5Z;2_:ֶ䋺ȕif^$Ma--`/!! PTem^ضo8HVE:Z. &3TᥗУLP{h_NOg& '򺯵 1h1ˋ/KUgc060X]u{гW7 z J}bohǤ endstream endobj 967 0 obj << /Length 2462 /Filter /FlateDecode >> stream xZ[o~ϯ[sdbi] -%{Μ!MTF s;oΙ1OxbdJ&ͻ 5>f0q֛yq4N桿br]]LJәR:\銹D*~MGJ @eW- S%+RYfR&H-1VQ!iT2!y@v2ڲqF݈L>3G焦,'i7q8P| ʠUR~DW;QԸ@߆eXCaʾE#|k=e-x6lEniwlö)u7w&?4ż6/-@ kYU_ϼ #5C B,0ݣ{Cj$1,XDCPl|L't4LsUI@UfH#4\oi^QUcE3*U0/%\ rQ!\vBq :IUxEcyEdt 9Ya{rw`6KfbIpL^BVK2׏~W*.1.XJũ$yQ9['iP\ %a$9e7`ݱ+e@g;&fRf̈́fCȋ6"&Zy)+ BX)wF𔅏b[%1-Pxgk8'S[& (e77/gʐ/ka2"D[*xG 7c\`w>`c-:?۳2n!uUoE\Ʈ a¤ 9lz !R@m 68_d(e=FAދ0 næ.lzڻYmW.q "C vy]~/6:m-|.r+Px"w&j:hֈ7ܯaǎwN~0w]"S\FVl¡:7NYjǴZfdwx_]^)g,$3$/ d!Sh%H K\LUy?'fYd) '{* 1Dn(ñV=m`A~@]ㄋǾxT`5`0 GNObj@V^^\QRMbw?. C71pt#tPct[/Z>otnquqi„貱OVG /_KzhL1}2(/uXKgL*o26("bp26U- ev:<0*_Ϳ\_^|7 X&d@m[Gݹǫ-ӎ\'p,I> stream xZmo_q'*m\&mH pjj6W'[ ;|՞"R 0[.3̮*|ƫDJ*_nY_^pn ד/},Sܮ>DZJJ]~7y"dr/^]ϔ W>!U+cRdoknmނp6 sHYjfF `G[:LΔJE/d&c;P|wJ">Rƺ_UIO YkUF^MvXLJ/Anմ6<ʎnT>nO01KtZsɸ.G&2쬝ñͷ4꛼9/HFY@c\+&eBt:8XmY#A1MyvY>Vj@WeN!up˙aHh*MNaN_{hVz ŽBJYibl.}촫hsnqNc~( i("OrP oh #ؓQjX}*iC 8M8v:di%-ۖ&ԇH8NKytpKjaD{5y,zK2L3i }MW%YSWņ/H珃2zS]m]إw\)͠I7 &nAGjb 2J~Xεqh>b8ڠ6]ipky~|}& &AK*`څL1n腸I 㜦8ś 1Q$[#.sմ=̍; dz?]76YYRFJ!z[3[K”7֛)_0.X!TEWdes֧4 8pxyAd8fMs9cK|bhw!߀w3߀"AG=)ؙ~()6vu$BlV0`UtDļ 88?WminY7YE4sDkE¯z*e5~nv WNjq62rcNl >¤Q{GqI̺l_@Dŵw'3u'ce Um0Č`,"CS;Pe-fbgpݧwƉ'8k&4`'B恸YS -s]t0Oɼ6+6DCo!BUan=|=A'eЁ `[ ?+-x᠍hCC: N,uLYFJguWJ EVF&-I0@,2*)vsy|V- 7ilfND!WrpW~B|HɻcHvt5w#i2(3u8agDF1.w쳻 GRIee{9Opr)]^Rlg^n|uVV[o ?P6}@fW!Mf h 9@ipyTg ]#P*mZۈ+>;9?} endstream endobj 976 0 obj << /Length 2848 /Filter /FlateDecode >> stream xZmoܸ_~\dY("mR$Fp%+ܮ'i~}g8#ڕ_HrpI$ O('YFۛj3V0q|uOD" Syrq퓺(N~ٮ/UEJ8xW^mYJ*ȞtgRRO|dS2V4MOʳ:$AI}WoY?R> uRe2*a[qZ=LʛT٠/?D}޿5˪_+ݩLW22"4UL SS;<0Tl. xy?ޞtI0/K,fhaC 7/?TӒF+~sd7Yn`*GVfSwnd!dHfom~6.Eʉ'JcSo>lԍJsq<+ijإuSªҋ%2B3̀Z؏T"#o?rQN*XUہMoKu:~C>bshiǛ4aԽ/JY#R,pCQlռ(濾 H\ɈfJsDZ (xSW}m_jU}8:o@6@h36&ZRvX|+CϿ;{^,iVNϥzBbNcS7zPۧS*F~7O6_^}+m"t77_W2IE I,RAWmwAعEt,Ig KZi'x!kvҶ$rSFW+&~J騞th\0: ciqmh.`%+Bt؝+`c^o%Xi+I' +\ I, ߉4)E%Rg0ǯuͦn+~S>J{;8F0:F կےvkaq*1N=N:fC_C U=aБ̨u=BCJRn>1Q*pHlv` [뾭rg}ƶHknvWMvѦuF[ڝTHw1;t9WPkb V8&˩PLVQ4sTeFk4 u R0y=v jh4o\\j|/SYy(T,?\J>zѹXVf᠚X#L4F6HAS*ĈyJE€s_hk &hTpVxZUn+:P+tKA9cqm"QO(uHbqS7ܘ|N%EΕ 9ovY#Tjo7֕-$'*``h첎mዦ.Ak";/ 6Ol.й+ [|2fu>7hL'2 _B#fe/;wlm{ª,xPkͦmWbvY_cٕ\vfzt2T^Ϡ9Ov 48Ő2Hr/pʡ )l2+ <4YQasu4p6["- $ 6MA1QTF i 9gՑxoTbL%)yֹsqi hK/Ń`$Rx=:YQ`%1 (?s]z@W&"AMHc[ 3%k\vsZp}u&Y=4xfI1;JRFJT7޷.0$oE(Owp'Wi')gRc>=8I:c^#"<2dHNJcS C"[AySa:kx?.26«L<\9cgjC` ʀqWZ^LQs"d1*>FC/t*"C=h{ϣ }Օ_uKJuݡ(W{E &r qdOj!] SHTAN: @պ,4P,',pMKMW 6˜ɿA^a [RqhCӀBI+xv#83_6h'o^RVNwoHLY endstream endobj 980 0 obj << /Length 2618 /Filter /FlateDecode >> stream xڭZm۸_NYE"yE?4Htۻ"Z[+,$yCIM{M%p8̋^Gtz%9'ZEjG+yԭ[¥͋߾β+jzus瓺\}HPv%</Bdf].L3%\/>ūU3e2+/ES*WP.P7w',̓Pɀ]j%㢪e2JsYe7Tmwf=?wۺ-dGZW.&Iykx&NW5P5}cX¬k7b:tDX &ՒrB3\1-Kz$pQKBdC՜&( 6_bGIgQYJ|Eߵ5$)ǒ+>Kޓ% i_7-ybq -^h遝!ABH0LG>l(eSwFgZFx(!ۏGL|zYGs"iN,W,ѧE'E/nA ^PTT΀;/E j[Յsi֎{ٞDo~bZM.!/O/g ƒ {XrC(СYMGhk~9&O'JFv]9XMͼGWڌؙO=YLd0,5lvJ4pS^5>ylivf¹]LMTޖX\y(|ņ! xŧ^ cP#Fl֙G 96*V0_j^>`ǕYeLjmj_5Z gvktVXl;ˉP!es?<Ȃ>!$ࢾƷצ ϴ.+9D1q8KJrq` 4 2|31HW)9#C x+GUkzѸ&7Eݔ6eɻv(}3QcLA˜ kXS ҫrpڝeTvYn3[[FN@R= 4%Cբpy-BMrn Ky/^Qh3nF%Ƙ}RǡRq US?bG-5)}cVpuXk=7[}ku3hWq'Q *(DA Pwomn`ĦΠLӬqQa4龏$ޥ!f49A[s6zv{j.bhPE8B?W gg@)"xϞJ_hs]yPyu2`KXw혿@ƕr~5+N-:3rz)&s0}B5|yp*C.@Aa?kRA?ZB:,mZ`.H9DZp&?e -__ݬۻW 9FO}.tS4`$37ьUgX%Vo8b+x3tv*pthEps PG91oqE3`ia i'#M nfpM1{gLaf mMYCq^+*GQxk=E:TN /7Q؀fk}L.FT:K#(RM}e!'N:`36Qƻ@?(UhwF  1n/ dwB 1;G `gɰ#`y<-iB%\Մ,>Ԁt:P~NIqPir}P-o,QcO9Pm%Y)$]Y/8Bwam?T Eی$">9ZZWU`q =hC?A84@t=6ΤH^/4TX/8.BfO3Nm_FjLQ@G3&.VAL3ld_",K6ZM:oqT -r N R' A t5 uN!]YQZ*{o92EH }C":Wu8@bKY't׵زz:Pt0Xo>vtbԮYRM K h nƶ7̅6ZЁMTm, 25 M/|*K_-9ܤy{%_-i7"ʙN>ٲ3&SSHJVX2X/p2@4BAK n;}Υ ~[5&Cz dD4m,EC!.w;?ÍѧK' [ӿ97*ۿp핃oXM[*c=SdAFxz endstream endobj 983 0 obj << /Length 1973 /Filter /FlateDecode >> stream xYm6 _o fYR}؊uۀ I;>'7ǏMۀa8˒BRɇ"?0BqNЋV  q9͓/^J11ݐv:zqZr#j)^eMvd)wOXI.<#E\d;&-߬=#r=y g#4wU=|_Xnw.m[䇻+9U0xфHZ) J%JyE{ m}&]Zڋ%S$Z/*Ң& vzeH6zCdfVeTiY} s5414\{Y5/KŊC&4"@XjNbޓbiFw$[[FI#ї75O߯+|Gh%B$rki YKR*JS&n- !Azu_ȂYܿ9a=Qõ. ܣ+ͣ,ۮ.N@u{m+V!&a? 73_-I'TA8-`WI}{+)NMBc h*VflYY]ƃm0X[vߔ:j=ξqv̫ŝ_v +hdxWP ~K`(!Z$>DbF` 0L`6kvB3A{tc>!A,(d%YcLj͊913A0Ini5g FYҭqXgY&:w 1_.FRPZ斂GHw*z:PCмN@ Io. 8vB6=>^< nY ׳ۮ ]pBz?#yΞt[)GrY.3 0?+ũYg"N Zl6o- P<8so8lV6N۹ב}.WsHl(XɌ+9IH#:BxB 6\d,/J$a]VVRlj_ pBp>uK^jd3PfߡOa,Hjli?[ \CR_޿vmAmr_Namz[|Kq.VC!򂰾ȅs Rxm%j3% M!D YPfνV͕ȏp\]GBXȧ6fH&z ڼ]Anpˉ阗^59Gb ?T#R yeBD$( $REu3wLoX:BEu w 'QN c[up[}m /SG{} \6# rܕiT6fV}JxdgN7ٷ2œKXxgR]Lb׃qSQ jESr|U^p*?յbb/Id4f\GDpw5, WYsJtTQ.mP'zNNشYOAbzlNql6D~;;:ܤEQpOa4{6!&axx|;%M)A:)۶;*095r%fՔ `nΩ1d9&q;mwcJy֮07Z<"%E:T\ >j%@0+ӊO/ƶev6 3Ƕ͛۴'=~΢0lLS/$2V%*kah Bϭms)i+<+礇DLcAƻ4q)^O瘷߬|1hX4v i[, @c endstream endobj 987 0 obj << /Length 1770 /Filter /FlateDecode >> stream xZmo6_o_E,:lņ0TE*'ia}ɢ-I )(x<{-OTE1<};do MFF&!”9ޜN%6U譱 HqNve\6Q|'pzBwĘ iϘc"Nvod,ުL_I:'N]k]括Xf߰ w*cD$i1ub2>|vaa;:{0ңsMQi7D(娻2Pa@LN̫sSK$g ;'1{d m K2,̼{̼ÙFJZl.j,YW1CݸyeY 3#)nĆ>努PH "\cX@xDHcT #$JHpBe f. Dj% (#B^@cN"K嵛۴Cp)bt'˂|R2+ЌpO";Vgn"(9j+=zSzi\`jous>܋ڼgw0Trp*ũMy w XJ (!3ԛ7b"F%`L[:mii 6֛u?6U^|;sfMݺP uRb$ō\|jB+AP1OF2qpEH j )E ̪q v0G.;¨Z89>9QW~dxZNr IoQ&t퐋J8vӢ1LHyu]it3v/䓙u W>_y%n6YWx:oyj40oiCo;ȌA:F`XINrϢ*t#/`[jn;j~K@|C{ǰ=yy_c0 jVwc:u]mq3ݳ% DOͺ:׸+$ Et1eyAMNRJ “w$‰5_cN{!x"-a!uby0Ƽ$@ AB cgL3Sx v™adP%OK hcl$^)iݛwڥ 9h;@L]HO-:Ov~֛&VYFle[hhlW=DRC<.A%۲Һmv}^C㷀?zG'?S>Áᇂ{P9B f*,z~k*@`*}Y4t,DN"?cYl #,w@(3\&hhaoh\ -Lb9;xˑ !B{-Q-z endstream endobj 901 0 obj << /Type /ObjStm /N 100 /First 885 /Length 1792 /Filter /FlateDecode >> stream xYQo7~ׯc\9C@F˃jokdHfK]+^,/w[r̐Ԛ]pXqإĸF\N.ǀlj>j cuuk( B,$g#19(|F?!!A⢄VxT!;z1Hb֡-r@P(1 *bth_6EM9zbQ Ȕ05E2Gb3:)Yb bKU.|aR%iʠ>dy$$>2 aLe 3(,Pg0QAg[eӻ C7ͳ* :X)7`wY-DL&9X:)F-hEfBBkt5gM_P4G@ /gNܹ@ZZC+zV4}'dJ`WV$Bh_j2Å*hYvJ-F: ^ ¡ O"TN#0LS*Ѫ UgϞ͚[<_,YMwů]7S35/۳{Ry|_? sk^K׼p_}y}Ѯ -_ܷgpo*FxLDg[\]xzw\lO |{ noU?_ z)oon0JsZjAkN_u}`v|af i>7˛YVo[3LWuZcT &Ko} $ᣱ0L=E~vo?f®?,6Eߌ3cb3aq3lsuhƼPFpuC|owh;]~?R:+!Wu*W窇ANI#$>>NO#ɟHjO5Ɓ15r?6QY;/<8PPH "keGZ˿m}u\ifϖfѾ_wM?*bn!LoESn?xFe=LD>O:pEdlziub^uz(JQ9~ : ҔtpQP >W,@[,}ٱx5ZcO4 a"ԧGYM:4\l*p--[6eWzxIx1ק˫L 4|˜b +s)p$9p,d?Ji@LS$ǹaOÄ#&k1a9 {am/2 7ڜG>&a um&޿FMMQ_oҵd۳ՇoorsެrXd\ȶ6z3_,+0~#&LT8%0P'SXGs#t"}6KZ0R~'稼Ax{y` jm U|`} Iɔ yAHQP d!wBEP!v%f<(vy6l7Ep!D-๔n(k>;PdT>ۑ;?kW.j\7-doĂ'fqIJ" >yDabo|ڽԈT+B#Us0vΛGL8[wǽOʈP<{)JǙ~.2*i-tXLψlGF\ir:,T&+d;6Y endstream endobj 992 0 obj << /Length 2811 /Filter /FlateDecode >> stream xko6{~ˈqCKZnC3]WVړI|菿P5ݤEpEy7$$OREe'ݣBۛ#xK@\N0?z"Od(0')lk}.Z zXFQ)6E[ԫbTJ Ro=?LLEY$qY% ɉ"cK!_ų7pJ? EJsNFBE!|r>őpL*t8H"T|>oNEn]%.յ+d@ʒz)AY2&ܯ r-*|X,0}CXe]4(F0js]EwUT[|[Б?2jAvveg:ޡx#>ɷJH?Z~P, cY.%ݷQ`:Sk\5'0|w4"ph5أp5kڅ P 0d6MM# lx9+[GHt6I~(W.*ъjU[!p`T}LIk}&ܮ/pfõ;b5mjp[RҜvCRa$"RI~gÅ@?!P~h ȅMx"|@$8Q th: -gOan^$|mGk3A&-?clUEk Ӯ0jc8(BlyJ?,O%?Ж'IO1 wс\Jlx Ad/]ABj֎_qy]!oiB[tIl"GzFG}vS(|)WX~6upl0= p|AS.bh -pߊv8X#"PВN B)<ŐǖQn$8ݶ5?'tS2WS-SZTS{Ey6yjUBY$m56CMK\ ȻIt%8-ջaopqЎ :_9TMZZ/3p:XTtOG_tC|ig]ʁҴ;I*P_g@Q$r v]ir|Om{Rv셌<e@<MY R;Hl|bۖnzv:<@s4{sXp~S{Q$Cr Pp20冑, At 9Yc5P 'U6%bHa]{CEv4 h(!)oOALyVe@wFJW1^‡f=/e~> ÝYQjQ$Ck2]@?T%N2wl*Sa <8zmp|~~u&i>Kɓ)&ۭݵ*l ;ч8/b-tH-/O,ұC2v]iͯ.9k*$it(̎渺 fU =J=}V{/أGvoRs-vtXu. zXW;Askká8'/G*<L*>Ѡ[_ހ㞝oY,}kڅƯdPRٙxxAKǟD¨oHϿ@BX_ϺpO%)s uq5)V0)gm;I='w s2V10` OXх;-p;:td-hYQ endstream endobj 995 0 obj << /Length 2049 /Filter /FlateDecode >> stream xYmo6_6⫤maò6 dr"Ė=IIa?~w$%Q2eK 4Ey;I$ '$d9 ly=1woΨ]73gg^K9!I„N.V2xy꬜8x> !w*+bMg,a ^]xU%;&\or4&DłP.]b {bG(bF5S?h(QN~ 5Of/E'ӝEш]16i1eq`v4ׯsmޮ⺾[Ezh:OoAMH(b"1nuǏ^k΅λcyBG=a'{rTЕC#qWm"Y/)!s+o;)8:<|c]^ ,өfL$X&+2]C ,QBBl>\bQȸR 8(W"##Hb @jFmuk4(TD%IT4qJx:M,JJD8HF*و0< \{ /DeUd#b*$з jV]RiN?4j[jgYCT-MZ9Ӡ2Sywήu[CaQG=rRH;uDi Qͅ^jC%(ە~7\X#7vvN2! w8"X!iDc`᮳b[@Bg6K{m\f$4 Jo`C\B݊/&Rұ"cfIp/ON;5$ɣF_LvkȂy Hy, rdO˻E}_@g^JO%Sp`n*DBtм+q$zv@=zO]iTؕHq%B:ɵyjƵXA)pzAi8}O%Uip=#M/ endstream endobj 998 0 obj << /Length 1999 /Filter /FlateDecode >> stream xnF]_1't'ɼinMfE48챤|}rDd X}TUU)YU;jw:n ?.ξQYg|uq5EuQ^E/nRFF)jlg®7"ZHJ hՏTFphGK%ڪ|`޺7L8fױ)&0]jŔs~'SdpwK9GdwDh>pp E*<6d#G41KAZ$Cr\S=.Xi/}\ O83*짦rU^WXL* !oʸ~jDI&$l,l vR] Gj\-ja9!k$qu\.kK%W–j\b ?\Oˈl* 4bQޔ4\yA(^ڠ?K( • )5"k[6]B+{HX]n;#R}ɥ1nW.OK?Gg2/*. R2쇎Oƒɣ^돓fH[LQ/^1('#{Wؽ#6t#ZsrAϥfR0qM*a>{|5zJ-Y~;ox#Q2cR'J4N\6h^ Bf.$LfIxO99Xw}7W`_Ow6W9XqT#Ksgu^7|sLO=&Ƅ5sZ{2q~il3O-w623Q-+DwZ~\*{t}SΞd8y΃ME}(i?\G[ia*FA:F3njפ0=c蕀sتʍh~~ utv *bFowk r ;:HhBe' x-9MZԌǃⓩ3zH?9:E> stream xڵZmo~b/NԻҢsy)ȹAK>Zz8F ZH[yetTɁvSt=' zӊx6CF'\?:~ǥ_#Gb>Y?P/vǍIlYDӳv8ئ:'P~{\1+oULD}/n2pӉl^UXqN1 5͗kzQwG4vZލ=SHs[2(ݙy`F(Q0 zܹ.)ۂ336&ʢo.\tMzwVzT 23;lQM#ORP!k H0 `;tfq0;HPo @nA^Vq&1ۛ_ζ7H9'xvL9gPIsgEQEo7Qa]~.24Z=2cr[ O |B*GOQeFz`qX'΅`rC5GuY;dC1Bш\JQ"8q^U2J8s' E>x3eDovoQskgݷFfs &Ԓܦ!c^<(A׽}TYoa*JV6^TBEdC;mCm=`— \mrڊ<ZvZ`F|&Ҡ+a`ē|&)~G|UrH t&"F\W@r׻7^]#,WN;fy(>-b^; qe2R ~0A-QtfC5.$9}Tv&^rB &}>Swg_iv,χ9k9t86QtͰ~ X Ec5.E1t;Oc?JI"Jysq"$}ڦ*R;t68\K?I̓Jq|%2G׊4#-*LjĔq[)9R88UC+̥5 m[6'0  bBڎ{~ 6 FR/)ѭT'Ow5kGM=>{*ȩ쟏}폫<̣ W(]拍pҶ! hȨ\o0nBHԄ@O0cjފx&8*^(TxuwhuGI2`-MURd-1|y Cqx;wDDyX/`xj 7> /%0..`15NętĮ,#A#S, Dc4#٭<>TAnޮ&iZB DąSTxJ`#0ʗ'>I' 4JoR4_|c)ǾJ-Xsy>UC aRaR9["  Ɗ߅8LgPjT;gaMO]uhGa瓷jwtB\  p,pJ5(Ud5UyR$%SoZƩ4, P֒DCR_g؅ealI;~HNȪ1_Erz?c᩟N n\Ǎ/2ГTr@vҡe9)qQAnvu׎:8tF)~ؘ/Z]|Z()4g_X']{x5l1z6R;u섌1m#fhxTJ0~7aF]I}Y2<^ $c}*Ay:+ -9/0> O')S+߯V4NtZzR.>38(NczT)| #w_3_ P_[Bk ⿋ endstream endobj 1011 0 obj << /Length 1911 /Filter /FlateDecode >> stream xZn6}W,RmeśHI4m MCrmv!ic_MeNKQ gg1Y(er?Mo}27`7nώ|Qxv.ufV4b?ZZU/HJX2pӓãn+N-e# % STND2)B1 n4D5S5+]+M(+H:2U8ڥ7|ZA!q$E7}"A 8FP?G` @R?]/קmBHZy92 (E|ALBTۖ.uSΘnՔD3)_Y`N!JIsx 9҉>ckI3+QpڅIl;'+=J WPGSۗU)+&2a .םE ofJߢD*!@&)dPBg[Lp{ZH Nq3\AgR+,x7`rg]40%cHd0sq; qx ȇXݶZy%il8#`7b.Q6@Aq 0gOS7#@@s$^Ͷؑ\P+8!onN:MQ :/Cp""IY!IoWFkǝHwvf/[CKd{!\=oMݽ"y~Ĭ.T@6* *lZ&͸-DyfBa.wb.T<ڡ*.rKĹcL7 !6FeǝiYk[E lMf뫓:?ݧ]ICUY9fV׼+Z;LgÃJ!eC{'ӘhF * .;nzgEkn1tCijM6Cw>rOqRkbxin:T馯o,n I- ښ c&tMsۆ7Q"{*~$ Uɻ]43w1wᙻ왻B-yuEd^ NI@O-g6[dSSHAv|š 70;>?՘(`!":C!<*[*5nW NJ"e[gd mNfۇS퀳jC뢲1eK n-6K\4uv$PNƈdn"I2`U,GdYy+K5 endstream endobj 1014 0 obj << /Length 1864 /Filter /FlateDecode >> stream xYmo6_qSE7Xj+P[,M6t4AC>DG'#FH1MG]_D#L?L}ySRPdO.USG 4fߍx8/E5-F Q$1Fo'?'R%w6%I)JaWnSB2)b^kB)G[!_3 ]pE>]/kݳNeHP%Xv䲰9_QrBZF*_vpVI1@3x@zш*W:޺]c8'fWg'wrnNMS' 2Dm˪)zUTfQ Tp"PqkBjQ׼r󤬒eUw،6ސf O㲚7R[hl0ky%fz~Œru pH-q>DsR;AdiMtdYcQ\`!f{}`QJ"v'P ?]-:1 ۷5E~u/}UOZ#Z$Ha d$i -o}uam;jєuxs I 'tXӬhy8m<4^CĂh0jq8,P1׫fn: XQ}w9m%Xݦo:4t1-NǓƯBChB eDh1 Qv*w᪺Vg#*gn`s.cHYt.6fpbY."H:N~uU@J1IP{Im}BMm5ܪXds40j NU*r+%|JAwJ.]=tAX];ȞdPs}Ì/4Q(6U-uI@@&'x8-mGue!$8xQԵr~Q8Hd^<~4 "DH8"4˛,َE<.xLx7!Œ!sR$qڞ Fc[L#OBjYs&姶6B\ uzVM?:tg3~k/Q!B>_m՝!1 E(k>0J'ߑ5b7]x5Cp;؁C%sz{=~pZA:Y|m~^8Ye (lTԗa<8=3qXy~ rНۛZpݖdI#h9$#IGK4~$)N`2[NoOK^[yWLŦ~Ij0|0wF(wUZmmM E$tZYj endstream endobj 1020 0 obj << /Length 2558 /Filter /FlateDecode >> stream xYoܸ~_K+R(|\MCһBqpHX˱sSQEr3|3,g*X"Y}z=_q;oo.^-߅,>nu}N6|'/ Z׺|!BO:DBkHo4g+H wR 8yBY,7"RLx!lI0G- ]͔@Te_9G0_rlմ9.ʦ}G,J-:H8[mF ƣȚ0V[Qp-1ߗ<@NMWanMB70)=U״ƾnuӤkH(hjҴvcw(euM) miqwY(ځ:ҡ )n"E ڜ&Б`ન^Soh rP" @0/]1VZ7u cA͍G|:,ˆɸ M0GXomf! i^`xy< +WфBHܕCJm,5' O frEwu7pπӝ> N 4Dn+V QEɈ LEcAH7ьX@;@fㄦJDs}ZT&.&}9GL/pLn#F F}V^ݼ6NXY,ONVt8~0p{I0Wykh, zԋ;rdЃgClE'!ĮF葆$$ePMl@EH'ئݦ_޿5BLuKVv|hpm>w=L|Az;c]CئV^~im[H[kc".qͭ~GXEZO`BIcr2S=}Hua6$sIg\c#k* IϿ{wc64+ZroGOQdңYwe@#4TaBJm SwQ EccT'^LwSjPb]Y{61D_ ~ڔ)딾vH~h-Ym+H;;'Wf_utب H>t2Y'U7{1>ѰnjT:Yo8ľE-yĀn@ O.mv\fYY7-[WK iAR%.fiE/_G[]OT'Kfpz J(. ľzETax01+n,m&l"K17PF:$aCxP{U6D2>h}lrtALp' 3wv|a1cscSmW:)TirlF9S@%hOELApjC|.u5e[UM.ߜ|XlQ6̄?F Mڥ5 KQ_ pr|mACwJSTLMURtm!Bi+~g6n#X50(N !/ZIt(°E) ^C S;2xfi m  en.jɈb̸iVWtDT:$yWeF]Y1D@cgeT"|XNʞOMz',IEi(Q;xC{CeqeDR&㰂$]t< qÇF'd5HC4[-u+6bĩ8fNt,#d锻9iw~ Fif*#'z0 iܮ} 㝕'҆TD=^oY.yM W$^H^g*V{ 0QMuCL*WԪ!QS<Ř9hda,io_ |!Msa}|Xȹ-aKۉ9?Dt`Ƴc8ME3 % ի8٧8G텻`$-6vӔ<д|˂/l5:{ e(QiM ZPntۧ+O?dRw w!3):>է4)$VpPS.lo2?>̤:xI[]"EB{=e舉W ρgeBi04qAvsd ѐ!Nq5:'zg~P"\)|^(4ML`#u!I :[g\OY.m^ޕlgk3wfP0 + dH}ld\狼@X28\_[ endstream endobj 1025 0 obj << /Length 2321 /Filter /FlateDecode >> stream xZmo'XD~jE PCkӎ[2$z zd])!3Uh>V'##d,y;C9 %AOk _{zmP8fJv2Q 3"k&yl[bK%㚦Ϯ#a"hMwrs"u”dms7sbeNE=iĄ%Y'b(`ZQ򰘑-ΘiWe|[m¤ly|#hsSS;XD`Yj`D$d,KDRҴJ8;3Q;h1zs2E .ہy;`}0њy)vc7aپ(s wHKXhS|uC𴭫Cjdm;xz9),띊N&1&1xt?A 8|4cP*Xdc0>q7MyDIT׮~ sN&DoYi,-?5vs;868 ۪06uЇAѾf' E)&{O}3@RTmY_&q~16ƣ6ϣЍvn7lF6MkbF+OC_ø0}r:k}& ѣ4dp8-T[@[]80 _NfNcLv( Y }-<_-%P8XFoY&e=2㍭"h)s{Y-SFŦWY3OyWSRz߁=YtYGi׳0s.H I2~ Я5@4@',:8%e@x GC^A)wÁ[ $)=l՟]x_c"/²QOE|;lvP P]ʍ&V*mm:fbcyr8ƘVC-m `"#bW Џ&{&E,_nՀue` 6)Ry!H\/h $"xǗbg_, uğg셉&'*z`4)7yWP IA~y|F!(v4C( Jz|\ %=,pݽL-]{z0|}& Wn1 Y[4?+fQdF!ݘ: דï#Cs|&=`tc^LTth?)L&@R29TqBk)Rse۹- a?t8@3N" L~yK#}%s^54j$pSA\Eij9 endstream endobj 1028 0 obj << /Length 1790 /Filter /FlateDecode >> stream xZo6B!b~[:E;toXf+Q?2Kn;L򣞝[ !yw{P!)Ɛ:Op:Fn L<ʟzg.Fn|VA&MlIc1p.WM6ϦPC=?Q=d)wlkaǑ޼H;+eD2BPK0^ŋnkG.^qčbwR>S(5QT 6> H漍B ˚"ϊ}' 1+6jvjɞOK*!r4 p!t>\Li8_3Fʐu=RG9RGIϜS%:/~do1l7.I$Jumo#<j;Fj jՠ3>I#X\y<|aID Qe]n]Z' ' > stream xZo6_aIjeiʌ#DniKrK<ݏ?60t ALֳ^:cn^*5`j`|j<ί[gÑ"?GR赽K[fv8*Rl~xJqLHP2@'0!`o_rȢ(,ƈQ‘HԯȧC`Y6JOVYZ6[&QBW1K&rL2wLJ"FL$p&zm:@L_Urv1j{lQV0t=v 6-@iV"ʂ8D:H<Ő'|j+"QZU @ae9X+ng>46Yk[F.pb*+~U D:HBf2KfؼZ,QosP [dPsN@)Gk"Tm~4Q0L @%ROEWE:?SUBM9T@=e 5w綪Z/IGDQU#AGrMA^-w:?+~-\~[Xbq^bC7Y `5OvL$# 㘒jpɓ.w{+pqOdM=훴!tjgj;> .'l'P\fT [_ 0\uSP</SPblA )aQjxTFD*aK8Tã l(5hi_/ga&0vE;LE{\ѢvHծVPR~VNT]Z_Kst$wo6?RO L6v {1EG7О!ScXSt@rqi!D1]%.~|akVh nʺ[s4ξC0jZV|o~8WoƓ7]kuplB1,"oDL> stream xZo6~_aI"?%ro[P`haX[L;Be;_;-Gv5N"ȃ)#>}: (TbzWo~y¸[#BP鶨d6:̮jBHID6AsVƉ-+1IlEܣ~)Ke}XH")-4o-\f9?mUeDq -uL1G,D֞22 ]W}վUTms˺*p;Îe@<H@3dv•fyp_ں=D%bY7V,>櫼}[jEAFM  _t{7cįNy:=g|=!bI~=ÑïT*9_ U&{ݎ A]bkw;q3[Yo {r~&Ք'Q䣸鱋^q:$TqЁ 6u;z9kp=t1Rb8l4=ͮJ,,*@cb9"gB^z6WMh-&mu˳WJ]<3 0+WC#=H a\( aʂnX!& i5K$*L;v''DWvX jfC Bxʨ8eYza̢<4hsZ14!JyVm8TCLtTo6| "sk]/&vU^#Ү<=ccܡggK%G= %bnO0r ݽ@lBvG1Iwur}ľL.Wޖl_}Aa9,ZڝϚ6?Ĺ"Sӝ}fMBΧŢO78nƻE C=-.͊OY8{Flx`>x@{Ѹ$)M;fǗxϢJ*RH|;mvso Wܺ9{uV%$!cş7wʴ(z*Ouo Дt \{) (BW@{A\)޾,i(2C=X]X}X]r>P,dZ cBMo }@_Q8T@"ٿ2 endstream endobj 1040 0 obj << /Length 3000 /Filter /FlateDecode >> stream xn_!%Tꋗ&ZCxm43C_؏OUWl:@aԙ?uʳ,=lh#x @\L0/o]gJTv=%u:{,١+1&Oֆb]4E 8 BsGWQb~)j|%V(cW?'&8yWsA`ctHPƅINI{9|w\tho$*{_PB[#]s̻ySvC'ȞCT"H^[~.:х֩lP!zm}M,Q*wu})JF"Jm{kvbnfzʠb=RW$ZX \I 25]fV vۂY1 <mm qU;Bc &AycTY~`K@|˗IY"4ۂbmlmFeKMwԱCŻJ8 T Kg 6܂xsr)Zk+b}&5¦f~:m'_5B]h qN>ƑlV :»zk#Ъڕy^N6BP, zEMف% -rϗ/HL~~us{ws+"p3fPp.cϛY a:JA#$PQ"|+0P -4Ʈ>2\h؋ :%89y >A~9DJK!/uvb^d(/n~VZt>iyaH8d?Y0a|SQa]ZcT 7@c[:J]TUEEMQMƓ,/r귏&\ߒ[n0 t40x{AA`T6' {v$[^ݰflrsUTJ4 tm%UuA6JvOcm"hHZ;[nJ5`^*Qg"p3uq> 5fb ϣcZ7EɊC GN8pWgjF wê\Fٔ}Kci+ عk9ݶ){PFGk/bfeIe[d46k*Aa r>~rehHIBJ-X+Qzf.NÉ9ΙEJ0 -f$B_(&js"IҴ=fԑQAp.{)f3ywh")!٧O7" F1Ɖ6zM{jzpq)DMG36GoYھ//$)O2m1?l̮#Fرp飙 \ы-YCn3`MYo MpJNm ꥡ(hґR"a}bu3=NmW5Cpͩʏ(+II}*Qy*V"Ǵ̭^ݽCS+ ?_2hXUJ=}%+ui(K^v0~Gwp!Ձ 3a?Y TMJ2# T_Kd $NIp}/G M#"}`ϤS+Ğ2Y|v־Ƙ TΝOYpWIx$ˡ0*]SeCOU:&ۗ^?'}lIf/%ªIX!INbI~8Vjl!Y5TE֣~*U5= <.f3՚i:'> |8e6gA"Djc=W(&wE|߅vF=+$c(,C$b @ C=UDOKhol ]K*]@b諟ƏӋ^lrb%*kY&ƅP̋CGerj~YR/_uh0aeZ4~.riW! N] Tʉrn׎lT%}tɿE endstream endobj 1045 0 obj << /Length 2036 /Filter /FlateDecode >> stream xYKsFWpK`he7uH%b! HB*="%=gbљg Dt^fǷ[b@ͫoH91ѱjktyݵE=_p#|!>./fvWW7(ؙ:!iT**՜Q[Y[+.I6CA:;hF}<smXىzfڇ+p~Zem*7tJK\|m/`,#8]PN&]Vv‰sl{(xY9:}W4Mq_l($.te$TDuMf\ GLRmQud2 Ra`-t.sJbi0N[:4YAgx^Є(7Ghܴ7^‡}E/^&Z1e=P>T)p:h^(-_?ی Nkk>yM9TޗƠoDJ`܁ -=NHIT@ufFP&;DŽ *Ǎ*4,O;1-۠GZ;%94E8 *'$R#D(޾ 4Pt-;zPdJ=oi^YW3Z;VUxXD1) N3}WlEf-%3 ɥ2~sxJ&<-R_iMaElK +AN(cmQ`KKN! GKB?,?j":g۽A8ߗ-.g5<&^} y,L XvTzVQnQ(LDLPiVhڑ,$eK~w>4ZO^CI䳍v\+K˫I76Ѯ=\WkiJ;kDҔh숪}|L4$Ww|)[5j_{,zq\MsWkKt/W Ҫ3g.:&5Q1sTBϬ1=B$KOiݑs^;]J)M鎅9@ X-"@ўڴA˕[ܛ!tǑRFlFd9IGo#!MD7ڗ"Giv nj}代)Ǽ *0ŝbeOŃKlۦ8U/BKY3wbР Te 4wCz bOmC:d XdF?U w*TYhE85WvQN]*4 Q4dy@7p _&nZ)݄&-В(&Xh#8'd[M^"W`5S4rf)cwEfob-X+9 wia2}gp:fN)I7rQmyڏQ?Aw endstream endobj 1048 0 obj << /Length 3026 /Filter /FlateDecode >> stream xZKsϯPDF "ܜͤj+PJTHjlO7$lL xtd~l%+-DI*vo[Q07n ȿܼJXgIV7[}~j-䟯Rr[(K62w+L@ i .ؓPdIw@8m+-Tcw<ܸQͤӊLX#io "xXV-٥&#xhr>LNx݇1 Ƴ\tU\ƶ)#:Tɽ״]tt:QTDzT"0:ӡvp,r/|0 lܕ{zNg)O f5hG=,.m^oQugұ9: A{:yfk˕G2eog%h}uD&?Ox"4!$$:N:وFUF5A`2,qIPVW!a뭵E΢ږ3hF׸͸yGXd͊ ] ӎݢ7\ByIi h|wa;}L!(Ap 33ܲbҕytrŕ۲?{j[Q#,΍:?^# |:C"AP,B tÇy0RvV5 >%}`Tqd wεP7 9҃Xoq۴N]aƝ o1RJ?Ёd)ef $UW\{<| !B‡%~JHLXT T|4lƔx @E&iu-Q<+_GrݡvsNKvw.=V So!hHOrYFF|4Z+ N1!qCS0{7ЅIvkY4akǶi#B`P!A%d[MIlÿ'>3 Fy>!SxS~n( b#$"5o,bľ W ym2pltf}Lt(mˎo(' S!8i=ۻ!AQN'ėx(v ݾ+˲zVf+קcݿ]/KR?r*@GDM L۱1`;c^2=*Zw!dK3UD(ntZ( 1Ɖ1T⢛V nf^t!YNPo8|(I(08)sfߕ;;FYf; 惴G8H+]2psO>zF-.uN# `ӟqO`B\rDW*;&ߖPR6ӨBPH Ĺl &K]Vr&;-9X v1ԫK ">l-KRxtL(F5hbҧbNr*FXXtv͈N忎yz lͨol=/v-r5 ,.Z_se_{iK`0}qP*BU: / 7w@0muU3A#Q'v"'n>Z\T}(%zέvCXB$0AkW{027|@k[s?lKWZs)((<3!<e< +Oypy K#fv1.dcDwQ HajFZ`hI *`aFؖ%g $ JW/Vp]Υ)#xc;;-R9 d֔KCZܫ@ؾ{$6|P.=0hb38 endstream endobj 1051 0 obj << /Length 1325 /Filter /FlateDecode >> stream xZm8t~["NjWEm8wo ,d!]Q1=~'6C_Y[Q[5ꭵc:?$MQīݶ/`e=6gn-[ZuSM?ƨ5)е`9#h,8$čNy! /O DwdB(G ;SC72p x0v0~!:ʆ4QV-t?ުtjE)Ak]-l-x'C9 0e&>Barbup k0iJ&0yAxJwk)Dn\FJSePcH_t=jƽ8 dq}Ʃ+QV2b"`__p w\T!! X'tH] wPl\ j"bL-mEoJ{7Fmٖ '2` ,T_ N)G/TM?:28C-d<0kft@ RϼY=ǜ8Ƽ6:o 2>FiDyWfT^re endstream endobj 1057 0 obj << /Length 1623 /Filter /FlateDecode >> stream xZ_o6ϧ?2KL2Rf r5 ].¸C{!fdvseu}ޮޚr3"<\Dͭ)MyLS*E$͇w7Rґ29GDqD}z?W,:wŜD_01R!3g0]Â"ʲBd4Yyaz"Eh33xh(o*[2`ޅd1x`iCʑbHĩń!"j-AL4,6XRL(ϫ !/Z#I椙mUʎ]%iˢ*AZoŌ$c^+꛵Q.}#)TE6& YpqA£"q9Y_h%kuH 6r9 GQ/$2w Z7$q|c?P`bɉǍQJ+* Y14x-:|y56|( g #QB3jW:B [rA!9"uXekFN2aBB<}Rz"Ϗf_ч/vCnF3klVւ}L>!3U Ff7K7m^xmW'}}tI8#Zϋ+5^zk;Pu7yJx:(KSv2/V"ly2vQ܅j(']0eO@Ou5UWfg(l ҶD |śW9_pߛP[8/XpE1EG f܉^ja'}['`jz",/X_XD{ X&`1.,q W!,, _jͣBR$OiM+Dd;Lʋv•\yFXqJԃ)]pB V^0]oALנ)]7Q&D7IE rueS`NnT< D'NO`ݔΔcSpEqro>[6f BlU?*Bw'|S4E¦8Xk޵)R48:+$ pu=Qw {JIDu 2_9-*oKPo 'z·vRy&Z>to'>cJ"klԛW)/90}Ɨ3&0Uho.Cc9aCտZPT_<>)cQ? endstream endobj 1060 0 obj << /Length 2181 /Filter /FlateDecode >> stream xYmoF_oGLƗá@:E$ a4ewfgV"eiPb3/E.rRE͂^B0_ /^iRX\ތ\/~η՝e?&zoo޶+e)sb/..S'R"0Y4i:ؿQQkζKYDru'wKG]s/Tjhkg@t9-MUZi:RN֢ qG|>q ȽiYk׳|UVFP"jfj(1-)ԇ,tvڀگlM8XwÞMRX^6\Tav{Pp )F>({bhect6|mCF5 T"xU -a0g(q0:`B`f;9wwMQ1 D*gېϘP\5g@-"GpR/2OG/v=}t4e ܼ5zYP z@=>v?c7!(!iTΈ<ǐEdcњj%$.%zhn MY2tl_Vy9O_5יLʲ R)Q&FgX$K|y"|TQ$1!a +zP߿=/ERL5=&$?:}5SF3͛2*7ejS]Uĝ'Jid.ySBS 7.4kY1c,cN0nj~,\ "toNN`dRMw /%2?hx0M!}`סn]qRD%1=j߯8,9E@y}O!ۜ^fC.S.lj>:B)ܽHY[`q #)&d`@BwjTV rLaUiNh)̈f " p{l:]" ʓhH)}sb Dh=j%H,xMO"|3=dt8+NF (-2}N wc&sOZuaρWnnI(8s˪D$܌]O2{Xͧ{po-QZ 3(P$h~w0"1I[?`3IMR.UBfGj0 仢~+,2 AWPQSL򝨧Q,e|rf[G<1J{pA91Tt |ᯢw ϦFMÛ:&^ endstream endobj 1064 0 obj << /Length 2251 /Filter /FlateDecode >> stream xY[s۸~T'B }rN6xm6%"$**VLs΅|LKbV Ζ3{}ݾl\v q~g>wM) )6_(xƔ&_BB^?pq}q&OU= #ŸT؇WHz|UE>G^ g8}ӧw~+ 6Ȟ:7UM$B6׊ż%S')&l6UuyX'OlE̤0_O:dBE"n6i^GK4y faD--x X#w#N?e+{@x;SUɽYw]@'YUC^E=nԟHuJtr'd>^iLkSuB]+>ys/wIqK|㿭 {\OɁ2@ ,\X]Ɗ.K&RŐ'6F;"1>}b nN%HM[S,pX2l(\)"n~ * z4k*v'crAȌsm7fq(B 8v$uiv1A=[חMa+U%ۘ>Ji~O%eD|lk5 t}+_8(z)RhXwq. `[Byxeowq.kiICIjGM҅p)؁axwp>֭37* ^ڵrrr*s9Ijkr u$H+=4d)$\u#tEɴ / geO^3/b0> PN_@υl|̈$ȼc'G$忖oo^]#pvɧBnd0-$8 H!p%ƴ/Rx&=6wfU ||t t& "ueiVc,aa&MYN֤Mիa ƓAgaLw68IK;lʧ}S`l}^zTnl،A![wE G(Fu.$v9Wqf)w?:7cp7Iwg͔ǂqqvSl}3CG|SptFe=E5</3IJ-u6i/ pTX! >CƭOڣLvEIq{S I qڊۛKAJ,ka-74b{6EfBuRAӼSC:r 6,Át%luǽ>œ~0TT@qmdL+CKFHb?< A(=wkZ=| kJְ NL>Dl⟮?xrII>B \oS0tw,f) P ^RȣNxHI\NΥ*;,X N``K='W4q^Va5dl4 צ~VjS5ua}r{د8J1Dso`%=#D[ +ǣ(s:J?"}(i eA4{ !rSib[8Io`M4Je70dJ]-A4i|j>EB.;L7Zme*AdԁOڪ"gV~QT5Ws endstream endobj 1067 0 obj << /Length 2582 /Filter /FlateDecode >> stream xZKoHW{voL3`N|$0heH Ij>MYR,7UU]"XHXn^Q[//Xw3yZ0Jzj.zn[]\ !"ϋ+)U]K{qHӋ7H)Ώ>/4ƴܯ`?Y&$Ͷ`O3TDL2*m5CP-sT4RNy8:io92lJv13RP Qa2jnZzˆ8 ܌J0M(F!J6IUغN- JԬX$Iٔ87Qc?7XTAr#uYMVLnjCKV܇\_+S`F*H,^hƆÑ11̅@k&+]˴ۦKwJ3Hdg]g#!8Ձ4_lzl<|i[t>7]d3)\bqNS#Nrl!C4ɹ2gݦ {Dqpz"s#}x>XC:20P3y XAiLÒ,I'ӱ?1:'%SECfIL'Sɔ9u j $.:.V0Lx37 BNx'DXi{Vc}ƀ,@pS& ;9aqҫ.1#UFq!kWAö؃`ҥ8z|r;(mf&p32n]( r5i|XO1ՓQue-ѩ*I3 DIo4$P>r㐂4A%5D8 (BG0q]\fp OM>ʻ܇IE'tc]|'6B| =1:qNs? ȃthxyi1 y8O8[";y&m^voYr$3`>$=&oWc'wM.m<O 34KX |τLw l"[ؤ a,yͬyorݾ WZѶ*}\Z>))wB%4a}5T^ɂ 3V+B< ȔDf8; "ugi!5QDCژhք 쨤M[601j\Tf@bY3N^r Woť:==/Ջ/ !$*9Qc`y߸j?FҐU.7۝4>e=s-ssFbs4% >|7Z=~RH`7K*NM[ !ym]FIt<>K*PE _t*DŪF!x{шag \#RΚM9{Ox̲g7 VPy gDm#88$$zf9m[Z{hK=H4cI| rS2ba`cp+ D&ѿT,,͓Qwg>$HJ9^ДPu@5m148<@'×]U~~CCAQr֙.|S܄}y͕]<]c$B{AG!3~{ |p'I+;2`A-DʞTaXjS9"sT1%?٩]Y}y/|7 8' +?BPk#)[ݹ%D];Xc$該ͮ*aWV8t)v޳~"_nxlv6u7S=f3jd(@~`ә~iڪ$m/K/ endstream endobj 1071 0 obj << /Length 2283 /Filter /FlateDecode >> stream xZYo~DNG; =630hӔBRTu7)όEu7]U_4Qc3GgF⤝-_ga?X[G_Wj(qԱ]]fn/|!J~*+|7*l+2!PϘ Bi+ 2%$p @7-}K ̶y9,ޥp@/I9'Nֻ7r-A ɤnݲw3ƈS 4a-*,ooҬfހZms=Oa-_bm*l,H8<.IRm ct\{NTAH XDKK -E"UֲN(bM+S~ \"Җͧ)Mx%/&Ol,h Du-lRq ՜A`X@bFI0PHv+%G‚Vȏ|u`uڅpT)nX,_0N789Ja3ESB0azׂ-7eaiNhmqD'C>6e$ 4`7Bםu诔rYgvh* 'Zu Oyz6X97 (|.ڤUmRMFd{Hs`Rn3yhPP{~B`Q1 )n!zÈlP\!-8] {A8>1x> hÐ'jGԹF8$8=r_ŗ0SàN(7}0 J0Fg~!m!^pvbǬɄ8j)z|E*7eBs" 8^9˥c'S 5> $8M3)v.Ф7EVރNl 7ZPpѷ܆h?I%3_18jTb-7Pk!CSrÐ&V9=Ii1ges1W7E*HA9u)X\րѴUrj@b $7[0,}d}ب]' /Sr^ x; %/hSJсocyxzy8 T8ƒR" Q-J=giUUOHp endstream endobj 1074 0 obj << /Length 2965 /Filter /FlateDecode >> stream xZ[oF~ϯ[5xY,Hp7{i hE*$A&ӱ ,p̹}Z.|_ZDţzI7oW]= ؏vzwMmV/WZky2z۬4[TBj^^[YN g>! a4\RWH{2m\J7^ RZ/tDo*_/aCUu5REp~^ﲦI6/ _n_}f2*7kb%jhh!-Omv7(mgđTM:svnQEM=&TۣuG=e] QJ~gPPaoB\K#yWMP0 6 'X02PS yS͞>9Zi}#M{~: >I3I7+F" IWȄm uYz&Cqථv\%9Hb8dO+s)_D}pJ2 INv <{ߝPy"˕f^?<#+_OIQc2Jz~l o6ٸj24oz uF:' b;o2լ>m(Td#.b M<gGD"/m%uhmREށ &!)x*؜p`u;1) q_Y=j-.k#ăr5$>XDK5_ R_gObMx 櫧0DBGGCONN&'b̯E_o@tH;G1%N_n0::3?v:>:t'9Ρ:H6ʑ]i@>Nޱī-UxBO~BS 41. k{P%RNcBr5-.1D1+@v+38 2_^rҐ}Z>w@M1NXa'Y' ܄W_όdD"moPSFi1H Z~V9-|qNҝxsq CpzD0m'Xkzg0i!04c1ϺZ%ozwyQx䟼\䄻xB|.sݎ}*V0˛d  mwCwrd}J$PP#05$.1˥ 2wхt3fK[ nx~P*(!q7Qs5VٯH A# sXI>Cj~ Xx4YC9s̕|bO2E(QDEiRW[ps|K?pbJCk`sju[fs$ָILJ/9%_S0])풷$Ÿ 7Vy3Ë Cx`U՜%-&eYvV6ڭ:°w0\P^"JK rҕD&&sSGo&7<~8*yi&ЫU#[CF:ݺSB* f́$ A@?tG Epd[;#󆨗OU:?cJGrJtWf6񅎻շI98{cq0qrW4DWGn0]F/.u1?`t~9O:[Ap1uhܡvZt uG#mTH x5 +ӶB缣0t*yBҶ;h4x=h˓lw=wc ϘFjt: S%P[&# :qM|o\#JΈɑl\D>fRR~W.I,̇jLӋ&G:¢4v`DCJSpǏP\$Sdc=!p.6͙@?Zva<@WT8, StWO-Kʦy$a3N"7/0>.k'6{N3}6+Ԗ1SN'Tg>҉]14:HӦ!vn/T)0diNjcׯxozê8-kCǗ 9?65LVVDԮ8"a8zmGe!nFEMU8s旉ɮrCH mOU7pImǑsNHot&h}H=4N> VEQ9u*ҹ r wvMp|! c&,FOa<`Hw؉yF#/r;ukR(d0 l ct>tݷ5a34Mi@!!> =鵰gu\d2ǑPP غo8ϢXwe1ne&/^:VݕP!Ɲ-|5˔*&Jv.u>ZyJUTz1RV?a]n*UGc 7F!3/M f7$q?\"tezTpNP:SAUw閏m涃8 إ|`u|ƝlCh\jx7axw-|=o7]ߊ)a.NαKX>{Cǟv}ys1.g }p1:~b }??//'gqY]c1tSvILbSXTW]<5 endstream endobj 1078 0 obj << /Length 2053 /Filter /FlateDecode >> stream xZ[o~GnN97ΰo*`>4 4+%$W{ΜUR p8<9,_Ehed*r͊?|u!, G+ziKwcRՏmzlzJ)u~wyYE"b.{VZ W> 2iWUKExQMka'+YBi黈x͛^\n_5a&,K5}v}- Tp(|Oz?W ',EXkt$VLnqY!r+V h띾BhfN1b&<}3kptV)y3ݭ [dLQ%v)ӂ `'b'1 =o^!Y1PYICY3ֶݩ\ ]ǺmNWqEnq曘<nf*7PA٠ho[h de佝Vqo'N xۼn:h[0eNoir†)ҸRA8h D{ f&/:rK(A4$ xSȧ %s[G@>u#>^2 $Gqg?1Y$~Y33%"J 4@0t] rEI ?T9sB`-MGrҖqCA騷FV}ܺ] e3t>evMd E&?Mކ }xMLܴySQb0/)N3v=N(+\h(OO<필TC1%F%d3͓V\C1wf4o7g^[߂p 9 W[g2o+NOT/a20b/!]cIg{<-%rd 7-"[Y&+ ̠œ [C>* )`шIOt pVXLK㟼fL1='(# + OEڍX#A=cf׽jw 7ڱQw /g2Sʢ-=ܘA1f5>HAPx-hC8EX_!*wJ"qf4f_TRM3M/]j@ HVfq3xJ : @߿bJ9 (xYBrnMjf| !"H?%԰޴KD$+;t交rτVh:~lpMs\Z8zJgK6mg`XL"<{"K',t۴J>:{zXb=䂮sK*S2fU:Opdqö!Gă]]3X6f𥝝_%yҹC,eC'<։lH4<Ӣ SL3> yA:0=sIFglu~tp-uȐv|VRQv4Lәf:$+Ax:Ղ-T@aA0,Ӛ:8TC5>D|BVFLvӓIwki]Ep6vzss[\3vxw@ 3?5C JNo96^} $)w*ŸxcH8ː~?\ƅ!T Ċ/?^sATH% D oZہB;, b;J i)v@{tsWѰu_6=:=^NQ31@:ƍDb+& D0{w:,Gldvu'TB^o@_W|w6qv1M!ǁCڸW8p?È=՞?p[d"vɩWxa:g %wB"ݹ5Rf*KpN$-:iqs^We$ endstream endobj 1081 0 obj << /Length 2639 /Filter /FlateDecode >> stream xZo_RhoIE_{ -\`m(I٥H:.=L.gwkg~;#1'f)JT'w޿y&<=.}ژ,婘]\>Dgl| M>ZLel"/HDS 8p噲fBibJ3X]s\Dg? NVZ Yh*/{kxl9 *ouq &Q1L0&$X44)&Q^ZTmմ~ۊnMQf5ۉ},aZ4z$wvf -F]%6*eY\l f%U[~H)}pY|B|B$%" #4!Pˎxu #SF]+1޵Α]cz:074u i\',vkw~ $bޑHFdepB '|·xVU^h8zh #ܺ_H5 X6o2f9&7Ͷ2&Oǽ3i$ 8 eon=]I@7X@Kgv]Xf4IcMthsL$R)B%,62C*ˇr 8FNf.y{s' 3^sG.t^xiR8;X9·Mq]n/S 0 &U< t1d\=rRh\ˌB yȀS\'V§Wg"CN3gf•7̂+7mgXr.faxxajϫvlDpIc%mܒJ cqFL<8$9 -¼ͮfW_.j*ahˇ(,0,?qӒ+2PF/WCz(Qt];>ևQS#sUq7O;dH HZbӾ}\  bG' b:&0uݶi纻{$>m"H;t#7|j+JZaz~ %G^ Tg#o&be99c  dne2mqb]ÙմՑ5Ju-I2nuͤ^KAxE&W/5߁ݕ`p~T qk@plY3s9%}Zb5W46eմUu?"T[8aJa?nvGQd.sIK\D7vɻЛA){rvdNjHy&aÎh&tRO5! CPpX;tBV2MH 0{h};Ŵ2ʫUC{8a :ģa;qv~ݷ`^Av'DQR3=E3ke A"S9BLNXuJ7"8ҥ5v`a@ȓޛB|ŲcoW Ԋ^E<1'v=3 45ܽ @Pz>_A| | # 2sj(0$,aO}gK,G>EWWciS_6uTMU=+`g-Fjś;U¹: !;@R9v)(H֜ߌ(s{߷cB^~ʋrT娧2`+ɤsQ|pM"eIOuk]001W[@;9 L`bY/Te7+wcux}ф`&y7NS?=K  9q{2x9m ͧpR=*&)@ j)@/8GϐC$`;StL,]Dh{$NV| E/z`s^ڛF}*C-]3:J/WD[%JZ2a~Fڴ_1H < F`r8<(XśzAw@8# U^F\r^ͦN0ı-@9cP..6YPaKG>[GֽؐwD]<1.-exr0ޠ5EE|^\k^ƇX…YacnCcY3x?j?i"W֏W9O/ws"p|pS SpJ _=wLoʁ~ZED ?)͛Clch9u rO]Se~2 Csh ;L8! ل$H~#u}b Lڌ6,eܷ*r*k}/NLMd=kWB`ƿF"Ŧ *f5 nKMlw2\Ǧ,]'W1\ endstream endobj 1084 0 obj << /Length 2256 /Filter /FlateDecode >> stream xZK6Q^M-Ig2tc;46--;[TQiwCSRXW(HsN aFEݭG8 t Pts/RhN.Mv`׭y&>!ծLLۛ_/^lEINS(e؈rVA)e\R 2A(Hx}ɫH 'I^~S:ņ)ji[0; B h8n ,ɩLa*pmXBez5f&{,gЙ1V57MY't&)_r.b2e䔵k<$؅Dw 1|G+b&PTR$W7ˢ39tmm&ѳuxi tW|Lv*WV3|tMc x Ӽc݇[@.Qob8B88 B_X)R N + <@/M3AC:|00a[;nc ]#R+ Z$ڧdKþ{bPNu1 iE1Aбu<uX/[?=?j!Pnϣ^68W(IB"}؀Xdim0QJ )YÛޏ%̚~ڱRyrh~e\ V JuAYA.  J]ZNahE*P[*NmS<,nzj{\ݙ⦬Zs~F} Z ZUIpâKQ2 㓊upRvf[{ʤNYaO˃H4==fM{}ɚzXMxgKL?59lsW97srxNc~\-כyЁx.fjfz i0N)M->nɎ %,4ڃ0A~j~$ ;Thap &zǔDz5(Sʩ 0XΠnsje}=1Хm@3'tߤ]0`"qeX*J{pvStw=\;NzŦ@_Ż2._|_&YC"Cj)'gdvdaQ}\ߨ?<3s3Ϲ\v[8l}H} R ~^zŎ RQ>c0  fSnN |eUZ@"vg\HJmwG*9'8PDP~UVO W=:D̋^nJ> LX1wS|t1 p;(Xwߗɏjn?귿) %u+2y\5F;:`9AW?~_6E?l}T֏zeW$uH = 1$}ŲE%QwT(3DV Yv2YJ$]pd]3HLc٠?:`aͬs"# <|U/{`k=MhW5{l> l=sTT*U#9C~&KZC2"CNƦk^Tty衘&E`}&)U3Yh~ntAʰ\C{7o (#NdWXO%"@&+xK-t P=;*<;o1-I#IS:RjQ N-\4qow' RgQq1. '}jA+X~A?C2-Ҹ RC9dkzCY$ J1LGa s=3(6~=6))?]H۴3(a۶.~<<ޗx&|.盨]")~$ݍcuiưa;͔*J}cT1CMD,-aI6V9a} endstream endobj 1087 0 obj << /Length 3328 /Filter /FlateDecode >> stream xڭZ[ܶ~h#Rԭ- lܸv8}r@;6dgun&@aÛxs&?z4Tn"nÍ|ef+~8Pa7׷cqߗvEQ`Y۲+}ݙܤq$۟Tl̅m$([ɕuEG-os5]\2ޜb/9V$* \`AiWW Lke7<]x%uD'r8Qlt6[8lJJ*4χ, O[)+׳嗋I$p{SkXel}j^an0 W6| Xo~|5p+=/`(-8?4_%s]]QOd?;6%&g,4 m s@rF5gUt]x )zmUd#ȀLjU MLmt@`Mzͭ7tpCłdl&_&4f@"8 L/67+@i}Fф*H{AeI-%)5ڦbhىxM0X);ʂ}LfrἚ mP}/j@ kܗbbR!AOޒOK@aLmP8C-Լ αd}@Ӽ^O.2`,񑍦/ |Ql2>>] /T0pjIǦ݂w\# #k ,3 KEBF$# $!UY\3b;׈k_Q HXJG[v0k Hy .OpuJpYʓI{{vQh@p;ܾtթ*:#~EaGu'ςG,_D򺳀o$;90 aweOydʏ6C@+?//5zebA:SL/E)'Ձp.2 lN 1*DRg5FQI1Ԏ{O)"}MNGB]1Idbp7-V$zQhgk2ZKB*7 Q_8p.W ]g[YDG ^hQ#} >ph=C*n~W٬'#c^v+q45SttͨC3W=Y 6ҧ[ظzlNd5p$2v9 h-$-$q2&jIC1I#JB}f,^望U't=AxޟDX9d؍Qw ]ۋ$" !Y[NvPa'r-[QG< jvY9Y`/'V`]/-̢lF]vQYiY  Wpa46~􊒣#uSGSt(!-/%mňjtI"wgM :b26ʬV?:oH&5܃*~&Ue?_Ē OieCtEDS؂3aD`yjq]ۿ3g73!)~Kba a`nsGwpXZaznXG|mH =06Xrϖ{"%39P.P$C&f^^t7U|ʫ&dr$N LlR)}|Vs^Y# + W)QXďgN3^G37~"x*5+&Ʉ endstream endobj 989 0 obj << /Type /ObjStm /N 100 /First 946 /Length 1734 /Filter /FlateDecode >> stream xZn7}W1}9dH%@h(\YM:ZÒ{$Үy4K93s%GL)x b9ŁNǷ7yƜS`b{#ɍbvF'1cS")>*ql JsL,I26ǐLu[Ecy#Q-fT'[/(XRJn Q=YLGb&\لU7b$ɄuB@ nEOl8 :3XET$u(8GԹ些lӉ\&r[XEaaQHA{&Ɯ$'7"f£>\ǙDzlHL2_ZtRI`XE)ÂUBW9=}8ʼnZ A[0*@UdR2AIEPATA)U$}VL&REAA%!N2xssΩ(Ru5,>#P5 2 v'ѨosiaAFPڱzwC]A/|ͨy~ю&s4ϟpnnFRA'8~=5{:gnd..ƓYMuIμҁhBGs|7[mԼS{ogtqvv  a{Y37UcpɸN%obà d ʃiJ-KOxP6|V]jO-6{,N+¯ Y&f\S6jOӿG͓drcX۔""<[a<58{/Rz ,ZzXB@[Nv1e-)O(:JCHu;Ŋ˷#[B1S4^)t {6譨}NN}ۊ5e~H`/=aw/ }ҟ840zSL Lr*uQuQ@4m`3ZܞlDu6;''';vogotb"]c\to߳^!ZxR;DOa Ɣ%;g7^G8tKGfO2| ﬥ#dx 6tMh$ Hn+ 8<4v.T鈥< 6t$\/ L^:SDq*H endstream endobj 1091 0 obj << /Length 1088 /Filter /FlateDecode >> stream xYnF+r:Gw$.` j5XA_;$E*EʕDh)Μ8sј~H`pC YmvHea԰mr[!VY1<f1_G"6Ď"jTOƓJPO_Ni0xU9%5G)"xL_5'\z3:<.De݊a "Zm| }r>d.{Lܧj AFGLHDD V q2]4qOUAD DVoGĥ ++̿Vl1n].JBT?]QN*TzXwxNA hi~yMF1 z 坛wAHjW> stream xYMo8W(/*.EmP4>[Bc)mv}dK,+hECj73|||Vx{!cHsŋ\7  ZNO~+G0Xoz^jz}OѝIIsL"dPMCK52lFaCVuRRqDwIq$AbBa;]k*d=S0! h> stream xYmoܸ_ޗʀW'R^ڢ@:}@$]zWJړ8FI+']"@gÙg::ˣ4dgYDv}ƃ7/)[bg߿LEa~*vu6޵816x];_\6H{vu;Z?&<1*g*#JJ2ذQ&F`}:>N$N@.΂Kgy':Aƅp.ƏO%0Dr١ClPO庮X;QP_.lj/V܊c_:vŖI۔BDײbr]z7p csDe(ثB/![54r-R`WA%i;lTʢemپᙗ/xtOݸ%{&4p4| /D) JtOr*7\A!@ݵeU??09B:< lND ;r?5X{L+u5rg E[orcD'<({^ėwx/!tAIM!o~xmJLJ39QͥܰI: A!|p|pY"6IA"YbPtȒ pKHbAn7<[GJȂb  43ܕ0+TcēQ嬚=*kmv#VtXMT6wlcU0ԃ_9%#Ԁbm\ {Km {}d3-fو><(kW3rnHݲw8R^r^c#LV(#o, O|v7*^*бP{DN[L/Q*y , Z0KJŌ:ȤOXYlFKmvU.AN'g6SQpPUA8*(W=y* = 1 G$6( &XS\ٗݾ`|=3ndr3%w2h31ؘȰphCks(z޺7H7ZsLWU_?bڎMr8N0qh6&],v Ab!$@Kx~~j juERp9$L k' xHr")(Pw>РEk۳-Im0`f8SAr- Fx>c1/{:#{jH 8*KJapGF#91uDO-_ڏLB;fP[3}$y{@ߺzMY D¼;aB̓pζ% ͼ %}I]s3sq^CiNHPcmL!ůM >WL6Z89 3(NT`P=`pfj$Hg_ _+aD @:xf38B.Xpw 3FjAoJpF!^;eo; {`/ㅘZ~&6~1#n ,_H`p4L< 87Ab&K,J Uـ/'bT_efU3H53,@ JA`ӶN^VN`mrg<eGMj* ] T}[ B.?ulpK%~ Юrõ+"Gy.P wST~72>Fpw\ݟKS"eMOZ'd>R'H}zv։.&ixAe'ߕj4̑;{%qⳅ_voU2˲ 7iM'Lči r$4yYX t6iuxe2] O=U }k? ׄdmhIZHo)zyusk&o0ލzqٶ _ d endstream endobj 1102 0 obj << /Length 1417 /Filter /FlateDecode >> stream xZKs6WHu"xqLIFCS͉D$]pI)Yzt| X~KAt`A91BIXl}}BFɏАx^j< Nkgs#!dlaG̰HQ80l%sO;6%"F\ޝYlt>x0M (%FJ槍y!돟OxrzVGDF*qʢej HEiziK;x1.9`3#c0J{kaT\ QQWd?O{G(z4(49t1lEAU TTBhCWC̓e4@6EFt:c)"N8M>¶j >aAK+HHP ڳ)5I/Ƞ`啌\Ѭ%WYjhDU۳ze+¢e$3Ӳ?ue>hG$<->G$|P YvöED2@k3uBP!2]Pض (t]X0*fK9&5;H͢T%YPBm2^"`̭_` 2߾խr46$Qt-rO> ff!4K Λ?UQNgNgyσ0m.j,*iz;Qfu|ڔS;qQ،G|O}\&5:R¾'p N$bGe5p_1jEG:8)Xϋ P.K;VE$z –e|i=*xlLIT/|yq@ߎ&מ bf 7U? z[Jbi36oWi=m %k6-J"D>ƯoqurT=hJ9s&~1pj*x| X|z|?FsX)l/MNV= !t=G w$|u k+P?gpwM)۬(ʿpU$,]Z7sl zP-\;2[Yv{žϐawow^^P(IUwqu!NQ73*-:ࣂ4,u GEiHQAx(>fuҏ0`neUH`qa; j7<4UE޼҅纺fx ?MvxƝ弇 ϐfl|S}=?)VݻW1zY<&F) endstream endobj 1107 0 obj << /Length 2059 /Filter /FlateDecode >> stream xYKo8W(/*/IdXMEEm(2 eÒ~gHJ*M@ᐜ|b؄h:Ʉ ZIzD-u{9q>b/ƸlEL%j6]'oEiv !"dKDٚͅ0Әk%QƦf=:uG%S&P2l*IN7/JDhu5e;ƈN cJ\L*/tz6//Mݸ)ɘ"R ҄K2vW4͟W3 O8Q\Leը3+$(L8y)Yw㪋μXpM GSٷ2 .pI2,b,x'pvH-WSi}6/WGt 5)O5)Wq3bi,L]nDf*ޖMY]kXW& x2EwdgZD#vnahI3؁m -(ݘU]8Hvݬ68d>+s8u,^|G8s3U\~7@4fq͔U5+E[}P5Y47u-ϭii\+{>Zހa4ʗ;O/kG^j 9"_.yteʉmx: wHHu!Q=@YE,o\޲fā t(Vpu$:GXI"١kLJ޳s gpK)om 9bNJ,"Wd,z;¬cGľٴyrПtTG/׊R&?_zh_r( z|$#ev(7P;qJI,Ch7S]9wƖ2,M-zhe#8ZkJx \[$e ( {2:N>e Rd.&n]h^|ygti'aeؘƤ7HU &Dx=La6eC e" s-D[F7t$9˗jw RP~"wLAY4ͦ~rtT]-7Teݐr(ɇ0=XqzG(19}E0d3Z"eæ*SUtB=:ho]@!@k5r&h#UJ!g [)a[֋ee3YJh ~x@Sǁ@of7&xRCͿs!'?cNʡϚI![r^k ,,3 Iz\%s+G09I2~O4{*6AG 6z[rՁ~H7}M`Y]A\|(b/_U, {Zw<-}iu"jh7ǽDt ScfٹujRBϥn)^,baC_.+d]Ve[Htŋ$o}079,]|'_åNmwxn]KPҴ诒(ilP& gE4ܯg-h_|de̯* _{e\-cEL endstream endobj 1113 0 obj << /Length 2483 /Filter /FlateDecode >> stream xYoH~_1çL [qVٽK_0qUu Lٻ]+0MU]W_7r?EL(š]ͯ?=o ?^>;}eB"3uY.Gg|d'Kcl TJl??;LY|)cV.\jԆ<{OTuK]}DW`Rd*a- ۨˋҷ:UXXg.'ٿ^9sOW}>gL"],ކ.WV{Z|'*ΖPCY{N?RZ!IcuhW]єѱ$<>o0r>z IC>63b2 M`;xS rbFBxUwz&p)C&vҫ]&MaEbb!̜КP7R_U]uUX)G1pp=!Ʈl[i"p(T/__Yxrj n[束]eT589fU77)6˦][͍ tvq XpsT@6{2NM!;ük_R0)r4L]u7dƆ0]Mt+&U'K"7 NAd9YNdtƙ yk5U PyI`AZaXlA d)1*ʩ"oA-)ܣf. c+7Đ0 Md*|0Dd:SHK9VU'PNm9ZP](钨1k[ U1Is&0b'?PuSC%UPh2* %+[;Ԓ{weY?H۹jLw8MT(~1_IhyL ՛;(=3rpﶩ;tW4`iw_Mh,)`i_@Y0 ףnrmBà̞x>IesN. $<$'ŹI#eޘZnz\a }Lz|>`yï$7l}6-VxxC| a-z2<*=ؽ.(mm=̼MeŽEm/*uC 78"8a=*j|bmw KdE7K.Z].b)EMa~4Ur$ L1cAi)7#u~vr rȕŐ/.@dy@` usl̤D lhb8 2⏜~M6!#1a\Q&G@€5$@M oI vkUY $7 w5&N5Pe@qL#͘_1؄Kg$&lm2Ϸ7QMG|R s=" v}ftdtNg߯T2j>/4@z Ɲ<9 8a܎ǧ\ݤ0@{(',R} &w) B76I<=_xx/Lf=r^A㫮۶?x؊nsz~(1&ʶ-GP2JM tk`]^[?p*֥3Iz_NySajyB[m -D( AXƬ7~wMصqʯ]|n~o|TH4$}i endstream endobj 1116 0 obj << /Length 2724 /Filter /FlateDecode >> stream xYݏ۸_aK f/:r%͵M&֦mae'P_^m6ע!9C4)Yl{{jQOx.ouf 96jmC#Y/==-U%:Z3n@5%??(k0#k,L!9V<0dte9tXD/ѐkyn-< -+V:0MZ\k/-;6.k%l莐.Cn<ʖzKl~) '7 ڌ]C`NR7vJ4l[Mq’.(9RɣR1*j%%Byw*߸y?:CF:Eۦʖ>!ad( ~ӟv}i4xe8zdz˫7<WYݩ3q^ʰ*a 3w U2. xagՀʐɑy_ !MB4@} !KϨW4zpWUtIe|x*8!3FbR%8eip8@S"3IO8S&P&Sze=;L,)bŔ@]q<$TV&P].7 N=z4ɽI9/gQYvkXFs7p<۞n*_ĹP0^(cFV4IL=?$~<h&"X\(yM݄;gTVuVquE+eI_cw?L) k,`Q/Ce P31"H F.M`w8VpX CaAwBRIZRX5Te"WԆиeCM;KW5m_-zj*nBy:B6h{XZҎ*D( `G&^߾ݟOA_^%^vZM 67 76ǒMD=xŪ-=+hMo#DE 5eQӦ\ݺ"@СvU95 o12\n}%l!36P`S#Yo2G&.we.3 ;Ľ;a'XqQNO:;zh v$EYyr, 0dʿ)*D'enxl" rhwQw.:.aIff?M vP;+i$/(^Gm/ eRb#0#ڴ؈`0"!)Uـs'Á%: ܁,~ʧ<O_l%'Y W2XrfD21!7֤SRJ)ɤ]"B61`UvZtU;|.[=<|AE0mO2S5|K݋׿b#, ,Z#<y&rxjIGOiNYyX⟈Qޘ{WöL4HDXW휌]f3(r 9]a` cd5V؁c/Ͱ)\TlP&W:"|Ssz}ε8ߴ`Y{[?# -ߐ9/ lI_큛~IR{t&.tg| 02f7`qoy}i1gvC׽_{ьCw~g+-{$cG1xuo$N iðty7vi izE֣=dU{c s‚<4\Z_\:AdMZ& u o:Uj`kMMܿ!D|2'(y_o9(R*Bh= (!LB jeӪ)0_#! lZ44oR;zV:Va)K| * >\bM>8oA= .lR(=0 7"TmL0 N-R—LXX4稁h_AE!qBJxYT14pY=t(L*st ΅P:;@ꓰ9kw/z d endstream endobj 1119 0 obj << /Length 2884 /Filter /FlateDecode >> stream xڽZn9}W؇`ēlf3&~FGjYȒ[E/)KX,!&щ8i'gדPxg,A٨g?Rj(qԱr,r1y?=_mŸ́SLJ5}[.˺˳wܨg.e?DV3V&dP3+ͼ36@=a88 G0ZjX^_n"t-ۛPˋo$ћ[ں}6mfl ^Tpo~yEBrU ϸRvzV~~>fZpPU5 KGwUn ;QiU*NeJ^~;̳ 2[2 `z.tCUwz%1$gMw7q@[P{oc\|{skM,/F-c<ܳԘ &ʁQ ]8/7M>J跙P.)%̤ ,(aٟ1,`Hͭ u7S簨FhPpN(OfܾԢ9 ))TqenqD9.LCp[lQ6U]ZuǺmk 1Li].sW Ý>,Ü>Lt a6JX0YаsUqH8K<4jTo}:,Q 'MUѫv"@`z~y[ -i)tG r1RI;6lCdVioąqWfcw2vfwŇ"f/N%joMΒ6u"νmfpR!r$~ceʸ",+Q[fuЃ:s*:U\{c)p$;R}f^w3X(FT2S1sJF43G4,祴PXpwHJ7P-T?Z# NV)K ݶj„>BLHLwl9׀=L3&)|Y]>#*XU͞  L- F CHIn%=Dsf36$zY#՝1~u U*ۮOOP(56J\Y{%r&m&qsqF3c$WU9$fTw^CK\O^~$a=(y839~@:q4w64յ4W5*؁)8.#:M;ֹR/=^CF Iùb[`X*20ˑmHǯç ?:B)`-6P4 ?#S=Ž-1#YC{D媓<ʪF#yn+y*G̥1̈'pd P`cWSe3Fʀ<~*sHʉ@hE8|$q(Sf:3d,1Wߎ!iPnv8)!xf!c|#( +4fzQԺ(0PύaUta!};t8ܙSPc(5Խ<#Gx2^y&jmg*6䋈& ?uv!l@x2$,ze˧Qq:`(Ҥ)ξ@%y%@wc];.@ @C,4ҵWy;:<Ժcmh k&WQZu9oaID0o8d$?S%Uxx8Cr>VTK=PaD^ i︤ |IWi^jGd{Rix;"6x;C4 8'ump_ x ~,N!{kxO@۞Z0tcJ.RwXFmFcP z J1L89'<6q(PY ZBLvOwbQ&^׸&-3P.V-sҏ$벉3, mk{ɦVX6෿B|7(e~l-t7|+- E4Put(W6ؕ}Srp' o6 lqd+A6."^Gn518ц'A'}l|1jŨjtK"ޛl+䷇l61"R%1mdL7 8u{xew֙g8Fd Lc8:(k7Ë.E:,k!)C3[KyLoE9 rt'< AXpMU ) G_u.7p=H)t.w{UW1N_E( endstream endobj 1124 0 obj << /Length 1788 /Filter /FlateDecode >> stream xZn8}Wmb;Y,Hmno-Ŧm!Jr"r֛h5 3g(?4"T4Kl5=L$OrTddϳecQB)٣QߚL16h"y,?O:S-}9H)JP aʼS D6?ȎR/'OIr`DT89>:hwNM)CJ(!q)wOGƫbe1SD#9;sT˳ɔ/i=ςYT"u}! FZ:ǜ6A쉁#rtaY3R)㲨?\E(Z!$ =\Hi"zYa&JJ;WsH^Hn)E6[4_ ٺ_Q1BĶ u`2@|͋pn&u3ٽK,;(7E HU|0q(ZOL&h}%~CqʝYW?CFBMEVSL$H"? WQ΋W̍O)CҺRV!LBvW|Bu5I}3~!q5Pl{ O+BX[t!&,=T!(dpS nDmѳ1]pMj 1wZ`B'PD e$.Wr1Z7U5DT #X^[Ul3 ˭W!~/ d__YN/P.{qcy>JbHINȭhF&?;"ec^d^xG^}Eh6b*g^ Tm(t!e-d/5O_^ IJ߂l/f^QA'b #jU|w ]bw[.؏]ڽѮx̻v>.9.^yYM_yA2Bw^w^|nŽ8&_^;p^;{T{/Ec NNR^w@׎{ݎ{ 2/KhuxA /lQ(졵 4 eu̳ / svbVV64ZE21Ki<1ʗ.ݲ+Axr3˪\㘪]qV3pʋVSMVuedaYC zUϲ-ڶ~L#ވ:%ޮxJjX.&wk=?Ҹ=ʠ ԍ|?΁#S#.lax5 gYh]<6WƣX-M(Cu$i^%(0@M2VP_`jK5IbVEc4YV@P+TV}" r1 h?zefa~s_[i(IV!#iKMJ ixq P3F\AW-\AjOy1%0ҧ;p?yXh>8pj݃|cJFӃFRقc&qf hqh$cE.t60 s5/ypBܢ˕_+VB]=$뿕M endstream endobj 1127 0 obj << /Length 2917 /Filter /FlateDecode >> stream xZKs8WHoEI`of&2)-+!d_?h{A 6AU ?r*9eW6+<[d受/~x̥.o.O+2QX+ߊ)b-ty尕LpLvy,\VLr ؤc[li~q oMWv΄J.wpZi>l+^¥N}/MMSm%&ܢ8xk.J4}}1Ovyټ[ʏhp+ɛWB+iU r5xRXџ˘GNLұ%߱+ B 8"lX+a]$kN(nA;<azm5zx7&\z{$P8cz[X8]SO-:G64Ṁc2O+SZ ɔ 9 .3  ì__~yaĵd2ގ`&]Nҥg8 ۞0E3wym3~@ ۼhŸo4eZPn׾DNԩX]ʢ=FiMu7 tɻ~FE* ~An*O,˔F݋|6S*cV{J4k\PL o\K29Λg4FAU ΓmcKdn@088j?eVm@ZLɿd {B,[tK $3F>?n@r-g.{x&Xf2O)Qs!]yѧ m@ǂ.pdpG]ӗ\/TA%0gnzmwl`= DS4SSKC{ޣU--#j96SR7rЋk27;D,vGh%8Ȑ$R!} ?@KC%[zKpQp0yvA Qi[[Ǚ}fPy g Q @ aqdxd Ah5-E4<3'$ 26rӜI9J>q@L)4<'% $]?]Um0-@xQۑ+' C8Z ^WGBc]q dL#u5kFToa[ܐ ;ԽE |_UG/N'c*-ovf$:,5I?RYٛ!Cuxp>:#|v fKm~1V+ه9 07L{n1As֝Fb>.d F1Fuş(ĺx[]\yS$ԓ8@Q-X] rɢNm_j Tp,nw< ߕO2=#%&ܐLGs@-ս0xRV llRxM%3vjP)- ,ly(2MKxKDCK;,)7/f|=žFH'i/P&I!Ω9YLbb<?A+\OO%5'T_>|Y4CCeIXQdHzo&I+R0_)I(>fhT0 DhLQG@,cyCe61ܙAFЈ>ySpL^TaP*85\HUܤ4rbوngr'q>vNm9]8iKdemo 9]t+j܁oe#4/& q})`|^hԓ^H77|^ TW#2\m…ahaV"xڛ0H $Tjģo27٧E6mTc<6ejp\F@4RG'db+ G3Edž|I8 @>07p"?T%Z#NwT&ՆHLHۅ j=ӣw'N?\Oe}*C>"!{D#ڴ)7$l=c]I?3V%pb,㜂AW.! G:a;]\dLR;awž6B`hr> stream xZܶ/'VW8v 1 ! +D+-$/ۿ3kٵ7@ *?򪈮8ίÓȭv+~D2]'1Id$WsV۫_8nqo7I6݄PYd>yz;J;!ՕEK2t)-R28/~eJR_ZYq*ӱ_qpjʡj ~镔H'8;g^n@$3uݶͻ~oFi4*AX($htܲ\#NFwekLIgB#؆*A'W!8X&M?lն 5)I_H)䆧w<`"- ς$~T4AojZN)Bc :V@t~5*r e<.;3-؏H\䪘sERJH-bXK$޵]5ujv4dLOk2]]}fbM{AJ aGjkZ?Fk k׾ }MX<Z<5EH(a[0iT-ai6>B30TWP*7 X£xce!$q{itAۯX 3]WklU,xS9?{ ]Qyp:F]u;#-G.Acd6۱(`!{rbj4tTY.PyN -Qgh EX9zc#3m[3:E{OުM7]0*?()tl7/?Y3?</۞H EVhE$gfPy~C a!RDL:Y v8VueuG+dRG!lɤ H\ר͎] $Sdۈb3!%4aowIƻR=wݠjKHIHC)_M!cd b6G!o11}ٝ#gDBT64!2'cJ'BgL!4EX8m$AP44;' UC*xn` ʭT1*?is4G "K=bB\:0qM}MχeUtUmCzؓAoD8*-Ζġ-1EpH T9wĖY!uՏD/L36 M}X4B+3\9%ok0W87vuO_P0~Nw= *:|lĵ#aSf@AkJ\_yǹ 5U |y'cp)?W[۲&K>7pp֒KZ7l[4j\P 9g 3 j.s*!L豊\_ C8=v K3F>{̰iӗhޏ`]Y*%:mD"n%5+@sLrŭ< צxm[ɠ]5C3)d풎i jX2qQ+-jX"x's1.0oQ.Y({XNJHNf'`.RRdut_$I8L]r1aFK,HEA*.nv]NGckzHz]GT(ȟ[tԷgR$h4'X^*E",1>HIq/L$:E\|`"+kU7vG?Limxzv) k~'ޔ @o\ӓ ?q!T1 nH5⣗H^v\c_r vJ"n 3`L S4VF뀧7;ۣexXa嵝Y./F3#K N؟F˴{33PcuiA%uH3a`6v,N!=ۆ!/4 !3rVO7a@55ߴ4^f:u䭱Nixߝ!6C50Ҝg~_qUg)'j=3P]䑒1'ksպ"4,#leK5\LJQYKsA=!pnV egq-gK ooH5DmK_zkzl5νk4'ΰoO=)|s7W^{jDBrȃ_" 'uP!PXXoyJcNLӭzfXqed~wz2ކ f[@K@:3[ ]bWsi]{"(m> endstream endobj 1133 0 obj << /Length 3353 /Filter /FlateDecode >> stream xڭZYo~_!$G#X^ÁSٚi,aiS戳#'bwuWWGn&"?&nÍ?QBCoi}?rus.u_8 EQűޛGә40Sy+ )0f$}6<_`ۆ3mzg[-)m{w8OGРe:=[V+M%-Nv*=0@zoaN;#t& 2దa ;3]3Ѝn{`#cv`j՘^hg1 )(>  4:CԳix[ X{>Cr8 6udW8Y O%Pc73Q 2ME 3?lvO#jIEjys NQN,#hQiBJP\2&`k3? 'sΈT, 8O!<릯}&K'{߁VyFܱe)!tZe"|'#=N,@N b;nj[DM'>C$]Ѥ<86x+p'c1:eyZX `,vZXhL9`͆lIVaj<ԴM)0*:G/eߧtm)]m~9՟yDG=#&߷MA>[~ xo+3۬!0wV9M8ki1]?NxGtΦR, /&iEgP,CJF}|:C#r*xܱ|CX:A[]oIwU,0ҍfu;t"ؑx50 B,Cq {]@C<DAI~FHǢH@N2x fS";儉dyH2tg%ؔQ\ gqNppΫQsɱvUțH_J2$\ےJl Db"%3SoƱl4pLP>=($:R̀tFtp֭)@gez@`ka} {!X!%n1A3U:R~ . = dlC&?QgKYgR~_2SD9-u""RߏJ9I)v>v#b`A pNJ-Nic¡W Nu5PXޡDX^ XrR(:TIǵ dGjy*I|&_TQPd}s} x!tW̃Ba1% l3l4(hf *_7M7<-@B:4B,0%B/h|wϙv^Xibnе$v䰒~$es[*CSC+ ϥA^x|ݯ "\ŹE |?~dؿ!X`^2|߈<m_ dNl[7 Vovq{,i|b`v(I+eL,? O)XrJ@Ry4W ƖA0i\a\2pEѧKHNj9zr|,x.cPm 6qAzEFY`Nȇ w6@R岥iWڱ;=ŧMLaT٘{:y(t N(N!MOtKŜ`٭vΙg9MLqSQCf벺gjvI9'ҴX)CH]?8 Z> S01_EJ xuFH<&1|^zb"`(լ$Yp¥乥Dd~Y2NV]`7|s BGg+:r*)01kAX-NriBAgB>XV~! ީ_4_;7H*T)?sU^)ծW~0obқ8?=/;'B1%byl{ `7Ӂ#fAKa)^cVk=+A юh/xDm7`S?:F{@1G,v~QW Z(pHk>w$jW~fcYۊ3_7s؏suҎ):= =-ͼǮ=nkp M_P2scfNO~&u$joo6K_bP\>=t0=r?}ńgePpHTgͿ`vޖT]w;5= endstream endobj 1137 0 obj << /Length 3254 /Filter /FlateDecode >> stream xڵZm۸_a-bV|TrAk~Z^ %G/pH^,(gyf(JᏯtI 6gmWTxgܷ[Cw+"-v7v)y/OmoRDfN^۝mm7kQL'YqgByeK96[PGƤ:ظUIɹCZ ŌVk.~݇EVNm6I[z/;zƶaVC*2O͋hFTV-erY0. ۠Ǧ$Ms<65v}]7jHm[UhkȚEZ0es; [-=V4iW6Cs w跴p mKjDr|6F^M[َ!ƥ^hԺoJ0.uSj6éot=ՆjK:\op Pl=ɘPͿ^mb•Ѭ*+O>~9>LNv ]Ll_yŢ*9h|h3=iT dJrZ A)O%+AԖöxl"/aIvM`ZF+N7,+? =#^Y(ꩧÄr)t!4P8\r:A]wms6,}e H!*܊Z:eK2eRi|FD\$Hd`p9i苪S_=}Hw7cj|^*`3cE{ mDP+UH27S^w864@K:q"C1s_nܭ Ta|0=q(T);%%D,0Ti w(U$1uu.j05Yw-) v0NF>U?ųe@|чq~7< <#q-md1)0}d{ I0 ;FQփOx;I}4`Q~U9tg hDF˳9# ^1.2yk.v/k< uNSqj9@n qӤ'xpBz pĩ%JP4L+ɡt~cD{1D<*oېU ̘[t 4.KN=⭿r9h`n-õQ[7&Sb(&Ԡ$4Tg?Q6+zX(.'g(1v&)-4wH.&Nj%.kB8N]NF^X+^BFߏX$i% |⋫.X} {& ц՛Yk27._#00ۇmK/> \&9~B$ݩ"eNDH:C> irgl-1F)mP(E&&'QB(A@bseE yM'g%H<"|TJ' )%&XK> _yp}ntW)~tj{Xy?$mz\h (Y`Tk:f9/B).srH{*X:_{U}.GGb1ʇI`> stream xZoܸb~\xU}k($0-+x%m%}_yzuvMwHp~3CRbXe*Q*t*ն+&B850'_ƬDfQ&V۩mzz۞Rl حmm]سdb4:{Ӌ?]C)?qNĤDUTBi_j=k[6ߟ\oe!1Y20x5L*TLc]eSwٗY'Z %B$0që \%8 #ZPWSH"̌J P/km .:?nաHG3a?.2@:Zy&H\7P2  }&Kv0[ܗk-oO+-/S8cdl}ȀOul:ޗFW熎RhXq E70{Z"^XM$w OaӰ (CHp!F]Y0u;aX.;[`M9ѐc%r4e:Ǣ]=bVE:hf~E뗽G3.;9[qiP]s- HT#ֳiDz.+bل4"c-a6t$n.眔.*b8]$Xx}{1ajMXkE؜2%#KuǮ-JA A oz0hR"{:P@"8|SA,a<޹6ϗ wzP nK_a|[v :ln! d]/"4ZCpIrqCIUbm-bF:V=3QV9\sܻ+P}Sn6$Ʊ9@`xܨJr})l)eV 㚺  9B pـ{D8eM`l ,,hamv|L(a !`atq#kdɋt" aIt^_{74pN(ov<}^02@MBZ ΦzGlw?Ds0dgۥ{qwB< ;~A_r\j۶i;f Mm~3KaAtIwR!Bg >x)cGmrn`?kRc>M[Tvy㎥+{WáUpPh{%v(qp0Cv"}F  {X8+}fG2QCJ)OA<1%sH4|FX0n ޕx,g@Tt5 _^[pwኡgkx"MȊI$8: }ɂ/]G&{﹩n;}@-[ R-ޡ?RsspJ]5!`!i)sҐDPK F2H.w$-)myd Bu#21\* TJ"8)搼i:W`1B#8'dX@'NKukaUh%QI43݋+  Ѝ#_`oo0_tӀX]0jhe25a$y'jciɉ.\4 qϻ[H%,<[gas2M#{2ӳ!q>"D(YU$>3oO 9UM׸WNzǖIOiixN7U'NdVr #a8:|ꗄU$B G1rI8i%L`sK9K< 78]g=7p?n2;[ q՜ WYS`wij. i&{>=8AV/.A:ЖaB_q?&}˘ڐCS{0̙ĚXzvI~jCQ{rɍ#Qu =lciʎr^z\@hQ%>-M'ү-j$84pd3twB (=C-zwb&[5)zCwLT! ~3[!'iϏ5|WS"~c ?,z>ZmUduGJ2A-W/> S P2w2,wgJ> stream x]o6= 1Q}t CȴՖ In(Yd'Y?Ȼub'F1J؏Fr1O[7ʟ.N~|HpX.]P2Ԧ<+Xp9=.jIK9á [07'G^ԴpBrehv$C4`yRo[:gZH$_f5n8] z]ԑ ͢DJ|28}lޟ9Hx"@r+d):uI b/oC|&},Jrܦ*K!aCd Q$f=FM}A̒sF?d͙-oKb=MCS:d!R}땙:ps#$Q!*d>-W4B hzyZ+2=z@u(ꈴT>ou27QgNbQvR7Q(d0>QZBJ}5Z7\DR+ʺ':AGqtg|+#""dZZYhZՌl(r]; 0w~w9H =}t!#ÞÎ%ҋ`ƂJ &@ޞk%ghQxC=}0) x+աȺc!F vHQ"0׮>ȾW2ILzΚ2"2uf@jlITۭSd2 }4u՛i.lܙc>ZGn…2T_)EYQy G-%~.ܦY>/3ׅ>naPl•e A  iܕڻ=*8XM3g=Faܮ۬ CPt:˾%,>jAOV( 3ؙg?[)}/(80h;Y, (> \e @]+6iM/8#:{˅|k0p(Ws'^-Ь К ,? h> ZYfoam--هJ0fT<+Zc-F^\1!8Wi]-U Q["T,)\ {D^DߣD4UA\%ܝ뗉 <5R![jB\*.Up`)}{b1(xoA*,B6闁Memhg]ҏI?ڿYYr~İZ.~q(LE}pDk\4쥴q>>\-(63k$] I#,3SCkAVU%5!-BVj"Ŀ[wl|eS ;HﶝHͫ%཭|roݪNc<5Ae .1G4Sծdٶ a,^P ߶ {^gMȮh i: CAؓ endstream endobj 1153 0 obj << /Length 1866 /Filter /FlateDecode >> stream xYo6~_!loQS״[6lؒ`k Ci[-ew'Jd(v8AS~ Mwǻ$(R/x-[*'?:[=:;R$!ΦmQgj]6 |1J;Mv0!oٯU[ڄ=w%xH„t}30_%"Nߣ0P{P)”#')?ˣrFyAx q'՚ x z/qʼH3;ً=A7 noʅj˫ysx{5gےL!pEm B+mzj ̊#@p!kp$ٷHʮNe2\eQ+ /kNApRKQ oSo!xWeϥ'L\҅wzW̸Qʅ=Z%س$Nx&3B|Ul)N.6 SjZzbA -N`ͩ:i 鬑SrXW2r c@E_A>d:̙y9k>"q_b^Yї`c+\'1ek L˰ -fizlNc駒<ê@{rUZU'M$wsASW/t(7UA q>ˬrWx3sB 6\ǭQv:o&\bG;Jkb=N V=ąLp ^{˺=(|ˆrP[Q?:|Z[p%V`w@^\'0{e]s}DʓkFȊbC['"u'XGb,aw5'Ǝ)qJR\V2BG'3ۊDfcQM-rU^&y0"爱h k' نqK;(uaRkwWfejDK+ ׬o=o;\P`[Bn>,͇r +#ctZOa E2CFP;e{>"*nxD**gǛsMIzW4) 6(#Z endstream endobj 1158 0 obj << /Length 2295 /Filter /FlateDecode >> stream x]o=Bh_"Z\-$w2ZI 0JbC:,)R{1q'f J$4lz;τ߷ο_=xE3Y1 A]gv页| EFږ/d"(0jgzT w~0xMȄ oF2k󪜋#RLDă eINg(tu5bum|sKg5" Fug?O e)ƣh ?yloiog<&d\n@) 326=-4(-b"&bWآDamBb#sBH,5[W餧vomӮrSM 㡸eB ;ek;%HИ|h{8fc|)XEEV4H?]A5_{2bNf: Y"bTl ?8 ٍ۹)&cb|)2aG6($nVILq5M2&^l6 0Qcq 3,/tз34/iKi%HG?wI#>aWA?Cy?kZ~"xri@xʉy[\mHA7Ym-,Ԏn>VkY5TFzlYlk) 7o,:fRܡ ߿`^p>EyU=Wik씙0z`A]Wڧ, \Hܓ{a`d%p.YQ+OYwywm:0.P]xV CQrT&!0J8n87 ,#ΤEҎC{,gLg:Mɓ3ydg"כDB>y?͛<9&` ߐ,u5Vj?.$r`JÆcch-jI(ɢwDdWuZz8ȩKt;Fm볂+I칻BzYR[}6P(&/Oc&%~mDp4bQ$up=7ϩSP9dY?G2uX)zj?1p!jq&]}VpBM3部m߫ns`-ȷ٢1ߦj#1S1h}S9Jfe7VLMzP_|?5{T20bF½>EnktvI`5 |Me5%+v Ͻ[WTGMǺiSB_(BH16P'&y#r+=2wN`ȆLO*w3z/c[e7:KG!֪IF9![{d! 2ݕ!13?t :}#Ow#; endstream endobj 1162 0 obj << /Length 2070 /Filter /FlateDecode >> stream xZmo~B@? N}̷՗^m@@ŕETYRJRl#"8$evvvgV'fYgR,luvF/߾~.#va8%<Pu6)xIw T/K-Wv _{sq/JyN8 tĚ I>cɷ\0̄`IJPiN^6sX/ :]zYoP彭2omݐÇ HnC>fRnj[~ڕ;[Y$xQL4)j}9_y-sePC,^]6SBCtwh-o͔l0DvڂߪԚEߩ)2LF ` >O0X˯2mNE48gyB)viAjYCDzkz6K/:*)@Cyig1`[Q;JAtʿ6k\Uq&pҞm(l"#;x6/ 6[z뚶ns2;?~{qu)Wgo1XC ,>!]r@:œ ĸ&U&Z{4-ʼn  xoFAۢO?8Oy=:Xwơ᳭mFxb8]=HoUczc}w[K#:TpyTU1`So". {? bcɸ0by/Ԁ8We[&WboiK?=ⱽI;iO ǓǡX~P*Aj"V@'<cM>7BRћk6v y99;$R &|PT'AݮVRc>: :H' 5u4zv"!@bKў`*77|ʋiԝ# t"ңXa-'^:_>mAcQl"84OQ'€8k"@2xBxa-UfzC}(c'N[4.40Ï>}'F->E2:&03q\(dRāl}蘓KMewy%,otPD5 ®)2!1RF ƥU fbIM^+(%qxrT\`*ߺ)p7KCcŗcKPo|ɖ3cz{T_&-!@yWK3L" @ض^o( %|Ud<#7lU7)=2݌('|wutcPhN-w/hp f0Ø ":bP74ǣLo) Ѥz?AiMA4;SzIڕ0΄$Jah4C -7en_vVyCuPjn6W|T#j`r"ߤ:ԗ?m/cG}TC.J _ŷ!W_)(n_>*9{ׄoV"]^z$gJwŏ6#S:+=NO簳/_p|9 IM]HolONQdfPn%݂Lկ=D#ӻ/_ ylIp>:x3󥠄&W3_ endstream endobj 1166 0 obj << /Length 2197 /Filter /FlateDecode >> stream xZsz̈(!3mGuOJ:LMw=,}X^=J,i],vX(HxޟQG-gظq H9chl//vɡ6|!¯0ٚk3_p#rveJr@{ #f* ! y,&_iYJՌ1vBn&9i^ρ *Y9]"_^CK(͢h.tSHx(E^yNU]6C.K׫_̭]e`\FI#3PG~XsH7ؚ\WR;)|SWHsSיY[8;1MQ2ҏfUO{52%LL~]xDd=5`/k;T[;aDtݍT$͟pθ áVՐTUrm&KW֊ag|Ł1/\ ?6KS7e^YftH>fm"vn4kJC;pwq'솥~`(p}Zfs}E(T|<$JR|6݌@7r?MD<A[J >adC @_ Vd9# '64^vgRTF]/ş/>ɖ+r*Mu@ v;nm0W,ɇto <[vj lqM<㬓W1yIn fDqpM$o] Ÿk#}>%0GL1D#1X6C58{M4icpTu 9R umj?xW'iJ}!L 0>LYM )-*S}V,p~ʞÐtxfʜz=)jO00Φ>45QyF0 Jhdi~=ak@ϱ?\)ṂݲV^pVޜ /}y\]˩m*]xOf#p۽$vӵHU?R>кsx?RVet`fUOnmY%eʉwկJxH].bJX,bK"gѕ]e +EK+ zpN*)C$U+%{pQK8}%J}*NJtw W b(y }~,sN0Ӛ0M":%ݤY\]Ggt_hݏj0x1sdGɣh#7qK{*v]Y¢&`}JEu٢+0/^ձnl̜KQcEґs&[= θ4MGwI]i7]ɖK/ڂH 13..xR*ӏ`q&.B)YU 5uO+Ffcd.SbI"㇟7h bŷrd$ԭ ɋzw(Ht_ƻ)AXRcǷvrGj*ݙ)Xf?|<v6U_o'#+ΩTL N,!/\v0tϛP'mX`dL+%f\@ұ1g~4e8P \HP5%35zuQF66k ;BJž1LlAH;UB<³O'芁nGAC#\ .[Kq,jcw6_R6 Ki ƏR}m$J endstream endobj 1171 0 obj << /Length 3652 /Filter /FlateDecode >> stream xڭZY6~j LnUƩTj3x] #L {&~/)=MU ?║2ʔ]m/bm+n m`f6ۛA땈,nNfz:\mkF)~\㪭$YbڦWoo~zϛq+$<|P[JT|7?\YmWՕXt%Di25E]~zݴ\w{pʋק|c(vXk6*J&]og۲.<)"ǃš>F6ɆI/qjpLV!#/)>xV;g}#p"İɫ]}|C$2:g&3)]庮t<;Ѕ W"h.6m,Mjiz߸Ěёg6ȜB/Wm.D;͢x][.- \c݌?ElR,xs7Kz]]C?Oy86򔳅P:J4'I$Q@B)=ĮG#k[-?uw|meWT{4=cE mW7nyŋ(S_.X}!Y;聋K@aFboc6*=[B/4zН[t[ 9_rT4j4 w# cU*PǠ7;tؤ?jl~ZQ}K:B9\HPԁ g ZoMoЎ;_݁8"\@o+,u` Ě.M| <5BUKW W޾1u_Typ>Y$}TL}- * 鬜d#.>!!9'Ji Gݏ&I >HSQ0GG Њ;@=V" $. FeoOpUնD}UǢ\ZP#y{ <*UGXyKnD YZ$ʱ*UAdU8ɴ2s3FQ`V.`xj;$B,&x 4,zLəD 1/ώVX r/gޥ338Q0g8o*(a(;S;B.k_)x*Y;SԷm]>XlQ՝nKUK !8q ~Ĥ!0)\g| .Ḏa D? T>cʱ&v&`jٶmEY07pj C hv V̻yX xՀ$!18)tg$v<WZS925ɕkZ1(D1թq,0s\Y1<DxDAğ`{1 Xq!XLVS> stream xڥZYo~_7s` þx86u +>JC␳$g%ק1fwuuWGO]eUbLn&"j(oo;TfQnSl~ }ѮƘ~Z[}]ZL'.Ho7~ϛa)+y‘S*c6mNb枟줵I|@ ]wJ- J!+je )WkA^KG!s5CU<=N<_+e˴}3. NcTD{}~^-FYP#Gs;{*V x*^m0@ !$ -kâ,O{80oLzDR>tZSFnW|Z;&*q)^E׸e<.xmߢ`[EEqA(ۋkX]yx]9fHw V3 -А[HL.dW oHʥ\tAFe5?Uukw|}](0ҋF.Ԓ mF٨]Ŀv:xIgn>'x iЪAl_dgQkqQx7AGIJtE]T$ذۀHP1%$#ݵE_pglsй/wǔ:m~[KqpJM sMݩFq-B" Ag^ ",!neoEE/vwZ~[ cSSGG F= S3pw"mD1ęb!VeA-nݵ9i{.;vBYPKwY1Kœ93XǷnR:C"G~=\"xGv5 i Y%I3Z`ĎZ *{VrJ"<^{# 2@S7=hQvGܠp‡->܄wL3̩{A˪n:. Lo}r :ږ=F)H@l" ~. # 0OHBŝgTlЯ*@ǒWlif'+fv?]t: M-:T8!$}pp_="tuΏ?Zc?>ytI^_qo+M2 .j"(hm~2S}%2b!GiˏAn /6JKQpKpCDv is9k%loäGut=Sn}F܉pVLbtBRH> Jl5x+GOg肐{]!oIxf&RJ. GPQƮ8{;Cse!W 9#gpFoNc4A,قk0R7Ae|!ua^lARU陬+%@$XbQa{Y|H4<|RWȷ a‹ Snf To,d 5%Q~0QE$:QP+}1IIO?a 7Ϡ !;N-]ݽGK[) i8=D|UcйAvǐ)[. jaeI<ƺ%̆XУk1^rV/;<}yZsK\4H$vxa>5յc_,*Y99o_͆Ailjv/ḑ̌eR/@񕼘 \>%N^w.F:1Vre rb 6l,2k(g S?! Vrx8M2?FܤHUS}3~ՖbtLTqpX~A%\b-W ?ʀả Dhg~1IR68(RC$4J@^Ah?b_eA_fۍTgf$aѩd.0BIU~Vspc8㉏ $27! _2I# 'aEv~ēnL=7'P݉/j#w3''x-|jmE^lw\Me.f^*sY7 \ *xK(m/zIN OG2%㰩{3_ILfOJBME CvrÈf901WƧ q.^S<[̜ÿf$ d$5S?Of(B,^;_G/d0wFw. O\2I*[coFVz_R,)*VI}@p)NI}a c*X0*\,(?ʨ`P}[y-XD"XOw`3Ac}YI6ҡSnK`\xprd뷉4˖*:Զ-̺!2T_+tՉ6GJiFI%R| @oA^f+8k/諊GlD-+#W2@.Wxr[s oA:e>*ݪȾBqF!ߟ\ 7J..9ΥBģ 1"Bx"uI> stream xZܶb/֥>F|*nڤ l vh;á^kݹ8VpyP|_*ʮ'm+x]̿^=W&J gy"IzEI{@3˽\?w /^ 0 D {$ڭ; z")as?LN Ǯp].Y׷uk8)ڿ@:)  1rO)YKn^uT=TɌ`5IY*E_0 ɮ}ᢪn֞= 87^0[ `?JOWbԌk>e&?^Gpf6s(=pT˧[L܏ =N Aµ7:G_tMTn].!1LQt%< |ڡYn!?)gC5Lڶ/9S ~`MF7>#"%ȀKis{BȢ.$!=A|ׇ-dYlj#>EQ9SjEp >veξ\$%a#$μyrF:qM Bt @Ƥ pm< ǖWtMX$yߟknɍ"%dRE=[M$2;nawŒ+Tqt tIK{_0 K[,+ ?D1.Ϳ6- `&RY]/,gٺڵl^&\ߜ;bv"IoԔ9PjtE*[@aɚÛ7'-K'l{">m;L39UBjAn"a#/Z%aǺ+ŔC<~W_`@K~/hH`3-?O|c,<$xIS[w\|>IE < Yp: 9uS\5jCD`) _N Si L[&m)]橓`+ံ9KP@.jZLe[?ssjɿB+hYK{y 3.ZB[95P驇Jw zC(N[Gc<ܘYx1\JD T?#͇r=4|:K,=)]O0bF_u6hPlC ۇx .K1iLUv/M͔+ +?݄E )1gMPlC/7 iki]F<ͱ `ZU,0&i@pd ¤EM^o5{<.´8nnwPH og:'^x7ŋg KOSuѹ EfUD|PLglGH&'3u%gS&R5,k9Di12o{:a7{T*US]XF}Ba۝^mՖ'G Ƌa&B3VMuUݬufwm|eƒ}4ZӠSx/).-^LJޡ2fKߘGk YvO\(aSw2K LqƎU:P*gOsa#y@mSa3[ =}2-ylgCuA20O&QOe XfL}St2 (w_:kDsjaʎt*ku|2J;/siX|sr;n' c2-RjAXBpAeCEY f9(cƑ tݖ[Uyw 2Y:T& R_LǞe\?|90/ML1DdEPWM1X"W*[Zlq(Ҟ_mfQr[pԺ=}|CK ȇ#xřH| Nmť>ܱ;S=Eƺ8iysTE~wy)!Ax3} ?C[ endstream endobj 1188 0 obj << /Length 3053 /Filter /FlateDecode >> stream xZmܶ_u-+d|H$H}(P8A ޷HZϿ32nݤo0(3yf|?pHɜE[=q9͋?}/nSݬ7屫2SZ*]TUuNYw =QJjUKE_uaų7 ,3KiȜƼ?+u[޶NMu[뎆T.WY.:OIQLS5UBMrt.--$tSNTAbR3b%7j[Mb^wb?j1ŖRqn/ݕ0٩Mfr6NK׋;hpİplV^VS]CCڡ?kx7yVO+^xgz4La6՞`F×׀\vS6c8?([ s`+Azl2pYSq ނW`Ӯ+ͳHMY;f؆mre,n LKr<+R eTf]"sNGj.&8E+-׈&-w}j돡 LZ5XیgZfF G:l%. M`>["3KcP>x _z?ñ3D6߀v.==l}u6 <РyFN1x}vީSq, 9+Ws6.3#t6ѮΜ1&5Ȫ @ÅBw lg YR6C |tjBȝL zx @fG>ב |?,r-$BvρG4?©Lh5L4jVeJg->h;raؾjC};4, P`XNo}hnsȍaۻpڮH#C xH{) >BO/m$eB`Ӕ=%r 322QalV*U1PEKfUl/=~b {mI*$J?I"jqQćWM}}D'FD VbbgYls쨸RąKJL&XVfF3mgwz\L_^܇3Ͷ=9OC8F (ƙF;Q HCby6l=:7Q&+OX Wr71Wk8𯯾L֐횡SȌqJn1Cubtf_} VD,eݦ3(;n(N_ֲx6 x4N ϣ./q*gY3F8)9lp5`wSQ^0R^8qZ &`gQ[pX;zrVx^`b@1H3Y8tӕJ#r0I7yo{hD/5gy҇-P_ ?VR9dNK Bjl0 /uZ#;HXED_|'M](n(or+Sw5UXYr[L J HLC8jf ̨1lBB#95 9@rj!2FT!ʩc u>V\riO$sisA.y蓹t Hl- fb_OKB*.ȥtf4H,jFΥqri1&^ϥ!a4y1O5}ȯ`~[4V)^K{@2CdB(f= }>v=V*tԊwL$AԄk;]\YbI24x`,7'*qJ]nC%GpO%ރ2"ڼyFd=`d$gF8O\"40G[ HkL;iQcs1| 5Xd K \ew\9ɖ\EWrA@dƊb8t?/  xs͟HhQtZ+@ _"Nv#GxQ>.8kR\?Qe> stream xڵ]۸=bїhI}^ڦ(Cv}H+sm!|QM ?h8r]?uW%w1qwEBaۿPBO/~sݩ$J=>/zݽ4a5D鏛mf[nՕ.J6*;eB.T^2) ]Fʢ;ϐϮy("nt|#C3i۸xt=Latap- P w&օsؿ8W[$2ʘ 9GJi ޅ1*mۮ vUֱn]}|Pkbr: Jjmî0x838̶OF N2ӢŜNCst,Qn4 `6+&tg Tf.”t"Nu*Ʉez/.$Y`{iYzS}wpmVOǦȗJvՓeQ~zQuiDhƀΊ_0 /03 M5Q#]?2S++^fTL BQT`:CyjFv2i1jDv iccyc>%B` ́%L*z& i'"8qX64 hRue>,ִ< 53oU'y+@4KgsP-{WOGǰ gvQ>CAxgGNl1B䗫6צK v 4F0aPFr̚M]jvli`{'ӝ,@'oWSjl];2QH&9lylA&y牥5C+/`EevMM`cdۑ'6SșX6&%Fvqq< G He(s"7 mӲDĈr[51p>~'`m am6߲7U+ ;uR᧔@phf8wsm$8#[rAbdgL^($4HD4+ud㘫54rf\Esir9FJE:KZaR0ӥzEN"(W12ޯf'+h9;[vˆ}A89~C̡J!j 6MX`/;́#O>Z8=U49Q&Ǫmd| RIw. r#Ӌ:u_Pn~d|ψ^8t h50s]ৈc2 8žqpOv e:l!ʣ6R C) n_?di8*ȫizҵe<0g{Fѣ/R!gkyON@66`*<_hPM=v`r ,ˁ N"Hk*b&qJQB.B#`v©RR0O߮Y$"u\OvUTgz pK b<@qj!9GX1@` pA0txB̑*ތ.AhQrPe8A.>W8 #]\xdNFu{<5%̒-ifut~ᯯH(e }' "o{ˁ*l)Iޤ+hq}',SE$AO3JAѷ~'~B A>j1|ԉ53׈8y R\dGN3L,,؁yQϙk%^G 6.?r蜟k;džJdTM4va(ZJRP%|k7Ҫj"kHd@ ?CC{s1( l:Cuۿr \r,SKnxAGgLR\ԒAԘE*L,=Qa\]d ¨SV-BtmQ]17 o\ endstream endobj 1088 0 obj << /Type /ObjStm /N 100 /First 958 /Length 1882 /Filter /FlateDecode >> stream xZ]o}ׯcC3$@>@[v.67 4֮ؖ.9KΜ9r-3Dol2 yoH @1!DNA;ﴑM e"^n%ng&GhaP(e_G f HRL=RW XBJP]1 HQ[l( LR>*Ng* ދvaf:H"l y(8ZbBM ' +0K.A hUOeXbb EtaJ:k T2QXQ Ub1ENd}lc=GGվlZT1:/%: X" 8%e]\usAbj+n)B $V I2"FfUSS/$̑|&@DIRPW +zf:RR2([LvO }ovEDX;cIW[mI2F j1^(.K+ɓA¼3ǟ X['ti<1 |W'X=i-TC _F`X9Ҽ2Ӽ4_xy6x<2rlh/bj߯㷓/JT565EqHMkm)m8 CmwC!Ct:m1+S곱l4oY;;fwUYTag T"ZBi4?/[)NB9־`_xG[ޗZ.oTSMro*j٣ԪnNvsZm+Vs3&g]7xlﳟW?/M3x1|biߵmhOs>&Ë7p9i淟_S{3;{ߛAo5Nk!8-KĖ^O~?n q,Eqo^`obw HQD-A%>E~e|Y{ǏQACE{/Ew AS}EEtu3??ĿǧWld[~xA. Tdt0/wA7sVF?FOn|\C`Oo(n@7^I %9BHU^>Ƴd!S;א8JɇwY{ꨈkk3ȹ58"܆PD8ǩCGe|.5lflqD~  f[ξUܙ$N\+_қ/v(J],W؆lRXOkltKxb0[u1y&/\tO/.ա氚ek"]Rjdԩ̋Dd騷bڏ,xwqL}{q{s?0$d_WL%?}t]Hf| \gKuȑfigvt\'OQ߸b߶wػhkKJ>4-Q,K6VdcLW;gtXlmv;72\!Ʀ߃)-4(^p %XI? 1C#fw᪑wYB$UrV xWOL]{26U0y|C}(ǩ3UBU#Gu;=K=Ǻ* endstream endobj 1197 0 obj << /Length 2421 /Filter /FlateDecode >> stream xZYs8~PR[7ȭ}d25{e&lƛ%Fs[P|XV`J&=Զ咧I`&O}g{gq ]a l_Q>12LH:$QWYRo{^ 4mU;_`U=0 %*Kc AU)JSi̿?|mN Iuѿ>8xl9"}NAQJYA R0=$XNDOBRU&VI" 5rz/7=j23AQZi$HMz5rJ)trӑry I@lz8teSeeڪzx"I {ȔABԂ?z} Oy=vЮ' tA6[?51\.RoYg; ȇ{]BC%1PcA%aA8Q. ʢ M3.MAȺ7,tR{m2F#R'=go*pyw]nt1C,F}XçS7 0DS`_^_#ӣE 5lw"hFnŤU!N*VL҅@vKw";29 .\;)Ҕ`.ڥ\6_6EO_ 0oDqu >k9gDR9Q6頞2jZXWPhťhu pu +o&!}:}anI*(qGW;~\g/ w%>87/J >Ĝ)|Gl.S '<ܡJLeJPq8epۆL 9DW(Ki&Fr6R}*`8tm->AvW9mukT#J!d费/%}3SF/kě&E>紛ek[9i؏s8Oy0mu;Ȃm۽ ;Q{i MYLn R .0fRom۽-wH1T&Nǿ#lۍj^ L5t:T??萩%ei/1Si`Y^D3NtL ¸hK“;qEkyAa3cF ,^i(P-7N[%`Hsָ,嚤̸鴳?$6$:s)uiAn3y>>O*m%dΖΡ! b76MӞ2Vf d4bD9F "m w do'[T܍~BDaGJF+^y3epAI ,|+<_fďes"L0Zrk:_! Mf*Үc;%X.|to'> endstream endobj 1204 0 obj << /Length 2773 /Filter /FlateDecode >> stream xڽY_oOrqˈIQAQ%r0t-x-IZΧ D.Ea"p8ᐯR"]Y iV7mW8 0q=7}PjSV_]\MI]lWӛrdeY"?YK3{e[[oZ"WI!N>]E`xL8d+m$$>~81Yr7}'<BJ \Ό[ҚOJfەiN yúS.LH1L4uw}{V}8ų˧tJyJ%n0#a[Ϫ^KDB,j3YL9ɞs.Rtavϩ?v`)~_,J12?p4^`MynbοuRpWm-a 6>u7 >A_}CTODA_AZQ K #^%ѿ?Q:)wՖFGB׫Rv]yMd#D8S^%5gx6uj#7e n&ŸMרL&}i٨o0 S@i-X>Tnʼ[>Tu="׶mW5K?;Ѝ˪1tROZ ҃ {ߠ}(%.m_l^ \@Xk|?m]>!@X66G.!8ִem.7k1A׶wү BձK#f#_]kcYwH/hQ\LO4ytލvyvka9](t}-@jrv[~v'VuWX w0:eF\~]|i)56މfyV# l v.͆Fm/!J+Y($~?-*e2_=w L o:chW+ He§OX9{gΘ(T0|hY ^9 lQptfH[|IšMK~A4 q6G}EjאcX^*#r:L`8ub65i듓L@frs=-dF?3OgَU L  q,gtZ$?r~{akX; ɉ[6\gy&P ?&|)G 3 ( .ɸ1g-C)_[5BO} i Y? j[;^IBnQhՈFdvV `3eY <7I!ǬrG- O.{A"<`io;ZoK#eMsnW{wcрԽnÇ/-Y;Zut@Q9V}okTҎ]D҃wHm -E ˊ>SZL&L]+Q}8;[kr\/Cjud.>)pEiZކ9GΣB a=L><"+­t?e0h:Nq+9n]7]JvŤ6rNc^=t>;r}9T-3*.9{B[jVybi*TXzYLIafjs¾@~fG{|!ǡPqց#E;C$ y@6/Pp GZkJPC7ahs Jz4b X h!\bۿp7)_}2xೊaLy߽fsCpA!/-{pCX>{UwgK.!٭,%2[ K _,|Zd^;_ eׯgj/x;06"Ł޼ ˳cyt2KLn=+ƧOJ"Z9@}mq|4D  w> stream xksD|CA҃l8X8puU@{b֖|l=ݲ$g.TgwOy<+LkQl}vuF߾|.˫}cLDv jykt.wkcud>?kwZW/y ٨_}WTV O>C`7;Ks#6Dدߜ:׋jsLJQXbs3;Uݟ>_vk&SRoMBPF M1o zPز)in$]0w݇@]tkUAיH1ɛW$Her]U~Ք}(ZeoJ$2wI(*;HX6&&LLcP 0ҹØ_;XZsG <5T},NLzwTaI۩9#CERY%;iTn%mΘ`r2S=řHRJ< ;9<-hjݢw} !p~YM$1/-#`Hg ]%NJ~jj{_u|?*c Cv+uM[- [WvaFf--h9̼mZӶyv4N&oɸza4\ ؁@~(1sY4[<{S6+.gawQW^HfJ\.=׫}d uɧꠊI%{ $F,VttZL1`%*pc+R"K&~L~"L"MI8+_c^-MoB[ȋ wM ²سQ@9_SCCFigZіwpv]pIZ9nD`Y')A6v[kmdMd|>綉Fe[n߀ yB' >30ne>HM!Ǐ=Z2ߚU)\?~9F017V#Jc4ؿT%^z AT[~\~Xp34&ىTE:7+ ,ve2\JP??Ri\m9~5X1iL.Nd](c皤bОr*iEZ<m&8D/e_ 0___`u~eF-[Ho`Sٿ;laC8yn_7@V%1i[RwI`(\\Ŏ__bQSL7} l(BFldn7>)τISR={yέA%iP! 6Z弓&\kZHʸ0#9ͫ\wXW2g݆U/(X0qJT"97=۬x~ +qMӺN[CɳX8y֏z!O=MXgD*'[8PlEO6 ':kٰ}p7 Dm7i 'p}*($z2Hbә>A/zsBL}T(,+"!RYNzmݡI5Oixf\O06ȩƪiqQ<VVBL QsFO^ n$aȰ457Rُ[GfkUc @CfـvmL:hǑƖ&R=!x 0>9'D+T '*EhQ%( S,RD|]2k HӉԻ{uz; H@Vؒ~4e{BҠ}ݞ!еeݺtc(8m]m8- 踗q*q{d:a(Fb/Ы p!"҇RdD r ~wA˕ 3̆%J7CZL3a,߲_TG2kD.(~l]@˾| ~TL֢8[}{ɣ_9`9QPezr.VǨ h;ť6lDžL !8F>)Bر.2!fC[RePD7ۅ)3y1 >w!P7%#ĐL1]zHgiI猴6TcROIN… .Cdž$OLzEMIrx\'>AԨ qq%]T* GprY,ȸl2ϸnʎDKQJ.KsTsポ`RE% 7Y3TŗATwaY!Z^9քSk7$ORA:oKHq5fR-9; w.,T0(eś(^ma`81@I@KndYحչ%ɐlh6C6?R:~u sa}^=n/_b*b`9oy/)>Pl`w*Ru& Y@hdkpelL7=Ӷ毚Z+]%wQ8p:ñ!"=K:C M7/0&]"YyO 1NTO}2N38l;&8?|t5GhuN*(k*= ~_O(~ȥ9 G,bk]7|Cy *wKo4<9});߰)TWeU,O&`K,TQń;ɋU {@+@~l2&3>vd|&:)rN+Η 9zo=\4 ߧUdk;0fC@e&Bi4 axYZ^b<ؔ=<^jH'%_õIwN6@! u:$L8@_"AӲfr '%߄ ?U1m ǠXz{fs, gC UrO7j?";t[4 J Gd2:?цE815c=]vH|q}3+@8%V endstream endobj 1213 0 obj << /Length 2768 /Filter /FlateDecode >> stream xZKsܸWLD%OLesTb\ 5bC$ǶӍg,{S.=@ĊßX|(RmW#z݊/~x$#ɿ\>zԘ,X]^ܮ^E7m7gkTxD/ɫM~LL7}_H@PJ aTbP45(+Kjt7O[xبnin5ۮ)]{oIUy繢+l[~כ~l*2Eu. VhZоB1ah[CEsiHqTf?3.9Ni& `]7G3 uC~)6 - }K";d]7Ȑ^KɖqV, -lX]^qT T%1K6$Og@,-,qY)'EόM^!o5xc *WzY67DNBv(a\& 6o +ZYMWBDeݞ <,t n2{PvmYlc e>vyK&n?9עɺC;Jdp\%'I0y/GI=eŽK^1Vhi.t+D#毹U׹~c'6MT*N;:\A]{N/Uo\/fϺڋkR_un^!@xAYN/T*dlE9{OiP']faYSBnZjsv-Gڲ8w -~%*k䀇Hfqv?"` 5/K Z$Ҹ_5΀}Q|LK26e  …Woj p1V~iTa5 dҴ25ҋPt)e]SnoWSf/DQ|qI!BKRi#&仼AMrjg,C ӂIG3R)GmlHFk1CZipx9DuVzC qdzd>@,m9IvC,rVD37'U lTb͘)O&4Tě(=iVĖ*խBؒ, aLRԜc%S=fW=Sgmicj|! =4AdA5q&sHhA ,JGG+dY e>iQADZ[?sK˲ mP Wዏ03Ɂ > =|1H S-%s D&V":dބi`HlZ3=RfZZ ֓UVJtq"CTCW^B|v^*&(gO)eO` ߱%0䔐J ?ËlUƖ[N/V;6\(U=y#p~UV.96>M)zGҟpO#( M>REaLGs g=+fKnjfG@Lra0rԃ}\G}Bޑlqd.-yi O[달:rN@'il p|&EI)~z-"t4`G5 q6]?ŕ}IaGovZ'd3k-DSt%_0kJTJ_:*ĵsSV|`N7v endstream endobj 1217 0 obj << /Length 2655 /Filter /FlateDecode >> stream xZYoF~gWð^ 8 Y[k5!!#E.rYw}Vu]_UH-S4XMF~xd F+_\^&;T뮨~hƍ+΀E>47r(yc9*}~ [_aѡcxy6IQ|G39l]Bq*(M{ӘJ[2?&V'|AJ71 LDZpWйVP VM Ȓ8]Tz?K|pȑlx;9V: @hbzY+*!.%|:Ϊ|VLlJQʚab0 $pĺ RNhG6:{tl42:#b{|9vJGQ4O06ʢJrU^qq׍kk;#4mD(#]geFlE4c5{LUs]zޠC8-N6B++Knh-rߨ؏`|@Ϳ[߆J}٤Pf7`M]CMjMГպgg@sYJNjnn'wd?'^~9w]w%sI7hil¢zoᲸjaY߽N4bDNQW1~CD8G;W?; d"ɣ+XF1ݶ؂FݹZEZyGpxyڨq&&t Cos)Pr $(UE$AI  1&;DB'1CrbBDo H8q+w Y~=4jKܰ0JdU8udp[9lGUW%&H-ׄ0ĸau8myH[x41dp{ sc2HSX X-՚kwAā?pܼWVnC==Tb{*׀\ aUQ" й6MYh051IUL;rU֫>*$G)c>cP=blE7QkbeI͈ C ڊ[D}:2 @ Ov$[[x> ㅔmۃIR\J9E$e>jZoh#\@Ս<t9 NKf3RC20\ rC$ZU! &{o4#Xr)kL$-ZÕD4%Ee>)4_Qt=x[XwY:+_aaP /ׇb`Iݧm&L\wÄJo&7?}~7RkhE"xOJUosPK6gw7;=? '@:gVm|{zx2o5h=}kU%&55Ic{&YC5?(RLVޚzoӏK7H{/2&BM?޻oycVIS$U.)`ܜ}?|/OA!)|}|}=Nnn7G~_[jnҝ9aW@:J&A:_> stream xڽY[s۸~ϯn-K:n3L"$qL A(P&xܠp_(E~E@~^2o n^M./2\l\V7N_,8?_,$u˨+_o~zqu3nF g>s$4IYa~yݵfPETxï?,aie\W\}$_yוl~Xf70Eן.SDX]SyUuz9񢈽KZxA-4s2 ʛxﯾ[^ULmp09 ~ خkS~$ܚQݲnA% %Jw!H?J";XCq;n;=(|8$v%[^I0D(#{#6gԃԹv8eD~d@ 86,ر Yw}́ߵUneewa GEhptPcYڍ̳vԘ*8oaa$|<L[s_biвa`O ^1>@&iR/r&$'.7;#ߖGBw6዇X7ʘzLS̉= =cs ƴ "[D4'̺\5^mmƃ:-(ǥ+h#=Dku4buF Z[1;k87zf 6LEO_k>0cs 3w ԝ,0qgP4Y0iFs&>X:LX $܂ qagw p2VWH\>^n oD +;uqPiبjMe^ZIr̜;% /8NxWMClaݏo_0(+?Ν:(?JC )qrK:FB6{8>K}uc6h}EcE+ B1$`ݮ("lvyvOc%sK1K_ʦ|9&wըx JR ϘQs$v8:Nh3v_x`3oRlDiȂ0SPKNzln9k 4Hga{SXI29Dz0=)?H.bkE@4P uInN>9!́~P0妄)-\]SAwvg*li+j*dn{P!6b>l5v6E5姊- AyJ % <Gͣ%ߓ dȥ;=O]!Ol<\_| yR¤dL ^c1 S4PCRW$g!9ʣp$݁S\D7M}8 <(@g4&PL! 51"-;Lk5Y?R'%i/EZ=,iq.oYJRc2D !4Eh@<);~a>'gt)j!k%Qzg(+aF݆-N_9_cc8|c7W%?{B endstream endobj 1223 0 obj << /Length 2079 /Filter /FlateDecode >> stream xYYoF~R܃eIz݇6 ZZY)%ίRF?h9fv, gZJ(3[OB7Z]Ψ 떰p9XW/hC o77|) RQnme/E"t$zNU$m•CjŸTd/ir@2X9Aun8hoa=BWϥ?s2}(U:HkКPll]ZhP,ꉂs#Swnba o#"DO$5 I3tPٶ޷R4K<>=Ջ'6v;ڒm=Kk"IY_g.7ގ!g6)65elʮ]0`s1p-3@OE/QЍA[{ yZ]šs,) );ns05B ֌ESׅaq!и2"Q9\ٚWNmT~-FHZV~!ֽTRSo]uV7viNn\}C*f:V&g}ȳ4}4w,Md5 bT^$~FlhYdk[Z|]ӫ >V;dIC~& ajdԓoiHu ۝k]~*8#4j(@& /`#_ <=а>}2b܀ ]<+$Ȗz9}1sp+FQ5"S& wM28e5L(f\x| aYEE-,R00xYx?NL1&~_cD,Td/=)0:7d ~mW./$#n)1q `7b:|)yګPXwOY#ه2+L{l,ԧ O{pol#b!!<7o&gJnL2|vvH(mǤ .1E0gȐca%0ٯs8A]1)0M 3Na<8$sa--پ0,FX8eRqG[R6Ǹ9= 5m8cFcp?W4S)ɰ T}of>&&iO:ʲJ`zTs({nR\SDǷ^wQe!&@k.td6U26.!0n!6_r #>i]wA+?|3,zԉ endstream endobj 1227 0 obj << /Length 2312 /Filter /FlateDecode >> stream xZݏ۸_m̈"k>kpf406bK$owCɒO$!]H g~3pģ~<ʒH2eQ[ˈ o^>:=?EFH2a@߃2n5Leu{%c=Pr5l:T,1׫PƂ},CYvxiIْhRxoR{MC5{p^*T; yı}1#|Vvhl:x0hNF7L|/м&p1@ٓn0X,{ÂVsmܢ4V;X ^eݺh7KK;IKtyR+n59k[i }́OJ+k;D9{ų,Ξ?|f8W|>)~b31!{;dY4e9)Zx)\FDTHʲ4Fp;T3uԢTE{[W^2V.vrIwO4Yoq&psz_x9Sx!va8ىetL{?t?^Kr߂o}w|ۻ[L;OZg2ڿy(sjD)X &x]e7k z\>99 )m;4ʡ)K* {~ *V3aK_Efsl|NC2?zh6_۶2Z'h,Ď q)gW/|z狛"{v;I %ǣ‹ϧ 21;DB=b&L)Dt'1\ru>P |TlAޑ~@/R&.fh|BF<>K58>c%H) ϶;>>0h`0~`e ©W>RzГ`bxtg]](G)$dbR ^I4v K-m05&<\|`Kqp4%mx<e<˪B[\x6%"3M TnZۅ<,a@PRŶ-9yDlQWOsr~/!7CZ(EI]z@dۊFJ<'UJx[_QKY dwq: PlW چzSj4^gpnQ8reyMu Wǀѫ] @[ Pν[@3#wSӖB'ө6cx^u{轕Wq ̄$=w=) lpQyp80գm$oO;vO9-Hzd实:9rt$>S+2_ ]ᠢuP 47s/k(HM#޿*ir2".JQMS\#EQv[4%|)񬀗_p86g/&o9@+\ǃi,E١%xu7}u0\ <'5&n W\A7;=2Fw( }4n=g5 +?G endstream endobj 1231 0 obj << /Length 3218 /Filter /FlateDecode >> stream xڕَܸ_1ؗUnYw7`=y@fw#Qml}Zꑝ,3"EX?D?CaUm&"xzoOo}8 먎˥ zn.N}A~ϲ<]ըLvN<ݿye,"!:nN2Cqu=w8JQv"H|pq.O{[զ90*_153.4fF۩Ɵ$<6{<ջEԝ}u>$nɸwz@"Q0#D҃=-&dD5`̶t& ѽBC4 vPݾgfu}ѤuY`V"+K4,=rl ˤiuJݨjT%> C1W|d5ݳ;΢X fdL@DYqWe K# , VAKhe}Q-X)5I;2y"e5ȘIt7Xw Z9BV9YUφ2 Y8849,9kYtcԔ`S^aGn F3Jc0hqhr$ü>lkc!8+ʑRYL0$Iל\ݤAIXpyw{lGoA9A+)O?c,˖7e)^FŖ,n =lAʲ~*OV_1&_7(=1ԣЗGqU>KKշZA$=RAx7[$-vXed‰HB "ǡ7*ٖO^oz@A ^ 9u7{_bqP"d| җlY(@0j&FY*|RL"Ђ0Y" 6Z9c A ѫ=^8 BV=773DN8tH.O#. bƿ+r Y^d#}t"mLl2_Zp֒cE@V"$xD5% f!<}%*5߮.E Q9 %<)✹3rɍ7wJ:cűL_$8AiơX/A#P iKTgGAwfnՠm]Q%R`m ߰[ǁ ^:MtؿV!=mfF AB:?ݲ"ncjd>NoZǥ8ǡ/ޣF% ,RҐ1mYX!ٌI09r /ؐ5[0=I1ن-nw !Ner5tcViރ_2"0eR(ء tQ62e@b ː/c꼔k%"ȫmI2JjE0hDGX8JvzLwrRpne G Fj=%@c/ M `q1X$K-´}0ƫ!8~H}<|% L'MV_8qܰ>pXwTFe?Q\yg-M}-MRT GK88edasG %4{l H+ZF? 7U H *[JdQfӄO$ O` cl8 A 7׎RHs=f(}#ũ%G5Z\% )Ri NB/űysOhkכӢتeR4LTNfdBBu> stream xڍˎ>_eأa1 fw rqC&D[DT:_zQ{4A-Xd]t_PU ob~M"x;@ܭ0t|ǢxH}>>+s.^]eQ.ϋ}V~ܥ*$}DžV'S;\%y/CO{BڑN:~hXE}vwQ8K"HfDjF>w2\4F9S̋N[z6oQ"tz_i'>) Ḡ*v| r|Yl8Q9/[z&s?}R=B$-\t!U1Iy. ~YUf'53/3*5n>4uh-fz6/׷F#YAB3j oK4Nⴋ{T*Ҽ2͞$iE.,+I%[`.&K7et8 U \j4a/,u0w 1-0d_hd_!+x3*_ݓUxzwLXVV P##{,naJH_u Mn5\p5TvRq/Ri%pu<:ǓR+HRpɌ0n[~刿't_'Za.2#i[sB>'Yv)O=U|e#h5z4vp'o=9{'hcl3,qm%*P {iy-OU* y0cl>72ERMIDͷ$>-ĝ[ŧ[M>[6rz/\( pbĄOBtUTB4+@LKo*|x=S.B_C%R/V04՛}d!已Xx|,d xi#il\<·CCZt#}UD6lھ:,y,ɯm?tO2fn#9B\̊[̄qCpymh+nO. 5>6.*Tf+B֥rv24+̊,[9-ByiDF<>J F#e5&\a)gUNs'o +m6E"Dr0{[_U~I]^+{I7zG:KܴTI]WqPn9F'//,9xs[y"IAHYn]}E` 4 endstream endobj 1242 0 obj << /Length 3023 /Filter /FlateDecode >> stream xڕYmܶ_qh[DQoAQi)EOުJ[}ZiOF\8!9<3Ío"ߔM$a*"xÍ{  _ݽKӛ8 ˨o˥_aO$Z{*۫" ?z{?*B!K+BqY]mϸy`E|A;OnDϗav0NyF;|nGXL?JM!-7xULzǍm<<1Ιjr~?GZdǑ] sOB4,ar` +}%yvLP 3ԼhV&g:ASS4<'RtS3ڑ l<74<ϻBHJ%mc_h-/]ꍅEYD_DXjStQ,u'q9,Ik=`{yR/&>pQ%**|[gR K`.|_ VoUE[ nء 1>,4 ky ŽHl|A), uNpiċ,SyR%`Β `6рFkYϧؾlqN [3Xg2m|1]/kCkjw? :!p,dZPUq<'}&xJ7O-G|H-U)"x̀qqnt֙oFPwS`68/p񁉳)boOZGB G32QveA`0L[ %@?5XP\/RԁA1s#TEŝʝ(Zcf٘ZgEÜeɥbkͧq.aZ_jdYE'< ~ޚG̬ 5ngyLKf;XQ3#MoCxfP:L9Þ:ѽO iacɢҀ^R0H0uxei@v*eL *bu2L€ |v`Ǧ=e[*,i*pp SM'Khqh>V ERR.%/ܚSxu33Tf)l]=n$QV jd^ \z,/Ri6=(zþҾӉ:5eE$Bͺ/3!K|Q|f'"K_N~i\^ڰ*Tij-V1a`{0[˓~ϣ~ K#c6\ u|+!# =p#f`8ZwÄ/k8˄6ڻ6~j`63|eාr :"E*јds6FAYP&W.81zi Νo±b`w2=53n ,Ń.r[ qF;n$XU:clV:IjM%/-?TC҉ K5Fa49:Ice 7tV1 j"A[Piv8 TI/Ci[Cj@-L 꺲klq_`"HsAL GV5td+9\:( Ć/Z@Y&<\-BR$[VP̀n "`i#1fv#yu2{3İa{>"b`Yrʋj F h:BS gՓuv~KˏD%[Kjdq8gepⲐURh)!c¥U{ɕ= TӀ|yGy Nͮ37̵dfb.l΋o6Q/ d%H _#es|x27&r݂2?Xg~ ;b4/F3lNjtDH%/oˎ4:r6`!iVw8ryExr]вf~Ň1V endstream endobj 1245 0 obj << /Length 2824 /Filter /FlateDecode >> stream xYoܸb/ /O(Q*iRvP\\[]ɧG_Pȉ ZR|g~܄OnpcHd:gmn68y[^F" 3Om/o6'(qpnUaO*5&dN>^pV™ߦ*I&[8:Ӡ='*  jp rZ}tO8d[VlcpNg釧{c%-hy[O2(?bk&(act5SI[ Kdvy&2AZ[Kw ^]߸{ۺ?monη\W6yW7_4`?!̇>?E#/P2WG Xp#\-5B}ww.[fk}[V7W&D%.f(uۿ8&M0Ht'pOЂi駨{/SA'#sofVfЩ3+g/& l^-}5޶(SNI^yxiΩ\&\r~ZC+HED@=̛\MYď87͠WmMive ^hhP]CV")*p~#أII袩ۖp.odMz"5jl҉"Rz=,ttY3j0t]c?u梥ϜW-+܃A>=kPy|N99!|_vҊ[T r04% $3D?Wnp{q5dFD`MP2T|>э#ڮHY+F즂Pq@ME~V!_Wk*9n_W` yW vCDHJ %jG KD}ggz=*G[*3E]!KN]@1&7TTږf He|G-*mdζpU ~候ӵUw ߌBض$Q d̖@fzeFY:3pU8B/6+l°&ZN`k&E E_}wr+Tdr}ϞBg15긊q0/:/] vwхC"oPj^zx࡞& D Ia?cQ@UB/⏷XW/[q#P@@< gܔ1H@N)Y;v9 pu"bW{ևY >`LpPG"jJ\dYVrE\[ugO,B{` &oEwyc*Ծ.jJ(5IeUFLJ$\CIL/3.Û 8 |P'{Uuu;&M\2gQʳVkx]70~47yY/@ ߢU@s{l3nsg,D yk r2mi,bV83O|0_uL焯g- endstream endobj 1250 0 obj << /Length 2633 /Filter /FlateDecode >> stream xYoB҅rCQ ]>-ɕDRL'iC€浒 "R""߽h^PW@Q}u6 jmx]n}k곥Rߝ-k2)ss 8=髳?v8+ /R~V:x%ZHfޞ%ʼUy&xX-ipҧ5l{:atgƘR_Mvy$^h:NT+F^//^r+%dY{:@}mM-hOXU5g|ƶ4K Y#:`[ 8=mV tI1nKvvDć)?tHGg|="?VWY9}(_E/B`;}}+a>WZ*:2git„ ̳P :_~&ng n 8 lbk>>nX[KL]q4-X`kجi8A,-9m1,-ʳJ$a4 ?" !̷]!1xw|%@w7z.IA&1=Rb9 `yAm;\Ly|mMn0>wp_:TN><`so`|Nͩ@|]{zPA~4tyT>y_\9"~Kpc0Z~}sy}< #/v+BZWtSL:y"EѯiwIA,> ?2--*(ޘ=@ /SWH6 űv8*D`H3,4lv{:ѯ&_"q1lGL8ػw㩵=ZE`ۆDJ$Sqˍ-(@؁l~F.@Pe!!kfU8Z|SV`(m",~)#6OMkvԆZ6hÍiuKyhD l,-sیSO`sV/@:LOUsy*LcVS3S0΅Be}ѺAxpj:f,Ky:ܢπ'7X9ub'RDj7P!wp!U":Q>yߥ-̇# Y@ysٮE"`Yo~\^^\at5HC{!`e!]Cv4ƶ48*۹g lۆ2n5t?Ga|3C o}w =m?_NzWI| RTk ui(4ݞ {8r- T:r\QSOop}VLCrDˊŇ_f J dhQ$Rxqp1zf3"n:!쨋EVl?܀E$\%`vf[5=b:0 S[ʣ+NG[g3d8UVKNˊ=Efs8ro ^AED3DVfq=A C9fj葺xil_|9|-EzIHm8BЕҐ .3ͧp}B"sc=dϋ݋R\1~R8%E./BCI3G)CJ 1?aL靊G_5*>9w[~]AY-k"$(^ qFPwACp;=^UɊpombe5 ڒt0V J<;(28v"9$wI9YaOsqjC}TĶ*Qw41Dh9P'gC|!j8F KP§k)LJ.~ fM..6kQ b_KgB0a hҹ]48f0]Y~26 0#)Q,ɂӍK9$~( %Mx2@tcD3 2YMU"d Qm ESV}T;3吏#˖8<+t}K(> stream xYo/⵾5Wpp`$HmC{:-&%lxY}{wn6*a"&JXDӦȉyoί/o^^\nW?\ܞ*b%S-ZrFjՆ(m?ea l)#] nB6 BFp#T2ޡ\9VzN|lވy$ ':}@/H2Qb eBE gO`xtLiC^ +2/:ն6>gX 1#SȹXNހ}A r>0Vxsg 2 &}UJAs▏mO:!$X IN2Qkv K2P`xDLᓿ`Dž/Lwkg?1L;ͦ;d%әPrf%FfiU܊Hd%XnDhg6ͺ*8ݤ".k!6_emic8`)Wr6|*`6ʡ&C?4)Eٌ0pUOuё>wKy!uE#-0^NHW43mQ!%"G\Eժ´9`J9U \L?H!C&}]}3Z`d\R#~?sٴ2AB%˄~.!Z׉`ꩁ/By*qvxZo0*c0/Љ C`H9&6_[6cCΉ-;ZoZ1%HT؇\T~(O&=CWw dp+J@/w8zeSD% sNX#Vڄok_*?^"B]ԒU;ڨ|+]qG1D$!Z 辣OҚ0sPgeODNm^5@#/i /ަ-v).~$If(NICnvO|b5؇t/,rx{$bFq:/NM{Ժ)؀D]0v()]?J*mpr'x8bfu?/Zz6G_ 8kg,_$0GO- r}\N/sUs'D%x6] T8v3UiMY(gw)+%\GA=WId;CZ&skRPĻMzGc"HBKQ#<)- j-;CJxͫ)Yh}H#pd=UC(/@#mljJp8`n2HpKԬbzc1]3κCNF/۩!cmZvmεuNBӹ\QRc4lY `ZP.v>5#Az "s=GI9 k+DDC}z8]Pq~Rf S#X9z!qm!~4.$%ꅠٛhn=.lynKyR GWUK)};6,nf:G# F-`9 1lKuҊ|ڼ|KMr5s.>7rȔTH͡Tq! a9R^k4ۗW$Q*ӝm+kPĦ2\B$̈́&lb5}). .q4AxB!0 ihxq:P,#EcjZc<ئ_ԁntf@u0,r._WaƏ:CtPsmV`x{s$СeF,Hܠ2{&M۞3ISU_gG?}|>> stream xYms۸_M`z4>%#R1g(%s*ʒm5x@X,v}" #]/.|O/X_R FILc N׷]U˕"]TчlUYΖ+nQj/g 3OH% <5 m%aBz>]Zu%>^0Fb8ֽI;t KRgZαKíDK֮*:$\vRTu3ܨe|?paV9,<Ă@#ׄb`Q' ̓"wV/W(5hۨɾ5db6luRC0QUjkإ4(G 4‹ǂ`QMk?҄KVd`A6ÆBY4RkUS6 gk^.Wۼ[;>f6Rs KۇwQ'?Ct[pbh+05ͬ%p"&i$VDH3sDNƶǝ_:&3nܚ:MTg8=g(GNy]V{I+tv}&#Wed{L6w?o9)qV [1x"Gɽ mqˌ~3zon]oжǷIEV~mnVhu¡pXh|˷K8B?izMX{St]RWAx(WP-7bخn # D{yҤ :@m(sB8"DliͬэVTXҐ9WvF5q| Jsx6Ϲ,ᕌ{L (W2H/@EMkGW ﬓRt W6+g] <kSs+pndA$Wc_IJ 3- yt ;wEFE`;/Dc)a},$YC*Vnz0Tz~_*Q+ o ;ݫ3:UckVbHMhVl4 4sZǞR%vDݣ_ֱ"K.zQݖj@a 0<DZ .Rx5hw3 T,~}\(,`6)KJp?g%01BxOQ8| _#p&>_;9QR'Ro~(x76<5g&r8!|ZoI1k،DAdUbd^4[<̌*HUnOG\I7D̆[9Ukh9̙!0+ijLuG'{+H4l['!:|U[ǻ`ɷY)]YݾHJ{mcz ],Py(ӹ9HDا^=CYLwI4W50F]lQwH) r-#֑vi`papyg~G@u{lX+F;R+H0%c#Fm9iS Na+* }). E#srFI{hg.KNr.22ُ!eQφMҎfFh3Z5a)fلG \`IvvB| L'3C@gk]lz29v(vFE$(h<9ߺ,/Ú0(b.zg:E@KP"S|Үj$߶L HŻ'Hx1g㞑<8pQGq&rFE`3@U# nu|9fW,2ϪjWڝ=usYw}XpȾ_u߅u7gN;x 7Vjy# 17z`)>@dď cTN!4 ϋ``#x>؎X Jv8(ٍrĿq2tu?> stream xZms۸_t`L.]聯N/x9D.qbA)E^쳀ń?1)r' Z ]o^|1Ys1E]&Ww}[6gJLBk\˦\M˳ 3W\F#‘Jz̈́ҤX1m7b ݖ)rF՚MnUߺPW"OYmA ~nWUya"k>Aδ|#ŤS𶘼}񯸢d:FkZ.jl̙]3(}wUVTj>.Y|rO\3.ı ::5UVz f Kmꖚ 7P3]eH/\(rZs|l]o_zļRuI}H%A-m>W|}92,7$zxM:?.|_cb`R;鈃h ZT0uÙ.UX%2apxg*h~;,Ff!kLkIr5LzMjF/:iʦ*cp "@FBnVӶ_:!aV`Y9gͼZ p@IALG9uC!1emĴ%Wwohi>ٌp>t6kk[; ͢aj,ja7ӾբhB"`"T{WRm+ϣ9OԋE}&]24>afIP i$5ꎛ N09Ny: O'*vQ~Cҥj,wٛ μ0#lH=iUw>ǖƬJT<0د 1 zڬ=Mp8 Ÿ|v\ZWm {sAaJ[qd%yRdo>M{ `֎LCuG$ C8Rݠ 9F3m_2KLn`x[7e;BsVVm I_ZxRn[0J)9 Ќ\F}?Ӧ㑹A$BoM5d;b#sz*Ma4~ 5BZf6K}G@~{kTه;XF9fi+Ɩa53"fY%f1T_oc"Ep%0x ه =$ LrK60,,;oIYm'T`- kIy)cEgJ+xD zFfN1^<3)%ScTAj/c6 ea=W  vEz')TԃJ` _::O%qjU_I{T91EVsep=&t{i{Ka%гE@17.aM%:ww.t3*`ۑBDu40x.߆!Pq9R;O˅s,;|ur\=-!7rV y&B%pqT Lm{xYcsCOq߷]8fR` \I]1Рnb|2S-`lY|Xm0JdЛǎCt*) G֏Ȭ{v~9;#z*Ճ6:exD6O8}q:`3)Un )[ K|jS1 R~yzpT[ةoxM9yCv?H>u=&70tyCt=#fy{bZa9 Fב>c+&v,dyH˜䡞 qPHEIv42~`J']8腳LsqbqpKFwA̠(ǟx./sKW%aK!5ɈaV,~ϫ{yy{equeū#u{q1 )Q긻SyOvwy ' ݟH^5Z}86h l 4 y"t7b%;GQ̯8OÁ_b &+?E~gGι3JY_ey:O #nu/ endstream endobj 1266 0 obj << /Length 1190 /Filter /FlateDecode >> stream xW[o6~ϯۨbŻ4 b:la@DŶh :$ύ<߹, #X(pEswQ"?]ėc>ay RનbZkj]o17Yι@zG7:i@P{[3򜏼*p̸+YrL^Yd讫{=l-8 >}[5Y "4uV2@M Bp%D$OE4}?w0FIYLM p$Ŝ~)sڣF5e KQ[t"kY\$^ڱ9ۄ5_{7RH:*5y*2C^9 K/*:v؎MQב8Ga6V'ru^gT-wLϨB&zg 7ӣ+VC x}[\G_p ͩD> nMƥ&.V š;㔣<۫7&$l1Hf0gude*/OM |;5*&'YYy$G}rZQ,;_W1cj ` 1<2#$f)êBv_OZ!';y#WG 6;6č]/6}k8M ƿ+>3R39=|B1JL#g] B3]*q wc4`[-USK>rd؃^ l=dP[9b(n':?J0?958 B? aܦ.?ft&Q 9GE0>Dnm4u܆F]$]0{~wKFڷƣּ+ ?Ȇ$vc scpB"H}gVMAǃCYm>nH=N dV0y Rg=d$<1?<^ 2TLK Sa~)drJN~N+Uu" >Q/}7,UCcrϙ[әPgƭ#q>){ 86J{_x8齘LYWg(zt$(؜6Ȋ|uC|* X0C?/ endstream endobj 1270 0 obj << /Length 908 /Filter /FlateDecode >> stream xڍVM6PoP)$ֱ6i9%9p-Z"BIE$g(k,`QÙ[XdSySm@t >}x`9lxѼ KDŽSe at~|k@ENt[$lWԹUo4uAiS#Ze4 f冓Zy7Oޱ \6 ½O%)Kb{ Y5gR1^bKi~^V3<\yP4 ?F+fEf)#yU'91$$cumZZYihܯѕӳ>jrg'elnO\wD+[tWt6x3[o!.%A oj>bt20.F&ōso=DK\Vt ~ʻqӀڇ4cĸ:K: JY׺Y kLH(|)<:N*9|Ftq^G>0<`^C{鈴Zګphvnw}Zh\|ws~"jy J"캬X!?Gj endstream endobj 1273 0 obj << /Length 1145 /Filter /FlateDecode >> stream xڍVIo6W=@[K遖hRT3ʱ=N`zGU?U$aWNz3_l%*VYymBFow?oN8~Oid2K)i( ck?9նʙGױB2qFzεzQ)IO^%H˨MP2fa)EƅP} ^*~Ts$%xh Ab.1lZoW0sX$$6:HCKTLlk͇8.ߪ Ա9`P+c< ѿ}g>BZ0uX2>)&7;мnNͭ-Ve0Oju38 Q\ċ,WVpd7=2E!tgj^3 ,S8B5[A 4\1?ܝ MH6e ^-2`Lta'@Q[rBb,i]$2 n[,_C/"L6u͙~ZEWE*~+l$k؏ ̗7x/AxP^_XB4[s1ڶ:)|~buyLwv!J[*+yӾG' NM8 C C甹1%<\=ɯ'7;'}:޿ ͽowZ9 %?|_xS;ӛ`ߍ+Rr-Rkb6@/4-K~konlu{s#L3/['^F7q޶kѷ=n[5gzD֪y &aE<~c*8V\LosЫra͊J{t0# PBx~;ntj Px%c3$?*dYzyG˔n s }֌Vap#2}Cz7+?(cĶ|2" W0 endstream endobj 1379 0 obj << /Length 1736 /Filter /FlateDecode >> stream x]o6+ti_7w8na6lJ,4˿e(Y]\Ih)z=! 6_iIJfWxգ v=Ӱfx=Hc #AxÉWw|5n )yθe椊x ⓚK(|ou~.3^LwIo%d2A0bœa$LJSH 9oʼsܥGkH̡7׳ico'86!$Et @+D$zļunyg$h_ΟG}8 .QlJf'ܟ.0P j- iL#1L8)PqcoȒQct)9ƒ&Kv8XnMju}db\}߂`ԡޡJBEY g@mtOp<+I0Lj<*$}rM@FɷS.a ).tOǧRRR^U%&v/-1M8l "MH "RVVFG-kI'?`sוoTw^b;]Z|ĵ/D'e"Vdf:aO!;G^:OPRtf|X4sPʊs4 qBdh\\eEB8$ 2yuJ#%,JliEMVJʥ wdR&nJ ^)\y7$KFIW>Du*UR"Γ3,"؄bqr+rז`nIfRi/:д"?Y8hrWY6@W5OzUfѲ|Ьo{VP ٨k3(5üW9%$r,]ZZ #z:3?d.^MOpvҤ YF|l/ZFmv2e2>N(Xf[6TۼՌcXȂQU 7q[r+3bnhN7{_AbDX-5cъfhufE;;f_B ͜rSGN݅RŐUyQYr$BM?)P5YTe!3BY5l?NU۩"AH*ID"> stream xZ]o[}ׯ؏uRE ~P)&j%ɿKDWEF8޻wyٻ5j 9shd@yhS2%Rzz(9YXI=A#=pV5Ԇq9c ^Z%УUC0C\0CU52~Yހ0ck[8aͺjTbjP2k4QBF%0j F/.އwpN8$c 6 ^bn \j`l6g v_MI ^blMS$*,Hz%#j.Ot54i 5f2 eYb=k0[=x2-Jb\-mjoa= Vֲ&B'sKELhaKY) l+J$24WL s*`)۲ } aCMAM9 .MpFj6ȞznJ YZm.#zxmBDU ;zx"DE|yionŤPuET 瘲>?}z!#`?ap>84"y8(ǂT%ο>jl|@I{IN#a+PmCNqrE+U$qZG]^˲mQP)ݓ%_\^ܜNʴaՆ6V8u}>#>|tMrӕCE4"r;CA(c}4HFUJ5jm[vĝA8Ō[FjaGw}RzjXsVUX%1-mY^q>(pF?PjdaQl8Xh;&grI- D\s {D(g^{O $9*Q&I ;s zywu/ϟ|v1[lzv>p1v\.>OEhRfSվ endstream endobj 1497 0 obj << /Length 2012 /Filter /FlateDecode >> stream xmoHScI{K&s|[$v.xMQ3,S']{7O渡>pX9tr挱@Azէzi/YhLeZ!E_C̘}O'K3cvd$ I8sDhqmFke0eFu8xs&+E+q0D'?+%(<O.{ h֯Y"|!n P䵣30C@3ua/~#$ uj!+V'?rQ=8w~ ?D~ [ɬ@`Uf,!,m4 {pSp~>ǸN\v L$o>_y.SDKo@Y0f-Ef_-2#^nM3n4C& kbP0/!K@\0ɧ:g3vtCk-\HFxt/GO|9~ H9t4qLӯgFT''/$>ΠjaR6r+t,=F? +Ym ׍qXQap=\zmͬq="@zFظ^˘l>4n ס | e /5,G X* Lrqsd( (BK5 R_jŤq<,%2^xP0g5k}VbmQ0KOBb, @Dq ÙJf]Fqc+L2%z h47,b! PZ;`YlƗS^(+e P(/nnuHh0ɠbξ XQ_j/\r,0bY}*AxS$2iZT7vZ]as%,5-uhvЩ/[ zSs> 3*l[HJkkW% 7A/ee5R 0>X" ɅJmnU^wV<]ӍZ#,ެ]ͺ9q?zTGٴ_?Nx}L D!e >*xL2iRiYEXsVLSʹFnz7-asWSzmOۏ/[8۹P74u,hoHPxC;:)/[6:~ *NSW;@[1[G~oAs vi&{8%~Aljp9xp$<^+^_&a l3iI 6ŗџ$R[.iѰ@x P?LVNVxN <Avyr'qjf&E}"dVa2[ܚKm5 !xڮwxgHFRi:Dʗ4+58be[:F{;~ X SΑڼOƓv endstream endobj 1382 0 obj << /Type /ObjStm /N 100 /First 1005 /Length 2258 /Filter /FlateDecode >> stream xڵ[M]2JU% LIgxx0dɿ)[ﵡoBt9*J:h!$⡉ܰĕhJw'1qc$(\KIjԉ4QwPtw(mC k5a\BVpѼqһ[517;M,[]8[ݖmOH#ƘGw/^]~w7_y~/mP]~9rGoL `LK(}z"]ޤzLw̿O}w$3:99IVsk(#rf^92v-pnH+=)'qV7J)TZKɔ> !YYre'!D#k9K Trb%oa =,NiٕȕS1 öIU3lz'kM9$+'rGu,+ݕ!Øɖ%nk6>F>t^;~'m|w~]Hs[mK:rН$懺[Ug;1a(l]щY>mWpt{1-*do9P0Uotշ¡xץ1~w5xz9vlлkG #f[t2.U[bv킞DvdڅuKY-U=ZĵAuR=Y|1۵ C#rV|ǖ~ ݔG~ -u Hݮvp>ZńAK uo2d-mk7,Edfl-7EoBJ\F%e}-! w%' v88? 22.eN쿜$W-U~LoiԸ/*${{+sj[{(C74uO=J/_O}Nqw8>B{㗏w}yo[[6^ N3_톄an(ӣL2Z1JF@<ycGR 08aX-F S S S S S S S S S S s s s s s s s s s s @\r 5k @,,,,,,,,,,llllllllllrdD6IdD6Id@nrȑ9(9(9(o``wqm5Xy1xu-5@9.Փʁ^8:=Z?k4n7V>8 ;z'/}mk9K+'f,NidJ\hiANí[萌E{-g3u{)B"ڮ54?U텧;OqsT+Mv8Uiϴy-%v2gWJ?.SlWG?8UM endstream endobj 1610 0 obj << /Length 1565 /Filter /FlateDecode >> stream x]s8\eK{%44N;;;׸ē0t_dd>Ӌyk"D3ox/^Qv}py{Hz7߷j0jӺh zHy2IJi+LGItlw"haLh# _@;!L;p%4?a&?\sGX[»pf ļJIw >hw3Ф&2/i< q0 MG\o, B6TĞJ`r2e}<@,!l4Gs,M1NK"2"lywp2k}֦QCGLC3/(&$Ec𑿹Vl9ۘpE-.z'U25N 6FWO,Q;/TenD3-9m"[d&X8^MboI^/fE?$YCmu۸5yH6gHQws+k8T{ب_N`azoTq[^[XVm%ʬTV[BtۇvVʪ13G]a,INvY- *}0=xU B]f^SAAB8z|p C1 5)%8JP1,w&#G$A)y Z[(j^& x.` z{V6zMH+A PCdA/.hh&haG9h0;؇hgI&MZδ`jΚvMsPФ&pdݚalvS퀆/YZчNsֻsϭ_> stream xڵZK\_eQg{\L}t{l|v_us}RH@CK+@ Ơ$(ĽVX9P/Xt_th12Pc ハ+|ܱH<1_bF# ? R8Ksd3\(SrlN}Z1R!\yΐB9\-b ^B2BR,bt+)=BcJOP!e ]4ąø>ni?`?KLА[6- 1Td]3Rս7uc+eEιhrJ@Qj>2%.SR9Tι!b!b0mE0?la1cb:%uMIUuΡZlLIJoSRWԍiJjpx0]3#4f9{6u'9LhӦfӦMmnv1pס XM;gĺcLkNݻh*{,},&ßjsxXeژA=F{x},<|חo<?w͓A{p+!+8  #{ˋ^?|݃Fjz콢vpU]Jƶrr.u5#uʮ,{qXNMsA5 'rk9^7+KmKC\ҨR=kyᤁwzWo늵*w+sǴt'WrzR kdB7ORv'-TF>r"^lK8j'AЪB^Llzᕳ=ۖ18Z~mEKDEOK QӴz벖RgNOK}id(c !҅]*ZrU A^'b{<כX.dCOK`mt~O=hW.ZNuS՝0ۥKEAZf;Δ͵|͒ZRsn풬}`KymaKK)Ǩ 8%[z t5lx4/{t:'K 9E,Ġ>6>Q|+/ >Oryʺyӣvt>n}jKw*!=/_v/vQiyt`17ֶhflOce1FoHUa.^;QLp[s0F۱m a$\>gbk{A>Zg\i*<쬆c㎵=+98>Rbgg~7Mֶ!y{J쬞XKwZfq|?vfhΕ;{aEt+ {ʌ=јR>{;G)׎ⓢ;:qv7|_'ݒ'ykCrl#/%!1W~^JHUi{wn;=Q"JwoUNTz"}-2U`\ˇ^ 9\ԕũm/N xg%N 2׺]xAuޖ a5buʬqm^b~@--`n}1zG["^D.h ~8^g~P 8g8G ]AsqM?wq;Q|cJ輞h6\{Lhs{G)^c9ъa+O_}>yWLi͛%\I\\w~ ͡#^z//_߾7~|8x|9$ ??1~k}?6(8ټ|'4g'eCyY<6r9P.K4q@"C"C"C"C"C"C"C"C"C"c"c"c"c"c"c"c"c"c"c"S"S"S"S"S"S"S"S"S"S"s"s"s"s"s"s"s"s"s"s"K"K"K"K"K"K"K"K"K"K"k"k"k"k"k"k"k"k"k"k"["["["["["["["["["["D'rO={"D<9䲒\VrYV#G"D<6~H\-AGj0 gp9~rJO endstream endobj 1612 0 obj << /Type /ObjStm /N 100 /First 1001 /Length 1831 /Filter /FlateDecode >> stream xڵ%y va,0đLpb{!ȁާx{Hb陹͏],:Ґ ih!BZa":#/x`ʠ^=/pGSzQ*?+# z+ 휃>%'AŰH)&Sڞ[bڹ9*^(j[ϰMj)Q&×$p(2{Ԯ!n<ØȓuQ=1m/c;Lj)-Of-Ky~d— Y$2;'"#|kMGQ_+6T>mcZ*˘&~T>ҵmcG#Y+6&}T>T>?oe9#nN|鷦~^=îD0XZqh+f\?O.suu {VE8h,N}/2JS՝QOs8yMpoFm4b}~ H>jUlwӤUl֢M|Շ>^zFO璇:~ԧ7璧go6 eagyԇ<{jzCZwy]-׸v"6I úq-pͥM{ѨӸ6> stream xs8Wx^&\^s׼:N`> 'N,m^4@1?V GI)L N_ك?!-<:yuy@0XxA)<(>LtRJh2M'x̞1:]\ɐ|䷫Gs,ݤ0D&F@(eٍM>9 i!X2 #& G\|Tf4IT{TwrP~7I|C $a INWe x)g 3pylL}Ȳnǁ^[>CWDLz B N7EeK1Ћg2e=x-R\>=s(˅x>e-G '%gXPPcadnzF@2%dL6(cCYqHUcqs+Yj>yEJ? ^xޜ2lX5"l P&# dYm=]"%L4򱽈3oMA-k䥬I=ޚ t<NjEXXsoH7~)ck7?"[Q3|v~1;_,;DoӹŌ`f @T?7}:n+3Ia< ~WϦ.p`K0DAr$0bVg`5g&ry徬(5kI?>w2Tk:t}䯬^;2:(,%Y`L_^˫&- 3P8 =;xNTTk/,Jyh4Ɩ!Me]Mz(fq5Y+4bk,H6^ Or|d57@@s~#tPbv;]/'[&CB)K0Z ㅣFqw+񕻓L}o|@m8k\Z (粌R6LC74?B{ڿ6т ql /Hei-3x%C?a!`}yWQP*r%tZ]q˙ATa|F3|OrBB:BBK6ArЯCNr:{i':\{':k N0--gsMua Q;P/;]VEtb{&\-U@J˂-GShrm]2NOWۧRj>xw&1ytm!K?Pc3gE+SN,Y @[:m0ğjNפd;J/-~M( IM i=J+E#\/%tɌM,S4Z/8L  C-ˇQ{̃0v͆ˏġ)W04)& endstream endobj 1817 0 obj << /Length 1724 /Filter /FlateDecode >> stream xMs8j=,ioN[[g7e cHgW6/X2H$`?ә?*Dh #d~U?-_qc3p|0wЈHݷÏ?>lƌaO7/>,I\o3f CJ蟻n>8ˑT00CyJ VP7>@Ǽ4o*ގ2Wj LqsFc*/8+|Cp;ZC M-̼z4RMb4 ͹Pavr*8Nů=bbSGtv| 5ADbcwIeY>aim W"OiPWi2Y̗O,) \]* 0YM:"ѫeI`!4? F"I1t݇H^S!zD 3Q/, œ2 iL&IIjBT$}nȲyEMAxM9\jh$x Ql8$ rc1ȊٷX4mc)* Ͳ'E-DNMhVot6x(sӳCθy Lq3x&ˇɊ:6 d3"%xܪhi[u~:˛tZn̅:?Mv~>}M! &s|>ک 9n7$qĆߐ iv֟=5cDiXK#uNcsin c-9=V[\EC1Z؝!U&dx3ͫIam rOYv(=^]{ѹMQ0zkaW3dCNbW|Dvg{VEϖ]g3@v LR+ !@ZFFVl܁~M>'q|FAHQa)9$Env>Rx')* #k/f *Yek{jb@gyr%u..&㪻qRqԩ*g{33 &Ƽ2_-F9<~1?y6k@=.`t>C}0;tx c7-z*nFcKپy|& ˬ(-|1eT}H1/i"F/_ aAwzEQc5E5FTyq#3"pC0Rg{egi"҅z9 }at-lT`;z;勷B lEWWOS=[/n_ ޾xK{Ā`''z?Z]J,eL̪8.hϦx2=y83ΆzV?|hQ) I{gdN4[{vDji. k+qen>=: endstream endobj 1613 0 obj << /Type /ObjStm /N 100 /First 1011 /Length 2566 /Filter /FlateDecode >> stream xڵZM1pXdE;rI!"/#6bۙ8H"5AÙmǏbI= u 4zMUf )0*{VZuւe!'kY$!(B<\-[>#[N!nJaCq\S):ohsB}6|Fy24iGJ!x-{Hk=jP'B5=,hG:l#jN <\KjUTKܰ٣j9:d&e_1}9@`U}UC뾵mը-X3Lϣ`Ygu֚ZZk9ضi4 ̾-tQgq6Gj9m߰}̑H!s01͹aF#ץ0`>G Cc[Js֕d!=ݰis_dv)6O1ARnn\c7Ir4w,_Fó,"Optڧm:<&={vwo߿twy?w>x!N w*9N+-b;`xY ?.od6|}%_qk8_)$|kO &?xxi.R/)|6a ^cpOͿOۿ]~>>NLJvz/۪4f>o?J~>FflT67>#t6ddddDDDDDD.D.D.D.D.D.D.D.D.D.DV"+Jd%YDV"+++++++++++Fd#وlD6"FNNNNNNNNNNAAA!G sZ bYb5}2 E-iVHJ,$NM戜irg< Pr q,)>M0+G[˙R33up楜bT|"XipN/$8u-g3p^)RRk:JmQD@jBpuZ4z9ȩ96r*4g?^cJ@PZ$Q %DjK9u$p^M[ βFTwTk9"ܿr5!+eCҵ&ڢ_I|VCNip `"}3ϊãig}=lԃdI|H6ߦ;!>2} /:jt~$_OQ|[%oEQB]y%9YuхY|R6TE4[%K]'~ހyIES[M?ʨQ 8 u主71_k3ԣ7.׾PLxC=+ҶT4EpݽN+HofY˗egӥSO3JɗЭPpzh{&Q>\?Dl|ZNyA-?8JYWJG쯕[9*e(e&N2pPk85j Ǯ54kZ֨5kZք5*nM{ [֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[֨5*n[D_F2ѿ:ӿ:ӿ:ӿ:S`j0ŔmvU y:$5ƍLMwgIc~SE2JR7W(%{/( endstream endobj 1819 0 obj << /Type /ObjStm /N 100 /First 1001 /Length 1869 /Filter /FlateDecode >> stream xڵ? *F+I8iR;I"`_q>5lRxv=%R#qhfhf6"kc4Q jtr5G5jX Zϖ\5/hqX4bj%;lT&W'KV/x$rxGLy 0alu,UZؖl/DzXs6e=.CHïZėbMbY%MDz^)-%^GSRS KPmzǰl,^,5F3[sol̳01G9A9klSY-oSl=m,eG\Mj3sg}JCଖ6D@2;56t[xXV/)g6? 1}zy~n?~O?}_m d׿} ?'[/szX.SۧO?mn cN$YFdֽȡ}LOa0-C'sP̀@ߘE9SobtɌѱ2'Y^QOweϙ&HL͎m9nbq2%:LB1Aj{~f!֙Ո>3{4̧ӻԱ,tj;N]BjeS??w%gR蒑wlR0+d ښoYHK.Ą.!9O71ދsnDL2K0Μc^&t 2Ʉ.a[w2QO,$݇!3 t Ye'g>GeBpYHL܊>D-tEBPY{uϹ7 {zf!.Qڛd䙅صܛO.ڛX<t{C@L&ߺ{2yf!sV%Ȱ'(syf!&[I&!K֙^oL.Q{"#3 gOޤIط,D%{O]2Bث{C=A8cKmo2gg"<-t3 t e,D4wQ%2> !Lj?!K.#Dɇ X*IJ ƌ6$wc8xHv8q]lcs܅;_ xCKf G6 {y M:xH3!7'G6z=<ņ~䖪N^c|Uxl#zy%yU%sábgfX U[q:{}@p/ӾCFTBM8w8Vatr$Ϊ;E-oAD GP߃;֝by rqO7m{M+UkÙ^3mm]* T endstream endobj 1940 0 obj << /Length 1968 /Filter /FlateDecode >> stream x[o6+`0;ea%0F}8SM%%-P'cӹCz=I)L|w5= ^70{{z7wfR6*AO^ c;w)|sz<\`$ۭ I΅H~ `5VGU֢$@Z/l3 '4_F4V9ᄎA=O,FDSrh %jm$ ۉsnDF<xjY4FBcٗqa"5p=:;?k$* ۥ k`3#P<,FKk| T`JYp%rZ #Iuw yR,o v1L92őnAy1ƴiY$k&Jٙq AQE)tAQfv'Ķ%_,Lm -rjjC{ڀUr_Eabei$HB6=[^ s$q 4Y *Q܀T@`^BuXż=,$v J#Mdn~p/Ӓijt:ĝ&bۄV}B#lW@"Ր >@MAHH\fHXek:#kBv{2A `e҈bDܘ\FuDird#8b JK /ql:@E Gt~+PrB~ iS˙Q V{UD[і?wwM 䔡aQ#Hh1$[I> stream xڵZߋ ~߿*9q^0{Hbp .}vW2Z aiF0." A 3Ћ0jJ!(chR @[+!cۼ5*(Y'c =83ȅ;|1GT,z!i(VHG\VhГALٕFLT8B\$2l:qX­IWi=4b,# Ј#8-2G="cVV FEEc(kpCp3- R/j(qftW(KwBu^7z8esۜ/G_Ճ_;cpt,>~^2/c YkW-s} N=|xb,1?07i#3 ֍ k7kL!w?bhEcU9qan1lN٦AOKcs4o 9)h[lcbOŚ3`sqº^ ^;ݗOww_4闇ޝ~xyThN?z*zC6"2j7U9+?>XNٸUl<*JG_^{C*tث:=3lҁVӗiexY=5|j5Mu~٘YHtM3Nr_ak+_Cix=/b=_m:K`P|sϏ7oOk?Np/&x_~ttw?;D=t-gSӞ_x1y_LRy==S)EdDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD'rO={"Dy$H#G"D<y$HdKdKdKdKdKdKdKdKdKd DZ| LR$M0RH&Ko&Ko&DDDDDDNAKAKAKAKA?z!P#lxU+ڜH= 83gXFm5QGяV)^q.$Nɽzqu,'56N!eNY FM̉ZXS@rs!]yJ/jm"ƞap^s'|,F尹t7xEQD֏d7G9Vq{p݂0T":E~(z!Ok)U8ZWҬɡeÊ㱔Z5-z9*Uc9*HaIf{P:i0˥yQ)0˥t'&^&CE\?Y1"l_sft,[D[f2jŬƋVόMP17O+c65{M#x{+n6DG {"E|⩬sMF2>n5^8|;M"E|~o7JDlM搬ڝ^XxNc>1wxx2:3kEI{ ZVyr7ZEQߨlΫ'iD옣Y?g/:4v?(egn,~&^glXY> stream x]oF+Ι/fznU+M+j+DIH0861\}VMj:L$Y,I@)t^|^3}_'s4 2gҜѶl$O"%QH"{`,Oȭ 4 },'[%^Ll4" `B"ry=pF NqB@zvT<.&2$G`CE<" h"a%~M\BO9` 6"|#BePpD SGEdtDkbJ-`-Tg15si2}#2}k-9-1.RY˗L;<"Չ{gbCT$!Q !bDeN¬ٺ~oM,DRXa`lM'DLɗ ̒ Bwg}&F u:b|.csDc6jyrs 3&Bn&C8w0Gmn;aLmƱo@p? =#jU2DERAG4H[qtn0[T2 _81RtتcwB*بt(%Q2K&1 5W &{GGr6H/#҃`L;G)yPxןm#I|%zYҶlu;ojZ3#ծEpږ^3"UOǷXσr4/ϖez~<}LUnpU 5KotV觢V^.I^&(#Һ0Ih<֮B'և 0fWMl2uvL_ws㎷;߶xHP#>؈5׶/_ uۜ1Y18 V;]LS Y!j\F79}F_yRʳZu:/s@ϧSBzPφIBW5 u  ŎWq^DεYʮX*na!STAo%ydYc$ #YWr_ 0MYVoY; P±7' υ|c«=nU8`_PiKL 1,u)8 endstream endobj 1942 0 obj << /Type /ObjStm /N 100 /First 1004 /Length 2614 /Filter /FlateDecode >> stream x[ɎWh_X\b# 0cA؀0i -KUjTeV&|@I%"ArKR-IȹꂅZمBNhv5/k3Amπ]dTrAܫup5*M^*);kPr)(%&BGA% P2QԼU5b%ʡԟϩ35WG-8o@P[c(LiZT1t] hTgC 1o3 /ajdSudj3{q9pPz "K(^[g 7~IlA0. էI B}UK%א W!Ĭ)3 4RL:fZZP(P QQPhh i),^CX#(-Y &(isZWk$&JkpF[O]Ӏq`:^ K׍(-z_}]/|Glhf*+a/*$D &]t0.&CK\BfD-.*&"Jœ% 7 =yrwz܇ӷN/>CÏ;}wUCHN߿^q.Q1F)CIFoÓ'"~1߈6|}%Ո^u:Nr,]1p;_mQWJ$8WZL*Wės) lN|)GhKu>އ|i,ծ^|jӘb\7iĔCn;ѱKcpjw}8N|d1aFM^) oVbV:p94Xiى.34YAXqcՁǜÉg[C݇1V!hnv3ipn8^ ͠]_3f׍a'e\"A-1iQ&u>v- '+ ]шPbi Yc4sJkyA*[1v8rCAԹ½ _ix׀}8A:+?zz<(Sj>3W4o|&(wo_ܣpzy>@t4?{{~<w?4h6߼Cm/h` Y'S%d :ZiUVa:%)pZB^j/d^ȼy!B Y,dYȲe!B, Y,d]Ⱥu!Bօ Y.d]Ⱥm!Bl -d[ȶm!Bn -䶐@~W1d#HXsx!i gNwΜ"эP}/Nɱ\>ւZwbd䒰3'[N5U7XeMo.ʪXڱX7x'dv,gYĢ.Y䆥O7ڞ:'d&ٽ8+tzNpz6w "S@2̧jމ3gN7|#$ ӎDҩ[!\eԄD](c*#Z^wRI/ ύM;qw-C嬍"oV2J%nȢf%r,V/@EXNtqc7r8}φ/OI%fjY3|eI DZgm;{έ<~|HܐȘcOf7v]OB| qd:$CX|i1b[ t`mMV |Le l1G5Z|[!*s4vcձKڹc?|c|K|H7H|#e=ٸq OiЍiS<~Gq"r/K}) U=fL< =hsuBLy~<,c6΄~lÃzN!7vTZ.G"yل'*xpBƇ'M 'H^)$@XV!5FAs&V{#D [e)n)YÆ__zι_̆XͫbYVH7f`@P?.LQo zr^OI'9o]Xyhn;7RrǢ>5U7CW=]^&=DC!sJI_rQ9߯. WOB:'/e3?SBXʼΩṈ^.ͩ5oKO,^f<+N!YRF3+ldcMzC p&y7gR/5>v\Ps2ңk }޼uUw:pl3Qgmv[*f.C^4`6,mKmtgcu 4 `=B<6GZrU|yOUZ>NzJ9ӻ :wf>נ.A~KƄlގ yj3#: endstream endobj 2017 0 obj << /Length1 2024 /Length2 13792 /Length3 0 /Length 15021 /Filter /FlateDecode >> stream xڍP.=x``pwww %<];9{kfާսޡ$UQgp0J9ػ22XY,,L,,l W0_bDJ- ? ĝo2 S7;E{`cca3@dPd9])AV֮o41r3:M@7FsS0@t4֮|Lv.LVB 5@ tvZ*dj2&DJ53&́.on@g9@]VXz`ebwyd ` R L S{ M.o ٛߙDUo<sg Wy벤$@@{1s> { ˿psdִ9e%e&B#8YXXX@'ܚ^*qtpXY~}\L݁Wg7*!,@3O71v O>Xm,^>_fU99iQm*NL`dds=wSп_Y{K?پ2vk9hKmj?Cnb<M_QoCrVM@` (:6b`u5}[Q{+ry-T@?rͿv 8T,,KXo@SJڛ;X`l\SggS/ķ#~CַMz=f&{7[q~KgĿΓ,`Y0Kq V`̲Ʈ+AoJƧAf?]zctxr17|ә;ߎ$ؿEgh%i-IKxvps̭ 92rg o2v0r`6PKO:?Y߂ty*Sێ3Z;d\=-ou:c_nv}-@'qi?ئ6ZЃqgBprG;gɹ.[vhp/$͵2ɳaK=\XkjۣqNCѺ""NZP-]rNn<*XwҞuWBwTwq#=}aь6(,0GHOy6w}37J"@w^- 6n| |=<"ḵi*ߩr > qC?>9W0 f+taQtyg9'T$u>!ҖIU9@ɉu ,;zN4D/S4{$JVrs-y Ǡ]%lLH7~m1,y Vp;9Dlj nka&ށ1=_/!>7-0mڌ{fT|ʥQU\|۴ lv BMVڶ`x #g;3r ?D+Nvvp_;n>ڝ1mi-\f[SIoIDMQJ90gj%Gft! wBn)FJ'l4`xdީw$rk.a09=o:*zu\2,gih)5e4k~}&EOУyq3Իq \49xhnϑ 0AT-zҕD,Mn(n_>sdf|c1!Ǚst^KVtA]_/70\1ytw9/Qe*L(JXBT?ؕU5QMѝZ֞zV;j+\<䠚ӦayaVnSi2۰#^0سz<QBt#BiV?rK^g&4 t[xo2ב3 *?jE9Ž"TߵA-v3PL8F`#eOdV+Ч8"],<$|_Kt$T0xS_fͿ0vMØyYG, Bj)MHdEc{ZX!X2">+p67ngedsx^TȮ|Ee5"&bI&7CЫfqPpk萻J]'.-T.4eg"p<<4`թh2^/\2ʃp0JX^0OOx^u B<2[lB{wF*]s|&k(E,9SPRj5.b57R`4'3NnR7v5#v9>è[TDP` $);NP復A ]''VTH][ ,n0MEҾP_y+R(M;R 蕕i TF$vCA&[=9t0bVKkz Dc0 etIG VέCɻDfEcafDTfU3 h2|y,~hb ,BL2^Hۄ-<"BBw&PG27K>A(ĸkxV_\rSYԖW  =H)E<>a6-Qg͉aHy,iϣWD1=RWhY앚4}-Uii>ݤỉPߏ;N tOv+|/'q}k%ڤEt;FJ\ܨ~¹c.t%ƒH:qKyʚ=SGׅrl}dj)ཚ1}wzA10o[!m5҅@Ze]пr}fJ-[<`G)?_enT7Of7LVrcBqP(k)89r)ܲCPtN? +xfGZW)[3vxUO3ͺ-:-?S:s̼KZy8uO1g?2Tޠ# ]ߴÞ po)) 06!ݽ>|~m3PMJ/3) td4XtU+]a)0G +=#*UIuRmT%]+4T)2k2F~dT꽍O/ɭ*jiB S϶"QJ|iHyZ =!۷$Ƅk(_t [d{-&AaT-I8MZŝ72(NZQHzW=bA<".Bѷ.Ä(NK'HR#*ZNsOj ];oIJf줐 [Mks^Ei DPNlZ!Ȫ@d`ߖB6m>i)BXFH_qKE['ܓ6DÊ~rX8d%7%^ml(p]H<<Y(;s\9j]@\{T1z9" "gjHB Ѫ=2s?&'Gl:緙<ȠJ&#ż\ 兄AeT= .$y]Q]Sg{Nn]Mq}ʯD6efV_)C ҫ!ت\?F_b}y3KGlP釷=" p&vll6纼^Uۯg&0~D#cÌl9Ӆ,Yi58kݺ{pcݓr s5aA ![D-x_ _p\EkWm;3ţDYr;O|F1\ee8 ~R"n?ZڈRZ}:f͵RB99FE=>Y2 L4ҡϲ˷`ڒ]?i*0.O$>ҎA05pnk{ TLº@V|l+l'x2X0j a`!D|W"dd>w]m^LKij^ c,˩N9u9RbB]_Map@3_$`s-si4]-O1W{om?5l1K𳉂4((˗+;ӭ[&j 퐔2 3MNk/@lB\ ͔%bYz}[je$sz Emy|Qȿgt6e_FRDOͰ/c2 тetB5Gp4Bݑ -S?3ew]3kyX& S3\X48`q A깈o^R0/C Y>Q*m"CWIK:m Z{)!IDRY-uI'a3G4Q|L8>^A$TAKR Es{݄ijP,iIuau} |'9͊aSe]痳Hq5i= YV_qDW 2L5OeT2c] QacL/gR>զWVy22V!G-7U_rDѕGgr#hӖhTqxP<8qHd˫pOHZxSLncl# A!?\qXj$SiխO vi,[5,- c&䋞HR@NO|p>Z{$9)1ߜ{orWC?3 pLDo`T΍K~cZ䆗ѧkJӃ/Z t6e?˚>eC~88 P S1Y]l1k3"zox'nt"lB" ?\dߏ$FemӳvԢ|i!oAXAYWTP]Ц0ig忧obeD.lFF. dH.s7 f$Ss^&0#]2@Yq cťVE'UOd#K@:RUh:qu|H ZndFPU^8@mcܐLzG/R;bհώmVAnܚ7԰ KM(52y~]y"48oFɧ G3eyn !}gZnɗ v(G1R +ݮo ^P4&"5=]uwrQaJ2h5>\ԥ>CSMT਻-_lJ~d]c5Ccړ{n%TDzyR$3b)!K|c[Dž(wmJ=]$t1m/rvYQ8 Q 32O:ꍠP#Ru|o\6HJ3*07 7歾T/XDaR73%T ]7YS\ Leՙ.߈?Zqi:pvֹbm%a]OW+\IFSQ rz O:S54Q\S4)U>pu00/6U zWQA\fo3,@5 z;9jr;Hn٫gq7/rq} ^ _^vg.=WhT_3PIRէFTagҤ;A8h?/HhݻvUN;L%9[ .:^.1/R} 3L&nO/x6LLuv)LVz1 Gjh,7>E0v?˼b*F< ]S]f;HƽJ.L|"h;軣V[:&?u]. ?~k'rTpZg}Rjm4av8b~-"Xu dr=2l+'n bG6yIʴZ/8ȢG m vXث #jB|J4"I6Zlot#NGJbB$#g:c鑌)&}ʎj4!xI@0t5شX$Cz^q.%#,BJt p u<9ŌF!1Fp TA3g`Ð٣فpg9A]cc!o~W)3̯[nLtUՍ1-RM&5BSVd? !j;lPG~;wG߽g(#-fi5>YvE59vb`*AaX *;6)Zxw9u{$sl=|J?Ɔ3唛ʌzDtw*/r!6ȶb5Y9iSѮf_HȃtZ6ʏ[5OTor}[Ljj{Ӌ%?y͵-=~ ݄=<  G.Md|C"-=@=gLKˤv^(䒩=+7B`>=ty4ڭ}eyI{}˸@{bÂ|]-,xQϯј>BA?(]T=y-c?;:[tD8 OPX aK?j~K' %,^вp b1lb"iUʲ{bBn=eF ѪVh7 ykߧq9 u &`OM#<иSuvrT:.> bΩM%iӭ=j!I}K;Y_=I8cդϔ+UfԇzY 47Z2)q10A<+$6| <8/`x̤/ſW$C  ?mKe #!H,dR`Y]V:t^Y-|z(CbpӉIC>it'/5xEZGl㫚BIZ}! X CyWZ+[+)Aͬ 7:=+<–.{gW9Mؗ>LV)P& t;.s=%%9,E!TwcPjEHe<]BuPHN[׃4)'䴂RPU'`B.ug.iyPin+KjGA;+W_@a-3g9JCwƽby0X&I Rߙ ^K~f~}hcBsDK*e3]͉ʋ/\MP.uhUii(ipH?8>cDF՘N=-e58]W; xK{)*td)zACnQ~ aW-a5a <BB9(^ -%j*w7TVAL SB}|~0̜l#oLn>-@nbpF'pF4[ƩO,o%0>%mrY%\c\qϩh.!TZX?!>ԉ5闳M;8f/ s$~} HW I~p^׾@bmhԼl*6fB4CVWMApXPD y[TXyZفUZ4ܖD6ݻD&G!8,RK g}^pyrģәA؅+iLs=TYnI$MyujYh`oS)$G( S\^j^\N~/k3>’_HW/OUQ?4S;(0;"kµ`7[ٔ}d1*T'W2*BWzD!L uhmF%%lpXD-=7ObE&nLPa#/|[8LB|HH4/al0sXd\44 r;K;09Fz"C8y 9c$jeLs^IpJZrτ j;zO1/7 w{hVlj<ѐZ*T%147A?X#i_ 17J)X|ջBTKFs (<94u'#L$(Lm iɅ(԰7 3ēlӺu~h$K2a:x7ǩӿ8WJ~6Dpd梭aГ*0>djtf*{U&0g""BUzhًWV>wZ_=$h)ߥ\hhQ$ aFIg"xRu7j¢XTT[+D1)֔9"d/mK3EeOӏYjqDT 1`0mF#{6b;)xj/xW68|(rOgY~<1{ C^c!)#%>d Y 8όsݵJ+H&.!zԍŲxH(Z 3])upJ . ߙrc7zE SS+q=1*)el>rL*KBgfd4U,fPVǐS7=_Js,1F97L'Gmh΀R(,P,G ɐYKQJŶS3h1N CXsa_îExf-}la`}xPF+0B\E b:WMyخ/8ꜯNS÷%)4a[*JO{̔4|P3-7 h|m0 *9 )AM+R42_Ao6ҬqT 4'J^UV0MJb }RX]k?.kcaR;BC" :}?9@G[2w0 ]o{JzKJ-j&4nOn\m^ xRUwd[='<oX)M[|20^\kS$ጤsPO~_K>[߱-ؙ_ʲM8E#Y`~PA$4|:]P'Jm"Lu4p:"}hK Eaco cHeQ&)C}q7W{]$tT%1LrE'-ʨoE¶:U<kZczaҞ'5C~lGxLN8^-'~d<ԋ{уe!9dtb\6A!rzzjv+A vRJOiy2P1&A '{ը]IG'tӰ`O)$os_&$V>tW`mM+ ~Z[⯺R߽?|*5 Ujz#cXoB 7m^ J6^l_-p$z ݭMUxy]GjjwqA]9S#RvNU!KJg̦2S%uia!=IA6ywN8p%UAR8g)7Db3֩ut3ݣx 3ÏdX'l9*(w)dž[G2 J *gg,3\ԩ#{Hukz`Ȧn>D],mڋ`}9q8#J|EQC' >:52ܻo"AƏԗūXͧ^ pkMGr2@>Vd4L HwsI9$Y'h*QK gŽG)sʮ~ >Z2:>oTqN}2B=WvLj Ye 6R13#',baDI:LȚGw=%m&hwEmro 2ZVa'.FAefaN丰fAWOh'3S6>36>QZ-W(6I@Ny<+QlhEƁʳ؀yf Žb^)7{ iC.""lԌ۸ŔLbC5I`m%{zv,K?ek\MNX̫w:2չ!4I_sGqOP9IT!Tt}ۇTiEвIosdcb{4cka]s$K85wDY3_oz'TDJVz7]Di 4`Dw%Կ9}Q p1Ok܁} \ۍlF`oqΨ\T9^%~cHr4{.9l"ox5]Mu\ l0!pz~?| jQt΀dbN #fi!|ݝȶdJ8= /W5֡"z}/0qw&ݣ 5hH[}__!Q\V dmdqajqP 3tՌBH(KnN'OM"6K/z\%VoH8BC :I)0M;t]dz\ziҫ붴[ ?\=!k PkbGUtKd=ț[>JNu3T^ٝ7'Z,$\*O ]WD8 HWJ3LȐC=Az~(lKء%}Ƽ 'N-uW廅(uO GS=r`yn?ZeI{AlÊN%QE I_Kʋo\OX7 0[> 7N}z „;I[ h$i- ^5oG`OVoWSgtL+7,u,ObvphOr y%ɢ:'i8$H)N oYVy endstream endobj 2019 0 obj << /Length1 2366 /Length2 17468 /Length3 0 /Length 18855 /Filter /FlateDecode >> stream xڌT CqZ!@p NwעEJqw>}߷ֽ+k%yƞyg_BM,ndvrtcfgaH*Is8Y85mA#Sk6Nn bwsyyll1t 6%#ZlceW9=_qPY @{ B Y9 zzz\YV"LO7k:Y* t4dj 'K7O mAwG ah)TA+mws, o8hn tqX؃*Ҋ,n^nL_@{W'?hc4+u @Z\ T\6n,6WH;ZH:98\O 2ݛ߇kdihaWάZ6. 9@DdV 77/?y[E /1_g'g% %  *!,lf +G?!br`/dl2aNuĬ2:*z.J '//37'foUͿ`+h;]Hǿg BXN !79ߔuoFm:{2n-Pr5NW'삸h*mPq3{\kh6 U'W3;Ar}Bf_*dy򽣹_[@od6(qps|!hXY .HqK'0_' `K7JAV?*XX v0AV?*A aW ]忈®A ` Z]A>"~Hf?biA,!:s'{GZX6 0r'1t' $H?bn;_;bbi!M֠VBm?tO(n#dT?jHԐ`ΐ=O-O۸ t9Nr;Ai?p@h7rcqP Xݬ$o7O8@i? $M0d)sw0En! y釓`m]XWqbO Ytzf%p:B }MvFtB;>c?vvkxP*f?iQP1"2`{a]bM'0",_爽UPklWb?Us|DgKR"@Z%ɍQ` 8sMj{.zҙgv"dWgdfHjbGu.ڸԟ ۷9m -8ndKNkkZc6~9S؇9CenjÝԛ|B6CgKE,0ؔ`_'Y_a@Bэ.Xֆ=뤅J>A<bM`-tg>Q9c'OQ\Ǩyg1  2Fֶs}ơZJ֖gIΘYVHunA=-li*t-9rTώPE~L̢*݃9XG`ncЖ7:J8g׏b}lwoߎ'i iQ66-p^PjA5g!0ec#YQct\w)PD]_;GU= h"ۘ`TMg\ȒC͝Db'4'3#W=jLkq0e5HLAM7XafA3҉EqRDO W\a>(-X\:}=/!,/x.h 'JA] ](0{#~y}/0"ABY@BS` L=G }}V52W)h̼8!:[PڧL!7ʭ%\pz=抮4 <&wcDu"pо*ٜ*Z^ZJϱA%;aNW6%݌}B ;VY3\GGxJexPY ҞCg nX߁ T9A.,4}׈Æ1&ha'qVDrhBf.9~2y7696h5hESIE3FU>}T'1SsZ0Zum&7F`DuT$ L"y.Җ)ds&k0-eZ㼴tMgYӿ߸eW+Sm@f?m1 ZUbtPhkdXa (|I-d"<ļNJ"/D" #vk G]kTxBs@+n8Wo{eyo^?ly4j ȃƚ17*bG 85}\}{3޵#ꡛ8%5oGBzajV7RUҀIzJ=lY#.\+̳h}Mqμ>1%c9xdT&QNo[^<ݯ@([C؏()%f-Ik2+Y[rCSyphx,sdHܦY.P3T>򊿼IlsIHhNL)È>Ņ˫Љo|/Y4~@ ˽G,l <T\+}Ct/7X&QǶpSgNq'h޿ww/h|/=  ]Z[7Pζl[ʡ:ːh~iCͼS/+zQ 6+ W Ǎ:ۣ]g+:ԛ&CjVEmA;/lED30 TlLS.w}E:_Ke/O @ҩGq߅1 (½pn=d\|~JFz7:Hۤ3n@ h7WЙ< }S=Qx$ izaU ^":'y7K.[[Ǽ7}#ثdmH%ʍDS5_q`˔boT%]/Vʱb$v|\=j*s*p͊[|hO#OW(? WR/eٱr5E~)1HL@&X{[M$jDR"/G2):o-:r߻]+z(pt|N_y_MӠ@v@_Uiy~=?wɛk?혩乣+7}WrIA>"7:Z%{d| >j"KdSAWEH^Xs:D稀i8d\.nz:̶vQԪZW9M`5>Wf_CҿUO>)G}k&B=DKc='~Qka}Ngx.G `?3QmiJ$bezC$#s.Iצ25ުY4 0"/2I$jJR旳j,mJq>=-Y·;d"-plkr~NU K~y5_,nJ>ҳPT}k12M>Qΐ.Գ{L(`"cR&R2"2L0#pXN׀ 32 毰n%,r육FQZJt*S^M9S|eУdwr֕j0)(:ѾR`C3OӦRE"I)y;U-Gw:R~#:23ief6RqlA1湪d:д8W6G2Lpu '9:`4E;Y N*qBnҫ蒐2*|ThCL/ 걁$mxrQaz'gqM ,h"J8G`/0_cwLyXRL\S#vG '͉ EnDy i(lb<@̥͝Yg" (. l5u˓ W.6x/!W_LrAo#PTB5V{o.\ 쯮?z6H6T㥜,'G}iBuks(yF޽Bh뽴c^݃+2/2:8+#/tZwQ&=zt°^BCsgihΰJ;^Ƚ>pMJUnbA̟H$Yԅz kCE#c)Z1xۗQe.EG(pe# 9vy]q%,5?,pc t(/[ 8$6E8`H4Q'nFC[%qΏgnwEn{>7(A"@]`;t8Xߍ^a#vT|5Ԫ>V(sj"S-P]ݶa*(*o_/3~dRyw tuWUj6ZS[$|[0w~eӺ+Mz8ەj`CmHbmZND, uq[ɳ_ hF.UTHװG5y28 Ť5.!jxi,2b=əmEX(|YNiV@`暉{ E]2--McެDGc[J`GQEod-*<ۿ&+k<~yuKN'b!0ry2mkj 6ȶ'x겋%oSpC-Wu,ڂfhj\!x{5MG hAݼ~$tlLXtK;l` + [ cueX^odӜf^o,~s 6Ɇ0Iܖ ǞK{x,[#tb",5,"֐>QW6meOhfF,|Ŝ:[.HwafIq.<=n? QTK*܍`=|3v e{v>q:2!}$rB]xl hTYT=lBYY%*X3\%թd Wߓ T|wC~Hgl<[lI2y7LsE-;\n2PM}c,fmRZ=C7RW0P& ]]xwil$^]kb }J?rf5hWZ qkFZ {ac~s pn՗ i̊&"#3,Avd͋TIlʹOL y_*U{_ߥfiIY{ ׶brlUr]rդpbAi9zL`ş?2&Gfvxz/]*4fbr4/ 8v;xYG/~MB ǚĞ hgM]Pp}gI+n@>=ᎾZӣ3,Wo#aܭ.[O}-EKmԜ5`&ˬVv۠e2$ oy)g Q7\qXQ7#%&=F%n$[-+Ra qd-?h\k Xb~a`4v*Ko44@"ӓ!U'mv)^J];< jL쵗:pV8ګLmTe[[a>2NrC[9cHo`*  |xǖ"?ula-ЊfEIKm.4aUǪd\ʌn8'h`wUwt{I5_h\ ,1B"p$4X8u*ޚ8)CPt~"@=|v 4ޞB!jOzѨ ! |`mԦ_ólN:}G5crx\;׀/>͞ڰ}}aDcGms>% o?r۵£<̱gOIDCCC}5.\Ȃ$wP:> 7X]i,(/_ǷVk[Ԫ\1wQz^=-;~&v$b1CNK8\?3h1SBuzԖc.1Z6+0%`uO%`qG}rUVsΝ1-n ćуOt2Ա*tJlT'C IpJL)rՀ[+YXWᛰh ͻREAs|'A<{BWt ˶tr_l1/vcիJ'Uyĺ< Z d (]БEB4y"ϣ><떞|]WVO6{'nS(/LS =% 5aߚϜĖ= fJ FsvVWkTqfAZf X2zm/Ξ: DQSv8{CRWH(;[VJ]oe;x?I8qS!KYc1v r 5d_?aň##l-.]8BAj@&/x[*8Š˙RajV};hgN .f"JNӁW-{&:Zk6 ~[ Ⴉ5з׌Kvz57%O80tObf_i!]HP!P.<0P ,Yln*%  _+bٗP[RВu1>r{ z`:k]6977T6W̏~_| # u:46s(=pZV5C4M)HqDzW:$f?T$.*;:WWNT')2_l #K)^ YK7z>,]z5"#G'1~VN6]FpK(j^i!)N+ym3$Q{.Ǩ{j(|z2Uf7Ψ[y{sC TZ sI|J4IMWX4ZWb#/v7 j\/J*%i쮱+sF;]F[^ZOB5fx%Z\ۙ>cZuXsdיȕZodCŦ')DlǢ<0NUt_i4Wj}zGeԇj%LcTגo y-NV^qAf>JM)ůAd]a6]~ˣn}Wr1̏7Pz)igTmaf+&e^Bsɚv9MGjjLRP&1aKy'CLپYSP.ofgvWa#Cu_a5"YHUzo`Sn 6Q}A.b o:5Ur)^~%.\1v||eT q`.)D24Պ5e"<ǟ[3mcqm+W7,6!6jtǴx5اFIB'o1꽸O28둥97/ "L?͟iBi%zC+W[t~h lB3-m'Brcn0d]~745-Rl}H`4TY]йswa&]IӁHS8_nm<1=ْĻӞHR&9JY\i/\;~Y2.T-ؑ-'(169b~Z^KG{'ZptڠXlnwВI's֝̄nT)#di^I1yiKsU;T]ObiYW=?Ja{g!Yakʿ V>'e`.uy>J(. rW>C;qlN q`4&e,4q(Tg4?.//C@sޣ,_m춅S_jwui.ӈ BL֒X1I-XxwKy8.A'Ağt5#h]IĵLL6Y6ՒQ@uqHd95"ox\p| B&FMLeݹa =e{쁴E_ؕFIz(%|A;e!!5чJJ;nbgilw%0oDjh\An |@C*b㑚UA`vnצ9stHv߆&,#|D*~l׽~4,F3<[%t`7@W ;k ِ`HGK\Y'PQ>J#&Iښ=R4^1g>[OkIk;_ cWE_ N(|?O0CBt)T|֯jOxA꺙I:@#1tVp7D׀3lTLɂ; ϱ VaCpiǎv˒ ?*}Pi N6ľ)˒:-8)GmB 2]zĺlNK&lUJڳȏ]G bwA|1xq\wj;y6˗ =~X(o/[;VV R]{ ;Q^ņ%Ng:,Q AUZ5Xw͈6~D ,T] ͟">q\(D?CX, .)㐚LjCT(N'0hӨ>W0Ey f`bN.K~0Dl~! y#1Ouu|T#DkGq:oa*TpDcI/[ZtFjX1^ xl^Q ߬az01eAkYZHlKa} 5HAUy\`A6'W+{~+c3"Yix<ˎ$m=Ii$AeéGе y2wςOh4'̼unsS^ߓ|ZjX?]|b0N_'*q0LFM^\I)uE(Q%IS#uV,DOWnDE d+gHyt)>;~;TkXa"muEi~URϷtq%X%:mCPWIMiFé%#&*+po*[7]Ff4naqVT9GuV ',gg= A筢6ַKwL"ł=uYDv.FX1n(Os&?%VS3M?Fn'9TybwjQo;bp$ߧ3џu`_hЩNlB{%`j/9[=wQYj-9ȐӑZë;xPyBAn.T{hgFR^tRIq{ibO(<~E\w`T7nF*WSi[9J»o,B5ÙY\Ԙp*)u;šQzcxvdZ7#k|dF%6R]qҴԮ[-a;g[r$*a 8`rj4V@+DNS]6]V| ӼԪt&#hTLucp0ZD&p U,ל|c5RYpJYY^wyp[zkGNfr!U1}ˊաgHZSB=>86TZ )]7r8ttMy=z7,~4z9|?? K+*j4h`9[.e6?uƋAϸ̾BQw9GKXbcOW}4Eri|;q6y `~C|1m-M'V-P)@of]u{q=Iύ pٱHi0-}=*qF؍,fajA|GΡ]-y;l9T/f :ge$/`\!$._]eI٬ޛ5΋#oyNl f$N[qE͜ #o=Fḫѻ0ǟ~Ni 3<'^9ÊZCE˵@g;=?mI`Ll p|ѵN+1,[eዋx^Qmd&Tcv 戮 !L#Fi0xpFauxV* $<9`sHc:*[U}rQux{ <|{ERZP(?iLӺգdbAM_!IhN/qB+b8qov ?&bÍFOGFy2=1 {G, %߈Vݖmj2.t9?[)-Cؘ-߼,0X>-nxoMʈD8?Z"B#x,q\Q Pd]܉ʼTr5tn| ~ܘlgYeMч.ݓeu4fkQutdtZхx0' >H~KS"]x?^7\z~vZ/K9;X_$huS -#+dvzPC.cjˁKXYv*^OG>1 .4XXNxU+ \T%^6_8G)G;JOm-0+λ862F+xwޱ>Uڟg׋3"HS=GgxBOB -f3vKAޏ}QA!R_>~֛QwEA%_j$a)v;PH^(2b+bZt ?Lf#͵rPۈT&Vw&lu)Ǹ(5Q{sDRBeHe._u ZT,_v#)%rn7٤=*fݵn@_%F]GZGQ(ynF (~KP4%/nԟD0]@痄,͐ XK?SϷy4 Lkw=X*3[bZ,y%`GebŜ\(ܮ̄&&fT1X3Ooh B Rprhxo=f}oqz^/lj ĝM˽NOmOo&&S=_[OQ> stream xڍTk6LwR#% % *5C  ) ҍtxy9k}ߚfkk׽^ ?-0SeZuʩONJZ#зܫQ`wy4& &zM|~' JFNq>X+ [I@[s{6yhw-)*fvv<52aҕz⚦/׃y@r큠بVHj]nw?2vleѿl7=<1(X ne@K֐qk BXo=JCĉ|f\$ݺj݋ "E{s{ymt+.A/Yv5F(qIPFatPݘ%hl}iEf0P LK>*OAgXUFkvAi˗&z]vou"x8(oSI9y-;gg*=18[jx/jşWH<+ ¹zFh˾0%5(̋@{bɽWg!VlQ%a |z'm v`z3dplvdB&6EިKN9cf)y[ Zc~)~6ى7h):X|yW$!`nN/gfvbE/.Ҽ u&-M%nopNrc(//do'X"[U΄Q#2 D]iJP s'A~fKȲd4ONY;YG:p7yo[ ~lSw)Q6j|tY^Ǚ'JS ,M ?>!@c(W0;t/`yiҳS ȿ?S@ef#s1o2U \52?{P^K(xN|3<탛|){lqD r/.zT n#%ǃ\ʹԭ^̯q(axbHPC7o7"P[Pw(h2_MAHt??ˮHEzH=>wHF4(PͰcMvʩʘ.D{ m~ _ĩB; fPIW[z,x{yP=Oě"M2'iE a%?{u@憋ԾCsV_}U oRfO7;_Ltp2@p'^GwF; T2ZHr=aծ!ʰG5_zJV?AKvULϒ(@{OSzl|NʋX["fKAj㙣8u(>rξ-nddZQ~2zЦ_;t|ޒi⛇g$?xAƃ'0 VRo|N s8䇳S̽ILD3֙ rH.&c¶h Mw`2{?Ma6OmLnG!ERۙm6f(Dܹѹw\(Y{v z _9Au.։u3Ǝ X5+% .0HN n;}6_@`n+-pGΒ?G'+*3ʎ<Ī~7ly:yd42 CO:kF5MJKB~4|fR÷/4%^QT^LC!{64b8?-Ss­}dk󰢼$˦à@ jU)'0c)^'WG]g\cC`,XlnMl(] YL[Ϙ4s80X|C>N%{t^[(J$QٜV;)Zy6?huX"=0GXɊF4I% ZyRV;5?8E.+[ 62.0{PndHέ#%Z25raHvqC!nO-[V#QWcINvUxv?ͅ<鏳 MJXY^K<܇PHH망FCKL;Og"Iue`Q P0xB7TYXN2æ@di8cw+=Spy*}rHڙ1X#od~gj٣KV^?8$Ћ%lSMFUHXv*kgN2$K?tiMny-m;ztk ٳZȥU?7EO.rgn27`*\Qۭy.Zd]̺p<"7˂WbVb 뎜h]U`Ҭ/6aJ&T1᳆neu4;곯129+Uo̓g8|HӀPgn&kiJ;MS?$5ӽWv')JRq:nċr:cʙes2 zv48ݙ4~yP_/ 3PBIhXT'.)+5hh%El/݇MխU R+QYI"Ycd e'[U>%x/oA㞳-aiSΞYu5S6`P z~U{~%گWi$c=xM}tvk~՚C1-#ANKV_ոۯ IyC${oR9>*lwJX侜nrblC&7{I˾/n)~'JDi|Ǵ~VG֧1[\q&f 4oK")#o52NT0Cq+/!gpg'kVqR#3@|R-*ӥ „ƪ)>tlK._Iɚh5-s3Efw $7)ҾÔ+ĜfQ]b;r5qdV$C$a~Fys)8ہhXdo Kqg#U6_&.>>DJ3߀ˆT.@,di,r1~ 0}QsmcJBӿ9Hv@2Y):ٺθX?݊1W[8Ƶ(o=/˴Q.6(ڡkUCwqja+_R.3 zgtsقD\զh\ixgm |y5ZCxc4nWڞxv!_ V_upUY`afy eQ]>}6YXs([&z)c[ e8@Y߫7}I65٪\5uEYS 9-d@1w~xY.=;}UЯ W^0…Z2tW W,3X}Ԛ%u߸>s-((wvF4.W! 5Ci5=<=~Ɯ5Q *kL "X0RTk[;0C镵 %>iMڼ/WzN(uxOWCD(7 V"ڤ,?uS"Bpߏ-W3]gVJi"~r]IW Ph m޸32t`_U&D`q 牜H J$)J369r5]#fL-RHp~g -Vvn 7,ĐILv(pAu7iQJ5{?y+KUAE0H7fGɭ,W6gsp }c<{h"/9h{~H/EaVJը \aTQiBʲ@Knq$ZKJj_/V>8\MTddG]Dg!%&b6[si:'ZJߌFͳx25N/ Uĝ囮(~QI4tշr5MsA1F$ ݆MutWǖ9 g Ef\YbOa߽6:g+$il.jHfZدXm,4i2 ^;,/4d(E= G?WbLB` ~4\xC˭/5/Rx\X6/*r*LSck1zՄ mGw)5 -iMݬ;c=A佹#xܐH5%h˴tMqOpewJv\#{S/4T6\DH&{UDq>\ !ȕT> $LCGS'n^g]Neϳr3Xc>#f,9x Ux:裯<i x\V|X)'|T"c@"-"Uj#$ D ŵ|O.iˇmgK}~j'$Cz EĈ˅cEl biQ]d7BdC%ox{6⵾L~X=MKcDu}C\U6Ar*yY[d+۞ah??L 8$P>vuG"qKfE0o|xz3^< dՍ p讟dȾ og>{qk,$ljҤ bУ[톺v Q߂8I+y}%냀+E;DViVXP֑ Ag{F@~+a t]Ac vfڎnon~LGx(ž?1ϑ^??Kc̗u1m~'~,qj}GQypIu?WAldF2C`xiyiӰ:ip1oBPٰ1QHOX('F%H~RX0AJ6G{P,> }Knpf^QRVP FaBH n5iS1 ~.T݁+ME!n%Q_ JaHiId2RNd,QǓ4IkGc3R*^!k +O0?.Pn4ƧDgWW\D+T@ 4(ʨm0]yɿ>iI|@^ዾ.ønذ١Z1j#[Y]wuӮT|u{~19!l;fCV_=p}usŅwZި7I[PP=< |2NU!>f:m" t*UXJߤJ;@8fG:lbm,WiWl$qX=Hs[oS~8_ľP[ p`|H6CXy}D |Ah6ԯ!0D(U2vRI F/Ԯhxd.-*jT꧔3 4lHu>'8!6ªYtn谕6g`[0 #X:!gظ'dTӾmX>j?űCDr]UJ=q 2/K*ZH]w<<'CC|M6 =>B0R0v$.zGH$}>Z+e\)*a;ֺHȦw8W\;%Z/J'%joů(WŠLۢZN ĕ?ϓ|/Cy}RzjH#X~яj5FA՗Y_|MgV (XXhBb(ZP'32Z<)K'k͛AÍw8d#uӨl l`PDZ?[s&&9*C"ߨ'#ԉ~\x\ }R/ < a/f~7N8o03g>m^-YM?ʹ.zz5qXeu a.R*8Lh.pȌS.H2MS W 1\LyvZx.G. [|h3 Y1}^2[ӌč?̌wR:v">˛pY;ϭ 䓲{TJ<4˅Cճ䆋йD4ʣk<$p*ƽvuwF15Q!6-9*)#dXJ3:3mzK:v!oTŨqY4Wt0X: 9G7k1-x]~$gU SO_#&yAHgENbatG[)I!|RQ w݋m툨Y ps#Spvx 9ԕ-.5ݠuV+&\nZhp`d`hjܡRZ2Hӽ5- /XI$Ky$ TzC5G-/zx2쉂\'_&$KJTwOk 'i'ȾuNmvO^m e,}pp0;<;\W=u^w&^Z|6h*I6D=|ޛqU߲u.aveӫ)z9zʞ$޴r>n8oyl! g hמ y:4Xyx7<13-7Itkc.e;SlY2w9G:8RF[o q[QVp an^M>r#I;@MyWP5?FeMu '@qi2+deX)*ܳ9ВR?ƚTdpַ=M-{@gr q uVON ;ުѻ~$8њ \pcK=Q3b{q@ Gohf?w|ask 3j2#jí*ӞЍވ+`=չb 6Ut2X2~P(5.!y[tw7BpWߕWQϣWOnR#?T?7=?yo=C_*ZxҟVn\*-5W=<gn"=uOVGK@؇2oBFQ>#hA~Viw!zeQ<ᆧ8_ỐLNy6g 5߈4Цm4C|ra< nVILdW*$LCD]\N3mrQ bYgn{tGYlj_s-D>gP%VKt^-X\HZmʴ%AX.q! wy+Jm"O{4= a5^~lO`"KNJC9q+n12ImlAgC*¬cw endstream endobj 2023 0 obj << /Length1 1398 /Length2 5888 /Length3 0 /Length 6843 /Filter /FlateDecode >> stream xڍuT6("LABa0$[mlAD@;%$DAB:D3~{}?};NV=C~E(FAB a0mp>aH4J!c``ަ hPĥABB@a!!h4P삄h ༏vt ߏ@.7$%%+ !`PC!`{!K9J h \!0,  ;&!C-{$CQP4T:PZ|? ODHԯ`0vpܑ(8ij p|@0 Ǣ`0lj TU qX,猂?YvppXvEy}E?ǀ:; N0u? ń$%D$Ł0' Y ivǀy#ma'00o Hh#Q0g1H7~ , QXPMOQȔq*)݀" $$,?x;bQh|~w.HG!'A rt !1! _!7dwloH{?x," -*;j\?3Hs4~egZk4v/DiўvI f&YwT<kGjDY icx G_ + Ʀm1gj 0DxQt_Tո8(/AZ(iF5,]= 'u%/ &5 d Uy6FOl2:T -_ܛ 7"BPpgt<xGBeRIGЕnlx%l_lq Շ_Yoz.Z\f@n"1b+;4Ij!#] .te& <2?ċB\ITj#$>嗚 7 4U[\ݦROi͌%ZzZT9u+^Br4)O=_?LfԢ]c#UF f}d?f|/s/sU{@Rcs+aU:h;\,iX RRl%ux1d"%qMꒆ|KYff$e7Qk.a+;z TL;߮QVz<D,2N|Ns=:l4`Pxo-Wb.;hi+> ?ɅŶSp.wnCe`aPJ^!M$S|{1K gwY2\ =̀|0Be= ~BFǤY 0GFBџŖLUT}N^4\aAT|~40l3ЗNe n]/a& ,^/+z`[,;_`Dy鲅]sp'JUfԂ)Ʊ'oP^&!`#qNOMUyI+PNqahN23Agc߭]'>)ҧ:Msͣc`D%Lu%K:Z$nD N=^$cUE ^q6Ǝ]9k-! >iV@ے U9](WR(o|@"Δ9K̼k7׾L8>׏ayi0Bڍ OEgKׁTS$< .~us%Ucݝ1Uѵ_t J,j ]⃒p7j]@bpTEFN_t$` gaI 7r׍0oܸeaA5YyPA})~iw6s|_+3<||/Z. !3td#d=?pKTXX-G5L7vp*rP٩NY ┪ůjvONF)_p!*&|Ua\[QV oτE\xAGrUvB=t+bŭHvDfhc_,!B=e>dj?nWɻ\ZKk"g%w f[0^ň|Su_? (51zkEWa|f m-8R JڴR3áDb[.ʖE?hkoAXc\fV^,Ztm^qMY{籨|# $ *߭SR3a20Oh{n7}ѨD$q$)Ԃ;G/9 Rڻ^ *}<9[fsL^`-iwmf,'<@{ +VvF,(*Cdg),VcW 8>S) Gp`VO*>&%Omot g_ra:#2"Ɨ 97cKTܣqa^={rÛ iPJ6F[Zիb&WU=B}k--_= .HF,`ZzWMWK'bV[IK_ica9 ,Jh~$3^Õh֧}RY(3q]Laբ0:wR]@g Dŭ37AZhx*l?T "Q\]|!hΖkAҍM$C$Q>A%~bvs#>bR_7T̿xEǾ6 tk@Ԉ1:cm$i9MU}-@3?nx{W8M H4, CY<V('^u}gw2MlT>8=z]0lFڒZR)-gB(V6ne-1NL{c#lc^ ogeծ~Й;d<ܩfp/#°y=܇Krɝe#cMZ_)GbNrZxYr@zNM_L*o\/iPa T+L,iNUuz6~ ,כX_*YU-\&,X9u{ՋYta)L|@!v3~4Y];-=TLڿ ȭ~)&{%m}܄4dTs*˶A[B=ǯ$ AONwew\rm_v?=yyU?3o$jHI6#d4d]+$?R}Oе`; ԓNp)},츅UG߃NiN3TW$]5Yjcij|ahZ蟅9 lH&n&H } MxHzRk^i>p?qu y*~=/Uѻ2_R˘aG쬶MF6/OnK?}" Q|NeiG4OپASUxtI^¶5fh"s7*=|fJ AȸJ(/BOrgh 55ɌjބI>e,<60)_aU.K/v=PX1,42z3>o$@*~K7}2SxP8ý5ɝmh1>mǫܖ_gy$Y_o(hJ/ȼ=ʢ S ^Y(N6oY~qZZ+"׊ ;"]Pn)lP֒I6djgǼ`̜Yߒ9e!17 xA?PU+ٍDv/G?߰?_j_율u++<3 ϕ-'2ᡟE/ʌTD3mc* &|T-Hyt(u1 6~LnY!O$q׹Z}ngydjDLK~dK$ߘݙP +sXIL|9*_ttV5> stream xڍtT. C "0twH0  13C HKJ*tt#t ){׺wZ|{gww?+g (a(^>@AKKM $P#䯛@B0P@@@(O0#@@ PB@TEP H'jkW ..w:@ A0eqœ9`(\v(?; GJs?CQv$ r``EmP q8B jgX]oBPd wr<0[ QCy@0_@# + w xH0B!FUsJ0kBO1g0;aYՙuq)`\$BP0x7t rc&r;l0C@|6E" Q+-F7揍Y>0b'C/k8?S4P3cp8WPD1/>, m\5 ]=e n?i1r3ysw⿪X )::sa/ZWFZp` }Z-5鿣j(F r0[ yP2b Ep0. qd 1!1jC^/?Pֿ'(B @$c,F(L 3 f13f7p_~"Ss @< ` 8Q}EPI;ڐ$^҉ P3"T҈r~zڌFt3my^J*O#^f [f#xcF :' L]Xw#nXvsPx߫蘊wSUnnn-KӤe7Yy5XAw/s):p5,,Q;UC$νRO_eݶu}(JG„Fs/2?mPyYܒݶ*\N8>Cnw̨$T{';[=l(@!0"QJ?`u2/X^HC բ#f".o ywU\ @4eڟvASe|[)\'F3wbqdNF}֠5,(#NUl`vk,mьH0Zݻ_0+>ʬN@Pف'ooRWHͲhE'B yߘk붲jrճ8Lo6e7:=)hrhԧ'0, 7͔aqݶQ.:2*H%A yoEVd+xEG Ive lyEis蒥ƍ8D'nLv>9QPFF}BI =`b[U|(?LJP=TtM )0y y7{KjnyzCPfEg NC )vFϕQ;݅[ =M ԛN9vy"V`̖#,Z&8E}冷QO -VE\ȮX{8ͪ7MSgtǡd (5&twmx X'+JɣC dY;ƹm@F!7 wy)Fy~ d!$gdNZXPW܏؞BLƷSy:Dvjqc/I/}D`wֱc$;=X7\]8%At| >;5m Q??-z+}R*^pzmx̳!xEVm2ӊR5hZ`]0C8BXKwSP=ͣ6BROLVYEnkD z>rLIsTKX i|OXIz&lCڷgXOʂg'[CCs& w?aIܧ  WEM:&49R#;~WI8aF J*סsncij?UKCJn;.ѭ wga˕Yw.${enj+ɣgnMȖ 76\*=*Aky_cKӟG|#p*GpiK/pIB6˾&g7q1 ̗~z\| ;$.ĵ2TXl+Tk6K ʉظI#P7m\~ycOLmAߢ=>*˝'![0@OS@yLgJ^uBt|P_=BM6ơ:FO{%sQ1݋1U3׃C]%yTR~S˩|بjEwߜxA"FNXJU,)1s9 K( cdBMo[U &6,?PqkhpnuWo62m0z0Et(8MfK75sY |{P+ڴƂNu &՗v Ui27qd{s/^W 侲O,jgaLX~)2e$`yL;oX/*ŦnZT,_"F[|8W&4DIa3Sz.4nr2cx'oٝ¿r<:q+.h$8*T7؜|+R<_ 00oĮ?*-zvSmȃ1^tStw"V?H_ϔs_ &?YSL 9ڇ;RP)39 JH&l7_y_=tK -Ȓ,u~kpShRWk5!)Fm_pʩmTHX]oQ(`ŝl?I~ H/LY 0͓OC}d D4M/jֲv씮bblsy`/hWT~W_~0o"K㳮qx3Ch5_k_+sjWЂ|~^FkdnB˝x\|m goWLHf(Q!X2rqjZAߧrM~91"XZ)"'즶(Ir.P9 .6M?%G"[!VɕҒHNow oR_@7|xj(AٔyZbE ._:tϯc/r+/m6ﬕ)[rShwXWKr*wraƛ(USYʟRg0Pe~꿀JGtb7 ˞X1y&pMO6txɄtͶ\ȥ$i48Nja7gURՇލ7qO<ˎ,f(rc`\6|i86`>r%XU0$r| ]Jeq;M6%ړe$ 5'R~%gxiT4b޴?aG\DGpVȉ@ݧxͥ^O"H$g@K3aO}DL=|OA/5*wv?JToD~2Y" N{Ps7>̹JPַ7Ӊt-B`3/NAv⁧9=?{KPe|sL3rwz(\ >'˖O+JÜ 6 .'v䰐*Ԫ͓Koݸ=revy>.$|N2r!"b~JGJtcD]0@z <7+SOX-۴өbuz[M]I&$O.NGQem㸻b>L7JV%kqT.p|׹J4tfI-i|Л J?'`U+5ܥ2(#Oqeͥ9i7ȑ&CN}Q;cj.g"Vj-eUNok@] o<țY㼏-xɾzBh0[XA7ND_Bv5> |{1H$)QKkZ2u60ҽ#?Sh-`KYTQ@݃z>/Te J6JuUR_])Үb;ùC׻[Gb܊3]nGo9 Tw4hUAF깞;džKYjYf5o"AVΟ%/FU%W$\7Fs/W{sܨ/i$p˖&N~ee/և5_(6t%Ӝ WUzMq:w4qFf_p"9ұRVh5/霃I9UMu1}JOT^#LOi KiPex Ċ'3:Ӟfj˭^L!ŏ'kwؽ6d-e&߭DjiUR$R}.C*V&#»'ϻj?NbZ2&(3炟z+G)QDf󺈓PM?=pYvGW~Dbloe(Qg"CVVɖK0]k+M|*_i)f4ljPF6Z Od9bB]b[fx23JtI3&ckIq.=ot3z\7~0-sޘiBfp.LMa+i}4> stream xڌP]Y.--Kp  8A[nACp'5{Sǔ$UVc1s0J:ػ02TYY,,L,,lV.@'g+{? Ĝ. N j `errXXxg7v2(0dbNV.4{ИXyyrL .@;PFSc[?!h,]\ݙ휙,hV.U3 h]0@weLuK+j.N@H`ke wyڛ5y#oc o`ne (I3x0~:;݌lM@17HAS3uYLh𛟸vO'kcn073]#{W?& «daae̿ë{:R*vtpZA݀'W"VV hae$Aw豀vߧw2s|5k J:ZWNT`dd^2nЃ(_{slAmcA o,E4Kb aQߖtKMGmlgehi]]@@t C4rZcAVΒV@3e+S˿oSfkeTvp}A?:2]ΠK7u0}8NNƞ!'t̀-1 0wpB=Q.No߈ ,b,x"n+b0K"6+b0˼"+q{E .E("+eW}Ej]k"PvWʮ@ٵ_(ο]E .Πݲry53yE֙8A/#sW9Կ PvW49A9LlA;/߆c6{l fV@'3~55 :\]AvsW1rV79CWR朿\2Y6hHP@Pl^At1Q9bf~ rf2ٻڙ_-`EA1bW5(#n `GHsh#W_ֿ[43O^vWS1 rrYw9'(_ӂ^M.N?Gw?@1\IARj+9P$/ߩs:F t9zMLCkCnE NSJe^tjwGM ZwIz-As%D}\ޒh:aaoPk/FLC'2%Vh v ~j۵ws4%ީ/dÀuWoZnj}KhJ'a̗I]2 ѩ|ðm*t.zϺU¢ >Bx™sLccm]K0ɷ(9l;; ؑ4:kMe.)z+[$IYv J \PSb]mOGOSRy*v(sH'pjr>.%13GK=WPf# aAFxAEb^u)憉A Ԝ<%Hf.Bp'Ls?Wz tPKCD4k&fe)xh=;k[Z<[ Y8|;g;p$Z/CYuReVl +IΕᣆG:iikO\g?SbJ--Jnz72-է_vMY։/d>|sZMӿ@8}z?O29[}JGiE w!9o1]Qvb"e(9n6%iʹJ.e ۇ/MI8z3~|8 siZhτ Ȟ; /\57.9$pJy`$ ۦ ROzv_^Zc$amɺd*P qZ{P+jVx ykŧM؅eLPPEzcښh8TrՕ_܂sC KNIMI!1Fp7@xCas.v|uecI/ 2'Ĩ`7Eh)n^ yg$ M{[.OpY8I 9ʣJDDp’צlou~Q/i-Mg  S*14M'nȳ,F>b0Y_%@lJnJMܲer*9 q˶>];3CD5X*Ra@qҫMrm #Q}DžIqoYIkU6x`uU-ߣ*j@*jlaN6_-Bq2i,Ƈ zfЍ;'|<ɦI0ɍ:ߎ zTmKud; ;IjNkEAAC+T&m"k s FGd k}ჸ# y%}I/;S;f)k~rV"%"A:hV_Vw/'Ou_].êBD\А0iZ [,yf]_pyBzJ)v- < I}i~)_\&iZcII%1ުKEotg7E"V J~>%.#<(7FS#9C yZ]ZU ?|{ >C:=7J[R!h=cGFIrFB.oeo[܆[ #T6KMC:Brc5ۼ&/-~Z|w̝о\m*2qO1`qV]W9Dde_~(6iFɛ{=$H"|HD Nq diާtl~$$j#|e&h˔M. BCyJ/'YDNk]x瀞aڄhN?}`}Fo/oB "U 5Ui~w _$o$Oq_aմ|mК l0oo[fZAk=HjĀ$5!Q1VX5s}6аri#g=6R#'Z;?IFʵ#ߠĠl/ /t>)ƒWd9bAzD|jУFaֽ;mF0 3kKYmȌ‰rRqd>*e?^>A{g0 fڊDOz5.$=f|& 6=Z xCvfszª윬|ub# O\BHT [YG֔rXuET76Wزm;&Zp04tw/XQ1IۡN:^aT8Ni"f2bFp./a ԑ,9|@9FUBѣ"eR==+8_'F$N&Th 2JK($̿8 9J.&Q~~o"G"0{$pNI^þ\j. #m**zQ7JOZJ\eLf}¤{i"8{r+b.+#sлjMZߑ0ȇH6cҢ&,$~Rwʈ2Ӧ$۰:9Y/x5Jo@ aABofxPIM^I\U6'kx%ۚ(OCA(m}vR?;2y: J-lThḍF-1B+H{{}[Z Feߞj'An/Ez*w4@ᘄe0+a|{NoٹT+^3O7w;gαBH)!;D[[֒p֯*m)t> [{99ڇA\wƅq9#ۧ%m?TP7EDRv\l̒PM3Urh)x6_RZћ8_3?m{S߁fpkB+}%D~!=S[/-i&P†'Cs۪V"G})Da!o,̸&O 0қ;[A3tƑ~%@Fmږ~iolѨ#>L?ES%Uۋ P,)me 5o}։ųt/^L49 3#DtKs'񧱬ysJ]f{}j>1H k z4 |rYeC8PLt@!@"?r!Zp鐗t,%*ҷOT,֥Ti/W,(Ȕzv9At7S9` ۬b*=?W*9B1P{86F[+r'lL 2U wX|7{Hr}KxS?]挅™И%.f*,TN3S򞇾i,:̋_*uq }]0ƒgZsEajӔHXR(K|&6pf (KDZ~g AݦB0Zޛ`I f8( K->n9,.GԦ0=:,d [Φs.>-i%Ν@i5Ô8! ˒TV ^M%Uur(v#=Н˜v@7Ui75ښtŠԜkr"<%Iի[+^x'5XM0^跨tg-c6XIalW Ub8 ;ԑ#ʲ sqt 29s4Bt`l_5xY(Y|(umONu&HqE;$k'*-XYn DҢ~sk [p͝yH&QA)Hnʙ }ԌlL5"Tj aiziJɹYi )tOc[cS?<>H}h7͘{Ψ~o}Fɮ5jb<\^f,CUR5j`Dt5TH_iB,blr9UIg!jہaVM>ohy9"^ی5pm$ 8mS*뾃܏/N< :fA&MF4)= r%WCSR%_Tb4&7}SuB>y9ޙ ؋k_[s4EG`S˱_+"db ڰE N GX˃R y\lSI?bq?/ƛ%9`Pn@Uv*T(0? 9d:4~)DONpz>0ʦ&w+o~%m[+$ƞ}<^*w+{Kgz)$rÓ;r gM<4#g|])X9;C8!E㫁h6}ܜGmh+cGee{(69-3]ӒApn~XE"3jY`=7(ՍPb?P-i4{jSXL EI&ELW] rx*xr0#*J6z/#ifh;;͹.\Gڟrr0oi|Z,hۢ|+t+pjg,]&' Odin UgɴF|kW= \1GJ]VW w&fprfC9iю́W2% ˾ lBw/'DiG˝ 6XAϫ=,ݰr^7#ɵ/O')QX[Ԅ;[7ɓßfMb IJNVav=uC+snǐKi U|D( ^hqJm5 ]iy4" >: R%H;]HՒI"Y{ =Q7~8'OrgVɳ.>!(ʲ3R1ZR~cBalvwk@`\6-tѧ_3vK:CT6Ӣ(6%hɉ71Xn}i4!ɵ Lv95B[ݴsHI(;Mzb3ŴnB99)^wY73iHhE!wh%F$^+-W e~ByxO|3u3yw0[{/omѰjxzGM2Q(:d\Kf'J,tDb~۶Z8IT<-%a.qiMi/BQ .6n7tw$u4N X({>$-zLR)M%$Snx 0{\4Q+8bdtqlZT@tІ9AG^ ^]apȮ| q\ˊ@)wtQ>Lewmn5AAq+t͍=vYJ-BZ}LՑ\ ʚha]FchʥÈAa;)Db37c(z0jʇ-Hچ0mw(JuW97|'S~Y,UN<CQ LQ,!"%h7/B妞Q(x큏߈ /N00<⺰>xDэ`dw;Y=@F1njWI5-‹K>%o\YuuK8ؒ,7UӲcFhL?hc NK@'JH}HEAZ( i$?P[CEW Wr]VǬ\Q\:9MC'? T(DCML|R49o_ 'XR*{hWQNt b1KZ藧=:ϋ(h·NoX(b 4TN2ru#E0PsjFO7[ ֦KۭJ TWmkzԋ_kP){}#sU \+kB |#۪e@7EN2qGtMd5wL5!۾~&;KUjzbr|n /E؎̷I3"zsKӦc{e 9Uת;"洶Ð.y'Ė#T#M ȣ@ Z4&0FHmBI4Y8<=F(1],⋝a[ mm8 fHγ:J ;K1瘂Ӟow6Պe!6ɆnB]ɵZ.$bl=yufGtcT_DMFEIMwrO**ۗ:Uϙ)\ɲ9 q.$"y.֔M~[~ pKّ\t)&O|5gegkhBy>tdy ׳-Ix*\2X¼#6kMG{ R<2H&r$i[%$@E Kr]?;ٵqxB$,+πrQ.͢oq#!潅lPN5'E6!N`.c(<ش3灯ZNgpbcOX"!TGx'(.k שW$,600]_l[>q%vpp ~;V'Ь_y({v$TTkEMhjgG8vn_V=($V=7Aٝ{8/pdb9ogBkgKp(T:yǚsǹ%xM8I&@$cP_1a%IkGqfmx޾f7" *KߜDI7ȷ{|}Uf&]̳{Q8"bp`9nw??̠L.F>b:UXovzw'9v>?e҄1.,BŖM' Ny]aR>7+gE}ozIk^즃ZGe9j5%E^q.T؄Hv=$_MF3p T&Ϭ0n7~Zh1]ut}QT/DFe|ś'N9^G0ts)ЊUlesnޓy5A'> ;GT$c&؁<6NG0jb<m3Yx^3s2w#B<4P+ú:uu$i?0+gdvI՚'6c&2MF:s7*3X9Bz>޹ )֘l e9f_@fO䘇tc<`Hd~L()A]D p9s0^ %?$T%q冬RX ,Ϣ oQ*jk7A<t&fqLrVL Q'NI>9$=DN$JNEhe:w-ΉιU8mHb#ewM5'T'/$}e4gźn>r T<@enXFANqa AKrBilNSSNa!Grn"Um?a&Q"/ o9Epk!YjgCFѐK| m7:u$ 4wh\.217S1f-ځ4bÂD>d۪oDJhC=Q_ hEdBLˆ+_EϚI%Yյ9$م6r@&?i<և_CPdu(P%6',DXf2!~*q|`ŔJ?~#pm iXR܁Mj2 ptr,nv&8OtKP0\W+׈ϝ@9N::(!2/ :LUq4ͯBҵ|$e]JJ,j̊qipzߚ=wrY_ לЮD˓M5d+'B(9ۀ'ɎÙҨK%šƛ+Y }١-rڄHBvVkjɦX?33eд6l&LR C_ lb%CpU^o2'=Qtv5VY*iO ALIYMd;)TȃdZ"D9:8yDAOOKI7m0tt|k Փs^WRGl}/?hm,,TݍuB1bu%Ofne؀ qꝊѲ}ՎM4OK2 0%m06jn 13ÎOFK*.zSl/Rˡ鐯Øoh&B43t9j!$u0vD&$ z ,ܹn1{n++W*M*;"p@9xJ\\h[DOYʟmWLIK3g'm 5ڏ6*b,΄_PwP\X MEg-ߤRA}/ضwV; y]ú~"Pڦ̷;Rb)MQ<󅀷?XvU|Ѓe7$sb[ˬt?MDQ/N4TXǏ`n%"=V" (> (! {*w[ Lo.-Hc|Wg$HUyFaxd3Ͻth#3` Mc _?7 x'.zg  sȓ}oRz\EZp&{<Y LPTwE]T?˱ Ϛrhtmrۑk֟ o+f6!csM7?6vg#3+[$\,*=0:DX&I'Q4ⷚeR ;xr:4VWB|岎es̆aNUˁgjhĹ_b<rwf|1e|giJOzFQ-ߒ`4Dz]\_!_bOvBH/x! GЖ-FebV3'G KWjySNNW vv@K 8ZHvxXaEiBQ;1#69J" J.U~̻Tn+uՏnF)e;Bo}'S$W,#j^on:90W[Qa#DJg VvHC^f MYWG䭐\[A0CʓIvrg#҅iQAm믉o6c)6m?>RVxX+-/R͞pYnTf-"YQ*`}Er +W)RH?G#XSQ-Q$a>孫Sh{\haA%e8J$aۂ-]}'S4IꕵwW+dq~f&?YWfT?W2`9L>igC =uV$N#N61*8,FY7JÑgQeK1! c4Q>UcS%|h.QDa`V,}Fv̘X3^u°%L<%'gYJttbswN"h:LWVpWyOEvJrR<#KFǽO*vSfKO1 ||z'n rA,h9=e[k6I 1\psIr)aa.4Ϳ t ٷNaՖӰߤd;FnmbU+qUnfBYҷH} p#Hj(_e=+ ȇrӣ)hN "D`=$wl7%0Oyx8U8'@ٽ+ÐrN |w`;wNي;H&iHC q +.5h Ջ ۍ -rzW/鳚¨@}0iسlۧhif%[dJEUC''ib c޳RXY8ڂ-Y9VV']JY_s>jӐBoBwY*V2P8,rT&@yu^6ȨL#I{ќ; tg-C5_r7!?0vmj Jʗvkiw  ;=+vu -od迣Y$)D襙 ^~.&9 ߓC 'f&\XsݚksFb}Qs,MDIpQq:h$J[5UzrIǥZPY1b/D)n"~ -L'` az:Ф:1'9ALGù llL3;R9}K]L#f7?W'g1emY)O,jad+jYE%ei_|?=Dq9Up='Ax>ٰn1"Z9G7葮}L'ްnL*Au `pln I ~j"@ SYak7m0c9>cƎ /OvϟXRAp B~A%Q-+LP 6uʹ!/W@ eDɺKak We e$[>9rz>j%cYuWzP9Qbqz(czМՏ nVh 5X9e󀟺ɖ 8B#mQ\oe Fz?C`0 ;"g?ۘLyהO9ʆ>S4W-&]ل ,ki͖!%m$t%zѰX ϠqTߨ2+OcYs~pU5IbmWlN%LqbB1B?G|?H% cQ2C㣸QkBA} ,?`"HG9f:d 8 L| æ['6'|.!&|UPAumUUOKR'mb?bʫjJd1;QqU`A(!5\SNo{EvI02d ;&eOv&ϛzo;o"UPkIKEe4ȫ>sn|]=IP*'ƞj}r)%l?%z>A'lR\01mzۙyKƧx<:}D00wzt~҅}ʥbV8,pFK}eH K[4 T OpT'hk[PՍcZyXBf+ax~?6y/|bJN$ƝڀYLm #ְS{Oϊ6*<=~=%҇T'Ә6jߖw$e̥sěĕs>b,/ B[Wk57`K_:]jAw<]7~QTҜZCZ(U~NܵX8*5azfڃ͞V?T_ IuxDVb:dǺ19 QULqԳL$SpBD-:!it._p644yW35-jhHg h.:) {iݓhV,GX]wyꏃc$JBM0( Q*wZZϦQY%?L 7` v;h(r hC}NVc9ä4&<$:R,qP>V>d1 m@R떓jbC/ pmԖetȔL{*-@aHr2Kfa͢ܣwZfl3jz8a.( iY6s}̤DCVjm(gMG@vHNy*vŖ܅_+zX;VFW!],ZHѴdp RS;Q lD~XfGyv޶Z>. H.393xO{F@mU9H4~[&f\4oKVHTEIK=^@H"!_49n`Hg5ͽQ(UE^?'ʰA'|Z}xe 8Ziu> ,kA}PJ!!˳c;Dg[c\nV;Ln7D!L~Q\P0JXg wlj'=?PO,.k+n -ɯ=WDxJru4ۀovA㦺e^.f-^dFsê4Gs'xJs\ CQOCQ9ݿ H6MGjK7ܣ3mJZa"?*Aݠ5LʈEQBd 0}@|9(: .U v[Ru@|.<)R(r6x1H~Ng&'mㇶĬQ)-mrpX!etv_xDHx6HKanZ"GchC ?5 {4W9@\qdC~,-'׻5]5`ϗsM"q&1uN@Q?N8K(.݁XDN" l(X__ρAz!~Gؕ"1Tf ^*C$;s(BVxiUv$ն$-:oB|1^n%98Yet)Cm@Ov|.Ӻ$~#bgZ= T^E4AƏWn%:KK9N#oA迂`W9pbiׄmM]'2^{1.߀tK)A^lH"(<ι89(NR4h̭U!!<%7mhL:/aph8ZSl$^K|˕_& }9D+a׭0Fg>Q(%})}Iw+Y)Wg׊ {8,jԉU]J#.( X\i4u/ 7&ӊw>eu%l({\*m/ І:^ <<8_[ u ։Il}'>anw 967]Yy};m "%PЪ[p&U_. !.%;o3|qܞŎ]7 /9tz0c8B*80L4p*hF4']Rš{ź` PezL$D;FWb#t \A xDi c}'q]0LQƠ dT*a<6Kg?[¹ K)ei٩;5E5Jc'iYb ` \`:9(F^(qQy2rslS1,F+'+r_k l:sW܃9Ul &W8Bi]\WGl(57Kd\ "4Z[ynx-/ƽ{W{v)瓉f\"h nZ xa#)z2bxmRAUBaۍNt$E8髃Î^w72 $!лAtQظa& pWfe53 ˮ@CǿJ}r ԥsa+  0HK.R kO^U[ ؋yBACHξU.D1ށquY *->!5` 43{~7;Na w]'2,yW,A-$ULtg͖P$5,Wμ~)#x/GА%և*5j|p((}Fآ60 mޒ8j/Go "$k1~3*hubB֨<-cyy٤.տq0nɷ>`_b cD`?},e@`.y~ლ KcR$ x)z\cp>xYіDڱxH-~KY~fs);G a(zmFz4>xepa{?b؃!6'ɹбxl*Y25b8*2g۠N>+SP@nktD\AcjQF8Ƃ!ZEi]U@7&2!`"'3 N  4v~b` q|+sl~3\[yC^e{J[7;.Z6Lnw7L'b|269-1[6UZ2d;,H(1TP|AAzMc#[PEĉTon`l5``_lcKE|=skXbGFu}5*T->Z7&=͡$d(apYgSDGBe`M;.W|sE I{M2Obn3k_zҶ,ɤͬH_|ӓd'j ouQgpՓ騢/Z 9c0L ք~@$ё{c 4'B<*f껚xs]5 HQ-J (U >v+l${4r'wډLK| }SGk+p`5{ *{j_u1Z*>G<7~ ufF^` {iu~x@ d$ \ybB~](Lj,2S+g@"k,.T'%r&̚:2C!"˖YeLF Ai&L˦sJ €;-vBaOR%LN5_c O25,뙑AS0&pe+ u;t k1f/vF8mc gB35`cUAO\бnnP3 ߝw5`DfK^bEЃ(} G .Xh-ܼ<ƀ(ڟ* Q`RG=$9WF$1/bAe$72AT;i[)sTw^ ' N{ r)beUЀLGI%gMlϦYe ӏU}ޝZ+$R};, 8?9_aoJ:.Ie` jQQ:hfșB+k N?ʪ` ky;̀ƣO$Hs{P2#4k\_q St*_ht"bM_㶞(6ީZLO[՚@(nyIm¡y 3U endstream endobj 2029 0 obj << /Length1 1458 /Length2 7016 /Length3 0 /Length 8006 /Filter /FlateDecode >> stream xڍTl7@Z%6 #H(%)) )-tHHIH()%i4}ys~WWEϐ_iSA"P$PQ@  #8 pH`PS0fHP BD%!b`0P !K;H;90B$$~a^p{( E917C݀H{8 \R($'u@z9p(g s*u.L4r{ (? 07bku=`?Z /_P{{G8n0"~Bݼ/N TB1U- wU!WLHww  fzX]H?ppU+e`N0P I0O +Q @z1%0 Q^>`+- 9c`3y/?>C< -$-Y.o  P sw=(,#@?b}>_ w,$0 ?1_gvc(o>*>nn\-WH g]apժG8D G;ׂ0=7׃䇀l+ Y_G:.AQ #:3@ Q `# k"B@#CY H1 o@XB," yc P^c?o_xyav70GP`0{ CڇOjG'9M3s^>g$i/s—ӆz>)s3_wZZS΃.l &oƞ32m]z'+JTB  t>[e=%+K:RWyqYf+ib4-2 [ FOCns^{.?SgצH2w%ߕ[|=Ci!zP:/,?_4O- i7ۺHuX^2 -ػSNںydR!O_%tI5 %0`ՑTkT<$0Qz'ú$hLA\K{tt7) 1MFZ?@7?S&h=y~+PsVHËYB^_?s/YfS'!_TgOѼ:g 2cќaM猽GwQ|p!ZLZbޥz[hB f_XՍϷ#q%* !hà3; x[?]OZ y4$1gsVbqRU}M} .$c{ 3m,I鯳yr١fz.0^9;yEҼ;jN/H{y+PrR# 'Qd_4("Q (?? a} t'$ʝ lGmFKDvxżM;\I,|@_֫2H47̯6coהBBnУn_@v2K I0ڇN pp\K0SZ'KJZbAgxƴ`+pEˇk{7â1-:_~+=I`'"ӝ.C%g8{<+]SaGg7,-;)AlC}܃4TK^Ӎ-!E #Nj/LI' (a}En1`Cc혘.~QKZْp27?lkRDRxmfumِs`\=WyuCS;:0ht2 m"jT~OăyeЅËpCcD]:H8"/e~ԗdĚyc, I[;B'8*6Lf*ǏELɂLe&u<7pKKxD1]y }df/_;*» 1+;m,9+"kB'bP ^W,/(ݥp*_ d3xS@9@05{'G0', {jIk s7Eb$`lr҄6kq:a ٺbL!7yn)IA]Nc5:(O?}y"J>OV5,i_{ĄuHq)*;-! U7Y{FW@p 4!G'ΌMf> Q~m`F\rZ(Q(,nG kSB&._?v*rx*h/W|9̐Tav)uJXɽ`4:ep 2T}2m{Q5!ڧ[im%!jl/zIG9ce˰sY&6Dm? # bn• Or8vMz;L4PfYXՋ EVuFQ7*SΎEVyבZ^u93Fo -J󍵆>ߗbI7Z-DdzO3Pns60ە[ċ Нu#e\"Puz#l̼0VNUl}֩'kQ\1 *]鴣KAYXRl5>ID  @]K!2~ڞ9QVV̈́TjrSHjZi]jx骶%fWG=gCr{ba$ĩFtUQM2{di$pBBq' 2hb-w)h2T!;^0R, $/~Y5f!]mtH؇aEj6/~Kg߿oH~B*-ËoϠhA"՛Ek5]%αcWe*|_zW9I(L}6haweGAGDtW1vҫȓ2`KܳǑvެ1$W_ ~ Kíԃus->6/W3ⲡrRV{/';3hĦQ_m;憎؁%Y :VeWH  =f';-ѧ|">w /AJl5є;W'huG͍6S7_΁t %QxA;t޽+)ږFՙ*~#hLʾ1w4 vWeǽ$ۋ7| ϧ J6Cr?xmEgS:SI.Y"HHY'hBu /aH}$elwfJ.WS9<xÜ&8_pAQN!@RVD4%猢_*qݵB=={܃:b 6W H85uJyt߱xw :Stkf0oCsbg ^\9дoIܽt.m9ŝZ5W̯ Ҡ[H;4]okӭ:cO4w-u5˫*62(a,TwKp.~ؔeɷV+7z@ H֧Rg-58AIr'^ -_( }>po pqG|nDdj}d~mxǸEV&bK}j?1ŀ|݋bL ]*&L ,*5&7މNJkmt*%XE^\"Q#~vW%k>C<8ϼ|Gc3XN sF&OʁRvPsQ 8ׁcϦ@*)I[-/^|;}>MR85bd 6S+^PAOp~ Q(OByЙvceYDuJg5Kj2 B b}剩Z3[tFG*4e [<"bwsւN-tڌ~&찰-NX h @2$ƮkB(A9{W𿡡zI v7i4i@x|D G 2w$~@2AZ'/d[$C56osJ-MP讀6T9hv2Ɗ]7\p3/IߨH8d(Jvx=`Τ'm}TO'\ `mw30tm+B3gIY+2Ҷ?B [FmKoMQq?ߌS҈pt]ؑ TDI\e)2GTCɸƮPYr_RNÅm̸A/oq1 E[n?4]~ m^zPoZļ ;(QC(Jh 2!␽A Q}sF^ʼnİԵ30$g΁?h+Knv$nM\ӿSkƋР.WlОYWf<'Cf&?$rёGw+". kvI|fVIw7_( Q0b4z>FhOvяr(3oyȓJV2K0~S(; ZK\xi]hEC^Bۡq]k;[SCI g%L}zި5Txe+E>ˬz6U2 $'|^ٟBMW#"T7^ք@_GHdX |}Vbֶ/茝aԕ3XSγ;⯘-OBGRTnD̾HD[[:Ulh-B=|ĎEVءbwM[F`sjKfG_JelbݰI#'4j 4]Zw :Ȳ!GBoOy= }rO|ƥnWxTK*,BgkL5DFc㟅|mNdi3 =(eXf\ {<|;Pj[z=Fd-m 2"$EV9%Kv8aM<}huCɰW4D:{[l/>8+yK,ȜKjfzIc ~7]Ğț?sb|Ba[;e/8 3:VA qhP=s[16"wZ[W{)q=KemWH>޽-zju1C-ѰBTAalU{ 5M{|P37rN{2ɂ}o嚕!+S/14hƾ!0[|@7zoaE/%xɦ,k3.Vfv_;;k7~% o:QtK EWRL=gOsWU *vawNzl7ޏɩ >HH>)f>ޏۙ-mVyyUv28^E%io]:ml)sYA 6閊)QEiZ{%A&=BNbD,LX߹7]LceLzNBg6i(f?%|VIaW&z޴/3KPE=-zP0xyj2rD5:7._U:O>:;O0IgU7c뚕w}A{ ZoYŦW@L@dztPN:86d8ٓX\),ruϋ\B-4}sg-]rem[ٜLk1^1!y4}wz[j#LUHHDH0U> stream xڍuT.HtHʀtRݩ003 " !HtJKt# J~9νkݻfw~wY m`8 (j< =&dg7࿴&`I/" B@[7m8 b@qI!!ĿIb ha`$!"w@Ve JH ; B9o+ڀC \()G?x@P0p~ 9 &@0r RP pBl0mkt]r}5 ;`=tUPh" w u8"tH@B'apgg0 $ݟuO?ku=` 0[#غ n`u=nU(v6yovnGB?H;B}?%B ` A?o`# h-ߟ,ne A=q\A #SSC]?ۤGE@!q!? w!O:[Woobp3`?7O ݿ?A\ zmū[ /jm!nmUGn9 !HlA8ƿ zp$ U6NL[gIe 7E Ix[I -Au`Gާ8@PH h$4#GI7p qϿ?`™)KʗM kC2kORgn$xI/I}Ⱦ(s}e^_ڐxsio0He{w.&F~#u+W@'zV WG$z誮ف5r1M1h( 7֙(~&|}48E FKmڑԖhcHl a+o8Ѓǯ9KA*PI7W3ibLw+h{>~šC+8. B]jD@/AyFnwrhj*&*G/gAբ Z=~2Z6z%>{S(>% M * mrmB>Px93Dh4vi[pTȊ4" @ S!zAv" L)z}#P}Vɏ\dZ_Q5fԌ gŏ'E(FP0E~c.mfaa|5ix-qR읇C;^rх/Q 0^dy*cTvG{Ph`=6?̍QwRԩlisbF,Be'wd)vtJT[*AHXze3M *9}?1CewP~07j'QS8Azcٹ!cMS5dA1LpDyøqYNrͤ3)!qy g- k[gcta~?x-!kL8K7gf_5#psr7;բʩ g.=U`/Cz'qw|3g$߽&{^/bZ]& mƐE 4,(*E["s~hXN3^.ԩj+ R$ LѴiunU։fMSUe %QL*F&UDfob]s ;lmk};C(NPED%Wjhp 1ط|[_yCV9 Ȟ AM&c! W#]L -\B*ܱN#혤`{lVCKd[}FѯĘT#}r"{᧘Yl fߞDPt},6s{eû{]~^(`*&u!焎*/5ca |Tu^qdMϚTQ?XBԤd\m(?y.wye-&ևo(1ta2ijHYW!"L'L&c!زBwvt=sVSmuτU"B}]ݝ[kwRHg-wt~ o$~-&_g_dg]19It.Ⱥ,b/I9(t~]`t4 } ;3N)LnX-wf(v7MM5Hf1O;KΉRLX =Mu9vL^9ֵl~7rqV LcJ%>D|嵃ެ, 3#ϵB" B7yOS 1Snt7X!oDݔJ,9eW4xG8w+(7'+ٱ?mr9cb*qY#\ҹaZ WcĠ}"[*AgF_i7drYN\>#N {OMz9_YcXJv DecsG$shac."[u4 Qq{ )2yEjHPΉ%׳h} 2y_jv*btLfŒޓHy+ֿ m{EnhE0_ަg|θw5.Klѣ6QL_MUT,Ns,ɖ> o ?] UJ&)9d( r̴<` el{v5]tˤ:H$I2甫 ?sy_![7\\F1CM'ipwP]{R4޼rrU|[\nY+j-<5gZ7k nhiG;^lC 4Uj<[#m>J+, R a'eJ J]$ڏ85NF.ɒ0#\a$5J(a #X5 i-I߭ɰ =15CbK=`,͆nNf 1p, a!*jmm0y14sWyKYbϐSFMotޣɩqBRɕl_tVV&}ZVzUDuQxg$p.̛ڵ&IP~ϘҭU9u;te {oqV|O3vV4wwYb:-)OS'&p)Vl%wMogX^RI[l|%ΕwV $'_'O6GKWFreMu\CDvYR I SJ#wv*uLlƓɜoTP 5/4E\XY>967/C)k buL!Q!HS砶iH}Ь-Ct2 _ȏֿPIOE ". hH $?NkÙ|ˀ55M 9?t:OVϻh/ , Ye}9ȬMs(G>Ew=0,P>ϭR\ԌOt6bc_ WjXg?J,zqgvx~k6\uo~ =U@G"gwCր+P].$ac[SSk\]a5QiL#UWuixX'JLĿ_Kl l {FA2bZʔ1h|>ضXb\pp=Uz M 0‹rHuZu ݳyWN8keMAJ'>ޗcҙ~§%@qs]nGϋ+>|` g{QYMPq1.dr I;PIE;jûؔǒwϹ!mDug:unI_a6YLRS߲UF1&ŭN>3CN9a8i4 Þi:үyyT0Dxƃq7Ւ kPqqjiV-!(Szim_0v_#`h(4^Ash3YvG1wP{6 mi[Gq!r|iS*sT'!C9&٘aZ8ϊH$t9HsQaf fK+uWPE1V4.r1׏#<}iE qT֨ D'-'Y3ux3co ^ՠc0^zqtKdS4W ; m@3ƮTJ7TbJ1PJErj.Ύ' k b {4[vkwVG?|xt[fyeõiO<N^,]F1-/dsT(Cb)E#q `B:iRQQߖȹoø<]>-b6NTgnϱ1Vap(X)yu\޾_anQeQ{&W>YaeF<]xׇ/O6hnmgk6m5S܄D.4:Dwҍ?ꝍX.kp(XQUP'(j{NiRZqt}DtCM - [~[N92 $$/NA&-8h1)MOz[zjyl)>q&/>?6#SXws hf4zB6>uW{*C4%!]N]R`ɠl-5*mޔ}j9CH/B cHo53Jny1~ ʝp˖~`׈f潿%*yj &Y;wXݻ4u1فp]֨ l|QAJn Dm',7\rC#N5)GD`9{ゅ3b"`*ZFYa&=]evA@}pJ@ /3h|a TSY3=ܮx&JK"cҩC=wY¤h  cM:|iKRJH*6fgeLm2^o2?&+ ~*A9nH^&S/1v"f\u鿧Z=yt> a"7|);Ygz-Y"*w_%kk ߵ "k?:jTPT P~#gŚݳ遱*]`NZ/3 /,hOD1wSEx^trԕ vsMMQK,d/>(5)s岦Txj߶Uh DmlT_X9SD/8^zŨ8'Zs6~ 4O_Nq垁m/i$.]N߮w7{lr\u?yա\ZD ~VaX4t܊GFNU`>S!6#ugtnNb݈EЫPنLۆ8Q됷yW֏ouon[Q&Qtb(|,[ eδ>nTұ a._y!xT%"P60~}4HTLư$H]gJԃ}%9vX{UiaV+7R:)s{@,ݒ" [qղdp$/IG _w> k=RlppomI94^Y06#SHgRKS;cƛ} x\(5DjUдm紳IJ]sLQ]5Bk^ 'ח7 kE"FR+c3zl;MUkEq.z/peVV1cl_yYx媿K SBEhᑍCyLgSFkExWJL2h!یMoEq2TWikڔ5ٔ9 گ6jw&G> 7wEWs\{c lߠơsg% ޟ_KH$cڗ͎PgV2GyRcm'+bT\ͪu Z)*=No 5\fuQnQ¡ʃQ>Ps0hץv@ VdW'όO:#jz%l~6:{"hꋴb{aH/]KHb\C%Qh%v~hkē;hP/F^fF /#)Y3xN> kV$kՋ~މR/ǒ;j})4NEk أPC@V-Jv$%OI17Tx1׾iSG%H %?Y#mkzSj=Vgg_#yW?} endstream endobj 2033 0 obj << /Length1 2332 /Length2 19447 /Length3 0 /Length 20820 /Filter /FlateDecode >> stream xڌP\  epwww '%9_uoMzڞ~5dD tB&vF@q;[g:&zFnLL dag^h.5t~7HXXLL܌fFF1sZdRv@'X2;{G 3swyPS8hq- m@wFcCk5wvf`pss7qs4㧢Y8N@GW w9C?ÒT-+ۙ::k cӻ  Pm5׀?޿Ylhllgcohaak0eݝi& ] - I .0|?9;Z;;;YXw&ٚm`'j4~?jekfﳩL\Tm-\xl\nl;=%o{>^v>X/'CW #X&&3hfa 'h/~?yG w61>[&v9\e%%e) JXEcfc018|wCdWo]]sTK}b?hyq7ݿ G-o?yuq~}Y`MՁ^WYJ:![36Ih`ll+W}-l vN opzTK)lL~.f6v#6543z[;w{y>S;G`-  ` bE? 1>A,?]zgewv?]]zS VήA|E\A:?="wg2߻/|?4G{໹_7l,_\ nb|h'{؛?ﲿ{a|o_6%^Pl﮶c_{h[/EI=_^L~ZM?R]~ۿ/N|_bzO ;/?##y/;|~=ǟ]=_{%?W24]3 nu!SOZrpyBJpJEZ\&|:im K?Aij vqDP}?> ZX+HY 'B[{}h~5_et1:ųdFsXĐt(w3(oR 4>1,^Ẕsk*NؤZX`(S^‡_0J W,fӦ!2W[(E6u]dIS@M-mFw$GnӏBuev ߩZ-sM׿8j"4Xr ~%JJcXn=b|9rU_c)6[Q׺MQ廪K$M>}`1bTj0Z@|lQ*!?X^)/sgQn"r%'F&8?CƾaPB%eo@*62 z~ž>G+3ݸ{8ߍHieN7 ު4 XS+5P2X\}03bK:}Ír5;c 8Y򫨿OJK8"}mػL}.IĕA.M$ÑdW^03ޒח%.wNa־2'|!xEm1G.A-@c33u|? 6wٞ$W&gaٿGm]^N!ƌHW0ۣ(N:;5Ea)IE3Ũz:o}w^_\4сp5$%= &gHcM&g*x ~Yfu74ww$Znw!FCƒ=U@2nkb#Kuau}u f),sL%?SgI'"g-\\dte ; `B!D?6]r?p$g#W z׃j"[uyy4])ڬ'!;bB&* Nv#z@<;_T]~3QeђVtC-&LD%{ų|aK] jX^3(va4h˒fZS6uuN_1HPu/9=6CJ:nR0Jw5{?VscT5uc[)FbK4ghȕ B& 27Mg/R 11>6UD$FlrگJN)IO_QLK6|S9fa3zJ)AFa"[%'DL3~XGtM}~(;`O*r-kr 't+-"$ 5tmϬ큝ccCKU,OzzY1BCAb;ץ_QjgWzW)K-@ZpX!;3ˉ+hwV1 w=ӲN;{W8[!$J,-'EU*Չۙ\2S0}9?}r΁263y&o]v^KlM(qp솗u@rĜk Nzu_K6A'?s [IF:3؈po#fM\"ꘀ\ H\8Ly<<{~d+uG.&dij^Ӏ}嶅[5vjxyyВ N1kr> , .8mZdAFkC`B"y-ݢ3b 0^Śr|,2.,8 #n#Ts䔽G)50oԼh8}Xˠa7Z6k<[QWYɩwUӼls?1V,b˥7ۈ93}~^~_P=`)3qM'T^) <0~[OydxcS *wɧD&1[oqOHO~ڸY"{fQZ0uStѶK 2Й($_&Fe}0engF +:A7Q\u>b3fֱROuKt~(b}*0+HÙ`Ub\80 |(g5TOJ+pTWH2>aqs5?bd?}&s|@Deb֪N#Z%;[.PNTIoٝ%C@9Xh=hg):{ZxXnKCA(?"Yc1&St7i?ٝ ,FXXCqWy>˂GD$q\׶h*B };Je$CPIȌWq͎cKMz{_76zZ.C$8y(9DH&\0suX:~o$|b?9È*kZ?8U-Q'$d)9S"! #}3@JCv7)3.O)rS<%<`nhlDgq}֠5ѤF)@qB2Vqcl%UtΜ$KV©`qR4aU$V(=t  :P{kG ZIFsjDd%ذA'#6Xg}|'t]_400BM? (a?"rnF&.-! NT} ] Q,Zdxa3N= ]x:py[|?vڏns R7{%\:7"L[&/=1kg䯯t"Ń"Ea'5 'Wu/ڿTdo C)>  .:𠳟3)+U@'ㆆ2ZXlҘT͔x\H)NPQoƼ%S7Տwi{0{]iou ~%\bXT(»v[!Q)or_d(3=wmUsy؋G\o"]lPȵQMTۇ[|[@q&7&b[_z7:vq)G̒KcSF;TӍUw! VVb5-+ zED(/3;&]\h ?rjr au8a7[rZMNCo,كGF_s &l^YL%:7EW 7_bLˇJb\jelQb GLP  gIE\s#`<х#L8JHi=w"kv{ ʇx%)rֈ0OQ{NmQX< Y+'971CqYR(q2 \'L-o~Nk)S}ro $,E/6җ/+PS$:.aAr`_P4-5"T[Qd|I*#0`)5,i'V=e}9HcE͂d󍕼ZD[WI>̪pMYr ƽ8l3Əx~a8YKh6#Qku #~=K8ՒɔT60m G:,7@lA 2~E /6tu׏w1|:n.HY.3kuD[;gD n*4D_&# $(kPMB$$,6ᓩДC<& iZ,mT[Ih˝QM5#:޴ԍ}ߧKf;g( L>0X*V=yDVZa[HGkC?EV(D͆bt46'( j ej*A96*+Xni|IJαY+BRT2I~Ԓ_E$;P113j.FEkB1d^WE -NB7NNnLOE&P}yR>ߺ[Ӕt9p@H0ʔu=] QeR}Rr#G*eVd+%9kh)xy|{eщ5rVg Y#R_ 4U &!My~fSuC uIG&v C$bq v(~yq^B=ڀ J@7iXmZS1ςkܙuzܲE\Nep!SԢOH~3$E.籭źdE$QOJ VB{xAzukJS|G_,֒(ÌLxw cig,~"J歪eP^Qbzb 29!v #v1w|FKN.P =:ߛBm:Rz }*4cN}"3vRx\[-L>/ c DtޥJj0&Ȗ1nU@o1gdwWIX~Yw qL{D[ϩR?.ں| R([ w̯oj=\z8k &Y.Ưo i1;"tt37r 3&Ƶ[ǭٶ5C8r_\#͞*"~H8DTo"HQ]liVt~Ԯ(CA J8/‹X<Ǵ{ 9 V/EAPb/ʅ\鷴.@^P0LtB#*QQw&gd:`{%7}+Wv5dp=($m:ٔg]az8PRnJfJVkܼPL:DB5!K㎣^)6[4y~i' ;D{*}^(\dJ4’-(j'T=nu3d3^PZ. C`a Q8J|GLhH*q pmG6,w}MXn{߽J*%AG;yA6{JǚЙ)ݹ +TôT@r|6]4$v8gp:ggYIf?g"n=1KTUMẄ_)bK+ ngKSH}t덛qŚ@qwV-`}TPa&ׁ%up@hr2(/-}0j&-5&{^]Y0s; 0ڑPo'4w>ʸd֬DUI;$g ~i%7_ەa u?jaz"zvkކV4FMTq2.J>7j/F5WC{,3|Q ?Xyh3'{lmgGm\oݎ,/p5 7F?!3fⲤ 5~43hU@ y)|FҧQU u yͭɷ"q.< xX35S.LLD|OXgIco$P lZ7c&i ^+YXN"01JOII92eLe<Mh ϛ6 _IEk[xr〕#hQB`70M 3gd+Q{ʷz lbǙ1̫ TZ 1> ÷a@a6Tj:<"#{ ĕܱۛWk-bp]߰JZrUf/ PzQmH"pV\`B&]^D"`bV'UIܯTa|oj)e[|C7݄ 7C|(嬦VE?OrV-զ=?|cS%gWI 1c`a@}FL<-3 E~Z9E'Ȁ igSNO{, 5]T [#Ԁ)P9՗~nک=/NoR]̳''meFٞo>~&+ iH"LoJ-XS`r4 ƣ$ }q-Nsm0Q1E|ұ&r:'PLՅ8$f6?!bS*(~}qkcĽ+ l9L?nH#A\)+Od1sIPs^;A*2S4O3%13u B1U fp/_Yo=5u}U5ʴ%Az")ʼnCkTnvۅO5*ꈮ9͂1ZIٚS\Vg[QIDPBXk}?ϸB 4bC;Sna[S=dg,;O" iMb;ZRs,mNBl0_7,EY|R) of#1,%nQ,vzeFɩrrxY1 p/0LWLvf-c,ë ijV3a]4zz hlWWΨ1G **wp=>hfj8Տ,CR#0FMJ14=d d#_ӫHXRR Ghtwiٽ2_ }}29)*jG@'g~AzJ|t`1{8'%3˪p'BaB,~pvV6z|\=c]Jh} #d-(VR_E_CP&Q#~xYLfKT8>q ntmWS#,orPWؔFldm玂b;(!H*>0Dm^_+Y"ڢRQ 0uiⰝ%L<k{+i bӑ5~qe>f,͂'ztrf9/k܅JTβdbXt݆B䗯%7\='OPEM}bjbAJSTs\SFF_N^[;kII#xW'#X 9@gLAaN`i"zgDm &ƇlLEP zCb>@|]8q) Ex|S-/me.ܢȐO1SEYZr$/eHf*=4̷<<>s13-FCJ6u7@uCߺȰnipm`5bcV #o$ZKeLM3-끵 ^կFo@X`gufÝf>?GS{9 򁭱4SŌrY-DZ&&[ 0֣X*}P1(8#?Hh3J.2e?rl37cݿ/,NDcny<8p]_!a[knY:ِNǫ̇ Cl(ce.Q7/\t}5v%apvJ[Jo؋_=)_Ɋi3g0 w2_]]gpPB^AVY]dm[H:88:? EVZl`;H鴺!ʖb]-ˎ&VTdn: mijɬۅ20qV %䞣E wT} dHobmzāJ(s~TR~԰n8#l'Dy <Q8" 6|jAd[$ .$)mpkGG{^֡ AݫĸUe0/pԈz<5pf lБ;t>Qq+9 L](Cd1z:_GϱM;Ufb}hG!\]'p[Ir2{Wi;ȹM$] |%.D̡R\ZbEXgsQ%V(@\WsnJ㴐'i  WxĝJ~8"tiπ̜5~%] uy~v?ɣ](LJM"ǒH I|R*s"5hW{ߐ 7uࢋ .K/V o2_g8XSE肋'E`lKJr(%qx) !*e/Nᢉ85Oc%lA^AfQ& ק|qo#G9≨.siaT-:L Ue l,5z}YR=usRp4!rT2,N6Vmnoe󭷬Ae]>#>}ZBbͧ⼄rҚVSљk*`Eށ#B-3Cmm_%lBn+z􍮝f\iZH'>gX.G &+KTa6v6Ԕ_c*`Jh}+;lWD -[>&h7F%|ZU:?^~yV fqUK7GקŜA\$+2BGUR憝:GX%B{4fÃ|*]EL m%ԑ@=cqd,$zpFsuS axhH<%]ՎL<+6xDNN=,]wi#iwouJAN*bU 5̍iK)׺:i["`9$Fl{ՍIjڦZxpBV9B<;vGו!`Qq05X}{Á}Y䢄RR^ M±CMp(yXG_ڧg1B5=qKrd~/)^|pP|Ht_ W1 Fg0Q.XC '_%W3%K֌򐏏 p(_˥\sՠo ?)𹺆 z3#ªg-vqdj;eP3jHsq+Knsܢ}WX1^4&Lq8ƮmlfϸݶZe'Ȏ#b9f]d.ⱊ$VJ8C3y/fkdge bϢ)dN0_[BפDs?5(7a`KڸS%Ec3 /:Ԝ!ҷYVtӏm MW-Qg|R-A.5k ӏFck[.%ޤR=`ifdP$#f4 1f:''ք"Dpu?~0Y.*!pjJCxHZ@yZҝTJ[wFk˪ &Xf]=_Kmu;)տyK1oX%tw[ցTpXbŒzäo&ycŌc{nb5_ /Q1gַgSZ"[׋9^)uYN,ಌ,Z;r*i #Q݋<*+E&.8D.HqA)ݩ\̪XƓM'y\mHi%U!sp䤛kj5 u͏seX-zSˣ}xn@9~H:Hg  :je+6e`nPb~qπ2i/H* ڿ6$'{sz>- Tsڋ}=Xg~V[H} f8x8* d4F$QETwIjMY2bJɌֈ "rn=w)6NyuIentesE->?8YRht)K?q(f7Z郦!š3dPnL7LDzv;a~^֍>/mRaQ2)t1ZG43‹p·ԄfAѳF_jbCqtާGՐw( x HQ͞. D&l8/[h FI|s ځjˬVo:ݭ|zi E/v燉_;d4'7J~w;2JPʜ 5 [㎑>2vAWKc&,{:iW#N61Det㴥^m $k{lC%n j"Ai66|G wʟyG\"rn❭TtvKp#o"=1.Hkŗ~%FZXDiR :5/yݗ2 ,Q֢o[QWQ.Ì2sUy1m~75^o,lDV\IZ›?c :DL}.K 4Yѣd/aV6rHW#'höcNe@ԥ9Q_>uq wЇ=.H'e/s; uo}S?S]s9{Mc-d|bn@̛#T%cmG w"|.,)PhJ_x7{}eh ,1Z'^¨k(7Eys GPl,Pyct lo󵔇/[o܊qⲩhHOsNn;K̵F rRram|0aX.u0FDEd#"Kn\ot@+SVoKBFV1ݽ~'l#=:ʞ1 A!沁 ba*'=ԟK {VPbbN\K78"E\}oxkss Z96ER.̹V7k)qzQnnaDP0a/81JH!ݘus[osLs QOpFS1]ez}Yj~sz 3kj<\f 4Nڦ%݃P\89 ķX88n%\m#4$م%v!쳞^grVͶv9ޢ]O8ЯP.ZRuz(#yYeR \>t鼁ڄ#D[\s;1"FG_'*zĒ?6ΜZ#@CA&b~^]r@X9`A#| g<̩餞vlZ 0r $d'NvlΪG7 l+{h+!SC&}ޣH{D2/6U_;aOSecCf `B*RRلDpUrUoy7%^Zrhe hQ8.vE+r(F#sQx 3(R 0 A i^ }7 A|ЉU *?4~t"4fVP3Z>A_sj$ S{(~um~ZI,rۆ>"^9|U>Sk0HjYZM7Kix 'lS"R5U\ʩME¼mpY][$g zqL,4_c]aUV3^hqЛ%L~}lCM'c7?7šXtNhU1i&bIJ*%bR9"OUR+!Ra7'mBm}B:c/X){f^ ۗ28H}p8A'96D{jd8(uHW`+)Ƶ^3nPF 8 寧t#Yg&#,˥ٽBdJxChͲ@5/BS+(ȉc'*87zÙM۟V3K:}ѦP-AA[5~^4S_$I]͙K}#~ K\Pmws- _-{,(ff9혨^?OIRj0,ƉF W NkEZ&Ķb A|GLo6x.a;@8-%bgMҾFֺI!+.ZJwǻq?o@Qd􇚁㫤F!eEԜ&n7JAFɋp֐WV̵5Įmtݚ0?6v).nn33cyTĬ~(LHGPT Zp꒠cS_O?TqOU5Tz(+oUP0+ 'n|Ei5nB^4Gvdӹ.j^7ӥQƗ"zZs#/mjGړb p/hmKּIdWlVK`-><׍=6O>Ll#\TyrvڀɎ{@bvAj`8F܎d9roHU̫r5gz gZ~T4dTpğpXbxG!e`+6yDS-ZK?5%4lV#ݼo2[ u\қWE"cy}$p=ZlpOe1MXKpc40/D*׫LYq9֜l@쾃90,b``KEy俁 ,0I`TwG,J](~v}Lvj]Н}PLO?.$d %zdFG&AD0<҇2WUZЂ4!6&^ٽW6^ȘZnh{$uN^r=m-R!B2NN~*(vER$0qVU)*%o~ +XGnb &DR_(LpwAUfc)4ꮥJ2SIt?I<8lSZ] 38h1⦦jpuH/2"LG( */y5SD: %/ġe|!(Aiprߋ9۱*iCTw hqT  AW endstream endobj 2035 0 obj << /Length1 2216 /Length2 17652 /Length3 0 /Length 18970 /Filter /FlateDecode >> stream xڌP[  CB4Cpw 5Xpww3gfr{gZ&!W0580sdL$$VaIT s[X9 e26I'+HOC[N1@ ikڹ99#܈F/w5 ch~hd`P52:Orn3GG;N::Zk)/5 ƀ(d F KP63P5qt1pVF@л1$! m,5߇`eo{_FFv6n6s+ @NTՑ``c_D d`n[ő0,bc,dkm qU}6.6A&6&0vS1wJ]Gf tӳq_ R2%~agk0y27z G'?`FC b]Z'3rc+7*m]4Fz#Jؘ8.S{BX itmzz//]WF:YYKO>2`MՀ j% ާAi8hYD]Ff7r(o 2kh}ƌ,ߗ315kYXnWX Ci tW/hml]&++ N/߈@' =NbЉAL:?=SbA3A:?= SAT8޳A FE1n3n?%!?LAKow}Kx|gkN|tBڼLm |htzi/H3|g 9@J 8~0tf;'G8r|?]q_H܁4rrpxWk^@+vqֈ+Т&wgqFfh}!k cƢFKuLzKupNź&Ԟ< i'=NM}&cS&!i ,jٌC1nҦrOd '៰ٙ2+g:$AW_DRGYJ7S?!IdJOIvzDbo AJ|D\;WWguo!pud6srR]L;22֊rw*-׎:L?[4U*ǧdʋ̓p! 24k7 Tܹګ/|y&`ހ BjlCb0 8Q xApv~ЭVf=8]\ׂEꊀ780dkoE7 g^cX}cBh{FYshlbp{Zu(k$ؓ+w_./(btPj?bfoɬdiU~q:ǥ ]_nY;}r-1|Q8ZDKwSsG~?k/o__k=*1E#3nzױHcZ=ԕ$ptQ/fGŲMoAg Q.!1g'UBC`I0uQ/Vy[V?si6P?l_cy%!< Miܞ7f.h,vK}Kۋ+)Ǽϗ @95kׄSm_*V(<dr9mkfj+Smz17UR֛a=P0 i لі$ Xob+uiZYX?$G,ֽI8ƦQs[+0,>1'ji][kK /?lx ?} <:9 #f|sW]hCi:?jd؅AF GvuMt`}t حLk8{O :V "Q[,%)"4(FD#13/yxӵhFhe6\r"l4jzʲ1 r-ɏ΃-ʞ:umj,lۮ 8>7x)X\jc@8O0Op2bP矬ZRk|T;!A6i / QQ=6zST;^h&}j9&,Ӟ&&q4L HB!8map֖)ct ̰x/I/ 4OW&8wϘ]3.+h3i&N*t-G&6pAxWcFT %XG؞3 .V?$̟ƨ_QO_{pC͗LN2:G˨QJe!x!(} 47#ost(g~ycg8~mo;NY!7Dnk*NHT!Fc}!뀽DFA BP[J9$UkeOyEWJ$l7‡CJB-M(nk#$84?WoU_t0k~|Trk'`ֺѬID"NQvp ~F:iME:?ۂ0'`"(>z:LLm>Oe@juy\KMZs?D鷕;3_Dq0k.ggu*36*8_:b܍3=x\ښ+ J' :!?[R8  qu[cA?HxУq&aWet} tVE^=qG, 3رN qmgWi>K~PԾgW};jsb'3yb ..rB,H>̹` EmaZot%|,7KrћB$3x 0ͧ >,P Qjyڊy|,CS0̑Rgu4o4U*.3E71nꎷ?(>W΂ܓ,/ϽHL$Mꅊ"A's51Ht;91z3[Ҏ@BhGaܶ%"m& q'`| ^ űWgXYST/C+upY*W2Ql F #28[ 5JeD μZ18҂:5\=q>)zp U7k~^>uR s7'nRr Ǻ|ƃߪ5hwW",w;hD$LZ EtOt\t"dX%t69|j5L]acDž\$`pL]x`P"8o4̔>{xԹ̓>= :♺XṊ\J>+ hBZ)-rys8gN)da\K|ieg $%V4lߒom|>%;bZU.o\̻al͸aA̔ }ATM.tENX234^Cҡr5i~ O ܃ojfR -APH@NmۏaT60AG5?gzgr.?=pWq-ie:wFn QƭDOѕY _*]'v}duN TbSMϭ컟bk̾QFޤ)[. k+{ ~GjbNO`nl,%֡;Ci6~ | qcqwUro: Gȼ׳rmnթ`7zCA-r N18Zk5 ˞T[ݣ Z@oW:xL/C(D&BC2.YXIޞ6ne5 l~#z,puXpRWlɔ{ /L`6R\l׶|{KFiHr˃gg&a6[TcB`׿'k+:n,]rRmk) UnrWzAUU}7)[:\[Z#8i"`î Jy/>";dpqʂ:06'Ց_+q]CٖΑOucr3hR[1Pv'ADudw",nj:îNǓvo3.i̛D+ wUg t.&&p e(; rMi`|jUFW A]Ոc4icc J^ohă|:`I~0KlF25q%'bfb;#uW. e:tLnGwb}r^y4X%{4^6*,3pi[ڼh^+ŸhRO齫8S7cX֠Z?H>kWnaۤgIϼ5=*qj%fi0DIVۨ*pAe uI ڸOb4`EY.Eq#9l~ &/Ht&íP庲%T[k?sc'KTpt\1k q?3lr%g>.U'dO?^*ì(oHu܆4pО׺o9bYH! ='^+*(ESjM42hMtA/91uz$.MTO:O:r7 B,Wy5OB\a=KtS0]f6ybJت5;/' )D,co,M 3yzТ3&NZz69+vҾ.L*! mb̦RI-u lIvr9|5-qT3aܥz&Ӿ~+ꘘ˔kA6wdT$mj7ޏc3%  h.Õk~˱>CTOf񲔣,&9|&;hEB.^> <Ub k_ϲy):m?:=E}̩vZ b\Zտ?6N P F\QO$p=|QmA@\QZ*g w!'0,]+Lkõ!eaPD%<X1& V\1EOC*ӌ~2g.KȪm0,:~>6>uU(5TBQGB{FjB2͌5[npVo7qrXaҝu-[DjB"~iH^JRz~.$<,&~K@ML8n \-c|OӗKhÞ*y(xo,LHq#<8@%o*M'񘤤;wb!ݐ!UfJq4R('fA-d|'U5R R$.`EhnKbok~{X(l@ )gƝΙ\ĿY;pCYub'37 + krM+6{~7o_ AqY/`%hܧeݒ#A5J~ j8ӁJu&x?8"Nrn1alKߙ~x+ e06z=Q 4!禱 8\BV\&扜DP*F p q-x jn(v#']Yw#M/"D|&UxVy /e!?=׷wM{g oYtߧQSyt^h'7Ry`P L&*7yJ[n:%nKhhlQ<"ҕSc+*-:|g/u^XlI 0- օ>^yͻ6m{"oy~H魀.l-jKoEa=&wP4pN_c?8Hw[y ;Vu*:t>1{ N{f mFNb!8*봏 B I S_w)%^ S=(&$OܷOm ge>rmhDk:׈Vi~?b,T/4bUIpK hya#TjV&JU]{;R;˿Q^NH!^?bIbO'2sK'zx@'Q_ h,i[2º pG2Fkq_[Nmx@_\\w Bӵ yI{թZ*"ͭ&$ByVtxV&CM~W rwm)qhjY6(CDC }BSH9ײdiO9K@*ˢ8&<ީxVۍ3lDŽEAƗN;;iPVLg4=~ͫcOC_siO׷y38 L?abix׿ d C y:˲-0X@rDxm+Z 7L'$ m='Q,E3ʚN7`T!F'Ȓ/e9erT:EA?Jif*d -o(uW>v&vHc5t&q jK|1+.}ڐeطV0q Mlo&V$nNo{vH0Bid)lRcgTIܯiJ4|u݊aOp&r򥛅aQW0$ ~aവ HY?ryv\95һb~N<9s&dJ<H,]maOQY,K!#W$8QMO*/6d[ǃ*U4NuڑtAfrK=Qk3 <+ɳ @PSX}7>aR0L%Яr'Ru--c%rKsQ/iq FUNb-ŧ;XΡ1) "8/a۴H!ۂ%Vg7'.9=sSzO 3^KQ7|&#:td2f!7#oVWAo }|9 GH56lU|1۵ Auks8 B)ciNy7QKuMHk4z)jFpzfr aW\c.)\"XSHu%Tyo]V[n $;#:1aJ0 hg =ܳhb6J63E:DJV:59yt V|l3X-"yF,~!/yFտ&IgD}  {ѺK·z=Ћ9 ՊȯnB+|oLѼy,Iam (wٲDR2g2d0Mr"r= P~۹"Y#igδc=$*Rdg}o8EӏM3a_P!W&< LN.w"~ z<62!C&ٜ$Bjc|=ϫf<)0=ڭhʪ S P!? SgnY͇> e#Tӻț=yUw :Oܷ֡>Xzd`4!.qujt@&sUQx6  rJ0Ɏ}[+BB츈/n7L=zxiyV񞩶7;GLuA,2PS=7=9vM_ /[]34>☑Ơk%,\G1j~ÜvIs,\ct264:p> эQuت{XP0?;!#bnN9!v}$\9^l~e8! ~2:n>mlDwD:N"$P D1E1m=rW)CJC$?00!8ܯR3=\%d1iIrFꄲkg>i*ۙ}'B]q u`2+sUTS*4S@u 1L@vywzg7PH 2u7S\|[\="rGDk5D\B޹0߄0q]\RRL/`?mfJGoϣ}Q )w*ط0j{}n؅pJ_P S|5|.3-fDc |.s*11fŐe? wq/3xBmH^ۈZQe:sș.7CAAXEI?8O$C6f'T:w]&ޤCE~Zd$}`6v)[l2޿z ^й|tW]&tj;T2@LaoljoپT&gPTxןoQ7pbUqH#w.|tb[a =ʷ2D[LOcAֻ$;^-z nz4ok(umۧϡ0<[v'2{ib[/GQb;Q F=kv>w+ BcnqKӦuE"0HpaǢ %'MbKrN<&B/jCك3kJR=AHH W-Wυq(l#}}ܳcIj~$S5aklM۫˞셖Ÿ=1oFR)> f̻ėĎvl{+O_>'+C9;lkv䜄|"jvJ@<9ϖIY/mz&}ʺ1u1\ԣ̲v#Z1hjYuIyf7 y1{%YPzK5[B1Q2ԸZq59EB8M`'ypXG0D*mhUJk=HNkS_$pc^*f+S1ׯ1~CfHĝ O~c`N+R"^b>UAW/v^FQ#nYJ;Ą,+OMQ+ ox%ӊI6kG\C!csP'xl]l+WƠ.." s5nU%ǤQ ^ JSf69 {y,5EBáHnŠMںdq)/8+WO{0ξ('`KЖ|V^fvY4AM`}1O;X QW EXGmc}p d߱I!7| vݴ#Hk%Zq*pxvӿc E?Zġ~!{TRW"c P|)B^zlYː1x4z0o>ʗw@0$4`)FHe@ A -CI5^)@Q "ei: ]bK=S˥ߥQ  NDڋvL%Ze$}ht|njKuz;% =na: !EW1Q8p_)WK0VS;:Q.쿫 Ewa`HBLu fQBڇT W5D0?\7YܓApҢ-4yQ4,'YO ڊSBk>FFT#2$ -|Ǜa>7r(İU/Y+ DP\bU,c E " ":#~Ľf~|EiC rBgJx~.[M4eڵ[\3w(G*{$7O %'6j.׶tcr\ "4d'^t}xlP;:6/ pF;R[umyB $E|/Jyy=mBUi l ק  MA^ ܘܜyZi8,C\>M{W쟳HQi|l02rw ` kv_~OӚЇp<¥ZUPz[=BPwsIj)y)b3^sRxHOoe+%TO;;\!}(`vd 4<'I#r6whv6j<_"Yr>pi9IMAˆԗ>MδrC.`*XXkcC2[_C25 =*T@íG|_Sxz4P@s_PJۆ.}p].Q<#B l$'=GuWxwlǒѪOmzhPMa[/I/m=GrQ blXy@TۺSGI$YR~A9H Bj)6dqSB]&3`X|pn3j!ߋ=~hB`-z?m]:N6D\_|t-ss PL%C"W)m 6 ,~
"aO3d]?m LU՘m |OM=ty(6DR i`= H!D>XnVeCsaެ]ma EfFCdcj!Rd_8:̘~xݑEOwխQ23-SxygFXNM y> 0Lj1DՅ>Y,Lo KrrOnK)9ץ!)v@s8 YT*rU8QGßI/r3:D]feؕJzqAs_"rp@;:MZ g]3͋Th2,poz0Ǐ]53FeHNgMZ?/dcعqg 'i5[ŏO55T >< : /iSuٸFcYA\:qjHWX.CI;+|;E6DԓX$AP"񕺑Aj:m J)~æpUs@,܃HfÊܶ|-?0d:}Nf&)P-"ƤUIOq؞tCPUͺ4Lǂ$ gqHp5L.A̒phܔO4ѩ;'hzru^%#Rrz0/=$.{k[(&YtO=A-uY[Q|R1ia50νk?[˚@HC h_$iʠsD-2`Kn2Tĺ`~5*5I.2,KTEg/˶PS9PWti, '5^E }Z2Â#x)!΍Je#ϫ~VUM7xJƚ  2*Mp48ӷjTnuO7V˥L6;Z^3F轞JlzV\Uh-<[v9^D2# |q?TЉL_\i(ŏ_־c$G1n>~Y EӬg׆gLh)m ƱH&yDݫ );6af>{D©3DX= >f]ӑys8Y\&4'Vq>s~R.`KTX(>ɓqZ P٣V 'RK^_Q3k/_ ܆$F;'=cruQk-ݢ1ListKG=kG}'],񑄠hN!=,R$ ?+_=C_y 4ow3:XCqf6kv'?OfP2J:Mf !&nO?dgT`.4FMܤnq.bRr7m Pm"8b0Z<3amd6b%-z90;&(44<.zy'Ay*݈__guVqa?QDj"S:d y,Ll0}% {my˯S-WE(=oPCc$;Y͘_H ҋ.C6ev1*﹧\UŊuށWx3#X}_zq:e>g2/1A!ׯ[%h ͗f,y#vH~AJ{2s2VHYp˷,D"-'KH2Q”=lp@V4\%H}ib`usMyRȉ*1ºekbqlcRw&nӞ@&&LلK-fKPBthŷibjʊbs.e5*QFUOJF݊[/ x/#GVVvq{i"5UMghGgݢ Ti!:YHKx-\a+GSsƸC{ P {MONjRqkEzciIE D*WǺ^-iTdL +=3/"9f6%*0UV]uXkÌk3V_ĢOGs"G.jzAa+h{+蚩sP@.}&n=Fл_{WC-1s2̌XdNu^O wDL<>xY+JYx=F,ߙ{kNA;\-x>[Bج_9"D%[8o=iYvb"IGҘ2{Jw.!er+m6BTH{WRiv"$] nI?A,;HF;0j7Uk%H4D܁I>>2{B~W\$-4>m")G-I0k1x6a'Fq@׶{MQA Z2D~&MxyJgq0Z"lċT;h?҃R%4k%.% ? 9Sp^w԰pLP, g];,=b]~t dr%>` {t,BuELVVW^Ky+WpfˮsciW][7;*27X'5PH\ydӽ\/E0HI,3@W UûwVw ~F F#Jpc0FLNѽB\z"pzbSb4se8#Q\l XI!o0Vܥ's'{lAȾ0rG) @XF[ vbǞ;S! YoE\${PbdtX~{=2vlդBߓ4H[?|fG4鰵z^<6B+0SbVʃ[͍e*`u/B2SmvpwX8$r \>i7V׫-t-!wv-6C o7q? jۆu^cyFaMjY >/;Oɰ9-$ĤA54{9.Y~r /P>gK Z `}ȴCd{"`=ZcLٖ%(:CS/Ax T&&$&cDAx7oY {U̓ R\Eqr/*Q߿Y.PD `04U(: p\DcV@dV  |\-:y@e,e NRų"ά7͑  @Gje| 유#t"7#+џ4+]qCx#d{]#əp]q a{[xa<^ĊR;4~A#J;I]'_w4+s&e[L endstream endobj 2037 0 obj << /Length1 1786 /Length2 10227 /Length3 0 /Length 11341 /Filter /FlateDecode >> stream xڍweT-P8w ŭhP Hpww/R)Bq).[>zν~1o.s=_h48$,f`Y=$ RP@ NA`;9CH9MaO6iSS2b p s @nH߁P'a+ Pڃ1N+kJ~0JH؁ eS5iEsS[yW 00ij ucaA`ր`g+m?qb04!407S'0` 1;?%[O4``k{\\)߅ %CL= VK-* sL-~:CM]M!fO7JLzWN33we6ZB jg9c' q??Gf[Xneqt+H+Ʉ @ ;ߋhz8rr6?uX>X~0M] O# ..0[A1d[TqDIgP{[:h$[R8yx\~!~R3 P|6ߜ]% k@ 0wC[_"L y iOCa:࿧Xlq_i,$쭞!, q[A`oﱳ؃ՠΐW Ӭ}N 4J9qLL=0@Oxq= /=PS C% M#A$fr? 7hH>>Ѱ>ih|>p>p>p>p,yt6:\O]OOt>> 89={d`w9,\$ئ.(O֏Gj^[MN^eW)9jbʈ21no$;8Q B#Ȏ8_c1IKy|? &5 %sTE!(BWݛez~]UW]eK4&0, Sq>fO|O|~ӡrS3r2Α.W/;ً#v/؋WBLuP pM.=nRQ5rpf JAt 8,+PvşJdd 6;Cät"ǬC$ZH<&l'1n E׻I` k*jW1U{L^R{3gZ%4lj1uOd/64jSSZ?<ŖPy4G:c(QEF/+a4>K:]@us6%:<>꟒i{,ю$ViV&kb|΀Аb>bW7(Mdt K^1zIܛ)xX$y%6GNdԝIlMoi;8Xi>2Q,{7l |Q 6@'$Tt6י,H%5W[՜?Qȯ[t2$Th\G־VU`tM5ֺMMr2hpZL:(ѧwvfNh*Y¯JB9<\xNixDɝ]mUz!W7S4oԍqPӊT h̭8(o%ȨX9q{_뽙bYuiz;"uO@ҹS෾&G6 XQ _ ;)4 ޢ>&Bõ4,e|d ֮_XSc3>Z|=&Bs- KIvOF׫t&sBJ134NvmK/T:Z){J£ҝDv_p F,=NpQWߠ bg=&WT3u8M[(@#ApfeGO?|> yv5Y.g\wV]dd ^]Ş׳ؽh+7}Dy5 #L 1mˎ$kYUSzq-)Ѱg=H8BrJ\:o JIQPp>%S1w:t/ =^nXOW]j(u'Ȧ(\eAy)J6Cf\w/V'AIy̚Z*saekEYޣm$G4+&oTT=yQ )K8{emdS*~/_qMo[Z3Ewo[NDTߞLOWiasYjVpݯ 4;@&À=7\ f%#ҩR/2=K~,3 )Ѐ&;gQ_{HUo5 q-4ͣ-cèyrV(T@z3QiVۙn#HAYP!/qi="zw\#e:z,ڟ+ljDZA9kr1!(w$}z,Ӯo<_9%;l}_/ay!T]gNAsw*RSvESfւ<N&R#'z $!wEumD{1nY;e/rNf>Kp̰5v"0>vrwϼHHg6|cz:V5yl [ LwAWLM7ܳG;SR D̊LH>3ջ߿Ń]N,h۴e>sb/Ez^1ޣGQbf#Z`d; qSYЎ$6hI JhLOdYeVs ~w|'6sbIJpNwnq|S=Su8ɫ:a1̓搋ܴ2YbzRy G4+x_xlQd.z"1K *#@E3 ?9~·S'IgΉM^3b YV@y}Bhi/}eƹU.zǖ u?Yo| r9!;rn.WqGO4wN&ꏕ:iMs¿ gTn,a-{[F0vι%M,AWE+U5\M}"1_}̨Ma>S[Dӧq^&[c TrG=,v0y9?z@m90W' rgR^<f9ȹ° j:aK7@c#!v1}e`Бɬ+E6r<~o<" SVZYk@Ü6t^șe

_ EO=:]瑫wK:}p=i<=LOG7:F?I|< keȕawnʼnIsuS=;tI Bu3v,$PolvMqʛ/_(^S|FNĒ pyBN~5A+Q- %KwPk/|ٸ?$9,_4&^06A[] c{5MSOWbhp N3D2ΝGkC^ӣNR{8gIl?\_\ۉ_Hغd&VP~qrdVVl #m&r(ĪHxToMl|>XJB1-(CznbuJUh(R1Ps}܋>0\Ȧ.}Һ_pYM<!@jlzb|x3_8 e̜!Ppץ!GV S=fK]YP5V t^aH]4Bsh(9bn^RDM' G,\~OxrqEzJ<fudO..JƾQK bUݛa0'kiAL-V>EzRKL{KPLg@d*(R222#:e?FCog]Ejfx'YJ"p|0g-'o(o\|{ >3EmE#4l)D(!ό/jUf^kcgV8173,:0s~XLPc-|~/^96R ɠp@p%k\9@b]x"̪\ba1JDm7̊>D]`@gODBUlMRܲW ߛ/6L>]VPVsvDvL> 3[<o5u#Z`G0Q\ޢQ@DJ QWĄv[n3\Q2R39mcp4naDAXG:_U+V1=S˔͐K6×ʳ4vAڌ뼷 S~ٹ;.q50Bb;҉t\fx?7d81€-:i^'Xk?Ǎ}P (ʱH4hs;amUnr-R3SR:KV `g1ۚ.~-EV B7{NfHKrmm 4adoz}p3j 4>g\)@=D+"CR܍~LlfBc C01ᄍ^=wʬ !Bc]6:mʅqDD_;ƒZ?e(TFnNG 6״Ggz$/ۍoaAF;.r? QP<3zT>){J1c1Pn ѥc͒5A{wz%:_ő5Nⴛׂ‚J?W#)M!?D$Z=|%?2:jCVgNT˂z#.Bd.u%+z Lpaޅo@>GfP}Re}(JXSb ɑxn] |sVm& q13n,WxQHxk R`/yfUmE7A|Ue#x1:vϩնf?0/`Yeǘa律tk[EˈA =?~12˛z-U]g;gjDC/OkG,9V@(qQSQR: Tl?Qe(~>.m!_3y-GlPNb+xl! q9֥ļxmaN'$Shwd`fBuԭOxG7#oE,m 0(UOjQs>ӊQ]<儜Οoٞ0ktm,$/њaa-vf_=ﰊNQ``b!AKPq9LnOraw6vqhqT{]4H4NA&ΌoN S)%I-!!%}Kj ݰU/9VV*w! RsfNk7#IT!_ERŲ lZЗh0D`a{iL$da-!u-X<])a0_сq6mikDU#{%k4.ޛLZ ]%éA`{e0'Q`:& ,bV[iKMt\/xFaw6N$U9jL턥) r?Wziɝ3U ?2Y˓}H›r'RKmi$W2]ܭ:S?lԱ56c}1fHi\LnrOdY!gW|yqnBf޹o{FK]OJSXuzȭQ\(k#'2l"}:}dԘ]#typ/?dT5)ɌԴ| 2盳IsGdVNxgj1Ӽޒښ*ڐč>gtz ,dHiܴVQc5]!b5 S #A/3j̳̓W? -RzA9{"z7<6 _4n>^Uh܌/[sLt'zu ؉l[Cip~oF$ޠz~9H2;"E&ʽm:,.IIYOUzYbCYr"JQ&:vm:첕X M5._e,̳S 9۰'Gh{e@~izG|hś-4gb;c~_.e ~j4u.6nf[3FPUZ?'Z"Ds ~Ft)v˻`p0wC?m7tT#G :6xz~E[G]]ak `L_Lñ8cW&KYa9K{Gg-K8,@r"68@:hi^CE3̽pWo 4[,zj!;,Ye5pƆl3QA͹F >AT 4ls>=liyR 9)^盩@>I4ŰCGڹwnUru謶3rV Z#ѿV:C&[&yǎ޳05=KW?TNRU3ь> pWᒓLllfSl\]:Ja6_v5uɱ- KВj2 }$/dmk $hx '5t~)(co qPDP8t-,LW)Phs;h>A 5} 1*˱]B|F3AIFkl|ݥ3ϫOA;i:6=pL*S@LG>9n=o@'X L,yRm*F@X y]XtfU< p3Cl3U#m?K9>T//39M~ } sIDyb3"! })t.Ou' wtBF_XҋnY8*.N c0mw!,>fp wշ0V!`!c/4!_TVKԵxH씚_#\GPpU>I=-ͣ~gfۃ9[a[&i9h8o#kԸz2|I=ٴq qkjV"~ \9ϒӥÿ~ܟjV a|yR}6ig4rGhq POB(86CC|KIR!h2xW@J(͂ Lb}rbZ}-z˶ETvyc+6#,ZtT2t,mwV n3)vWu\/WxE# |Zh벋]_*zd56qD9na iFdBdD[~ŀ/ [)g1]uȘwHTۓa_,hU7 C/>H2Tq8O^GP9s/0}|I) bIs=/R%ԩE}((vZ{^k[ݰ 6B\Vc+XS$6$0^*]ӮBo^l,ɩ"Bme.U؜|10Ӎ*8a7G t:'s뇏9SNkGUYYtKg#8h6'%GFtO4|t;l?|r![+ >qݡ2EUGzqR\* f6+b,++HIܸ "Q'cןUIhf} 'VEgƂ#BwXLI %= ŷ>uc m,uq$6nͩOR5Sn m t>5Qfĺό~β3Ju6@Tr mE놸L~3A!M. ĵ'jmGh = >iLoW!kS{M(>J_%/3f@o3;pl{,RbBU1? 6GGnI>9z|˻ʜEzBqA=_9ۇwҍ-k10u>u#/vCDmfh4[ ծd.t-2 yCŝ%]>G3M_k&XS v:`N-2Ll&seyO?PE4Pvc endstream endobj 2039 0 obj << /Length1 1401 /Length2 6058 /Length3 0 /Length 7007 /Filter /FlateDecode >> stream xڍwT[6R"C7 tw03 ] ҩH(%] " %!)~csZ߷fg}]{_^aa㑵@0$?/H /$¢E@B<P8L?0eS#Q@ 8 Pt~ ~Q =$T0EupD rܿYW 4HG+-ЃB!H`rD"$y^47 E: bBƋ;Bzp{7 .P[ A<Tu@OEr~?ODPد`- { RRE 0'삀^` :P ̇!~Am"N !x?Sz@lQpapo_+{(vn|0'DEeA H $@#n_Nf np75$jA#^ OǿWx @0k{@}3~7 0࿎OIDX;>??# Qaq i?mG Mu;&E\A [ԃ_!?;Rtqg `WH4()j\ *H0J 07P@촡H[|m74( G@-?_>lQE_.J=.P\Qz1 #Q!j@L@@?]_Um==PN/fZkKojn+TrV)Kͳ{~5IO0s͌rveړ%#4;gC>Y!s)ʹH4Ş%=hjDZ"k3L3$NרּUSM(:e1wb5bscE|1Xx n 90cjkX/b9YXŚFi}xp2 ZHTE-͵8o1!G0g<-Nx}:lI Ec&sXsA$qV]66Ϊ3okb.YnCZSh9iMX{#+= O"pRMG4sAIz [&^-pz^&3c\сi'%m=oD+Ek{UZ\]K-b4'0Xz#ᬉS:Qqˋ Png "eS?)<%C2M@GH-]D)מjZF!&gNHݑkN4dRyd2M扅}Yk 1tmb#Mp Gգ9L Ӹ^䉁ØifԇGz%`l恼GL{?u~dٷZ* C}Ce0#O\鶲LGnKRMz~9ei#涡hϟ|sa>9ݡզFǖִ` r6el:&cВeS @%ӱiGHC b/VD~"J]VM$Q& XsWc ?J#OYj1ۯM:'u+Ew"&LBs 0ݰ>$+jDk֡))O*ɮZb19+CoDXF̽GsV߰  }Gjd"L^WW/.Zi!M9΅Md[֮@&sb}ApP9ۊM,IΕSsKJ;w!\#-)%tipFT'݃@f & %^n›W.rv>K]7$e%: :fSnTQ}i֎L˱kz]#7{A" l81`ڗޏ >&~ʄۡei*PZqՠ*Ey F(A>+ufj\i{[ ,ьk;GS'AG)] 'ҶW2Ԫ'(l- {wf4 ǁ$1_N a*`XwMa4!d8dGZ 'mu&G% 9Np6~jR\剏˜Jh^Sp&S*>_#%ӼタJM[@(L3Mhcă;?#&$O3yj!XPoᡘC[Fi7 ~bʩ>ogNwvqi'N/45)PpeXQ~Gbwؔ1g?ZGQ'K~.YNab>#|Xͤ᲎o79WbqנGVv$uW?sqY|uRȑOq!k܈x~?gd!U#y)QzU679/^(K88-sAYav¾^5`QnW-eAh?G%.]S _⁋9sn' ?=s(o@␡GeicK48H!eg3n.is5A2{ֱ]S_6S צ\E̫Xg#|_s-21g Qf^&O>O6B2׵ȺXp<Qj$]ښY$k'?tWtymшP4==v|8Zgq1~y.5m/pUxl: YEd 䪆1kr0F mUϢJٻ>ŕ80AC͝a,*}lU0SX&\Tss#-={,^cR22y;} 7toQ%ـ]ڶ0TŜ Ux1)vCF MǘN2H'ȻdșK2NNSMI-gq "8hwTge OZ 7!yBC&̸,lǗwW"mJ7uY*_2 V#H%#- u~1_rb*s roF@cU\? *07NҶC,f[ŕ !+E]Ŧ@mXFuvOG>b۫\[-a#ݶG.gx;Ǜ7SKU)q|\K:͏/c:Q$HI{w?dzjltoc~=pt>p)UD,~Qg4&H'xPnk1~D!t:j8tśΪJ;tAcP ƴ=}<6O ܌~w%d1w{oƮMf̤FyUX+Zyn|2ηı4δA%ޑ1!Q_DH^K$]ْ]> ZWW͎ ż^ ,!c(<` 5 GnEΌ:S7CS™R%<ܵK.{˲0 zx޻ "i"h{fޣ-hT I>oȝ9jSōdcX~Uk?of-v£1~90?Y.y$Q̟Btz~1ó?Ljڬ;Yݸ2 y@6g`6Bo `geblK շjvL[̤8rܼe OV3꺣bs5Jwdvc2B7*6ψ Hj{);zByt^_^NA9H~CȳQXe.KΕ!ogaAf+^*h(>; X2 i?9RϺc;`v0A|{{P ޣב}@,T_RZ Z[frr*RG {5; &_&;?.`O^j㠻Y3|0V]Md[S>]k$iQ4/.[Ե[rkbWe=%-YfP0`?ꏚ̜ީc~YDH]5 TYȑʪ3Bo#NQyH]^i[[\dٔ>q]P>>UtD0%FM4K' a`t|I3_w^x:|,=s^޵E]ӎɵ V3'hgG6LtvbigoUn *ޤ;ȾFzG=h"Ic2QؖȜ 56N[LŎ:Go karj.t"MޜcqTZ7u|b2KЗ;mC^I|>HUxҌ}Q%󈔗Ӿʨ-zc%\+KKa52&ɷN#̟E<UB}1T*/5 >6#pvw5Lso}Pp;W5T?ox|8 _#`#,C'GlGa]%зa^ͅ:L#&fRcR[ cGL\u+'aNzoEk#z-n;X HDm@Kc3(R"ҍγqKXW$E˯ˈq̂>vqrTX5zSFZ}ՙ endstream endobj 2041 0 obj << /Length1 1398 /Length2 6092 /Length3 0 /Length 7054 /Filter /FlateDecode >> stream xڍx4\ڶ Z}^g{=1 ft轅QDA J""$$os{[֞u繮=6;#A@I@!vvc( Nn BBp@(yAQh= A0HI! Po Klu4p] uvA} s@b| /(бG@0 KwG eP x@FڻC&@0v"r!P^!p$:4z_`|? ODP`{0aNP-CᎿ0$oc;[* zH(׌ҠYpwQH_)C ` 9\78 wt5  PAms"@ QQ ]0v6g@xc@NA @yyCpQ3Nh35~K ~ _wh9"0TTD$@GՀ;!ާ[?3.\D L!?;R~?~{w(\oZ: 5%]#({hF e"U~G}( k #_Ot_>nM.ZC#MHD`eO>kJBA8g 8!~,H #4& @ F6 ߬@w!?`yt}u٠@ag}'.b(Vű$E7OmSαxRUB=ϧI?,"Ж1>g#yJ,;ns#%%guXқ;%PsȂm5faEDema2utؕ@2)wluUPI@h]4-e&Kx-Uj $ȹRUf +m{4ag];z_z7!Dd Nl mKskfSdw8\/ +f4ԙCTT^XhcmM}!l3}.1/$d)yTQT1dZ:@AN=~O!h9s:lUX1#lXyw~ 7d<*FED-wra\aQ!~gyidSabcEc]]| (9Rb OU֊~"&) |2}|K0qA6)^ǂBx6ZE=\*t95QS){ab kE?LBl)*Z9%~O{\),.w6dkI 9/93w[α)$GX#`5"JTq&]gmx^ZϾ,/oy~^ '\ު &5 Q&*NNd?.pqj%؆i.9d{Otq|>J 9* W/+Do㧇f:8+NJ,_km ߩkBghfi)G9{i:DWf̌y*'Gsg92r`̪?B0 ]@ϘT M.e+\x >N^:GM090Z,:jm7ЊHj$; ߽Ր-jL*oy{(swLm}jl/As*]K[:JS7S۔jbyk6Hc2єQx&ߔ,Q(3N/rxNJ[kf͌mC̥2eZ9y[n7rD'خƥ fuSrEƨzB8{ ShءјFSd.ӄE}WO_eq%6mvb\tr5}$ͧ+!>|lͬ.&:rgMr< b>ċ42+ dI|nͱpf&qhAyLDwd3Q-Plng8 ?R*0)i2ewg% W/ BNJk #[tb;b_0U#Ta!IJ|˂sxqbrio n#58,3y#2O0esӆ;`=)F n#bko 8\QEJ^]nrTkE Hp`|\#<(*|tey|`5nU8gvDž Ro'G"z1NPŰRԟz>8_7IlX <.R/ڽD/ʚdo,1I%Q{H).n]i@ӒdžֵjJrA2_Ƭ 2C=?pv'[+sKJJC~%)8f>a xTkmbgˉӖ)2fm|zٛwg9_q= yWCeE(lu^'7Mqn9 ϫPF$rT\Qnf-/T>5 qZb'b*\Gvb$L|G ^Vݧ5AUY"(=3gއ)EL*-7ϗtPKQXꐼe}>vYD >ZhR^&d6pmYWk9ћQy|Wc 䬾?m(;6@]SrȠ8[LImU%a|gXapYI7E:$xIP$"r/1K)")+ZZ*~3t,SDm7Î&&'CZΫ<  pǓڦq^t'OYS ۥtV>3xexy>4L0HbxeĸUTVS:u5 V{Ƹ"#{@]Kt%( `S{qCJ#塚 OW婩ڸKoq.SJ6$SOh.gWv+OgbM s"j@">U1=V!yAg?\sŴ3`kƷOSw捻2rSV'׉5>|QVXK"kgBfsu盈iӌI~Xlτ<~ =dė < | |}2A5B"dJb_ >gշd/1|Tmd 6:1X|!.tO '4c Ya?mfC+6 >*2=d;P)Nq!xd-{{ޖDDL\oNJ{ 5ݞϧI_og)Mzt ~)߂PVm'^}>v Z'Ҝ],,۟.n:E%ͻՉ pCc^jݺ>'[<88q\ˏmمOeY^gBO¨~Κ*]>F3z[@כ>w{H|3&Jl0&MA:F$ըdE2.<'7y&q$,AyhPiE Qj 0q]htCNCt0  _9u՚?oΑ%xjL?6,[V> ѽ'bL qe]{3:V/|،x=S'JVl. %O:p|F5V67lv#LtcׅUpf} V|UOکm%2~]y3̠INnF%魖' =3ض?zopk%rHIℹlYB^OQ7sҠ*"D_J_' 0_ݍ[Ju'HxTwohC3Еv3|w TGDR*8J'1xKr (wE >Vs v^i. |Bqm`}X+@+}ɫo8SЛAq ]:E0oJ/Hy,L̼]_v|+)׏XJ12ћ )[ s3r++7x_ڤ6uH,L#K{K <ӑJWEXw/1A,0q,0"<(> ?SCܝt'/[p?C0YղM\kp"Q>~ގm);W?uӋ^=5DګŤK,kTn;o # O-Ȧ^l=C-BmkWUJ{,ٰ!ylGCC;(fDZ۲W;C?M6~RPfK+:UX8;oWżXo?Úri,EvE;9f/H +I^1 *:Onvt.Vs4ToyxUǑp|"C] 3q z\-f+MI\n@V<8ãll~!9quBKCA]B+J8>rzZeo b*4K&C/3Yi.Jg%50xwu&>^p۩+8ƂzÉyW| "1uLDHf]dAbK0ݫZ烠-U}qe@.|[=Iw fܿ4a;ܩ"O5Dm5bWtcBy*~[Y仝}d8ν|.+1S{%~AZ*X"S埞#4ƭmqmQ7=x[pAp73UïV0EUnzw/} |`N1V_!2.B癟R.śF9R~KN5c;+'5> 3ky6̿2~ǽ@0/ٴYWSԝ%0tcy TidJeB2,Oou; ݏ ]\SdyN{փrfvζ4%aϫpW[{TN.K- %"w_>uaI ~"8>-iWVAG #ơ/|{pv8ڠ endstream endobj 2043 0 obj << /Length1 1736 /Length2 11602 /Length3 0 /Length 12700 /Filter /FlateDecode >> stream xڍP];wwww08 'xn-kBOv{}NCM,ndq1 $ll,llHZnɑu`['?,$]fno2)37Ce'@ ```cpU eak Pf(8`$jI'goW[ks 2wZfn6@Ƿ-N@7 A'd,bfqrgxں4`G3Gߥ Qll)4<\7~sqY]o4@_J0; G [ПfNf o[5PQbqrc,04s;y:@F\`V-\m,`[?jd#5K,% 70Iٺ-ݛڃG欖@v+`rX\V#y;ۼ?x2q|[-?-ٮ@?>oixr|KOYe[o>@iyB0Ԯ.Fȓ$E4Ǿz%g~x-#f{=<6{MhvX+]&i,#;OŮ.SN5iư,=>B4-U6MYP&c 8QB;ĿvTIԊuS/&Id8wWʘ mӈQ|Nt0K+M.=9x\SR0S~oBb/V^úEnh z Zr3x9펱 CTɷdBNnڲrYlaD%Dߡu,٘~J#3 ZٴB &5KE ı8[&@XxE)Z>t9djrG#`b?qY~\GvZa#¡>ˇ~ݱhوȬZ3% g3h͇bOm_3R2tS_Hkǭ⣐r]b-*}#xzN7E4=l)TcɲuE !p@\Wp@Mcչ׵CV_w諥P.b1Ǻ.}؆*K:|T{C"Y>CvYL>Pיz14`,;8 ,B6:Ƀy=w 1#5ePދB32^Pi>r]ZvEɢA$pHJ6UEnx$]}&q;t*B ~_VQ^B1+*6Ql+*l1~s99_Ƴ5|Ui`Ycyګ{͏%I$tI}92?iAx:9'!_SFH}NwAPFY֗9n #7ASt!8x47, tkʍR`;99Ȯ/J`uРg4TKQ$>le)w'R)flNڄ^txyl(s)൦rP`$!I3ihY \}0{8uRGfO}\'=ܠiUV}SxZkznѲÚ`l$WVok EFkM'©/TbF|yMWjW 6 K>F2K]>~*MQHJxK:QxPVI|ƥ.>ų$9uU,jVτLfOOwҡ9 iu.Iѝ t8FA.p?E b+@A~4FJq siX͓KFMA=jηlW@x0&,I:NQl{PyhX,?`)B:wߦ^7̪3oY]"[}KH"~F,)~]mZ c҅Itqc^Pm_˱ K#;FGD˺Xh‡_ԸaN"vjy.ġke1z"Όqe,yM^FѶwi?@"֨G[fD C&XpPؕ`X~fȻK8Y#r?5]MS-f_*ut%ّ"~aAϞḺ3n-]6CHqt;[;w`/%֏y *N"b>JGNMq'q'ȾyT|b A>971r@lNu *Dl)p4~6baG؅вCb)w `ݽ98K15sMO]Z,v(xp@b Lܸ#FfM$a}9hƽFkh5⻭!|ZyiQLj0HXK01W}ZKx]i24慄RBzЯ&o=f/ER/h)܌<:9/F\r[{? I9Z"]M8~Dשmp9M#,72#c.e,eߝ6VYC+ hs \,y3T3G腮J[=PZHMs 0^xe]&Mq~~l;Eҥ.6>mx=Ytz!f"Qz϶Hůyn43P9LB;_|DOw,f'O.iץpvz$9^il>=`I~C6lFuk~0f+ Pt:B,=#N(U_Dx:OB|P" LM/WC&e=#[@lb AԓsHuDS:Ïi7qjx5{s-t~Lex9oA&_Ʒ{g%H _F86sE jʆ##s5GUQ=DESr6v[uSP|#~u}&ԾgKEhh|q^נ>th>jǞ3C&P K'_^? [)鷜03Mo˚=NxO0mR>9ؒC.ƞ"@-օ׸U8&10Ar9쓚2-C-}ٵ޽)~ W?:TܲWVZ7WѧIwbnhx'jfL5އp~z_t=Sj) iVuثY ЂRdmR2D$J[Z\:UTAޠ$\,M$Y&ÙT-C`_ -,j-k)$f?ڰ^u*1xh;ҡTktiOi8fۢHy&^$AN] &65yΣe-MU{S:Eev3x4^ !^OJGmU\B;ߏ[b,0{Dk<~90Li8$廏~ǰh]9߬ 1K'σqQ^cŵ ^aNitT^j^@IW ɝ* NY®:}NN.\/288AsPMGצKk=lO GXScIh6Cy_j"Ȋf:BT( /99Vl;]-s1ys-M!GT23B8(<隞iv - c1l.LUм`Y))I_ZNYJǂJɧ2l=#I|Q%Q$; *1kwy{ 2_4/:)7vǒ,j`Zf&uszQiՎ8ζ"b{ɌfzwZFaО"GPnj\RGzנ"[T$.wЧ}+Z( RXD{fX;|yIS<*d4(o$災V!M1*d+Fg "#|jaZ 6''F%u;@M[H &I}FZTS+lݚֻY(OG!^VJ?bk1TW[1&Zz4;)m_B?(z+T'wABs@P J"L}=!{  8-OF#H۵{̊W$q9l\*ԿǺJAG ڷp~$J9azP/Go}<>Uqm70GQ p+*H%i4T`62օa3`xVP<a-CL+(I ts`2}]ȓF'z "eѐ}֕B p!) —PE>7< "+O_ V. Ervr~cޔlDeXM V oEfE6S38'oek3"lĔgDZ-Ä.13B\h0<4jT` >P-ȀeoV2}|sڅ? r8Ys [iĵSA65q&y 9٭(r"ff6bHk֨e 9x& >,k*-DDpHPn!}gJbU!0@6#hԒ,n4c2O P5!j8G.WPKȮ]<RH9P]FL=mHjoc _jxi,/κO“mN>QړKv{}LctI%O?Α? nH׀œ"϶E(XO_5)K׍|&hۈ jZP8U#k%i,nX&EU;`JX&QS?EƩ"̻EWUpx`9vr Sl +&>-_@lD|zhEḵd6Fd/eʬ#Zwv(tv- kWAn윏v:̀]{T䋾NT0Vd"!ݏ-L!8M$rL2T6jw`w=(䳅}0()>'d(\&FSqm[7b8"Ԇ4 =fZ0HzTڄ6:,acu)mW EBb<$XaOZ`ƭh/eIBwG"Np)bPdH`p=}m}knCGc( p^3{` I]E}ΏKt+Bb#uC}7BƧ_ꑫ_! .  4󈃔^]+g'BPqj{dEuzhwc ;*߫ 柷i|TE{BN,z,D9{}.h&|!mJyq#ޠ*?3?ɦ;<wf S0ifBXg] G(bM}Yv2g!%Ztn\]yj0=dďԥ]v1.GKM8AW/KfSHӾ*:K@.5;lx^RBE hb}9\ب*Ra \, 7_K)(auc=(KԨa4|[:8 Dߝ8uBgvåxx&蓂i2WHh̷Y&x< |GC%[R*biNd &C]ܴKV#]'JdZ{gVgٍk_AB".$BsxiKm^e((kb7!bRQOФ_=Y"PXIFF-0y$SGU3& 9d\$j48ɠDҮRGt߻_PaAvrbgB5f.t|8R;g#oY1odź8yX7O;0FI teL[F5% vUTνU?7_skޚ}㿜?6O 9Mк2Jx ]ꒆ_gf%a@z|<\wLE/yc8.fK;#ͅFtzd mJi֚lϯתD_"c[V.D(m 1H/WŶ?XǕJ$ iD2<ˁJ z %G)X,(/:m6VS1U+:s~!죈yQ? JȌcZq{5܏ٍ~J.i nd!ګou/pAW: qp| @n[dRr_QBxDDJ5*4B{(8髗{pJUG_Y<cT4ҧӘ̦"O\N౼k>FR:JP;sj+&朓BꚛժiX[jx/JPǐ畹t ~^ΏYƔ4{e4Aֳ/yб$jDM< kиː$.cQw(EПtyHGs1`ou<׉kj9ߟNi@5Ό$A/%Q5^aԒZm0I+%o!!;d?5;z9Oa Yn\rgG#IG1+:(`rg Í(JޓQd]/W=fWG /^[rYƋzbqMSBbyTϵ~4Xx >u􂉚Բvޢӝ"Z^;vvH97ʂyj{I(C{Ǖ# SE5Y\cm''`iO Gm.cm^OݭX=xd~ji^H;gҒϑϧHpcyuL5g|X1>8@aQ4L}*)/$K4$d<5u'rtc9 fCJ7lOY7): h̋=N&!M)ÐtYT\w̕_;2?~k@_8=.>~:f(B;% :d#B9p5crҾAaͷ=}3N=_"Hn 4F'%{S3(ID801J0[jmxL`9{Tth>FLjC/^<ܐŏξ@! {!Ghiq|QK7cRu|1]p湃jC-,mbtF r'άK_^zF$i?+>H_LlwtLƚ-dpkM/x_M.y)* 49F/Hh@^$9J.W4AkfV=W:K:Az#&y2H ށ O='oqG9_t5Ŭ^| U~Z SB}ΏJs1VO}iFTx.fkOS=ldԴT{{ q{u= =0D=TE9cФHJHh``vsY$Uvh[x_VACZzg=ޝZrGAOl~H3|9Wes(sJ0FdwGd 6V>S@YrEzzAf"V&ŗTi5s|aN.^ cHqM''\m6Nnd /Eo֧3O*4vofFU .^(حg#ԅ32}WkTvX1v˯=b{_o]v?u)=Ʉ\"2#ua#QYF]}&Jc?]f imΫcɧ8UFrgLIZMC,,)W{qa'R-,1ևnT)o%ʹ{V9j*uOTwZ{ϐI_+r0L-C6-P=+ݿ \޸8bb3s2S])lB8z'G]wv4|<r#?c%ĉJ,@hيB~4ߕ͎'^WG1DZe9&S!OB޾my A&vLj?, WPCYǓQl ^SwRBFzw/UP?Ҩbi -댢 >;O:"D|X.(9[)E--[0m2=e:nA΄Q'7yX/:[^E\ʌ/bOZL[)7Ϫg>܊ |sr>IR " nȚ Xr57&UM2/bݚvٸy] N9HuįNfkIZ+lK^̴#d@-mxsq<S~pT|n~cI nkY b$a&rv}@#C2 HyWd/99nt,')edhg eSG䲯C|xvJ>>;aa\ڪ ~VݜҌKg93>+qKS]( "jթ6=Acتq&eYryJj5T/t&d6ӵp(Ju9,6[$<4+=hK;M̕`EydÆǧQV# 0r Mq{Bsv ̒W= £5$c܅Tmyhq:;¹]̠~O tG}md1RxVJ7.9^׃m#F>pP![mhԔ0['B)8ǽ'F3 # wxIQڇ^l&eʝ)4l/y<ɉIik6[F/ņs'ƏڊNueDT-O\յ z)ʌ~C4E{oh =S5[Xʲxy vҼI>jI4҄I0o)ENt H>;3\,DrIl 6\1=fK1ƌ>M(jҏܲ4ˀB;>1w4%7Wxx#;Bj;). <+ p̷{t# 71f:>PCp딂Bi&_}Yvv٩dݨxA㚗Ŵ9)smCMIIJI-1 endstream endobj 2045 0 obj << /Length1 2800 /Length2 20165 /Length3 0 /Length 21753 /Filter /FlateDecode >> stream xڌP-w >Kpap`-=\[ nw>;9罪{aV*2U &1 PPdcr0#RQiڸ#Gڀpen`C%#@`gge4(1A@WD* 8hl||<.6榎%S7k8=@dntnnN,,̦ +a:F5@ tZ~ P6uS3"@o ḿ`wG !Pq:m#ؘ @69Lm6@"#◡+oajcoj6)@ZL ` \]l\]m+ R +/~6.@sp߽Y9\;G2,ܝX88$ˬn.VVV^v2f@ \ ` .oc Cu5\܁*!,lf@+Gb|.6^}VXPNpc( ; 7z6pu#pp:hqzq\ GTg??Xܬ] #n?1;8_oI ? >[? g7gp$ 7ww_Od?, h42(Fɴ3!4CF~ 6+dZp/2Q[#\D{ڧGDOSEGb DL~O~Zvm]TyX2^ +c;j H_bReϽ&uc"d 'z#ԅ 2*%FC7. Jp޾K0WGW G?'}F-pV[$"`~vfSN;xzitVJ"OGC*hN4@d`C?,f|G^ƒ'Q}df y=*((dܢ :[ QOǐJ{7=V GB-GQ0z-DQWQ\,ۂzEEɐRyrHs7(1a?vlT֯΢ROW(o0|7 1_U,tU?Fԗd" mLoGo{k6>K6~D&5fN9ѧ0U;ω]}ӦWOyˣMkF3J-3^s5cǫ(.;XU N~ܢ{,&oK` TvȲ6Z^ ‹^KRp OvZIݘE<>̑  ^##,#;`S#_tk;s%^IQJ\Gf~IhcKq ڲV 2]džWX/m.)}Eo3n(QC ={w>'KI^n+GhGSi6w-gR^!4C7\Bٷ:`ͱ<ِco9r #z[ƾX痯F'kj3ix%_G ''wIn@3?`"-мOGTN{g=p;)U 6;Đ06RiKڄH1WêDu b Z'>b?6DQ~;M/զex@grI?k*h ]G8Q)E~iIwTcȄ} C=1 p.FԆ2#Ҿo :(AٜN,MU4.uZ߫]܋ӊ2ϱ%7N&?2`c[}5$JEpQ- m2̯Lfh3)e.fdYS3^Q{sFxEM_ vpZ)rVRm]ޛ2cWT&D%m d<g9H"w2Zlsј93~f$DPVv뗹x>Nn^)Y h(f8ЏFNMl' cbSJ&" 䜦Q|t?̋,L2˥l]J:b dZ0o3umHf}3.V6E^iDΒq?L걓,Q[H_T(-ڈC,YUtwEGo768]T()ܢ2 ^>YMDNe q̀Ta~Y| U":C^2fR̞a nbqE;;&_8>Kx+GFHJ QL g)wyP6 96?kiŽplUFJ`+6X W\Ƀ-F;RE^3 R5N2{&/}+ڢ$FnCԴaL$aO|=0nwI<޻+F{X7O҇"NH˯F&c{&@M%}.tO-PsuB5zCg6(md!>A2/N ɭϤI,+v[„FLjVŠeb&%Q 9&Y:Isԗ#$2vŠ~nsk:^1qSt˷Y#[uX!}:))qZlwlx(?s!?66w=&5AmkBMRe#]ql,pR\ | R5n:oUz~]1|H$3;9zL >X%ǽ(A-BW &K !,f<~r0|0 ơūwt)OLz_/=zati8%-Wiuike#lLˏسuZE3JUUS7JNjq(i%sTv?M6YsUir^E`y+ؐۻE<+d\EIzKuGy_qfZ)c)!K&`N$!iSO60^9ǐpeyҦɋ`0b5d܇p[n,Emkz c1IH1K޾8DV0T,oOCG%77YǜY6%&mEC]XJE->߼JLJ;gOp?K1k5a̵d`sDi46rO5mS{phBdEw#&x,T wGBM/kWr]䧀h jRXdfNhHB ~A~П}5$c*aȥM CIw.E-‚" S:].:09`lNIgUZ"\R]=L%#c\JɎKZNTe^8t^ŦH\m+aC()^EHe'Rvv{QZ~m?uCS9+PVF(wjtMLk7HKgx/&vw)*T}94J)QRO55)d:N zY_p$%v&8/GۅԸkíkZ E5ۆ>pՖ(z)ER1H{ FBTn&x L"Ǚ48 M c/NO\7l G29v{cScuV]Knj\-y~s KvD&~ r@ܡ1>ӤCJwݳK_sjm00Q]W&271~^)(q|ں;33BiTߘ MYf!n#iSZC{ mB`\'hI fFj!6͙㵇LwhqMay?;ԓI*'Q6.7E%V1 {#fk CISrޖG҄Gf[5\,\M[˰8^r3_mhFS}C0ӆ{r5ު?-bfIC0}= L[C}=A=ND֭qm;tatx [wVSEVInj _LOl&gxDKe>o!}S!%pLF k)h'w|9y䘰f>̟k'<Ђ=M5;&&MqԠߋ`8,4p7 ezzy jUi'@RM%-"Y [ŤL)O:埰`1EjeZ"_R##M09&k[JXУS tgWkHrXd˂[̃_]YP!57-秊&)UiZr'xM'>aBhӈ +q»z`&G4ϤTSp\7Ȑ 4H{̙TjJN?R8蜲w#:]P/ΛJ3W߱ ,8ݢ9ЧFCY#.X& ! ML+܁əVo"BlDĠgbB0Uœ t_(κ@1$Ir Ƚݼ0QL8?7j;^Mj'F %iEC3g. (1`]?-@|YN.zGBzN]gUCf-ii2 mZ*m Rm»QE֋(ʂLJ(G7IwbOKT9@sQ˒]t̫7AR쵭E}JNM3.T"B1{ __G; 'oQD4Qeg]wlMRl".x+{5)abG%=1^8bFr+#,r)3vƥy~NV,+/ٵSS"vBn.FP}ڷ$a}Om|h ĩeףA~B(t0$շJ:V{h5j ^GZem_~U0U* a1ՅUcW7Vfގli0OU炚d5S? a\~lXP%dm&;` +={'a]|Ҍ)zoc,^oftHs=6j:(ݔ{2zcc}޽7-4*N@YgzH 53zR'}x.SA3Qs{ԫĪzoñ״TWYls,YWr4o3 UXẼd?~uYV(Ѳ$I+@l6ɉu2Rc]7Tе &Hح/ڌgo>8,ߑ%'YBB^p\MaOAPo1;=<֒ӸR[i"K&RͯÀˢxTAV~YZE/Pw7KǺS5`ۊv TehW PYE^-pZ}E謀dzL{2b xy8puJI`tBBG:Vf/O5C87 6,!۲?S':eM1E'@&K:~9JEtʆh,YFEVhwD KU(*Mԗg~]k?V_fid /G'v(#? Oy:^=;m@ϵ+^pMdH5٤'Mn:a6jSSq^.+|s{[P0c2Yz1R1bT]ջt&@*dB3DqݣIP %|%Gn;m>Wx-WfDіCEASJ@ a(IwG]'I+Tt>U_ePO@̘-Lտw#]t&.Jl-U}.XMZASnQmCNaL i&H篎_.F|hC9]kj?oa=2sT:ٺ"\f?\|csFI٩c884RA(K*uSܮgۇs u7ޫԻӢLfsGL*G0cI*_B/}]DT,ZT>cD4^D1_# 4|qiq⳸x@ɐZS`/&ϫ I>a6պ:Ox fcEe5*.>=)MvSk#A1~PeHA'|@g{MiDk K\E(U)wd;Vo_:{fcdl^Kh8j=b߲60:`6mjmؿj-L= .xqȂKe2,'+,Z찾6cq'fa{ ) ס6`>I sʇq't2jP" eck6B-kʺJ AL38kt>§DXFs9,t\9^NYJAQnHCOY=$}0EͳE6B$CVUiXK1~t=o#<2& c;S만K yh˨Sئ4@ -4+PS iQ_ha%0,Èa"&qĬO6:h&( ̠E#}DlV63ލ'|U[ŎJמvϰkf"j jrwgg OW+Ҩ  w?]DHz@턑@sx9r:]lMP X$Pgu݆ 9 tjq>q='%1 Nk{ %F4:yR Hf/!˿#YAC5tdCԓKL(LTM )Snpbvˠ4-l,a.>3&fbn5uA -[Qdrz:Fz]))PQD]"(WkX wk2zSe3'Fut:,|F~?1 }j]S2Κ 9'Kn݃蜥rH)vw52y@gs/H ^"h}э( NjH<tFt*Xž$|Sen0gJfX"LȮ.M9WZ*ki|ARm?J6>?.`^.mę+0cn^u SVKU]:w>_I8 r=2逌){`$i@m0Tk\U68Goh.'!:TR@>|ej?,?ehSyav<)XGuQ[E"6㥚ARk9  'yE3gTN7})з(}wN6ƾ,Rgcv 2g{jycѯ_Zvϲ\GXf6icNa+);]9EamTjE!4]-4g^bjtY)UxzD!T4^Q.pٶ;$ۼNu67 OvZa1.1"d;s2DME.7.rdh(ֿv /&`N_{嬔6R2qRp1PoEziKrg|3IQmDB:Z's@9j4aP;r t9cy"pNO/bۄ;$|}Qw-o2mNPNo^#YFGzSI11>X׳S8TSL{eTgM vL5xs| qb jN?_S I!^1֚eCK:+^+ҤJ= G^k(Aĸ>{ q&bdҶ=DF" H?n{Af3\r hRޖBFmnoDYCWP`$ke['\Lxb{{yY@;&oQN ~Z.rܙ78*\ti7v{C3^bW}3ZB=1>:߮rOLW"ubeB]m}NP2-)J Dq̺{B<2@I TXDBW!;4Dg,psw:- u4(^}t>GC#lͩPʳ1tV};Ȉzv{@uTgY=]܂17<]fV>8~.z:+#Xf.>~[[gKGK6fD3}S^T5Yq;[1;&CmjqYy{zz L&RyԷi 5ʔ7)X&P'+vI\90FqcA[34tMA#*N#%`][Z|D1r2;wIUj!oBt0'ǫ"(?ȴw%byY~5mO4-G~*]ϹF iFUsڇ ]1]Ei#:"qr>#Ls y4Kސ9ѷEvuYz|(f#jW^Go^5,~"gXr1l`ٱeU`QX"slE]~ ޱt-׎5ǡ>&hYYu[}ZQI/9A9ZPZFh6a]r);(SUDl%_w;s&_kgI;papEd]_ LeqEùd*2uZQ#&'R|ޤAL * ?1۞KPrN~Ɋf)1츙 ]:`LoW.s5Pa;6{ft:h'RREx|n-=}!m_p _`7WZלw iG҅< }+c#T6coj/wmta)fFRb ^LtD \uXE?r[*rTLoJIkWËm Yor=M#̚+%-Є璛Hd \QMaIw?'bRJkh 6-5]b7|miiu/!Y'$p[FT7F`5g}*Rp\'15>{YүC6f[k$„ep8j$ X9pZAt,a_f$7TS+yV|DDPrRb規uf~_VV0þ[,RC˹tG04O{Z Ba#wBIrG~_ڏBMKďѼ yǵK!/B0M- 3&%;|E@{n}oCʵr5&fGg\F\v #|$4cVQ "Ȝ*9(^ {xnt'%lbӦ U6VID`{-_l? [ved ]{!qvրHu#;ǽ>s`H62N U4:ȧ=&ř\;u/kLKy{kDe!#g{yv~+9hR;6:t@)9G17Ȗp^GfVw'r~'P{Eײ(K5xJFQwk H!_9F eˇ|_Ul >`*qm&V?A2!$moaHxw{Dz-J⅃L♹ */yV8Vg N2bo4_⼚lV\oD:%Ͷż8̻$e ls$I  DJϓ{KSrڍ2,u7ψ֍s6w !C\PC!2CY i 7U},>KmQ,,hJ&@̱zރa0&«sky)$,CVm#l>r,gA5) N+L `Y)HUA +ZO/&˭9w+SpGлC{ %ecG+( 'tt-`aCy:5~j_-}hRG|; kU"'c nFDuъF7 L",]%Lt'n1*>T#vSZᬼ.t&ajuvNhKVz"ٟQx/v4#@nUE?W͟Cl'z3g$BLtTZ--c@ڐsDGbj^D+]=ljp hR{ۖ<-nZkXZinC|V2ۍfs;PIND؃ԗ?kg2Ēa)Ɇ%FORS0'}9XCK S^NJtT+|2J0J,Q۪LJgo["oLyB('/4O[I\$O锈 aYsHkW53Y݊(PKM5Z/<>7K?sY'iHUU:l|݋$NUt#SkJVZkVz8!bOa* xC{)dlI>Y x~ bXow]z;p`52#&%=윫&U@ǣ V$9=Xö=̤EPvO +C+ qqeaCNp@FѬT b3 O\cbYn=~u)3fY2Qok̩X3@" 0ARe)p5NNT87f+Ə_*D]9Fl{)UDž\^Kʒ+p;tEF#<ۉقwIn4xSIX-/lQOL< ,@[O*vጅtkӦ'fQbn&Ϫp\jN'cWRɣ 8O|/-]*t.ٯ^mB„5}Bszu] lJRyֵ3nddدyOvY)1o{?\wҜBf٨QAݿ׏5>w1(3Xg$-uD'[xLJ|G .&l؀$leԱH{\2j9)ߢ/xG|cR6,ҭ/Ӫ!i›ߝB#KpR\O'pMאsQrf2;*7t嵨{܍WMl+}fTk,*"ԲT)=D gi`ɹD7R1f1ɜVlJOO brrɑM"xRT? VD49)=0ߍ诱E?_#CT<)ꈥ ; YގY3KXZd]?@eQyO}Y;W_6 \`3 %Py}dD){Ȟ JSB17Hɇ %LB=wi햨l.!W*ϙ݂'d"ghQyVur^k׸ʁth`oY{%lZ 8LK+$-R'ESOz|oKF4̉͗ UGq޴>3فՆ{ ovJ/[A&^{ E- :ӖEƦȣMX'ڀ]=A ,ۓEVF$Rvkǁ}߄*gSTOth0ak6*[nKds# [X'Fbjԋ)Z롯 .NE$ Ÿ@V،zF:c)29 F< yr= )2vSDߊ?cQÒT~ bھӾs< K<Ǯqi]@ Ťs|"KK.rʈLD~74z67 Kl>zơBQe AG3r oWqN巋I=bdS |{LIp ʛ{wӒJbwcx7i* 5&ުɓz$/c0oVޱ ¼MTEs7JĤOIUY&gl>B jit jkp: weBI-.X5kVEr(V )..zwC:>QX! bRpOTtb3p2?!ͰXI$d֬wZ}\X ;$ҹݰ<$.kٴ|0Ŕc ,n!ENP~,Ó9E.Q2(F63L?Ix^:z8k~* EA̦oel9Eu 4[SIqN앾]ڸRg_R]^$0۰g_"9Z$D؀"Z&+6KbWXn1h 7D=WȫnURu`t [́g 8Bu' ^=|9. xݗ<;$6<@Љ!$ RzT 2-Ip'0ē}tKӦ wUna;-E1D6v<:P>1+P^gRCf&_ߧM7>a Dۓ<ߡ`ޥ /$ܮbl*?I+kArMQa}*LC'T=Wnp?^Tpwo>Q-+f~X#SS(li5W_] eV ^uL#.=ܺ^sael.P+ZL{vo0VLh lQ ܽh܏'#SxNCު΢"ӅO Q "RlgO3x}H8W"29ḂLQm-N&Sxfyc)_d6mͼiԑZ5WMQTn#_oۆLE0`'%s5>?Z~dP*taMytg __75.de?H|_檳ɬ `hyoČ(6=?[]l`ѳx;@Dfڐ^Iqxd٥7qxhG[BD%ZWzz_ o0Ѿ endstream endobj 2047 0 obj << /Length1 1570 /Length2 3113 /Length3 0 /Length 4106 /Filter /FlateDecode >> stream xڍT 8/2R(_}f0v"Ša,ɒiA(RRY ![e_ Y?zﺾ뚙=ai#Ļ 8,TBDAbިv=Hqj1(8f;'ӈfx` @TY !՟D8.Xo`a`*G pr&ip8N# t8ýH"@&ɑ;=wƬC}|P82 S),=w^8<8$z lNqh&/ P x@j 1z & *F~@$? P!;D (@bdŁ~eQvDl @v>;CSE߽b^8uu@,WP`򊀒* 3%WWTKς 4ݢ_2w -ݐM;YO"?o]}ށ{ nȴ06o⚡X?{p.<$d @!-dfW?v;{š,$B!h˅$$w](y>G,=^}FNNͭ9I}XeBjwK]x1sZCK!fYb^}xfOu2>3!hw,$3L&m(~J矝e#P3fOM7*uݢJoO\gPE,Xfz%Zݪt8nkڗ$b}ߢg dr|R׶s9A5_,-{z\Bh3"Dx9z'UyBeJb*Z5SG/'T=mM&P)̘Ehl*X\xVKJ62T~RWB!xoR0D!IJ-+ gt4 /[mq r6n_i޳3upaudi8RK=v6CWZ泞׺ (@U| 󗉕wah(߱ .avJ鬻dbE֘dGNKUTĊoeJ< xE3,o׿M|1m=3ZaBXٮ%GœOCj}.yb;䷨.IxPqIȼ DeS.c=Xky LǤ,p+zطU'Gk\2${B-psu\& gՓ/(fV )P(ۻKN8\W!cMϤ!v%dLhJˠ'Su#l *n}$jJ慮ZdI9_"цKf%Cb,+ǔ*}8Y^(0[yXJ6^K Ĵ\]+tQXden]'ӉActuvQϲֲZKTLcc nsKeGh1sH]Fk3a nƂut^;-ͯgy/_?/Sy2I>EnA/ wnE n%޻ix\5^=ݔHMW&b ö(%-+Mߪj:&_y@@o.5xi1U=Ņo1xXR57.ih=4>4ڿםxy}=z#&.+vSHN6}(Bv[ 5ښvD AIjbe>WABvILNgEҺ_Nbm5 Fd5+ TI:\R93gO*%nb[,qґZd2"3%ߡ-|RYmɘߒʺK_:g6Z3z^ga=a4I8yC=bG3⋘ .*.5,%7ynnvpx FMwxL~\;wMuy :[rV3M۵U vۣ6no:'ƖPL7e%!g|LJ 5vt13eI:f>x${5^>wUbڔCFN{V 3q*b\ĒNS}۠=Fz\ּ^Z H#l9b}bn&¨.?m}.@:k@]F\ jqx8\&0BLT͜vNHjuKls3o_majk(7-MLvlSAvs6Mz_hoFp&qRUƗU ]J2Kvj\`oWVu ƔU:կ\d)c8o_}oh[*@ݐ~%v7 ]v[MށU}ST>:~?A}J=0ś]G?B$W8ȰC{5ڒt˕8Z,q܉߸ErUdK?οYx^h;ߒzTH%ՠzb*Yqƍ$S'.R)W ]Z5^gE'sgL>\X;warvE{ŮZD*F 1Vgk>n(q[4 -o,59pw'\^0RJ`CX_U`!|y#Yիnj>?:b1;5{Ib6^ݰY:8H:㴭~qX endstream endobj 2049 0 obj << /Length1 2257 /Length2 14767 /Length3 0 /Length 16096 /Filter /FlateDecode >> stream xڍPڶ!5 4и;;wwܝn'+Ǵ1Zs.(ɔTDLl@6N ,̼Ojj<ff6FffV$JJ5?f$J #ֆ_b ӛM l`app23Xy'ց t>1dmm@Hbv`3s76p96O@'s1 jk 9NNvLL@kGF[3Az+r9L (A(cDښ:@7dlcrTev  l,,- mNZm6fS()Dژr}V@;$E7hsrdt[%2o,ac"fkm qrD?qݙYKS_"Lm @Nfffn6r36go7ޞvv7 o)#prpy{ l0mT3Lov2 ~{/[+?/'-Iy9'*jd08Y<]D O2elLm?OOzAoyEoon_@oϴ xg'M)_mb/ւ ߤX i|cn-mbbG[rjV[ dG.[vVΎz X799ޜo/y)19;uzoM8+M|ÿ˿R?z`}cu#-kcgp}[@n cY[c Aw" ۣSۚ)4 mh4Uk7"˛‹ϞMu-^O*-H8}c"?Ԅw4- ;d)흹єr\{j.n+Tq!?N2DG~/1ʜ#sb F}w>}}3.kT6(SgJc'>1 *Oѽ$Y95o46]g&7Ld Rst>F\;*G J[36_0J5<' ڇ5ذ;nvkEL2=jZ΢鱢(snYP(r8lk0PfpT" mGֳ4qA~0.K.5NoK E^(a A[d-{=oXޢ73vwX!Eo 5Y՛ \ԒSO>pC:-*AP?myMg0IwAudlv\۝4ӝox@ \>G`nј2 ;`Tϸ% o~NhqU$Y9΁5-LW; ?Xp^hrIpg}<3 1 q אI6Yn#YF 9(ޖ*b-a_WжQ<ϔ$ \+6Ttu" v{ܭ\\1#:0myLʭvu?W'᭕81ÒKuÿp.Eu%H w:ʅoT<5itfta<~ݸ` l sW8U!NHLbA0eEǹu Bg\G]b0 BnSl=eRU0F:j^ ZCNpܐNs}8ߺ¿V|g@ /" G4DiO]r(=H8Ŝu& hd+N} 8д+ ۴ %e3.;%CgYxFT3jIߋRlejGd fwh}w21RNSAp3,(M3FT#Vۋ3 |4!#h AhݷZrU*;̨{Bs hC{*l0JuեVL M: >|!k$f5OD`N ׈yp\!w)pcKGX?y= ߗ_g5 YI׵\$rG+VZkGԒ %*A/zZThǢn)DaN<69$?{Nt[a0/CvsnT^$>N"eEsǻދ *Cfwy;{u{eޚ`B:0ad9oA^_}k]/L1GʘMAU+oRX6^7D}# ?H@ JfސhFI)z(9~6{gblѼ{yEo g弥[ʹ 16cU:ic F/}Ë&=̴1_t s~7I4D"'À|DnOYvW,+x*БI{Q^I"n:X<0`L`j.K_ C7چIN uQoאIKA, T:xJdv+q&g$Nj;,9=߁B`a4;x,H,>l\"*P+Avxg&{m+0lۯ.I,H};8! B?nYV]QR'=&Kae6ޜ,sYigH„\o|3ƥY`˨@G ~,5OU/Ӱ: ^ݡ4<<E B N9|尐Ro6ߍ|u4C{R͟dЪ o+W~k²KQkXfJ+<⟾S7 Lo$95zAu|׊]!t+!m< n"3W3#77e; kǭ\FX?`}X؏5Z+5&$-$ӯ79×@l {^6&ԯ͗#zac2-`ǧ$ȅ#`MuWB@.yEʼjN%o,M'fhJà00 .p3ݥMͮ-y4*lJ.噂ڜJ`侰W\=Sƅ_ hfbq;:[2 sBuc]ka[D4Vu79nqI”+4'XӨ7Q#v&$v'*U2ık6aĻ+aI`Sr;ѮN0+ g%͔ d~c<+U47PKQY6;5zt?U@"y3Dq!X;&ƸvCɊㆮCwRE6yt6f1")M∋N4W4l`SnOk\$h;2A&FSkE!<(:Yak28v*5MIXԻS_㬈JC( `2Iiڜ~WkO(Ͽ+FNCF=NZ# 6o,~Nt ^)SQ .W1&HWpO4Bt@M\8sng -@vGR~S-?fA?.mG8VGKk4v۟9sFNǠS~FoZnSl2CLho[7)]x]za)}Le+u-56b*r~'rMmC֎L/'2xDúV)gEcl3botܰqM36ASrstGrѓ<6"dof+5kWM(3h/R~a>aT6"|ѹgvm"єHR`uj3T|{uꏍQYae{G;_'I;a_;Llu!'y!䩧/Zi=2V?@wS~}m8B: b!uOщ|V~0|ELC׃)Tf :p(Lr"Iv8+ z )㊌)䄁W,~ܤ@wEܲȯ Ιb[X9;ݨuhBBzs߁FIf-'[~u:--F$ujVkpUM7'kl}mg1&Gg68n7 q"$ Kh@F}KujA۪Vj/5?ƸIZӧe ~SL~;w=v(())˨7 ˑ#g#y"ޒۭzWC-PvW0p*AIeN-htg Tmv1\Y~[Äx R5sC@k+U4,f;ǯQ62GQID[]t1~ͳOӻ}ƳN`R&õob٧zzؙE沇â]&4a~'1a}aoމ- 0rvG1+T۴@Ѧ8杄 @0 ƷA]qwq<ōR:[ol}pUɔț,h͙I™YȦXr(q/SXslș^ ,DV9φ8F5Y/^pnhz:b[!4)+2uoyq'}K}w.=u6R3il.ͪHή3]NdӤ*`pͨV#}DYaNLtxZSɆL=e쯧t;RÀPH`=(pʲW"{Gi<~w's%׺([Z+2ӺK&םJ֞7]Rcc2]V4CnfZFU_T'h jauo`bb_`o73<-̴ΎQKvڨ0mUoSs"(uFc2y,JdۉCh/9UE/ 2$dvi 7ӬI|scNhg)IbV3 i"~;M<{j۫')&URwb oMH7ԝվJ`a _qj[}U tav4 FO!{KuU ĴT`Cy8h^@6^E+Áw<*dkeL胳w 5hrLm3Mvhan_OB0)p„E!Jԟ%)|7': iF9VCƈokz1WW/49U!~.!L|f32M#4B >h,yT`j_tp|_/(|ni=! j|䟁f1Nuhs!é|m*$j!ɫ;u㼬S؆9hJn T4p=^2Gެh xy:Fc y(9L:͐:3{Y!Ogz&}5&{ZzhXV:RݮmCMa Eh|cv~ygv(*[VbJ6G Bﰣ7d=eOjr~eb| kuɪken%U7s#6&>+mQy`ڣ&j1ck]y״:[ZU˥ ],\3vßַEwAL_a◃B]Ԏ1ٱ(AfӤƴp[ ]3Ztb1KwVC ȻZ/BxIϣ~\0!;Gx=#Þ.x ]b#Ξ/&|;tdJ$\L+}="&OK?pıb*P{"d@֕H030`?ٟ[&:#=nB## 8J4*crI:+; b3;g*B#dW4rFNqӣʐ}Rq#v1wM,I)161h%q!; /70YS|e&c@P\/j ͣ(9րi=UQ}{ZB`,$d?NV6Dl6h\v  Jշ)uY a72+EńuRq2׸(FxLK9cDO a-ԶܾLLp;01kd0(ޣ)3WCΧǏ9gc\M~JxT"Ӱ:n`HM=}cr KgXѼ.Tڗӎ4tBҫ{e5GZx;QN Ng(qqK/<V4?HorkŔ^&ǃrt0 Úf 5>6z2jcgyЈˌшiB@{Ǔp"Rc`F?|h<1v M6nh%ڥ?D;v_l7Qעma'9G~z++Q{y2}M+r㧣`N,H0~p'DS0~s^2\ E{ͨ$7X)0pK QY5+& 7LF45d̢Iڇ$(u0!d 4hfql_2\BqN0VTdzoPC͠:Rj+s.NGhC @Z ,bꖣP4~M_i; htzT*e8[יʹԡH z~qU-KvܼQL!̴9^W޽[۱*$Svw y͎B{9@< RE6p!PH)+lm5J$ y xs42&83Փe?9!d6f~J b_D!a?ke؊zRHjSFV,(lI5y%t}3g:+>V@*Lo/X`#[}l[!IZgh)>DvtS=Hx|"I^Dl:ZZ/45s/1u1H%>*A9i9з??܏W(A/?$dZDҴ$8[ؒJ/ipHz8ް!:3)b>D+KGbFpP)F'*k?Շ],-PEMVSp&|>;cٴQC#''Soop 7!W)R;+UѧAxܓ׳  agGdH L{zRECG, %:a]  JmCÄ`(O{C_!eR-peThVC:WGp B%cjRl~}n3O8ZԟxC{ӏr x{xikbIm#`n%X*Ƥ}:Mw["G&9Fb_&+N(*Y'xQYnWhN%ʩrGq4@ kq4A9s'!ΊTrIrfoD-v miBٌnEtt]z.ho5Ro%COzb ưjK*PLӑJvw[O9,:]@[oJj$f*%Ƃ9 fbPQppbe8-/r7j#OF߰*-LҪUg~/l#>Ua%%~,@0aRY⠣jkγmenL&~UgI|?Z- t0hI. A927 xRZwOy{{LLD{R;"S!.Eѹ4hY̗`r!֬z`8VlQͭSk NYX*F,>-LuQpTx48fb eEz·$v9GF}9N٣قeyHH%+kXef^@mdFؔ ؁EpfvZ#NW95Љ1|ibթV0.& 37ijΪZY͍nUe$6 I/V/zLWv= IS#_$,1Rv)43Qȣ"$)gx犇>9Eʁvrd#_q"'|`.9#J`vt:$@}>.+%)0[kѾm|^@`Z*b]0/iN}[ |bC d?紩Α}IcˈUF K}/=H SeF ׏ae=#V-?4Lq,Y pDX22u| ~ШF79<8RWW8mo$q.Y$?s;pF=K-&x 2 #o69كab&Z ]BftY+hs:BM'Zο-!'ʭČ؟\}=>Ͻ<"|!`q8Wě`~L`_(dMW8; *ޖ~BU>J-TC}8O-Y{41tjC =$NpY endstream endobj 2011 0 obj << /Type /ObjStm /N 100 /First 997 /Length 3795 /Filter /FlateDecode >> stream x[ISIWq&&L[DGGx}P^.fNsP)++%_SF3qx&Ɓ,1f-đΘ G@Zpg3# iF:"- K!!!3i:Sܡ\a35rJid e(Wp`hf$,e28S(,LV(YXmq iF`k "X .,ed9SHɜ :sNe6.j5AA @$OJE]ᩣN3Pr|:r{gQC Xz~` π=S)$jD|d4s2φy\I|d@};Hs7X彧pVhtf\j8D`D(8-`9RY #\pYDO LzV!0 b!<1h>V@<? A B#3)uc {`e&k&9p`0~Rۍ㥢*cFF X@Z3  (L"1G;!q=*كzd=5^nr3`(B( >¬VtYNX\( s Qw{QBX{6@[EjS^wi9WYP WϏ3\KQ7! FF$+"s WXˑ e ^! V}ب/|,_"BRuBy{>aFPX]> ?]qC|7b\1.=|+w=>F  KH!_/W>8;b}{5zUuo?.X]MR4Fף<_,'׳zIAʗ hK/O7Un'-̀8_|9#q1S a򆡃/_Nޢ|"n ս>?[#O?DkzJ(JлFHn+i>! LokZ$&;>Fۉ{@.Cuƣѭϝ}|.`}zڇ6ǭN* ،ly%x+" %v1_%" 0UϯΞ!';3M(wxZJĆugȪh^GCs 04rq]>_>"zY7La U nؓ޶2C(܀`Pc7ea%Zz [r[fL)mo;̿>;<~itgu' _ȓ>d (_jGWW'ԃ2'5;ApXLB cPo?M.W7KXL3Ț?JTɌob&iYf`^'FfuP,zrq UBWAy.jA68SRo#h"P,)J*meSk[Zb#5kl&e&^FxueJ7b]J| MG`]FrIM )R"N2P+IEUQE-*"kTDEvJV1*jJ)SU*)UT0#7U0UtU=wU W])80vבZ|#u #4^MDND]yEjE]Z475Z|^/ʘtV+6+8yQBYm]%ˍԵRŻJh\6JmDթW2+Rw탬 l6+j]ʪ`2ϥ̆F7Y֕ e3cM endstream endobj 2057 0 obj << /Type /ObjStm /N 100 /First 890 /Length 2012 /Filter /FlateDecode >> stream xڅZM% _aaI$9F9,'zclj̴*VibBJJ!Պ~@Z \& -a+l _ G^zhSBJI!E~b"S D :&I(T";T%kH-̸0BÔ84M)9(&G(3CtJT(Fiӆԁ*H\ph!K{/P)&FE .#AIa*YYjY bDI1 *ܓQ NR qi.3$b*ǐ(!+yp+k|>|.q 4LeD  =) >oȐ,$K\9CCR!xd BX1@Q24CZVh$qd7֖1eah6ZՃC~߿~;H=~r\˷}w|_Z㧟 %+e2Aُwu- }a ˍXVXjnnu-&a[|"J; xXZڶX`eV^*<+6{Ll󲒨R7OĞZ-%ݟ'%/E+_l?_$GūO.KoSD;X}x=+l#gesv֧R"\{!'U.oŲrȕ\V%#W*XI"ɘC9I 3̣ g RT뛤rSyM8yu)l`yqEU)iJUc|vTIJ*}[R;7f9KMIv|.J>b(yg;v?>}ҡI#1IڋM6ɺ{&kwCcN!R{M e[(kSʥ%iju+GVjUnYv]R̔3C9sZnklI5AaJ;,1X_OηUo--VB9}Я/*w-=MLnd.3Py! Bu$[,S-7.jQaeS;򺎴(n̖HaɚͶUf >ms`yOupSw4ܶQS7jRZ)Eێ2g ?Vy VHͰ14X/ƊeJ%X(+^vͭ7vh2}y4 Wt╓sJ\r:呿>?xEy}.^XR,s"k#ҶX뮢5]FY(,Vc3S7`4_A<Ƴ9KueHJqKzLâX 7]ib0yיUu_,gwBUym*EwX ŏKPΞ)Z)#Ei?#HSӿ#2 )n*˗9.s~ Q@{+|zuR|{ù|l"_}?)DB<ƊǪϕ[2> endobj 2064 0 obj << /Type /ObjStm /N 35 /First 339 /Length 1697 /Filter /FlateDecode >> stream xڵXn9}Wi_O(dr~|&#MTnr>^qru E׀_qd!%yCha_3L{qtv vwʶeݒ-1闷Ͷ-CJ2yL*- ޭrɼ[mA*/8, /K209Sܱ'hܣc '!Qz~PfZp3|o$EyfqʯMtҶ9OO\бH Cnf39^] lŢSau Fi]w_G0Aw+ I?y)[}4DYϺ՗|{963:YͪwGˢ|oAOa;nG74 +Ex79ƙq̃=}Zt/CM%D.ss}I_ B0_.[ꑟ1Uq3/-4]5]-ړYM_yצ<>=;=Q.K|,6 ~=}\lڮoBJ.ﴻnffjyŐ$pH>Ϭo vk,.P=Q\<4m+|l X/<0gɮ=_A*^ÛԚhxWv-4eP/U5 <2H/e/$oRAH#+_?y]vAE)HX?QEa]DgσN[[$ќDsz'QDQrO{nhA ٫V& =袹i49mj6ߴgϚOb?W%y|AѡMz4V 8G5 endstream endobj 2100 0 obj << /Type /XRef /Index [0 2101] /Size 2101 /W [1 3 1] /Root 2098 0 R /Info 2099 0 R /ID [<2EE83D71A8C3B0BC3F3DC4A27E12C856> <2EE83D71A8C3B0BC3F3DC4A27E12C856>] /Length 4885 /Filter /FlateDecode >> stream x%i$]]>]陹ӳ/]3sg_k}y `"H@Dyt"!qqi"T15#$H\b\#y3/9S}=UTMј|=5sidWFcFr|0]@K&[[L_ח̀̄Y0&ata.̃"X K`),VJXa u6F [`+lv. {`/p!8 G(W8)8 4p2\57&܅{pCxihݒ2X gY+` lm18 g<\p}xϧO0yЃH1< x N5Y&pn k$IX&aMš5 k$IX&aMš5 k$IX&aMš5 k$IXvX5 k$IX&aMš5 k$IX&aMš5 k$IX&aMš5 k$IX&aMš5 k$IX&aMš5 k$IX pNjFZׅ̦v DjlbSh #6f h'Ǝ;: <Qt7F~cD3="B!TB!TB5Ek)ZShMz[ҳ$hB ڐ̀̄Y0&ata.̃"X K`),VJXa u6Fa lmvNa}A8c 0'7Sc͇Ğ8̄ VƞɆa}P}x Ac!vɞpJA\W{Xy .[ 6{04:=P^nw_ynۧ6y=}QRҊ}߈|^(c^«}NmUI, *S:ƕ \UK5SyQ˘f+(k=\_pSx*㨚tѪB ïǹ ~2W(^S&Vn(#2F}.!Tt"Ut*%<0ުoʕV=[cU1\+ B8A7mb;.jBVO ߈2K&`rVBZ`/8or英PمZ } Ed[bՊ_{j8zo20` lU`_k]L_nZ .qrV6 rSieq^6K_Klb⚓ా8H5U|uN(_hMIsSpZL U>:O.EcKpYH ʇZWuub%rO6qXUۭ22"~葏\wKDG黡#V+ص8W1!H;=Na 156d+Z&sAO_'`5bdUԙI,eԙ/당Eꋠ):E<1/Y E(j[_"aijVuU<5.Ό>NWƕyRE(M;;S͟rkt[&t,8%jJHFhjW+:xj|XMj'tjwcCs7>\LFIkFډG[|RDry_\KǺƟoXǒeëW RӱUϒr>Fg?}?JgsSwDi}_Rww),%)~gl_/SBŎǤc}JkLlIi뛣])苉!ؗ8^܏i.#>l֏hS)ʸ KoJܿGl_)bCһb8£ x6,c)}<>(!K鳍(gDJ_fKQgG0G##t(/Mָ.M+3ȳ,G)}](nca5ڔw^#F=ݑ]rwdvf A8h ڏF7Rq<[ѹ()0bj12tGEjt݄ye~ ~t+5\7~G5>ӭCo|GOS;cAO!^OhE_Gف KmCܜ %>g95|.S`MO\lpZK!ũ{[WE3թSlu~9J۩퟊rL(c_75__߼6 Ԛ*"$l= Mb1㩵rFS`e=u26|*6*0m{~j}Qz1``Qj}!߀'JXZ_~S2pc*8/2x62XZ+>GG% olOa'lI_R?؛ړbKS{7chj=ƀ㩽3Ǎ7L! ΧoEU4  p1x p N8 <\p .C<}+&܂pB(p-O$ p݃#x O)<^MJ(J(J(J(J(7Cμ˼ɼV6[o檜HgԙtfNg&W=ih:ygؙo6afe&,AffoMzffLfgC?PC?P!IfْYd:PfUY)ePUfYei[faYeVafɘYKfgf1YflfqYfV̙Uؕ9ڷ.GRckZІ `&`t`&̂0 s sȧbXKa V*X k`-6& [`+lv. {`/p!8 G(W8)8 4p2\57&܂p=!<3x/%N玽3IVxػd.g+IVϳWb&xػ w.܃a!<A=O{mSvK7nfIٯ?4yQ4/5;{&/֜4ͯDƻEknhKi?iZƿя͆H}. @deftp {Context struct} {struct sha256_ctx} @end deftp @defvr Constant SHA256_DIGEST_SIZE The size of a SHA256 digest, i.e. 32. @end defvr @defvr Constant SHA256_BLOCK_SIZE The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. @end defvr @deftypefun void sha256_init (struct sha256_ctx *@var{ctx}) Initialize the SHA256 state. @end deftypefun @deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA256_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{sha256_init}. @end deftypefun @deftypefun void sha256_compress (const uint32_t *@var{state}, uint8_t *@var{input}) Perform a raw SHA256 compress on SHA256_BLOCK_SIZE bytes from@var{input} using @var{state} as IV (an array of 8 uint32_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA256). @end deftypefun @subsubsection @acronym{SHA224} SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in @file{}. @deftp {Context struct} {struct sha224_ctx} @end deftp @defvr Constant SHA224_DIGEST_SIZE The size of a SHA224 digest, i.e. 28. @end defvr @defvr Constant SHA224_BLOCK_SIZE The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. @end defvr @deftypefun void sha224_init (struct sha224_ctx *@var{ctx}) Initialize the SHA224 state. @end deftypefun @deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA224_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{sha224_init}. @end deftypefun @subsubsection @acronym{SHA512} SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 octets. Nettle defines SHA512 in @file{}. @deftp {Context struct} {struct sha512_ctx} @end deftp @defvr Constant SHA512_DIGEST_SIZE The size of a SHA512 digest, i.e. 64. @end defvr @defvr Constant SHA512_BLOCK_SIZE The internal block size of SHA512, 128. Useful for some special constructions, in particular HMAC-SHA512. @end defvr @deftypefun void sha512_init (struct sha512_ctx *@var{ctx}) Initialize the SHA512 state. @end deftypefun @deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA512_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{sha512_init}. @end deftypefun @deftypefun void sha512_compress (const uint64_t *@var{state}, uint8_t *@var{input}) Perform a raw SHA512 compress on SHA512_BLOCK_SIZE bytes from @var{input} using @var{state} as IV (an array of 8 uint64_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA512). @end deftypefun @subsubsection @acronym{SHA384 and other variants of SHA512} Several variants of SHA512 have been defined, with a different initial state, and with the output truncated to shorter length than 512 bits. Naming is a bit confused, these algorithms are called SHA512-224, SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, respectively. Nettle defines these in @file{}. @deftp {Context struct} {struct sha512_224_ctx} @deftpx {Context struct} {struct sha512_256_ctx} @deftpx {Context struct} {struct sha384_ctx} These context structs are all the same as sha512_ctx. They are defined as simple preprocessor aliases, which may cause some problems if used as identifiers for other purposes. So avoid doing that. @end deftp @defvr Constant SHA512_224_DIGEST_SIZE @defvrx Constant SHA512_256_DIGEST_SIZE @defvrx Constant SHA384_DIGEST_SIZE The digest size for each variant, i.e., 28, 32, and 48, respectively. @end defvr @defvr Constant SHA512_224_BLOCK_SIZE @defvrx Constant SHA512_256_BLOCK_SIZE @defvrx Constant SHA384_BLOCK_SIZE The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for some special constructions, in particular HMAC-SHA384. @end defvr @deftypefun void sha512_224_init (struct sha512_224_ctx *@var{ctx}) @deftypefunx void sha512_256_init (struct sha512_256_ctx *@var{ctx}) @deftypefunx void sha384_init (struct sha384_ctx *@var{ctx}) Initialize the context struct. @end deftypefun @deftypefun void sha512_224_update (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void sha512_256_update (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void sha384_update (struct sha384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. These are all aliases for sha512_update, which does the same thing. @end deftypefun @deftypefun void sha512_224_digest (struct sha512_224_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void sha512_256_digest (struct sha512_256_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void sha384_digest (struct sha384_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing a digest of the corresponding size to @var{digest}. These function also reset the context in the same way as the corresponding init function. @end deftypefun @subsubsection @acronym{SHA3} @cindex SHA3 The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are very similar to SHA1. SHA3 is a result of a competition, where the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits (28, 32, 48 and 64 octets, respectively). In August 2015, it was formally standardized by NIST, as FIPS 202, @url{https://dx.doi.org/10.6028/NIST.FIPS.202}. Nettle uses the same context struct for all SHA3-variants. @deftp {Context struct} {struct sha3_ctx} @end deftp The corresponding initialization function must be called before any other of the sha3 functions. @deftypefun void sha3_init (struct sha3_ctx *@var{ctx}) Initialize the SHA3 state. @end deftypefun Notes on the SHA3 implementation in older versions of Nettle: @itemize @item Prior to Nettle version 4.0, there were different context structs and initialization functions for each variant, e.g., @code{struct sha3_256_ctx} and @code{sha3_256_init}. For backwards compatibility, the old names are now defined as preprocessor aliases. @item Prior to Nettle version 3.2, the SHA3 implementation was based on the specification at the time Keccak was announced as the winner of the competition, which is incompatible with the final standard and hence with current versions of Nettle. The @file{nette/sha3.h} defines a preprocessor symbol @code{NETTLE_SHA3_FIPS202} to indicate conformance with the standard. @end itemize @defvr Constant NETTLE_SHA3_FIPS202 Defined to 1 in Nettle versions supporting FIPS 202. Undefined in earlier versions. @end defvr @subsubsection @acronym{SHA3-224} This is SHA3 with 224-bit output size. Nettle defines SHA3-224 in @file{}. @defvr Constant SHA3_224_DIGEST_SIZE The size of a SHA3_224 digest, i.e., 28. @end defvr @defvr Constant SHA3_224_BLOCK_SIZE The internal block size of SHA3_224. @end defvr @deftypefun void sha3_224_update (struct sha3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_224_digest (struct sha3_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA3_224_DIGEST_SIZE} octets to @var{digest}. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-256} This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. Nettle defines SHA3-256 in @file{}. @defvr Constant SHA3_256_DIGEST_SIZE The size of a SHA3_256 digest, i.e., 32. @end defvr @defvr Constant SHA3_256_BLOCK_SIZE The internal block size of SHA3_256. @end defvr @deftypefun void sha3_256_update (struct sha3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_256_digest (struct sha3_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA3_256_DIGEST_SIZE} octets to @var{digest}. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-384} This is SHA3 with 384-bit output size. Nettle defines SHA3-384 in @file{}. @defvr Constant SHA3_384_DIGEST_SIZE The size of a SHA3_384 digest, i.e., 48. @end defvr @defvr Constant SHA3_384_BLOCK_SIZE The internal block size of SHA3_384. @end defvr @deftypefun void sha3_384_update (struct sha3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_384_digest (struct sha3_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA3_384_DIGEST_SIZE} octets to @var{digest}. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-512} This is SHA3 with 512-bit output size. Nettle defines SHA3-512 in @file{}. @defvr Constant SHA3_512_DIGEST_SIZE The size of a SHA3_512 digest, i.e. 64. @end defvr @defvr Constant SHA3_512_BLOCK_SIZE The internal block size of SHA3_512. @end defvr @deftypefun void sha3_512_update (struct sha3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_512_digest (struct sha3_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA3_512_DIGEST_SIZE} octets to @var{digest}. This function also resets the context. @end deftypefun @subsubsection @acronym{SHAKE} @cindex SHAKE In addition to those SHA-3 hash functions, Nettle also supports a SHA-3 extendable-output function (XOF) called SHAKE. Unlike hash functions, SHAKE can produce an output digest of any desired length. There are two variants, SHAKE-128 and SHAKE-256, with different security strengths in terms of collision or preimage resistance: SHAKE-128 internally uses a SHA-3 hash function with 128-bit security, while SHAKE-256 corresponds to SHA3-256 which provides 256-bit security. To use SHAKE, the context struct needs to be initialized with the @code{init} function and data is hashed using the @code{update} function. Afterwards, a digest can be generated using either the @code{shake} or @code{shake_ouput} function, where the former generates the digest at once and resets the context, while the latter can be called multiple times to generate the digest in an incremental manner. For SHAKE-128 they are defined as follows. @deftypefun void sha3_128_update (struct sha3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_128_shake (struct sha3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-128 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function also resets the context. @end deftypefun @deftypefun void sha3_128_shake_output (struct sha3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-128 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function does not reset the context. @end deftypefun For SHAKE-256, the @code{update} function is the same as SHA3-256. To generate a digest, use either the @code{shake} or @code{shake_output} function. @deftypefun void sha3_256_shake (struct sha3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-256 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function also resets the context. @end deftypefun @deftypefun void sha3_256_shake_output (struct sha3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-256 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function does not reset the context. @end deftypefun @node Miscellaneous hash functions @subsection Miscellaneous hash functions @subsubsection @acronym{STREEBOG512} STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It outputs hash values of 512 bits, or 64 octets. Nettle defines STREEBOG512 in @file{}. @deftp {Context struct} {struct streebog512_ctx} @end deftp @defvr Constant STREEBOG512_DIGEST_SIZE The size of a STREEBOG512 digest, i.e. 64. @end defvr @defvr Constant STREEBOG512_BLOCK_SIZE The internal block size of STREEBOG512. Useful for some special constructions, in particular HMAC-STREEBOG512. @end defvr @deftypefun void streebog512_init (struct streebog512_ctx *@var{ctx}) Initialize the STREEBOG512 state. @end deftypefun @deftypefun void streebog512_update (struct streebog512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void streebog512_digest (struct streebog512_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{STREEBOG512_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{streebog512_init}. @end deftypefun @subsubsection @acronym{STREEBOG256} STREEBOG256 is a variant of STREEBOG512, with a different initial state, and with the output truncated to 256 bits, or 32 octets. Nettle defines STREEBOG256 in @file{}. @deftp {Context struct} {struct streebog256_ctx} @end deftp @defvr Constant STREEBOG256_DIGEST_SIZE The size of a STREEBOG256 digest, i.e. 32. @end defvr @defvr Constant STREEBOG256_BLOCK_SIZE The internal block size of STREEBOG256. Useful for some special constructions, in particular HMAC-STREEBOG256. @end defvr @deftypefun void streebog256_init (struct streebog256_ctx *@var{ctx}) Initialize the STREEBOG256 state. @end deftypefun @deftypefun void streebog256_update (struct streebog256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void streebog256_digest (struct streebog256_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{STREEBOG256_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{streebog256_init}. @end deftypefun @subsubsection @acronym{SM3} SM3 is a cryptographic hash function standard adopted by the government of the People's Republic of China, which was issued by the Cryptography Standardization Technical Committee of China on December 17, 2010. The corresponding standard is GM/T 0004-2012 ``SM3 Cryptographic Hash Algorithm''. SM3 algorithm is a hash algorithm in ShangMi cryptosystems. SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and the RFC 8998 specification defines the usage of ShangMi algorithm suite in TLS 1.3, etc. According to the State Cryptography Administration of China, its security and efficiency are equivalent to SHA-256. Nettle defines SM3 in @file{}. @deftp {Context struct} {struct sm3_ctx} @end deftp @defvr Constant SM3_DIGEST_SIZE The size of a SM3 digest, i.e. 32. @end defvr @defvr Constant SM3_BLOCK_SIZE The internal block size of SM3. Useful for some special constructions, in particular HMAC-SM3. @end defvr @deftypefun void sm3_init (struct sm3_ctx *@var{ctx}) Initialize the SM3 state. @end deftypefun @deftypefun void sm3_update (struct sm3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sm3_digest (struct sm3_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SM3_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{sm3_init}. @end deftypefun @node Legacy hash functions @subsection Legacy hash functions The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a ``legacy'' hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. @subsubsection @acronym{MD5} MD5 is a message digest function constructed by Ronald Rivest, and described in @cite{RFC 1321}. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in @file{}. @deftp {Context struct} {struct md5_ctx} @end deftp @defvr Constant MD5_DIGEST_SIZE The size of an MD5 digest, i.e. 16. @end defvr @defvr Constant MD5_BLOCK_SIZE The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. @end defvr @deftypefun void md5_init (struct md5_ctx *@var{ctx}) Initialize the MD5 state. @end deftypefun @deftypefun void md5_update (struct md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md5_digest (struct md5_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{MD5_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{md5_init}. @end deftypefun @deftypefun void md5_compress (const uint32_t *@var{state}, uint8_t *@var{input}) Perform a raw MD5 compress on MD5_BLOCK_SIZE bytes from @var{input} using @var{state} as IV (an array of 4 uint32_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard MD5). @end deftypefun The normal way to use MD5 is to call the functions in order: First @code{md5_init}, then @code{md5_update} zero or more times, and finally @code{md5_digest}. After @code{md5_digest}, the context is reset to its initial state, so you can start over calling @code{md5_update} to hash new data. To start over, you can call @code{md5_init} at any time. @subsubsection @acronym{MD2} MD2 is another hash function of Ronald Rivest's, described in @cite{RFC 1319}. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in @file{}. @deftp {Context struct} {struct md2_ctx} @end deftp @defvr Constant MD2_DIGEST_SIZE The size of an MD2 digest, i.e. 16. @end defvr @defvr Constant MD2_BLOCK_SIZE The internal block size of MD2. @end defvr @deftypefun void md2_init (struct md2_ctx *@var{ctx}) Initialize the MD2 state. @end deftypefun @deftypefun void md2_update (struct md2_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md2_digest (struct md2_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{MD2_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{md2_init}. @end deftypefun @subsubsection @acronym{MD4} MD4 is a predecessor of MD5, described in @cite{RFC 1320}. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in @file{}. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols. @deftp {Context struct} {struct md4_ctx} @end deftp @defvr Constant MD4_DIGEST_SIZE The size of an MD4 digest, i.e. 16. @end defvr @defvr Constant MD4_BLOCK_SIZE The internal block size of MD4. @end defvr @deftypefun void md4_init (struct md4_ctx *@var{ctx}) Initialize the MD4 state. @end deftypefun @deftypefun void md4_update (struct md4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md4_digest (struct md4_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{MD4_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{md4_init}. @end deftypefun @subsubsection @acronym{RIPEMD160} RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in @file{nettle/ripemd160.h}. @deftp {Context struct} {struct ripemd160_ctx} @end deftp @defvr Constant RIPEMD160_DIGEST_SIZE The size of a RIPEMD160 digest, i.e. 20. @end defvr @defvr Constant RIPEMD160_BLOCK_SIZE The internal block size of RIPEMD160. @end defvr @deftypefun void ripemd160_init (struct ripemd160_ctx *@var{ctx}) Initialize the RIPEMD160 state. @end deftypefun @deftypefun void ripemd160_update (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void ripemd160_digest (struct ripemd160_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{RIPEMD160_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{ripemd160_init}. @end deftypefun @subsubsection @acronym{SHA1} SHA1 is a hash function specified by @dfn{NIST} (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in @file{}. @deftp {Context struct} {struct sha1_ctx} @end deftp @defvr Constant SHA1_DIGEST_SIZE The size of a SHA1 digest, i.e. 20. @end defvr @defvr Constant SHA1_BLOCK_SIZE The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. @end defvr @deftypefun void sha1_init (struct sha1_ctx *@var{ctx}) Initialize the SHA1 state. @end deftypefun @deftypefun void sha1_update (struct sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha1_digest (struct sha1_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{SHA1_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{sha1_init}. @end deftypefun @deftypefun void sha1_compress (const uint32_t *@var{state}, uint8_t *@var{input}) Perform a raw SHA1 compress on SHA1_BLOCK_SIZE bytes from @var{input} using @var{state} as IV (an array of 5 uint32_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA1). @end deftypefun @subsubsection @acronym{GOSTHASH94 and GOSTHASH94CP} @cindex GOST hash @anchor{GOSTHASH94CP} The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see @cite{RFC 4357}). It outputs message digests of 256 bits, or 32 octets. The standard itself does not fix the S-box used by the hash algorith, so there are two popular variants (the testing S-box from the standard itself and the S-box defined by CryptoPro company, see RFC 4357). Nettle provides support for the former S-box in the form of GOSTHASH94 hash algorithm and for the latter in the form of GOSTHASH94CP hash algorithm. Nettle defines GOSTHASH94 and GOSTHASH94CP in @file{}. @deftp {Context struct} {struct gosthash94_ctx} @end deftp @defvr Constant GOSTHASH94_DIGEST_SIZE The size of a GOSTHASH94 digest, i.e. 32. @end defvr @defvr Constant GOSTHASH94_BLOCK_SIZE The internal block size of GOSTHASH94, i.e., 32. @end defvr @deftypefun void gosthash94_init (struct gosthash94_ctx *@var{ctx}) Initialize the GOSTHASH94 state. @end deftypefun @deftypefun void gosthash94_update (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void gosthash94_digest (struct gosthash94_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{GOSTHASH94_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{gosthash94_init}. @end deftypefun @deftp {Context struct} {struct gosthash94cp_ctx} @end deftp @defvr Constant GOSTHASH94CP_DIGEST_SIZE The size of a GOSTHASH94CP digest, i.e. 32. @end defvr @defvr Constant GOSTHASH94CP_BLOCK_SIZE The internal block size of GOSTHASH94CP, i.e., 32. @end defvr @deftypefun void gosthash94cp_init (struct gosthash94cp_ctx *@var{ctx}) Initialize the GOSTHASH94CP state. @end deftypefun @deftypefun void gosthash94cp_update (struct gosthash94cp_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void gosthash94cp_digest (struct gosthash94cp_ctx *@var{ctx}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing @code{GOSTHASH94CP_DIGEST_SIZE} octets to @var{digest}. This function also resets the context in the same way as @code{gosthash94cp_init}. @end deftypefun @node nettle_hash abstraction @subsection The @code{struct nettle_hash} abstraction @cindex nettle_hash Nettle includes a struct including information about the supported hash functions. It is defined in @file{}, and is used by Nettle's implementation of @acronym{HMAC} (@pxref{Keyed hash functions}). @deftp {Meta struct} @code{struct nettle_hash} name context_size digest_size block_size init update digest The last three attributes are function pointers, of types @code{nettle_hash_init_func *}, @code{nettle_hash_update_func *}, and @code{nettle_hash_digest_func *}. The first argument to these functions is @code{void *} pointer to a context struct, which is of size @code{context_size}. @end deftp @deftypevr {Constant Struct} {struct nettle_hash} nettle_md2 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_md4 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_md5 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_ripemd160 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha1 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha224 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha256 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha384 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha512 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha3_256 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_gosthash94 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_gosthash94cp @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sm3 These are all the hash functions that Nettle implements. @end deftypevr Nettle also exports a list of all these hashes. @deftypefun {const struct nettle_hash **} nettle_get_hashes (void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_hashes A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., @code{nettle_hashes[0]->name} for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases. @end deffn @node Cipher functions @section Cipher functions @cindex Cipher A @dfn{cipher} is a function that takes a message or @dfn{plaintext} and a secret @dfn{key} and transforms it to a @dfn{ciphertext}. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. @cindex Block Cipher @cindex Stream Cipher There are two main classes of ciphers: Block ciphers and stream ciphers. A block cipher can process data only in fixed size chunks, called @dfn{blocks}. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called @dfn{ECB}, Electronic Code Book mode. However, using @acronym{ECB} is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some ``feedback mode'', @dfn{CBC} (Cipher Block Chaining) and @dfn{CTR} (Counter mode) being two of of the most popular. See @xref{Cipher modes}, for information on how to apply @acronym{CBC} and @acronym{CTR} with Nettle. A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of @var{n} octets, you key the generator, generate @var{n} octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. @strong{Caution:} The first rule for this kind of cipher is the same as for a One Time Pad: @emph{never} ever use the same key twice. A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you're reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can't decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in @acronym{CBC} mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message. It is recommended to @emph{always} use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like @acronym{HMAC-SHA1} (@pxref{Keyed hash functions}), or digital signatures like @acronym{RSA}. Some ciphers have so called ``weak keys'', keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don't have any weak keys. To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as @dfn{key setup}. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption. @menu * AES:: * Arcfour:: * Arctwo:: * Blowfish:: * Camellia:: * CAST128:: * ChaCha:: * DES:: * DES3:: * Salsa20:: * Serpent:: * SM4:: * Twofish:: * nettle_cipher abstraction:: @end menu @node AES @subsection AES @cindex AES AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in @file{}, and there is one context struct for each key size. @deftp {Context struct} {struct aes128_ctx} @deftpx {Context struct} {struct aes192_ctx} @deftpx {Context struct} {struct aes256_ctx} @end deftp @defvr Constant AES_BLOCK_SIZE The AES block-size, 16. @end defvr @defvr Constant AES128_KEY_SIZE @defvrx Constant AES192_KEY_SIZE @defvrx Constant AES256_KEY_SIZE @end defvr @defvr Constant AES_KEY_SIZE Default AES key size, 32. @end defvr @deftypefun void aes128_set_encrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes128_set_decrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes192_set_encrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes192_set_decrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes256_set_encrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes256_set_decrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun @deftypefun void aes128_invert_key (struct aes128_ctx *@var{dst}, const struct aes128_ctx *@var{src}) @deftypefunx void aes192_invert_key (struct aes192_ctx *@var{dst}, const struct aes192_ctx *@var{src}) @deftypefunx void aes256_invert_key (struct aes256_ctx *@var{dst}, const struct aes256_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. If the same context struct is passed for both @code{src} and @code{dst}, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the @emph{same} key, because calling, e.g., @code{aes128_set_encrypt_key} and @code{aes128_invert_key}, is more efficient than calling @code{aes128_set_encrypt_key} and @code{aes128_set_decrypt_key}. @end deftypefun @deftypefun void aes128_encrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes192_encrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes256_encrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void aes128_decrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes192_decrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes256_decrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to the encryption functions above. @end deftypefun @node Arcfour @subsection Arcfour @cindex Arcfour @cindex RC4 ARCFOUR is a historic stream cipher, also known under the trade marked name RC4, and was a widely used fast stream cipher. We do not recommend the use of ARCFOUR; the Nettle implementation is provided primarily for interoperability with existing applications and standards. One problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like ``secret:1'', ``secret:2'', @enddots{}. If you have keys that don't look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Another problem is that the output is distinguishable from random data, and that the initial bytes of the generated key stream leak information about the key; for this reason, it was sometimes recommended to discard the first 512, 768 or 1024 bytes of the key stream. @example /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) @{ struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t buffer[0x200]; sha256_init(&hash); sha256_update(&hash, length, key); sha256_digest(&hash, digest); arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest); arcfour_crypt(ctx, sizeof(buffer), buffer, buffer); @} @end example Nettle defines ARCFOUR in @file{}. @deftp {Context struct} {struct arcfour_ctx} @end deftp @defvr Constant ARCFOUR_MIN_KEY_SIZE Minimum key size, 1. @end defvr @defvr Constant ARCFOUR_MAX_KEY_SIZE Maximum key size, 256. @end defvr @defvr Constant ARCFOUR_KEY_SIZE Default ARCFOUR key size, 16. @end defvr @deftypefun void arcfour_set_key (struct arcfour_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void arcfour_crypt (struct arcfour_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called @code{arcfour_crypt} only once with all the data. @end deftypefun @node Arctwo @subsection Arctwo @cindex Arctwo @cindex RC2 ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to @code{sci.crypt} by Peter Gutmann. ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, @code{ekb}. This parameter can be used to artificially reduce the key size. In practice, @code{ekb} is usually set equal to the input key size. Nettle defines ARCTWO in @file{}. We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards. @deftp {Context struct} {struct arctwo_ctx} @end deftp @defvr Constant ARCTWO_BLOCK_SIZE The ARCTWO block-size, 8. @end defvr @defvr Constant ARCTWO_MIN_KEY_SIZE @end defvr @defvr Constant ARCTWO_MAX_KEY_SIZE @end defvr @defvr Constant ARCTWO_KEY_SIZE Default ARCTWO key size, 8. @end defvr @deftypefun void arctwo_set_key_ekb (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}, unsigned @var{ekb}) @deftypefunx void arctwo_set_key (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void arctwo_set_key_gutmann (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for @var{ekb} is 1024, and for convenience, @code{ekb = 0} has the same effect as @code{ekb = 1024}. @code{arctwo_set_key(ctx, length, key)} is equivalent to @code{arctwo_set_key_ekb(ctx, length, key, 8*length)}, and @code{arctwo_set_key_gutmann(ctx, length, key)} is equivalent to @code{arctwo_set_key_ekb(ctx, length, key, 1024)} @end deftypefun @deftypefun void arctwo_encrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void arctwo_decrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{arctwo_encrypt} @end deftypefun @node Blowfish @subsection Blowfish @cindex Blowfish BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in @file{}. @deftp {Context struct} {struct blowfish_ctx} @end deftp @defvr Constant BLOWFISH_BLOCK_SIZE The BLOWFISH block-size, 8. @end defvr @defvr Constant BLOWFISH_MIN_KEY_SIZE Minimum BLOWFISH key size, 8. @end defvr @defvr Constant BLOWFISH_MAX_KEY_SIZE Maximum BLOWFISH key size, 56. @end defvr @defvr Constant BLOWFISH_KEY_SIZE Default BLOWFISH key size, 16. @end defvr @deftypefun int blowfish_set_key (struct blowfish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. @code{blowfish_encrypt} or @code{blowfish_decrypt} with a weak key will crash with an assert violation. @end deftypefun @deftypefun void blowfish_encrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void blowfish_decrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{blowfish_encrypt} @end deftypefun @deftypefun int blowfish_bcrypt_hash (char *@var{dst}, size_t @var{lenkey}, const char *@var{key}, size_t @var{lenscheme}, const char *@var{scheme}, int @var{log2rounds}, const uint8_t *@var{salt}) Compute the bcrypt password hash. The function will return @code{0} if the hash cannot be computed due to invalid input. The function will return @code{1} and store the computed hash in the array pointed to by @var{dst}. The hash is computed based on the chosen @var{scheme}, number of rounds @var{log2rounds} and specified @var{salt}. @var{dst} must point to a character array of at least @code{BLOWFISH_BCRYPT_HASH_SIZE} bytes. @var{key} contains the plaintext password string of size @var{lenkey}. @var{scheme} is of size @var{lenscheme} and contains either just the chosen scheme (valid schemes are: @code{2a}, @code{2b}, @code{2x} or @code{2y}), or (the prefix of) an existing hashed password (typically @code{$2b$10$...}). @var{log2rounds} contains the log2 of the number of encryption rounds that must be used to compute the hash. If it is @code{-1} the value will be extracted from @var{scheme}. @var{salt} should point to an array of @code{BLOWFISH_BCRYPT_BINSALT_SIZE} random bytes to be used to perturb the hash computation. If it is @code{NULL} the salt will be extracted from @var{scheme}. Sample code to generate a bcrypt hash: @example char password[] = "ExamplePassword"; char scheme[] = "2b"; uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE]; @dots{} /* Make sure that salt is filled with random bytes */ @dots{} char hash[BLOWFISH_BCRYPT_HASH_SIZE]; int result = blowfish_bcrypt(hash, sizeof(password) - 1, password, sizeof(scheme) - 1, scheme, 10, salt); if (result) printf("%s\n", hash); @end example @end deftypefun @deftypefun int blowfish_bcrypt_verify (size_t @var{lenkey}, const char *@var{key}, size_t @var{lenhashed}, const char *@var{hashed}) Verifies the bcrypt password hash against the supplied plaintext password. The function will return @code{0} if the password does not match. The function will return @code{1} if the password matches. @var{key} contains the plaintext password string of size @var{lenkey}. @var{hashed} contains the hashed string of size @var{lenhashed} to compare with. Sample code to verify a bcrypt hash: @example char password[] = "ExamplePassword"; char hash[] = "$2y$" /* Hash algorithm version */ "10" /* 2^10 hash rounds (strength) */ "$" /* separator */ "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */ "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */ if (blowfish_bcrypt_verify(sizeof(password) - 1, password, sizeof(hash) - 1, hash)) printf("Password is correct."); else printf("Password is incorrect."); @end example @end deftypefun @node Camellia @subsection Camellia @cindex Camellia Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in @cite{RFC3713}. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at @url{https://www.ntt.co.jp/news/news01e/0104/010417.html}, but this statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in @file{}, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, @code{struct camellia_ctx}, for all key sizes. This interface kept for backwards compatibility). @deftp {Context struct} {struct camellia128_ctx} @deftpx {Context struct} {struct camellia192_ctx} @deftpx {Context struct} {struct camellia256_ctx} Contexts structs. Actually, @code{camellia192_ctx} is an alias for @code{camellia256_ctx}. @end deftp @deftp {Context struct} {struct camellia_ctx} Alternative struct, for the old Camellia interface. @end deftp @defvr Constant CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. @end defvr @defvr Constant CAMELLIA128_KEY_SIZE @defvrx Constant CAMELLIA192_KEY_SIZE @defvrx Constant CAMELLIA256_KEY_SIZE @defvrx Constant CAMELLIA_MIN_KEY_SIZE @defvrx Constant CAMELLIA_MAX_KEY_SIZE @end defvr @defvr Constant CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. @end defvr @deftypefun void camellia128_set_encrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia128_set_decrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia192_set_encrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia192_set_decrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia256_set_encrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia256_set_decrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia_set_encrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void camellia_set_decrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun @deftypefun void camellia128_invert_key (struct camellia128_ctx *@var{dst}, const struct camellia128_ctx *@var{src}) @deftypefunx void camellia192_invert_key (struct camellia192_ctx *@var{dst}, const struct camellia192_ctx *@var{src}) @deftypefunx void camellia256_invert_key (struct camellia256_ctx *@var{dst}, const struct camellia256_ctx *@var{src}) @deftypefunx void camellia_invert_key (struct camellia_ctx *@var{dst}, const struct camellia_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. If the same context struct is passed for both @code{src} and @code{dst}, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the @emph{same} key. @end deftypefun @deftypefun void camellia128_crypt (struct camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia192_crypt (struct camellia192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia256_crypt (struct camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia_crypt (struct camellia_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) The same function is used for both encryption and decryption. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @node CAST128 @subsection CAST128 @cindex CAST CAST-128 is a block cipher, specified in @cite{RFC 2144}. It uses a 64 bit (8 octets) block size, and a key size of 128 bits. It is possible, but discouraged, to use the same algorithm with shorter keys. Nettle refers to the variant with variable key size as CAST-5. Keys for CAST-5 are zero padded to 128 bits, and with very short keys, less than 80 bits, encryption also uses fewer rounds than CAST128. Nettle defines cast128 in @file{}. @deftp {Context struct} {struct cast128_ctx} @end deftp @defvr Constant CAST128_BLOCK_SIZE The CAST128 block-size, 8. @end defvr @defvr Constant CAST128_KEY_SIZE The CAST128 key size, 16. @end defvr @defvr Constant CAST5_MIN_KEY_SIZE Minimum CAST5 key size, 5. @end defvr @defvr Constant CAST5_MAX_KEY_SIZE Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 is the same as CAST-128. @end defvr @deftypefun void cast128_set_key (struct cast128_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void cast128_encrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void cast128_decrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{cast128_encrypt} @end deftypefun @deftypefun void cast5_set_key (struct cast128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. This variant of the key setup takes the key size as argument. The same function is used for both encryption and decryption. @end deftypefun @node ChaCha @subsection ChaCha @cindex ChaCha ChaCha is a variant of the stream cipher Salsa20 (@pxref{Salsa20}), below, also designed by D. J. Bernstein. Nettle defines ChaCha in @file{}. @deftp {Context struct} {struct chacha_ctx} @end deftp @defvr Constant CHACHA_KEY_SIZE ChaCha key size, 32. @end defvr @defvr Constant CHACHA_BLOCK_SIZE ChaCha block size, 64. @end defvr @defvr Constant CHACHA_NONCE_SIZE Size of the nonce, 8. @end defvr @defvr Constant CHACHA_COUNTER_SIZE Size of the counter, 8. @end defvr @deftypefun void chacha_set_key (struct chacha_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you @emph{must} also call @code{chacha_set_nonce}, see below. @end deftypefun @deftypefun void chacha_set_nonce (struct chacha_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. It is always of size @code{CHACHA_NONCE_SIZE}, 8 octets. This function also initializes the block counter, setting it to zero. @end deftypefun @deftypefun void chacha_set_counter (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) Sets the block counter. It is always of size @code{CHACHA_COUNTER_SIZE}, 8 octets. This is rarely needed since @code{chacha_set_nonce} initializes the block counter to zero. When it is still necessary, this function must be called after @code{chacha_set_nonce}. @end deftypefun @deftypefun void chacha_crypt (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to @code{chacha_crypt}, all but the last call @emph{must} use a length that is a multiple of @code{CHACHA_BLOCK_SIZE}. @end deftypefun @subsubsection 32-bit counter variant While the original paper uses 64-bit counter value, the variant defined in @cite{RFC 8439} uses 32-bit counter value. This variant is particularly useful for @pxref{ChaCha-Poly1305} AEAD construction, which supports 12-octet nonces. @defvr Constant CHACHA_NONCE96_SIZE Size of the nonce, 12. @end defvr @defvr Constant CHACHA_COUNTER32_SIZE Size of the counter, 4. @end defvr @deftypefun void chacha_set_nonce96 (struct chacha_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. This is similar to the above @code{chacha_set_nonce}, but the input is always of size @code{CHACHA_NONCE96_SIZE}, 12 octets. @end deftypefun @deftypefun void chacha_set_counter32 (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) Sets the block counter. This is similar to the above @code{chacha_set_counter}, but the input is always of size @code{CHACHA_COUNTER32_SIZE}, 4 octets. @end deftypefun @deftypefun void chacha_crypt32 (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. This is similar to the above @code{chacha_crypt}, but it assumes the internal counter value is 32-bit long and the nonce is 96-bit long. @end deftypefun @node DES @subsection DES @cindex DES DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn't be using plain DES at all today, if one uses DES at all one should be using ``triple DES'', see DES3 below. DES also has some weak keys. Nettle defines DES in @file{}. @deftp {Context struct} {struct des_ctx} @end deftp @defvr Constant DES_BLOCK_SIZE The DES block-size, 8. @end defvr @defvr Constant DES_KEY_SIZE DES key size, 8. @end defvr @deftypefun int des_set_key (struct des_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. @end deftypefun @deftypefun void des_encrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void des_decrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun @deftypefun int des_check_parity (size_t @var{length}, const uint8_t *@var{key}) Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. @end deftypefun @deftypefun void des_fix_parity (size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Adjusts the parity bits to match DES's requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. @var{dst} and @var{src} may be equal. @end deftypefun @node DES3 @subsection DES3 @cindex DES3 @cindex 3DES @cindex Triple-DES The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. The standard way to increase DES's key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then @emph{decrypt} it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as ``ede'' triple-DES, for ``encrypt-decrypt-encrypt''. The ``ede'' construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a ``two-key'' variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force. Naturally, it's simple to implement triple-DES on top of Nettle's DES functions. Nettle includes an implementation of three-key ``ede'' triple-DES, it is defined in the same place as plain DES, @file{}. @deftp {Context struct} {struct des3_ctx} @end deftp @defvr Constant DES3_BLOCK_SIZE The DES3 block-size is the same as DES_BLOCK_SIZE, 8. @end defvr @defvr Constant DES3_KEY_SIZE DES key size, 24. @end defvr @deftypefun int des3_set_key (struct des3_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don't care about weak keys can ignore the return value. @end deftypefun For random-looking strings, you can use @code{des_fix_parity} to adjust the parity bits before calling @code{des3_set_key}. @deftypefun void des3_encrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void des3_decrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun @node Salsa20 @subsection Salsa20 @cindex Salsa20 Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, @pxref{CTR}). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It's also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets). @strong{Caution:} The hash function used in Salsa20 is @emph{not} directly applicable for use as a general hash function. It's @emph{not} collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a @dfn{nonce}, the latter playing a similar rôle to the initialization vector (@acronym{IV}) used with @acronym{CBC} or @acronym{CTR} mode. One can use the same key for several messages, provided one uses a unique random @acronym{iv} for each message. The @acronym{iv} is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in @file{}. @deftp {Context struct} {struct salsa20_ctx} @end deftp @defvr Constant SALSA20_128_KEY_SIZE @defvrx Constant SALSA20_256_KEY_SIZE The two supported key sizes, 16 and 32 octets. @end defvr @defvr Constant SALSA20_KEY_SIZE Recommended key size, 32. @end defvr @defvr Constant SALSA20_BLOCK_SIZE Salsa20 block size, 64. @end defvr @defvr Constant SALSA20_NONCE_SIZE Size of the nonce, 8. @end defvr @deftypefun void salsa20_128_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void salsa20_256_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void salsa20_set_key (struct salsa20_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @code{salsa20_128_set_key} and @code{salsa20_128_set_key} use a fix key size each, 16 and 32 octets, respectively. The function @code{salsa20_set_key} is provided for backwards compatibility, and the @var{length} argument must be either 16 or 32. Before using the cipher, you @emph{must} also call @code{salsa20_set_nonce}, see below. @end deftypefun @deftypefun void salsa20_set_nonce (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. It is always of size @code{SALSA20_NONCE_SIZE}, 8 octets. This function also initializes the block counter, setting it to zero. @end deftypefun @deftypefun void salsa20_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to @code{salsa20_crypt}, all but the last call @emph{must} use a length that is a multiple of @code{SALSA20_BLOCK_SIZE}. @end deftypefun The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see @url{https://www.ecrypt.eu.org/stream/finallist.html}. Nettle calls this variant @code{salsa20r12}. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. @deftypefun void salsa20r12_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds. @end deftypefun @node Serpent @subsection Serpent @cindex Serpent SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES'. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in @file{}. @deftp {Context struct} {struct serpent_ctx} @end deftp @defvr Constant SERPENT_BLOCK_SIZE The SERPENT block-size, 16. @end defvr @defvr Constant SERPENT_MIN_KEY_SIZE Minimum SERPENT key size, 16. @end defvr @defvr Constant SERPENT_MAX_KEY_SIZE Maximum SERPENT key size, 32. @end defvr @defvr Constant SERPENT_KEY_SIZE Default SERPENT key size, 32. @end defvr @deftypefun void serpent_set_key (struct serpent_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void serpent_encrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void serpent_decrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{serpent_encrypt} @end deftypefun @node SM4 @subsection SM4 @cindex SM4 SM4 is a block cipher standard adopted by the government of the People's Republic of China, and it was issued by the State Cryptography Administration on March 21, 2012. The standard is GM/T 0002-2012 ``SM4 block cipher algorithm''. Nettle defines it in @file{}. @deftp {Context struct} {struct sm4_ctx} @end deftp @defvr Constant SM4_BLOCK_SIZE The SM4 block-size, 16. @end defvr @defvr Constant SM4_KEY_SIZE Default SM4 key size, 16. @end defvr @deftypefun void sm4_set_encrypt_key (struct sm4_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The function is used for encryption. @end deftypefun @deftypefun void sm4_set_decrypt_key (struct sm4_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The function is used for decryption. @end deftypefun @deftypefun void sm4_crypt (const struct sm4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Cryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. The same function is used for both encryption and decryption. @end deftypefun @node Twofish @subsection Twofish @cindex Twofish Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in @file{}. @deftp {Context struct} {struct twofish_ctx} @end deftp @defvr Constant TWOFISH_BLOCK_SIZE The TWOFISH block-size, 16. @end defvr @defvr Constant TWOFISH_MIN_KEY_SIZE Minimum TWOFISH key size, 16. @end defvr @defvr Constant TWOFISH_MAX_KEY_SIZE Maximum TWOFISH key size, 32. @end defvr @defvr Constant TWOFISH_KEY_SIZE Default TWOFISH key size, 32. @end defvr @deftypefun void twofish_set_key (struct twofish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void twofish_encrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void twofish_decrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{twofish_encrypt} @end deftypefun @node nettle_cipher abstraction @subsection The @code{struct nettle_cipher} abstraction @cindex nettle_cipher Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in @file{}. @deftp {Meta struct} @code{struct nettle_cipher} name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types @code{nettle_set_key_func *} and @code{nettle_cipher_func *}. The first argument to these functions is a @code{const void *} pointer to a context struct, which is of size @code{context_size}. @end deftp @deftypevr {Constant Struct} {struct nettle_cipher} nettle_aes128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_aes192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_aes256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo40 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo64 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo_gutmann128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arcfour128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_cast128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish256 Nettle includes such structs for all the @emph{regular} ciphers, i.e. ones without weak keys or other oddities. @end deftypevr Nettle also exports a list of all these ciphers without weak keys or other oddities. @deftypefun {const struct nettle_cipher **} nettle_get_ciphers (void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_ciphers A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers. @end deffn @node Cipher modes @section Cipher modes Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher's block size. As explained in @xref{Cipher functions}, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, @acronym{ECB}), leaks information. Besides @acronym{ECB}, Nettle provides several other modes of operation: Cipher Block Chaining (@acronym{CBC}), Counter mode (@acronym{CTR}), Cipher Feedback (@acronym{CFB} and @acronym{CFB8}), XEX-based tweaked-codebook mode with ciphertext stealing (@acronym{XTS}) and a couple of @acronym{AEAD} modes (@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but there are a few subtle issues of information leakage, see, e.g., @url{https://www.kb.cert.org/vuls/id/958563, @acronym{SSH} @acronym{CBC} vulnerability}. Today, @acronym{CTR} is usually preferred over @acronym{CBC}. Modes like @acronym{CBC}, @acronym{CTR}, @acronym{CFB} and @acronym{CFB8} provide @emph{no} message authentication, and should always be used together with a @acronym{MAC} (@pxref{Keyed hash functions}) or signature to authenticate the message. @menu * CBC:: * CTR:: * CFB and CFB8:: * XTS:: @end menu @node CBC @subsection Cipher Block Chaining @cindex Cipher Block Chaining @cindex CBC Mode When using @acronym{CBC} mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in @acronym{CBC} mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an @dfn{IV}, or Initialization Vector, is used as the ``previous ciphertext block''. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data. In symbols, if @code{E_k} is the encryption function of a block cipher, and @code{IV} is the initialization vector, then @code{n} plaintext blocks @code{M_1},@dots{} @code{M_n} are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IV XOR M_1) C_2 = E_k(C_1 XOR M_2) @dots{} C_n = E_k(C_(n-1) XOR M_n) @end example Nettle provides two main functions for applying a block cipher in Cipher Block Chaining (@acronym{CBC}) mode, one for encryption and one for decryption. These functions uses @code{const void *} to pass cipher contexts around. The @acronym{CBC} interface is defined in @file{}. @deftypefun {void} cbc_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cbc_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CBC} mode. The final ciphertext block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cbc_encrypt}. The function @var{f} is of type @code{void @var{f} (const void *@var{ctx}, size_t @var{length}, uint8_t @var{dst}, const uint8_t *@var{src})}, @noindent and the @code{cbc_encrypt} and @code{cbc_decrypt} functions pass their argument @var{ctx} on to @var{f}. @end deftypefun @subsubsection Utility macros There are also some macros to help use these functions correctly. @deffn Macro CBC_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn It can be used to define a @acronym{CBC} context struct, either directly, @example struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) ctx; @end example or to give it a struct tag, @example struct aes256_cbc_ctx CBC_CTX (struct aes256_ctx, AES_BLOCK_SIZE); @end example @deffn Macro CBC_SET_IV (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CBC_CTX}, and the second is a pointer to an Initialization Vector (IV) that is copied into that context. @end deffn @deffn Macro CBC_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) @deffnx Macro CBC_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cbc_encrypt} and @code{cbc_decrypt}. The first argument is a pointer to a context struct as defined by @code{CBC_CTX}, and the second argument is an encryption or decryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn These macros use some tricks to make the compiler display a warning if the types of @var{f} and @var{ctx} don't match, e.g. if you try to use an @code{struct aes256_ctx} context with the @code{des_encrypt} function. @subsubsection Cipher-specific functions Encryption in @acronym{CBC} mode (but not decryption!) is inherently serial. It can pass only one block at a time to the block cipher's encrypt function. Optimizations to process several blocks in parallel can't be applied, and on platforms where the underlying cipher is fast, per-function-call overhead, e.g., loading subkeys from memory into registers, can be significant. Depending on platform and cipher used, @code{cbc_encrypt} can be considerably slower than both @code{cbc_decrypt} and @acronym{CTR} mode. The second reason for poor performance can be addressed by having a combined @acronym{CBC} and encrypt function, for ciphers where the overhead is significant. Nettle currently includes such special functions only for AES. @deftypefun void cbc_aes128_encrypt (const struct aes128_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void cbc_aes192_encrypt (const struct aes192_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void cbc_aes256_encrypt (const struct aes256_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Calling @code{cbc_aes128_encrypt(ctx, iv, length, dst, src)} does the same thing as calling @code{cbc_encrypt(ctx, aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src)}, but is more efficient on certain platforms. @end deftypefun @node CTR @subsection Counter mode @cindex Counter Mode @cindex CTR Mode Counter mode (@acronym{CTR}) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher. The message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If @code{E_k} is the encryption function of a block cipher, @code{IC} is the initial counter, then the @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IC) XOR M_1 C_2 = E_k(IC + 1) XOR M_2 @dots{} C_(n-1) = E_k(IC + n - 2) XOR M_(n-1) C_n = E_k(IC + n - 1) [1..m] XOR M_n @end example The @acronym{IC} is the initial value for the counter, it plays a similar rôle as the @acronym{IV} for @acronym{CBC}. When adding, @code{IC + x}, @acronym{IC} is interpreted as an integer, in network byte order. For the last block, @code{E_k(IC + n - 1) [1..m]} means that the cipher output is truncated to @code{m} bytes. @deftypefun {void} ctr_crypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{ctr}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption function @var{f} in @acronym{CTR} mode. Note that for @acronym{CTR} mode, encryption and decryption is the same operation, and hence @var{f} should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to @code{ctr_crypt}, all but the last call @emph{must} use a length that is a multiple of the block size. @end deftypefun Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CTR_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t ctr[block_size]; @} @end example @end deffn @deffn Macro CTR_SET_COUNTER (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CTR_CTX}, and the second is a pointer to an initial counter that is copied into that context. @end deffn @deffn Macro CTR_CRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{ctr_crypt}. The first argument is a pointer to a context struct as defined by @code{CTR_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @node CFB and CFB8 @subsection Cipher Feedback mode @cindex Cipher Feedback Mode @cindex Cipher Feedback 8-bit Mode @cindex CFB Modes @cindex CFB8 Mode Cipher Feedback mode (@acronym{CFB}) and Cipher Feedback 8-bit mode (@acronym{CFB8}) being close relatives to both @acronym{CBC} mode and @acronym{CTR} mode borrow some characteristics from stream ciphers. For CFB the message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If @code{E_k} is the encryption function of a block cipher, @code{IV} is the initialization vector, then the @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IV) XOR M_1 C_2 = E_k(C_1) XOR M_2 @dots{} C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n @end example Cipher Feedback 8-bit mode (@acronym{CFB8}) transforms block cipher into a stream cipher. The message is encrypted byte after byte, not requiring any padding. If @code{E_k} is the encryption function of a block cipher, @code{b} is @code{E_k} block size, @code{IV} is the initialization vector, then the @code{n} plaintext bytes are transformed into @code{n} ciphertext bytes @code{C_1},@dots{} @code{C_n} as follows: @example I_1 = IV C_1 = E_k(I_1) [1..8] XOR M_1 I_2 = I_1 [9..b] << 8 | C_1 C_2 = E_k(I_2) [1..8] XOR M_2 @dots{} I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) I_n = I_(n-1) [9..b] << 8 | C_(n-1) C_n = E_k(I_n) [1..8] XOR M_n @end example Nettle's includes functions for applying a block cipher in Cipher Feedback (@acronym{CFB}) and Cipher Feedback 8-bit (@acronym{CFB8}) modes. These functions uses @code{void *} to pass cipher contexts around. @deftypefun {void} cfb_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cfb_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CFB} mode. The final ciphertext block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cfb_encrypt}. Note that for @acronym{CFB} mode internally uses encryption only function and hence @var{f} should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to @code{cfb_encrypt}, all but the last call @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun {void} cfb8_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cfb8_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CFB8} mode. The final IV block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cfb8_encrypt}. Note that for @acronym{CFB8} mode internally uses encryption only function and hence @var{f} should always be the encryption function for the underlying block cipher. @end deftypefun Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CFB_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn @deffn Macro CFB_SET_IV(@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second is a pointer to an initialization vector that is copied into that context. @end deffn @deffn Macro CFB_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb_encrypt}. The first argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @deffn Macro CFB_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb_decrypt}. The first argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @deffn Macro CFB8_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn @deffn Macro CFB8_SET_IV (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CFB8_CTX}, and the second is a pointer to an initialization vector that is copied into that context. @end deffn @deffn Macro CFB8_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb8_encrypt}. The first argument is a pointer to a context struct as defined by @code{CFB8_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @deffn Macro CFB8_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb8_decrypt}. The first argument is a pointer to a context struct as defined by @code{CFB8_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @node XTS @subsection XEX-based tweaked-codebook mode with ciphertext stealing @cindex XEX-based tweaked-codebook mode with ciphertext stealing @cindex XTS Mode XEX-based tweaked-codebook mode with ciphertext stealing (@acronym{XTS}) is a block mode like (@acronym{CBC}) but tweaked to be able to encrypt partial blocks via a technique called ciphertext stealing, where the last complete block of ciphertext is split and part returned as the last block and part used as plaintext for the second to last block. This mode is principally used to encrypt data at rest where it is not possible to store additional metadata or blocks larger than the plain text. The most common usage is for disk encryption. Due to the fact that ciphertext expansion is not possible, data is not authenticated. This mode should not be used where authentication is critical. The message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. XTS always uses a fixed blocksize of 128 bit (16 bytes) length. Unlike other modes, the key is double the size of that for the used cipher mode (for example 256bit for AES-128 and 512bit for AES-256). @acronym{XTS} encryption mode operates given: @itemize @item A multiplication by a primitive element alpha. @code{MUL a^j} here represents the multiplication, where @code{j} is the power of alpha, and the input value is converted into a 16 bytes array @code{a_0[k], k = 0,1,..,15}. The multiplication is calculated as @code{a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128)} @code{a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15} Note that this operation is practically a 1 bit left shift operation with carry propagating from one byte to the next, and if the last bit shift results in a carry the decimal value 135 is XORed into the first byte. @item The encryption key is provided as the @code{Key = K1 | K2}, where @code{|} denotes string concatenation. @code{E_k1} is the encryption function of the block cipher using @code{K1} as the key, and @code{E_k2} is the same encryption function using @code{K2} @item A 128 bit tweak value is provided as input and is denoted as @code{IV} @end itemize The @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows. For a plaintext length that is a perfect multiple of the XTS block size: @example T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 @dots{} T_n = T_(n-1) MUL a C_n = E_k1(P_n XOR T_n) XOR T_n @end example For any other plaintext lengths: @example T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 @dots{} T_(n-2) = T_(n-3) MUL a C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2) T_(n-1) = T_(n-2) MUL a CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1) T_n = T_(n-1) MUL a PP = [1..m]Pn | [m+1..128]CC_(n-1) C_(n-1) = E_k1(PP XOR T_n) XOR T_n C_n = [1..m]CC_(n-1) @end example @subsubsection General (@acronym{XTS}) interface. The two general functions to encrypt and decrypt using the @acronym{XTS} block cipher mode are the following: @deftypefun void xts_encrypt_message (const void *@var{enc_ctx}, const void *@var{twk_ctx}, nettle_cipher_func *@var{encf}, const uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_decrypt_message (const void *@var{dec_ctx}, const void *@var{twk_ctx}, nettle_cipher_func *@var{decf}, nettle_cipher_func *@var{encf}, const uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption function @var{encf} or the decryption function @var{decf} in @acronym{XTS} mode. At least one block (16 bytes) worth of data must be available therefore specifying a length less than 16 bytes is illegal. The functions @var{encf} @var{decf} are of type @code{void f (const void *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src})}, @noindent and the @code{xts_encrypt_message} and @code{xts_decrypt_message} functions pass their arguments @var{enc_ctx}, @var{twk_ctx} and @var{dec_ctx} to the functions @var{encf}, @var{decf} as @var{ctx}. @end deftypefun @subsubsection @acronym{XTS}-@acronym{AES} interface The @acronym{AES} @acronym{XTS} functions provide an API for using the @acronym{XTS} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general interface, except that the @var{enc_ctx}, @var{dec_ctx}, @var{twk_ctx}, @var{encf} and @var{decf} are replaced with an @acronym{AES} context structure called @var{ctx}, and a appropriate set-key function must be called before using any of the encryption or decryption functions in this interface. @deftp {Context struct} {struct xts_aes128_key} Holds state corresponding to the AES-128 block cipher. @end deftp @deftp {Context struct} {struct xts_aes256_key} Holds state corresponding to the AES-256 block cipher. @end deftp @deftypefun void xts_aes128_set_encrypt_key (struct xts_aes128_key *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void xts_aes256_set_encrypt_key (struct xts_aes256_key *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void xts_aes128_set_decrypt_key (struct xts_aes128_key *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void xts_aes256_set_decrypt_key (struct xts_aes256_key *@var{ctx}, const uint8_t *@var{key}) Initializes the encryption or decryption key for the AES block cipher. The length of the key must be double the size of the key for the corresponding cipher (256 bits for AES-128 and 512 bits for AES-256). One of these functions must be called before any of the other functions. @end deftypefun @deftypefun void xts_aes128_encrypt_message (struct xts_aes128_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_aes256_encrypt_message (struct xts_aes256_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_aes128_decrypt_message (struct xts_aes128_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_aes256_decrypt_message (struct xts_aes256_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{xts_encrypt_message} and @code{xts_decrypt_message}, except that @var{enc_ctx}, @var{dec_ctx}, @var{twk_ctx}, @var{encf} and @var{decf} are replaced by the @var{ctx} context structure. @end deftypefun @node Authenticated encryption @section Authenticated encryption with associated data @cindex AEAD @cindex Authenticated encryption There are some subtle design choices to be made when combining a block cipher mode without authentication with a @acronym{MAC}. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the ``associated data'', which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called @acronym{AEAD}, Authenticated encryption with associated data. The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step. For encryption, the inputs are: @itemize @item The key, which can be used for many messages. @item A nonce, which must be unique for each message using the same key. @item Additional associated data to be authenticated, but not included in the message. @item The cleartext message to be encrypted. @end itemize The outputs are: @itemize @item The ciphertext, of the same size as the cleartext. @item A digest or ``authentication tag''. @end itemize Decryption works the same, but with cleartext and ciphertext interchanged. Most of the currently supported @acronym{AEAD} algorithms use the encryption function of the underlying block cipher, for both encryption and decryption (OCB being a notable exception). Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle's low level @acronym{AEAD} functions produce the authentication tag as a separate output for both encryption and decryption. Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some @acronym{AEAD} may implement more liberal conventions. The @acronym{CCM} mode is a bit special in that it requires the message lengths up front, other @acronym{AEAD} constructions don't have this restriction. Of the supported @acronym{AEAD} constructions in Nettle, Galois/Counter mode (@acronym{GCM}) is widely used, and was originally designed for high performance in hardware implementations. Software performance is rather poor unless there's an efficient ``carry-less multiplication'' instruction that can be used. Both @acronym{CCM} and @acronym{EAX} use the same building blocks, @acronym{CTR} and @acronym{CMAC}, but the @acronym{EAX} design is cleaner and avoids a couple of inconveniences of @acronym{CCM}. Therefore, @acronym{EAX} seems like a good conservative choice. The ChaCha-Poly1305 scheme is designed for high performance, also on machines without specialized crypto acceleration instructions. The Synthetic Initialization Vector (@acronym{SIV}) modes are designed to not fail catastrophically if a nonce is reused. @menu * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * OCB:: * SIV-CMAC:: * SIV-GCM:: * nettle_aead abstraction:: @end menu @node EAX @subsection EAX The @acronym{EAX} mode is an @acronym{AEAD} mode which combines @acronym{CTR} mode encryption, @xref{CTR}, with a message authentication based on @acronym{CBC}, @xref{CBC}. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). @acronym{EAX} was defined as a reaction to the @acronym{CCM} mode, @xref{CCM}, which uses the same primitives but has some undesirable and inelegant properties. @acronym{EAX} supports arbitrary nonce size; it's even possible to use an empty nonce in case only a single message is encrypted for each key. Nettle's support for @acronym{EAX} consists of a low-level general interface, some convenience macros, and specific functions for @acronym{EAX} using @acronym{AES}-128 as the underlying cipher. These interfaces are defined in @file{} @subsubsection General @acronym{EAX} interface @deftp {Context struct} {struct eax_key} @acronym{EAX} state which depends only on the key, but not on the nonce or the message. @end deftp @deftp {Context struct} {struct eax_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant EAX_BLOCK_SIZE @acronym{EAX}'s block size, 16. @end defvr @defvr Constant EAX_DIGEST_SIZE Size of the @acronym{EAX} digest, also 16. @end defvr @deftypefun void eax_set_key (struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes @var{key}. @var{cipher} gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and @var{f} is the encryption function. @end deftypefun @deftypefun void eax_set_nonce (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) Initializes @var{ctx} for processing a new message, using the given nonce. @end deftypefun @deftypefun void eax_update (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{data_length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. Unlike many other @acronym{AEAD} constructions, for @acronym{EAX} it's not necessary to complete the processing of all associated data before encrypting or decrypting the message data. @end deftypefun @deftypefun void eax_encrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void eax_decrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_digest (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''), and writes @code{EAX_DIGEST_SIZE} octets to @var{digest}. @end deftypefun @subsubsection @acronym{EAX} helper macros The following macros are defined. @deffn Macro EAX_CTX (@var{context_type}) This defines an all-in-one context struct, including the context of the underlying cipher and all @acronym{EAX} state. It expands to @example @{ struct eax_key key; struct eax_ctx eax; context_type cipher; @} @end example @end deffn For all these macros, @var{ctx}, is a context struct as defined by @code{EAX_CTX}, and @var{encrypt} is the encryption function of the underlying cipher. @deffn Macro EAX_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) @var{set_key} is the function for setting the encryption key for the underlying cipher, and @var{key} is the key. @end deffn @deffn Macro EAX_SET_NONCE (@var{ctx}, @var{encrypt}, @var{length}, @var{nonce}) Sets the nonce to be used for the message. @end deffn @deffn Macro EAX_UPDATE (@var{ctx}, @var{encrypt}, @var{length}, @var{data}) Process associated data for authentication. @end deffn @deffn Macro EAX_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro EAX_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) Process message data for encryption or decryption. @end deffn @deffn Macro EAX_DIGEST (@var{ctx}, @var{encrypt}, @var{digest}) Extract the authentication tag for the message. @end deffn @subsubsection @acronym{EAX}-@acronym{AES}128 interface The following functions implement @acronym{EAX} using @acronym{AES}-128 as the underlying cipher. @deftp {Context struct} {struct eax_aes128_ctx} The context struct, defined using @code{EAX_CTX}. @end deftp @deftypefun void eax_aes128_set_key (struct eax_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void eax_aes128_set_nonce (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given nonce. @end deftypefun @deftypefun void eax_aes128_update (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_aes128_encrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void eax_aes128_decrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_aes128_digest (struct eax_aes128_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''), and writes @code{EAX_DIGEST_SIZE} octets to @var{digest}. @end deftypefun @node GCM @subsection Galois counter mode @cindex Galois Counter Mode @cindex GCM Galois counter mode is an @acronym{AEAD} constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular @acronym{MAC} algorithms (@pxref{Keyed hash functions}) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, @url{https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf, NIST Special Publication 800-38D}. It is constructed on top of a block cipher which must have a block size of 128 bits. The authentication in @acronym{GCM} has some known weaknesses, see @url{https://csrc.nist.gov@//groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf}. In particular, don't use @acronym{GCM} with short authentication tags. Nettle's support for @acronym{GCM} consists of a low-level general interface, some convenience macros, and specific functions for @acronym{GCM} using @acronym{AES} or Camellia as the underlying cipher. These interfaces are defined in @file{} @subsubsection General @acronym{GCM} interface @deftp {Context struct} {struct gcm_key} Message independent hash sub-key, and related tables. @end deftp @deftp {Context struct} {struct gcm_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant GCM_BLOCK_SIZE @acronym{GCM}'s block size, 16. @end defvr @defvr Constant GCM_DIGEST_SIZE Size of the @acronym{GCM} digest, also 16. @end defvr @defvr Constant GCM_IV_SIZE Recommended size of the @acronym{IV}, 12. Arbitrary sizes are allowed. @end defvr @deftypefun void gcm_set_key (struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes @var{key}. @var{cipher} gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and @var{f} is the encryption function. @end deftypefun @deftypefun void gcm_set_iv (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{iv}) Initializes @var{ctx} using the given @acronym{IV}. The @var{key} argument is actually needed only if @var{length} differs from @code{GCM_IV_SIZE}. @end deftypefun @deftypefun void gcm_update (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_encrypt} or @code{gcm_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_encrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_decrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_digest (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''), and writes @code{GCM_DIGEST_SIZE} octets to @var{digest}. @end deftypefun To encrypt a message using @acronym{GCM}, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: @code{gcm_set_key}, @code{gcm_set_iv}, @code{gcm_update}, @code{gcm_encrypt}, @code{gcm_digest}. The decryption procedure is analogous, just calling @code{gcm_decrypt} instead of @code{gcm_encrypt} (note that @acronym{GCM} decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call @code{gcm_set_iv} with a new @acronym{iv}. @subsubsection @acronym{GCM} helper macros The following macros are defined. @deffn Macro GCM_CTX (@var{context_type}) This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to @example @{ struct gcm_key key; struct gcm_ctx gcm; context_type cipher; @} @end example @end deffn Example use: @example struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); @end example The following macros operate on context structs of this form. @deffn Macro GCM_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) First argument, @var{ctx}, is a context struct as defined by @code{GCM_CTX}. @var{set_key} and @var{encrypt} are functions for setting the encryption key and for encrypting data using the underlying cipher. @end deffn @deffn Macro GCM_SET_IV (@var{ctx}, @var{length}, @var{data}) First argument is a context struct as defined by @code{GCM_CTX}. @var{length} and @var{data} give the initialization vector (@acronym{IV}). @end deffn @deffn Macro GCM_UPDATE (@var{ctx}, @var{length}, @var{data}) Simpler way to call @code{gcm_update}. First argument is a context struct as defined by @code{GCM_CTX} @end deffn @deffn Macro GCM_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro GCM_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro GCM_DIGEST (@var{ctx}, @var{encrypt}, @var{digest}) Simpler way to call @code{gcm_encrypt}, @code{gcm_decrypt} or @code{gcm_digest}. First argument is a context struct as defined by @code{GCM_CTX}. Second argument, @var{encrypt}, is the encryption function of the underlying cipher. @end deffn @subsubsection @acronym{GCM}-@acronym{AES} interface The following functions implement the common case of @acronym{GCM} using @acronym{AES} as the underlying cipher. @deftp {Context struct} {struct gcm_aes128_ctx} @deftpx {Context struct} {struct gcm_aes192_ctx} @deftpx {Context struct} {struct gcm_aes256_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftypefun void gcm_aes128_set_key (struct gcm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_aes192_set_key (struct gcm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_aes256_set_key (struct gcm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_aes128_set_iv (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes192_set_iv (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes256_set_iv (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_aes128_update (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes192_update (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes256_update (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_aes_encrypt} or @code{gcm_aes_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_aes128_encrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes192_encrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes256_encrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes128_decrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes192_decrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes256_decrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_aes128_digest (struct gcm_aes128_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void gcm_aes192_digest (struct gcm_aes192_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void gcm_aes256_digest (struct gcm_aes256_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''), and writes @code{GCM_DIGEST_SIZE} octets to @var{digest}. @end deftypefun @subsubsection @acronym{GCM}-Camellia interface The following functions implement the case of @acronym{GCM} using Camellia as the underlying cipher. @deftp {Context struct} {struct gcm_camellia128_ctx} @deftpx {Context struct} {struct gcm_camellia256_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftypefun void gcm_camellia128_set_key (struct gcm_camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_camellia256_set_key (struct gcm_camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_camellia128_update (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_camellia256_update (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_camellia_encrypt} or @code{gcm_camellia_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_camellia128_digest (struct gcm_camellia128_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia192_digest (struct gcm_camellia192_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia256_digest (struct gcm_camellia256_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia_digest (struct gcm_camellia_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''), and writes @code{GCM_DIGEST_SIZE} octets to @var{digest}. @end deftypefun @subsubsection @acronym{GCM}-SM4 interface The following functions implement the case of @acronym{GCM} using SM4 as the underlying cipher. @deftp {Context struct} {struct gcm_sm4_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftypefun void gcm_sm4_set_key (struct gcm_sm4_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_sm4_set_iv (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_sm4_update (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_sm4_encrypt} or @code{gcm_sm4_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_sm4_encrypt (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_sm4_decrypt (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_sm4_digest (struct gcm_sm4_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''), and writes @code{GCM_DIGEST_SIZE} octets to @var{digest}. @end deftypefun @node CCM @subsection Counter with CBC-MAC mode @cindex Counter with CBC-MAC Mode @cindex CCM Mode @acronym{CCM} mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as @acronym{EAX}, @pxref{EAX}. It is constructed on top of a block cipher which must have a block size of 128 bits. @acronym{CCM} mode is recommended by NIST in @url{https://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf, NIST Special Publication 800-38C}. Nettle's support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in @file{}. In @acronym{CCM}, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is @math{2^24 - 1} octets. @acronym{CCM} mode encryption operates as follows: @itemize @item The nonce and message length are concatenated to create @code{B_0 = flags | nonce | mlength} @item The authenticated data and plaintext is formatted into the string @code{B = L(adata) | adata | padding | plaintext | padding} with @code{padding} being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and @code{L(adata)} is an encoding of the length of @code{adata}. @item The string @code{B} is separated into blocks @code{B_1} ... @code{B_n} @item The authentication tag @code{T} is calculated as @code{T=0, for i=0 to n, do T = E_k(B_i XOR T)} @item An initial counter is then initialized from the nonce to create @code{IC = flags | nonce | padding}, where @code{padding} is the shortest string of zero bytes such that @code{IC} is exactly one block in length. @item The authentication tag is encrypted using using @acronym{CTR} mode: @code{MAC = E_k(IC) XOR T}. The tag size must be even, at least 4, and at most 16. The intended tag size is encoded into @code{IC} via the @code{flags} field. @item The plaintext is then encrypted using @acronym{CTR} mode with an initial counter of @code{IC+1}. @end itemize @acronym{CCM} mode decryption operates similarly, except that the ciphertext and @acronym{MAC} are first decrypted using CTR mode to retrieve the plaintext and authentication tag. The authentication tag can then be recalculated from the authenticated data and plaintext, and compared to the value in the message to check for authenticity. @subsubsection General @acronym{CCM} interface For all of the functions in the @acronym{CCM} interface, @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. The cipher's encryption key must be set before calling any of the @acronym{CCM} functions. The cipher's decryption function and key are never used. @deftp {Context struct} {struct ccm_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant CCM_BLOCK_SIZE @acronym{CCM}'s block size, 16. @end defvr @defvr Constant CCM_DIGEST_SIZE Recommended size of the @acronym{CCM} digest, 16. @end defvr @defvr Constant CCM_MIN_DIGEST_SIZE Smallest size of the @acronym{CCM} digest, 4. @end defvr @defvr Constant CCM_MIN_NONCE_SIZE @defvrx Constant CCM_MAX_NONCE_SIZE The the minimum and maximum sizes for an @acronym{CCM} nonce, 7 and 14, respectively. @end defvr @deffn Macro CCM_MAX_MSG_SIZE (@var{nonce_size}) The largest allowed plaintext length, when using @acronym{CCM} with a nonce of the given size. @end deffn @deftypefun void ccm_set_nonce (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) Initializes @var{ctx} using the given nonce and the sizes of the authenticated data, message, and @acronym{MAC} to be processed. @end deftypefun @deftypefun void ccm_update (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. Must be called after @code{ccm_set_nonce}, and before @code{ccm_encrypt}, @code{ccm_decrypt}, or @code{ccm_digest}. @end deftypefun @deftypefun void ccm_encrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_decrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the message data. Must be called after @code{ccm_set_nonce} and before @code{ccm_digest}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ccm_digest (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It writes @var{taglen} octets to the @var{digest} area, where @var{taglen} is the parameter supplied to @code{ccm_set_nonce} earlier. A buffer of size @code{CCM_DIGEST_SIZE}, i.e., 16, is always sufficient. @end deftypefun To encrypt a message using the general @acronym{CCM} interface, set the message nonce and length using @code{ccm_set_nonce} and then call @code{ccm_update} to generate the digest of any authenticated data. After all of the authenticated data has been digested use @code{ccm_encrypt} to encrypt the plaintext. Finally, use @code{ccm_digest} to return the encrypted @acronym{MAC}. To decrypt a message, use @code{ccm_set_nonce} and @code{ccm_update} the same as you would for encryption, and then call @code{ccm_decrypt} to decrypt the ciphertext. After decrypting the ciphertext @code{ccm_digest} will return the encrypted @acronym{MAC} which should be identical to the @acronym{MAC} in the received message. @subsubsection @acronym{CCM} message interface The @acronym{CCM} message functions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by @var{mlength} and the length of the ciphertext is given by @var{clength}, always exactly @var{tlength} bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, @var{clength} for the encryption functions, and @var{mlength} for the decryption functions. @deftypefun void ccm_encrypt_message (const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the encrypted @acronym{MAC} to ciphertext and outputs it to @var{dst}. @end deftypefun @deftypefun int ccm_decrypt_message (const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the @acronym{MAC} from @var{adata} and the plaintext, and compares it to the final @var{tlength} bytes of @var{src}. If the values of the received and calculated @acronym{MAC}s are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @subsubsection @acronym{CCM}-@acronym{AES} interface The @acronym{AES} @acronym{CCM} functions provide an API for using @acronym{CCM} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context structure, and a set-key function must be called before using any of the other functions in this interface. @deftp {Context struct} {struct ccm_aes128_ctx} Holds state corresponding to a particular message encrypted using the AES-128 block cipher. @end deftp @deftp {Context struct} {struct ccm_aes192_ctx} Holds state corresponding to a particular message encrypted using the AES-192 block cipher. @end deftp @deftp {Context struct} {struct ccm_aes256_ctx} Holds state corresponding to a particular message encrypted using the AES-256 block cipher. @end deftp @deftypefun void ccm_aes128_set_key (struct ccm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void ccm_aes192_set_key (struct ccm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void ccm_aes256_set_key (struct ccm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the @acronym{AES} @acronym{CCM} interface. @end deftypefun @deftypefun void ccm_aes128_set_nonce (struct ccm_aes128_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) @deftypefunx void ccm_aes192_set_nonce (struct ccm_aes192_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) @deftypefunx void ccm_aes256_set_nonce (struct ccm_aes256_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) These are identical to @code{ccm_set_nonce}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_update (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void ccm_aes192_update (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void ccm_aes256_update (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) These are identical to @code{ccm_update}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_encrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_encrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_encrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes128_decrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_decrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_decrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{ccm_encrypt} and @code{ccm_decrypt}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_digest (struct ccm_aes128_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void ccm_aes192_digest (struct ccm_aes192_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void ccm_aes256_digest (struct ccm_aes256_ctx *@var{ctx}, uint8_t *@var{digest}) These are identical to @code{ccm_digest}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. The number of octets written to the @var{digest} area is determined by the @var{taglen} parameter supplied to the corresponding @code{_set_nonce} function earlier. @end deftypefun @deftypefun void ccm_aes128_encrypt_message (const struct aes128_ctx *@var{cipher}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_encrypt_message (const struct aes192_ctx *@var{cipher}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_encrypt_message (const struct aes256_ctx *@var{cipher}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes128_decrypt_message (const struct aes128_ctx *@var{cipher}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes192_decrypt_message (const struct aes192_ctx *@var{cipher}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes256_decrypt_message (const struct aes256_ctx *@var{cipher}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{ccm_encrypt_message} and @code{ccm_decrypt_message} except that @var{cipher} is an AES context and the encryption function @var{f} is implied. @end deftypefun @node ChaCha-Poly1305 @subsection ChaCha-Poly1305 ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (@pxref{Poly1305}). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha. Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 8439}, where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte block counter. This allows up to 256 gigabytes of data to be encrypted using the same key and nonce. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver's behaviour) that the forgery succeeded. The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in @file{}. @defvr Constant CHACHA_POLY1305_BLOCK_SIZE Same as the ChaCha block size, 64. @end defvr @defvr Constant CHACHA_POLY1305_KEY_SIZE ChaCha-Poly1305 key size, 32. @end defvr @defvr Constant CHACHA_POLY1305_NONCE_SIZE ChaCha-Poly1305 nonce size, 12. @end defvr @defvr Constant CHACHA_POLY1305_DIGEST_SIZE Digest size, 16. @end defvr @deftp {Context struct} {struct chacha_poly1305_ctx} @end deftp @deftypefun void chacha_poly1305_set_key (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. Before using the context, you @emph{must} also call @code{chacha_poly1305_set_nonce}, see below. @end deftypefun @deftypefun void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{nonce}) Initializes the per-message state, using the given nonce. @end deftypefun @deftypefun void chacha_poly1305_update (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. @end deftypefun @deftypefun void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void chacha_poly1305_digest (struct chacha_poly1305_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''), and writes @code{CHACHA_POLY1305_DIGEST_SIZE} octets to @var{digest}. @end deftypefun @node OCB @subsection @acronym{OCB} (Offset Code Book) Mode @cindex OCB @cindex OCB mode @cindex Offset Code Book The @acronym{OCB} mode is an @acronym{AEAD} construction, featuring particularly fast and simple authentication; it needs one block cipher operation per data block, and almost free authentication. It is constructed on top of a block cipher which must have a block size of 128 bits. There have been several versions of the OCB scheme, the implementation in Nettle follows @cite{RFC 7253}, which is almost the same as the scheme OCB3. @subsubsection General interface @deftp {Context struct} {struct ocb_key} @acronym{OCB} state which depends only on the key, but not on the nonce or the message. @end deftp @deftp {Context struct} {struct ocb_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant OCB_BLOCK_SIZE The block size for @acronym{OCB}'s block size, 16. @end defvr @defvr Constant OCB_MAX_NONCE_SIZE The maximum nonce size for @acronym{OCB}, 15. @end defvr @defvr Constant OCB_DIGEST_SIZE Recommended size of the @acronym{OCB} authentication tag, 16. @end defvr @deftypefun void ocb_set_key (struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes the @var{key} struct. The @var{cipher} context must be initialized for encryption, and @var{f} should be the corresponding encryption function. @end deftypefun @deftypefun void ocb_set_nonce (struct ocb_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{tag_length}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) Initializes @var{ctx} for processing a new message, using the given nonce. The @var{cipher} must be initialized for encryption, and @var{f} should be the corresponding encryption function. The @var{tag_length} (non-zero, and at most 16) is included when initializing the state. Nonce is optional, and length at most 15 bytes. @end deftypefun @deftypefun void ocb_update (struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_encrypt (struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_decrypt (struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{encrypt_ctx}, nettle_cipher_func *@var{encrypt}, const void *@var{decrypt_ctx}, nettle_cipher_func *@var{decrypt}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the data of a message. @var{encrypt_ctx} and @var{encrypt} define the encryption operation of the underlying cipher, while @var{decrypt_ctx} and @var{decrypt} represent the decryption operation (for some ciphers, one of context pointer and function pointer may be the same). All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_digest (const struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It writes @var{tag_length} octets to the @var{digest} area, where @var{tag_length} is the parameter supplied to @code{ocb_set_nonce} earlier. A buffer of size @code{OCB_DIGEST_SIZE}, i.e., 16, is always sufficient. @end deftypefun @deftypefun void ocb_encrypt_message (const struct ocb_key *@var{ocb_key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the tag to the ciphertext and writes it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @var{tlength}. @end deftypefun @deftypefun int ocb_decrypt_message (const struct ocb_key *@var{ocb_key}, const void *@var{encrypt_ctx}, nettle_cipher_func *@var{encrypt}, const void *@var{decrypt_ctx}, nettle_cipher_func *@var{decrypt}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}. Like @code{ocb_decrypt}, it needs both the encrypt and the decrypt function of the underlying cipher. It also recalculates the authentication tag from @var{adata} and the plaintext, and compares it to the final @var{tlength} bytes of @var{src}. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @subsubsection @acronym{OCB-AES} interface @deftp {Context struct} {struct ocb_aes128_encrypt_key} Key-dependent state for encryption using @acronym{OCB-AES128}. For decryption, a separate @code{struct aes128_ctx}, initialized for decryption, is needed as well. @end deftp @deftypefun void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *@var{ocb}, const uint8_t *@var{key}) Initializes @var{ocb} and the underlying AES cipher with the given key. @end deftypefun @deftypefun void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *@var{ocb}, struct aes128_ctx *@var{decrypt}, const uint8_t *@var{key}) Initializes @var{ocb} and the underlying AES cipher with the given key. In addition, initialize @var{decrypt} for decryption using the same key; this is needed for @code{ocb_aes128_decrypt} and @code{ocb_aes128_decrypt_message}. @end deftypefun @deftypefun void ocb_aes128_set_nonce (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{tag_length}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) Initializes @var{ctx} for processing a new message, using the given nonce and key. The @var{tag_length} (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to @code{ocb_digest}. Nonce is optional, and length at most 15 bytes. @end deftypefun @deftypefun void ocb_aes128_update (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_aes128_encrypt (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_aes128_decrypt (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, const struct aes128_ctx *@var{decrypt}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the data of a message. @var{decrypt} is an AES context initialized for decryption using the same key. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_aes128_digest (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. The number of octets written to the @var{digest} area is determined by the @var{tag_length} parameter supplied to the @code{ocb_aes128_set_nonce} function earlier. @end deftypefun @deftypefun void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the tag to the ciphertext and writes it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @var{tlength}. @end deftypefun @deftypefun int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *@var{key}, const struct aes128_ctx *@var{decrypt}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}. Like @code{ocb_aes128_decrypt}, it needs an AES context initialized for decryption using the same key. It also recalculates the authentication tag from @var{adata} and the plaintext, and compares it to the final @var{tlength} bytes of @var{src}. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @node SIV-CMAC @subsection Synthetic Initialization Vector AEAD @cindex SIV mode @cindex SIV-CMAC mode @acronym{SIV-CMAC} mode is a combination of counter mode with message authentication based on @acronym{CMAC}. Unlike other counter @acronym{AEAD} modes, it provides protection against accidental nonce misuse, making it a good choice for stateless-servers that cannot ensure nonce uniqueness. It is constructed on top of a block cipher which must have a block size of 128 bits. Nettle's support for @acronym{SIV-CMAC} consists of a message encryption and authentication interface, for @acronym{SIV-CMAC} using AES as the underlying block cipher. When a nonce is re-used with this mode, message authenticity is retained however an attacker can determine whether the same plaintext was protected with the two messages sharing the nonce. These interfaces are defined in @file{}. Unlike other @acronym{AEAD} mode in @acronym{SIV-CMAC} the initialization vector serves as the tag. That means that in the generated ciphertext the tag precedes the ciphertext. Note also, that the @acronym{SIV-CMAC} algorithm, as specified in @cite{RFC 5297}, introduces the notion of authenticated data which consist of multiple components. For example with @acronym{SIV-CMAC} the authentication tag of data @code{X} followed by @code{Y}, is different than the concatenated data @code{X || Y}. The interfaces described below follow the @acronym{AEAD} paradigm and do not allow access to this feature and also require the use of a non-empty nonce. In the terminology of the RFC, the input to the S2V function is always a vector of three elements, where S1 is the authenticated data, S2 is the nonce, and S3 is the plaintext. @subsubsection General interface @defvr Constant SIV_BLOCK_SIZE @acronym{SIV-CMAC}'s block size, 16. @end defvr @defvr Constant SIV_DIGEST_SIZE Size of the @acronym{SIV-CMAC} digest or initialization vector, 16. @end defvr @defvr Constant SIV_MIN_NONCE_SIZE The the minimum size for an @acronym{SIV-CMAC} nonce, 1. @end defvr @subsubsection @acronym{SIV-CMAC}-@acronym{AES} interface The @acronym{AES} @acronym{SIV-CMAC} functions provide an API for using @acronym{SIV-CMAC} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context structure, and a set-key function must be called before using any of the other functions in this interface. @deftp {Context struct} {struct siv_cmac_aes128_ctx} Holds state corresponding to a particular message encrypted using the AES-128 block cipher. @end deftp @deftp {Context struct} {struct siv_cmac_aes256_ctx} Holds state corresponding to a particular message encrypted using the AES-256 block cipher. @end deftp @deftypefun void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the @acronym{AES} @acronym{SIV-CMAC} interface. @end deftypefun @deftypefun void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, prepends the initialization vector to the ciphertext and outputs it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @code{SIV_DIGEST_SIZE}. @end deftypefun @deftypefun int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the initialization vector from @var{adata} and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @node SIV-GCM @subsection SIV-GCM @acronym{SIV-GCM}, described in @cite{RFC 8452}, is an @acronym{AEAD} construction similar to @acronym{AES-GCM}, but provides protection against accidental nonce misuse like @acronym{SIV-CMAC} mode. It is constructed on top of a block cipher which must have a block size of 128 bits and a nonce size of 12 bytes. Nettle's support for @acronym{SIV-GCM} consists of a message encryption and authentication interface, for @acronym{SIV-GCM} using AES as the underlying block cipher. These interfaces are defined in @file{}. Unlike other @acronym{AEAD} mode in @acronym{SIV-GCM} the tag is calculated over the encoded additional authentication data and plaintext instead of the ciphertext. @subsubsection General interface @defvr Constant SIV_GCM_BLOCK_SIZE @acronym{SIV-GCM}'s block size, 16. @end defvr @defvr Constant SIV_GCM_DIGEST_SIZE Size of the @acronym{SIV-GCM} digest for tags, 16. @end defvr @defvr Constant SIV_GCM_NONCE_SIZE Size of the @acronym{SIV-GCM} nonce, 12. @end defvr @deftypefun void siv_gcm_encrypt_message (const struct nettle_cipher *@var{nc}, const void *@var{ctx}, void *@var{ctr_ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the authentication tag to the ciphertext and outputs it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @code{SIV_GCM_DIGEST_SIZE}. @end deftypefun @deftypefun int siv_gcm_decrypt_message (const struct nettle_cipher *@var{nc}, const void *@var{ctx}, void *@var{ctr_ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the initialization vector from @var{adata} and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun In the above interface, @var{nc} must point to a cipher that works with 16-byte block size and the key sizes that are multiple of 8-bytes. The @var{ctx} context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. While the @var{ctr_ctx} context structure must have the same size as @var{ctx}, it does not need to be initialized before calling those functions as it is used as working storage. These structures can point to the same area; in that case the contents of *@var{ctx} is destroyed by the call. For convenience, Nettle provides wrapper functions that works with @acronym{AES} described in the following section. @subsubsection @acronym{SIV-GCM}-@acronym{AES} interface The @acronym{SIV-GCM} functions provide an API for using @acronym{SIV-GCM} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context structure. The @acronym{AES} context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. @deftypefun void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the authentication tag to the ciphertext and outputs it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @code{SIV_GCM_DIGEST_SIZE}. @end deftypefun @deftypefun int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the initialization vector from @var{adata} and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @node nettle_aead abstraction @subsection The @code{struct nettle_aead} abstraction @cindex nettle_aead Nettle includes a struct including information about the supported hash functions. It is defined in @file{}. @deftp {Meta struct} @code{struct nettle_aead} name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest The last seven attributes are function pointers. @end deftp @deftypevr {Constant Struct} {struct nettle_aead} nettle_gcm_aes128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes192 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes256 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia256 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_eax_aes128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_chacha_poly1305 These are most of the @acronym{AEAD} constructions that Nettle implements. Note that @acronym{CCM} is missing; it requirement that the message size is specified in advance makes it incompatible with the @code{nettle_aead} abstraction. @end deftypevr Nettle also exports a list of all these constructions. @deftypefun {const struct nettle_aead **} nettle_get_aeads (void) Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_aeads A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers. @end deffn @node Keyed hash functions @section Keyed Hash Functions @cindex Keyed Hash Function @cindex Message Authentication Code @cindex MAC A @dfn{keyed hash function}, or @dfn{Message Authentication Code} (@acronym{MAC}) is a function that takes a key and a message, and produces fixed size @acronym{MAC}. It should be hard to compute a message and a matching @acronym{MAC} without knowledge of the key. It should also be hard to compute the key given only messages and corresponding @acronym{MAC}s. Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the @acronym{MAC} and attaches it to the message. The receiver, Bob, also computes the @acronym{MAC} of the message, using the same key, and compares that to Alice's value. If they match, Bob can be assured that the message has not been modified on its way from Alice. However, unlike digital signatures, this assurance is not transferable. Bob can't show the message and the @acronym{MAC} to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the @emph{same} key is used on both sides, and anyone knowing the key can create a correct @acronym{MAC} for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn't attach a @acronym{MAC} to a particular message, he knows it must be Alice who did it. However, the third party can't distinguish between a @acronym{MAC} created by Alice and one created by Bob. Keyed hash functions are typically a lot faster than digital signatures as well. @menu * HMAC:: * UMAC:: * CMAC:: * Poly1305:: @end menu @node HMAC @subsection @acronym{HMAC} @cindex HMAC One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is @acronym{HMAC}, described in @cite{RFC 2104}. For an underlying hash function @code{H}, with digest size @code{l} and internal block size @code{b}, @acronym{HMAC-H} is constructed as follows: From a given key @code{k}, two distinct subkeys @code{k_i} and @code{k_o} are constructed, both of length @code{b}. The @acronym{HMAC-H} of a message @code{m} is then computed as @code{H(k_o | H(k_i | m))}, where @code{|} denotes string concatenation. @acronym{HMAC} keys can be of any length, but it is recommended to use keys of length @code{l}, the digest size of the underlying hash function @code{H}. Keys that are longer than @code{b} are shortened to length @code{l} by hashing with @code{H}, so arbitrarily long keys aren't very useful. Nettle's @acronym{HMAC} functions are defined in @file{}. @subsubsection @acronym{HMAC-MD5} @deftp {Context struct} {struct hmac_md5_ctx} @end deftp @deftypefun void hmac_md5_set_key (struct hmac_md5_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_md5_update (struct hmac_md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_md5_digest (struct hmac_md5_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing @code{MD5_DIGEST_SIZE} octets to @var{digest}. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-RIPEMD160} @deftp {Context struct} {struct hmac_ripemd160_ctx} @end deftp @deftypefun void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_ripemd160_update (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing @code{RIPEMD160_DIGEST_SIZE} octets to @var{digest}. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA1} @deftp {Context struct} {struct hmac_sha1_ctx} @end deftp @deftypefun void hmac_sha1_set_key (struct hmac_sha1_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha1_update (struct hmac_sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha1_digest (struct hmac_sha1_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing @code{SHA1_DIGEST_SIZE} octets to @var{digest}. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA256} @deftp {Context struct} {struct hmac_sha256_ctx} @end deftp @deftypefun void hmac_sha256_set_key (struct hmac_sha256_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha256_update (struct hmac_sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha256_digest (struct hmac_sha256_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing @code{SHA256_DIGEST_SIZE} octets to @var{digest}. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA512} @deftp {Context struct} {struct hmac_sha512_ctx} @end deftp @deftypefun void hmac_sha512_set_key (struct hmac_sha512_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha512_update (struct hmac_sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha512_digest (struct hmac_sha512_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing @code{SHA512_DIGEST_SIZE} octets to @var{digest}. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SM3} @deftp {Context struct} {struct hmac_sm3_ctx} @end deftp @deftypefun void hmac_sm3_set_key (struct hmac_sm3_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sm3_update (struct hmac_sm3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sm3_digest (struct hmac_sm3_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing @code{SM3_DIGEST_SIZE} octets to @var{digest}. This function also resets the context for processing new messages, with the same key. @end deftypefun @node UMAC @subsection @acronym{UMAC} @cindex UMAC @acronym{UMAC} is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, @xref{GCM}, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. @acronym{UMAC} is specified in @cite{RFC 4418}. The secret key is always 128 bits (16 octets). The key is used as an encryption key for the @acronym{AES} block cipher. This cipher is used in counter mode to generate various internal subkeys needed in @acronym{UMAC}. Messages are of arbitrary size, and for each message, @acronym{UMAC} also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret. The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle's implementation of @acronym{UMAC} increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is ``abc'' (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to ``abd'', and this incremented value is zero-padded to 16 octets. @acronym{UMAC} is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and @acronym{MAC} functions, Nettle's @code{_digest} functions for @acronym{UMAC} accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the @acronym{umac} variant corresponding to the desired size. The internal block size of @acronym{UMAC} is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and @acronym{MAC} algorithms in Nettle. Nettle defines @acronym{UMAC} in @file{}. @deftp {Context struct} {struct umac32_ctx} @deftpx {Context struct} {struct umac64_ctx} @deftpx {Context struct} {struct umac96_ctx} @deftpx {Context struct} {struct umac128_ctx} Each @acronym{UMAC} variant uses its own context struct. @end deftp @defvr Constant UMAC_KEY_SIZE The UMAC key size, 16. @end defvr @defvr Constant UMAC_MIN_NONCE_SIZE @defvrx Constant UMAC_MAX_NONCE_SIZE The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively. @end defvr @defvr Constant UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. @end defvr @defvr Constant UMAC64_DIGEST_SIZE The size of an UMAC64 digest, 8. @end defvr @defvr Constant UMAC96_DIGEST_SIZE The size of an UMAC96 digest, 12. @end defvr @defvr Constant UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. @end defvr @defvr Constant UMAC_BLOCK_SIZE The internal block size of UMAC. @end defvr @deftypefun void umac32_set_key (struct umac32_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac64_set_key (struct umac64_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac96_set_key (struct umac96_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac128_set_key (struct umac128_ctx *@var{ctx}, const uint8_t *@var{key}) These functions initialize the @acronym{UMAC} context struct. They also initialize the nonce to zero (with length 16, for auto-increment). @end deftypefun @deftypefun void umac32_set_nonce (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac64_set_nonce (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac96_set_nonce (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac128_set_nonce (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for @acronym{UMAC} (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called @emph{before} the first @code{_update} call for the message. @end deftypefun @deftypefun void umac32_update (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac64_update (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac96_update (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac128_update (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) These functions are called zero or more times to process the message. @end deftypefun @deftypefun void umac32_digest (struct umac32_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void umac64_digest (struct umac64_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void umac96_digest (struct umac96_ctx *@var{ctx}, uint8_t *@var{digest}) @deftypefunx void umac128_digest (struct umac128_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the @code{_set_nonce} function explicitly for each message. @end deftypefun @node CMAC @subsection @acronym{CMAC} @cindex CMAC @cindex CMAC-128 @cindex CMAC-64 @acronym{CMAC} is a message authentication code based on CBC encryption mode. It is suitable for systems where block ciphers are preferrable and perform better than hash functions. @acronym{CMAC-128} is specified in @cite{RFC4493}. The block size is always 128 bits (16 octets). @acronym{CMAC-64} is specified by @url{https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf, NIST Special Publication 800-38B}. The block size is always 64 bits (8 octets). Nettle provides helper functions for @acronym{CMAC-128} with the @acronym{AES} block cipher and for @acronym{CMAC-64} with the @acronym{Tripple-DES} block cipher. Nettle defines @acronym{CMAC} in @file{}. @deftp {Context struct} {struct cmac_aes128_ctx} @deftpx {Context struct} {struct cmac_aes256_ctx} @end deftp @defvr Constant CMAC128_DIGEST_SIZE The size of an CMAC-128 digest, 16. @end defvr @deftypefun void cmac_aes128_set_key (struct cmac_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) This function initializes the @acronym{CMAC} context struct for AES-128. @end deftypefun @deftypefun void cmac_aes128_update (struct cmac_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. @end deftypefun @deftypefun void cmac_aes128_digest (struct cmac_aes128_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing @code{CMAC128_DIGEST_SIZE} octets to @var{digest}. This function resets the context for processing of a new message with the same key. @end deftypefun @deftypefun void cmac_aes256_set_key (struct cmac_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) This function initializes the @acronym{CMAC} context struct for AES-256. @end deftypefun @deftypefun void cmac_aes256_update (struct cmac_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. @end deftypefun @deftypefun void cmac_aes256_digest (struct cmac_aes256_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing @code{CMAC128_DIGEST_SIZE} octets to @var{digest}. This function resets the context for processing of a new message with the same key. @end deftypefun @deftp {Context struct} {struct cmac_des3_ctx} @end deftp @defvr Constant CMAC64_DIGEST_SIZE The size of an CMAC-64 digest, 8. @end defvr @deftypefun void cmac_des3_set_key (struct cmac_des3_ctx *@var{ctx}, const uint8_t *@var{key}) This function initializes the @acronym{CMAC} context struct for @acronym{Tripple-DES}. @end deftypefun @deftypefun void cmac_des3_update (struct cmac_des3_ctx *@var{ctx},size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. @end deftypefun @deftypefun void cmac_des3_digest (struct cmac_des3_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing @code{CMAC64_DIGEST_SIZE} octets to @var{digest}. This function resets the context for processing of a new message with the same key. @end deftypefun @node Poly1305 @subsection Poly1305 Poly1305-@acronym{AES} is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number @math{2^130 - 5}. The key, 256 bits, consists of two parts, where the first half is an @acronym{AES}-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point @code{r}. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the @acronym{AES} key, and that's the only thing @acronym{AES} is used for. The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo @math{2^130 - 5}, and the polynomial is evaluated at the point @code{r}. Finally, this value is reduced modulo @math{2^128}, and added (also modulo @math{2^128}) to the encrypted nonce, to produce an 128-bit authenticator for the message. See @url{https://cr.yp.to/mac/poly1305-20050329.pdf} for further details. Clearly, variants using a different cipher than @acronym{AES} could be defined. Another variant is the ChaCha-Poly1305 @acronym{AEAD} construction (@pxref{ChaCha-Poly1305}). Nettle defines Poly1305-@acronym{AES} in @file{nettle/poly1305.h}. @defvr Constant POLY1305_AES_KEY_SIZE Key size, 32 octets. @end defvr @defvr Constant POLY1305_AES_DIGEST_SIZE Size of the digest or ``authenticator'', 16 octets. @end defvr @defvr Constant POLY1305_AES_NONCE_SIZE Nonce size, 16 octets. @end defvr @deftp {Context struct} {struct poly1305_aes_ctx} The poly1305-aes context struct. @end deftp @deftypefun void poly1305_aes_set_key (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the context struct. Also sets the nonce to zero. @end deftypefun @deftypefun void poly1305_aes_set_nonce (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message. @end deftypefun @deftypefun void poly1305_aes_update (struct poly1305_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process more data. @end deftypefun @deftypefun void poly1305_aes_digest (struct poly1305_aes_ctx *@var{ctx}, uint8_t *@var{digest}) Extracts the digest, writing @code{POLY1305_AES_DIGEST_SIZE} octets to @var{digest}. Also increments the nonce, and prepares the context for processing a new message. @end deftypefun @node Key derivation functions @section Key derivation Functions @cindex Key Derivation Function A @dfn{key derivation function} (@acronym{KDF}) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the @dfn{password-based key derivation functions} (@acronym{PBKDFs}), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation. @subsection HKDF: HMAC-based Extract-and-Expand @cindex HKDF HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in @cite{RFC 5869}, and is split into two logical modules, called ``extract'' and ``expand''. The extract module takes an initial secret and a random salt to extract a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys. Nettle's @acronym{HKDF} functions are defined in @file{}. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the @code{nettle_hash_update_func}, and @code{nettle_hash_digest_func} interfaces. @deftypefun void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst) Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the secret @var{secret} of length @var{secret_length}. The output length is fixed to @var{digest_size} octets, thus the output buffer @var{dst} must have room for at least @var{digest_size} octets. @end deftypefun @deftypefun void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the info @var{info} of length @var{info_length}, and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsection @acronym{PBKDF2} @cindex Password Based Key Derivation Function @cindex PKCS #5 @cindex KDF @cindex PBKDF The most well known PBKDF is the @code{PKCS #5 PBKDF2} described in @cite{RFC 2898} which uses a pseudo-random function such as @acronym{HMAC-SHA1}. Nettle's @acronym{PBKDF2} functions are defined in @file{}. There is an abstract function that operate on any PRF implemented via the @code{nettle_hash_update_func}, @code{nettle_hash_digest_func} interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 and PBKDF2-HMAC-SHA512. First, the abstract function: @deftypefun void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the salt @var{salt} of length @var{salt_length}, the iteration counter @var{iterations} (> 0), and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun Like for CBC and HMAC, there is a macro to help use the function correctly. @deffn Macro PBKDF2 (@var{ctx}, @var{update}, @var{digest}, @var{digest_size}, @var{iterations}, @var{salt_length}, @var{salt}, @var{length}, @var{dst}) @var{ctx} is a pointer to a context struct passed to the @var{update} and @var{digest} functions (of the types @code{nettle_hash_update_func} and @code{nettle_hash_digest_func} respectively) to implement the underlying PRF with digest size of @var{digest_size}. Inputs are the salt @var{salt} of length @var{salt_length}, the iteration counter @var{iterations} (> 0), and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deffn @subsection Concrete @acronym{PBKDF2} functions Now we come to the specialized @acronym{PBKDF2} functions, which are easier to use than the general @acronym{PBKDF2} function. @subsubsection @acronym{PBKDF2-HMAC-SHA1} @deftypefun void pbkdf2_hmac_sha1 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA1. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsubsection @acronym{PBKDF2-HMAC-SHA256} @deftypefun void pbkdf2_hmac_sha256 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA256. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsubsection @acronym{PBKDF2-HMAC-SHA384} @deftypefun void pbkdf2_hmac_sha384 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA384. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsubsection @acronym{PBKDF2-HMAC-SHA512} @deftypefun void pbkdf2_hmac_sha512 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA512. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsection @acronym{BALLOON} @cindex Balloon password-hashing algorithm Balloon is a memory-hard password-hashing algorithm. An in-depth description of the algorithm and its properties can be found in an online research paper: Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. Retrieved Sep 1, 2022, from @url{https://eprint.iacr.org/2016/027.pdf} Nettle's definition of the @acronym{BALLOON} algorithm can be found in @file{}. There is a general @acronym{BALLOON} function where the user can specify desired hash algorithm that will be used by the function. There are also concrete, more user-friendly functions that use common hash algorithms like SHA1, SHA256, SHA384 and SHA512. There is also a utility function which helps to determine the size of the working buffer that must be provided as one of the inputs. Each @acronym{BALLOON} function takes as an input a password and a salt of arbitrary lengths, a time and a space parameters, and a scratch buffer. The space parameter @var{s_cost} determines how many blocks of working space the algorithm will require during its computation. It is common to set @var{s_cost} to a high value in order to increase the cost of hardware accelerators built by the adversary. The time parameter @var{t_cost} determines the number of rounds of computation that the algorithm will perform. This can be used to further increase the cost of computation without raising the memory requirement. Scratch buffer @var{scratch} is a user allocated working space required by the algorithm. To determine the required size of the scratch buffer use the utility function @code{balloon_itch}. Output of @acronym{BALLOON} algorithm will be written into the output buffer @var{dst} that has to be at least @var{digest_size} bytes long. Note that it is safe to use the same buffer for both @var{scratch} and @var{dst}. Next follows the description of the general @acronym{BALLOON} function. @deftypefun void balloon (void *@var{hash_ctx}, nettle_hash_update_func *@var{update}, nettle_hash_digest_func *@var{digest}, size_t @var{digest_size}, size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) Compute hash of given password @var{passwd} of length @var{passwd_length} salted with @var{salt} of length @var{salt_length} and write @var{digest_size} bytes into the output buffer @var{dst}. Parameter @var{hash_ctx} is a context for the underlying hash function, which much be initialized by the caller. @var{update} and @var{digest} are the update and digest functions of the chosen hash algorithm. @var{digest_size} is the digest size of the chosen hash algorithm and determines the size of the output. @end deftypefun @deftypefun size_t balloon_itch (size_t @var{digest_size}, size_t @var{s_cost}) Compute the size of the scratch buffer @var{scratch}. @var{digest_size} is the digest size of the chosen hash algorithm. @var{s_cost} is the space parameter used by the @code{balloon} function. @end deftypefun @subsection Concrete @acronym{BALLOON} functions Here follows a list of the specialized @acronym{BALLOON} functions, which are more user-friendly variants of the general function. @subsubsection @acronym{BALLOON-SHA1} @deftypefun void balloon_sha1 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA1 as the underlying hash function. @end deftypefun @subsubsection @acronym{BALLOON-SHA256} @deftypefun void balloon_sha256 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA256 as the underlying hash function. @end deftypefun @subsubsection @acronym{BALLOON-SHA384} @deftypefun void balloon_sha384 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA384 as the underlying hash function. @end deftypefun @subsubsection @acronym{BALLOON-SHA512} @deftypefun void balloon_sha512 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA512 as the underlying hash function. @end deftypefun @node Public-key algorithms @section Public-key algorithms @cindex Public-key cryptography @cindex Digital signatures Nettle uses @acronym{GMP}, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle (with the exception of @acronym{SLH-DSA}), you must install @acronym{GMP}, at least version 6.1.0, before compiling Nettle, and you need to link your programs with @code{-lhogweed -lnettle -lgmp}. The concept of @dfn{Public-key} cryptography and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, ``symmetric'', cryptography, sender and receiver share the same key, and this key must be distributed in a secure way. And if there are many users or entities that need to communicate, each @emph{pair} needs a shared secret key known by nobody else. In public key cryptography, each user needs a ``key pair'', consisting of a private key which is kept secret, and corresponding public key that is distributed to all other users. Public and private keys can be uses in several different ways: For key agreement (e.g., Diffie-Hellman or Curve25519 key exchange), digital signatures (e.g., @acronym{RSA} signatures and Ed25519 signatures), and public key encryption (e.g., @acronym{RSA} encryption). To use a digital signature algorithm, one must first create a @dfn{key-pair}: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user's list of known public keys), bad things may happen. There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can't cut it out of context and glue it to a different message. The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the ``someone'' also knows the private key corresponding to the public key. The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation. Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as ``grant access to whoever knows the private key corresponding to this particular public key, and to no others''. @menu * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA. * SLH-DSA:: Stateless hash-based digital signatures. @end menu @node RSA @subsection @acronym{RSA} The @acronym{RSA} algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the @acronym{USA} in 1983. The patent expired on September 20, 2000, and since that day, @acronym{RSA} can be used freely, even in the @acronym{USA}. It's remarkably simple to describe the trapdoor function behind @acronym{RSA}. The ``one-way''-function used is @example F(x) = x^e mod n @end example I.e. raise x to the @code{e}'th power, while discarding all multiples of @code{n}. The pair of numbers @code{n} and @code{e} is the public key. @code{e} can be quite small, even @code{e = 3} has been used, although slightly larger numbers are recommended. @code{n} should be about 2000 bits or larger. If @code{n} is large enough, and properly chosen, the inverse of F, the computation of @code{e}'th roots modulo @code{n}, is very difficult. But, where's the trapdoor? Let's first look at how @acronym{RSA} key-pairs are generated. First @code{n} is chosen as the product of two large prime numbers @code{p} and @code{q} of roughly the same size (so if @code{n} is 2000 bits, @code{p} and @code{q} are about 1000 bits each). One also computes the number @code{phi = (p-1)(q-1)}, in mathematical speak, @code{phi} is the order of the multiplicative group of integers modulo n. Next, @code{e} is chosen. It must have no factors in common with @code{phi} (in particular, it must be odd), but can otherwise be chosen more or less randomly. @code{e = 65537} is a popular choice, because it makes raising to the @code{e}'th power particularly efficient, and being prime, it usually has no factors common with @code{phi}. Finally, a number @code{d}, @code{d < n} is computed such that @code{e d mod phi = 1}. It can be shown that such a number exists (this is why @code{e} and @code{phi} must have no common factors), and that for all @code{x}, @example (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x @end example Using Euclid's algorithm, @code{d} can be computed quite easily from @code{phi} and @code{e}. But it is still hard to get @code{d} without knowing @code{phi}, which depends on the factorization of @code{n}. So @code{d} is the trapdoor, if we know @code{d} and @code{y = F(x)}, we can recover @code{x} as @code{y^d mod n}. @code{d} is also the private half of the @acronym{RSA} key-pair. The most common signature operation for @acronym{RSA} is defined in @cite{PKCS#1}, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. @acronym{SHA256}. Next, some padding, the @acronym{ASN.1} ``Algorithm Identifier'' for the hash function, and the message digest itself, are concatenated and converted to a number @code{x}. The signature is computed from @code{x} and the private key as @code{s = x^d mod n}@footnote{Actually, the computation is not done like this, it is done more efficiently using @code{p}, @code{q} and the Chinese remainder theorem (@acronym{CRT}). But the result is the same.}. The signature, @code{s}, is a number of about the same size of @code{n}, and it usually encoded as a sequence of octets, most significant octet first. The verification operation is straight-forward, @code{x} is computed from the message in the same way as above. Then @code{s^e mod n} is computed, the operation returns true if and only if the result equals @code{x}. The @acronym{RSA} algorithm can also be used for encryption. RSA encryption uses the public key @code{(n,e)} to compute the ciphertext @code{m^e mod n}. The @cite{PKCS#1} padding scheme will use at least 8 random and non-zero octets, using @var{m} of the form @code{[00 02 padding 00 plaintext]}. It is required that @code{m < n}, and therefor the plaintext must be smaller than the octet size of the modulo @code{n}, with some margin. To decrypt the message, one needs the private key to compute @code{m = c^e mod n} followed by checking and removing the padding. @subsubsection Nettle's @acronym{RSA} support Nettle represents @acronym{RSA} keys using two structures that contain large numbers (of type @code{mpz_t}). @deftp {Context struct} {rsa_public_key} size n e @code{size} is the size, in octets, of the modulo, and is used internally. @code{n} and @code{e} is the public key. @end deftp @deftp {Context struct} {rsa_private_key} size d p q a b c @code{size} is the size, in octets, of the modulo, and is used internally. @code{d} is the secret exponent, but it is not actually used when signing. Instead, the factors @code{p} and @code{q}, and the parameters @code{a}, @code{b} and @code{c} are used. They are computed from @code{p}, @code{q} and @code{e} such that @code{a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1}. @end deftp Before use, these structs must be initialized by calling one of @deftypefun void rsa_public_key_init (struct rsa_public_key *@var{pub}) @deftypefunx void rsa_private_key_init (struct rsa_private_key *@var{key}) Calls @code{mpz_init} on all numbers in the key struct. @end deftypefun and when finished with them, the space for the numbers must be deallocated by calling one of @deftypefun void rsa_public_key_clear (struct rsa_public_key *@var{pub}) @deftypefunx void rsa_private_key_clear (struct rsa_private_key *@var{key}) Calls @code{mpz_clear} on all numbers in the key struct. @end deftypefun In general, Nettle's @acronym{RSA} functions deviates from Nettle's ``no memory allocation''-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see @xref{Custom Allocation,,GMP Allocation,gmp, GMP Manual}. When you have assigned values to the attributes of a key, you must call @deftypefun int rsa_public_key_prepare (struct rsa_public_key *@var{pub}) @deftypefunx int rsa_private_key_prepare (struct rsa_private_key *@var{key}) Computes the octet size of the key (stored in the @code{size} attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can't be used, for instance if the modulo is smaller than the minimum size needed for @acronym{RSA} operations specified by PKCS#1. @end deftypefun For each operation using the private key, there are two variants, e.g., @code{rsa_sha256_sign} and @code{rsa_sha256_sign_tr}. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized @acronym{RSA} blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key. Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function's context struct to the @acronym{RSA} signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with @acronym{RSA} signatures, since there's no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. Creating an @acronym{RSA} signature is done with one of the following functions: @deftypefun int rsa_md5_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha256_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha512_ctx *@var{hash}, mpz_t @var{signature}) The signature is stored in @var{signature} (which must have been @code{mpz_init}'ed earlier). The hash context is reset so that it can be used for new messages. The @var{random_ctx} and @var{random} pointers are used to generate the @acronym{RSA} blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit @acronym{RSA} key. @end deftypefun @deftypefun int rsa_md5_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature from the given hash digest. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun @deftypefun int rsa_pkcs1_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{signature}) Similar to the above @code{_sign_digest_tr} functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun @deftypefun int rsa_md5_sign (const struct rsa_private_key *@var{key}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign (const struct rsa_private_key *@var{key}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign (const struct rsa_private_key *@var{key}, struct sha256_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign (const struct rsa_private_key *@var{key}, struct sha512_ctx *@var{hash}, mpz_t @var{signature}) The signature is stored in @var{signature} (which must have been @code{mpz_init}'ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit @acronym{RSA} key. @end deftypefun @deftypefun int rsa_md5_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}, respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun @deftypefun int rsa_pkcs1_sign (const struct rsa_private_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{s}) Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun Verifying an RSA signature is done with one of the following functions: @deftypefun int rsa_md5_verify (const struct rsa_public_key *@var{key}, struct md5_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha1_verify (const struct rsa_public_key *@var{key}, struct sha1_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify (const struct rsa_public_key *@var{key}, struct sha256_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha512_verify (const struct rsa_public_key *@var{key}, struct sha512_ctx *@var{hash}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. In either case, the hash context is reset so that it can be used for new messages. @end deftypefun @deftypefun int rsa_md5_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha1_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha512_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively. @end deftypefun @deftypefun int rsa_pkcs1_verify (const struct rsa_public_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, const mpz_t @var{signature}) Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun While the above functions for the RSA signature operations use the @cite{PKCS#1} padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in @cite{RFC 8017}. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the @acronym{RSA} algorithm, a longer salt value does not always mean a better security @url{https://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf}. The typical choices of the length are between 0 and the digest size of the underlying hash function. Creating an RSA signature with the PSS padding scheme is done with one of the following functions: @deftypefun int rsa_pss_sha256_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_pss_sha384_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_pss_sha512_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature using the PSS padding scheme. @var{salt} should point to a salt string of size @var{salt_length}. @var{digest} should point to a digest of size @code{SHA256_DIGEST_SIZE}, @code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun Verifying an RSA signature with the PSS padding scheme is done with one of the following functions: @deftypefun int rsa_pss_sha256_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_pss_sha384_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_pss_sha512_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} should point to a digest of size @code{SHA256_DIGEST_SIZE}, @code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively. @end deftypefun The following function is used to encrypt a clear text message using RSA. @deftypefun int rsa_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{cleartext}, mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure. @end deftypefun The following function is used to decrypt a cipher text message using RSA. @deftypefun int rsa_decrypt (const struct rsa_private_key *@var{key}, size_t *@var{length}, uint8_t *@var{cleartext}, const mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by @var{cleartext} must be of size *@var{length}. After decryption, *@var{length} will be updated with the size of the message. @end deftypefun There is also a timing resistant version of decryption that utilizes randomized RSA blinding. @deftypefun int rsa_decrypt_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t *@var{length}, uint8_t *@var{message}, const mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. @end deftypefun While the above functions for the RSA encryption operations use the @cite{PKCS#1} padding scheme, Nettle also provides the variants based on the OAEP padding scheme, specified in @cite{RFC 8017}. These variants take advantage of a randomly choosen seed value, which could enhance the security by causing output to be different for equivalent inputs. Encrypting a clear text message using RSA with the OAEP padding scheme is done with one of the following functions: @deftypefun int rsa_oaep_sha256_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t @var{length}, const uint8_t *@var{message}, uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha384_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t @var{length}, const uint8_t *@var{message}, uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha512_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t @var{length}, const uint8_t *@var{message}, uint8_t *@var{ciphertext}) Returns 1 on success, 0 on failure. The label is optional and if omitted, @var{label_length} and @var{label} is set to 0 and @code{NULL} respectively. The maximum size of @var{message} can be calculated with @code{k - 2 * hLen - 2}, where @code{k} is the key size in octets obtained with @var{key}->size, and @code{hLen} is the output size of the underlying hash function (e.g., @code{SHA256_DIGEST_SIZE} for @code{rsa_oaep_sha256_encrypt}). @end deftypefun Decrypting a cipher text message using RSA with the OAEP padding scheme is done with one of the following functions: @deftypefun int rsa_oaep_sha256_decrypt (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t *@var{length}, uint8_t *@var{message}, const uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha384_decrypt (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t *@var{length}, uint8_t *@var{message}, const uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha512_decrypt (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t *@var{length}, uint8_t *@var{message}, const uint8_t *@var{ciphertext}) Returns 1 on success, 0 on failure. These function utilize randomized RSA blinding similarly to @code{rsa_decrypt_tr}. The message buffer pointed to by @var{cleartext} must be of size *@var{length}. After decryption, *@var{length} will be updated with the size of the message. @end deftypefun If you need to use the @acronym{RSA} trapdoor, the private key, in a way that isn't supported by the above functions Nettle also includes a function that computes @code{x^d mod n} and nothing more, using the @acronym{CRT} optimization. @deftypefun int rsa_compute_root_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, mpz_t @var{x}, const mpz_t @var{m}) Computes @code{x = m^d}. Returns one on success, or zero if a failure in the computation was detected. @end deftypefun @deftypefun void rsa_compute_root (struct rsa_private_key *@var{key}, mpz_t @var{x}, const mpz_t @var{m}) Computes @code{x = m^d}. @end deftypefun At last, how do you create new keys? @deftypefun int rsa_generate_keypair (struct rsa_public_key *@var{pub}, struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, void *@var{progress_ctx}, nettle_progress_func @var{progress}, unsigned @var{n_size}, unsigned @var{e_size}) There are lots of parameters. @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized, but you don't need to call @code{rsa_public_key_prepare} or @code{rsa_private_key_prepare} after key generation. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{size_n} is the desired size of the modulo, in bits. If @var{size_e} is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if @var{e_size} is zero, it is assumed that the caller has already chosen a value for @code{e}, and stored it in @var{pub}. Returns one on success, and zero on failure. The function can fail for example if if @var{n_size} is too small, or if @var{e_size} is zero and @code{pub->e} is an even number. @end deftypefun @node DSA @subsection @acronym{DSA} The @acronym{DSA} digital signature algorithm is more complex than @acronym{RSA}. It was specified during the early 1990s, and in 1994 NIST published @acronym{FIPS} 186 which is the authoritative specification. Sometimes @acronym{DSA} is referred to using the acronym @acronym{DSS}, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than @acronym{sha1}. For @acronym{DSA}, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime @code{p}, a small prime @code{q} which is a factor of @code{p-1}, a number @code{g} which generates a subgroup of order @code{q} modulo @code{p}, and an element @code{y} in that subgroup. In the original @acronym{DSA}, the size of @code{q} is fixed to 160 bits, to match with the @acronym{SHA1} hash algorithm. The size of @code{p} is in principle unlimited, but the standard specifies only nine specific sizes: @code{512 + l*64}, where @code{l} is between 0 and 8. Thus, the maximum size of @code{p} is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. The subgroup requirement means that if you compute @example g^t mod p @end example for all possible integers @code{t}, you will get precisely @code{q} distinct values. The private key is a secret exponent @code{x}, such that @example g^x = y mod p @end example In mathematical speak, @code{x} is the @dfn{discrete logarithm} of @code{y} mod @code{p}, with respect to the generator @code{g}. The size of @code{x} will also be about the same size as @code{q}. The security of the @acronym{DSA} algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack @acronym{DSA}, are of two types. The first type works directly in the (multiplicative) group of integers mod @code{p}. The best known algorithm of this type is the Number Field Sieve, and it's complexity is similar to the complexity of factoring numbers of the same size as @code{p}. The other type works in the smaller @code{q}-sized subgroup generated by @code{g}, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity @code{sqrt(q)}. The important point is that security depends on the size of @emph{both} @code{p} and @code{q}, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original @acronym{DSA} may be uncomfortably small. Using a @code{p} of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit @acronym{RSA} modulo, and using a @code{q} of size 160 bits implies that cracking using Pollard-rho will take roughly @code{2^80} group operations. With the size of @code{q} fixed, tied to the @acronym{SHA1} digest size, it may be tempting to increase the size of @code{p} to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack. The signature generation algorithm is randomized; in order to create a @acronym{DSA} signature, you need a good source for random numbers (@pxref{Randomness}). Let us describe the common case of a 160-bit @code{q}. To create a signature, one starts with the hash digest of the message, @code{h}, which is a 160 bit number, and a random number @code{k, 0}. A @acronym{DSA} group is represented using the following struct. @deftp {Context struct} {dsa_params} p q g Parameters of the @acronym{DSA} group. @end deftp @deftypefun void dsa_params_init (struct dsa_params *@var{params}) Calls @code{mpz_init} on all numbers in the struct. @end deftypefun @deftypefun void dsa_params_clear (struct dsa_params *@var{params}params) Calls @code{mpz_clear} on all numbers in the struct. @end deftypefun @deftypefun int dsa_generate_params (struct dsa_params *@var{params}, void *@var{random_ctx}, nettle_random_func *@var{random}, void *@var{progress_ctx}, nettle_progress_func *@var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) Generates parameters of a new group. The @var{params} struct should be initialized before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{p_bits} and @var{q_bits} are the desired sizes of @code{p} and @code{q}. To generate keys that conform to the original @acronym{DSA} standard, you must use @code{q_bits = 160} and select @var{p_bits} of the form @code{p_bits = 512 + l*64}, for @code{0 <= l <= 8}, where the smaller sizes are no longer recommended, so you should most likely stick to @code{p_bits = 1024}. Non-standard sizes are possible, in particular @code{p_bits} larger than 1024, although @acronym{DSA} implementations can not in general be expected to support such keys. Also note that using very large @var{p_bits}, with @var{q_bits} fixed at 160, doesn't make much sense, because the security is also limited by the size of the smaller prime. To generate @acronym{DSA} keys for use with @acronym{SHA256}, use @code{q_bits = 256} and, e.g., @code{p_bits = 2048}. Returns one on success, and zero on failure. The function will fail if @var{q_bits} is too small, or too close to @var{p_bits}. @end deftypefun Signatures are represented using the structure below. @deftp {Context struct} {dsa_signature} r s The @var{r} and @var{s} fields are both of type @code{mpz_t}. @end deftp @deftypefun void dsa_signature_init (struct dsa_signature *@var{signature}) @deftypefunx void dsa_signature_clear (struct dsa_signature *@var{signature}) You must call @code{dsa_signature_init} before creating or using a signature, and call @code{dsa_signature_clear} when you are finished with it. @end deftypefun Keys are represented as bignums, of type @code{mpz_t}. A public key represents a group element, and is of the same size as @code{p}, while a private key is an exponent, of the same size as @code{q}. @deftypefun int dsa_sign (const struct dsa_params *@var{params}, const mpz_t @var{x}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_size}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Creates a signature from the given hash digest, using the private key @var{x}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo @code{q} fails. @end deftypefun @deftypefun int dsa_verify (const struct dsa_params *@var{params}, const mpz_t @var{y}, size_t @var{digest_size}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0. @end deftypefun To generate a keypair, first generate a @acronym{DSA} group using @code{dsa_generate_params}. A keypair in this group is then created using @deftypefun void dsa_generate_keypair (const struct dsa_params *@var{params}, mpz_t @var{pub}, mpz_t @var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) Generates a new keypair, using the group @var{params}. The public key is stored in @var{pub}, and the private key in @var{key}. Both variables must be initialized using @code{mpz_init} before this call. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun @node Elliptic curves @subsection Elliptic curves For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If @math{P} and @math{Q} are two points, and @math{k} is an integer, the point sum, @math{P + Q}, and the multiple @math{k P} can be computed efficiently, but given only two points @math{P} and @math{Q}, finding an integer @math{k} such that @math{Q = k P} is the elliptic curve discrete logarithm problem. Nettle supports standard curves which are all of the form @math{y^2 = x^3 - 3 x + b @pmod{p}}, i.e., the points have coordinates @math{(x,y)}, both considered as integers modulo a specified prime @math{p}. Curves are represented as a @code{struct ecc_curve}. It also supports curve25519 and curve488, which uses a different form of curve. Supported curves are declared in @file{}, e.g., call @code{nettle_get_secp_256r1} for a standardized curve using the 256-bit prime @math{p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1}. The contents of these structs is not visible to nettle users. The ``bitsize of the curve'' is used as a shorthand for the bitsize of the curve's prime @math{p}, e.g., 256 bits for the SECP 256R1 curve. @menu * Side-channel silence:: * ECDSA:: * GOSTDSA:: * Curve 25519 and Curve 448:: @end menu @node Side-channel silence @subsubsection Side-channel silence @cindex Side-channel attack Nettle's implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are: @itemize @item Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. @item Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries. @end itemize Nettle's ECC implementation is designed to be @dfn{side-channel silent}, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. @node ECDSA @subsubsection ECDSA ECDSA is a variant of the DSA digital signature scheme (@pxref{DSA}), which works over an elliptic curve group rather than over a (subgroup of) integers modulo @math{p}. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. Nettle defines ECDSA in @file{}. We first need to define the data types used to represent public and private keys. @deftp {struct} {struct ecc_point} Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key. @end deftp @deftypefun void ecc_point_init (struct ecc_point *@var{p}, const struct ecc_curve *@var{ecc}) Initializes @var{p} to represent points on the given curve @var{ecc}. Allocates storage for the coordinates, using the same allocation functions as GMP. @end deftypefun @deftypefun void ecc_point_clear (struct ecc_point *@var{p}) Deallocate storage allocated by previous ecc_point_init. @end deftypefun @deftypefun int ecc_point_set (struct ecc_point *@var{p}, const mpz_t @var{x}, const mpz_t @var{y}) Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed. @end deftypefun @deftypefun void ecc_point_get (const struct ecc_point *@var{p}, mpz_t @var{x}, mpz_t @var{y}) Extracts the coordinate of the point @var{p}. The output parameters @var{x} or @var{y} may be NULL if the caller doesn't want that coordinate. @end deftypefun @deftp {struct} {struct ecc_scalar} Represents an integer in the range @math{0 < x < group order}, where the ``group order'' refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key. @end deftp @deftypefun void ecc_scalar_init (struct ecc_scalar *@var{s}, const struct ecc_curve *@var{ecc}) Initializes @var{s} to represent a scalar suitable for the given curve @var{ecc}. Allocates storage using the same allocation functions as GMP. @end deftypefun @deftypefun void ecc_scalar_clear (struct ecc_scalar *@var{s}) Deallocate the storage allocated by previous ecc_scalar_init. @end deftypefun @deftypefun int ecc_scalar_set (struct ecc_scalar *@var{s}, const mpz_t @var{z}) Check that @var{z} is in the correct range. If so, copies the value to @var{s} and returns 1, otherwise returns 0. @end deftypefun @deftypefun void ecc_scalar_get (const struct ecc_scalar *@var{s}, mpz_t @var{z}) Extracts the scalar, in GMP @code{mpz_t} representation. @end deftypefun To create and verify ECDSA signatures, the following functions are used. @deftypefun void ecdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Uses the private key @var{key} to create a signature of @var{digest}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. The signature is stored in @var{signature}, in the same way as for plain DSA. @end deftypefun @deftypefun int ecdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Uses the public key @var{pub} to verify that @var{signature} is a valid signature for the message digest @var{digest} (of @var{length} octets). Returns 1 if the signature is valid, otherwise 0. @end deftypefun Finally, generating a new ECDSA key pair: @deftypefun void ecdsa_generate_keypair (struct ecc_point *@var{pub}, struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun @node GOSTDSA @subsubsection GOSTDSA @cindex GOST DSA GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA (@pxref{DSA}) and ECDSA (@pxref{ECDSA}) digital signature schemes, which works over an elliptic curve group. Original documents are written in Russian. English translations are provided in @cite{RFC 5832} and @cite{RFC 7091}. While technically nothing stops one from using GOSTDSA over any curve, it is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function (GOSTHASH94 and GOSTHASH94CP, @cite{RFC 5831}). GOST R 34.10-2012 is defined to use GOST R 34.11-2012 hash function (Streebog, @cite{RFC 6986}) of corresponding size (256 or 512) depending on curve size. Nettle defines GOSTDSA in @file{}. GOSTDSA reuses ECDSA data types (@code{struct ecc_point}, @code{struct ecc_scalar}) to represent public and private keys. Also to generate a new GOSTDSA key pair one has to use @code{ecdsa_generate_keypair()} function. To create and verify GOSTDSA signatures, the following functions are used. @deftypefun void gostdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Uses the private key @var{key} to create a signature of @var{digest}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. The signature is stored in @var{signature}, in the same was as for plain DSA. @end deftypefun @deftypefun int gostdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Uses the public key @var{pub} to verify that @var{signature} is a valid signature for the message digest @var{digest} (of @var{length} octets). Returns 1 if the signature is valid, otherwise 0. @end deftypefun For historical reason several curve IDs (OIDs) may correspond to a single curve/generator combination. Following list defines correspondence between nettle's view on curves and actual identifiers defined in @cite{RFC 4357} and @cite{RFC 7836}. @deftypefun {const struct ecc_curve} nettle_get_gost_gc256b (void) Returns curve corresponding to following identifiers: @itemize @item id-GostR3410-2001-CryptoPro-A-ParamSet (@cite{RFC 4357}) @item id-GostR3410-2001-CryptoPro-XchA-ParamSet (@cite{RFC 4357}) @item id-tc26-gost-3410-12-256-paramSetB @end itemize @end deftypefun @deftypefun {const struct ecc_curve} nettle_get_gost_gc512a (void) Returns curve corresponding to following identifiers: @itemize @item id-tc26-gost-3410-12-512-paramSetA (@cite{RFC 7836}) @end itemize @end deftypefun For GOST key pairs key derivation/key agreement function (VKO) is defined in @cite{RFC 4357} and @cite{RFC 7836}. Basically shared key is equal to hash(cofactor * ukm * priv * pub). Nettle library provides a function that does multiplication. Caller should do hashing on his own (it will be either GOST R 34.11-94 (@pxref{GOSTHASH94CP}) or GOST R 34.11-2012, Streebog, which nor part of the library yet). @deftypefun void gostdsa_vko (const struct ecc_scalar *@var{priv}, const struct ecc_point *@var{pub}, size_t @var{ukm_length}, const uint8_t *@var{ukm}, uint8_t *@var{out}) Uses private key @var{priv}, public ket @var{pub} and shared key material @var{ukm} to generate shared secret, written to buffer @var{out}. The buffer should be of the size equal to 2 private key lengths: 64 bytes for 256 bit curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually transferred in cleartext. It does not have to be secret. @end deftypefun @node Curve 25519 and Curve 448 @subsubsection Curve25519 and Curve448 @cindex Curve 25519 @cindex Curve 448 @c FIXME: Make 2^255 pretty in all output formats. Use @sup? @c There are other places too (2^32, 2^130). Curve25519 is an elliptic curve of Montgomery type, @math{y^2 = x^3 + 486662 x^2 + x @pmod{p}}, with @math{p = 2^255 - 19}. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in @cite{RFC 7748}. The group generator is defined by @math{x = 9} (there are actually two points with @math{x = 9}, differing by the sign of the y-coordinate, but that doesn't matter for the curve25519 operations which work with the x-coordinate only). The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored. For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range @math{2^251 <= s < 2^252}. Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value @math{x} for which the the curve equation can be solved for @math{y}. The other half correspond to points on a related ``twist curve''. The function @code{curve25519_mul} uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by @cite{RFC 7748}. The output is therefore well defined for @emph{all} possible inputs, no matter if the input string represents a valid point on the curve or not. Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from @cite{RFC 7748}, in that bit 255 of the @math{x} coordinate of the point input to curve25519_mul was not ignored. The @file{nette/curve25519.h} defines a preprocessor symbol @code{NETTLE_CURVE25519_RFC7748} to indicate conformance with the standard. Nettle defines Curve 25519 in @file{}. @defvr Constant NETTLE_CURVE25519_RFC7748 Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions. @end defvr @defvr Constant CURVE25519_SIZE The size of the strings representing curve25519 points and scalars, 32. @end defvr @deftypefun void curve25519_mul_g (uint8_t *@var{q}, const uint8_t *@var{n}) Computes @math{Q = N G}, where @math{G} is the group generator and @math{N} is an integer. The input argument @var{n} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size @code{CURVE25519_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult_base} in the NaCl library. @end deftypefun @deftypefun void curve25519_mul (uint8_t *@var{q}, const uint8_t *@var{n}, const uint8_t *@var{p}) Computes @math{Q = N P}, where @math{P} is an input point and @math{N} is an integer. The input arguments @var{n} and @var{p} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size @code{CURVE25519_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult} in the NaCl library. @end deftypefun Similarly, Nettle also implements Curve448, an elliptic curve of Montgomery type, @math{y^2 = x^3 + 156326 x^2 + x @pmod{p}}, with @math{p = 2^448 - 2^224 - 1}. This particular curve was proposed by Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also described in @cite{RFC 7748}. Nettle defines Curve 448 in @file{}. @defvr Constant CURVE448_SIZE The octet length of the strings representing curve448 points and scalars, 56. @end defvr @deftypefun void curve448_mul_g (uint8_t *@var{q}, const uint8_t *@var{n}) Computes @math{Q = N G}, where @math{G} is the group generator and @math{N} is an integer. The input argument @var{n} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size @code{CURVE448_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult_base} in the NaCl library. @end deftypefun @deftypefun void curve448_mul (uint8_t *@var{q}, const uint8_t *@var{n}, const uint8_t *@var{p}) Computes @math{Q = N P}, where @math{P} is an input point and @math{N} is an integer. The input arguments @var{n} and @var{p} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size @code{CURVE448_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult} in the NaCl library. @end deftypefun @subsubsection EdDSA @cindex eddsa EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a ``Twisted Edwards curve'', of the form @math{-x^2 + y^2 = 1 + d x^2 y^2}. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups. Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost. @defvr Constant ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. @end defvr @defvr Constant ED25519_SIGNATURE_SIZE The size of an Ed25519 signature, 64 octets. @end defvr @deftypefun void ed25519_sha512_public_key (uint8_t *@var{pub}, const uint8_t *@var{priv}) Computes the public key corresponding to the given private key. Both input and output are of size @code{ED25519_KEY_SIZE}. @end deftypefun @deftypefun void ed25519_sha512_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) Signs a message using the provided key pair. @end deftypefun @deftypefun int ed25519_sha512_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. @end deftypefun Nettle also provides Ed448, an EdDSA signature scheme based on an Edwards curve equivalent to curve448. @defvr Constant ED448_KEY_SIZE The size of a private or public Ed448 key, 57 octets. @end defvr @defvr Constant ED448_SIGNATURE_SIZE The size of an Ed448 signature, 114 octets. @end defvr @deftypefun void ed448_shake256_public_key (uint8_t *@var{pub}, const uint8_t *@var{priv}) Computes the public key corresponding to the given private key. Both input and output are of size @code{ED448_KEY_SIZE}. @end deftypefun @deftypefun void ed448_shake256_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) Signs a message using the provided key pair. @end deftypefun @deftypefun int ed448_shake256_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. @end deftypefun @node SLH-DSA @subsection SLH-DSA @cindex SLH-DSA @cindex post-quantum @cindex SPHINCS+ SLH-DSA stands for Stateless hash-based digital signature algorithm. As the name suggests, its security is based on a cryptographic hash function. It is intended to be secure against an attacker with a large working quantum computer, often referred to as a ``post-quantum'' cryptographic algorithm. This is in contrast to ``classical'' public key algorithms based on the difficulty of the discrete logarithm problem or the factoring problem, because those problems can be solved efficiently if or when the attacker has a large scale quantum computer at their disposal. The SLH-DSA algorithm was standardized by NIST in 2024, as @cite{FIPS-205}, based on an algorithm proposal called SPHINCS+. Public and private keys are small, while signatures are rather large, 7856 octets for the variant with smallest signatures. The main idea is that the private key is used as the seed for a pseudorandom generation of a large number of secret values. Each secret value is hashed, and the hashes are combined pairwise into a Merkle tree. The hash at the root of the Merkle tree is one piece of the public key. The holder of the private key can then prove knowledge of the private key by revealing one of the secret values, together with a Merkle tree inclusion proof that proves that the value is included in the public hash at the root of the tree. This idea is turned into a practical signature scheme by combining several variants of hash-based signatures and Merkle trees. The selection of secret values to reveal as part of an SLH-DSA signature depends on both the message and a deterministically generated nonce (also referred to as the message ``randomizer''). Verifying an SLH-DSA signature boils down to verifying a number of Merkle inclusion proofs, which is pretty fast; performance is in the same ballpark as verifying elliptic curve signatures. Signing, on the other hand, needs to produce all those inclusion proofs, which requires traversal of all leaves of the corresponding Merkle trees, and this is several orders of magnitude slower than signing using elliptic curves or RSA. Nettle currently implements the four SLH-DSA variants designed for ``128-bit security'': There's the choice of either SHA256 (in the SHA2 family) or SHAKE256 (in the SHA3 family) as the underlying hash function. For either hash function, there's a ``small'' variant with smaller signature size and slower signing (but faster verify operation, since verify time depends directly on the signature size), and a ``fast'' variant with faster signing time, larger signatures (and a slower verify operation). Both the private and public keys are of the same size, and each consists of two halves. It's somewhat peculiar that the public key is not derived deterministically from the private key, instead, the first half of the public key is a random seed value that should be generated independently of the private key, while the second half is the Merkle tree root hash that depends both on the private key and this public seed. Nettle defines SLH-DSA in @file{nettle/slh-dsa.h}. @defvr Constant SLH_DSA_128_KEY_SIZE Size in octets of public and private keys, 32, for SLH-DSA with 128-bit security level. @end defvr @defvr Constant SLH_DSA_128_SEED_SIZE Size in octets of the ``seed'' half of a private or public key, 16. @end defvr @defvr Constant SLH_DSA_128S_SIGNATURE_SIZE Signature size in octets for SLH-DSA with 128-bit security and the ``small'' variant, 7856. @end defvr @defvr Constant SLH_DSA_128F_SIGNATURE_SIZE Signature size in octets for SLH-DSA with 128-bit security and the ``fast'' variant, 17088. @end defvr @deftypefun void slh_dsa_shake_128s_generate_keypair (uint8_t *@var{pub}, uint8_t *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) @deftypefunx void slh_dsa_shake_128f_generate_keypair (uint8_t *@var{pub}, uint8_t *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) @deftypefunx void slh_dsa_sha2_128s_generate_keypair (uint8_t *@var{pub}, uint8_t *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) @deftypefunx void slh_dsa_sha2_128f_generate_keypair (uint8_t *@var{pub}, uint8_t *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) Generate a new keypair, public key stored at @var{pub}, private key stored at @var{key}, both of size @code{SLH_DSA_128_KEY_SIZE}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. @end deftypefun @deftypefun void slh_dsa_shake_128s_root (const uint8_t *@var{public_seed}, const uint8_t *@var{private_seed}, uint8_t *@var{root}) @deftypefunx void slh_dsa_shake_128f_root (const uint8_t *@var{public_seed}, const uint8_t *@var{private_seed}, uint8_t *@var{root}) @deftypefunx void slh_dsa_sha2_128s_root (const uint8_t *@var{public_seed}, const uint8_t *@var{private_seed}, uint8_t *@var{root}) @deftypefunx void slh_dsa_sha2_128f_root (const uint8_t *@var{public_seed}, const uint8_t *@var{private_seed}, uint8_t *@var{root}) Perform the deterministic part of key generation. @var{public_seed} and @var{private_seed} are the first halves of respective key. @var{root}, the output of this function, is the second half of the public key, i.e., typically called with @var{root} = @var{public_seed} + @code{SLH_DSA_128_SEED_SIZE}. @end deftypefun @deftypefun void slh_dsa_shake_128s_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) @deftypefunx void slh_dsa_shake_128f_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) @deftypefunx void slh_dsa_sha2_128s_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) @deftypefunx void slh_dsa_sha2_128f_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) Signs a message using the provided key pair. The size of the resulting signature is @code{SLH_DSA_128S_SIGNATURE_SIZE} or @code{SLH_DSA_128F_SIGNATURE_SIZE} for respective functions. @end deftypefun @deftypefun int slh_dsa_shake_128s_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) @deftypefunx int slh_dsa_shake_128f_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) @deftypefunx int slh_dsa_sha2_128s_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) @deftypefunx int slh_dsa_sha2_128f_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. @end deftypefun @node Randomness @section Randomness @cindex Randomness A crucial ingredient in many cryptographic contexts is randomness: Let @code{p} be a random prime, choose a random initialization vector @code{iv}, a random key @code{k} and a random exponent @code{e}, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain. Building a good randomness source is subtle, in particular if your program may run inside several layers of virtualization. Today, most operating system provides a good randomness source, e.g., @file{/dev/random} and the @code{getrandom} syscall on GNU/Linux. Please use that, possibly in combination with a @acronym{KDF}! If for some reason that is not possible and you @emph{have} to roll your own, the rest of this section provides some advice. In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name. However, such a generator is inadequate for cryptography, for at least two reasons: @itemize @item It's too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that's far too easy. For example, if the process id is 16 bits, the resolution of ``current time'' is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. @item The generator output reveals too much. By observing only a small segment of the generator's output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. @end itemize A randomness generator that is used for cryptographic purposes must have better properties. Let's first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what's unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called ``entropy'', or ``conditional entropy'' (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask @code{n} yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can't guess the seed correctly, then the conditional entropy is more than @code{n} bits. @cindex Entropy @cindex Conditional entropy Let's look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or ``unguessability'' to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are: @table @asis @item High resolution timing of i/o activities Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it's one of the better randomness source one can find in a digital, mostly predictable, computer. @item User activity Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, @acronym{TELNET} session, or even @acronym{SSH} session may be visible to an attacker, in full or partially. @item Audio input Any room, or even a microphone input that's left unconnected, is a source of some random background noise, which can be fed into the seeding process. @item Specialized hardware Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. @item Secret information Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once. @end table For all practical sources, it's difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can't observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? So let's assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). How do we generate output from this seed, and how much can we get? Some generators (notably older versions of the Linux @file{/dev/random} generator) tries to estimate available entropy and restrict the amount of output. The goal was that if you read 512 bits from @file{/dev/random}, you should get 512 ``truly random'' bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn't matter much. For most application, there's no limit on the amount of useful ``random'' data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let's call it the generator's key. The key is initialized from the unguessable seed. Important properties of a generator are: @table @dfn @item Key-hiding An attacker observing the output should not be able to recover the generator's key. @item Independence of outputs Observing some of the output should not help the attacker to guess previous or future output. @item Forward secrecy Even if an attacker compromises the generator's key, he should not be able to guess the generator output @emph{before} the key compromise. @item Recovery from key compromise If an attacker compromises the generator's key, he can compute @emph{all} future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time @code{t_1}, there is another later time @code{t_2}, such that if the attacker observes all output generated between @code{t_1} and @code{t_2}, he still can't guess what output is generated after @code{t_2}. @end table Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. @acronym{ChaCha} (@pxref{ChaCha}), like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality. There's no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. Historically ARCFOUR (@pxref{Arcfour}) has been used as a randomness generator, however it is known to be distinguishable from random data and the output leaks information about the key. The ``lagged Fibonacci'' generator in @file{} is a fast generator with good statistical properties, but is @strong{not} for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. The recommended generator to use is Yarrow, described below. @subsection Yarrow Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at @url{https://www.schneier.com/academic/yarrow/}, and it uses @acronym{SHA1} and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses @acronym{SHA256} and @acronym{AES} to get an internal state of 256 bits. Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later. Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness ``pools'', referred to as the ``slow pool'' and the ``fast pool''. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a ``fast reseed'' happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a ``slow reseed'' takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise. The output is generated by using @acronym{AES} to encrypt a counter, using the generator's current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy. Yarrow can also use a @dfn{seed file} to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. Nettle defines Yarrow-256 in @file{}. @deftp {Context struct} {struct yarrow256_ctx} @end deftp @deftp {Context struct} {struct yarrow_source} Information about a single source. @end deftp @defvr Constant YARROW256_SEED_FILE_SIZE Recommended size of the Yarrow-256 seed file. @end defvr @deftypefun void yarrow256_init (struct yarrow256_ctx *@var{ctx}, unsigned @var{nsources}, struct yarrow_source *@var{sources}) Initializes the yarrow context, and its @var{nsources} sources. It's possible to call it with @var{nsources}=0 and @var{sources}=NULL, if you don't need the update features. @end deftypefun @deftypefun void yarrow256_seed (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{seed_file}) Seeds Yarrow-256 from a previous seed file. @var{length} should be at least @code{YARROW256_SEED_FILE_SIZE}, but it can be larger. The generator will trust you that the @var{seed_file} data really is unguessable. After calling this function, you @emph{must} overwrite the old seed file with newly generated data from @code{yarrow256_random}. If it's possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. @end deftypefun @deftypefun int yarrow256_update (struct yarrow256_ctx *@var{ctx}, unsigned @var{source}, unsigned @var{entropy}, size_t @var{length}, const uint8_t *@var{data}) Updates the generator with data from source @var{SOURCE} (an index that must be smaller than the number of sources). @var{entropy} is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero @var{entropy} is always safe, no matter if the data is random or not. Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with @code{yarrow256_random} and overwrite the seed file. Otherwise, the function returns 0. @end deftypefun @deftypefun void yarrow256_random (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}) Generates @var{length} octets of output. The generator must be seeded before you call this function. If you don't need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time. @end deftypefun @deftypefun int yarrow256_is_seeded (struct yarrow256_ctx *@var{ctx}) Returns 1 if the generator is seeded and ready to generate output, otherwise 0. @end deftypefun @deftypefun unsigned yarrow256_needed_sources (struct yarrow256_ctx *@var{ctx}) Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded. @end deftypefun @deftypefun void yarrow256_fast_reseed (struct yarrow256_ctx *@var{ctx}) @deftypefunx void yarrow256_slow_reseed (struct yarrow256_ctx *@var{ctx}) Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care. @end deftypefun Nettle includes an entropy estimator for one kind of input source: User keyboard input. @deftp {Context struct} {struct yarrow_key_event_ctx} Information about recent key events. @end deftp @deftypefun void yarrow_key_event_init (struct yarrow_key_event_ctx *@var{ctx}) Initializes the context. @end deftypefun @deftypefun unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *@var{ctx}, unsigned @var{key}, unsigned @var{time}) @var{key} is the id of the key (ASCII value, hardware key code, X keysym, @dots{}, it doesn't matter), and @var{time} is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, @var{time} should be provided in units of microseconds. But if you use @code{gettimeofday} on a typical Unix system where the clock ticks 10 or so microseconds at a time, @var{time} should be given in units of 10 microseconds. Returns an entropy estimate, in bits, suitable for calling @code{yarrow256_update}. Usually, 0, 1 or 2 bits. @end deftypefun @subsection DRBG-CTR The Deterministic Random Bit Generator (DRBG) family is a complex family of deterministic randomness generators published by NIST in SP 800-90A. We support what we believe is the reasonable parts of the CTR_DRBG algorithm for AES256. Re-seeding, personalization strings, derivation functions and support for non-AES256 is not implemented. Re-seeding and personalization strings can be implemented by the caller, if desired. To implement re-seeding, use @code{drbg_ctr_aes256_update}. Similarly, personalization strings can be implemented with @code{memxor}. If you need entropy derivation, we suggest that you use Yarrow instead. The security bounds of DRBG-CTR are not intuitive, see ``Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator'' by Matthew J. Campagna, from @url{https://eprint.iacr.org/2006/379.pdf}. Our suggested use-case for DRBG-CTR is to deterministically generate known values from a seed when comparing against expected values for some other algorithm. Nettle defines DRBG-CTR in @file{}. @deftp {Context struct} {struct drbg_ctr_aes256_ctx} @end deftp @defvr Constant DRBG_CTR_AES256_SEED_SIZE The size of the seeding material. @end defvr @deftypefun void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *@var{ctx}, uint8_t *@var{seed_material}) Initialize the DRBG-CTR-AES256 context using @code{DRBG_CTR_AES256_SEED_SIZE} bytes of @var{seed_material}. @end deftypefun @deftypefun void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *@var{ctx}, size_t n, uint8_t *@var{dst}) Generates @var{n} octets of output into @var{dst}. The generator must be initialized before you call this function. @end deftypefun @deftypefun void drbg_ctr_aes256_update (struct drbg_ctr_aes256_ctx *@var{ctx}, const uint8_t *@var{provided_data}) Updates the internal state of @var{ctx} with @var{provided_data}, which is either NULL or a pointer to data of @code{DRBG_CTR_AES256_SEED_SIZE} octets. This function is used for re-seeding. @end deftypefun @node ASCII encoding @section ASCII encoding Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). The base64 encoding will always use alphanumeric (upper and lower case) characters and the '+', '/' and '=' symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There's also a ``URL safe'' variant, which is useful for encoding binary data into URLs and filenames. See @cite{RFC 4648}. The base16 encoding, also known as ``hexadecimal'', uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn't need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. The following functions can be used to perform base64 encoding and decoding. They are defined in @file{}. @deftp {Context struct} {struct base64_encode_ctx} @end deftp @deftypefun {void} base64_encode_init (struct base64_encode_ctx *@var{ctx}) @deftypefunx {void} base64url_encode_init (struct base64_encode_ctx *@var{ctx}) Initializes a base64 context. This is necessary before starting an encoding session. @code{base64_encode_init} selects the standard base64 alphabet, while @code{base64url_encode_init} selects the URL safe alphabet. @end deftypefun @deftypefun {size_t} base64_encode_single (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Encodes a single byte. Returns amount of output (always 1 or 2). @end deftypefun @deffn Macro BASE64_ENCODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base64_encode_update}. @end deffn @deftypefun {size_t} base64_encode_update (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to encode @var{length} bytes from @var{src}. The result will be placed in @var{dst}, and the return value will be the number of bytes generated. Note that @var{dst} must be at least of size BASE64_ENCODE_LENGTH(@var{length}). @end deftypefun @defvr Constant BASE64_ENCODE_FINAL_LENGTH The maximum amount of output from @code{base64_encode_final}. @end defvr @deftypefun {size_t} base64_encode_final (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated. @end deftypefun @deftp {Context struct} {struct base64_decode_ctx} @end deftp @deftypefun {void} base64_decode_init (struct base64_decode_ctx *@var{ctx}) @deftypefunx {void} base64url_decode_init (struct base64_decode_ctx *@var{ctx}) Initializes a base64 decoding context. This is necessary before starting a decoding session. @code{base64_decode_init} selects the standard base64 alphabet, while @code{base64url_decode_init} selects the URL safe alphabet. @end deftypefun @deftypefun {int} base64_decode_single (struct base64_decode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Decodes a single byte (@var{src}) and stores the result in @var{dst}. Returns amount of output (0 or 1), or -1 on errors. @end deftypefun @deffn Macro BASE64_DECODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base64_decode_update}. @end deffn @deftypefun {void} base64_decode_update (struct base64_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to decode @var{src_length} bytes from @var{src}. The buffer pointed to by @var{dst} must be of size *@var{dst_length}, and the amount of data actually generated is returned in *@var{dst_length}. Fails if @var{dst_length} is too small; using a buffer of size BASE64_DECODE_LENGTH(@var{src_length}) is always sufficient. Returns 1 on success and 0 on error. @end deftypefun @deftypefun {int} base64_decode_final (struct base64_decode_ctx *@var{ctx}) Check that final padding is correct. Returns 1 on success, and 0 on error. @end deftypefun Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in @file{}. Note that there is no encoding context necessary for doing base16 encoding. @deftypefun {void} base16_encode_single (uint8_t *@var{dst}, uint8_t @var{src}) Encodes a single byte. Always stores two digits in @var{dst}[0] and @var{dst}[1]. @end deftypefun @deffn Macro BASE16_ENCODE_LENGTH (@var{length}) The number of output bytes when passing @var{length} input bytes to @code{base16_encode_update}. @end deffn @deftypefun {void} base16_encode_update (uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) Always stores BASE16_ENCODE_LENGTH(@var{length}) digits in @var{dst}. @end deftypefun @deftp {Context struct} {struct base16_decode_ctx} @end deftp @deftypefun {void} base16_decode_init (struct base16_decode_ctx *@var{ctx}) Initializes a base16 decoding context. This is necessary before starting a decoding session. @end deftypefun @deftypefun {int} base16_decode_single (struct base16_decode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Decodes a single byte from @var{src} into @var{dst}. Returns amount of output (0 or 1), or -1 on errors. @end deftypefun @deffn Macro BASE16_DECODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base16_decode_update}. @end deffn @deftypefun {int} base16_decode_update (struct base16_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to decode @var{src_length} bytes from @var{src}. The buffer pointed to by @var{dst} must be of size *@var{dst_length}, and the amount of data actually generated is returned in *@var{dst_length}. Fails if @var{dst_length} is too small; using a buffer of size BASE16_DECODE_LENGTH(@var{src_length}) is always sufficient. Returns 1 on success and 0 on error. @end deftypefun @deftypefun {int} base16_decode_final (struct base16_decode_ctx *@var{ctx}) Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error. @end deftypefun @node Miscellaneous functions @section Miscellaneous functions @deftypefun {void *} memxor (void *@var{dst}, const void *@var{src}, size_t @var{n}) XORs the source area on top of the destination area. The interface doesn't follow the Nettle conventions, because it is intended to be similar to the ANSI-C @code{memcpy} function. @end deftypefun @deftypefun {void *} memxor3 (void *@var{dst}, const void *@var{a}, const void *@var{b}, size_t @var{n}) Like @code{memxor}, but takes two source areas and separate destination area. @end deftypefun @deftypefun int memeql_sec (const void *@var{a}, const void *@var{b}, size_t @var{n}) Side-channel silent comparison of the @var{n} bytes at @var{a} and @var{b}. I.e., instructions executed and memory accesses are identical no matter where the areas differ, @pxref{Side-channel silence}. Return non-zero if the areas are equal, and zero if they differ. @end deftypefun These functions are declared in @file{}. For compatibility with earlier versions of Nettle, @code{memxor} and @code{memxor3} are also declared in @file{}. @node Nettle soup @chapter Traditional Nettle Soup For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. @itemize @w{} @item 1 liter fresh nettles (urtica dioica) @item 2 tablespoons butter @item 3 tablespoons flour @item 1 liter stock (meat or vegetable) @item 1/2 teaspoon salt @item a tad white pepper @item some cream or milk @end itemize Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper. Serve with boiled egg-halves. @c And the original Swedish version. @ignore Recept på nässelsoppa 4 portioner 1 l färska nässlor 2 msk smör 3 msk vetemjöl 1 l kött- eller grönsaksbuljong 1/2 tsk salt 1-2 krm peppar (lite grädde eller mjölk) Plocka 1 liter färska nässlor. Använd handskar! Helst små och späda skott, men topparna av större nässlor går också bra. Skölj nässlorna väl. Förväll dem ca 10 minuter i lätt saltat vatten. Häll av och spara spadet. Hacka nässlorna. Smält smöret, rör i mjöl och späd med buljong och nässelspad. Lägg i de hackade nässlorna. Om så önskas, häll i en skvätt mjölk eller grädde. Koka några minuter, och smaksätt med salt och peppar. Servera med kokta ägghalvor. @end ignore @node Installation @chapter Installation Nettle uses @command{autoconf}, and the generated Makefile requires GNU make. To build Nettle, unpack the source and run @example ./configure make make check make install @end example @noindent to install it under the default prefix, @file{/usr/local}. By default, both static and shared libraries are built and installed. To get a list of configure options, use @code{./configure --help}. Some of the more interesting are: @table @option @item --prefix Change install location. @item --disable-fat Disable run-time detection of available processor features. Additional configure options can be used to select which features to require. @item --enable-mini-gmp Use the smaller and slower ``mini-gmp'' implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are @strong{not} binary compatible with regular builds of Nettle, and more likely to leak side-channel information. @item --disable-shared Omit building the shared libraries. @end table @node Index @unnumbered Function and Concept Index @printindex cp @bye Local Variables: ispell-local-dictionary: "american" End: @c LocalWords: cryptographics crypto LSH GNUPG API GPL LGPL aes rijndael ller @c LocalWords: Sevilla arcfour RC Niels Dassen Colin Kuchling Biham sha Ruud @c LocalWords: Gutmann twofish de Rooij struct MB Rivest RFC Nettle's ECB CBC @c LocalWords: RSA Daemen Rijnmen Schneier DES's ede structs oddnesses HMAC @c LocalWords: NIST Alice's GMP bignum Diffie Adi Shamir Adleman Euclid's ASN @c LocalWords: PKCS callbacks Young's urtica dioica autoconf SSH tad @c LocalWords: unguessability reseeding reseed alternatingly keysym subkeys @c LocalWords: DSA gmp FIPS DSS libdes OpenSSL ARCTWO Josefsson Nikos Andreas @c LocalWords: Mavroyanopoulos Sigfridsson Comstedt interoperability Sparc IC @c LocalWords: DES FIXME Rivest's plaintext ciphertext CTR XORed timestamp @c LocalWords: XORs cryptologists libnettle libhogweed GCM ECDSA NTT @c LocalWords: toolkits BLOWFISH Möller RIPEMD libgcrypt PBKDF Shishi @c LocalWords: GnuTLS Gutmann's GOSTHASH GOST Aleksey Kravchenko ECC @c LocalWords: rhash Mavrogiannopoulos Keccak Bertoni @c LocalWords: Michaël Peeters Assche Dobbertin Antoon Bosselaers KDF @c LocalWords: Preneel rôle McGrew Viega KDFs PBKDFs passphrase PRF @c LocalWords: th deallocate pre bitsize multi lookup secp startup @c LocalWords: typedef typedef nettle-4.0/nist-keywrap.c0000644000000000000000000001131015141166423012376 0ustar00/* nist-keywrap.c AES Key Wrap function. implements RFC 3394 https://tools.ietf.org/html/rfc3394 Copyright (C) 2021 Nicolas Mora 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "nist-keywrap.h" #include "memops.h" #include "macros.h" #include "bswap-internal.h" void nist_keywrap16 (const void *ctx, nettle_cipher_func *encrypt, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { union nettle_block16 I, B; union nettle_block8 A; size_t i, j, n; uint8_t *R = ciphertext + 8; /* ciphertext_length must be at least 16 * and be divisible by 8 */ assert (ciphertext_length >= 16); assert (!(ciphertext_length % 8)); n = (ciphertext_length - 8) / 8; memcpy (R, cleartext, (ciphertext_length - 8)); memcpy (A.b, iv, 8); for (j = 0; j < 6; j++) { for (i = 0; i < n; i++) { /* I = A | R[1] */ I.u64[0] = A.u64; memcpy (I.b + 8, R + (i * 8), 8); /* B = AES(K, I) */ encrypt (ctx, 16, B.b, I.b); /* A = MSB(64, B) ^ t where t = (n*j)+i */ A.u64 = B.u64[0] ^ bswap64_if_le ((n * j) + (i + 1)); /* R[i] = LSB(64, B) */ memcpy (R + (i * 8), B.b + 8, 8); } } memcpy (ciphertext, A.b, 8); } int nist_keyunwrap16 (const void *ctx, nettle_cipher_func *decrypt, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { union nettle_block16 I, B; union nettle_block8 A; int i, j; size_t n; uint8_t *R = cleartext; /* cleartext_length must be at least 8 * and be divisible by 8 */ assert (cleartext_length >= 8); assert (!(cleartext_length % 8)); n = (cleartext_length / 8); memcpy (A.b, ciphertext, 8); memcpy (R, ciphertext + 8, cleartext_length); for (j = 5; j >= 0; j--) { for (i = n - 1; i >= 0; i--) { /* B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i */ I.u64[0] = A.u64 ^ bswap64_if_le ((n * j) + (i + 1)); memcpy (I.b + 8, R + (i * 8), 8); decrypt (ctx, 16, B.b, I.b); /* A = MSB(64, B) */ A.u64 = B.u64[0]; /* R[i] = LSB(64, B) */ memcpy (R + (i * 8), B.b + 8, 8); } } return memeql_sec (A.b, iv, 8); } void aes128_keywrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { nist_keywrap16 (ctx, (nettle_cipher_func *) & aes128_encrypt, iv, ciphertext_length, ciphertext, cleartext); } void aes192_keywrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { nist_keywrap16 (ctx, (nettle_cipher_func *) & aes192_encrypt, iv, ciphertext_length, ciphertext, cleartext); } void aes256_keywrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { nist_keywrap16 (ctx, (nettle_cipher_func *) & aes256_encrypt, iv, ciphertext_length, ciphertext, cleartext); } int aes128_keyunwrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { return nist_keyunwrap16 (ctx, (nettle_cipher_func *) & aes128_decrypt, iv, cleartext_length, cleartext, ciphertext); } int aes192_keyunwrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { return nist_keyunwrap16 (ctx, (nettle_cipher_func *) & aes192_decrypt, iv, cleartext_length, cleartext, ciphertext); } int aes256_keyunwrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { return nist_keyunwrap16 (ctx, (nettle_cipher_func *) & aes256_decrypt, iv, cleartext_length, cleartext, ciphertext); } nettle-4.0/nist-keywrap.h0000644000000000000000000000566115141166424012420 0ustar00/* nist-keywrap.h AES Key Wrap function. implements RFC 3394 https://tools.ietf.org/html/rfc3394 Copyright (C) 2021 Nicolas Mora 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_NIST_KEYWRAP_H_INCLUDED #define NETTLE_NIST_KEYWRAP_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define nist_keywrap16 nettle_nist_keywrap16 #define nist_keyunwrap16 nettle_nist_keyunwrap16 #define aes128_keywrap nettle_aes128_keywrap #define aes192_keywrap nettle_aes192_keywrap #define aes256_keywrap nettle_aes256_keywrap #define aes128_keyunwrap nettle_aes128_keyunwrap #define aes192_keyunwrap nettle_aes192_keyunwrap #define aes256_keyunwrap nettle_aes256_keyunwrap void nist_keywrap16 (const void *ctx, nettle_cipher_func *encrypt, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); int nist_keyunwrap16 (const void *ctx, nettle_cipher_func *decrypt, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); void aes128_keywrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); void aes192_keywrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); void aes256_keywrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); int aes128_keyunwrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); int aes192_keyunwrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); int aes256_keyunwrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); #ifdef __cplusplus } #endif #endif /* NETTLE_NIST_KEYWRAP_H_INCLUDED */ nettle-4.0/non-nettle.c0000644000000000000000000002155415141166424012040 0ustar00/* non-nettle.c Things that are used only by the testsuite and benchmark, and not included in the library. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "non-nettle.h" #include "arcfour.h" #include "blowfish.h" #include "cbc.h" #include "chacha.h" #include "des.h" #include "salsa20.h" /* Wrapper functions discarding the return value. Needed for the ciphers with weak keys. */ static void des_set_key_wrapper (void *ctx, const uint8_t *key) { des_set_key (ctx, key); } static void des3_set_key_wrapper (void *ctx, const uint8_t *key) { des3_set_key (ctx, key); } static void blowfish128_set_key_wrapper (void *ctx, const uint8_t *key) { blowfish128_set_key (ctx, key); } const struct nettle_cipher nettle_des = { "des", sizeof(struct des_ctx), DES_BLOCK_SIZE, DES_KEY_SIZE, des_set_key_wrapper, des_set_key_wrapper, (nettle_cipher_func *) des_encrypt, (nettle_cipher_func *) des_decrypt }; const struct nettle_cipher nettle_des3 = { "des3", sizeof(struct des3_ctx), DES3_BLOCK_SIZE, DES3_KEY_SIZE, des3_set_key_wrapper, des3_set_key_wrapper, (nettle_cipher_func *) des3_encrypt, (nettle_cipher_func *) des3_decrypt }; const struct nettle_cipher nettle_blowfish128 = { "blowfish128", sizeof(struct blowfish_ctx), BLOWFISH_BLOCK_SIZE, BLOWFISH128_KEY_SIZE, blowfish128_set_key_wrapper, blowfish128_set_key_wrapper, (nettle_cipher_func *) blowfish_encrypt, (nettle_cipher_func *) blowfish_decrypt }; const struct nettle_aead nettle_arcfour128 = { "arcfour128", sizeof(struct arcfour_ctx), 1, ARCFOUR128_KEY_SIZE, 0, 0, (nettle_set_key_func *) arcfour128_set_key, (nettle_set_key_func *) arcfour128_set_key, NULL, NULL, (nettle_crypt_func *) arcfour_crypt, (nettle_crypt_func *) arcfour_crypt, NULL, }; const struct nettle_aead nettle_chacha = { "chacha", sizeof(struct chacha_ctx), CHACHA_BLOCK_SIZE, CHACHA_KEY_SIZE, CHACHA_NONCE_SIZE, 0, (nettle_set_key_func *) chacha_set_key, (nettle_set_key_func *) chacha_set_key, (nettle_set_key_func *) chacha_set_nonce, NULL, (nettle_crypt_func *) chacha_crypt, (nettle_crypt_func *) chacha_crypt, NULL, }; const struct nettle_aead nettle_salsa20 = { "salsa20", sizeof(struct salsa20_ctx), SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, SALSA20_NONCE_SIZE, 0, (nettle_set_key_func *) salsa20_256_set_key, (nettle_set_key_func *) salsa20_256_set_key, (nettle_set_key_func *) salsa20_set_nonce, NULL, (nettle_crypt_func *) salsa20_crypt, (nettle_crypt_func *) salsa20_crypt, NULL, }; const struct nettle_aead nettle_salsa20r12 = { "salsa20r12", sizeof(struct salsa20_ctx), SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, SALSA20_NONCE_SIZE, 0, (nettle_set_key_func*) salsa20_256_set_key, (nettle_set_key_func*) salsa20_256_set_key, (nettle_set_key_func*) salsa20_set_nonce, NULL, (nettle_crypt_func *) salsa20r12_crypt, (nettle_crypt_func *) salsa20r12_crypt, NULL, }; struct cbc_aes128_ctx CBC_CTX(struct aes128_ctx, AES_BLOCK_SIZE); static void cbc_aes128_set_encrypt_key(struct cbc_aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key(&ctx->ctx, key); } static void cbc_aes128_set_iv(struct cbc_aes128_ctx *ctx, const uint8_t *iv) { CBC_SET_IV(ctx, iv); } static void cbc_aes128_encrypt_wrapper(struct cbc_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { cbc_aes128_encrypt(&ctx->ctx, ctx->iv, length, dst, src); } const struct nettle_aead nettle_cbc_aes128 = { "cbc_aes128", sizeof(struct cbc_aes128_ctx), AES_BLOCK_SIZE, AES128_KEY_SIZE, AES_BLOCK_SIZE, 0, (nettle_set_key_func*) cbc_aes128_set_encrypt_key, NULL, (nettle_set_key_func*) cbc_aes128_set_iv, NULL, (nettle_crypt_func *) cbc_aes128_encrypt_wrapper, NULL, NULL, }; struct cbc_aes192_ctx CBC_CTX(struct aes192_ctx, AES_BLOCK_SIZE); static void cbc_aes192_set_encrypt_key(struct cbc_aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key(&ctx->ctx, key); } static void cbc_aes192_set_iv(struct cbc_aes192_ctx *ctx, const uint8_t *iv) { CBC_SET_IV(ctx, iv); } static void cbc_aes192_encrypt_wrapper(struct cbc_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { cbc_aes192_encrypt(&ctx->ctx, ctx->iv, length, dst, src); } const struct nettle_aead nettle_cbc_aes192 = { "cbc_aes192", sizeof(struct cbc_aes192_ctx), AES_BLOCK_SIZE, AES192_KEY_SIZE, AES_BLOCK_SIZE, 0, (nettle_set_key_func*) cbc_aes192_set_encrypt_key, NULL, (nettle_set_key_func*) cbc_aes192_set_iv, NULL, (nettle_crypt_func *) cbc_aes192_encrypt_wrapper, NULL, NULL, }; struct cbc_aes256_ctx CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE); static void cbc_aes256_set_encrypt_key(struct cbc_aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key(&ctx->ctx, key); } static void cbc_aes256_set_iv(struct cbc_aes256_ctx *ctx, const uint8_t *iv) { CBC_SET_IV(ctx, iv); } static void cbc_aes256_encrypt_wrapper(struct cbc_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { cbc_aes256_encrypt(&ctx->ctx, ctx->iv, length, dst, src); } const struct nettle_aead nettle_cbc_aes256 = { "cbc_aes256", sizeof(struct cbc_aes256_ctx), AES_BLOCK_SIZE, AES256_KEY_SIZE, AES_BLOCK_SIZE, 0, (nettle_set_key_func*) cbc_aes256_set_encrypt_key, NULL, (nettle_set_key_func*) cbc_aes256_set_iv, NULL, (nettle_crypt_func *) cbc_aes256_encrypt_wrapper, NULL, NULL, }; static void ocb_aes128_set_encrypt_key_wrapper (struct ocb_aes128_ctx *ctx, const uint8_t *key) { ocb_aes128_set_encrypt_key(&ctx->key, key); } static void ocb_aes128_set_decrypt_key_wrapper (struct ocb_aes128_ctx *ctx, const uint8_t *key) { ocb_aes128_set_decrypt_key(&ctx->key, &ctx->decrypt, key); } static void ocb_aes128_set_nonce_wrapper (struct ocb_aes128_ctx *ctx, const uint8_t *nonce) { ocb_aes128_set_nonce (&ctx->ocb, &ctx->key, OCB_DIGEST_SIZE, OCB_NONCE_SIZE, nonce); } static void ocb_aes128_update_wrapper (struct ocb_aes128_ctx *ctx, size_t length, const uint8_t *data) { ocb_aes128_update (&ctx->ocb, &ctx->key, length, data); } static void ocb_aes128_encrypt_wrapper (struct ocb_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ocb_aes128_encrypt (&ctx->ocb, &ctx->key, length, dst, src); } static void ocb_aes128_decrypt_wrapper (struct ocb_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ocb_aes128_decrypt (&ctx->ocb, &ctx->key, &ctx->decrypt, length, dst, src); } static void ocb_aes128_digest_wrapper (struct ocb_aes128_ctx *ctx, uint8_t *digest) { ocb_aes128_digest (&ctx->ocb, &ctx->key, digest); } const struct nettle_aead nettle_ocb_aes128 = { "ocb_aes128", sizeof(struct ocb_aes128_ctx), OCB_BLOCK_SIZE, AES128_KEY_SIZE, OCB_NONCE_SIZE, OCB_DIGEST_SIZE, (nettle_set_key_func *) ocb_aes128_set_encrypt_key_wrapper, (nettle_set_key_func *) ocb_aes128_set_decrypt_key_wrapper, (nettle_set_key_func *) ocb_aes128_set_nonce_wrapper, (nettle_hash_update_func *) ocb_aes128_update_wrapper, (nettle_crypt_func *) ocb_aes128_encrypt_wrapper, (nettle_crypt_func *) ocb_aes128_decrypt_wrapper, (nettle_hash_digest_func *) ocb_aes128_digest_wrapper }; /* For 96-bit tag */ static void ocb_aes128_t96_set_nonce (struct ocb_aes128_ctx *ctx, const uint8_t *nonce) { ocb_aes128_set_nonce (&ctx->ocb, &ctx->key, 12, OCB_NONCE_SIZE, nonce); } const struct nettle_aead nettle_ocb_aes128_t96 = { "ocb_aes128", sizeof(struct ocb_aes128_ctx), OCB_BLOCK_SIZE, AES128_KEY_SIZE, OCB_NONCE_SIZE, 12, (nettle_set_key_func *) ocb_aes128_set_encrypt_key_wrapper, (nettle_set_key_func *) ocb_aes128_set_decrypt_key_wrapper, (nettle_set_key_func *) ocb_aes128_t96_set_nonce, (nettle_hash_update_func *) ocb_aes128_update_wrapper, (nettle_crypt_func *) ocb_aes128_encrypt_wrapper, (nettle_crypt_func *) ocb_aes128_decrypt_wrapper, (nettle_hash_digest_func *) ocb_aes128_digest_wrapper, }; nettle-4.0/non-nettle.h0000644000000000000000000000624515141166424012045 0ustar00/* non-nettle.h Things that are used only by the testsuite and benchmark, and not included in the library. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_NON_NETTLE_H_INCLUDED #define NETTLE_NON_NETTLE_H_INCLUDED #include "nettle-meta.h" #include "ocb.h" #include "aes.h" /* Doesn't quite fit with the other algorithms, because of the weak * keys. Weak keys are not reported, the functions will simply crash * if you try to use a weak key. */ extern const struct nettle_cipher nettle_des; extern const struct nettle_cipher nettle_des3; extern const struct nettle_cipher nettle_blowfish128; extern const struct nettle_cipher nettle_unified_aes128; extern const struct nettle_cipher nettle_unified_aes192; extern const struct nettle_cipher nettle_unified_aes256; /* Stream ciphers treated as aead algorithms with no authentication. */ extern const struct nettle_aead nettle_arcfour128; extern const struct nettle_aead nettle_chacha; extern const struct nettle_aead nettle_salsa20; extern const struct nettle_aead nettle_salsa20r12; /* All-in-one CBC encrypt functinos treated as AEAD with no authentication and no decrypt method. */ extern const struct nettle_aead nettle_cbc_aes128; extern const struct nettle_aead nettle_cbc_aes192; extern const struct nettle_aead nettle_cbc_aes256; extern const struct nettle_aead nettle_openssl_gcm_aes128; extern const struct nettle_aead nettle_openssl_gcm_aes192; extern const struct nettle_aead nettle_openssl_gcm_aes256; /* Glue to openssl, for comparative benchmarking. Code in * examples/nettle-openssl.c. */ extern const struct nettle_cipher nettle_openssl_aes128; extern const struct nettle_cipher nettle_openssl_aes192; extern const struct nettle_cipher nettle_openssl_aes256; extern const struct nettle_hash nettle_openssl_md5; extern const struct nettle_hash nettle_openssl_sha1; /* OCB-declarations to be moved to a public header file, once it's settled which nonce and tag sizes to use. */ #define OCB_NONCE_SIZE 12 struct ocb_aes128_ctx { struct ocb_ctx ocb; struct ocb_aes128_encrypt_key key; struct aes128_ctx decrypt; }; extern const struct nettle_aead nettle_ocb_aes128; extern const struct nettle_aead nettle_ocb_aes128_t96; #endif /* NETTLE_NON_NETTLE_H_INCLUDED */ nettle-4.0/oaep.c0000644000000000000000000001563315141166424010702 0ustar00/* oaep.c PKCS#1 RSA-OAEP (RFC-8017). Copyright (C) 2021-2024 Nicolas Mora Copyright (C) 2024 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "oaep.h" #include "gmp-glue.h" #include "memops.h" #include "memxor.h" #include "nettle-internal.h" #include "pss-mgf1.h" #include #include /* Inputs are always cast to uint32_t values. But all values used in this * function should never exceed the maximum value of a uint32_t anyway. * these macros returns 1 on success, 0 on failure */ #define NOT_EQUAL(a, b) \ ((0U - ((uint32_t)(a) ^ (uint32_t)(b))) >> 31) #define EQUAL(a, b) (IS_ZERO_SMALL ((a) ^ (b))) #define GREATER_OR_EQUAL(a, b) \ (1U - (((uint32_t)(a) - (uint32_t)(b)) >> 31)) /* This is a copy of _pkcs1_sec_decrypt_variable with a slight * modification for the padding format. */ static int _oaep_sec_decrypt_variable(size_t *length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message, volatile size_t offset) { volatile int not_found = 1; volatile int ok = 1; size_t buflen, msglen; size_t shift, i; /* length is discovered in a side-channel silent way. * not_found goes to 0 when the terminator is found. */ for (i = offset; i < padded_message_length; i++) { not_found &= NOT_EQUAL(padded_message[i], 1); offset += not_found; } /* check if we ran out of buffer */ ok &= NOT_EQUAL(not_found, 1); /* skip terminator */ offset++; /* offset can be up to padded_message_length, due to the loop above, * therefore msglen can't underflow */ msglen = padded_message_length - offset; /* we always fill the whole buffer but only up to * padded_message_length length */ buflen = *length; if (buflen > padded_message_length) { /* input independent branch */ buflen = padded_message_length; } /* if the message length is larger than the buffer we must fail */ ok &= GREATER_OR_EQUAL(buflen, msglen); /* fill destination buffer fully regardless of outcome. Copies the message * in a memory access independent way. The destination message buffer will * be clobbered past the message length. */ shift = padded_message_length - buflen; cnd_memcpy(ok, message, padded_message + shift, buflen); offset -= shift; /* In this loop, the bits of the 'offset' variable are used as shifting * conditions, starting from the least significant bit. The end result is * that the buffer is shifted left exactly 'offset' bytes. */ for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) { /* 'ok' is both a least significant bit mask and a condition */ cnd_memcpy(offset & ok, message, message + shift, buflen - shift); } /* update length only if we succeeded, otherwise leave unchanged */ *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); return ok; } int _oaep_decode_mgf1 (const uint8_t *em, size_t key_size, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message) { const uint8_t *db; size_t db_length; const uint8_t *seed; TMP_GMP_DECL(db_mask, uint8_t); uint8_t seed_mask[NETTLE_MAX_HASH_DIGEST_SIZE]; uint8_t lhash[NETTLE_MAX_HASH_DIGEST_SIZE]; int ok = 1; assert (key_size >= 2 * hash->digest_size - 2); /* EM = 0x00 || maskedSeed || maskedDB */ ok &= EQUAL(*em, 0); seed = em + 1; db = seed + hash->digest_size; db_length = key_size - hash->digest_size - 1; TMP_GMP_ALLOC(db_mask, db_length); /* seedMask = MGF(maskedDB, hLen) */ hash->init (hash_ctx); hash->update (hash_ctx, db_length, db); pss_mgf1 (hash_ctx, hash, hash->digest_size, seed_mask); /* seed = maskedSeed \xor seedMask */ memxor (seed_mask, seed, hash->digest_size); /* dbMask = MGF(seed, seed - hLen - 1) */ hash->init (hash_ctx); hash->update (hash_ctx, hash->digest_size, seed_mask); pss_mgf1 (hash_ctx, hash, db_length, db_mask); /* DB = maskedDB \xor dbMask */ memxor (db_mask, db, db_length); hash->init (hash_ctx); hash->update (hash_ctx, label_length, label); hash->digest (hash_ctx, lhash); ok &= memeql_sec (db_mask, lhash, hash->digest_size); ok &= _oaep_sec_decrypt_variable (length, message, db_length, db_mask, hash->digest_size); TMP_GMP_FREE (db_mask); return ok; } int _oaep_encode_mgf1 (mpz_t m, size_t key_size, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t message_length, const uint8_t *message) { TMP_GMP_DECL(em, uint8_t); TMP_GMP_DECL(db_mask, uint8_t); uint8_t *db; size_t db_length; uint8_t *seed; uint8_t seed_mask[NETTLE_MAX_HASH_DIGEST_SIZE]; if (message_length > key_size || message_length + 2 + 2 * hash->digest_size > key_size) return 0; TMP_GMP_ALLOC(em, key_size); TMP_GMP_ALLOC(db_mask, key_size); /* EM = 0x00 || maskedSeed || maskedDB */ *em = 0; seed = em + 1; db = seed + hash->digest_size; db_length = key_size - hash->digest_size - 1; /* DB = Hash(L) || PS || 0x01 || M */ memset (db, 0, db_length); hash->init (hash_ctx); hash->update (hash_ctx, label_length, label); hash->digest (hash_ctx, db); memcpy (&db[db_length - message_length], message, message_length); db[db_length - message_length - 1] = 0x01; /* Generate seed */ random (random_ctx, hash->digest_size, seed); /* dbMask = MGF(seed, k - hLen - 1) */ hash->init (hash_ctx); hash->update (hash_ctx, hash->digest_size, seed); pss_mgf1 (hash_ctx, hash, db_length, db_mask); /* maskedDB = DB \xor dbMask */ memxor (db, db_mask, db_length); /* seedMask = MGF(maskedDB, hLen) */ hash->init (hash_ctx); hash->update (hash_ctx, db_length, db); pss_mgf1 (hash_ctx, hash, hash->digest_size, seed_mask); /* maskedSeed = seed \xor seedMask */ memxor (seed, seed_mask, hash->digest_size); nettle_mpz_set_str_256_u (m, key_size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (db_mask); return 1; } nettle-4.0/oaep.h0000644000000000000000000000353015141166424010700 0ustar00/* oaep.h PKCS#1 RSA-OAEP (RFC-8017). Copyright (C) 2021-2024 Nicolas Mora Copyright (C) 2024 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_OAEP_H_INCLUDED #define NETTLE_OAEP_H_INCLUDED #include "nettle-meta.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define _oaep_encode_mgf1 _nettle_oaep_encode_mgf1 #define _oaep_decode_mgf1 _nettle_oaep_decode_mgf1 int _oaep_decode_mgf1 (const uint8_t *em, size_t key_size, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message); int _oaep_encode_mgf1 (mpz_t m, size_t key_size, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t message_length, const uint8_t *message); #ifdef __cplusplus } #endif #endif /* NETTLE_OAEP_H_INCLUDED */ nettle-4.0/ocb-aes128.c0000644000000000000000000000734415141166424011522 0ustar00/* ocb-aes128.c Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ocb.h" void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *ocb_key, const uint8_t *key) { aes128_set_encrypt_key (&ocb_key->encrypt, key); ocb_set_key (&ocb_key->ocb, &ocb_key->encrypt, (nettle_cipher_func *) aes128_encrypt); } void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *ocb_key, struct aes128_ctx *decrypt, const uint8_t *key) { ocb_aes128_set_encrypt_key (ocb_key, key); aes128_invert_key (decrypt, &ocb_key->encrypt); } void ocb_aes128_set_nonce (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t tag_length, size_t nonce_length, const uint8_t *nonce) { ocb_set_nonce (ctx, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, tag_length, nonce_length, nonce); } void ocb_aes128_update (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, const uint8_t *data) { ocb_update (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, length, data); } void ocb_aes128_encrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *dst, const uint8_t *src) { ocb_encrypt (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ocb_aes128_decrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t length, uint8_t *dst, const uint8_t *src) { ocb_decrypt (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, decrypt, (nettle_cipher_func *) aes128_decrypt, length, dst, src); } void ocb_aes128_digest(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, uint8_t *digest) { ocb_digest (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, digest); } void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ocb_encrypt_message (&key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ocb_decrypt_message (&key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, &decrypt, (nettle_cipher_func *) aes128_decrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-4.0/ocb.c0000644000000000000000000002740115141166424010515 0ustar00/* ocb.c OCB AEAD mode, RFC 7253 Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ocb.h" #include "block-internal.h" #include "bswap-internal.h" #include "memops.h" #define OCB_MAX_BLOCKS 16 /* Returns 64 bits from the concatenation (u0, u1), starting from bit offset. */ static inline uint64_t extract(uint64_t u0, uint64_t u1, unsigned offset) { if (offset == 0) return u0; u0 = bswap64_if_le(u0); u1 = bswap64_if_le(u1); return bswap64_if_le((u0 << offset) | (u1 >> (64 - offset))); } void ocb_set_key (struct ocb_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; f (cipher, OCB_BLOCK_SIZE, key->L[0].b, zero_block.b); block16_mulx_be (&key->L[1], &key->L[0]); block16_mulx_be (&key->L[2], &key->L[1]); } static void pad_block (union nettle_block16 *block, size_t length, const uint8_t *data) { memcpy (block->b, data, length); block->b[length] = 0x80; memset (block->b + length + 1, 0, OCB_BLOCK_SIZE - 1 - length); } void ocb_set_nonce (struct ocb_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t tag_length, size_t nonce_length, const uint8_t *nonce) { union nettle_block16 top; uint64_t stretch; unsigned bottom; assert (nonce_length < 16); assert (tag_length > 0); assert (tag_length <= 16); ctx->tag_length = tag_length; /* Bit size, or zero for tag_length == 16 */ top.b[0] = (tag_length & 15) << 4; memset (top.b + 1, 0, 15 - nonce_length); top.b[15 - nonce_length] |= 1; memcpy (top.b + 16 - nonce_length, nonce, nonce_length); bottom = top.b[15] & 0x3f; top.b[15] &= 0xc0; f (cipher, OCB_BLOCK_SIZE, top.b, top.b); stretch = top.u64[0]; #if WORDS_BIGENDIAN stretch ^= (top.u64[0] << 8) | (top.u64[1] >> 56); #else stretch ^= (top.u64[0] >> 8) | (top.u64[1] << 56); #endif ctx->initial.u64[0] = extract(top.u64[0], top.u64[1], bottom); ctx->initial.u64[1] = extract(top.u64[1], stretch, bottom); ctx->sum.u64[0] = ctx->sum.u64[1] = 0; ctx->checksum.u64[0] = ctx->checksum.u64[1] = 0; ctx->data_count = ctx->message_count = 0; } /* Construct x^k L[2], where k > 0 is the number of trailing zero bits in count, where count should be even. */ static void ocb_mul_xk (const struct ocb_key *key, uint64_t count, union nettle_block16 *dst) { assert (count > 1); /* In principle, count should always be even, but since the initial shift below discards a bit, it works fine also if count is the intended even number + 1. */ block16_mulx_be (dst, &key->L[2]); for (count >>= 1; !(count&1); count >>= 1) block16_mulx_be (dst, dst); } static void ocb_fill_n (const struct ocb_key *key, union nettle_block16 *offset, uint64_t count, size_t n, union nettle_block16 *o) { union nettle_block16 diff; union nettle_block16 *prev; assert (n > 0); if (count & 1) prev = offset; else { /* Do a single block to align block count. */ count++; /* Always odd. */ block16_xor (offset, &key->L[2]); block16_set (&o[0], offset); prev = o; n--; o++; } for (; n >= 2; n -= 2, o += 2) { count += 2; /* Always odd. */ /* Based on trailing zeros of count - 1, the initial shift below discards a one bit. */ ocb_mul_xk (key, count, &diff); block16_xor3 (&o[0], prev, &diff); block16_xor3 (&o[1], &o[0], &key->L[2]); prev = &o[1]; } block16_set(offset, prev); if (n > 0) { ocb_mul_xk (key, ++count, &diff); block16_xor (offset, &diff); block16_set (o, offset); } } void ocb_update (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { union nettle_block16 block[OCB_MAX_BLOCKS]; size_t n = length / OCB_BLOCK_SIZE; assert (ctx->message_count == 0); if (ctx->data_count == 0) ctx->offset.u64[0] = ctx->offset.u64[1] = 0; while (n > 0) { size_t size, i; size_t blocks = (n <= OCB_MAX_BLOCKS) ? n : OCB_MAX_BLOCKS - 1 + (ctx->data_count & 1); ocb_fill_n (key, &ctx->offset, ctx->data_count, blocks, block); ctx->data_count += blocks; size = blocks * OCB_BLOCK_SIZE; memxor (block[0].b, data, size); f (cipher, size, block[0].b, block[0].b); for (i = 0; i < blocks; i++) block16_xor(&ctx->sum, &block[i]); n -= blocks; data += size; } length &= 15; if (length > 0) { union nettle_block16 block; pad_block (&block, length, data); block16_xor (&ctx->offset, &key->L[0]); block16_xor (&block, &ctx->offset); f (cipher, OCB_BLOCK_SIZE, block.b, block.b); block16_xor (&ctx->sum, &block); } } static void ocb_crypt_n (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t n, uint8_t *dst, const uint8_t *src) { union nettle_block16 o[OCB_MAX_BLOCKS], block[OCB_MAX_BLOCKS]; size_t size; while (n > 0) { size_t blocks = (n <= OCB_MAX_BLOCKS) ? n : OCB_MAX_BLOCKS - 1 + (ctx->message_count & 1); ocb_fill_n (key, &ctx->offset, ctx->message_count, blocks, o); ctx->message_count += blocks; size = blocks * OCB_BLOCK_SIZE; memxor3 (block[0].b, o[0].b, src, size); f (cipher, size, block[0].b, block[0].b); memxor3 (dst, block[0].b, o[0].b, size); n -= blocks; src += size; dst += size; } } /* Rotate bytes c positions to the right, in memory order. */ #if WORDS_BIGENDIAN # define MEM_ROTATE_RIGHT(c, s0, s1) do { \ uint64_t __rotate_t = ((s0) >> (8*(c))) | ((s1) << (64-8*(c))); \ (s1) = ((s1) >> (8*(c))) | ((s0) << (64-8*(c))); \ (s0) = __rotate_t; \ } while (0) #else # define MEM_ROTATE_RIGHT(c, s0, s1) do { \ uint64_t __rotate_t = ((s0) << (8*(c))) | ((s1) >> (64-8*(c))); \ (s1) = ((s1) << (8*(c))) | ((s0) >> (64-8*(c))); \ (s0) = __rotate_t; \ } while (0) #endif /* Mask for the first c bytes in memory */ #if WORDS_BIGENDIAN # define MEM_MASK(c) (-((uint64_t) 1 << (64 - 8*(c)))) #else # define MEM_MASK(c) (((uint64_t) 1 << (8*(c))) - 1) #endif /* Checksum of n complete blocks. */ static void ocb_checksum_n (union nettle_block16 *checksum, size_t n, const uint8_t *src) { unsigned initial; uint64_t edge_word = 0; uint64_t s0, s1; if (n == 1) { memxor (checksum->b, src, OCB_BLOCK_SIZE); return; } /* Initial unaligned bytes. */ initial = -(uintptr_t) src & 7; if (initial > 0) { /* Input not 64-bit aligned. Read initial bytes. */ unsigned i; /* Edge word is read in big-endian order */ for (i = initial; i > 0; i--) edge_word = (edge_word << 8) + *src++; n--; } /* Now src is 64-bit aligned, so do 64-bit reads. */ for (s0 = s1 = 0 ; n > 0; n--, src += OCB_BLOCK_SIZE) { s0 ^= ((const uint64_t *) src)[0]; s1 ^= ((const uint64_t *) src)[1]; } if (initial > 0) { unsigned i; uint64_t mask; s0 ^= ((const uint64_t *) src)[0]; for (i = 8 - initial, src += 8; i > 0; i--) edge_word = (edge_word << 8) + *src++; /* Rotate [s0, s1] right initial bytes. */ MEM_ROTATE_RIGHT(initial, s0, s1); /* Add in the edge bytes. */ mask = MEM_MASK(initial); edge_word = bswap64_if_le (edge_word); s0 ^= (edge_word & mask); s1 ^= (edge_word & ~mask); } checksum->u64[0] ^= s0; checksum->u64[1] ^= s1; } void ocb_encrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { size_t n = length / OCB_BLOCK_SIZE; if (ctx->message_count == 0) ctx->offset = ctx->initial; if (n > 0) { ocb_checksum_n (&ctx->checksum, n, src); ocb_crypt_n (ctx, key, cipher, f, n, dst, src); length &= 15; } if (length > 0) { union nettle_block16 block; src += n*OCB_BLOCK_SIZE; dst += n*OCB_BLOCK_SIZE; pad_block (&block, length, src); block16_xor (&ctx->checksum, &block); block16_xor (&ctx->offset, &key->L[0]); f (cipher, OCB_BLOCK_SIZE, block.b, ctx->offset.b); memxor3 (dst, block.b, src, length); ctx->message_count++; } } void ocb_decrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t length, uint8_t *dst, const uint8_t *src) { size_t n = length / OCB_BLOCK_SIZE; if (ctx->message_count == 0) ctx->offset = ctx->initial; if (n > 0) { ocb_crypt_n (ctx, key, decrypt_ctx, decrypt, n, dst, src); ocb_checksum_n (&ctx->checksum, n, dst); length &= 15; } if (length > 0) { union nettle_block16 block; src += n*OCB_BLOCK_SIZE; dst += n*OCB_BLOCK_SIZE; block16_xor (&ctx->offset, &key->L[0]); encrypt (encrypt_ctx, OCB_BLOCK_SIZE, block.b, ctx->offset.b); memxor3 (dst, block.b, src, length); pad_block (&block, length, dst); block16_xor (&ctx->checksum, &block); ctx->message_count++; } } void ocb_digest (const struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest) { union nettle_block16 block; block16_xor3 (&block, &key->L[1], (ctx->message_count > 0) ? &ctx->offset : &ctx->initial); block16_xor (&block, &ctx->checksum); f (cipher, OCB_BLOCK_SIZE, block.b, block.b); assert (ctx->tag_length <= OCB_BLOCK_SIZE); memxor3 (digest, block.b, ctx->sum.b, ctx->tag_length); } void ocb_encrypt_message (const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { struct ocb_ctx ctx; assert (clength >= tlength); ocb_set_nonce (&ctx, cipher, f, tlength, nlength, nonce); ocb_update (&ctx, key, cipher, f, alength, adata); ocb_encrypt (&ctx, key, cipher, f, clength - tlength, dst, src); ocb_digest (&ctx, key, cipher, f, dst + clength - tlength); } int ocb_decrypt_message (const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { struct ocb_ctx ctx; union nettle_block16 digest; ocb_set_nonce (&ctx, encrypt_ctx, encrypt, tlength, nlength, nonce); ocb_update (&ctx, key, encrypt_ctx, encrypt, alength, adata); ocb_decrypt (&ctx, key, encrypt_ctx, encrypt, decrypt_ctx, decrypt, mlength, dst, src); ocb_digest (&ctx, key, encrypt_ctx, encrypt, digest.b); return memeql_sec(digest.b, src + mlength, tlength); } nettle-4.0/ocb.h0000644000000000000000000001366615141166424010532 0ustar00/* ocb.h OCB AEAD mode, RFC 7253 Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_OCB_H_INCLUDED #define NETTLE_OCB_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ocb_set_key nettle_ocb_set_key #define ocb_set_nonce nettle_ocb_set_nonce #define ocb_update nettle_ocb_update #define ocb_encrypt nettle_ocb_encrypt #define ocb_decrypt nettle_ocb_decrypt #define ocb_digest nettle_ocb_digest #define ocb_encrypt_message nettle_ocb_encrypt_message #define ocb_decrypt_message nettle_ocb_decrypt_message #define ocb_aes128_set_encrypt_key nettle_ocb_aes128_set_encrypt_key #define ocb_aes128_set_decrypt_key nettle_ocb_aes128_set_decrypt_key #define ocb_aes128_set_nonce nettle_ocb_aes128_set_nonce #define ocb_aes128_update nettle_ocb_aes128_update #define ocb_aes128_encrypt nettle_ocb_aes128_encrypt #define ocb_aes128_decrypt nettle_ocb_aes128_decrypt #define ocb_aes128_digest nettle_ocb_aes128_digest #define ocb_aes128_encrypt_message nettle_ocb_aes128_encrypt_message #define ocb_aes128_decrypt_message nettle_ocb_aes128_decrypt_message #define OCB_BLOCK_SIZE 16 #define OCB_DIGEST_SIZE 16 #define OCB_MAX_NONCE_SIZE 15 struct ocb_key { /* L_*, L_$ and L_0, and one reserved entry */ union nettle_block16 L[4]; }; struct ocb_ctx { /* Initial offset, Offset_0 in the spec. */ union nettle_block16 initial; /* Offset, updated per block. */ union nettle_block16 offset; /* Authentication for the associated data */ union nettle_block16 sum; /* Authentication for the message */ union nettle_block16 checksum; unsigned short tag_length; /* Count of processed blocks. */ uint32_t data_count; uint64_t message_count; }; void ocb_set_key (struct ocb_key *key, const void *cipher, nettle_cipher_func *f); void ocb_set_nonce (struct ocb_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t tag_length, size_t nonce_length, const uint8_t *nonce); void ocb_update (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data); void ocb_encrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ocb_decrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t length, uint8_t *dst, const uint8_t *src); void ocb_digest (const struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, uint8_t *digest); void ocb_encrypt_message (const struct ocb_key *ocb_key, const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ocb_decrypt_message (const struct ocb_key *ocb_key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* OCB-AES */ /* This struct represents an expanded key for ocb-aes encryption. For decryption, a separate decryption context is needed as well. */ struct ocb_aes128_encrypt_key { struct ocb_key ocb; struct aes128_ctx encrypt; }; void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *ocb, const uint8_t *key); void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *ocb, struct aes128_ctx *decrypt, const uint8_t *key); void ocb_aes128_set_nonce (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t tag_length, size_t nonce_length, const uint8_t *nonce); void ocb_aes128_update (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, const uint8_t *data); void ocb_aes128_encrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *dst, const uint8_t *src); void ocb_aes128_decrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t length, uint8_t *dst, const uint8_t *src); void ocb_aes128_digest(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, uint8_t *digest); void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_OCB_H_INCLUDED */ nettle-4.0/pbkdf2-hmac-gosthash94.c0000644000000000000000000000312515141166424014020 0ustar00/* pbkdf2-hmac-gosthash94.c PKCS #5 PBKDF2 used with HMAC-GOSTHASH94CP. Copyright (C) 2016 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_gosthash94cp_ctx gosthash94cpctx; hmac_gosthash94cp_set_key (&gosthash94cpctx, key_length, key); PBKDF2 (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-4.0/pbkdf2-hmac-sha1.c0000644000000000000000000000300515141166424012654 0ustar00/* pbkdf2-hmac-sha1.c PKCS #5 PBKDF2 used with HMAC-SHA1, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha1_ctx sha1ctx; hmac_sha1_set_key (&sha1ctx, key_length, key); PBKDF2 (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-4.0/pbkdf2-hmac-sha256.c0000644000000000000000000000304115141166424013030 0ustar00/* pbkdf2-hmac-sha256.c PKCS #5 PBKDF2 used with HMAC-SHA256, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha256_ctx sha256ctx; hmac_sha256_set_key (&sha256ctx, key_length, key); PBKDF2 (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-4.0/pbkdf2-hmac-sha384.c0000644000000000000000000000301415141166424013032 0ustar00/* pbkdf2-hmac-sha384.c Copyright (C) 2012 Simon Josefsson Copyright (C) 2021 Nicolas Mora This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha384_ctx sha384ctx; hmac_sha384_set_key (&sha384ctx, key_length, key); PBKDF2 (&sha384ctx, hmac_sha384_update, hmac_sha384_digest, SHA384_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-4.0/pbkdf2-hmac-sha512.c0000644000000000000000000000301415141166424013023 0ustar00/* pbkdf2-hmac-sha512.c Copyright (C) 2012 Simon Josefsson Copyright (C) 2021 Nicolas Mora This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha512_ctx sha512ctx; hmac_sha512_set_key (&sha512ctx, key_length, key); PBKDF2 (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-4.0/pbkdf2.c0000644000000000000000000000445715141166424011130 0ustar00/* pbkdf2.c PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pbkdf2.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { TMP_DECL(U, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL(T, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); unsigned i; assert (iterations > 0); if (length == 0) return; TMP_ALLOC (U, digest_size); TMP_ALLOC (T, digest_size); for (i = 1;; i++, dst += digest_size, length -= digest_size) { uint8_t tmp[4]; uint8_t *prev; unsigned u; WRITE_UINT32 (tmp, i); update (mac_ctx, salt_length, salt); update (mac_ctx, sizeof(tmp), tmp); digest (mac_ctx, T); prev = T; for (u = 1; u < iterations; u++, prev = U) { update (mac_ctx, digest_size, prev); digest (mac_ctx, U); memxor (T, U, digest_size); } if (length <= digest_size) { memcpy (dst, T, length); return; } memcpy (dst, T, digest_size); } } nettle-4.0/pbkdf2.h0000644000000000000000000000610315141166424011123 0ustar00/* pbkdf2.h PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PBKDF2_H_INCLUDED #define NETTLE_PBKDF2_H_INCLUDED #include "nettle-meta.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pbkdf2 nettle_pbkdf2 #define pbkdf2_hmac_sha1 nettle_pbkdf2_hmac_sha1 #define pbkdf2_hmac_sha256 nettle_pbkdf2_hmac_sha256 #define pbkdf2_hmac_sha384 nettle_pbkdf2_hmac_sha384 #define pbkdf2_hmac_sha512 nettle_pbkdf2_hmac_sha512 #define pbkdf2_hmac_gosthash94cp nettle_pbkdf2_hmac_gosthash94cp void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); #define PBKDF2(ctx, update, digest, digest_size, \ iterations, salt_length, salt, length, dst) \ (0 ? ((update)((ctx), 0, (uint8_t *) 0), \ (digest)((ctx), (uint8_t *) 0)) \ : pbkdf2 ((ctx), \ (nettle_hash_update_func *)(update), \ (nettle_hash_digest_func *)(digest), \ (digest_size), (iterations), \ (salt_length), (salt), (length), (dst))) /* PBKDF2 with specific PRFs. */ void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_PBKDF2_H_INCLUDED */ nettle-4.0/pkcs1-decrypt.c0000644000000000000000000000304515141166424012441 0ustar00/* pkcs1-decrypt.c The RSA publickey algorithm. PKCS#1 decryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "pkcs1.h" #include "pkcs1-internal.h" #include "bignum.h" #include "gmp-glue.h" int pkcs1_decrypt (size_t key_size, const mpz_t m, size_t *length, uint8_t *message) { TMP_GMP_DECL(em, uint8_t); int ret; TMP_GMP_ALLOC(em, key_size); nettle_mpz_get_str_256(key_size, em, m); ret = _pkcs1_sec_decrypt_variable (length, message, key_size, em); TMP_GMP_FREE(em); return ret; } nettle-4.0/pkcs1-encrypt.c0000644000000000000000000000431615141166424012455 0ustar00/* pkcs1-encrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pkcs1.h" #include "bignum.h" #include "gmp-glue.h" int pkcs1_encrypt (size_t key_size, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t m) { TMP_GMP_DECL(em, uint8_t); size_t padding; size_t i; /* The message is encoded as a string of the same length as the * modulo n, of the form * * 00 02 pad 00 message * * where padding should be at least 8 pseudorandomly generated * *non-zero* octets. */ if (length + 11 > key_size) /* Message too long for this key. */ return 0; /* At least 8 octets of random padding */ padding = key_size - length - 3; assert(padding >= 8); TMP_GMP_ALLOC(em, key_size - 1); em[0] = 2; random(random_ctx, padding, em + 1); /* Replace 0-octets with 1 */ for (i = 0; i #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From pkcs-1v2 * * md5 OBJECT IDENTIFIER ::= * {iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5} * * The parameters part of the algorithm identifier is NULL: * * md5Identifier ::= AlgorithmIdentifier {md5, NULL} */ static const uint8_t md5_prefix[] = { /* 18 octets prefix, 16 octets hash, 34 total. */ 0x30, 32, /* SEQUENCE */ 0x30, 12, /* SEQUENCE */ 0x06, 8, /* OBJECT IDENTIFIER */ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0, /* NULL */ 0x04, 16 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_md5_encode(mpz_t m, size_t key_size, struct md5_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), md5_prefix, MD5_DIGEST_SIZE); if (p) { md5_digest(hash, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_md5_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), md5_prefix, MD5_DIGEST_SIZE); if (p) { memcpy(p, digest, MD5_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-4.0/pkcs1-rsa-sha1.c0000644000000000000000000000544215141166424012411 0ustar00/* pkcs1-rsa-sha1.c PKCS stuff for rsa-sha1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From pkcs-1v2 * * id-sha1 OBJECT IDENTIFIER ::= * {iso(1) identified-organization(3) oiw(14) secsig(3) * algorithms(2) 26} * * The default hash function is SHA-1: * sha1Identifier ::= AlgorithmIdentifier {id-sha1, NULL} */ static const uint8_t sha1_prefix[] = { /* 15 octets prefix, 20 octets hash, total 35 */ 0x30, 33, /* SEQUENCE */ 0x30, 9, /* SEQUENCE */ 0x06, 5, /* OBJECT IDENTIFIER */ 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0, /* NULL */ 0x04, 20 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_sha1_encode(mpz_t m, size_t key_size, struct sha1_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), sha1_prefix, SHA1_DIGEST_SIZE); if (p) { sha1_digest(hash, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), sha1_prefix, SHA1_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA1_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-4.0/pkcs1-rsa-sha256.c0000644000000000000000000000557315141166424012572 0ustar00/* pkcs1-rsa-sha256.c PKCS stuff for rsa-sha256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. * * id-sha256 OBJECT IDENTIFIER ::= * {joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1} */ static const uint8_t sha256_prefix[] = { /* 19 octets prefix, 32 octets hash, total 51 */ 0x30, 49, /* SEQUENCE */ 0x30, 13, /* SEQUENCE */ 0x06, 9, /* OBJECT IDENTIFIER */ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0, /* NULL */ 0x04, 32 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_sha256_encode(mpz_t m, size_t key_size, struct sha256_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), sha256_prefix, SHA256_DIGEST_SIZE); if (p) { sha256_digest(hash, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), sha256_prefix, SHA256_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA256_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-4.0/pkcs1-rsa-sha512.c0000644000000000000000000000561415141166424012561 0ustar00/* pkcs1-rsa-sha512.c PKCS stuff for rsa-sha512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. * * id-sha512 OBJECT IDENTIFIER ::= * {joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3} */ static const uint8_t sha512_prefix[] = { /* 19 octets prefix, 64 octets hash, total 83 */ 0x30, 81, /* SEQUENCE */ 0x30, 13, /* SEQUENCE */ 0x06, 9, /* OBJECT IDENTIFIER */ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0, /* NULL */ 0x04, 64 /* OCTET STRING */ /* Here comes the raw hash value, 64 octets */ }; int pkcs1_rsa_sha512_encode(mpz_t m, size_t key_size, struct sha512_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), sha512_prefix, SHA512_DIGEST_SIZE); if (p) { sha512_digest(hash, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), sha512_prefix, SHA512_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA512_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-4.0/pkcs1-sec-decrypt.c0000644000000000000000000001157015141166424013213 0ustar00/* pkcs1-sec-decrypt.c The RSA publickey algorithm. Side channel resistant PKCS#1 decryption. Copyright (C) 2001, 2012 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memops.h" #include "gmp-glue.h" #include "pkcs1-internal.h" #include "nettle-internal.h" /* Inputs are always cast to uint32_t values. But all values used in this * function should never exceed the maximum value of a uint32_t anyway. * these macros returns 1 on success, 0 on failure */ #define NOT_EQUAL(a, b) \ ((0U - ((uint32_t)(a) ^ (uint32_t)(b))) >> 31) #define EQUAL(a, b) (IS_ZERO_SMALL ((a) ^ (b))) #define GREATER_OR_EQUAL(a, b) \ (1U - (((uint32_t)(a) - (uint32_t)(b)) >> 31)) int _pkcs1_sec_decrypt (size_t length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message) { volatile int ok; size_t i, t; /* Message independent branch */ if (length + 11 > padded_message_length) return 0; t = padded_message_length - length - 1; /* Check format, padding, message_size */ ok = EQUAL(padded_message[0], 0); /* ok if padded_message[0] == 0 */ ok &= EQUAL(padded_message[1], 2); /* ok if padded_message[1] == 2 */ for (i = 2; i < t; i++) /* check padding has no zeros */ { ok &= NOT_EQUAL(padded_message[i], 0); } ok &= EQUAL(padded_message[t], 0); /* ok if terminator == 0 */ /* fill destination buffer regardless of outcome */ cnd_memcpy(ok, message, padded_message + t + 1, length); return ok; } int _pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message) { volatile int not_found = 1; volatile int ok; volatile size_t offset; size_t buflen, msglen; size_t shift, i; /* Check format, padding, message_size */ ok = EQUAL(padded_message[0], 0); ok &= EQUAL(padded_message[1], 2); /* length is discovered in a side-channel silent way. * not_found goes to 0 when the terminator is found. * offset starts at 3 as it includes the terminator and * the format bytes already */ offset = 3; for (i = 2; i < padded_message_length; i++) { not_found &= NOT_EQUAL(padded_message[i], 0); offset += not_found; } /* check if we ran out of buffer */ ok &= NOT_EQUAL(not_found, 1); /* padding must be >= 11 (2 format bytes + 8 pad bytes min. + terminator) */ ok &= GREATER_OR_EQUAL(offset, 11); /* offset can vary between 3 and padded_message_length, due to the loop * above, therefore msglen can't underflow */ msglen = padded_message_length - offset; /* we always fill the whole buffer but only up to * padded_message_length length */ buflen = *length; if (buflen > padded_message_length) { /* input independent branch */ buflen = padded_message_length; } /* if the message length is larger than the buffer we must fail */ ok &= GREATER_OR_EQUAL(buflen, msglen); /* fill destination buffer fully regardless of outcome. Copies the message * in a memory access independent way. The destination message buffer will * be clobbered past the message length. */ shift = padded_message_length - buflen; cnd_memcpy(ok, message, padded_message + shift, buflen); offset -= shift; /* In this loop, the bits of the 'offset' variable are used as shifting * conditions, starting from the least significant bit. The end result is * that the buffer is shifted left exactly 'offset' bytes. */ for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) { /* 'ok' is both a least significant bit mask and a condition */ cnd_memcpy(offset & ok, message, message + shift, buflen - shift); } /* update length only if we succeeded, otherwise leave unchanged */ *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); return ok; } nettle-4.0/pkcs1.c0000644000000000000000000000344415141166424010774 0ustar00/* pkcs1.c PKCS1 embedding. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "pkcs1.h" #include "hogweed-internal.h" /* Formats the PKCS#1 padding, of the form * * 0x00 0x01 0xff ... 0xff 0x00 id ...digest... * * where the 0xff ... 0xff part consists of at least 8 octets. The * total size equals the octet size of n. */ uint8_t * _pkcs1_signature_prefix(unsigned key_size, uint8_t *buffer, unsigned id_size, const uint8_t *id, unsigned digest_size) { unsigned j; if (key_size < 11 + id_size + digest_size) return NULL; j = key_size - digest_size - id_size; memcpy (buffer + j, id, id_size); buffer[0] = 0; buffer[1] = 1; buffer[j-1] = 0; assert(j >= 11); memset(buffer + 2, 0xff, j - 3); return buffer + j + id_size; } nettle-4.0/pkcs1.h0000644000000000000000000000576615141166424011012 0ustar00/* pkcs1.h PKCS1 embedding. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PKCS1_H_INCLUDED #define NETTLE_PKCS1_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define pkcs1_rsa_digest_encode nettle_pkcs1_rsa_digest_encode #define pkcs1_rsa_md5_encode nettle_pkcs1_rsa_md5_encode #define pkcs1_rsa_md5_encode_digest nettle_pkcs1_rsa_md5_encode_digest #define pkcs1_rsa_sha1_encode nettle_pkcs1_rsa_sha1_encode #define pkcs1_rsa_sha1_encode_digest nettle_pkcs1_rsa_sha1_encode_digest #define pkcs1_rsa_sha256_encode nettle_pkcs1_rsa_sha256_encode #define pkcs1_rsa_sha256_encode_digest nettle_pkcs1_rsa_sha256_encode_digest #define pkcs1_rsa_sha512_encode nettle_pkcs1_rsa_sha512_encode #define pkcs1_rsa_sha512_encode_digest nettle_pkcs1_rsa_sha512_encode_digest #define pkcs1_encrypt nettle_pkcs1_encrypt #define pkcs1_decrypt nettle_pkcs1_decrypt struct md5_ctx; struct sha1_ctx; struct sha256_ctx; struct sha512_ctx; int pkcs1_encrypt (size_t key_size, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t m); int pkcs1_decrypt (size_t key_size, const mpz_t m, size_t *length, uint8_t *message); int pkcs1_rsa_digest_encode(mpz_t m, size_t key_size, size_t di_length, const uint8_t *digest_info); int pkcs1_rsa_md5_encode(mpz_t m, size_t length, struct md5_ctx *hash); int pkcs1_rsa_md5_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha1_encode(mpz_t m, size_t length, struct sha1_ctx *hash); int pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha256_encode(mpz_t m, size_t length, struct sha256_ctx *hash); int pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha512_encode(mpz_t m, size_t length, struct sha512_ctx *hash); int pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t length, const uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_PKCS1_H_INCLUDED */ nettle-4.0/poly1305-aes.c0000644000000000000000000000451615141166424012016 0ustar00/* poly1305-aes.c Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "poly1305.h" #include "poly1305-internal.h" #include "macros.h" void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t * key) { aes128_set_encrypt_key(&ctx->aes, (key)); _nettle_poly1305_set_key(&ctx->pctx, (key+16)); ctx->index = 0; } void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t * nonce) { memcpy (ctx->nonce, nonce, POLY1305_AES_NONCE_SIZE); } void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_poly1305_update (&(ctx)->pctx, ctx->block, ctx->index, length, data); } void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, uint8_t *digest) { union nettle_block16 s; /* final bytes */ if (ctx->index > 0) { assert (ctx->index < POLY1305_BLOCK_SIZE); ctx->block[ctx->index] = 1; memset (ctx->block + ctx->index + 1, 0, POLY1305_BLOCK_SIZE - 1 - ctx->index); _nettle_poly1305_block (&ctx->pctx, ctx->block, 0); } aes128_encrypt(&ctx->aes, POLY1305_BLOCK_SIZE, s.b, ctx->nonce); _nettle_poly1305_digest (&ctx->pctx, &s); memcpy (digest, s.b, POLY1305_AES_DIGEST_SIZE); INCREMENT (16, ctx->nonce); ctx->index = 0; } nettle-4.0/poly1305-internal.c0000644000000000000000000001662215141166424013063 0ustar00/* poly1305-internal.c Copyright: 2012-2013 Andrew M. (floodyberry) Copyright: 2013 Nikos Mavrogiannopoulos Copyright: 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on https://github.com/floodyberry/poly1305-donna. * Modified for nettle by Nikos Mavrogiannopoulos and Niels Möller. * Original license notice: * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "poly1305.h" #include "poly1305-internal.h" #include "macros.h" #define mul32x32_64(a,b) ((uint64_t)(a) * (b)) #define r0 r.r32[0] #define r1 r.r32[1] #define r2 r.r32[2] #define r3 r.r32[3] #define r4 r.r32[4] #define s1 r.r32[5] #define s2 s32[0] #define s3 s32[1] #define s4 s32[2] #define h0 h.h32[0] #define h1 h.h32[1] #define h2 h.h32[2] #define h3 h.h32[3] #define h4 hh /* For fat builds */ #if HAVE_NATIVE_poly1305_set_key void _nettle_poly1305_set_key_c(struct poly1305_ctx *ctx, const uint8_t key[16]); # define _nettle_poly1305_set_key _nettle_poly1305_set_key_c #endif #if HAVE_NATIVE_poly1305_block void _nettle_poly1305_block_c(struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4); # define _nettle_poly1305_block _nettle_poly1305_block_c #endif #if HAVE_NATIVE_poly1305_digest void _nettle_poly1305_digest_c(struct poly1305_ctx *ctx, union nettle_block16 *s); # define _nettle_poly1305_digest _nettle_poly1305_digest_c #endif void _nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) { uint32_t t0,t1,t2,t3; t0 = LE_READ_UINT32(key); t1 = LE_READ_UINT32(key+4); t2 = LE_READ_UINT32(key+8); t3 = LE_READ_UINT32(key+12); ctx->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6; ctx->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12; ctx->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18; ctx->r3 = t2 & 0x3f03fff; t3 >>= 8; ctx->r4 = t3 & 0x00fffff; ctx->s1 = ctx->r1 * 5; ctx->s2 = ctx->r2 * 5; ctx->s3 = ctx->r3 * 5; ctx->s4 = ctx->r4 * 5; ctx->h0 = 0; ctx->h1 = 0; ctx->h2 = 0; ctx->h3 = 0; ctx->h4 = 0; } void _nettle_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4) { uint32_t t0,t1,t2,t3; uint32_t b; uint64_t t[5]; uint64_t c; t0 = LE_READ_UINT32(m); t1 = LE_READ_UINT32(m+4); t2 = LE_READ_UINT32(m+8); t3 = LE_READ_UINT32(m+12); ctx->h0 += t0 & 0x3ffffff; ctx->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; ctx->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff; ctx->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; ctx->h4 += (t3 >> 8) | ((uint32_t) t4 << 24); /* poly1305_donna_mul: */ t[0] = mul32x32_64(ctx->h0,ctx->r0) + mul32x32_64(ctx->h1,ctx->s4) + mul32x32_64(ctx->h2,ctx->s3) + mul32x32_64(ctx->h3,ctx->s2) + mul32x32_64(ctx->h4,ctx->s1); t[1] = mul32x32_64(ctx->h0,ctx->r1) + mul32x32_64(ctx->h1,ctx->r0) + mul32x32_64(ctx->h2,ctx->s4) + mul32x32_64(ctx->h3,ctx->s3) + mul32x32_64(ctx->h4,ctx->s2); t[2] = mul32x32_64(ctx->h0,ctx->r2) + mul32x32_64(ctx->h1,ctx->r1) + mul32x32_64(ctx->h2,ctx->r0) + mul32x32_64(ctx->h3,ctx->s4) + mul32x32_64(ctx->h4,ctx->s3); t[3] = mul32x32_64(ctx->h0,ctx->r3) + mul32x32_64(ctx->h1,ctx->r2) + mul32x32_64(ctx->h2,ctx->r1) + mul32x32_64(ctx->h3,ctx->r0) + mul32x32_64(ctx->h4,ctx->s4); t[4] = mul32x32_64(ctx->h0,ctx->r4) + mul32x32_64(ctx->h1,ctx->r3) + mul32x32_64(ctx->h2,ctx->r2) + mul32x32_64(ctx->h3,ctx->r1) + mul32x32_64(ctx->h4,ctx->r0); ctx->h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26); t[1] += c; ctx->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26); t[2] += b; ctx->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26); t[3] += b; ctx->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26); t[4] += b; ctx->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26); ctx->h0 += b * 5; } /* Adds digest to the nonce */ void _nettle_poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) { uint32_t b, nb; uint64_t f0,f1,f2,f3; uint32_t g0,g1,g2,g3,g4; b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; ctx->h1 += b; b = ctx->h1 >> 26; ctx->h1 = ctx->h1 & 0x3ffffff; ctx->h2 += b; b = ctx->h2 >> 26; ctx->h2 = ctx->h2 & 0x3ffffff; ctx->h3 += b; b = ctx->h3 >> 26; ctx->h3 = ctx->h3 & 0x3ffffff; ctx->h4 += b; b = ctx->h4 >> 26; ctx->h4 = ctx->h4 & 0x3ffffff; ctx->h0 += b * 5; b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; ctx->h1 += b; g0 = ctx->h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff; g1 = ctx->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff; g2 = ctx->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff; g3 = ctx->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff; g4 = ctx->h4 + b - (1 << 26); b = (g4 >> 31) - 1; nb = ~b; ctx->h0 = (ctx->h0 & nb) | (g0 & b); ctx->h1 = (ctx->h1 & nb) | (g1 & b); ctx->h2 = (ctx->h2 & nb) | (g2 & b); ctx->h3 = (ctx->h3 & nb) | (g3 & b); ctx->h4 = (ctx->h4 & nb) | (g4 & b); /* FIXME: Take advantage of s being aligned as an unsigned long. */ f0 = ((ctx->h0 )|(ctx->h1<<26)) + (uint64_t)LE_READ_UINT32(s->b); f1 = ((ctx->h1>> 6)|(ctx->h2<<20)) + (uint64_t)LE_READ_UINT32(s->b+4); f2 = ((ctx->h2>>12)|(ctx->h3<<14)) + (uint64_t)LE_READ_UINT32(s->b+8); f3 = ((ctx->h3>>18)|(ctx->h4<< 8)) + (uint64_t)LE_READ_UINT32(s->b+12); LE_WRITE_UINT32(s->b, f0); f1 += (f0 >> 32); LE_WRITE_UINT32(s->b+4, f1); f2 += (f1 >> 32); LE_WRITE_UINT32(s->b+8, f2); f3 += (f2 >> 32); LE_WRITE_UINT32(s->b+12, f3); ctx->h0 = 0; ctx->h1 = 0; ctx->h2 = 0; ctx->h3 = 0; ctx->h4 = 0; } nettle-4.0/poly1305-internal.h0000644000000000000000000000435515141166424013070 0ustar00/* poly1305-internal.h Poly1305 message authentication code. Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_POLY1305_INTERNAL_H_INCLUDED #define NETTLE_POLY1305_INTERNAL_H_INCLUDED #include "poly1305.h" #ifdef __cplusplus extern "C" { #endif /* Low level functions/macros for the poly1305 construction. */ #define POLY1305_DIGEST_SIZE 16 #define POLY1305_KEY_SIZE 16 /* Low-level internal interface. */ void _nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); /* Extracts digest, and adds it to s, the encrypted nonce. */ void _nettle_poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s); /* Process one block. */ void _nettle_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned high); /* Updates CTX by hashing M, which must be an integral number of blocks. For convenience, returns a pointer to the end of the data. Implies 128 set on all input blocks. */ const uint8_t * _nettle_poly1305_blocks (struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m); unsigned _nettle_poly1305_update (struct poly1305_ctx *ctx, uint8_t *buffer, unsigned index, size_t length, const uint8_t *m); #ifdef __cplusplus } #endif #endif /* NETTLE_POLY1305_INTERNAL_H_INCLUDED */ nettle-4.0/poly1305-update.c0000644000000000000000000000422115141166424012521 0ustar00/* poly1305-update.c Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "poly1305.h" #include "poly1305-internal.h" #include "md-internal.h" #if HAVE_NATIVE_fat_poly1305_blocks const uint8_t * _nettle_poly1305_blocks_c(struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m); const uint8_t * _nettle_poly1305_blocks_c(struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m) { for (; blocks; blocks--, m += POLY1305_BLOCK_SIZE) _nettle_poly1305_block(ctx, m, 1); return m; } #endif unsigned _nettle_poly1305_update (struct poly1305_ctx *ctx, uint8_t *block, unsigned index, size_t length, const uint8_t *m) { if (!length) return index; if (index > 0) { /* Try to fill partial block */ MD_FILL_OR_RETURN_INDEX (POLY1305_BLOCK_SIZE, block, index, length, m); _nettle_poly1305_block(ctx, block, 1); } #if HAVE_NATIVE_poly1305_blocks m = _nettle_poly1305_blocks (ctx, length >> 4, m); length &= 15; #else for (; length >= POLY1305_BLOCK_SIZE; length -= POLY1305_BLOCK_SIZE, m += POLY1305_BLOCK_SIZE) _nettle_poly1305_block (ctx, m, 1); #endif memcpy (block, m, length); return length; } nettle-4.0/poly1305.h0000644000000000000000000000601315141166424011247 0ustar00/* poly1305.h Poly1305 message authentication code. Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_POLY1305_H_INCLUDED #define NETTLE_POLY1305_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define poly1305_aes_set_key nettle_poly1305_aes_set_key #define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce #define poly1305_aes_update nettle_poly1305_aes_update #define poly1305_aes_digest nettle_poly1305_aes_digest /* Low level functions/macros for the poly1305 construction. */ #define POLY1305_BLOCK_SIZE 16 struct poly1305_ctx { /* Key, 128-bit value and some cached multiples. */ union { uint32_t r32[6]; uint64_t r64[3]; } r; uint32_t s32[3]; /* State, represented as words of 26, 32 or 64 bits, depending on implementation. */ /* High bits first, to maintain alignment. */ uint32_t hh; union { uint32_t h32[4]; uint64_t h64[2]; } h; }; /* poly1305-aes */ #define POLY1305_AES_KEY_SIZE 32 #define POLY1305_AES_DIGEST_SIZE 16 #define POLY1305_AES_NONCE_SIZE 16 struct poly1305_aes_ctx { /* Keep aes context last, to make it possible to use a general poly1305_update if other variants are added. */ struct poly1305_ctx pctx; uint8_t block[POLY1305_BLOCK_SIZE]; unsigned index; uint8_t nonce[POLY1305_BLOCK_SIZE]; struct aes128_ctx aes; }; /* Also initialize the nonce to zero. */ void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key); /* Optional, if not used, messages get incrementing nonces starting from zero. */ void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t *nonce); /* Update is not aes-specific, but since this is the only implemented variant, we need no more general poly1305_update. */ void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data); /* Also increments the nonce */ void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_POLY1305_H_INCLUDED */ nettle-4.0/powerpc64/0000755000000000000000000000000015141166425011434 5ustar00nettle-4.0/powerpc64/README0000644000000000000000000001043415141166425012316 0ustar00General-Purpose Register Conventions Register Status Use GPR0 volatile In function prologs. GPR1 dedicated Stack pointer. GPR2 dedicated Table of Contents (TOC) pointer. GPR3 volatile First word of a function's argument list; first word of a scalar function return. GPR4 volatile Second word of a function's argument list; second word of a scalar function return. GPR5 volatile Third word of a function's argument list. GPR6 volatile Fourth word of a function's argument list. GPR7 volatile Fifth word of a function's argument list. GPR8 volatile Sixth word of a function's argument list. GPR9 volatile Seventh word of a function's argument list. GPR10 volatile Eighth word of a function's argument list. GPR11 volatile In calls by pointer and as an environment pointer for languages that require it (for example, PASCAL). GPR12 volatile For special exception handling required by certain languages and in glink code. GPR13 reserved Reserved under 64-bit environment; not restored across system calls. GPR14:GPR31 nonvolatile These registers must be preserved across a function call. These registers are named rX in the assembly files. Vector Register Conventions Register Status VR0:V19 Volatile VR20:VR31 Nonvolatile (extended ABI mode) their values are preserved across function calls These registers are named vX in the assembly files. Float/VSR Register Conventions FPR0:FPR13 Volatile FPR14:FPR31 Nonvolatile These registers are named fX in the assembly files, but aren't currently used by Nettle. For ISA 2.06 and later, floating point registers are mapped to the upper halves of the VSR registers. Then the corresponding VSR registers (named vsX in the assembly files) are volatile and non-volatile. (Formally, the lower halves of VSR14:VSR31 are volatile, but that is not so useful). Addressing memory There are many ways to reference data, to maintain support of position-independent code the current implementations use GOT-indirect addressing (Accessing data through the global offset table): 1. Define data in .data section 2. Load the address of data into register from the global offset table Use 32-bit offset (medium or large code model) to get maximum addressing reach of 4 GB e.g. addis r7, r2, my_var@got@ha ld r7, my_var@got@l(r7) 3. Use the address to load the value of data into register e.g. ld r3, 0(r7) Refer to [2] for more information about referencing data VSX instructions "lxvd2x/stxvd2x" are used to load and store data to memory instead of VR instructions "lvx/stvx" as it produces a fewer instructions "lvx/stvx" can be used to load/store data into storage operands but additional instructions are needed to access unaligned storage operands, refer to "6.4.1 Accessing Unaligned Storage Operands" in [3] to see an example of accessing unaligned storage operands. "lxvd2x/stxvd2x" can be used to load/store data into unaligned storage operands but permuting is needed for loading and storing data in little-endian mode VSX registers are defined with "X" suffix Function Prologue Big-endian systems usually support only ELFv1 ABI which requires the following steps in the function prologue: 1. Write the "official procedure descriptor" in ".opd","aw" section 2. Write procedure description for .my_func in my_func label 3. Switch back to ".text" section for program code 4. Label the beginning of the code .my_func Refer to [1] for more information Little-endian systems are compatible with ELFv2 ABI, an example of function prologue for ELFv2 ABI can be seen in [2] Stack There's a 288 byte "protected zone" below the stack pointer, that can be used for storage (obviously "volatile": not preserved if calling other functions). Both ELFv1 [4] and ELFv2 [3] ABIs are the same in this respect. Instruction variants: PowerPC 970 aka G5 supports ISA v2.01 Power5 supports ISA v2.02 Power6 supports ISA v2.05 Power7 (p7 subdirectory) supports ISA v2.06 Power8 (v8 subdirectory) supports ISA v2.07 Power9 (p9 subdirectory) supports ISA v3.0 Power10 (p10 subdirectory) supports ISA v3.1 [1] http://www.ibm.com/developerworks/linux/library/l-powasm1.html [2] https://openpowerfoundation.org/?resource_lib=64-bit-elf-v2-abi-specification-power-architecture [3] https://openpowerfoundation.org/specifications/64bitelfabi/ [4] https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#STACK nettle-4.0/powerpc64/ecc-curve25519-modp.asm0000644000000000000000000000437715141166425015370 0ustar00C powerpc64/ecc-curve25519-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke & Alastair D´Silva, IBM Corporation Based on x86_64/ecc-curve25519-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve25519-modp.asm" define(`RP', `r4') define(`XP', `r5') define(`U0', `r6') define(`U1', `r7') define(`U2', `r8') define(`U3', `r9') define(`T0', `r10') define(`T1', `r11') define(`M', `r12') define(`UN', r3) C Overlaps unused modulo input C void ecc_curve25519_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_curve25519_modp) C First fold the limbs affecting bit 255 ld UN, 56(XP) li M, 38 mulhdu T1, M, UN mulld UN, M, UN ld U3, 24(XP) li T0, 0 addc U3, UN, U3 adde T0, T1, T0 ld UN, 40(XP) mulhdu U2, M, UN mulld UN, M, UN addc U3, U3, U3 adde T0, T0, T0 srdi U3, U3, 1 C Undo shift, clear high bit C Fold the high limb again, together with RP[5] li T1, 19 mulld T0, T1, T0 ld U0, 0(XP) ld U1, 8(XP) ld T1, 16(XP) addc U0, T0, U0 adde U1, UN, U1 ld T0, 32(XP) adde U2, U2, T1 addze U3, U3 mulhdu T1, M, T0 mulld T0, M, T0 addc U0, T0, U0 adde U1, T1, U1 std U0, 0(RP) std U1, 8(RP) ld T0, 48(XP) mulhdu T1, M, T0 mulld UN, M, T0 adde U2, UN, U2 adde U3, T1, U3 std U2, 16(RP) std U3, 24(RP) blr EPILOGUE(_nettle_ecc_curve25519_modp) nettle-4.0/powerpc64/ecc-curve448-modp.asm0000644000000000000000000000650215141166425015212 0ustar00C powerpc/ecc-curve448-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke & Amitay Isaacs, IBM Corporation Based on x86_64/ecc-curve448-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve448-modp.asm" define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`X0', `r3') define(`X1', `r9') define(`X2', `r10') define(`X3', `r11') define(`X4', `r12') define(`X5', `r14') define(`X6', `r15') define(`X7', `r16') define(`T0', `r6') define(`T1', `r7') define(`T2', `r8') define(`TT', `r17') define(`LO', `TT') C Overlap C void ecc_curve448_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_curve448_modp) std r14, -32(SP) std r15, -24(SP) std r16, -16(SP) std r17, -8(SP) C First load the values to be shifted by 32. ld T0, 88(XP) C use for X0, X1 ld T1, 96(XP) C use for X2 ld T2, 104(XP) C use for X3 ld X4, 56(XP) ld X5, 64(XP) ld X6, 72(XP) ld X7, 80(XP) C Multiply by 2^32 sldi X0, T0, 32 srdi LO, T0, 32 sldi X1, T1, 32 or X1, X1, LO srdi LO, T1, 32 sldi X2, T2, 32 or X2, X2, LO srdi LO, T2, 32 sldi X3, X4, 32 or X3, X3, LO srdi LO, X4, 32 sldi X4, X5, 32 or X4, X4, LO srdi LO, X5, 32 sldi X5, X6, 32 or X5, X5, LO srdi LO, X6, 32 sldi X6, X7, 32 or X6, X6, LO srdi X7, X7, 32 C Multiply by 2 addc T0, T0, T0 adde T1, T1, T1 adde T2, T2, T2 addze X7, X7 C Main additions ld TT, 56(XP) addc X0, TT, X0 ld TT, 64(XP) adde X1, TT, X1 ld TT, 72(XP) adde X2, TT, X2 ld TT, 80(XP) adde X3, TT, X3 adde X4, T0, X4 adde X5, T1, X5 adde X6, T2, X6 addze X7, X7 ld T0, 0(XP) addc X0, T0, X0 ld T1, 8(XP) adde X1, T1, X1 ld T2, 16(XP) adde X2, T2, X2 ld TT, 24(XP) adde X3, TT, X3 ld T0, 32(XP) adde X4, T0, X4 ld T1, 40(XP) adde X5, T1, X5 ld T2, 48(XP) adde X6, T2, X6 addze X7, X7 C X7 wraparound sldi T0, X7, 32 srdi T1, X7, 32 li T2, 0 addc X0, X7, X0 addze X1, X1 addze X2, X2 adde X3, T0, X3 adde X4, T1, X4 addze X5, X5 addze X6, X6 addze T2, T2 C Final carry wraparound. Carry T2 > 0 only if C X6 is zero, so carry is absorbed. sldi T0, T2, 32 addc X0, T2, X0 addze X1, X1 addze X2, X2 adde X3, T0, X3 addze X4, X4 addze X5, X5 addze X6, X6 std X0, 0(RP) std X1, 8(RP) std X2, 16(RP) std X3, 24(RP) std X4, 32(RP) std X5, 40(RP) std X6, 48(RP) ld r14, -32(SP) ld r15, -24(SP) ld r16, -16(SP) ld r17, -8(SP) blr EPILOGUE(_nettle_ecc_curve448_modp) nettle-4.0/powerpc64/ecc-secp192r1-modp.asm0000644000000000000000000000353315141166425015260 0ustar00C powerpc64/ecc-secp192r1-modp.asm ifelse(` Copyright (C) 2021 Amitay Isaacs, IBM Corporation This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp192r1-modp.asm" define(`RP', `r4') define(`XP', `r5') define(`T0', `r6') define(`T1', `r7') define(`T2', `r8') define(`T3', `r9') define(`C1', `r10') define(`C2', `r11') C void ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp192r1_modp) ld T0, 0(XP) ld T1, 8(XP) ld T2, 16(XP) li C1, 0 li C2, 0 ld T3, 24(XP) addc T0, T3, T0 adde T1, T3, T1 addze T2, T2 addze C1, C1 ld T3, 32(XP) addc T1, T3, T1 adde T2, T3, T2 addze C1, C1 ld T3, 40(XP) addc T0, T3, T0 adde T1, T3, T1 adde T2, T3, T2 addze C1, C1 addc T0, C1, T0 adde T1, C1, T1 addze T2, T2 addze C2, C2 addc T0, C2, T0 adde T1, C2, T1 addze T2, T2 std T0, 0(RP) std T1, 8(RP) std T2, 16(RP) blr EPILOGUE(_nettle_ecc_secp192r1_modp) nettle-4.0/powerpc64/ecc-secp224r1-modp.asm0000644000000000000000000000471515141166425015257 0ustar00C powerpc64/ecc-secp224r1-modp.asm ifelse(` Copyright (C) 2021 Amitay Isaacs, IBM Corporation Based on x86_64/ecc-secp224r1-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp224r1-modp.asm" define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`T0', `r6') define(`T1', `r7') define(`H0', `r8') define(`H1', `r9') define(`H2', `r10') define(`F0', `r11') define(`F1', `r12') define(`F2', `r14') define(`T2', `r3') C void ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp224r1_modp) std r14, -8(SP) ld H0, 48(XP) ld H1, 56(XP) C set (F2, F1, F0) <-- (H1, H0) << 32 sldi F0, H0, 32 srdi F1, H0, 32 sldi T0, H1, 32 srdi F2, H1, 32 or F1, T0, F1 li H2, 0 ld T0, 16(XP) ld T1, 24(XP) subfc T0, F0, T0 subfe T1, F1, T1 subfe H0, F2, H0 addme H1, H1 ld T2, 32(XP) addc H0, T2, H0 ld T2, 40(XP) adde H1, T2, H1 addze H2, H2 C Set (F2, F1, F0) <-- (H2, H1, H0) << 32 sldi F0, H0, 32 srdi F1, H0, 32 addc H0, T0, H0 sldi T0, H1, 32 srdi F2, H1, 32 adde H1, T1, H1 sldi T1, H2, 32 addze H2, H2 or F1, T0, F1 or F2, T1, F2 ld T0, 0(XP) ld T1, 8(XP) subfc T0, F0, T0 subfe T1, F1, T1 subfe H0, F2, H0 addme H1, H1 addme H2, H2 srdi F0, H1, 32 sldi F1, H2, 32 or F0, F1, F0 clrrdi F1, H1, 32 mr F2, H2 clrldi H1, H1, 32 subfc T0, F0, T0 addme F1, F1 addme F2, F2 addc T1, F1, T1 adde H0, F2, H0 addze H1, H1 std T0, 0(RP) std T1, 8(RP) std H0, 16(RP) std H1, 24(RP) ld r14, -8(SP) blr EPILOGUE(_nettle_ecc_secp224r1_modp) nettle-4.0/powerpc64/ecc-secp256r1-redc.asm0000644000000000000000000000517715141166425015245 0ustar00C powerpc64/ecc-secp256r1-redc.asm ifelse(` Copyright (C) 2021 Amitay Isaacs & Martin Schwenke, IBM Corporation Based on x86_64/ecc-secp256r1-redc.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`RP', `r4') define(`XP', `r5') define(`F0', `r3') define(`F1', `r6') define(`F2', `r7') define(`T', `r8') define(`U0', `r9') define(`U1', `r10') define(`U2', `r11') define(`U3', `r12') .file "ecc-secp256r1-redc.asm" C FOLD(x), sets (x,F2,F1,F0) <-- [(x << 192) - (x << 160) + (x << 128) + (x <<32)] define(`FOLD', ` sldi F0, $1, 32 srdi F1, $1, 32 subfc F2, F0, $1 subfe $1, F1, $1 ') C FOLDC(x), sets (x,F2,F1,F0) <-- [((x+c) << 192) - (x << 160) + (x << 128) + (x <<32)] define(`FOLDC', ` sldi F0, $1, 32 srdi F1, $1, 32 addze T, $1 subfc F2, F0, $1 subfe $1, F1, T ') C void ecc_secp256r1_redc (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp256r1_redc) ld U0, 0(XP) ld U1, 8(XP) ld U2, 16(XP) ld U3, 24(XP) FOLD(U0) ld T, 32(XP) addc U1, F0, U1 adde U2, F1, U2 adde U3, F2, U3 adde U0, U0, T FOLDC(U1) ld T, 40(XP) addc U2, F0, U2 adde U3, F1, U3 adde U0, F2, U0 adde U1, U1, T FOLDC(U2) ld T, 48(XP) addc U3, F0, U3 adde U0, F1, U0 adde U1, F2, U1 adde U2, U2, T FOLDC(U3) ld T, 56(XP) addc U0, F0, U0 adde U1, F1, U1 adde U2, F2, U2 adde U3, U3, T C If carry, we need to add in C 2^256 - p = <0xfffffffe, 0xff..ff, 0xffffffff00000000, 1> li F0, 0 addze F0, F0 neg F2, F0 sldi F1, F2, 32 srdi T, F2, 32 li XP, -2 and T, T, XP addc U0, F0, U0 adde U1, F1, U1 adde U2, F2, U2 adde U3, T, U3 std U0, 0(RP) std U1, 8(RP) std U2, 16(RP) std U3, 24(RP) blr EPILOGUE(_nettle_ecc_secp256r1_redc) nettle-4.0/powerpc64/ecc-secp384r1-modp.asm0000644000000000000000000001045715141166425015266 0ustar00C powerpc64/ecc-secp384r1-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke, Amitay Isaacs & Alastair D´Silva, IBM Corporation Based on x86_64/ecc-secp256r1-redc.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp384r1-modp.asm" C Register usage: define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`D5', `r6') define(`T0', `r7') define(`T1', `r8') define(`T2', `r9') define(`T3', `r10') define(`T4', `r11') define(`T5', `r12') define(`H0', `r14') define(`H1', `r15') define(`H2', `r16') define(`H3', `r17') define(`H4', `r18') define(`H5', `r19') define(`C2', `r3') define(`C0', H5) C Overlap define(`TMP', XP) C Overlap C void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp384r1_modp) std r14, -48(SP) std r15, -40(SP) std r16, -32(SP) std r17, -24(SP) std r18, -16(SP) std r19, -8(SP) C First get top 2 limbs, which need folding twice. C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. C We handle the terms as follow: C C B^6: Folded immediatly. C C B^4: Delayed, added in in the next folding. C C 2^32(B-1) B^4: Low half limb delayed until the next C folding. Top 1.5 limbs subtracted and shifter now, resulting C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added C in. ld H4, 80(XP) ld H5, 88(XP) C Shift right 32 bits, into H1, H0 srdi H1, H5, 32 sldi D5, H5, 32 srdi H0, H4, 32 or H0, H0, D5 C H1 H0 C - H1 H0 C -------- C H1 H0 D5 subfic D5, H0, 0 subfe H0, H1, H0 addme H1, H1 li C2, 0 addc H0, H4, H0 adde H1, H5, H1 addze C2, C2 C Add in to high part ld T1, 48(XP) ld T2, 56(XP) addc H0, T1, H0 adde H1, T2, H1 addze C2, C2 C Do C2 later C +1 term ld T0, 0(XP) ld T1, 8(XP) ld T2, 16(XP) ld T3, 24(XP) ld T4, 32(XP) ld T5, 40(XP) ld H2, 64(XP) ld H3, 72(XP) addc T0, H0, T0 adde T1, H1, T1 adde T2, H2, T2 adde T3, H3, T3 adde T4, H4, T4 adde T5, H5, T5 li C0, 0 addze C0, C0 C +B^2 term addc T2, H0, T2 adde T3, H1, T3 adde T4, H2, T4 adde T5, H3, T5 addze C0, C0 C Shift left, including low half of H4 sldi H4, H4, 32 srdi TMP, H3, 32 or H4, TMP, H4 sldi H3, H3, 32 srdi TMP, H2, 32 or H3, TMP, H3 sldi H2, H2, 32 srdi TMP, H1, 32 or H2, TMP, H2 sldi H1, H1, 32 srdi TMP, H0, 32 or H1, TMP, H1 sldi H0, H0, 32 C H4 H3 H2 H1 H0 0 C - H4 H3 H2 H1 H0 C --------------- C H4 H3 H2 H1 H0 TMP subfic TMP, H0, 0 subfe H0, H1, H0 subfe H1, H2, H1 subfe H2, H3, H2 subfe H3, H4, H3 addme H4, H4 addc T0, TMP, T0 adde T1, H0, T1 adde T2, H1, T2 adde T3, H2, T3 adde T4, H3, T4 adde T5, H4, T5 addze C0, C0 C Remains to add in C2 and C0 C Set H1, H0 = (2^96 - 2^32 + 1) C0 sldi H1, C0, 32 subfc H0, H1, C0 addme H1, H1 C Set H3, H2 = (2^96 - 2^32 + 1) C2 sldi H3, C2, 32 subfc H2, H3, C2 addme H3, H3 addc H2, C0, H2 li C0, 0 addc T0, H0, T0 adde T1, H1, T1 adde T2, H2, T2 adde T3, H3, T3 adde T4, C2, T4 adde T5, D5, T5 C Value delayed from initial folding addze C0, C0 C Final unlikely carry sldi H1, C0, 32 subfc H0, H1, C0 addme H1, H1 addc T0, H0, T0 adde T1, H1, T1 adde T2, C0, T2 addze T3, T3 addze T4, T4 addze T5, T5 std T0, 0(RP) std T1, 8(RP) std T2, 16(RP) std T3, 24(RP) std T4, 32(RP) std T5, 40(RP) ld r14, -48(SP) ld r15, -40(SP) ld r16, -32(SP) ld r17, -24(SP) ld r18, -16(SP) ld r19, -8(SP) blr EPILOGUE(_nettle_ecc_secp384r1_modp) nettle-4.0/powerpc64/ecc-secp521r1-modp.asm0000644000000000000000000000613115141166425015251 0ustar00C powerpc64/ecc-secp521r1-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke & Alastair D´Silva, IBM Corporation Based on x86_64/ecc-secp521r1-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp521r1-modp.asm" define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`U0', `r6') define(`U1', `r7') define(`U2', `r8') define(`U3', `r9') define(`U4', `r10') define(`U5', `r11') define(`U6', `r12') define(`U7', `r14') define(`U8', `r15') define(`U9', `r16') define(`T0', `r3') define(`T1', `r17') C void ecc_secp521r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp521r1_modp) std r14, -32(SP) std r15, -24(SP) std r16, -16(SP) std r17, -8(SP) C Read top 17 limbs, shift left 55 bits ld U1, 72(XP) sldi U0, U1, 55 srdi U1, U1, 9 ld T0, 80(XP) srdi U2, T0, 9 sldi T0, T0, 55 or U1, T0, U1 ld T0, 88(XP) srdi U3, T0, 9 sldi T0, T0, 55 or U2, T0, U2 ld T0, 96(XP) srdi U4, T0, 9 sldi T0, T0, 55 or U3, T0, U3 ld T0, 104(XP) srdi U5, T0, 9 sldi T0, T0, 55 or U4, T0, U4 ld T0, 112(XP) srdi U6, T0, 9 sldi T0, T0, 55 or U5, T0, U5 ld T0, 120(XP) srdi U7, T0, 9 sldi T0, T0, 55 or U6, T0, U6 ld T0, 128(XP) srdi U8, T0, 9 sldi T0, T0, 55 or U7, T0, U7 ld T0, 136(XP) srdi U9, T0, 9 sldi T0, T0, 55 or U8, T0, U8 ld T0, 0(XP) ld T1, 8(XP) addc U0, T0, U0 adde U1, T1, U1 ld T0, 16(XP) ld T1, 24(XP) adde U2, T0, U2 adde U3, T1, U3 ld T0, 32(XP) ld T1, 40(XP) adde U4, T0, U4 adde U5, T1, U5 ld T0, 48(XP) ld T1, 56(XP) adde U6, T0, U6 adde U7, T1, U7 ld T0, 64(XP) adde U8, T0, U8 addze U9, U9 C Top limbs are . Keep low 9 bits of 8, and fold the C top bits (at most 65 bits). srdi T0, U8, 9 andi. U8, U8, 0x1ff srdi T1, U9, 9 sldi U9, U9, 55 or T0, U9, T0 addc U0, T0, U0 adde U1, T1, U1 addze U2, U2 addze U3, U3 addze U4, U4 addze U5, U5 addze U6, U6 addze U7, U7 addze U8, U8 std U0, 0(RP) std U1, 8(RP) std U2, 16(RP) std U3, 24(RP) std U4, 32(RP) std U5, 40(RP) std U6, 48(RP) std U7, 56(RP) std U8, 64(RP) ld r14, -32(SP) ld r15, -24(SP) ld r16, -16(SP) ld r17, -8(SP) blr EPILOGUE(_nettle_ecc_secp521r1_modp) nettle-4.0/powerpc64/fat/0000755000000000000000000000000015141166425012206 5ustar00nettle-4.0/powerpc64/fat/aes-decrypt-internal-2.asm0000644000000000000000000000226315141166425017104 0ustar00C powerpc64/fat/aes-decrypt-internal-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_aes_decrypt) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/aes-decrypt-internal.asm') nettle-4.0/powerpc64/fat/aes-encrypt-internal-2.asm0000644000000000000000000000226315141166425017116 0ustar00C powerpc64/fat/aes-encrypt-internal-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_aes_encrypt) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/aes-encrypt-internal.asm') nettle-4.0/powerpc64/fat/aes-invert-internal-2.asm0000644000000000000000000000226015141166425016736 0ustar00C powerpc64/fat/aes-invert-internal-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_aes_invert) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/aes-invert-internal.asm') nettle-4.0/powerpc64/fat/chacha-2core.asm0000644000000000000000000000220215141166425015123 0ustar00C powerpc64/fat/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_2core) picked up by configure include_src(`powerpc64/p7/chacha-2core.asm') nettle-4.0/powerpc64/fat/chacha-4core.asm0000644000000000000000000000220215141166425015125 0ustar00C powerpc64/fat/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_4core) picked up by configure include_src(`powerpc64/p7/chacha-4core.asm') nettle-4.0/powerpc64/fat/chacha-core-internal-2.asm0000644000000000000000000000226515141166425017023 0ustar00C powerpc64/fat/chacha-core-internal-2.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_chacha_core) picked up by configure define(`fat_transform', `$1_altivec') include_src(`powerpc64/p7/chacha-core-internal.asm') nettle-4.0/powerpc64/fat/gcm-aes-decrypt-2.asm0000644000000000000000000000221315141166425016031 0ustar00C powerpc64/fat/gcm-aes-decrypt-2.asm ifelse(` This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_gcm_aes_decrypt) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/gcm-aes-decrypt.asm') nettle-4.0/powerpc64/fat/gcm-aes-encrypt-2.asm0000644000000000000000000000221315141166425016043 0ustar00C powerpc64/fat/gcm-aes-encrypt-2.asm ifelse(` This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_gcm_aes_encrypt) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/gcm-aes-encrypt.asm') nettle-4.0/powerpc64/fat/ghash-set-key-2.asm0000644000000000000000000000225215141166425015521 0ustar00C powerpc64/fat/ghash-set-key-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/ghash-set-key.asm') nettle-4.0/powerpc64/fat/ghash-update-2.asm0000644000000000000000000000224715141166425015426 0ustar00C powerpc64/fat/ghash-update-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/ghash-update.asm') nettle-4.0/powerpc64/fat/poly1305-blocks.asm0000644000000000000000000000233015141166425015455 0ustar00C powerpc64/fat/poly1305-blocks.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_poly1305_blocks) dnl PROLOGUE(_nettle_fat_poly1305_blocks) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p9/poly1305-blocks.asm') nettle-4.0/powerpc64/fat/poly1305-internal-2.asm0000644000000000000000000000240015141166425016151 0ustar00C powerpc64/fat/poly1305-internal-2.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_poly1305_set_key) dnl PROLOGUE(_nettle_poly1305_block) dnl PROLOGUE(_nettle_poly1305_digest) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p9/poly1305-internal.asm') nettle-4.0/powerpc64/fat/sha256-compress-n-2.asm0000644000000000000000000000230215141166425016140 0ustar00C powerpc64/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2024 Eric Richter, IBM Corporation This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/sha256-compress-n.asm') nettle-4.0/powerpc64/machine.m40000644000000000000000000000467415141166425013315 0ustar00define(`PROLOGUE', `.globl C_NAME($1) DECLARE_FUNC(C_NAME($1)) ifelse(ELFV2_ABI,yes, `ifdef(`FUNC_ALIGN',`.align FUNC_ALIGN') C_NAME($1): addis 2,12,(.TOC.-C_NAME($1))@ha addi 2,2,(.TOC.-C_NAME($1))@l .localentry C_NAME($1), .-C_NAME($1)', `.section ".opd","aw" .align 3 C_NAME($1): .quad .C_NAME($1),.TOC.@tocbase,0 .previous ifdef(`FUNC_ALIGN',`.align FUNC_ALIGN') .C_NAME($1):') undefine(`FUNC_ALIGN')') define(`EPILOGUE', `ifelse(ELFV2_ABI,yes, `.size C_NAME($1), . - C_NAME($1)', `.size .C_NAME($1), . - .C_NAME($1) .size C_NAME($1), . - .C_NAME($1)')') C Get vector-scalar register from vector register C VSR(VR) define(`VSR',`ifelse(substr($1,0,1),`v', ``vs'eval(32+substr($1,1,len($1)))', `eval(32+$1)')') C Load the quadword in DATA_SRC storage into C VEC_DST. GPR is general-purpose register C used to obtain the effective address of C DATA_SRC storage. C DATA_LOAD_VEC(VEC_DST, DATA_SRC, GPR) define(`DATA_LOAD_VEC', `addis $3,r2,$2@got@ha ld $3,$2@got@l($3) lvx $1,0,$3') dnl Usage: r0 ... r31, cr0 ... cr7 dnl dnl Registers names, either left as "r0" etc or mapped to plain 0 etc, dnl according to the result of the ASM_PPC_WANT_R_REGISTERS configure dnl test. ifelse(ASM_PPC_WANT_R_REGISTERS,no,` forloop(i,0,31,`deflit(`r'i,i)') forloop(i,0,31,`deflit(`v'i,i)') forloop(i,0,63,`deflit(`vs'i,i)') forloop(i,0,31,`deflit(`f'i,i)') forloop(i,0,7, `deflit(`cr'i,i)') ') C Increase index of general-purpose register by specific value C INC_GPR(GPR, INC) define(`INC_GPR',`ifelse(substr($1,0,1),`r', ``r'eval($2+substr($1,1,len($1)))', `eval($2+$1)')') C Increase index of vector register by specific value C INC_VR(VR, INC) define(`INC_VR',`ifelse(substr($1,0,1),`v', ``v'eval($2+substr($1,1,len($1)))', `eval($2+$1)')') C Apply op x, x, y, for each x. C OPN_XXY(OP, Y, X1, X2, ...) define(`OPN_XXY', `$1 $3, $3, $2 ifelse(eval($# > 3), 1, `OPN_XXY($1, $2, shift(shift(shift($@))))dnl ')') C Apply op x, x, x, y, for each x. C OPN_XXXY(OP, Y, X1, X2, ...) define(`OPN_XXXY', `$1 $3, $3, $3, $2 ifelse(eval($# > 3), 1, `OPN_XXXY($1, $2, shift(shift(shift($@))))dnl ')') C Polynomial reduction R += x^{-64} F mod P C where x^{-64} = x^{64} + P1 (mod P) C GHASH_REDUCE(R, F, P1, T1, T2) define(`GHASH_REDUCE', ` vpmsumd $4, $2, $3 xxswapd VSR($5),VSR($2) vxor $1, $1, $5 vxor $1, $1, $4 ') C GF multification of L/M and data C GF_MUL( C GF_MUL(F, R, HL, HM, S) define(`GF_MUL', `vpmsumd $1,$3,$5 vpmsumd $2,$4,$5') nettle-4.0/powerpc64/p7/0000755000000000000000000000000015141166425011762 5ustar00nettle-4.0/powerpc64/p7/chacha-2core.asm0000644000000000000000000001420215141166425014702 0ustar00C powerpc64/p7/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `r3') define(`SRC', `r4') define(`ROUNDS', `r5') C State, even elements in X, odd elements in Y define(`X0', `v0') define(`X1', `v1') define(`X2', `v2') define(`X3', `v3') define(`Y0', `v4') define(`Y1', `v5') define(`Y2', `v6') define(`Y3', `v7') define(`ROT16', `v8') define(`ROT12', `v9') define(`ROT8', `v10') define(`ROT7', `v11') C Original input state define(`S0', `v12') define(`S1', `v13') define(`S2', `v14') define(`S3', `v15') define(`S3p1', `v16') define(`T0', `v17') define(`EW_MASK', `v18') define(`OW_MASK', `v19') .text C _chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_2core) li r8, 0x30 C offset for x3 vspltisw X1, 1 C {1,1,...,1} vspltisw X0, 0 C {0,0,...,0} vsldoi X1, X1, X0, 12 C {1,0,...,0} lxvw4x VSR(X3), r8, SRC vaddcuw Y3, X3, X1 C Counter carry out vsldoi Y3, Y3, Y3, 12 vor Y3, Y3, X1 .Lshared_entry: DATA_LOAD_VEC(EW_MASK,.even_word_mask,r6) DATA_LOAD_VEC(OW_MASK,.odd_word_mask,r6) vadduwm Y3, Y3, X3 li r6, 0x10 C set up some... li r7, 0x20 C ...useful... lxvw4x VSR(X0), 0, SRC lxvw4x VSR(X1), r6, SRC lxvw4x VSR(X2), r7, SRC vor S0, X0, X0 vor S1, X1, X1 vor S2, X2, X2 vor S3, X3, X3 vor S3p1, Y3, Y3 vperm Y0, X0, X0, OW_MASK C 1 1 3 3 vperm X0, X0, X0, EW_MASK C 0 0 2 2 vperm Y1, X1, X1, OW_MASK C 5 5 7 7 vperm X1, X1, X1, EW_MASK C 4 4 6 6 vperm Y2, X2, X2, OW_MASK C 9 9 11 11 vperm X2, X2, X2, EW_MASK C 8 8 10 10 vperm Y3, X3, S3p1, OW_MASK C 13 13 15 15 vperm X3, X3, S3p1, EW_MASK C 12 12 14 14 vspltisw ROT16, -16 C -16 instead of 16 actually works! vspltisw ROT12, 12 vspltisw ROT8, 8 vspltisw ROT7, 7 srdi ROUNDS, ROUNDS, 1 mtctr ROUNDS .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C X1: A4 B4 A6 B6 Y1: A5 B5 A7 B7 C X2: A8 B8 A10 B10 Y2: A9 B9 A11 B11 C X3: A12 B12 A14 B14 Y3: A13 B13 A15 B15 vadduwm X0, X0, X1 vadduwm Y0, Y0, Y1 vxor X3, X3, X0 vxor Y3, Y3, Y0 vrlw X3, X3, ROT16 vrlw Y3, Y3, ROT16 vadduwm X2, X2, X3 vadduwm Y2, Y2, Y3 vxor X1, X1, X2 vxor Y1, Y1, Y2 vrlw X1, X1, ROT12 vrlw Y1, Y1, ROT12 vadduwm X0, X0, X1 vadduwm Y0, Y0, Y1 vxor X3, X3, X0 vxor Y3, Y3, Y0 vrlw X3, X3, ROT8 vrlw Y3, Y3, ROT8 vadduwm X2, X2, X3 vadduwm Y2, Y2, Y3 vxor X1, X1, X2 vxor Y1, Y1, Y2 vrlw X1, X1, ROT7 vrlw Y1, Y1, ROT7 vsldoi X1, X1, X1, 8 vsldoi X2, X2, X2, 8 vsldoi Y2, Y2, Y2, 8 vsldoi Y3, Y3, Y3, 8 C Register layout: C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C Y1: A5 B5 A7 B7 X1: A6 B6 A4 B4 (X1 swapped) C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped) C Y3 A15 B15 A13 B13 X3 A12 B12 A14 B14 (Y3 swapped) vadduwm X0, X0, Y1 vadduwm Y0, Y0, X1 vxor Y3, Y3, X0 vxor X3, X3, Y0 vrlw Y3, Y3, ROT16 vrlw X3, X3, ROT16 vadduwm X2, X2, Y3 vadduwm Y2, Y2, X3 vxor Y1, Y1, X2 vxor X1, X1, Y2 vrlw Y1, Y1, ROT12 vrlw X1, X1, ROT12 vadduwm X0, X0, Y1 vadduwm Y0, Y0, X1 vxor Y3, Y3, X0 vxor X3, X3, Y0 vrlw Y3, Y3, ROT8 vrlw X3, X3, ROT8 vadduwm X2, X2, Y3 vadduwm Y2, Y2, X3 vxor Y1, Y1, X2 vxor X1, X1, Y2 vrlw Y1, Y1, ROT7 vrlw X1, X1, ROT7 vsldoi X1, X1, X1, 8 vsldoi X2, X2, X2, 8 vsldoi Y2, Y2, Y2, 8 vsldoi Y3, Y3, Y3, 8 bdnz .Loop vperm T0, X0, Y0, EW_MASK vperm Y0, X0, Y0, OW_MASK vperm X0, X1, Y1, EW_MASK vperm Y1, X1, Y1, OW_MASK vperm X1, X2, Y2, EW_MASK vperm Y2, X2, Y2, OW_MASK vperm X2, X3, Y3, EW_MASK vperm Y3, X3, Y3, OW_MASK vadduwm T0, T0, S0 vadduwm Y0, Y0, S0 vadduwm X0, X0, S1 vadduwm Y1, Y1, S1 vadduwm X1, X1, S2 vadduwm Y2, Y2, S2 vadduwm X2, X2, S3 vadduwm Y3, Y3, S3p1 IF_BE(` C Output always stored in little-endian byte order. C Can reuse S0 and S1 to construct permutation mask. li r9, 0 lvsl S0, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f vspltisb S1, 0x03 C 03 03 03 03 ... 03 03 03 03 vxor S1, S1, S0 C 03 02 01 00 ... 0f 0e 0d 0c vperm T0, T0, T0, S1 vperm X0, X0, X0, S1 vperm X1, X1, X1, S1 vperm X2, X2, X2, S1 vperm Y0, Y0, Y0, S1 vperm Y1, Y1, Y1, S1 vperm Y2, Y2, Y2, S1 vperm Y3, Y3, Y3, S1 ') stxvw4x VSR(T0), 0, DST stxvw4x VSR(X0), r6, DST stxvw4x VSR(X1), r7, DST stxvw4x VSR(X2), r8, DST addi DST, DST, 64 stxvw4x VSR(Y0), 0, DST stxvw4x VSR(Y1), r6, DST stxvw4x VSR(Y2), r7, DST stxvw4x VSR(Y3), r8, DST blr EPILOGUE(_nettle_chacha_2core) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_2core32) li r8, 0x30 C offset for x3 vspltisw Y3, 1 C {1,1,...,1} vspltisw X0, 0 C {0,0,...,0} vsldoi Y3, Y3, X0, 12 C {1,0,...,0} lxvw4x VSR(X3), r8, SRC b .Lshared_entry EPILOGUE(_nettle_chacha_2core32) .rodata .align 4 .even_word_mask: IF_LE(`.byte 27,26,25,24,11,10,9,8,19,18,17,16,3,2,1,0') IF_BE(`.byte 0,1,2,3,16,17,18,19,8,9,10,11,24,25,26,27') .odd_word_mask: IF_LE(`.byte 31,30,29,28,15,14,13,12,23,22,21,20,7,6,5,4') IF_BE(`.byte 4,5,6,7,20,21,22,23,12,13,14,15,28,29,30,31') divert(-1) define core2state p/x $vs32.v4_int32 p/x $vs33.v4_int32 p/x $vs34.v4_int32 p/x $vs35.v4_int32 p/x $vs36.v4_int32 p/x $vs37.v4_int32 p/x $vs38.v4_int32 p/x $vs39.v4_int32 end nettle-4.0/powerpc64/p7/chacha-4core.asm0000644000000000000000000001572315141166425014715 0ustar00C powerpc64/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Argments define(`DST', `r3') define(`SRC', `r4') define(`ROUNDS', `r5') C Working state in v0,...,v15 define(`ROT16', v16) define(`ROT12', v17) define(`ROT8', v18) define(`ROT7', v19) C During the loop, used to save the original values for last 4 words C of each block. Also used as temporaries for transpose. define(`T0', `v20') define(`T1', `v21') define(`T2', `v22') define(`T3', `v23') C A workaround for expanding multiple digits of argument references to QR macro which is incompatible with POSIX C See https://www.gnu.org/software/m4/manual/html_node/Arguments.html define(`P1', `ifelse($1, 0, v0, $1, 1, v4, $1, 2, v8, $1, 3, v12, $1, 4, v1, $1, 5, v5, $1, 6, v9, $1, 7, v13, $1, 8, v2, $1, 9, v6, $1, 10, v10, $1, 11, v14, $1, 12, v3, $1, 13, v7, $1, 14, v11, $1, 15, v15)') define(`P2', `ifelse($1, 0, v0, $1, 1, v5, $1, 2, v10, $1, 3, v15, $1, 4, v1, $1, 5, v6, $1, 6, v11, $1, 7, v12, $1, 8, v2, $1, 9, v7, $1, 10, v8, $1, 11, v13, $1, 12, v3, $1, 13, v4, $1, 14, v9, $1, 15, v14)') C Main loop for round define(`QR',` vadduwm $1(0), $1(0), $1(1) vadduwm $1(4), $1(4), $1(5) vadduwm $1(8), $1(8), $1(9) vadduwm $1(12), $1(12), $1(13) vxor $1(3), $1(3), $1(0) vxor $1(7), $1(7), $1(4) vxor $1(11), $1(11), $1(8) vxor $1(15), $1(15), $1(12) vrlw $1(3), $1(3), ROT16 vrlw $1(7), $1(7), ROT16 vrlw $1(11), $1(11), ROT16 vrlw $1(15), $1(15), ROT16 vadduwm $1(2), $1(2), $1(3) vadduwm $1(6), $1(6), $1(7) vadduwm $1(10), $1(10), $1(11) vadduwm $1(14), $1(14), $1(15) vxor $1(1), $1(1), $1(2) vxor $1(5), $1(5), $1(6) vxor $1(9), $1(9), $1(10) vxor $1(13), $1(13), $1(14) vrlw $1(1), $1(1), ROT12 vrlw $1(5), $1(5), ROT12 vrlw $1(9), $1(9), ROT12 vrlw $1(13), $1(13), ROT12 vadduwm $1(0), $1(0), $1(1) vadduwm $1(4), $1(4), $1(5) vadduwm $1(8), $1(8), $1(9) vadduwm $1(12), $1(12), $1(13) vxor $1(3), $1(3), $1(0) vxor $1(7), $1(7), $1(4) vxor $1(11), $1(11), $1(8) vxor $1(15), $1(15), $1(12) vrlw $1(3), $1(3), ROT8 vrlw $1(7), $1(7), ROT8 vrlw $1(11), $1(11), ROT8 vrlw $1(15), $1(15), ROT8 vadduwm $1(2), $1(2), $1(3) vadduwm $1(6), $1(6), $1(7) vadduwm $1(10), $1(10), $1(11) vadduwm $1(14), $1(14), $1(15) vxor $1(1), $1(1), $1(2) vxor $1(5), $1(5), $1(6) vxor $1(9), $1(9), $1(10) vxor $1(13), $1(13), $1(14) vrlw $1(1), $1(1), ROT7 vrlw $1(5), $1(5), ROT7 vrlw $1(9), $1(9), ROT7 vrlw $1(13), $1(13), ROT7 ') define(`TRANSPOSE',` vmrghw T0, $1, $3 C A0 A2 B0 B2 vmrghw T1, $2, $4 C A1 A3 B1 B3 vmrglw T2, $1, $3 C C0 C2 D0 D2 vmrglw T3, $2, $4 C C1 C3 D1 D3 vmrghw $1, T0, T1 C A0 A1 A2 A3 vmrglw $2, T0, T1 C B0 B1 B2 B3 vmrghw $3, T2, T3 C C0 C2 C1 C3 vmrglw $4, T2, T3 C D0 D1 D2 D3 ') C _chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_4core) vspltisw T2, 1 C Apply counter carries .Lshared_entry: li r6, 0x10 C set up some... li r7, 0x20 C ...useful... li r8, 0x30 C ...offsets C Save callee-save registers. Use the "protected zone", max C 228 bytes, below the stack pointer, accessed via r10. addi r10, SP, -0x40 stvx v20, 0, r10 stvx v21, r6, r10 stvx v22, r7, r10 stvx v23, r8, r10 vspltisw ROT16, -16 C -16 instead of 16 actually works! vspltisw ROT12, 12 vspltisw ROT8, 8 vspltisw ROT7, 7 C Load state and splat lxvw4x VSR(v0), 0, SRC C "expa ..." lxvw4x VSR(v4), r6, SRC C key lxvw4x VSR(v8), r7, SRC C key lxvw4x VSR(v12), r8, SRC C cnt and nonce vspltw v1, v0, 1 vspltw v2, v0, 2 vspltw v3, v0, 3 vspltw v0, v0, 0 vspltw v5, v4, 1 vspltw v6, v4, 2 vspltw v7, v4, 3 vspltw v4, v4, 0 vspltw v9, v8, 1 vspltw v10, v8, 2 vspltw v11, v8, 3 vspltw v8, v8, 0 vspltw v13, v12, 1 vspltw v14, v12, 2 vspltw v15, v12, 3 vspltw v12, v12, 0 addis r9, r2, .Lcnts@got@ha ld r9, .Lcnts@got@l(r9) lxvw4x VSR(T0), 0, r9 C increments vaddcuw T1, v12, T0 C compute carry-out vadduwm v12, v12, T0 C low adds vand T1, T1, T2 C discard carries for 32-bit counter variant vadduwm v13, v13, T1 C apply carries C Save all 4x4 of the last words. vor T0, v12, v12 vor T1, v13, v13 vor T2, v14, v14 vor T3, v15, v15 srdi ROUNDS, ROUNDS, 1 mtctr ROUNDS .Loop: QR(`P1') QR(`P2') bdnz .Loop C Add in saved original words, including counters, before C transpose. vadduwm v12, v12, T0 vadduwm v13, v13, T1 vadduwm v14, v14, T2 vadduwm v15, v15, T3 TRANSPOSE(v0, v1,v2, v3) TRANSPOSE(v4, v5, v6, v7) TRANSPOSE(v8, v9, v10, v11) TRANSPOSE(v12, v13, v14, v15) lxvw4x VSR(T0), 0, SRC lxvw4x VSR(T1), r6, SRC lxvw4x VSR(T2), r7, SRC vadduwm v0, v0, T0 vadduwm v1, v1, T0 vadduwm v2, v2, T0 vadduwm v3, v3, T0 vadduwm v4, v4, T1 vadduwm v5, v5, T1 vadduwm v6, v6, T1 vadduwm v7, v7, T1 vadduwm v8, v8, T2 vadduwm v9, v9, T2 vadduwm v10, v10, T2 vadduwm v11, v11, T2 IF_BE(` C Output always stored in little-endian byte order. C Can reuse T0 and T1 to construct permutation mask. li r9, 0 lvsl T0, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f vspltisb T1, 0x03 C 03 03 03 03 ... 03 03 03 03 vxor T1, T1, T0 C 03 02 01 00 ... 0f 0e 0d 0c forloop(i, 0, 15, ` vperm m4_unquote(v`'i), m4_unquote(v`'i), m4_unquote(v`'i), T1 ') ') stxvw4x VSR(v0), 0, DST stxvw4x VSR(v4), r6, DST stxvw4x VSR(v8), r7, DST stxvw4x VSR(v12), r8, DST addi DST, DST, 64 stxvw4x VSR(v1), 0, DST stxvw4x VSR(v5), r6, DST stxvw4x VSR(v9), r7, DST stxvw4x VSR(v13), r8, DST addi DST, DST, 64 stxvw4x VSR(v2), 0, DST stxvw4x VSR(v6), r6, DST stxvw4x VSR(v10), r7, DST stxvw4x VSR(v14), r8, DST addi DST, DST, 64 stxvw4x VSR(v3), 0, DST stxvw4x VSR(v7), r6, DST stxvw4x VSR(v11), r7, DST stxvw4x VSR(v15), r8, DST C Restore callee-save registers lvx v20, 0, r10 lvx v21, r6, r10 lvx v22, r7, r10 lvx v23, r8, r10 blr EPILOGUE(_nettle_chacha_4core) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_4core32) vspltisw T2, 0 C Ignore counter carries b .Lshared_entry EPILOGUE(_nettle_chacha_4core32) .section .rodata ALIGN(16) .Lcnts: .long 0,1,2,3 C increments nettle-4.0/powerpc64/p7/chacha-core-internal.asm0000644000000000000000000000653715141166425016446 0ustar00C powerpc64/p7/chacha-core-internal.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `r3') define(`SRC', `r4') define(`ROUNDS', `r5') C Working state define(`X0', `v0') define(`X1', `v1') define(`X2', `v2') define(`X3', `v3') define(`ROT16', `v4') define(`ROT12', `v5') define(`ROT8', `v6') define(`ROT7', `v7') C Original input state define(`S0', `v8') define(`S1', `v9') define(`S2', `v10') define(`S3', `v11') C Big-endian working state define(`LE_MASK', `v12') define(`LE_TEMP', `v13') C QROUND(X0, X1, X2, X3) define(`QROUND', ` C x0 += x1, x3 ^= x0, x3 lrot 16 C x2 += x3, x1 ^= x2, x1 lrot 12 C x0 += x1, x3 ^= x0, x3 lrot 8 C x2 += x3, x1 ^= x2, x1 lrot 7 vadduwm $1, $1, $2 vxor $4, $4, $1 vrlw $4, $4, ROT16 vadduwm $3, $3, $4 vxor $2, $2, $3 vrlw $2, $2, ROT12 vadduwm $1, $1, $2 vxor $4, $4, $1 vrlw $4, $4, ROT8 vadduwm $3, $3, $4 vxor $2, $2, $3 vrlw $2, $2, ROT7 ') C LE_SWAP32(X0, X1, X2, X3) define(`LE_SWAP32', `IF_BE(` vperm X0, X0, X0, LE_MASK vperm X1, X1, X1, LE_MASK vperm X2, X2, X2, LE_MASK vperm X3, X3, X3, LE_MASK ')') .text C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_core) li r6, 0x10 C set up some... li r7, 0x20 C ...useful... li r8, 0x30 C ...offsets vspltisw ROT16, -16 C -16 instead of 16 actually works! vspltisw ROT12, 12 vspltisw ROT8, 8 vspltisw ROT7, 7 IF_BE(` li r9, 0 lvsl LE_MASK, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f vspltisb LE_TEMP, 0x03 C 03 03 03 03 ... 03 03 03 03 vxor LE_MASK, LE_MASK, LE_TEMP C 03 02 01 00 ... 0f 0e 0d 0c ') lxvw4x VSR(X0), 0, SRC lxvw4x VSR(X1), r6, SRC lxvw4x VSR(X2), r7, SRC lxvw4x VSR(X3), r8, SRC vor S0, X0, X0 vor S1, X1, X1 vor S2, X2, X2 vor S3, X3, X3 srdi ROUNDS, ROUNDS, 1 mtctr ROUNDS .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 1 2 3 C 5 6 7 4 <<< 1 C 10 11 8 9 <<< 2 C 15 12 13 14 <<< 3 vsldoi X1, X1, X1, 4 vsldoi X2, X2, X2, 8 vsldoi X3, X3, X3, 12 QROUND(X0, X1, X2, X3) C Inverse rotation vsldoi X1, X1, X1, 12 vsldoi X2, X2, X2, 8 vsldoi X3, X3, X3, 4 bdnz .Loop vadduwm X0, X0, S0 vadduwm X1, X1, S1 vadduwm X2, X2, S2 vadduwm X3, X3, S3 LE_SWAP32(X0, X1, X2, X3) stxvw4x VSR(X0), 0, DST stxvw4x VSR(X1), r6, DST stxvw4x VSR(X2), r7, DST stxvw4x VSR(X3), r8, DST blr EPILOGUE(_nettle_chacha_core) nettle-4.0/powerpc64/p8/0000755000000000000000000000000015141166425011763 5ustar00nettle-4.0/powerpc64/p8/aes-decrypt-internal.asm0000644000000000000000000001230015141166425016513 0ustar00C powerpc64/p8/aes-decrypt-internal.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`ROUNDS', `r3') define(`KEYS', `r4') define(`LENGTH', `r6') define(`DST', `r7') define(`SRC', `r8') C r9 used as loop index register, r10-r12, r14-r17 as constants. define(`SWAP_MASK', `v0') define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') .file "aes-decrypt-internal.asm" .text C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_aes_decrypt) DATA_LOAD_VEC(SWAP_MASK,.swap_mask,r5) subi ROUNDS,ROUNDS,1 srdi LENGTH,LENGTH,4 C Used as offsets for load/store, throughout this function li r10,0x10 li r11,0x20 li r12,0x30 srdi r5,LENGTH,3 #8x loop count cmpldi r5,0 beq L4x std r14,-32(SP) std r15,-24(SP) std r16,-16(SP) std r17,-8(SP) li r14,0x40 li r15,0x50 li r16,0x60 li r17,0x70 .align 5 Lx8_loop: lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC lxvd2x VSR(S4),r14,SRC lxvd2x VSR(S5),r15,SRC lxvd2x VSR(S6),r16,SRC lxvd2x VSR(S7),r17,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr ROUNDS li r9,-0x10 .align 5 L8x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipher, K, S0, S1, S2, S3, S4, S5, S6, S7) subi r9,r9,0x10 bdnz L8x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST stxvd2x VSR(S4),r14,DST stxvd2x VSR(S5),r15,DST stxvd2x VSR(S6),r16,DST stxvd2x VSR(S7),r17,DST addi SRC,SRC,0x80 addi DST,DST,0x80 subic. r5,r5,1 bne Lx8_loop ld r14,-32(SP) ld r15,-24(SP) ld r16,-16(SP) ld r17,-8(SP) clrldi LENGTH,LENGTH,61 L4x: srdi r5,LENGTH,2 cmpldi r5,0 beq L2x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') OPN_XXY(vxor, K, S0, S1, S2, S3) mtctr ROUNDS li r9,-0x10 .align 5 L4x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipher, K, S0, S1, S2, S3) subi r9,r9,0x10 bdnz L4x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipherlast, K, S0, S1, S2, S3) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST addi SRC,SRC,0x40 addi DST,DST,0x40 clrldi LENGTH,LENGTH,62 L2x: srdi r5,LENGTH,1 cmpldi r5,0 beq L1x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') vxor S0,S0,K vxor S1,S1,K mtctr ROUNDS li r9,-0x10 .align 5 L2x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipher S0,S0,K vncipher S1,S1,K subi r9,r9,0x10 bdnz L2x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipherlast S0,S0,K vncipherlast S1,S1,K IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST addi SRC,SRC,0x20 addi DST,DST,0x20 clrldi LENGTH,LENGTH,63 L1x: cmpldi LENGTH,0 beq Ldone lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK') vxor S0,S0,K mtctr ROUNDS li r9,-0x10 .align 5 L1x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipher S0,S0,K subi r9,r9,0x10 bdnz L1x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipherlast S0,S0,K IF_LE(`vperm S0,S0,S0,SWAP_MASK') stxvd2x VSR(S0),0,DST Ldone: blr EPILOGUE(_nettle_aes_decrypt) .data .align 4 .swap_mask: IF_LE(`.byte 8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7') IF_BE(`.byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12') nettle-4.0/powerpc64/p8/aes-encrypt-internal.asm0000644000000000000000000001226215141166425016534 0ustar00C powerpc64/p8/aes-encrypt-internal.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`ROUNDS', `r3') define(`KEYS', `r4') define(`LENGTH', `r6') define(`DST', `r7') define(`SRC', `r8') C r9 used as loop index register, r10-r12, r14-r17 as constants. define(`SWAP_MASK', `v0') define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') .file "aes-encrypt-internal.asm" .text C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_aes_encrypt) DATA_LOAD_VEC(SWAP_MASK,.swap_mask,r5) subi ROUNDS,ROUNDS,1 srdi LENGTH,LENGTH,4 C Used as offsets for load/store, throughout this function li r10,0x10 li r11,0x20 li r12,0x30 srdi r5,LENGTH,3 #8x loop count cmpldi r5,0 beq L4x std r14,-32(SP) std r15,-24(SP) std r16,-16(SP) std r17,-8(SP) li r14,0x40 li r15,0x50 li r16,0x60 li r17,0x70 .align 5 Lx8_loop: lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC lxvd2x VSR(S4),r14,SRC lxvd2x VSR(S5),r15,SRC lxvd2x VSR(S6),r16,SRC lxvd2x VSR(S7),r17,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr ROUNDS li r9,0x10 .align 5 L8x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi r9,r9,0x10 bdnz L8x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST stxvd2x VSR(S4),r14,DST stxvd2x VSR(S5),r15,DST stxvd2x VSR(S6),r16,DST stxvd2x VSR(S7),r17,DST addi SRC,SRC,0x80 addi DST,DST,0x80 subic. r5,r5,1 bne Lx8_loop ld r14,-32(SP) ld r15,-24(SP) ld r16,-16(SP) ld r17,-8(SP) clrldi LENGTH,LENGTH,61 L4x: srdi r5,LENGTH,2 cmpldi r5,0 beq L2x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') OPN_XXY(vxor, K, S0, S1, S2, S3) mtctr ROUNDS li r9,0x10 .align 5 L4x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3) addi r9,r9,0x10 bdnz L4x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST addi SRC,SRC,0x40 addi DST,DST,0x40 clrldi LENGTH,LENGTH,62 L2x: srdi r5,LENGTH,1 cmpldi r5,0 beq L1x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') vxor S0,S0,K vxor S1,S1,K mtctr ROUNDS li r9,0x10 .align 5 L2x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipher S0,S0,K vcipher S1,S1,K addi r9,r9,0x10 bdnz L2x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipherlast S0,S0,K vcipherlast S1,S1,K IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST addi SRC,SRC,0x20 addi DST,DST,0x20 clrldi LENGTH,LENGTH,63 L1x: cmpldi LENGTH,0 beq Ldone lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK') vxor S0,S0,K mtctr ROUNDS li r9,0x10 .align 5 L1x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipher S0,S0,K addi r9,r9,0x10 bdnz L1x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipherlast S0,S0,K IF_LE(`vperm S0,S0,S0,SWAP_MASK') stxvd2x VSR(S0),0,DST Ldone: blr EPILOGUE(_nettle_aes_encrypt) .data .align 4 .swap_mask: IF_LE(`.byte 8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7') IF_BE(`.byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12') nettle-4.0/powerpc64/p8/aes-invert-internal.asm0000644000000000000000000000315215141166425016355 0ustar00C powerpc64/p8/aes-invert-internal.asm ifelse(` Copyright (C) 2024 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`ROUNDS', `r3') define(`DST', `r4') define(`SRC', `r5') define(`KEY', `v1') .file "aes-invert-internal.asm" .text C _aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_aes_invert) C Since decrypt wants the same subkeys, just copy, or do C nothing if SRC == DST. cmpld SRC, DST beq .Ldone sldi ROUNDS, ROUNDS, 4 .Loop: lxvd2x VSR(KEY),ROUNDS,SRC stxvd2x VSR(KEY),ROUNDS,DST subic. ROUNDS, ROUNDS, 0x10 bge .Loop .Ldone: blr EPILOGUE(_nettle_aes_invert) nettle-4.0/powerpc64/p8/gcm-aes-decrypt.asm0000644000000000000000000002406715141166425015462 0ustar00C powerpc64/p8/gcm-aes-decrypt.asm ifelse(` Copyright (C) 2023- IBM Inc. Copyright (C) 2024 Niels Möller. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Input arguments. define(`HT', `r3') define(`SRND', `r4') define(`SLEN', `r5') define(`SDST', `r6') define(`SSRC', `r7') define(`RK', `r8') C Round key, also used as temporary in prologue. C r9-r11 used as constant indices. define(`LOOP', `r12') C C vectors used in aes encrypt output C define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') C C ghash assigned registers and vectors C define(`ZERO', `v21') C Overlap R2 (only used in setup phase) define(`POLY', `v22') C Overlap F2 (only used in setup phase) define(`POLY_L', `v0') define(`D', `v10') define(`H1M', `v11') define(`H1L', `v12') define(`H2M', `v13') define(`H2L', `v14') define(`H3M', `v15') define(`H3L', `v16') define(`H4M', `v17') define(`H4L', `v18') define(`R', `v19') define(`F', `v20') define(`R2', `v21') define(`F2', `v22') define(`LE_TEMP', `v1') C Overlap K (only used in setup phase) define(`LE_MASK', `v23') define(`CNT1', `v24') define(`LASTCNT', `v25') .file "gcm-aes-decrypt.asm" .text C size_t C _gcm_aes_decrypt(struct gcm_key *key, size_t rounds, C size_t len, uint8_t *dst, const uint8_t *src) C define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_gcm_aes_decrypt) srdi. LOOP, SLEN, 7 C loop n 8 blocks sldi SLEN, LOOP, 7 beq end li r9,1*16 li r10,2*16 li r11,3*16 C 288 byte "protected zone" is sufficient for storage. subi RK, SP, 64 stxvd2x VSR(v20), r11, RK stxvd2x VSR(v21), r10, RK stxvd2x VSR(v22), r9, RK stxvd2x VSR(v23), 0, RK subi RK, SP, 96 stxvd2x VSR(v24), r9, RK stxvd2x VSR(v25), 0, RK vxor ZERO,ZERO,ZERO vspltisb CNT1, 1 vsldoi CNT1, ZERO, CNT1, 1 C counter 1 DATA_LOAD_VEC(POLY,.polynomial,RK) li RK,0 lvsl LE_MASK,0,RK IF_LE(`vspltisb LE_TEMP,0x07') IF_BE(`vspltisb LE_TEMP,0x03') vxor LE_MASK,LE_MASK,LE_TEMP xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) C load table elements lxvd2x VSR(H1M),0,HT lxvd2x VSR(H1L),r9,HT lxvd2x VSR(H2M),r10,HT lxvd2x VSR(H2L),r11,HT addi HT, HT, 64 lxvd2x VSR(H3M),0,HT lxvd2x VSR(H3L),r9,HT lxvd2x VSR(H4M),r10,HT lxvd2x VSR(H4L),r11,HT addi HT, HT, 2000 C Advance to point to the 'CTR' field in the context lxvd2x VSR(D),r9,HT C load 'X' pointer C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') lxvd2x VSR(S0), 0, HT C Load 'CTR' IF_LE(`vperm S0, S0, S0, LE_MASK') addi LOOP, LOOP, -1 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK .align 5 C increase ctr value as input to aes_encrypt vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) addi SRND, SRND, -1 mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop1: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop1 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) cmpdi LOOP, 0 beq do_ghash .align 5 Loop8x_de: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') C do two 4x ghash C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST addi SDST, SDST, 0x40 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK vadduwm S0, LASTCNT, CNT1 vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt to v29 OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop2: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop2 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) addi LOOP, LOOP, -1 cmpdi LOOP, 0 bne Loop8x_de do_ghash: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST gcm_aes_out: vadduwm LASTCNT, LASTCNT, CNT1 C increase ctr C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') stxvd2x VSR(D),r9,HT C store digest 'D' IF_LE(` vperm LASTCNT,LASTCNT,LASTCNT,LE_MASK ') stxvd2x VSR(LASTCNT), 0, HT C store ctr subi RK, SP, 64 lxvd2x VSR(v20), r11, RK lxvd2x VSR(v21), r10, RK lxvd2x VSR(v22), r9, RK lxvd2x VSR(v23), 0, RK subi RK, SP, 96 lxvd2x VSR(v24), r9, RK lxvd2x VSR(v25), 0, RK end: mr r3, SLEN blr EPILOGUE(_nettle_gcm_aes_decrypt) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-4.0/powerpc64/p8/gcm-aes-encrypt.asm0000644000000000000000000002417715141166425015476 0ustar00C powerpc64/p8/gcm-aes-encrypt.asm ifelse(` Copyright (C) 2023- IBM Inc. Copyright (C) 2024 Niels Möller. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Input arguments. define(`HT', `r3') define(`SRND', `r4') define(`SLEN', `r5') define(`SDST', `r6') define(`SSRC', `r7') define(`RK', `r8') C Round key, also used as temporary in prologue. C r9-r11 used as constant indices. define(`LOOP', `r12') C C vectors used in aes encrypt output C define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') C C ghash assigned registers and vectors C define(`ZERO', `v21') C Overlap R2 (only used in setup phase) define(`POLY', `v22') C Overlap F2 (only used in setup phase) define(`POLY_L', `v0') define(`D', `v10') define(`H1M', `v11') define(`H1L', `v12') define(`H2M', `v13') define(`H2L', `v14') define(`H3M', `v15') define(`H3L', `v16') define(`H4M', `v17') define(`H4L', `v18') define(`R', `v19') define(`F', `v20') define(`R2', `v21') define(`F2', `v22') define(`LE_TEMP', `v1') C Overlap K (only used in setup phase) define(`LE_MASK', `v23') define(`CNT1', `v24') define(`LASTCNT', `v25') .file "gcm-aes-encrypt.asm" .text C size_t C _gcm_aes_encrypt(struct gcm_key *key, size_t rounds, C size_t len, uint8_t *dst, const uint8_t *src) C define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_gcm_aes_encrypt) srdi. LOOP, SLEN, 7 C loop n 8 blocks sldi SLEN, LOOP, 7 beq end li r9,1*16 li r10,2*16 li r11,3*16 C 288 byte "protected zone" is sufficient for storage. subi RK, SP, 64 stxvd2x VSR(v20), r11, RK stxvd2x VSR(v21), r10, RK stxvd2x VSR(v22), r9, RK stxvd2x VSR(v23), 0, RK subi RK, SP, 96 stxvd2x VSR(v24), r9, RK stxvd2x VSR(v25), 0, RK vxor ZERO,ZERO,ZERO vspltisb CNT1, 1 vsldoi CNT1, ZERO, CNT1, 1 C counter 1 DATA_LOAD_VEC(POLY,.polynomial,RK) li RK,0 lvsl LE_MASK,0,RK IF_LE(`vspltisb LE_TEMP,0x07') IF_BE(`vspltisb LE_TEMP,0x03') vxor LE_MASK,LE_MASK,LE_TEMP xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) C load table elements lxvd2x VSR(H1M),0,HT lxvd2x VSR(H1L),r9,HT lxvd2x VSR(H2M),r10,HT lxvd2x VSR(H2L),r11,HT addi HT, HT, 64 lxvd2x VSR(H3M),0,HT lxvd2x VSR(H3L),r9,HT lxvd2x VSR(H4M),r10,HT lxvd2x VSR(H4L),r11,HT addi HT, HT, 2000 C Advance to point to the 'CTR' field in the context lxvd2x VSR(D),r9,HT C load 'X' pointer C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') lxvd2x VSR(S0), 0, HT C Load 'CTR' IF_LE(`vperm S0, S0, S0, LE_MASK') addi LOOP, LOOP, -1 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK .align 5 C increase ctr value as input to aes_encrypt vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) addi SRND, SRND, -1 mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop1: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop1 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) cmpdi LOOP, 0 beq do_ghash .align 5 Loop8x_en: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') C do two 4x ghash C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST addi SDST, SDST, 0x40 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK vadduwm S0, LASTCNT, CNT1 vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt to v29 OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop2: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop2 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) addi LOOP, LOOP, -1 cmpdi LOOP, 0 bne Loop8x_en do_ghash: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST gcm_aes_out: vadduwm LASTCNT, LASTCNT, CNT1 C increase ctr C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') stxvd2x VSR(D),r9,HT C store digest 'D' IF_LE(` vperm LASTCNT,LASTCNT,LASTCNT,LE_MASK ') stxvd2x VSR(LASTCNT), 0, HT C store ctr subi RK, SP, 64 lxvd2x VSR(v20), r11, RK lxvd2x VSR(v21), r10, RK lxvd2x VSR(v22), r9, RK lxvd2x VSR(v23), 0, RK subi RK, SP, 96 lxvd2x VSR(v24), r9, RK lxvd2x VSR(v25), 0, RK end: mr r3, SLEN blr EPILOGUE(_nettle_gcm_aes_encrypt) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-4.0/powerpc64/p8/ghash-set-key.asm0000644000000000000000000001666615141166425015155 0ustar00C powerpc64/p8/ghash-set-key.asm ifelse(` Copyright (C) 2020, 2022 Niels Möller and Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`CTX', `r3') define(`KEY', `r4') define(`ZERO', `v0') define(`B1', `v1') define(`EMSB', `v16') define(`POLY', `v17') define(`POLY_L', `v1') define(`H', `v2') define(`H2', `v3') define(`H3', `v4') define(`H4', `v5') define(`H1M', `v6') define(`H1L', `v7') define(`H2M', `v8') define(`H2L', `v9') define(`Hl', `v10') define(`Hm', `v11') define(`Hp', `v12') define(`Hl2', `v13') define(`Hm2', `v14') define(`Hp2', `v15') define(`R', `v13') define(`F', `v14') define(`T', `v15') define(`R2', `v16') define(`F2', `v17') define(`T2', `v18') define(`LE_TEMP', `v18') define(`LE_MASK', `v19') .file "ghash-set-key.asm" .text C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) C This function populates the gcm table as the following layout C ******************************************************************************* C | H1M = (H1 div x⁶⁴)||((H1 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H1L = (H1 mod x⁶⁴)||(((H1 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H1 div x⁶⁴) | C | | C | H2M = (H2 div x⁶⁴)||((H2 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H2L = (H2 mod x⁶⁴)||(((H2 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H2 div x⁶⁴) | C | | C | H3M = (H3 div x⁶⁴)||((H3 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H3L = (H3 mod x⁶⁴)||(((H3 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H3 div x⁶⁴) | C | | C | H4M = (H3 div x⁶⁴)||((H4 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H4L = (H3 mod x⁶⁴)||(((H4 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H4 div x⁶⁴) | C ******************************************************************************* define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ghash_set_key) DATA_LOAD_VEC(POLY,.polynomial,r7) C 0xC2000000000000000000000000000001 IF_LE(` li r8,0 lvsl LE_MASK,0,r8 C 0x000102030405060708090A0B0C0D0E0F vspltisb LE_TEMP,0x07 C 0x07070707070707070707070707070707 vxor LE_MASK,LE_MASK,LE_TEMP C 0x07060504030201000F0E0D0C0B0A0908 ') lxvd2x VSR(H),0,KEY C load 'H' C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm H,H,H,LE_MASK ') C --- calculate H = H << 1 mod P(X), P(X) = (x¹²⁸+x¹²⁷+x¹²⁶+x¹²¹+1) --- vupkhsb EMSB,H C extend most significant bit to first byte vspltisb B1,1 C 0x01010101010101010101010101010101 vspltb EMSB,EMSB,0 C first byte quadword-extend vsl H,H,B1 C H = H << 1 vand EMSB,EMSB,POLY C EMSB &= 0xC2000000000000000000000000000001 vxor ZERO,ZERO,ZERO C 0x00000000000000000000000000000000 vxor H,H,EMSB C H ^= EMSB C --- calculate H^2 = H*H --- xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) C 0x0000000000000000C200000000000000 C --- Hp = (H mod x⁶⁴) / x⁶⁴ mod P(X) --- C --- Hp = (H mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷) mod P(X), deg(Hp) ≤ 127 --- C --- Hp = (H mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷) --- vpmsumd Hp,H,POLY_L C Hp = (H mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷) xxswapd VSR(Hm),VSR(H) xxmrgld VSR(Hl),VSR(H),VSR(ZERO) C Hl = (H mod x⁶⁴) × x⁶⁴ vxor Hm,Hm,Hp C Hm = Hm + Hp vxor Hl,Hl,Hp C Hl = Hl + Hp xxmrgld VSR(H1L),VSR(H),VSR(Hm) C H1L = (H mod x⁶⁴)||(Hl mod x⁶⁴) xxmrghd VSR(H1M),VSR(H),VSR(Hl) C H1M = (H div x⁶⁴)||(Hl div x⁶⁴) vpmsumd F,H1L,H C F = (H1Lh × Hh) + (H1Ll × Hl) vpmsumd R,H1M,H C R = (H1Mh × Hh) + (H1Ml × Hl) C --- rduction --- vpmsumd T,F,POLY_L C T = (F mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷) xxswapd VSR(H2),VSR(F) vxor R,R,T C R = R + T vxor H2,R,H2 xxmrgld VSR(Hl),VSR(H2),VSR(ZERO) xxswapd VSR(Hm),VSR(H2) vpmsumd Hp,H2,POLY_L vxor Hl,Hl,Hp vxor Hm,Hm,Hp xxmrghd VSR(H2M),VSR(H2),VSR(Hl) xxmrgld VSR(H2L),VSR(H2),VSR(Hm) C store H1M, H1L, H2M, H2L li r8,1*16 li r9,2*16 li r10,3*16 stxvd2x VSR(H1M),0,CTX stxvd2x VSR(H1L),r8,CTX stxvd2x VSR(H2M),r9,CTX stxvd2x VSR(H2L),r10,CTX C --- calculate H^3 = H^1*H^2, H^4 = H^2*H^2 --- vpmsumd F,H1L,H2 vpmsumd F2,H2L,H2 vpmsumd R,H1M,H2 vpmsumd R2,H2M,H2 vpmsumd T,F,POLY_L vpmsumd T2,F2,POLY_L xxswapd VSR(H3),VSR(F) xxswapd VSR(H4),VSR(F2) vxor R,R,T vxor R2,R2,T2 vxor H3,R,H3 vxor H4,R2,H4 xxmrgld VSR(Hl),VSR(H3),VSR(ZERO) xxmrgld VSR(Hl2),VSR(H4),VSR(ZERO) xxswapd VSR(Hm),VSR(H3) xxswapd VSR(Hm2),VSR(H4) vpmsumd Hp,H3,POLY_L vpmsumd Hp2,H4,POLY_L vxor Hl,Hl,Hp vxor Hl2,Hl2,Hp2 vxor Hm,Hm,Hp vxor Hm2,Hm2,Hp2 xxmrghd VSR(H1M),VSR(H3),VSR(Hl) xxmrghd VSR(H2M),VSR(H4),VSR(Hl2) xxmrgld VSR(H1L),VSR(H3),VSR(Hm) xxmrgld VSR(H2L),VSR(H4),VSR(Hm2) C store H3M, H3L, H4M, H4L addi CTX, CTX, 0x40 stxvd2x VSR(H1M),0,CTX stxvd2x VSR(H1L),r8,CTX stxvd2x VSR(H2M),r9,CTX stxvd2x VSR(H2L),r10,CTX blr EPILOGUE(_nettle_ghash_set_key) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-4.0/powerpc64/p8/ghash-update.asm0000644000000000000000000001524615141166425015047 0ustar00C powerpc64/p8/ghash-update.asm ifelse(` Copyright (C) 2020, 2020 Niels Möller and Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`CTX', `r3') .file "ghash-update.asm" .text define(`CTX', `r3') define(`X', `r4') define(`BLOCKS', `r5') define(`DATA', `r6') define(`ZERO', `v16') define(`LE_TEMP', `v17') define(`POLY_L', `v0') define(`LE_MASK', `v1') define(`C0', `v2') define(`C1', `v3') define(`C2', `v4') define(`C3', `v5') define(`H1M', `v6') define(`H1L', `v7') define(`H2M', `v8') define(`H2L', `v9') define(`H3M', `v10') define(`H3L', `v11') define(`H4M', `v12') define(`H4L', `v13') define(`R', `v14') define(`F', `v15') define(`R2', `v16') define(`F2', `v17') define(`R3', `v18') define(`F3', `v19') define(`R4', `v20') define(`F4', `v21') C const uint8_t *_ghash_update (const struct gcm_key *ctx, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ghash_update) vxor ZERO,ZERO,ZERO DATA_LOAD_VEC(POLY_L,.polynomial,r7) IF_LE(` li r8,0 lvsl LE_MASK,0,r8 vspltisb LE_TEMP,0x07 vxor LE_MASK,LE_MASK,LE_TEMP ') xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY_L) lxvd2x VSR(R),0,X C load 'X' pointer C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm R,R,R,LE_MASK ') C Used as offsets for load/store, throughout this function li r8,1*16 li r9,2*16 li r10,3*16 C --- process 4 blocks '128-bit each' per one loop --- srdi. r7,BLOCKS,2 C 4-blocks loop count 'BLOCKS / 4' beq L2x mtctr r7 C assign counter register to loop count C store non-volatile vector registers addi r7,SP,-32 stvx v20,0,r7 stvx v21,r8,r7 C load table elements lxvd2x VSR(H1M),0,CTX lxvd2x VSR(H1L),r8,CTX lxvd2x VSR(H2M),r9,CTX lxvd2x VSR(H2L),r10,CTX addi r7,CTX,64 lxvd2x VSR(H3M),0,r7 lxvd2x VSR(H3L),r8,r7 lxvd2x VSR(H4M),r9,r7 lxvd2x VSR(H4L),r10,r7 .align 5 L4x_loop: C input loading lxvd2x VSR(C0),0,DATA C load C0 lxvd2x VSR(C1),r8,DATA C load C1 lxvd2x VSR(C2),r9,DATA C load C2 lxvd2x VSR(C3),r10,DATA C load C3 IF_LE(` vperm C0,C0,C0,LE_MASK vperm C1,C1,C1,LE_MASK vperm C2,C2,C2,LE_MASK vperm C3,C3,C3,LE_MASK ') C previous digest combining vxor C0,C0,R C polynomial multiplication vpmsumd F2,H3L,C1 vpmsumd R2,H3M,C1 vpmsumd F3,H2L,C2 vpmsumd R3,H2M,C2 vpmsumd F4,H1L,C3 vpmsumd R4,H1M,C3 vpmsumd F,H4L,C0 vpmsumd R,H4M,C0 C deferred recombination of partial products vxor F3,F3,F4 vxor R3,R3,R4 vxor F,F,F2 vxor R,R,R2 vxor F,F,F3 vxor R,R,R3 GHASH_REDUCE(R, F, POLY_L, R2, F2) C R2, F2 used as temporaries addi DATA,DATA,0x40 bdnz L4x_loop C restore non-volatile vector registers addi r7,SP,-32 lvx v20,0,r7 addi r7,r7,16 lvx v21,0,r7 clrldi BLOCKS,BLOCKS,62 C 'set the high-order 62 bits to zeros' L2x: C --- process 2 blocks --- srdi. r7,BLOCKS,1 C 'BLOCKS / 2' beq L1x C load table elements lxvd2x VSR(H1M),0,CTX lxvd2x VSR(H1L),r8,CTX lxvd2x VSR(H2M),r9,CTX lxvd2x VSR(H2L),r10,CTX C input loading lxvd2x VSR(C0),0,DATA C load C0 lxvd2x VSR(C1),r8,DATA C load C1 IF_LE(` vperm C0,C0,C0,LE_MASK vperm C1,C1,C1,LE_MASK ') C previous digest combining vxor C0,C0,R C polynomial multiplication vpmsumd F2,H1L,C1 vpmsumd R2,H1M,C1 vpmsumd F,H2L,C0 vpmsumd R,H2M,C0 C deferred recombination of partial products vxor F,F,F2 vxor R,R,R2 GHASH_REDUCE(R, F, POLY_L, R2, F2) C R2, F2 used as temporaries addi DATA,DATA,0x20 clrldi BLOCKS,BLOCKS,63 C 'set the high-order 63 bits to zeros' L1x: C --- process 1 block --- srdi. r7,BLOCKS,0 C 'LENGTH / 1' beq Ldone C load table elements lxvd2x VSR(H1M),0,CTX lxvd2x VSR(H1L),r8,CTX C input loading lxvd2x VSR(C0),0,DATA C load C0 IF_LE(` vperm C0,C0,C0,LE_MASK ') C previous digest combining vxor C0,C0,R C polynomial multiplication vpmsumd F,H1L,C0 vpmsumd R,H1M,C0 GHASH_REDUCE(R, F, POLY_L, R2, F2) C R2, F2 used as temporaries addi DATA,DATA,0x10 clrldi BLOCKS,BLOCKS,60 C 'set the high-order 60 bits to zeros' Ldone: C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm R,R,R,LE_MASK ') stxvd2x VSR(R),0,X C store digest 'R' mr r3, DATA blr EPILOGUE(_nettle_ghash_update) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-4.0/powerpc64/p8/sha256-compress-n.asm0000644000000000000000000002151215141166425015562 0ustar00C x86_64/sha256-compress-n.asm ifelse(` Copyright (C) 2024 Eric Richter, IBM Corporation This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" C Parameters in define(`SP', `r1') define(`STATE', `r3') define(`K', `r4') define(`NUMBLOCKS', `r5') define(`INPUT', `r6') define(`T0', `r7') define(`T1', `r8') define(`TK', `r9') define(`COUNT', `r10') define(`TC0', `0') C Index instructions allow literal 0 instead of a GPR define(`TC16', `r11') C State registers define(`VSA', `v0') define(`VSB', `v1') define(`VSC', `v2') define(`VSD', `v3') define(`VSE', `v4') define(`VSF', `v5') define(`VSG', `v6') define(`VSH', `v7') C Previous state value registers stored in VSX define(`VSXA', `vs0') define(`VSXB', `vs1') define(`VSXC', `vs2') define(`VSXD', `vs3') define(`VSXE', `vs4') define(`VSXF', `vs5') define(`VSXG', `vs6') define(`VSXH', `vs7') C Current K values define(`VK', `v8') C Temp registers for math define(`VT0', `v9') define(`VT1', `v10') define(`VT2', `v11') define(`VT3', `v12') define(`VT4', `v13') C Convenience named registers for sigma(a) and sigma(e) define(`SIGA', `v14') define(`SIGE', `v15') C Registers v16-v31 are used for input words W[0] through W[15] C Convert an index for W[i] to the corresponding vector register v[16 + i] define(`IV', `m4_unquote(v`'eval((($1) % 16) + 16))') C ROUND(A B C D E F G H R) define(`ROUND', ` vadduwm VT1, VK, IV($9) C VT1: k+W vadduwm VT4, $8, VT1 C VT4: H+k+W lxvw4x VSR(VK), TK, K C Load Key addi TK, TK, 4 C Increment Pointer to next key vadduwm VT2, $4, $8 C VT2: H+D vadduwm VT2, VT2, VT1 C VT2: H+D+k+W vshasigmaw SIGE, $5, 1, 0b1111 C Sigma(E) Se vshasigmaw SIGA, $1, 1, 0 C Sigma(A) Sa vxor VT3, $2, $3 C VT3: b^c vsel VT0, $7, $6, $5 C VT0: Ch. vsel VT3, $3, $1, VT3 C VT3: Maj(a,b,c) vadduwm VT4, VT4, VT0 C VT4: Hkw + Ch. vadduwm VT3, VT3, VT4 C VT3: HkW + Ch. + Maj. vadduwm VT0, VT0, VT2 C VT0: Ch. + DHKW vadduwm $8, SIGE, SIGA C Anext: Se + Sa vadduwm $4, VT0, SIGE C Dnext: Ch. + DHKW + Se vadduwm $8, $8, VT3 C Anext: Se+Sa+HkW+Ch.+Maj. ') C Extend W[i] define(`EXTEND', ` vshasigmaw SIGE, IV($1 + 14), 0, 0b1111 vshasigmaw SIGA, IV($1 + 1), 0, 0b0000 vadduwm IV($1), IV($1), SIGE vadduwm IV($1), IV($1), SIGA vadduwm IV($1), IV($1), IV($1 + 9) ') define(`EXTENDROUND', ` ROUND($1, $2, $3, $4, $5, $6, $7, $8, $9) C Schedule (data) for 16th round in future EXTEND($9) ') define(`NOEXTENDROUND', `ROUND($1, $2, $3, $4, $5, $6, $7, $8, $9)') define(`NOEXTENDROUNDS', ` NOEXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 0) NOEXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 1) NOEXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 2) NOEXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 3) NOEXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 4) NOEXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 5) NOEXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 6) NOEXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 7) NOEXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 8) NOEXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 9) NOEXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 10) NOEXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 11) NOEXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 12) NOEXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 13) NOEXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 14) NOEXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 15) ') define(`EXTENDROUNDS', ` EXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 0) EXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 1) EXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 2) EXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 3) EXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 4) EXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 5) EXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 6) EXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 7) EXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 8) EXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 9) EXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 10) EXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 11) EXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 12) EXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 13) EXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 14) EXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 15) ') define(`LOAD', ` IF_BE(`lxvw4x VSR(IV($1)), $2, INPUT') IF_LE(` lxvd2x VSR(IV($1)), $2, INPUT vperm IV($1), IV($1), IV($1), VT0 ') ') define(`DOLOADS', ` IF_LE(`DATA_LOAD_VEC(VT0, .load_swap, T1)') LOAD(0, TC0) vsldoi IV(1), IV(0), IV(0), 4 vsldoi IV(2), IV(0), IV(0), 8 vsldoi IV(3), IV(0), IV(0), 12 addi INPUT, INPUT, 16 LOAD(4, TC0) vsldoi IV(5), IV(4), IV(4), 4 vsldoi IV(6), IV(4), IV(4), 8 vsldoi IV(7), IV(4), IV(4), 12 addi INPUT, INPUT, 16 LOAD(8, TC0) vsldoi IV(9), IV(8), IV(8), 4 vsldoi IV(10), IV(8), IV(8), 8 vsldoi IV(11), IV(8), IV(8), 12 addi INPUT, INPUT, 16 LOAD(12, TC0) vsldoi IV(13), IV(12), IV(12), 4 vsldoi IV(14), IV(12), IV(12), 8 vsldoi IV(15), IV(12), IV(12), 12 addi INPUT, INPUT, 16 ') .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_sha256_compress_n) cmpldi NUMBLOCKS, 0 ble .done mtctr NUMBLOCKS C Store non-volatile registers ALIGN(16) C Appears necessary for optimal stores li TC16, 16 li T0, -16 li T1, -32 stvx v20, T0, SP stvx v21, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v22, T0, SP stvx v23, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v24, T0, SP stvx v25, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v26, T0, SP stvx v27, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v28, T0, SP stvx v29, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v30, T0, SP stvx v31, T1, SP ALIGN(16) C Appears necessary for optimal loads C Load state values lxvw4x VSR(VSA), 0, STATE C VSA contains A,B,C,D lxvw4x VSR(VSE), TC16, STATE C VSE contains E,F,G,H C "permute" state from VSA containing A,B,C,D into VSA,VSB,VSC,VSD vsldoi VSB, VSA, VSA, 4 vsldoi VSF, VSE, VSE, 4 vsldoi VSC, VSA, VSA, 8 vsldoi VSG, VSE, VSE, 8 vsldoi VSD, VSA, VSA, 12 vsldoi VSH, VSE, VSE, 12 .loop: xxlor VSXA, VSR(VSA), VSR(VSA) xxlor VSXB, VSR(VSB), VSR(VSB) xxlor VSXC, VSR(VSC), VSR(VSC) xxlor VSXD, VSR(VSD), VSR(VSD) xxlor VSXE, VSR(VSE), VSR(VSE) xxlor VSXF, VSR(VSF), VSR(VSF) xxlor VSXG, VSR(VSG), VSR(VSG) xxlor VSXH, VSR(VSH), VSR(VSH) li TK, 0 lxvw4x VSR(VK), TK, K addi TK, TK, 4 DOLOADS EXTENDROUNDS EXTENDROUNDS EXTENDROUNDS NOEXTENDROUNDS C Reload initial state from VSX registers xxlor VSR(VT0), VSXA, VSXA xxlor VSR(VT1), VSXB, VSXB xxlor VSR(VT2), VSXC, VSXC xxlor VSR(VT3), VSXD, VSXD xxlor VSR(VT4), VSXE, VSXE xxlor VSR(SIGA), VSXF, VSXF xxlor VSR(SIGE), VSXG, VSXG xxlor VSR(VK), VSXH, VSXH vadduwm VSA, VSA, VT0 vadduwm VSB, VSB, VT1 vadduwm VSC, VSC, VT2 vadduwm VSD, VSD, VT3 vadduwm VSE, VSE, VT4 vadduwm VSF, VSF, SIGA vadduwm VSG, VSG, SIGE vadduwm VSH, VSH, VK bdnz .loop C Repack VSA,VSB,VSC,VSD into VSA,VSE for storing vmrghw VSA, VSA, VSB vmrghw VSC, VSC, VSD vmrghw VSE, VSE, VSF vmrghw VSG, VSG, VSH xxmrghd VSR(VSA), VSR(VSA), VSR(VSC) xxmrghd VSR(VSE), VSR(VSE), VSR(VSG) stxvw4x VSR(VSA), 0, STATE stxvw4x VSR(VSE), TC16, STATE C Restore nonvolatile registers li T0, -16 li T1, -32 lvx v20, T0, SP lvx v21, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v22, T0, SP lvx v23, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v24, T0, SP lvx v25, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v26, T0, SP lvx v27, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v28, T0, SP lvx v29, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v30, T0, SP lvx v31, T1, SP .done: mr r3, INPUT blr EPILOGUE(_nettle_sha256_compress_n) IF_LE(` .data .align 4 .load_swap: .byte 8,9,10,11, 12,13,14,15, 0,1,2,3, 4,5,6,7 ') nettle-4.0/powerpc64/p9/0000755000000000000000000000000015141166425011764 5ustar00nettle-4.0/powerpc64/p9/poly1305-blocks.asm0000644000000000000000000002241515141166425015241 0ustar00C powerpc64/p9/poly1305-blocks.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`powerpc64/p9/poly1305.m4') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Argments define(`CTX', `r3') define(`BLOCKS', `r4') define(`DATA', `r5') define(`PADBYTE', `r6') C Padding byte register define(`DEFINES_BLOCK_R44', ` define(`R0', `v0') define(`R1', `v1') define(`R2', `v2') define(`S1', `v3') define(`S2', `v4') define(`H0', `v5') define(`H1', `v6') define(`H2', `v7') define(`R3', `v8') define(`R4', `v9') define(`R5', `v10') define(`S4', `v11') define(`S5', `v12') define(`T0', `v13') define(`T1', `v14') define(`T2', `v15') define(`T3', `v16') define(`T4', `v17') define(`T5', `v18') define(`TMP', `v19') define(`TMP2', `v20') define(`ZERO', `v21') define(`MASK44', `v22') define(`MASK42L', `v23') define(`MASK44L', `v24') define(`T4PAD', `v25') define(`D40', `v26') define(`D20', `v27') define(`D24', `v28') define(`D44', `v29') define(`D2', `v30') define(`D4', `v31') ') C Compute S_1 = 20 * R_1 and S_2 = 20 * R_2 C COMPUTE_S(S1, S2, R1, R2) define(`COMPUTE_S', ` vsld $1, $3, D2 vsld $2, $4, D2 vaddudm $1, $1, $3 vaddudm $2, $2, $4 vsld $1, $1, D2 vsld $2, $2, D2 ') C Convert two-part radix 2^64 to three-part radix 2^44 of four blocks C R64_TO_R44_4B(VR0, VR1, VR2, VR3, VR4, VR5) define(`R64_TO_R44_4B', ` vsrd $3, $2, D24 vsrd $6, $5, D24 vsrd TMP, $1, D44 vsrd TMP2, $4, D44 vsld $2, $2, D20 vsld $5, $5, D20 vor $2, $2, TMP vor $5, $5, TMP2 vand $1, $1, MASK44 vand $4, $4, MASK44 vand $2, $2, MASK44 vand $5, $5, MASK44 ') C T_0 = R_0 H_0 + S_2 H_1 + S_1 H_2 C T_1 = R_1 H_0 + R_0 H_1 + S_2 H_2 C T_2 = R_2 H_0 + R_1 H_1 + R_0 H_2 C MUL(T0, T1, T2, H0, H1, H2) define(`MUL', ` vmsumudm $1, $4, R0, ZERO vmsumudm $2, $4, R1, ZERO vmsumudm $3, $4, R2, ZERO vmsumudm $1, $5, S2, $1 vmsumudm $2, $5, R0, $2 vmsumudm $3, $5, R1, $3 vmsumudm $1, $6, S1, $1 vmsumudm $2, $6, S2, $2 vmsumudm $3, $6, R0, $3 ') C Apply aforenamed equations on four-blocks C Each two successive blocks are interleaved horizontally C MUL_4B(T0, T1, T2, H0, H1, H2, H3, H4, H5) define(`MUL_4B', ` vmsumudm $1, $7, R0, ZERO vmsumudm $2, $7, R1, ZERO vmsumudm $3, $7, R2, ZERO vmsumudm $1, $8, S2, $1 vmsumudm $2, $8, R0, $2 vmsumudm $3, $8, R1, $3 vmsumudm $1, $9, S1, $1 vmsumudm $2, $9, S2, $2 vmsumudm $3, $9, R0, $3 vmsumudm $1, $4, R3, $1 vmsumudm $2, $4, R4, $2 vmsumudm $3, $4, R5, $3 vmsumudm $1, $5, S5, $1 vmsumudm $2, $5, R3, $2 vmsumudm $3, $5, R4, $3 vmsumudm $1, $6, S4, $1 vmsumudm $2, $6, S5, $2 vmsumudm $3, $6, R3, $3 ') C Reduction phase of two interleaved chains C RED(H0, H1, H2, T0, T1, T2) define(`RED', ` vand $1, $4, MASK44L vsro $4, $4, D40 vsrd $4, $4, D4 vadduqm $5, $5, $4 vand $2, $5, MASK44L vsro $5, $5, D40 vsrd $5, $5, D4 vadduqm $6, $6, $5 vand $3, $6, MASK42L vsro $6, $6, D40 vsrd $6, $6, D2 vadduqm $1, $1, $6 vsld $6, $6, D2 vadduqm $1, $1, $6 vsrd TMP, $1, D44 vand $1, $1, MASK44L vadduqm $2, $2, TMP ') .text C void _nettle_poly1305_blocks(struct poly1305_ctx *ctx, C size_t length, const uint8_t *data) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_blocks) C Save non-volatile vector registers std r31,-8(SP) stxv VSR(v31),-32(SP) stxv VSR(v30),-48(SP) stxv VSR(v29),-64(SP) stxv VSR(v28),-80(SP) stxv VSR(v27),-96(SP) stxv VSR(v26),-112(SP) stxv VSR(v25),-128(SP) stxv VSR(v24),-144(SP) stxv VSR(v23),-160(SP) stxv VSR(v22),-176(SP) stxv VSR(v21),-192(SP) stxv VSR(v20),-208(SP) C Initialize padding byte register li PADBYTE, 1 C Process data blocks of number of multiple 4 DEFINES_BLOCK_R44() cmpldi BLOCKS, POLY1305_BLOCK_THRESHOLD blt Ldata_r64 srdi r9, BLOCKS, 2 andi. BLOCKS, BLOCKS, 3 mtctr r9 C Initialize constants vxor ZERO, ZERO, ZERO vspltisb D2, 2 vspltisb D4, 4 addis r9, TOCP, .mask44@got@ha ld r9, .mask44@got@l(r9) lxvd2x VSR(MASK44), 0, r9 addi r9, r9, 16 lxvd2x VSR(MASK42L), 0, r9 addi r9, r9, 16 lxvd2x VSR(D40), 0, r9 addi r9, r9, 16 lxvd2x VSR(D20), 0, r9 addi r9, r9, 16 lxvd2x VSR(D24), 0, r9 addi r9, r9, 16 lxvd2x VSR(D44), 0, r9 xxmrghd VSR(MASK44L), VSR(ZERO), VSR(MASK44) sldi r10, PADBYTE, 40 mtvsrdd VSR(T4PAD), r10, r10 C Load key of radix 2^44 lxsd R0, 0(CTX) lxsd R1, 8(CTX) vsrd R2, R1, D24 vsrd TMP, R0, D44 vsld R1, R1, D20 vor R1, R1, TMP vand R0, R0, MASK44 vand R1, R1, MASK44 xxmrghd VSR(R0), VSR(R0), VSR(ZERO) xxmrghd VSR(R1), VSR(R1), VSR(ZERO) xxmrghd VSR(R2), VSR(R2), VSR(ZERO) COMPUTE_S(S1, S2, R1, R2) C Calculate R^2 = R R MUL(T0, T1, T2, R0, R1, R2) RED(H0, H1, H2, T0, T1, T2) xxpermdi VSR(R0), VSR(R0), VSR(H0), 0b01 xxpermdi VSR(R1), VSR(R1), VSR(H1), 0b01 xxpermdi VSR(R2), VSR(R2), VSR(H2), 0b01 COMPUTE_S(S1, S2, R1, R2) C Calculate R^3 = R^2 R xxmrghd VSR(R3), VSR(ZERO), VSR(R0) xxmrghd VSR(R4), VSR(ZERO), VSR(R1) xxmrghd VSR(R5), VSR(ZERO), VSR(R2) MUL(T0, T1, T2, R3, R4, R5) RED(H0, H1, H2, T0, T1, T2) C Calculate R^4 = R^2 R^2 xxmrgld VSR(R3), VSR(ZERO), VSR(R0) xxmrgld VSR(R4), VSR(ZERO), VSR(R1) xxmrgld VSR(R5), VSR(ZERO), VSR(R2) MUL(T0, T1, T2, R3, R4, R5) RED(R3, R4, R5, T0, T1, T2) xxmrgld VSR(R3), VSR(H0), VSR(R3) xxmrgld VSR(R4), VSR(H1), VSR(R4) xxmrgld VSR(R5), VSR(H2), VSR(R5) COMPUTE_S(S4, S5, R4, R5) C Load state ld r7, 32(CTX) ld r8, 40(CTX) ld r31, 48(CTX) C Fold high part of H2 srdi r9, r31, 2 sldi r10, r9, 2 add r10, r10, r9 andi. r31, r31, 3 li r9, 0 addc r7, r7, r10 adde r8, r8, r9 adde r31, r31, r9 mtvsrdd VSR(H0), 0, r7 mtvsrdd VSR(H1), 0, r8 mtvsrdd VSR(H2), 0, r31 C Convert state of radix 2^64 to 2^44 vsrd TMP, H1, D24 vsld H2, H2, D40 vor H2, H2, TMP vsrd TMP2, H0, D44 vsld H1, H1, D20 vor H1, H1, TMP2 vand H0, H0, MASK44 vand H1, H1, MASK44 li r8, 0x10 li r9, 0x20 li r10, 0x30 L4B_loop: C Load four blocks lxvd2x VSR(T3), 0, DATA lxvd2x VSR(T4), r8, DATA lxvd2x VSR(T5), r9, DATA lxvd2x VSR(TMP), r10, DATA IF_BE(` xxbrd VSR(T3), VSR(T3) xxbrd VSR(T4), VSR(T4) xxbrd VSR(T5), VSR(T5) xxbrd VSR(TMP), VSR(TMP) ') C Permute blocks in little-endian and line each two successive C blocks horizontally xxmrghd VSR(T0), VSR(T4), VSR(T3) xxmrgld VSR(T1), VSR(T4), VSR(T3) xxmrghd VSR(T3), VSR(TMP), VSR(T5) xxmrgld VSR(T4), VSR(TMP), VSR(T5) R64_TO_R44_4B(T0, T1, T2, T3, T4, T5) vor T2, T2, T4PAD vor T5, T5, T4PAD C Combine first block with previous state vaddudm H0, H0, T0 vaddudm H1, H1, T1 vaddudm H2, H2, T2 MUL_4B(T0, T1, T2, H0, H1, H2, T3, T4, T5) RED(H0, H1, H2, T0, T1, T2) addi DATA, DATA, 64 bdnz L4B_loop C Moving carry vsrd TMP, H1, D44 vaddudm H2, H2, TMP vsrd TMP2, H2, D40 vsrd TMP2, TMP2, D2 vsld TMP, TMP2, D2 vand H1, H1, MASK44 vaddudm TMP2, TMP2, TMP vaddudm H0, H0, TMP2 vsrd TMP, H0, D44 vaddudm H1, H1, TMP vand H2, H2, MASK42L vand H0, H0, MASK44 C Convert state of radix 2^44 to 2^64 vsld TMP, H1, D44 vor H0, H0, TMP vsrd H1, H1, D20 vsld TMP2, H2, D24 vor H1, H1, TMP2 vsrd H2, H2, D40 xxswapd VSR(H0), VSR(H0) xxswapd VSR(H1), VSR(H1) xxswapd VSR(H2), VSR(H2) C Store state stxsd H0, 32(CTX) stxsd H1, 40(CTX) stxsd H2, 48(CTX) Ldata_r64: cmpldi BLOCKS, 0 beq Ldone mtctr BLOCKS mr r4, PADBYTE ld r6, P1305_H0 (CTX) ld r7, P1305_H1 (CTX) ld r8, P1305_H2 (CTX) L1B_loop: BLOCK_R64(CTX,DATA,r4,r6,v0) mfvsrld r6, VSR(v0) mfvsrld r7, VSR(v1) mfvsrd r8, VSR(v1) addi DATA, DATA, 16 bdnz L1B_loop std r6, P1305_H0 (CTX) std r7, P1305_H1 (CTX) std r8, P1305_H2 (CTX) Ldone: C Restore non-volatile vector registers ld r31, -8(SP) lxv VSR(v31),-32(SP) lxv VSR(v30),-48(SP) lxv VSR(v29),-64(SP) lxv VSR(v28),-80(SP) lxv VSR(v27),-96(SP) lxv VSR(v26),-112(SP) lxv VSR(v25),-128(SP) lxv VSR(v24),-144(SP) lxv VSR(v23),-160(SP) lxv VSR(v22),-176(SP) lxv VSR(v21),-192(SP) lxv VSR(v20),-208(SP) mr r3, DATA blr EPILOGUE(_nettle_poly1305_blocks) .rodata .align 4 .mask44: .quad 0x00000FFFFFFFFFFF,0x00000FFFFFFFFFFF .mask42l: .quad 0x0000000000000000,0x000003FFFFFFFFFF .d40: .quad 0x0000000000000028,0x0000000000000028 .d20: .quad 0x0000000000000014,0x0000000000000014 .d24: .quad 0x0000000000000018,0x0000000000000018 .d44: .quad 0x000000000000002C,0x000000000000002C nettle-4.0/powerpc64/p9/poly1305-internal.asm0000644000000000000000000000700015141166425015571 0ustar00C powerpc64/p9/poly1305-internal.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`powerpc64/p9/poly1305.m4') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Argments define(`CTX', `r3') define(`DATA', `r4') define(`PADBYTE', `r5') C Padding byte register .text C _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_set_key) li r9, 0 addis r5, TOCP, .key_mask@got@ha ld r5, .key_mask@got@l(r5) ld r8, 0(r5) ori r7, r8, 3 C Load R_0 and R_1 IF_LE(` ld r5, 0(r4) ld r6, 8(r4) ') IF_BE(` ldbrx r5, 0, r4 addi r4, r4, 8 ldbrx r6, 0, r4 ') and r5, r5, r7 C R_0 &= 0x0FFFFFFC0FFFFFFF and r6, r6, r8 C R_1 &= 0x0FFFFFFC0FFFFFFC srdi r10, r6, 2 sldi r7, r5, 2 sldi r8, r10, 2 add r7, r7, r5 add r8, r8, r10 C Store key std r5, P1305_R0 (r3) std r6, P1305_R1 (r3) std r7, P1305_S0 (r3) std r8, P1305_S1 (r3) C Reset state std r9, P1305_H0 (r3) std r9, P1305_H1 (r3) std r9, P1305_H2 (r3) blr EPILOGUE(_nettle_poly1305_set_key) C void _nettle_poly1305_block(struct poly1305_ctx *ctx, const uint8_t *m, unsigned m128) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_block) ld r6, P1305_H0 (CTX) ld r7, P1305_H1 (CTX) ld r8, P1305_H2 (CTX) BLOCK_R64(CTX,DATA,PADBYTE,r6,v0) li r10, P1305_H1 xxswapd VSR(v0), VSR(v0) xxswapd VSR(v1), VSR(v1) stxsd v0, P1305_H0 (CTX) stxvd2x VSR(v1), r10, CTX blr EPILOGUE(_nettle_poly1305_block) C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_digest) C Load current state ld r5, P1305_H0 (r3) ld r6, P1305_H1 (r3) ld r7, P1305_H2 (r3) C Fold high part of H2 li r10, 0 srdi r9, r7, 2 sldi r8, r9, 2 add r8, r8, r9 andi. r7, r7, 3 addc r5, r5, r8 adde r6, r6, r10 adde r7, r7, r10 C Add 5 to state, save result if it carries li r8, 5 li r9, 0 li r10, -4 addc r8, r8, r5 adde r9, r9, r6 adde. r10, r10, r7 iseleq r5, r8, r5 iseleq r6, r9, r6 C Load digest IF_LE(` ld r7, 0(r4) ld r8, 8(r4) ') IF_BE(` li r10, 8 ldbrx r7, 0, r4 ldbrx r8, r10, r4 ') C Add hash to digest addc r5, r5, r7 adde r6, r6, r8 C Store digest IF_LE(` std r5, 0(r4) std r6, 8(r4) ') IF_BE(` stdbrx r5, 0, r4 stdbrx r6, r10, r4 ') C Reset hash li r9, 0 std r9, P1305_H0 (r3) std r9, P1305_H1 (r3) std r9, P1305_H2 (r3) blr EPILOGUE(_nettle_poly1305_digest) .rodata .align 3 .key_mask: .quad 0x0FFFFFFC0FFFFFFC nettle-4.0/powerpc64/p9/poly1305.m40000644000000000000000000000503215141166425013522 0ustar00C Threshold of processing multiple blocks in parallel C of a multiple of 4 define(`POLY1305_BLOCK_THRESHOLD', `12') C DEFINES_BLOCK_R64(GPR0, VR0) define(`DEFINES_BLOCK_R64', ` define(`H0', `$1') define(`H1', `INC_GPR($1,1)') define(`H2', `INC_GPR($1,2)') define(`T0', `INC_GPR($1,3)') define(`T1', `INC_GPR($1,4)') define(`T2', `H2') define(`T2A', `INC_GPR($1,3)') define(`T2S', `INC_GPR($1,4)') define(`RZ', `H0') define(`IDX', `INC_GPR($1,4)') define(`F0', `$2') define(`F1', `INC_VR($2,1)') define(`ZERO', `INC_VR($2,2)') define(`F0S', `INC_VR($2,3)') define(`F11', `INC_VR($2,4)') define(`T', `INC_VR($2,5)') define(`R', `INC_VR($2,6)') define(`S', `INC_VR($2,7)') define(`T00', `INC_VR($2,8)') define(`T10', `INC_VR($2,9)') define(`T11', `INC_VR($2,10)') define(`MU0', `INC_VR($2,11)') define(`MU1', `INC_VR($2,12)') ') C CTX is the address of context where key and pre-computed values are stored C DATA is the address of input block C PADBYTE is padding byte for input block C GPR0 is the starting register of sequential general-purpose registers C used in the macro of following layout C GPR0, GPR1, GPR2 are inputs representing the previous state radix 2^64 C GPR3, GPR4 are temporary registers C VR0 is the starting register of sequential vector resigers used in C the macro of following layout C VR0, VR1 are outputs representing the result state radix 2^64 sorted as follows C (low 64-bit of VR0) + (low 64-bit of VR1) + (high 64-bit of VR1) C VR2..VR12 are temporary registers C BLOCK_R64(CTX, DATA, PADBYTE, GPR0, VR0) define(`BLOCK_R64', ` DEFINES_BLOCK_R64($4,$5) C Load 128-bit input block IF_LE(` ld T0, 0($2) ld T1, 8($2) ') IF_BE(` li IDX, 8 ldbrx T1, IDX, $2 ldbrx T0, 0, $2 ') C Combine state with input block, latter is padded to 17-bytes C by low-order byte of PADBYTE register addc T0, T0, H0 adde T1, T1, H1 adde T2, $3, H2 mtvsrdd VSR(T), T0, T1 C Load key and pre-computed values li IDX, 16 lxvd2x VSR(R), 0, $1 lxvd2x VSR(S), IDX, $1 andi. T2A, T2, 3 srdi T2S, T2, 2 li RZ, 0 vxor ZERO, ZERO, ZERO xxpermdi VSR(MU0), VSR(R), VSR(S), 0b01 xxswapd VSR(MU1), VSR(R) mtvsrdd VSR(T11), 0, T2A mtvsrdd VSR(T00), T2S, RZ mtvsrdd VSR(T10), 0, T2 C Multiply key by combined state and block vmsumudm F0, T, MU0, ZERO vmsumudm F1, T, MU1, ZERO vmsumudm F11, T11, MU1, ZERO vmsumudm F0, T00, S, F0 vmsumudm F1, T10, MU0, F1 C Product addition xxmrgld VSR(F11), VSR(F11), VSR(ZERO) vadduqm F1, F1, F11 xxmrghd VSR(F0S), VSR(ZERO), VSR(F0) vadduqm F1, F1, F0S ') nettle-4.0/pss-mgf1.c0000644000000000000000000000357615141166424011416 0ustar00/* pss-mgf1.c PKCS#1 mask generation function 1, used in RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pss-mgf1.h" #include #include #include "nettle-internal.h" #include "macros.h" void pss_mgf1(const void *seed, const struct nettle_hash *hash, size_t length, uint8_t *mask) { TMP_DECL(h, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t i; uint8_t c[4]; TMP_ALLOC(h, hash->digest_size); TMP_ALLOC_ALIGN(state, hash->context_size); for (i = 0; length > 0; i++, mask += hash->digest_size, length -= hash->digest_size) { WRITE_UINT32(c, i); memcpy(state, seed, hash->context_size); hash->update(state, 4, c); if (length < hash->digest_size) { hash->digest(state, h); memcpy(mask, h, length); return; } hash->digest(state, mask); } } nettle-4.0/pss-mgf1.h0000644000000000000000000000271115141166424011411 0ustar00/* pss-mgf1.h PKCS#1 mask generation function 1, used in RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PSS_MGF1_H_INCLUDED #define NETTLE_PSS_MGF1_H_INCLUDED #include "nettle-meta.h" #include "sha1.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pss_mgf1 nettle_pss_mgf1 void pss_mgf1(const void *seed, const struct nettle_hash *hash, size_t length, uint8_t *mask); #ifdef __cplusplus } #endif #endif /* NETTLE_PSS_MGF1_H_INCLUDED */ nettle-4.0/pss.c0000644000000000000000000001237315141166424010561 0ustar00/* pss.c PKCS#1 RSA-PSS padding (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "pss.h" #include "pss-mgf1.h" #include "bignum.h" #include "gmp-glue.h" #include "memxor.h" #include "nettle-internal.h" /* Masks to clear the leftmost N bits. */ static const uint8_t pss_masks[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0xF, 0x7, 0x3, 0x1 }; static const uint8_t pss_pad[8] = {0, 0, 0, 0, 0, 0, 0, 0}; /* Format the PKCS#1 PSS padding for given salt and digest, using * pss_mgf1() as the mask generation function. * * The encoded messsage is stored in M, and the consistency can be * checked with pss_verify_mgf1(), which takes the encoded message, * the length of salt, and the digest. */ int pss_encode_mgf1(mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, const uint8_t *digest) { TMP_GMP_DECL(em, uint8_t); TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t key_size = (bits + 7) / 8; size_t j; TMP_GMP_ALLOC(em, key_size); TMP_ALLOC_ALIGN(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) { TMP_GMP_FREE(em); return 0; } /* Compute M'. */ hash->init(state); hash->update(state, sizeof(pss_pad), pss_pad); hash->update(state, hash->digest_size, digest); hash->update(state, salt_length, salt); /* Store H in EM, right after maskedDB. */ hash->digest(state, em + key_size - hash->digest_size - 1); /* Compute dbMask. */ hash->init(state); hash->update(state, hash->digest_size, em + key_size - hash->digest_size - 1); pss_mgf1(state, hash, key_size - hash->digest_size - 1, em); /* Compute maskedDB and store it in front of H in EM. */ j = key_size - salt_length - hash->digest_size - 2; em[j++] ^= 1; memxor(em + j, salt, salt_length); j += salt_length; /* Store the trailer field following H. */ j += hash->digest_size; em[j] = 0xbc; /* Clear the leftmost 8 * emLen - emBits of the leftmost octet in EM. */ *em &= pss_masks[(8 * key_size - bits)]; nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } /* Check the consistency of given PKCS#1 PSS encoded message, created * with pss_encode_mgf1(). * * Returns 1 if the encoded message is consistent, 0 if it is * inconsistent. */ int pss_verify_mgf1(const mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *digest) { TMP_GMP_DECL(em, uint8_t); TMP_DECL(h2, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); uint8_t *h, *db, *salt; size_t key_size = (bits + 7) / 8; size_t j; int ret = 0; /* Allocate twice the key size to store the intermediate data DB * following the EM value. */ TMP_GMP_ALLOC(em, key_size * 2); TMP_ALLOC(h2, hash->digest_size); TMP_ALLOC_ALIGN(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) goto cleanup; if (mpz_sizeinbase(m, 2) > bits) goto cleanup; nettle_mpz_get_str_256(key_size, em, m); /* Check the trailer field. */ if (em[key_size - 1] != 0xbc) goto cleanup; /* Extract H. */ h = em + (key_size - hash->digest_size - 1); /* The leftmost 8 * emLen - emBits bits of the leftmost octet of EM * must all equal to zero. Always true here, thanks to the above * check on the bit size of m. */ assert((*em & ~pss_masks[(8 * key_size - bits)]) == 0); /* Compute dbMask. */ hash->init(state); hash->update(state, hash->digest_size, h); db = em + key_size; pss_mgf1(state, hash, key_size - hash->digest_size - 1, db); /* Compute DB. */ memxor(db, em, key_size - hash->digest_size - 1); *db &= pss_masks[(8 * key_size - bits)]; for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++) if (db[j] != 0) goto cleanup; /* Check the octet right after PS is 0x1. */ if (db[j] != 0x1) goto cleanup; salt = db + j + 1; /* Compute H'. */ hash->init(state); hash->update(state, sizeof(pss_pad), pss_pad); hash->update(state, hash->digest_size, digest); hash->update(state, salt_length, salt); hash->digest(state, h2); /* Check if H' = H. */ if (memcmp(h2, h, hash->digest_size) != 0) goto cleanup; ret = 1; cleanup: TMP_GMP_FREE(em); return ret; } nettle-4.0/pss.h0000644000000000000000000000316015141166424010560 0ustar00/* pss.h PKCS#1 RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PSS_H_INCLUDED #define NETTLE_PSS_H_INCLUDED #include "nettle-meta.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pss_encode_mgf1 nettle_pss_encode_mgf1 #define pss_verify_mgf1 nettle_pss_verify_mgf1 int pss_encode_mgf1(mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, const uint8_t *digest); int pss_verify_mgf1(const mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_PSS_H_INCLUDED */ nettle-4.0/realloc.c0000644000000000000000000000320515141166424011367 0ustar00/* realloc.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "realloc.h" /* NOTE: Calling libc realloc with size == 0 is not required to totally free the object, it is allowed to return a valid pointer. */ void * nettle_realloc(void *ctx UNUSED, void *p, size_t length) { if (length > 0) return realloc(p, length); free(p); return NULL; } void * nettle_xrealloc(void *ctx UNUSED, void *p, size_t length) { if (length > 0) { void *n = realloc(p, length); if (!n) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return n; } free(p); return NULL; } nettle-4.0/realloc.h0000644000000000000000000000241715141166424011400 0ustar00/* realloc.h Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_REALLOC_H_INCLUDED #define NETTLE_REALLOC_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif nettle_realloc_func nettle_realloc; nettle_realloc_func nettle_xrealloc; #ifdef __cplusplus } #endif #endif /* NETTLE_REALLOC_H_INCLUDED */ nettle-4.0/ripemd160-compress.c0000644000000000000000000002136315141166424013313 0ustar00/* ripemd160-compress.c RIPE-MD160 (Transform function) Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Ported from libgcrypt by Andres Mejia */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ripemd160.h" #include "ripemd160-internal.h" #include "macros.h" /**************** * Transform the message X which consists of 16 32-bit-words */ void _nettle_ripemd160_compress(uint32_t *state, const uint8_t *data) { register uint32_t a,b,c,d,e; uint32_t aa,bb,cc,dd,ee,t; uint32_t x[16]; #ifdef WORDS_BIGENDIAN { int i; for (i=0; i < 16; i++, data += 4 ) x[i] = LE_READ_UINT32(data); } #else /* memcpy seems a bit faster. Benchmarked on Intel SU4100, it makes the entire update function roughly 6% faster. */ memcpy(x, data, sizeof(x)); #endif #define K0 0x00000000 #define K1 0x5A827999 #define K2 0x6ED9EBA1 #define K3 0x8F1BBCDC #define K4 0xA953FD4E #define KK0 0x50A28BE6 #define KK1 0x5C4DD124 #define KK2 0x6D703EF3 #define KK3 0x7A6D76E9 #define KK4 0x00000000 #define F0(x,y,z) ( (x) ^ (y) ^ (z) ) #define F1(x,y,z) ( ((x) & (y)) | (~(x) & (z)) ) #define F2(x,y,z) ( ((x) | ~(y)) ^ (z) ) #define F3(x,y,z) ( ((x) & (z)) | ((y) & ~(z)) ) #define F4(x,y,z) ( (x) ^ ((y) | ~(z)) ) #define R(a,b,c,d,e,f,k,r,s) do { t = a + f(b,c,d) + k + x[r]; \ a = ROTL32(s,t) + e; \ c = ROTL32(10,c); \ } while(0) /* left lane */ a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; R( a, b, c, d, e, F0, K0, 0, 11 ); R( e, a, b, c, d, F0, K0, 1, 14 ); R( d, e, a, b, c, F0, K0, 2, 15 ); R( c, d, e, a, b, F0, K0, 3, 12 ); R( b, c, d, e, a, F0, K0, 4, 5 ); R( a, b, c, d, e, F0, K0, 5, 8 ); R( e, a, b, c, d, F0, K0, 6, 7 ); R( d, e, a, b, c, F0, K0, 7, 9 ); R( c, d, e, a, b, F0, K0, 8, 11 ); R( b, c, d, e, a, F0, K0, 9, 13 ); R( a, b, c, d, e, F0, K0, 10, 14 ); R( e, a, b, c, d, F0, K0, 11, 15 ); R( d, e, a, b, c, F0, K0, 12, 6 ); R( c, d, e, a, b, F0, K0, 13, 7 ); R( b, c, d, e, a, F0, K0, 14, 9 ); R( a, b, c, d, e, F0, K0, 15, 8 ); R( e, a, b, c, d, F1, K1, 7, 7 ); R( d, e, a, b, c, F1, K1, 4, 6 ); R( c, d, e, a, b, F1, K1, 13, 8 ); R( b, c, d, e, a, F1, K1, 1, 13 ); R( a, b, c, d, e, F1, K1, 10, 11 ); R( e, a, b, c, d, F1, K1, 6, 9 ); R( d, e, a, b, c, F1, K1, 15, 7 ); R( c, d, e, a, b, F1, K1, 3, 15 ); R( b, c, d, e, a, F1, K1, 12, 7 ); R( a, b, c, d, e, F1, K1, 0, 12 ); R( e, a, b, c, d, F1, K1, 9, 15 ); R( d, e, a, b, c, F1, K1, 5, 9 ); R( c, d, e, a, b, F1, K1, 2, 11 ); R( b, c, d, e, a, F1, K1, 14, 7 ); R( a, b, c, d, e, F1, K1, 11, 13 ); R( e, a, b, c, d, F1, K1, 8, 12 ); R( d, e, a, b, c, F2, K2, 3, 11 ); R( c, d, e, a, b, F2, K2, 10, 13 ); R( b, c, d, e, a, F2, K2, 14, 6 ); R( a, b, c, d, e, F2, K2, 4, 7 ); R( e, a, b, c, d, F2, K2, 9, 14 ); R( d, e, a, b, c, F2, K2, 15, 9 ); R( c, d, e, a, b, F2, K2, 8, 13 ); R( b, c, d, e, a, F2, K2, 1, 15 ); R( a, b, c, d, e, F2, K2, 2, 14 ); R( e, a, b, c, d, F2, K2, 7, 8 ); R( d, e, a, b, c, F2, K2, 0, 13 ); R( c, d, e, a, b, F2, K2, 6, 6 ); R( b, c, d, e, a, F2, K2, 13, 5 ); R( a, b, c, d, e, F2, K2, 11, 12 ); R( e, a, b, c, d, F2, K2, 5, 7 ); R( d, e, a, b, c, F2, K2, 12, 5 ); R( c, d, e, a, b, F3, K3, 1, 11 ); R( b, c, d, e, a, F3, K3, 9, 12 ); R( a, b, c, d, e, F3, K3, 11, 14 ); R( e, a, b, c, d, F3, K3, 10, 15 ); R( d, e, a, b, c, F3, K3, 0, 14 ); R( c, d, e, a, b, F3, K3, 8, 15 ); R( b, c, d, e, a, F3, K3, 12, 9 ); R( a, b, c, d, e, F3, K3, 4, 8 ); R( e, a, b, c, d, F3, K3, 13, 9 ); R( d, e, a, b, c, F3, K3, 3, 14 ); R( c, d, e, a, b, F3, K3, 7, 5 ); R( b, c, d, e, a, F3, K3, 15, 6 ); R( a, b, c, d, e, F3, K3, 14, 8 ); R( e, a, b, c, d, F3, K3, 5, 6 ); R( d, e, a, b, c, F3, K3, 6, 5 ); R( c, d, e, a, b, F3, K3, 2, 12 ); R( b, c, d, e, a, F4, K4, 4, 9 ); R( a, b, c, d, e, F4, K4, 0, 15 ); R( e, a, b, c, d, F4, K4, 5, 5 ); R( d, e, a, b, c, F4, K4, 9, 11 ); R( c, d, e, a, b, F4, K4, 7, 6 ); R( b, c, d, e, a, F4, K4, 12, 8 ); R( a, b, c, d, e, F4, K4, 2, 13 ); R( e, a, b, c, d, F4, K4, 10, 12 ); R( d, e, a, b, c, F4, K4, 14, 5 ); R( c, d, e, a, b, F4, K4, 1, 12 ); R( b, c, d, e, a, F4, K4, 3, 13 ); R( a, b, c, d, e, F4, K4, 8, 14 ); R( e, a, b, c, d, F4, K4, 11, 11 ); R( d, e, a, b, c, F4, K4, 6, 8 ); R( c, d, e, a, b, F4, K4, 15, 5 ); R( b, c, d, e, a, F4, K4, 13, 6 ); aa = a; bb = b; cc = c; dd = d; ee = e; /* right lane */ a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; R( a, b, c, d, e, F4, KK0, 5, 8); R( e, a, b, c, d, F4, KK0, 14, 9); R( d, e, a, b, c, F4, KK0, 7, 9); R( c, d, e, a, b, F4, KK0, 0, 11); R( b, c, d, e, a, F4, KK0, 9, 13); R( a, b, c, d, e, F4, KK0, 2, 15); R( e, a, b, c, d, F4, KK0, 11, 15); R( d, e, a, b, c, F4, KK0, 4, 5); R( c, d, e, a, b, F4, KK0, 13, 7); R( b, c, d, e, a, F4, KK0, 6, 7); R( a, b, c, d, e, F4, KK0, 15, 8); R( e, a, b, c, d, F4, KK0, 8, 11); R( d, e, a, b, c, F4, KK0, 1, 14); R( c, d, e, a, b, F4, KK0, 10, 14); R( b, c, d, e, a, F4, KK0, 3, 12); R( a, b, c, d, e, F4, KK0, 12, 6); R( e, a, b, c, d, F3, KK1, 6, 9); R( d, e, a, b, c, F3, KK1, 11, 13); R( c, d, e, a, b, F3, KK1, 3, 15); R( b, c, d, e, a, F3, KK1, 7, 7); R( a, b, c, d, e, F3, KK1, 0, 12); R( e, a, b, c, d, F3, KK1, 13, 8); R( d, e, a, b, c, F3, KK1, 5, 9); R( c, d, e, a, b, F3, KK1, 10, 11); R( b, c, d, e, a, F3, KK1, 14, 7); R( a, b, c, d, e, F3, KK1, 15, 7); R( e, a, b, c, d, F3, KK1, 8, 12); R( d, e, a, b, c, F3, KK1, 12, 7); R( c, d, e, a, b, F3, KK1, 4, 6); R( b, c, d, e, a, F3, KK1, 9, 15); R( a, b, c, d, e, F3, KK1, 1, 13); R( e, a, b, c, d, F3, KK1, 2, 11); R( d, e, a, b, c, F2, KK2, 15, 9); R( c, d, e, a, b, F2, KK2, 5, 7); R( b, c, d, e, a, F2, KK2, 1, 15); R( a, b, c, d, e, F2, KK2, 3, 11); R( e, a, b, c, d, F2, KK2, 7, 8); R( d, e, a, b, c, F2, KK2, 14, 6); R( c, d, e, a, b, F2, KK2, 6, 6); R( b, c, d, e, a, F2, KK2, 9, 14); R( a, b, c, d, e, F2, KK2, 11, 12); R( e, a, b, c, d, F2, KK2, 8, 13); R( d, e, a, b, c, F2, KK2, 12, 5); R( c, d, e, a, b, F2, KK2, 2, 14); R( b, c, d, e, a, F2, KK2, 10, 13); R( a, b, c, d, e, F2, KK2, 0, 13); R( e, a, b, c, d, F2, KK2, 4, 7); R( d, e, a, b, c, F2, KK2, 13, 5); R( c, d, e, a, b, F1, KK3, 8, 15); R( b, c, d, e, a, F1, KK3, 6, 5); R( a, b, c, d, e, F1, KK3, 4, 8); R( e, a, b, c, d, F1, KK3, 1, 11); R( d, e, a, b, c, F1, KK3, 3, 14); R( c, d, e, a, b, F1, KK3, 11, 14); R( b, c, d, e, a, F1, KK3, 15, 6); R( a, b, c, d, e, F1, KK3, 0, 14); R( e, a, b, c, d, F1, KK3, 5, 6); R( d, e, a, b, c, F1, KK3, 12, 9); R( c, d, e, a, b, F1, KK3, 2, 12); R( b, c, d, e, a, F1, KK3, 13, 9); R( a, b, c, d, e, F1, KK3, 9, 12); R( e, a, b, c, d, F1, KK3, 7, 5); R( d, e, a, b, c, F1, KK3, 10, 15); R( c, d, e, a, b, F1, KK3, 14, 8); R( b, c, d, e, a, F0, KK4, 12, 8); R( a, b, c, d, e, F0, KK4, 15, 5); R( e, a, b, c, d, F0, KK4, 10, 12); R( d, e, a, b, c, F0, KK4, 4, 9); R( c, d, e, a, b, F0, KK4, 1, 12); R( b, c, d, e, a, F0, KK4, 5, 5); R( a, b, c, d, e, F0, KK4, 8, 14); R( e, a, b, c, d, F0, KK4, 7, 6); R( d, e, a, b, c, F0, KK4, 6, 8); R( c, d, e, a, b, F0, KK4, 2, 13); R( b, c, d, e, a, F0, KK4, 13, 6); R( a, b, c, d, e, F0, KK4, 14, 5); R( e, a, b, c, d, F0, KK4, 0, 15); R( d, e, a, b, c, F0, KK4, 3, 13); R( c, d, e, a, b, F0, KK4, 9, 11); R( b, c, d, e, a, F0, KK4, 11, 11); t = state[1] + d + cc; state[1] = state[2] + e + dd; state[2] = state[3] + a + ee; state[3] = state[4] + b + aa; state[4] = state[0] + c + bb; state[0] = t; } nettle-4.0/ripemd160-internal.h0000644000000000000000000000257715141166424013307 0ustar00/* ripemd160-internal.h RIPEMD-160 hash function. Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RIPEMD160_INTERNAL_H_INCLUDED #define NETTLE_RIPEMD160_INTERNAL_H_INCLUDED /* Internal compression function. STATE points to 5 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void _nettle_ripemd160_compress(uint32_t *state, const uint8_t *data); #endif /* NETTLE_RIPEMD160_INTERNAL_H_INCLUDED */ nettle-4.0/ripemd160-meta.c0000644000000000000000000000225715141166424012407 0ustar00/* ripemd160-meta.c Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "ripemd160.h" const struct nettle_hash nettle_ripemd160 = _NETTLE_HASH(ripemd160, RIPEMD160); nettle-4.0/ripemd160.c0000644000000000000000000001605215141166424011461 0ustar00/* ripemd160.c RIPE-MD160 Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ripemd160.h" #include "ripemd160-internal.h" #include "macros.h" #include "nettle-write.h" /********************************* * RIPEMD-160 is not patented, see (as of 2011-08-28) * http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html * Note that the code uses Little Endian byteorder, which is good for * 386 etc, but we must add some conversion when used on a big endian box. * * * Pseudo-code for RIPEMD-160 * * RIPEMD-160 is an iterative hash function that operates on 32-bit words. * The round function takes as input a 5-word chaining variable and a 16-word * message block and maps this to a new chaining variable. All operations are * defined on 32-bit words. Padding is identical to that of MD4. * * * RIPEMD-160: definitions * * * nonlinear functions at bit level: exor, mux, -, mux, - * * f(j, x, y, z) = x XOR y XOR z (0 <= j <= 15) * f(j, x, y, z) = (x AND y) OR (NOT(x) AND z) (16 <= j <= 31) * f(j, x, y, z) = (x OR NOT(y)) XOR z (32 <= j <= 47) * f(j, x, y, z) = (x AND z) OR (y AND NOT(z)) (48 <= j <= 63) * f(j, x, y, z) = x XOR (y OR NOT(z)) (64 <= j <= 79) * * * added constants (hexadecimal) * * K(j) = 0x00000000 (0 <= j <= 15) * K(j) = 0x5A827999 (16 <= j <= 31) int(2**30 x sqrt(2)) * K(j) = 0x6ED9EBA1 (32 <= j <= 47) int(2**30 x sqrt(3)) * K(j) = 0x8F1BBCDC (48 <= j <= 63) int(2**30 x sqrt(5)) * K(j) = 0xA953FD4E (64 <= j <= 79) int(2**30 x sqrt(7)) * K'(j) = 0x50A28BE6 (0 <= j <= 15) int(2**30 x cbrt(2)) * K'(j) = 0x5C4DD124 (16 <= j <= 31) int(2**30 x cbrt(3)) * K'(j) = 0x6D703EF3 (32 <= j <= 47) int(2**30 x cbrt(5)) * K'(j) = 0x7A6D76E9 (48 <= j <= 63) int(2**30 x cbrt(7)) * K'(j) = 0x00000000 (64 <= j <= 79) * * * selection of message word * * r(j) = j (0 <= j <= 15) * r(16..31) = 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8 * r(32..47) = 3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12 * r(48..63) = 1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2 * r(64..79) = 4, 0, 5, 9, 7, 12, 2, 10, 14, 1, 3, 8, 11, 6, 15, 13 * r0(0..15) = 5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12 * r0(16..31)= 6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2 * r0(32..47)= 15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13 * r0(48..63)= 8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14 * r0(64..79)= 12, 15, 10, 4, 1, 5, 8, 7, 6, 2, 13, 14, 0, 3, 9, 11 * * * amount for rotate left (rol) * * s(0..15) = 11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8 * s(16..31) = 7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12 * s(32..47) = 11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5 * s(48..63) = 11, 12, 14, 15, 14, 15, 9, 8, 9, 14, 5, 6, 8, 6, 5, 12 * s(64..79) = 9, 15, 5, 11, 6, 8, 13, 12, 5, 12, 13, 14, 11, 8, 5, 6 * s'(0..15) = 8, 9, 9, 11, 13, 15, 15, 5, 7, 7, 8, 11, 14, 14, 12, 6 * s'(16..31)= 9, 13, 15, 7, 12, 8, 9, 11, 7, 7, 12, 7, 6, 15, 13, 11 * s'(32..47)= 9, 7, 15, 11, 8, 6, 6, 14, 12, 13, 5, 14, 13, 13, 7, 5 * s'(48..63)= 15, 5, 8, 11, 14, 14, 6, 14, 6, 9, 12, 9, 12, 5, 15, 8 * s'(64..79)= 8, 5, 12, 9, 12, 5, 14, 6, 8, 13, 6, 5, 15, 13, 11, 11 * * * initial value (hexadecimal) * * h0 = 0x67452301; h1 = 0xEFCDAB89; h2 = 0x98BADCFE; h3 = 0x10325476; * h4 = 0xC3D2E1F0; * * * RIPEMD-160: pseudo-code * * It is assumed that the message after padding consists of t 16-word blocks * that will be denoted with X[i][j], with 0 <= i <= t-1 and 0 <= j <= 15. * The symbol [+] denotes addition modulo 2**32 and rol_s denotes cyclic left * shift (rotate) over s positions. * * * for i := 0 to t-1 { * A := h0; B := h1; C := h2; D = h3; E = h4; * A' := h0; B' := h1; C' := h2; D' = h3; E' = h4; * for j := 0 to 79 { * T := rol_s(j)(A [+] f(j, B, C, D) [+] X[i][r(j)] [+] K(j)) [+] E; * A := E; E := D; D := rol_10(C); C := B; B := T; * T := rol_s'(j)(A' [+] f(79-j, B', C', D') [+] X[i][r'(j)] [+] K'(j)) [+] E'; * A' := E'; E' := D'; D' := rol_10(C'); C' := B'; B' := T; * } * T := h1 [+] C [+] D'; h1 := h2 [+] D [+] E'; h2 := h3 [+] E [+] A'; * h3 := h4 [+] A [+] B'; h4 := h0 [+] B [+] C'; h0 := T; * } */ /* Some examples: * "" 9c1185a5c5e9fc54612808977ee8f548b2258d31 * "a" 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe * "abc" 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc * "message digest" 5d0689ef49d2fae572b881b123a85ffa21595f36 * "a...z" f71c27109c692c1b56bbdceb5b9d2865b3708dbc * "abcdbcde...nopq" 12a053384a9c0c88e405a06c27dcf49ada62eb2b * "A...Za...z0...9" b0e20b6e3116640286ed3a87a5713079b21f5189 * 8 times "1234567890" 9b752e45573d4b39f4dbd3323cab82bf63326bfb * 1 million times "a" 52783243c1697bdbe16d37f97f68f08325dc1528 */ void ripemd160_init(struct ripemd160_ctx *ctx) { static const uint32_t iv[_RIPEMD160_DIGEST_LENGTH] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } #define COMPRESS(ctx, data) (_nettle_ripemd160_compress((ctx)->state, (data))) /* Update the message digest with the contents * of DATA with length LENGTH. */ void ripemd160_update(struct ripemd160_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } void ripemd160_digest(struct ripemd160_ctx *ctx, uint8_t *digest) { uint64_t bit_count; MD_PAD(ctx, 8, COMPRESS); /* There are 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); \ /* append the 64 bit count */ LE_WRITE_UINT64(ctx->block + 56, bit_count); _nettle_ripemd160_compress(ctx->state, ctx->block); _nettle_write_le32(RIPEMD160_DIGEST_SIZE, digest, ctx->state); ripemd160_init(ctx); } nettle-4.0/ripemd160.h0000644000000000000000000000370315141166424011465 0ustar00/* ripemd160.h RIPEMD-160 hash function. Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RIPEMD160_H_INCLUDED #define NETTLE_RIPEMD160_H_INCLUDED #ifdef __cplusplus extern "C" { #endif #include "nettle-types.h" /* Name mangling */ #define ripemd160_init nettle_ripemd160_init #define ripemd160_update nettle_ripemd160_update #define ripemd160_digest nettle_ripemd160_digest /* RIPEMD160 */ #define RIPEMD160_DIGEST_SIZE 20 #define RIPEMD160_BLOCK_SIZE 64 /* Digest is kept internally as 5 32-bit words. */ #define _RIPEMD160_DIGEST_LENGTH 5 struct ripemd160_ctx { uint32_t state[_RIPEMD160_DIGEST_LENGTH]; uint64_t count; /* 64-bit block count */ unsigned int index; uint8_t block[RIPEMD160_BLOCK_SIZE]; }; void ripemd160_init(struct ripemd160_ctx *ctx); void ripemd160_update(struct ripemd160_ctx *ctx, size_t length, const uint8_t *data); void ripemd160_digest(struct ripemd160_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_RIPEMD160_H_INCLUDED */ nettle-4.0/rotors.h0000644000000000000000000000620215141166424011303 0ustar00/* automagically made - do not fuss with this */ 34, 13, 5, 46, 47, 18, 32, 41, 11, 53, 33, 20, 14, 36, 30, 24, 49, 2, 15, 37, 42, 50, 0, 21, 38, 48, 6, 26, 39, 4, 52, 25, 12, 27, 31, 40, 1, 17, 28, 29, 23, 51, 35, 7, 3, 22, 9, 43, 41, 20, 12, 53, 54, 25, 39, 48, 18, 31, 40, 27, 21, 43, 37, 0, 1, 9, 22, 44, 49, 2, 7, 28, 45, 55, 13, 33, 46, 11, 6, 32, 19, 34, 38, 47, 8, 24, 35, 36, 30, 3, 42, 14, 10, 29, 16, 50, 55, 34, 26, 38, 11, 39, 53, 5, 32, 45, 54, 41, 35, 2, 51, 14, 15, 23, 36, 3, 8, 16, 21, 42, 6, 12, 27, 47, 31, 25, 20, 46, 33, 48, 52, 4, 22, 7, 49, 50, 44, 17, 1, 28, 24, 43, 30, 9, 12, 48, 40, 52, 25, 53, 38, 19, 46, 6, 11, 55, 49, 16, 10, 28, 29, 37, 50, 17, 22, 30, 35, 1, 20, 26, 41, 4, 45, 39, 34, 31, 47, 5, 13, 18, 36, 21, 8, 9, 3, 0, 15, 42, 7, 2, 44, 23, 26, 5, 54, 13, 39, 38, 52, 33, 31, 20, 25, 12, 8, 30, 24, 42, 43, 51, 9, 0, 36, 44, 49, 15, 34, 40, 55, 18, 6, 53, 48, 45, 4, 19, 27, 32, 50, 35, 22, 23, 17, 14, 29, 1, 21, 16, 3, 37, 40, 19, 11, 27, 53, 52, 13, 47, 45, 34, 39, 26, 22, 44, 7, 1, 2, 10, 23, 14, 50, 3, 8, 29, 48, 54, 12, 32, 20, 38, 5, 6, 18, 33, 41, 46, 9, 49, 36, 37, 0, 28, 43, 15, 35, 30, 17, 51, 54, 33, 25, 41, 38, 13, 27, 4, 6, 48, 53, 40, 36, 3, 21, 15, 16, 24, 37, 28, 9, 17, 22, 43, 5, 11, 26, 46, 34, 52, 19, 20, 32, 47, 55, 31, 23, 8, 50, 51, 14, 42, 2, 29, 49, 44, 0, 10, 11, 47, 39, 55, 52, 27, 41, 18, 20, 5, 38, 54, 50, 17, 35, 29, 30, 7, 51, 42, 23, 0, 36, 2, 19, 25, 40, 31, 48, 13, 33, 34, 46, 4, 12, 45, 37, 22, 9, 10, 28, 1, 16, 43, 8, 3, 14, 24, 18, 54, 46, 5, 6, 34, 48, 25, 27, 12, 45, 4, 2, 24, 42, 36, 37, 14, 3, 49, 30, 7, 43, 9, 26, 32, 47, 38, 55, 20, 40, 41, 53, 11, 19, 52, 44, 29, 16, 17, 35, 8, 23, 50, 15, 10, 21, 0, 32, 11, 31, 19, 20, 48, 5, 39, 41, 26, 6, 18, 16, 7, 1, 50, 51, 28, 17, 8, 44, 21, 2, 23, 40, 46, 4, 52, 12, 34, 54, 55, 38, 25, 33, 13, 3, 43, 30, 0, 49, 22, 37, 9, 29, 24, 35, 14, 46, 25, 45, 33, 34, 5, 19, 53, 55, 40, 20, 32, 30, 21, 15, 9, 10, 42, 0, 22, 3, 35, 16, 37, 54, 31, 18, 13, 26, 48, 11, 12, 52, 39, 47, 27, 17, 2, 44, 14, 8, 36, 51, 23, 43, 7, 49, 28, 31, 39, 6, 47, 48, 19, 33, 38, 12, 54, 34, 46, 44, 35, 29, 23, 24, 1, 14, 36, 17, 49, 30, 51, 11, 45, 32, 27, 40, 5, 25, 26, 13, 53, 4, 41, 0, 16, 3, 28, 22, 50, 10, 37, 2, 21, 8, 42, 45, 53, 20, 4, 5, 33, 47, 52, 26, 11, 48, 31, 3, 49, 43, 37, 7, 15, 28, 50, 0, 8, 44, 10, 25, 6, 46, 41, 54, 19, 39, 40, 27, 38, 18, 55, 14, 30, 17, 42, 36, 9, 24, 51, 16, 35, 22, 1, 6, 38, 34, 18, 19, 47, 4, 13, 40, 25, 5, 45, 17, 8, 2, 51, 21, 29, 42, 9, 14, 22, 3, 24, 39, 20, 31, 55, 11, 33, 53, 54, 41, 52, 32, 12, 28, 44, 0, 1, 50, 23, 7, 10, 30, 49, 36, 15, 20, 52, 48, 32, 33, 4, 18, 27, 54, 39, 19, 6, 0, 22, 16, 10, 35, 43, 1, 23, 28, 36, 17, 7, 53, 34, 45, 12, 25, 47, 38, 11, 55, 13, 46, 26, 42, 3, 14, 15, 9, 37, 21, 24, 44, 8, 50, 29, 27, 6, 55, 39, 40, 11, 25, 34, 4, 46, 26, 13, 7, 29, 23, 17, 42, 50, 8, 30, 35, 43, 24, 14, 31, 41, 52, 19, 32, 54, 45, 18, 5, 20, 53, 33, 49, 10, 21, 22, 16, 44, 28, 0, 51, 15, 2, 36, nettle-4.0/rsa-decrypt-tr.c0000644000000000000000000000412315141166424012626 0ustar00/* rsa-decrypt-tr.c RSA decryption, using randomized RSA blinding to be more resistant to timing attacks. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa-internal.h" #include "pkcs1-internal.h" #include "gmp-glue.h" int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t gibberish) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); mp_size_t key_limb_size; int res; /* First check that input is in range. */ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) return 0; key_limb_size = mpz_size(pub->n); TMP_GMP_ALLOC (m, key_limb_size); TMP_GMP_ALLOC (em, key->size); mpz_limbs_copy(m, gibberish, key_limb_size); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, key_limb_size); res &= _pkcs1_sec_decrypt_variable (length, message, key->size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } nettle-4.0/rsa-decrypt.c0000644000000000000000000000326615141166424012212 0ustar00/* rsa-decrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1.h" int rsa_decrypt(const struct rsa_private_key *key, size_t *length, uint8_t *message, const mpz_t gibberish) { mpz_t m; int res; mpz_init(m); /* First check that input is in range. Since we don't have the public key available here, we need to reconstruct n. */ mpz_mul (m, key->p, key->q); if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0) { mpz_clear (m); return 0; } rsa_compute_root(key, m, gibberish); res = pkcs1_decrypt (key->size, m, length, message); mpz_clear(m); return res; } nettle-4.0/rsa-encrypt.c0000644000000000000000000000304015141166424012212 0ustar00/* rsa-encrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t gibberish) { if (pkcs1_encrypt (key->size, random_ctx, random, length, message, gibberish)) { mpz_powm(gibberish, gibberish, key->e, key->n); return 1; } else return 0; } nettle-4.0/rsa-internal.h0000644000000000000000000000606515141166424012361 0ustar00/* rsa-internal.h The RSA publickey algorithm. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RSA_INTERNAL_H_INCLUDED #define NETTLE_RSA_INTERNAL_H_INCLUDED #include "rsa.h" #include "nettle-meta.h" #define _rsa_verify _nettle_rsa_verify #define _rsa_verify_recover _nettle_rsa_verify_recover #define _rsa_check_size _nettle_rsa_check_size #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root #define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr #define _rsa_oaep_encrypt _nettle_rsa_oaep_encrypt #define _rsa_oaep_decrypt _nettle_rsa_oaep_decrypt /* Internal functions. */ int _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s); int _rsa_verify_recover(const struct rsa_public_key *key, mpz_t m, const mpz_t s); size_t _rsa_check_size(mpz_t n); /* side-channel silent root computation */ mp_size_t _rsa_sec_compute_root_itch(const struct rsa_private_key *key); void _rsa_sec_compute_root(const struct rsa_private_key *key, mp_limb_t *rp, const mp_limb_t *mp, mp_limb_t *scratch); /* Safe side-channel silent variant, using RSA blinding, and checking the * result after CRT. In-place calls, with x == m, is allowed. */ int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m); int _rsa_oaep_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext); int _rsa_oaep_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */ nettle-4.0/rsa-keygen.c0000644000000000000000000001132215141166424012012 0ustar00/* rsa-keygen.c Generation of RSA keypairs Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #ifndef DEBUG # define DEBUG 0 #endif #if DEBUG # include #endif int rsa_generate_keypair(struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned n_size, unsigned e_size) { mpz_t p1; mpz_t q1; mpz_t phi; mpz_t tmp; if (e_size) { /* We should choose e randomly. Is the size reasonable? */ if ((e_size < 16) || (e_size >= n_size) ) return 0; } else { /* We have a fixed e. Check that it makes sense */ /* It must be odd */ if (!mpz_tstbit(pub->e, 0)) return 0; /* And 3 or larger */ if (mpz_cmp_ui(pub->e, 3) < 0) return 0; /* And size less than n */ if (mpz_sizeinbase(pub->e, 2) >= n_size) return 0; } if (n_size < RSA_MINIMUM_N_BITS) return 0; mpz_init(p1); mpz_init(q1); mpz_init(phi); mpz_init(tmp); /* Generate primes */ for (;;) { /* Generate p, such that gcd(p-1, e) = 1 */ for (;;) { nettle_random_prime(key->p, (n_size+1)/2, 1, random_ctx, random, progress_ctx, progress); mpz_sub_ui(p1, key->p, 1); /* If e was given, we must choose p such that p-1 has no factors in * common with e. */ if (e_size) break; mpz_gcd(tmp, pub->e, p1); if (mpz_cmp_ui(tmp, 1) == 0) break; else if (progress) progress(progress_ctx, 'c'); } if (progress) progress(progress_ctx, '\n'); /* Generate q, such that gcd(q-1, e) = 1 */ for (;;) { nettle_random_prime(key->q, n_size/2, 1, random_ctx, random, progress_ctx, progress); mpz_sub_ui(q1, key->q, 1); /* If e was given, we must choose q such that q-1 has no factors in * common with e. */ if (e_size) break; mpz_gcd(tmp, pub->e, q1); if (mpz_cmp_ui(tmp, 1) == 0) break; else if (progress) progress(progress_ctx, 'c'); } /* Now we have the primes. Is the product of the right size? */ mpz_mul(pub->n, key->p, key->q); assert (mpz_sizeinbase(pub->n, 2) == n_size); if (progress) progress(progress_ctx, '\n'); /* c = q^{-1} (mod p) */ if (mpz_invert(key->c, key->q, key->p)) /* This should succeed everytime. But if it doesn't, * we try again. */ break; else if (progress) progress(progress_ctx, '?'); } mpz_mul(phi, p1, q1); /* If we didn't have a given e, generate one now. */ if (e_size) { int retried = 0; for (;;) { nettle_mpz_random_size(pub->e, random_ctx, random, e_size); /* Make sure it's odd and that the most significant bit is * set */ mpz_setbit(pub->e, 0); mpz_setbit(pub->e, e_size - 1); /* Needs gmp-3, or inverse might be negative. */ if (mpz_invert(key->d, pub->e, phi)) break; if (progress) progress(progress_ctx, 'e'); retried = 1; } if (retried && progress) progress(progress_ctx, '\n'); } else { /* Must always succeed, as we already that e * doesn't have any common factor with p-1 or q-1. */ int res = mpz_invert(key->d, pub->e, phi); assert(res); } /* Done! Almost, we must compute the auxillary private values. */ /* a = d % (p-1) */ mpz_fdiv_r(key->a, key->d, p1); /* b = d % (q-1) */ mpz_fdiv_r(key->b, key->d, q1); /* c was computed earlier */ pub->size = key->size = (n_size + 7) / 8; assert(pub->size >= RSA_MINIMUM_N_OCTETS); mpz_clear(p1); mpz_clear(q1); mpz_clear(phi); mpz_clear(tmp); return 1; } nettle-4.0/rsa-md5-sign-tr.c0000644000000000000000000000372315141166424012604 0ustar00/* rsa-md5-sign-tr.c Signatures using RSA and MD5. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_md5_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-4.0/rsa-md5-sign.c0000644000000000000000000000337115141166424012160 0ustar00/* rsa-md5-sign.c Signatures using RSA and MD5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_sign(const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t s) { if (pkcs1_rsa_md5_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_md5_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_md5_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-4.0/rsa-md5-verify.c0000644000000000000000000000337415141166424012527 0ustar00/* rsa-md5-verify.c Verifying signatures created with RSA and MD5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_verify(const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_md5_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_md5_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-4.0/rsa-oaep-decrypt.c0000644000000000000000000000714515141166424013134 0ustar00/* rsa-oaep-decrypt.c The RSA publickey algorithm. OAEP decryption. Copyright (C) 2021-2024 Nicolas Mora Copyright (C) 2024 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "rsa.h" #include "gmp-glue.h" #include "nettle-internal.h" #include "oaep.h" #include "rsa-internal.h" int _rsa_oaep_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); int res; TMP_GMP_ALLOC (m, mpz_size (pub->n)); TMP_GMP_ALLOC (em, key->size); mpn_set_base256 (m, mpz_size (pub->n), ciphertext, pub->size); /* Check that input is in range. */ if (mpn_cmp (m, mpz_limbs_read (pub->n), mpz_size (pub->n)) >= 0) { TMP_GMP_FREE (em); TMP_GMP_FREE (m); return 0; } res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, mpz_size (pub->n)); res &= _oaep_decode_mgf1 (em, key->size, hash_ctx, hash, label_length, label, length, message); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } int rsa_oaep_sha256_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha256_ctx ctx; sha256_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha256, label_length, label, length, message, ciphertext); } int rsa_oaep_sha384_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha384_ctx ctx; sha384_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha384, label_length, label, length, message, ciphertext); } int rsa_oaep_sha512_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha512_ctx ctx; sha512_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha512, label_length, label, length, message, ciphertext); } nettle-4.0/rsa-oaep-encrypt.c0000644000000000000000000000627415141166424013150 0ustar00/* rsa-oaep-encrypt.c The RSA publickey algorithm. OAEP encryption. Copyright (C) 2021-2024 Nicolas Mora Copyright (C) 2024 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "rsa.h" #include "nettle-internal.h" #include "oaep.h" #include "rsa-internal.h" int _rsa_oaep_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { mpz_t gibberish; mpz_init (gibberish); if (_oaep_encode_mgf1 (gibberish, key->size, random_ctx, random, hash_ctx, hash, label_length, label, length, message)) { mpz_powm (gibberish, gibberish, key->e, key->n); nettle_mpz_get_str_256 (key->size, ciphertext, gibberish); mpz_clear (gibberish); return 1; } mpz_clear (gibberish); return 0; } int rsa_oaep_sha256_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha256_ctx ctx; sha256_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha256, label_length, label, length, message, ciphertext); } int rsa_oaep_sha384_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha384_ctx ctx; sha384_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha384, label_length, label, length, message, ciphertext); } int rsa_oaep_sha512_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha512_ctx ctx; sha512_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha512, label_length, label, length, message, ciphertext); } nettle-4.0/rsa-pkcs1-sign-tr.c0000644000000000000000000000324215141166424013134 0ustar00/* rsa-pkcs1-sign-tr.c Creating timing resistant RSA signatures. Copyright (C) 2012 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" /* Side-channel resistant version of rsa_pkcs1_sign() */ int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t s) { mpz_t m; int ret; mpz_init(m); ret = (pkcs1_rsa_digest_encode (m, key->size, length, digest_info) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear(m); return ret; } nettle-4.0/rsa-pkcs1-sign.c0000644000000000000000000000272215141166424012513 0ustar00/* rsa-pkcs1-sign.c PKCS#1 version 1.5 signatures. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s) { if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-4.0/rsa-pkcs1-verify.c0000644000000000000000000000267015141166424013061 0ustar00/* rsa-pkcs1-sign.c PKCS#1 version 1.5 signatures. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" int rsa_pkcs1_verify(const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t s) { int res; mpz_t m; mpz_init (m); res = (pkcs1_rsa_digest_encode (m, key->size, length, digest_info) && _rsa_verify (key, m, s)); mpz_clear(m); return res; } nettle-4.0/rsa-pss-sha256-sign-tr.c0000644000000000000000000000331015141166424013722 0ustar00/* rsa-pss-sha256-sign-tr.c Signatures using RSA and SHA-256, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha256, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-4.0/rsa-pss-sha256-verify.c0000644000000000000000000000311015141166424013641 0ustar00/* rsa-pss-sha256-verify.c Verifying signatures created with RSA and SHA-256, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha256, salt_length, digest)); mpz_clear (m); return res; } nettle-4.0/rsa-pss-sha512-sign-tr.c0000644000000000000000000000433415141166424013724 0ustar00/* rsa-pss-sha512-sign-tr.c Signatures using RSA and SHA-384/SHA-512, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha384, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha512, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-4.0/rsa-pss-sha512-verify.c0000644000000000000000000000371415141166424013646 0ustar00/* rsa-pss-sha512-verify.c Verifying signatures created with RSA and SHA-384/SHA-512, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha384, salt_length, digest)); mpz_clear (m); return res; } int rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha512, salt_length, digest)); mpz_clear (m); return res; } nettle-4.0/rsa-sec-compute-root.c0000644000000000000000000001335015141166424013740 0ustar00/* rsa-sec-compute-root.c Side-channel silent RSA root computation. Copyright (C) 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" #if !NETTLE_USE_MINI_GMP #define MAX(a, b) ((a) > (b) ? (a) : (b)) /* Like mpn_sec_mul_itch, monotonously increasing in operand sizes. */ static mp_size_t sec_mul_itch (mp_size_t an, mp_size_t bn) { if (an >= bn) return mpn_sec_mul_itch (an, bn); else return mpn_sec_mul_itch (bn, an); } /* Writes an + bn limbs to the rp area */ static void sec_mul (mp_limb_t *rp, const mp_limb_t *ap, mp_size_t an, const mp_limb_t *bp, mp_size_t bn, mp_limb_t *scratch) { if (an >= bn) mpn_sec_mul (rp, ap, an, bp, bn, scratch); else mpn_sec_mul (rp, bp, bn, ap, an, scratch); } static mp_size_t sec_mod_mul_itch (mp_size_t an, mp_size_t bn, mp_size_t mn) { mp_size_t mul_itch = sec_mul_itch (an, bn); mp_size_t mod_itch = mpn_sec_div_r_itch (an + bn, mn); return MAX(mul_itch, mod_itch); } /* Sets r <-- a b % m. Needs space for an + bn limbs at rp. It is required than an + bn >= mn. */ static void sec_mod_mul (mp_limb_t *rp, const mp_limb_t *ap, mp_size_t an, const mp_limb_t *bp, mp_size_t bn, const mp_limb_t *mp, mp_size_t mn, mp_limb_t *scratch) { assert (an + bn >= mn); sec_mul (rp, ap, an, bp, bn, scratch); mpn_sec_div_r (rp, an + bn, mp, mn, scratch); } static mp_size_t sec_powm_itch (mp_size_t bn, mp_size_t en, mp_size_t mn) { mp_size_t mod_itch = bn + mpn_sec_div_r_itch (bn, mn); mp_size_t pow_itch = mn + mpn_sec_powm_itch (mn, en * GMP_NUMB_BITS, mn); return MAX (mod_itch, pow_itch); } /* Sets r <-- b ^ e % m. Performs an initial reduction b mod m, and requires bn >= mn. */ static void sec_powm (mp_limb_t *rp, const mp_limb_t *bp, mp_size_t bn, const mp_limb_t *ep, mp_size_t en, const mp_limb_t *mp, mp_size_t mn, mp_limb_t *scratch) { assert (bn >= mn); assert (en <= mn); mpn_copyi (scratch, bp, bn); mpn_sec_div_r (scratch, bn, mp, mn, scratch + bn); mpn_sec_powm (rp, scratch, mn, ep, en * GMP_NUMB_BITS, mp, mn, scratch + mn); } mp_size_t _rsa_sec_compute_root_itch (const struct rsa_private_key *key) { mp_size_t nn = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (key->size); mp_size_t pn = mpz_size (key->p); mp_size_t qn = mpz_size (key->q); mp_size_t an = mpz_size (key->a); mp_size_t bn = mpz_size (key->b); mp_size_t cn = mpz_size (key->c); mp_size_t powm_p_itch = sec_powm_itch (nn, an, pn); mp_size_t powm_q_itch = sec_powm_itch (nn, bn, qn); mp_size_t mod_mul_itch = cn + MAX(pn, qn) + sec_mod_mul_itch (MAX(pn, qn), cn, pn); mp_size_t mul_itch = sec_mul_itch (qn, pn); mp_size_t add_1_itch = mpn_sec_add_1_itch (nn - qn); /* pn + qn for the product q * r_mod_p' */ mp_size_t itch = pn + qn + MAX (mul_itch, add_1_itch); itch = MAX (itch, powm_p_itch); itch = MAX (itch, powm_q_itch); itch = MAX (itch, mod_mul_itch); /* pn + qn for the r_mod_p and r_mod_q temporaries. */ return pn + qn + itch; } void _rsa_sec_compute_root (const struct rsa_private_key *key, mp_limb_t *rp, const mp_limb_t *mp, mp_limb_t *scratch) { mp_size_t nn = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (key->size); /* The common case is pn = qn. This function would be simpler if we * could require that pn >= qn. */ const mp_limb_t *pp = mpz_limbs_read (key->p); const mp_limb_t *qp = mpz_limbs_read (key->q); mp_size_t pn = mpz_size (key->p); mp_size_t qn = mpz_size (key->q); mp_size_t an = mpz_size (key->a); mp_size_t bn = mpz_size (key->b); mp_size_t cn = mpz_size (key->c); mp_limb_t *r_mod_p = scratch; mp_limb_t *r_mod_q = scratch + pn; mp_limb_t *scratch_out = r_mod_q + qn; mp_limb_t cy; assert (pn <= nn); assert (qn <= nn); assert (an <= pn); assert (bn <= qn); assert (cn <= pn); /* Compute r_mod_p = m^d % p = (m%p)^a % p */ sec_powm (r_mod_p, mp, nn, mpz_limbs_read (key->a), an, pp, pn, scratch_out); /* Compute r_mod_q = m^d % q = (m%q)^b % q */ sec_powm (r_mod_q, mp, nn, mpz_limbs_read (key->b), bn, qp, qn, scratch_out); /* Set r_mod_p' = r_mod_p * c % p - r_mod_q * c % p . */ sec_mod_mul (scratch_out, r_mod_p, pn, mpz_limbs_read (key->c), cn, pp, pn, scratch_out + cn + pn); mpn_copyi (r_mod_p, scratch_out, pn); sec_mod_mul (scratch_out, r_mod_q, qn, mpz_limbs_read (key->c), cn, pp, pn, scratch_out + cn + qn); cy = mpn_sub_n (r_mod_p, r_mod_p, scratch_out, pn); mpn_cnd_add_n (cy, r_mod_p, r_mod_p, pp, pn); /* Finally, compute x = r_mod_q + q r_mod_p' */ sec_mul (scratch_out, qp, qn, r_mod_p, pn, scratch_out + pn + qn); cy = mpn_add_n (rp, scratch_out, r_mod_q, qn); mpn_sec_add_1 (rp + qn, scratch_out + qn, nn - qn, cy, scratch_out + pn + qn); } #endif nettle-4.0/rsa-sec-decrypt.c0000644000000000000000000000450115141166424012753 0ustar00/* rsa-sec-decrypt.c RSA decryption, using randomized RSA blinding to be more resistant to side-channel attacks like timing attacks or cache based memory access measurements. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1-internal.h" #include "rsa-internal.h" #include "gmp-glue.h" int rsa_sec_decrypt(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); int res; /* First check that input is in range. */ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) return 0; TMP_GMP_ALLOC (m, mpz_size(pub->n)); TMP_GMP_ALLOC (em, key->size); /* We need a copy because m can be shorter than key_size, * but _rsa_sec_compute_root_tr expect all inputs to be * normalized to a key_size long buffer length */ mpz_limbs_copy(m, gibberish, mpz_size(pub->n)); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); res &= _pkcs1_sec_decrypt (length, message, key->size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } nettle-4.0/rsa-sha1-sign-tr.c0000644000000000000000000000372115141166424012751 0ustar00/* rsa-sha1-sign-tr.c Signatures using RSA and SHA1. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha1_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-4.0/rsa-sha1-sign.c0000644000000000000000000000340215141166424012322 0ustar00/* rsa-sha1-sign.c Signatures using RSA and SHA1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_sign(const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha1_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha1_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha1_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-4.0/rsa-sha1-verify.c0000644000000000000000000000341515141166424012672 0ustar00/* rsa-sha1-verify.c Verifying signatures created with RSA and SHA1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_verify(const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha1_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha1_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-4.0/rsa-sha256-sign-tr.c0000644000000000000000000000375715141166424013136 0ustar00/* rsa-sha256-sign-tr.c Signatures using RSA and SHA256. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha256_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-4.0/rsa-sha256-sign.c0000644000000000000000000000340615141166424012502 0ustar00/* rsa-sha256-sign.c Signatures using RSA and SHA256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_sign(const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha256_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha256_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha256_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-4.0/rsa-sha256-verify.c0000644000000000000000000000337415141166424013052 0ustar00/* rsa-sha256-verify.c Verifying signatures created with RSA and SHA256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_verify(const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha256_encode(m, key->size, hash) &&_rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha256_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-4.0/rsa-sha512-sign-tr.c0000644000000000000000000000375715141166424013131 0ustar00/* rsa-sha512-sign-tr.c Signatures using RSA and SHA512. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha512_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-4.0/rsa-sha512-sign.c0000644000000000000000000000341415141166424012474 0ustar00/* rsa-sha512-sign.c Signatures using RSA and SHA512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_sign(const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha512_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha512_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha512_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-4.0/rsa-sha512-verify.c0000644000000000000000000000340615141166424013041 0ustar00/* rsa-sha512-verify.c Verifying signatures created with RSA and SHA512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_verify(const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha512_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-4.0/rsa-sign-tr.c0000644000000000000000000002241415141166424012117 0ustar00/* rsa-sign-tr.c Creating RSA signatures, with some additional checks. Copyright (C) 2001, 2015 Niels Möller Copyright (C) 2012 Nikos Mavrogiannopoulos Copyright (C) 2018 Red Hat Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gmp-glue.h" #include "rsa.h" #include "rsa-internal.h" #define MAX(a, b) ((a) > (b) ? (a) : (b)) #if NETTLE_USE_MINI_GMP /* Blinds m, by computing c = m r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. */ static void rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t c, mpz_t ri, const mpz_t m) { mpz_t r; mpz_init(r); /* c = m*(r^e) * ri = r^(-1) */ do { nettle_mpz_random(r, random_ctx, random, pub->n); /* invert r */ } while (!mpz_invert (ri, r, pub->n)); /* c = c*(r^e) mod n */ mpz_powm_sec(r, r, pub->e, pub->n); mpz_mul(c, m, r); mpz_fdiv_r(c, c, pub->n); mpz_clear(r); } /* m = c ri mod n */ static void rsa_unblind (const struct rsa_public_key *pub, mpz_t m, const mpz_t ri, const mpz_t c) { mpz_mul(m, c, ri); mpz_fdiv_r(m, m, pub->n); } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m) { int res; mpz_t t, mb, xb, ri; /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the key is invalid and rejected by rsa_private_key_prepare. However, some applications, notably gnutls, don't use this function, and we don't want an invalid key to lead to a crash down inside mpz_powm_sec. So do an additional check here. */ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) return 0; mpz_init (mb); mpz_init (xb); mpz_init (ri); mpz_init (t); rsa_blind (pub, random_ctx, random, mb, ri, m); rsa_compute_root (key, xb, mb); mpz_powm_sec(t, xb, pub->e, pub->n); res = (mpz_cmp(mb, t) == 0); if (res) rsa_unblind (pub, x, ri, xb); mpz_clear (mb); mpz_clear (xb); mpz_clear (ri); mpz_clear (t); return res; } int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m) { mp_size_t nn; mpz_t mz; mpz_t xz; int res; mpz_init(xz); nn = mpz_size (pub->n); res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mpz_roinit_n(mz, m, nn)); if (res) mpz_limbs_copy(x, xz, nn); mpz_clear(xz); return res; } #else /* Blinds m, by computing c = m r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. Must have c != m, no in-place operation.*/ static void rsa_sec_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m) { const mp_limb_t *ep = mpz_limbs_read (pub->e); const mp_limb_t *np = mpz_limbs_read (pub->n); mp_bitcnt_t ebn = mpz_sizeinbase (pub->e, 2); mp_size_t nn = mpz_size (pub->n); size_t itch; size_t i2; mp_limb_t *scratch; TMP_GMP_DECL (tp, mp_limb_t); TMP_GMP_DECL (rp, mp_limb_t); TMP_GMP_DECL (r, uint8_t); TMP_GMP_ALLOC (rp, nn); TMP_GMP_ALLOC (r, nn * sizeof(mp_limb_t)); /* c = m*(r^e) mod n */ itch = mpn_sec_powm_itch(nn, ebn, nn); i2 = mpn_sec_mul_itch(nn, nn); itch = MAX(itch, i2); i2 = mpn_sec_div_r_itch(2*nn, nn); itch = MAX(itch, i2); i2 = mpn_sec_invert_itch(nn); itch = MAX(itch, i2); TMP_GMP_ALLOC (tp, 2*nn + itch); scratch = tp + 2*nn; /* ri = r^(-1) */ do { random(random_ctx, nn * sizeof(mp_limb_t), (uint8_t *)r); mpn_set_base256(rp, nn, r, nn * sizeof(mp_limb_t)); mpn_copyi(tp, rp, nn); /* invert r */ } while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); mpn_sec_mul (tp, c, nn, m, nn, scratch); mpn_sec_div_r (tp, 2*nn, np, nn, scratch); mpn_copyi(c, tp, nn); TMP_GMP_FREE (r); TMP_GMP_FREE (rp); TMP_GMP_FREE (tp); } /* m = c ri mod n. Allows x == c. */ static void rsa_sec_unblind (const struct rsa_public_key *pub, mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) { const mp_limb_t *np = mpz_limbs_read (pub->n); mp_size_t nn = mpz_size (pub->n); size_t itch; size_t i2; mp_limb_t *scratch; TMP_GMP_DECL(tp, mp_limb_t); itch = mpn_sec_mul_itch(nn, nn); i2 = mpn_sec_div_r_itch(nn + nn, nn); itch = MAX(itch, i2); TMP_GMP_ALLOC (tp, nn + nn + itch); scratch = tp + nn + nn; mpn_sec_mul (tp, c, nn, ri, nn, scratch); mpn_sec_div_r (tp, nn + nn, np, nn, scratch); mpn_copyi(x, tp, nn); TMP_GMP_FREE (tp); } static int sec_equal(const mp_limb_t *a, const mp_limb_t *b, size_t limbs) { volatile mp_limb_t z = 0; size_t i; for (i = 0; i < limbs; i++) { z |= (a[i] ^ b[i]); } return z == 0; } static int rsa_sec_check_root(const struct rsa_public_key *pub, const mp_limb_t *x, const mp_limb_t *m) { mp_size_t nn = mpz_size (pub->n); mp_size_t ebn = mpz_sizeinbase (pub->e, 2); const mp_limb_t *np = mpz_limbs_read (pub->n); const mp_limb_t *ep = mpz_limbs_read (pub->e); int ret; mp_size_t itch; mp_limb_t *scratch; TMP_GMP_DECL(tp, mp_limb_t); itch = mpn_sec_powm_itch (nn, ebn, nn); TMP_GMP_ALLOC (tp, nn + itch); scratch = tp + nn; mpn_sec_powm(tp, x, nn, ep, ebn, np, nn, scratch); ret = sec_equal(tp, m, nn); TMP_GMP_FREE (tp); return ret; } static void cnd_mpn_zero (int cnd, volatile mp_ptr rp, mp_size_t n) { volatile mp_limb_t c; volatile mp_limb_t mask = (mp_limb_t) cnd - 1; while (--n >= 0) { c = rp[n]; c &= mask; rp[n] = c; } } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. * This version is side-channel silent even in case of error, * the destination buffer is always overwritten */ int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m) { TMP_GMP_DECL (c, mp_limb_t); TMP_GMP_DECL (ri, mp_limb_t); TMP_GMP_DECL (scratch, mp_limb_t); size_t key_limb_size; int ret; key_limb_size = mpz_size(pub->n); /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the key is invalid and rejected by rsa_private_key_prepare. However, some applications, notably gnutls, don't use this function, and we don't want an invalid key to lead to a crash down inside mpz_powm_sec. So do an additional check here. */ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) { mpn_zero(x, key_limb_size); return 0; } assert(mpz_size(pub->n) == key_limb_size); TMP_GMP_ALLOC (c, key_limb_size); TMP_GMP_ALLOC (ri, key_limb_size); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); rsa_sec_blind (pub, random_ctx, random, c, ri, m); _rsa_sec_compute_root(key, x, c, scratch); ret = rsa_sec_check_root(pub, x, c); rsa_sec_unblind(pub, x, ri, x); cnd_mpn_zero(1 - ret, x, key_limb_size); TMP_GMP_FREE (scratch); TMP_GMP_FREE (ri); TMP_GMP_FREE (c); return ret; } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. * This version is maintained for API compatibility reasons. It * is not completely side-channel silent. There are conditionals * in buffer copying both in case of success or error. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m) { TMP_GMP_DECL (l, mp_limb_t); mp_size_t nn = mpz_size(pub->n); int res; TMP_GMP_ALLOC (l, nn); mpz_limbs_copy(l, m, nn); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l); if (res) { mp_limb_t *xp = mpz_limbs_write (x, nn); mpn_copyi (xp, l, nn); mpz_limbs_finish (x, nn); } TMP_GMP_FREE (l); return res; } #endif nettle-4.0/rsa-sign.c0000644000000000000000000001067215141166424011477 0ustar00/* rsa-sign.c Creating RSA signatures. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" void rsa_private_key_init(struct rsa_private_key *key) { mpz_init(key->d); mpz_init(key->p); mpz_init(key->q); mpz_init(key->a); mpz_init(key->b); mpz_init(key->c); /* Not really necessary, but it seems cleaner to initialize all the * storage. */ key->size = 0; } void rsa_private_key_clear(struct rsa_private_key *key) { mpz_clear(key->d); mpz_clear(key->p); mpz_clear(key->q); mpz_clear(key->a); mpz_clear(key->b); mpz_clear(key->c); } int rsa_private_key_prepare(struct rsa_private_key *key) { mpz_t n; /* A key is invalid if the sizes of q and c are smaller than * the size of n, we rely on that property in calculations so * fail early if that happens. */ if (mpz_size (key->q) + mpz_size (key->c) < mpz_size(key->p)) return 0; /* The size of the product is the sum of the sizes of the factors, * or sometimes one less. It's possible but tricky to compute the * size without computing the full product. */ mpz_init(n); mpz_mul(n, key->p, key->q); key->size = _rsa_check_size(n); mpz_clear(n); return (key->size > 0); } #if NETTLE_USE_MINI_GMP /* Computing an rsa root. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m) { mpz_t xp; /* modulo p */ mpz_t xq; /* modulo q */ mpz_init(xp); mpz_init(xq); /* Compute xq = m^d % q = (m%q)^b % q */ mpz_fdiv_r(xq, m, key->q); mpz_powm_sec(xq, xq, key->b, key->q); /* Compute xp = m^d % p = (m%p)^a % p */ mpz_fdiv_r(xp, m, key->p); mpz_powm_sec(xp, xp, key->a, key->p); /* Set xp' = (xp - xq) c % p. */ mpz_sub(xp, xp, xq); mpz_mul(xp, xp, key->c); mpz_fdiv_r(xp, xp, key->p); /* Finally, compute x = xq + q xp' * * To prove that this works, note that * * xp = x + i p, * xq = x + j q, * c q = 1 + k p * * for some integers i, j and k. Now, for some integer l, * * xp' = (xp - xq) c + l p * = (x + i p - (x + j q)) c + l p * = (i p - j q) c + l p * = (i c + l) p - j (c q) * = (i c + l) p - j (1 + kp) * = (i c + l - j k) p - j * * which shows that xp' = -j (mod p). We get * * xq + q xp' = x + j q + (i c + l - j k) p q - j q * = x + (i c + l - j k) p q * * so that * * xq + q xp' = x (mod pq) * * We also get 0 <= xq + q xp' < p q, because * * 0 <= xq < q and 0 <= xp' < p. */ mpz_mul(x, key->q, xp); mpz_add(x, x, xq); mpz_clear(xp); mpz_clear(xq); } #else /* !NETTLE_USE_MINI_GMP */ /* Computing an rsa root. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m) { TMP_GMP_DECL (scratch, mp_limb_t); TMP_GMP_DECL (ml, mp_limb_t); mp_limb_t *xl; size_t key_size; key_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); assert(mpz_size (m) <= key_size); /* we need a copy because m can be shorter than key_size, * but _rsa_sec_compute_root expect all inputs to be * normalized to a key_size long buffer length */ TMP_GMP_ALLOC (ml, key_size); mpz_limbs_copy(ml, m, key_size); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); xl = mpz_limbs_write (x, key_size); _rsa_sec_compute_root (key, xl, ml, scratch); mpz_limbs_finish (x, key_size); TMP_GMP_FREE (ml); TMP_GMP_FREE (scratch); } #endif /* !NETTLE_USE_MINI_GMP */ nettle-4.0/rsa-verify.c0000644000000000000000000000326015141166424012036 0ustar00/* rsa-verify.c Verifying RSA signatures. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" int _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s) { int res; mpz_t m1; if ( (mpz_sgn(s) <= 0) || (mpz_cmp(s, key->n) >= 0) ) return 0; mpz_init(m1); mpz_powm(m1, s, key->e, key->n); res = !mpz_cmp(m, m1); mpz_clear(m1); return res; } int _rsa_verify_recover(const struct rsa_public_key *key, mpz_t m, const mpz_t s) { if ( (mpz_sgn(s) <= 0) || (mpz_cmp(s, key->n) >= 0) ) return 0; mpz_powm(m, s, key->e, key->n); return 1; } nettle-4.0/rsa.c0000644000000000000000000000373415141166424010542 0ustar00/* rsa.c The RSA publickey algorithm. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" void rsa_public_key_init(struct rsa_public_key *key) { mpz_init(key->n); mpz_init(key->e); /* Not really necessary, but it seems cleaner to initialize all the * storage. */ key->size = 0; } void rsa_public_key_clear(struct rsa_public_key *key) { mpz_clear(key->n); mpz_clear(key->e); } /* Computes the size, in octets, of a the modulo. Returns 0 if the * modulo is too small to be useful, or otherwise appears invalid. */ size_t _rsa_check_size(mpz_t n) { /* Round upwards */ size_t size; /* Even moduli are invalid, and not supported by mpz_powm_sec. */ if (mpz_even_p (n)) return 0; size = (mpz_sizeinbase(n, 2) + 7) / 8; if (size < RSA_MINIMUM_N_OCTETS) return 0; return size; } int rsa_public_key_prepare(struct rsa_public_key *key) { key->size = _rsa_check_size(key->n); return (key->size > 0); } nettle-4.0/rsa.h0000644000000000000000000004271715141166424010553 0ustar00/* rsa.h The RSA publickey algorithm. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RSA_H_INCLUDED #define NETTLE_RSA_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #include "md5.h" #include "sha1.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define rsa_public_key_init nettle_rsa_public_key_init #define rsa_public_key_clear nettle_rsa_public_key_clear #define rsa_public_key_prepare nettle_rsa_public_key_prepare #define rsa_private_key_init nettle_rsa_private_key_init #define rsa_private_key_clear nettle_rsa_private_key_clear #define rsa_private_key_prepare nettle_rsa_private_key_prepare #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr #define rsa_md5_sign nettle_rsa_md5_sign #define rsa_md5_sign_tr nettle_rsa_md5_sign_tr #define rsa_md5_verify nettle_rsa_md5_verify #define rsa_sha1_sign nettle_rsa_sha1_sign #define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr #define rsa_sha1_verify nettle_rsa_sha1_verify #define rsa_sha256_sign nettle_rsa_sha256_sign #define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr #define rsa_sha256_verify nettle_rsa_sha256_verify #define rsa_sha512_sign nettle_rsa_sha512_sign #define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr #define rsa_sha512_verify nettle_rsa_sha512_verify #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest #define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest #define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest #define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest #define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest #define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr #define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest #define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr #define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest #define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr #define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest #define rsa_encrypt nettle_rsa_encrypt #define rsa_decrypt nettle_rsa_decrypt #define rsa_decrypt_tr nettle_rsa_decrypt_tr #define rsa_oaep_sha256_encrypt nettle_rsa_oaep_sha256_encrypt #define rsa_oaep_sha256_decrypt nettle_rsa_oaep_sha256_decrypt #define rsa_oaep_sha384_encrypt nettle_rsa_oaep_sha384_encrypt #define rsa_oaep_sha384_decrypt nettle_rsa_oaep_sha384_decrypt #define rsa_oaep_sha512_encrypt nettle_rsa_oaep_sha512_encrypt #define rsa_oaep_sha512_decrypt nettle_rsa_oaep_sha512_decrypt #define rsa_sec_decrypt nettle_rsa_sec_decrypt #define rsa_compute_root nettle_rsa_compute_root #define rsa_compute_root_tr nettle_rsa_compute_root_tr #define rsa_generate_keypair nettle_rsa_generate_keypair #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator #define rsa_keypair_from_der nettle_rsa_keypair_from_der /* This limit is somewhat arbitrary. Technically, the smallest modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But for ridiculously small keys, not all odd e are possible (e.g., for 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e = 3 don't work). The smallest size that makes sense with pkcs#1, and which allows RSA encryption of one byte messages, is 12 octets, 89 bits. */ #define RSA_MINIMUM_N_OCTETS 12 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7) struct rsa_public_key { /* Size of the modulo, in octets. This is also the size of all * signatures that are created or verified with this key. */ size_t size; /* Modulo */ mpz_t n; /* Public exponent */ mpz_t e; }; struct rsa_private_key { size_t size; /* d is filled in by the key generation function; otherwise it's * completely unused. */ mpz_t d; /* The two factors */ mpz_t p; mpz_t q; /* d % (p-1), i.e. a e = 1 (mod (p-1)) */ mpz_t a; /* d % (q-1), i.e. b e = 1 (mod (q-1)) */ mpz_t b; /* modular inverse of q , i.e. c q = 1 (mod p) */ mpz_t c; }; /* Signing a message works as follows: * * Store the private key in a rsa_private_key struct. * * Call rsa_private_key_prepare. This initializes the size attribute * to the length of a signature. * * Initialize a hashing context, by callling * md5_init * * Hash the message by calling * md5_update * * Create the signature by calling * rsa_md5_sign * * The signature is represented as a mpz_t bignum. This call also * resets the hashing context. * * When done with the key and signature, don't forget to call * mpz_clear. */ /* Calls mpz_init to initialize bignum storage. */ void rsa_public_key_init(struct rsa_public_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void rsa_public_key_clear(struct rsa_public_key *key); int rsa_public_key_prepare(struct rsa_public_key *key); /* Calls mpz_init to initialize bignum storage. */ void rsa_private_key_init(struct rsa_private_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void rsa_private_key_clear(struct rsa_private_key *key); int rsa_private_key_prepare(struct rsa_private_key *key); /* PKCS#1 style signatures */ int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_verify(const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t signature); int rsa_md5_sign(const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature); int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t s); int rsa_md5_verify(const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature); int rsa_sha1_sign(const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature); int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t s); int rsa_sha1_verify(const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature); int rsa_sha256_sign(const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature); int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t s); int rsa_sha256_verify(const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature); int rsa_sha512_sign(const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature); int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t s); int rsa_sha512_verify(const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature); /* Variants taking the digest as argument. */ int rsa_md5_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_md5_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha1_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha1_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha256_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha256_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha512_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); /* PSS style signatures */ int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); /* RSA encryption, using PKCS#1 */ /* Returns 1 on success, 0 on failure, which happens if the * message is too long for the key. */ int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *cleartext, mpz_t cipher); /* Message must point to a buffer of size *LENGTH. KEY->size is enough * for all valid messages. On success, *LENGTH is updated to reflect * the actual length of the message. Returns 1 on success, 0 on * failure, which happens if decryption failed or if the message * didn't fit. */ int rsa_decrypt(const struct rsa_private_key *key, size_t *length, uint8_t *cleartext, const mpz_t ciphertext); /* Timing-resistant version, using randomized RSA blinding. */ int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t gibberish); /* like rsa_decrypt_tr but with additional side-channel resistance. * NOTE: the length of the final message must be known in advance. */ int rsa_sec_decrypt(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish); /* RSA encryption, using OAEP */ int rsa_oaep_sha256_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t * message, uint8_t *ciphertext); int rsa_oaep_sha256_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); int rsa_oaep_sha384_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t * message, uint8_t *ciphertext); int rsa_oaep_sha384_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); int rsa_oaep_sha512_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext); int rsa_oaep_sha512_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); /* Compute x, the e:th root of m. Calling it with x == m is allowed. It is required that 0 <= m < n. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m); /* Safer variant, using RSA blinding, and checking the result after CRT. It is required that 0 <= m < n. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m); /* Key generation */ /* Note that the key structs must be initialized first. */ int rsa_generate_keypair(struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, /* Desired size of modulo, in bits */ unsigned n_size, /* Desired size of public exponent, in bits. If * zero, the passed in value pub->e is used. */ unsigned e_size); #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \ algorithm##_update(ctx, length, data), \ rsa_##algorithm##_sign(key, ctx, signature) \ ) #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \ algorithm##_update(ctx, length, data), \ rsa_##algorithm##_verify(key, ctx, signature) \ ) /* Keys in sexp form. */ struct nettle_buffer; /* Generates a public-key expression if PRIV is NULL .*/ int rsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, /* NULL means "rsa" */ const struct rsa_public_key *pub, const struct rsa_private_key *priv); struct sexp_iterator; int rsa_keypair_from_sexp_alist(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct sexp_iterator *i); /* If PRIV is NULL, expect a public-key expression. If PUB is NULL, * expect a private key expression and ignore the parts not needed for * the public key. */ /* Keys must be initialized before calling this function, as usual. */ int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *expr); /* Keys in PKCS#1 format. */ struct asn1_der_iterator; int rsa_public_key_from_der_iterator(struct rsa_public_key *pub, unsigned limit, struct asn1_der_iterator *i); int rsa_private_key_from_der_iterator(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct asn1_der_iterator *i); /* For public keys, use PRIV == NULL */ int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_RSA_H_INCLUDED */ nettle-4.0/rsa2sexp.c0000644000000000000000000000322615141166424011520 0ustar00/* rsa2sexp.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "sexp.h" int rsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, const struct rsa_public_key *pub, const struct rsa_private_key *priv) { if (!algorithm_name) algorithm_name = "rsa-pkcs1"; if (priv) return sexp_format(buffer, "(private-key(%0s(n%b)(e%b)" "(d%b)(p%b)(q%b)(a%b)(b%b)(c%b)))", algorithm_name, pub->n, pub->e, priv->d, priv->p, priv->q, priv->a, priv->b, priv->c); else return sexp_format(buffer, "(public-key(%0s(n%b)(e%b)))", algorithm_name, pub->n, pub->e); } nettle-4.0/run-tests0000755000000000000000000000533315141166424011500 0ustar00#! /bin/sh # Copyright (C) 2000-2002, 2004, 2005, 2011, 2012, 2016, 2020 Niels Möller # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. failed=0 all=0 debug='no' testflags='' if [ -z "$srcdir" ] ; then srcdir=$(pwd) fi export srcdir if [ -n "$TEST_SHLIB_DIR" ] ; then # Prepend to LD_LIBRARY_PATH, if it is alredy set. LD_LIBRARY_PATH="${TEST_SHLIB_DIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" # For MACOS DYLD_LIBRARY_PATH="$TEST_SHLIB_DIR" # For Windows PATH="${TEST_SHLIB_DIR}:${PATH}" # For Wine WINEPATH="${TEST_SHLIB_DIR}${WINEPATH:+;$WINEPATH}" export LD_LIBRARY_PATH export DYLD_LIBRARY_PATH export PATH export WINEPATH fi # When used in make rules, we sometimes get the filenames VPATH # expanded, but usually not. find_program () { case "$1" in */*) echo "$1" ;; *) if [ -x "$1" ] ; then echo "./$1" elif [ -x "$1.exe" ] ; then echo "./$1.exe" else echo "$srcdir/$1" fi ;; esac } env_program () { if [ -x "$1" ] ; then if "$1"; then : ; else echo "FAIL: $1" exit 1 fi fi } test_program () { testname=$(basename "$1" .exe) testname=$(basename "$testname" -test) if [ -z "$EMULATOR" ] || head -1 "$1" | grep '^#!' > /dev/null; then "$1" $testflags else $EMULATOR "$1" $testflags fi case "$?" in 0) echo "PASS: $testname" all=$((all + 1)) ;; 77) echo "SKIP: $testname" ;; *) echo "FAIL: $testname" failed=$((failed + 1)) all=$((all + 1)) ;; esac } env_program "$(find_program setup-env)" while test $# != 0 do case "$1" in --debug) debug=yes ;; -v) testflags='-v' ;; -*) echo >&2 'Unknown option `'"$1'" exit 1 ;; *) break ;; esac shift done for f in "$@" ; do test_program "$(find_program "$f")"; done if [ "$failed" -eq 0 ] ; then banner="All $all tests passed" else banner="$failed of $all tests failed" fi dashes=$(echo "$banner" | sed s/./=/g) echo "$dashes" echo "$banner" echo "$dashes" if [ "$debug" = no ] ; then env_program "$(find_program teardown-env)" fi [ "$failed" -eq 0 ] nettle-4.0/s390x/0000755000000000000000000000000015141166425010471 5ustar00nettle-4.0/s390x/README0000644000000000000000000000503315141166425011352 0ustar00Registers Conventions[1] Register Status Use r0, r1 General purpose Volatile r2 Parameter passing and return values Volatile r3, r4, r5 Parameter passing Volatile r6 Parameter passing Saved r7 - r11 Local variables Saved r12 Local variable, commonly used as GOT pointer Saved r13 Local variable, commonly used as Literal Pool pointer Saved r14 Return address Volatile r15 Stack pointer Saved f0, f2, f4, f6 Parameter passing and return values Volatile f1, f3, f5, f7 General purpose Volatile f8 – f15 General purpose Saved Vector Register Conventions Register Use VR0 - VR7 Volatile VR8 - VR15 Bytes 0-7 are non-volatile, Bytes 8-15 are volatile VR16 - VR23 Non-volatile VR24 - VR31 Volatile General Registers[2] In addition to their use as accumulators in general arithmetic and logical operations, 15 of the 16 general registers are also used as base-address and index registers in address generation. In these cases, the registers are designated by a four-bit B field or X field in an instruction. A value of zero in the B or X field specifies that no base or index is to be applied, and, thus, general register 0 cannot be designated as containing a base address or index. Parameter passing[1] Values shorter than 64 bits are sign- or zero-extended (as appropriate) to 64 bits. Arguments not handled in the registers are passed in the parameter words of the caller’s stack frame. Dynamic stack space allocation[1] 1. After a new stack frame is acquired, and before the first dynamic space allocation, a new register, the frame pointer or FP, is set to the value of the stack pointer. 2. The amount of dynamic space to be allocated is rounded up to a multiple of 8 bytes, so that 8-byte stack alignment is maintained. 3. The stack pointer is decreased by the rounded byte count, and the address of the previous stack frame (the back chain) may be stored at the word addressed by the new stack pointer. The back chain is not necessary to restore from this allocation at the end of the function since the frame pointer can be used to restore the stack pointer. [1] http://legacy.redhat.com/pub/redhat/linux/7.1/es/os/s390x/doc/lzsabi0.pdf [2] https://www.ibm.com/support/pages/zarchitecture-principles-operation nettle-4.0/s390x/fat/0000755000000000000000000000000015141166425011243 5ustar00nettle-4.0/s390x/fat/aes128-decrypt-2.asm0000644000000000000000000000224315141166425014560 0ustar00C s390x/fat/aes128-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_decrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-decrypt.asm') nettle-4.0/s390x/fat/aes128-encrypt-2.asm0000644000000000000000000000224315141166425014572 0ustar00C s390x/fat/aes128-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-encrypt.asm') nettle-4.0/s390x/fat/aes128-set-decrypt-key-2.asm0000644000000000000000000000234615141166425016143 0ustar00C s390x/fat/aes128-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(nettle_aes128_invert_key) dnl PROLOGUE(nettle_aes128_set_decrypt_key) define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-set-decrypt-key.asm') nettle-4.0/s390x/fat/aes128-set-encrypt-key-2.asm0000644000000000000000000000227315141166425016154 0ustar00C s390x/fat/aes128-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_set_encrypt_key) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-set-encrypt-key.asm') nettle-4.0/s390x/fat/aes192-decrypt-2.asm0000644000000000000000000000224315141166425014561 0ustar00C s390x/fat/aes192-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_decrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-decrypt.asm') nettle-4.0/s390x/fat/aes192-encrypt-2.asm0000644000000000000000000000224315141166425014573 0ustar00C s390x/fat/aes192-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-encrypt.asm') nettle-4.0/s390x/fat/aes192-set-decrypt-key-2.asm0000644000000000000000000000234615141166425016144 0ustar00C s390x/fat/aes192-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(nettle_aes192_invert_key) dnl PROLOGUE(nettle_aes192_set_decrypt_key) define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-set-decrypt-key.asm') nettle-4.0/s390x/fat/aes192-set-encrypt-key-2.asm0000644000000000000000000000227315141166425016155 0ustar00C s390x/fat/aes192-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_set_encrypt_key) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-set-encrypt-key.asm') nettle-4.0/s390x/fat/aes256-decrypt-2.asm0000644000000000000000000000224315141166425014562 0ustar00C s390x/fat/aes256-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_decrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-decrypt.asm') nettle-4.0/s390x/fat/aes256-encrypt-2.asm0000644000000000000000000000224315141166425014574 0ustar00C s390x/fat/aes256-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-encrypt.asm') nettle-4.0/s390x/fat/aes256-set-decrypt-key-2.asm0000644000000000000000000000234615141166425016145 0ustar00C s390x/fat/aes256-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(nettle_aes256_invert_key) dnl PROLOGUE(nettle_aes256_set_decrypt_key) define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-set-decrypt-key.asm') nettle-4.0/s390x/fat/aes256-set-encrypt-key-2.asm0000644000000000000000000000227315141166425016156 0ustar00C s390x/fat/aes256-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_set_encrypt_key) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-set-encrypt-key.asm') nettle-4.0/s390x/fat/chacha-2core.asm0000644000000000000000000000217115141166425014165 0ustar00C s390x/fat/chacha-2core.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_2core) picked up by configure include_src(`s390x/vf/chacha-2core.asm') nettle-4.0/s390x/fat/chacha-4core.asm0000644000000000000000000000217115141166425014167 0ustar00C s390x/fat/chacha-4core.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_4core) picked up by configure include_src(`s390x/vf/chacha-4core.asm') nettle-4.0/s390x/fat/chacha-core-internal-2.asm0000644000000000000000000000225215141166425016054 0ustar00C s390x/fat/chacha-core-internal-2.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_chacha_core) picked up by configure define(`fat_transform', `$1_s390x') include_src(`s390x/vf/chacha-core-internal.asm') nettle-4.0/s390x/fat/cpu-facility.asm0000644000000000000000000000402615141166425014340 0ustar00C s390x/fat/cpu-facility.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "cpu-facility.asm" .text C void _nettle_stfle(uint64_t *facility, uint64_t facility_size) PROLOGUE(_nettle_stfle) lgr %r0,%r3 C facility_size aghi %r0,-1 C facility_size - 1 .long 0xb2b02000 C stfle 0(%r2) br RA EPILOGUE(_nettle_stfle) C void _nettle_km_status(uint64_t *status) PROLOGUE(_nettle_km_status) lghi %r0,0 C query code lgr %r1,%r2 C status .long 0xb92e0022 C km %r2,%r2. Operands are ignored br RA EPILOGUE(_nettle_km_status) C void _nettle_kimd_status(uint64_t *status) PROLOGUE(_nettle_kimd_status) lghi %r0,0 C query code lgr %r1,%r2 C status .long 0xb93e0002 C kimd %r0,%r2. Operands are ignored br RA EPILOGUE(_nettle_kimd_status) nettle-4.0/s390x/fat/ghash-set-key-2.asm0000644000000000000000000000224615141166425014561 0ustar00C s390x/fat/ghash-set-key-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x4/ghash-set-key.asm') nettle-4.0/s390x/fat/ghash-update-2.asm0000644000000000000000000000224115141166425014455 0ustar00C s390x/fat/ghash-update.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x4/ghash-update.asm') nettle-4.0/s390x/fat/memxor3-2.asm0000644000000000000000000000221415141166425013475 0ustar00C s390x/fat/memxor3-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_memxor3) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/vf/memxor3.asm') nettle-4.0/s390x/fat/sha1-compress-2.asm0000644000000000000000000000223715141166425014575 0ustar00C s390x/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_sha1_compress) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa/sha1-compress.asm') nettle-4.0/s390x/fat/sha256-compress-n-2.asm0000644000000000000000000000225615141166425015205 0ustar00C s390x/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x1/sha256-compress-n.asm') nettle-4.0/s390x/fat/sha3-permute-2.asm0000644000000000000000000000223415141166425014422 0ustar00C s390x/fat/sha3-permute-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha3_permute) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/vf/sha3-permute.asm') nettle-4.0/s390x/fat/sha512-compress-2.asm0000644000000000000000000000225015141166425014737 0ustar00C s390x/fat/sha512-compress-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha512_compress) picked up by configure define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x2/sha512-compress.asm') nettle-4.0/s390x/machine.m40000644000000000000000000000231215141166425012335 0ustar00C Register usage: define(`RA', `%r14') C Return address define(`SP', `%r15') C Stack pointer define(`STANDARD_STACK_FRAME',`160') C Dynamic stack space allocation C AP is a general register to which the allocated space is assigned C SPACE_LEN is the length of space, must be a multiple of 8 C FREE_STACK macro can be used to free the allocated space C ALLOC_STACK(AP, SPACE_LEN) define(`ALLOC_STACK', `lgr $1,SP aghi SP,-(STANDARD_STACK_FRAME+$2) stg $1,0(SP) la $1,STANDARD_STACK_FRAME (SP)') C Free allocated stack space C FREE_STACK(SPACE_LEN) define(`FREE_STACK', `aghi SP,STANDARD_STACK_FRAME+$1') C XOR contents of two areas in storage with specific length C DST: The destination area of storage C SRC: The source area of storage C LEN: The length of storage area. LEN <= 256 C TMP_ADDR: A temporary register that handles the XOR instrcution address C All parameters are general registers and cannot be assigned to C general register 0 C XOR_LEN(DST, SRC, LEN, TMP_ADDR) define(`XOR_LEN', `larl $4,18f aghi $3,-1 jm 19f ex $3,0($4) j 19f 18: xc 0(1,$1),0($2) 19:') nettle-4.0/s390x/memxor.asm0000644000000000000000000000272615141166425012511 0ustar00C s390x/memxor.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "memxor.asm" .machine "z10" .text C void * memxor(void *dst, const void *src, size_t n) PROLOGUE(nettle_memxor) srlg %r5,%r4,8 clgije %r5,0,Llen L256_loop: xc 0(256,%r2),0(%r3) aghi %r2,256 aghi %r3,256 brctg %r5,L256_loop Llen: risbg %r5,%r4,56,191,0 jz Ldone XOR_LEN(%r2,%r3,%r5,%r1) Ldone: br RA EPILOGUE(nettle_memxor) nettle-4.0/s390x/msa/0000755000000000000000000000000015141166425011251 5ustar00nettle-4.0/s390x/msa/sha1-compress.asm0000644000000000000000000000534515141166425014447 0ustar00C s390x/msa/sha1-compress.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-SHA-1 function. C The parameter block used for the KIMD-SHA-1 function has the following format: C *----------------------------------------------* C | H0 (4 bytes) | C |----------------------------------------------| C | H1 (4 bytes) | C |----------------------------------------------| C | H2 (4 bytes) | C |----------------------------------------------| C | H3 (4 bytes) | C |----------------------------------------------| C | H4 (4 bytes) | C *----------------------------------------------* .file "sha1-compress.asm" .text C SHA function code define(`SHA1_FUNCTION_CODE', `1') C Size of block define(`SHA1_BLOCK_SIZE', `64') C void nettle_sha1_compress(uint32_t *state, const uint8_t *input) PROLOGUE(nettle_sha1_compress) lghi %r0,SHA1_FUNCTION_CODE C FUNCTION_CODE lgr %r1,%r2 lgr %r4,%r3 lghi %r5,SHA1_BLOCK_SIZE 1: .long 0xb93e0004 C kimd %r0,%r4. perform KIMD-SHA operation on data brc 1,1b br RA EPILOGUE(nettle_sha1_compress) nettle-4.0/s390x/msa_x1/0000755000000000000000000000000015141166425011661 5ustar00nettle-4.0/s390x/msa_x1/aes128-decrypt.asm0000644000000000000000000000466015141166425015044 0ustar00C s390x/msa_x1/aes128-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-128 function. C The parameter block used for the KM-AES-128 function has the following format: C *----------------------------------------------* C | Cryptographic Key (16 bytes) | C *----------------------------------------------* .file "aes128-decrypt.asm" .text C void C aes128_decrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes128_decrypt) lghi %r0,128|18 C KM function code (KM-AES-128), enable modifier bit to perform decryption operation lgr %r1,%r2 C parameter block: byte offsets 0-15 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes128_decrypt) nettle-4.0/s390x/msa_x1/aes128-encrypt.asm0000644000000000000000000000457315141166425015061 0ustar00C s390x/msa_x1/aes128-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-128 function. C The parameter block used for the KM-AES-128 function has the following format: C *----------------------------------------------* C | Cryptographic Key (16 bytes) | C *----------------------------------------------* .file "aes128-encrypt.asm" .text C void C aes128_encrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes128_encrypt) lghi %r0,18 C KM function code (KM-AES-128) lgr %r1,%r2 C parameter block: byte offsets 0-15 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes128_encrypt) nettle-4.0/s390x/msa_x1/aes128-set-decrypt-key.asm0000644000000000000000000000342015141166425016414 0ustar00C s390x/msa_x1/aes128-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-set-decrypt-key.asm" .text C void C aes128_invert_key(struct aes128_ctx *dst, const struct aes128_ctx *src) PROLOGUE(nettle_aes128_invert_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(16,%r2),0(%r3) C copy Cryptographic Key (16 bytes) br RA EPILOGUE(nettle_aes128_invert_key) C void C aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes128_set_decrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(16,%r2),0(%r3) C copy Cryptographic Key (16 bytes) br RA EPILOGUE(nettle_aes128_set_decrypt_key) nettle-4.0/s390x/msa_x1/aes128-set-encrypt-key.asm0000644000000000000000000000265615141166425016440 0ustar00C s390x/msa_x1/aes128-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-set-encrypt-key.asm" .text C void C aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes128_set_encrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(16,%r2),0(%r3) C copy Cryptographic Key (16 bytes) br RA EPILOGUE(nettle_aes128_set_encrypt_key) nettle-4.0/s390x/msa_x1/sha256-compress-n.asm0000644000000000000000000000616115141166425015463 0ustar00C s390x/msa_x1/sha256-compress-n.asm ifelse(` Copyright (C) 2021, 2022 Mamone Tarsha, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-SHA-256 function. C The parameter block used for the KIMD-SHA-256 function has the following format: C *----------------------------------------------* C | H0 (4 bytes) | C |----------------------------------------------| C | H1 (4 bytes) | C |----------------------------------------------| C | H2 (4 bytes) | C |----------------------------------------------| C | H3 (4 bytes) | C |----------------------------------------------| C | H4 (4 bytes) | C |----------------------------------------------| C | H5 (4 bytes) | C |----------------------------------------------| C | H6 (4 bytes) | C |----------------------------------------------| C | H7 (4 bytes) | C *----------------------------------------------* .file "sha256-compress-n.asm" .text C SHA function code define(`SHA256_FUNCTION_CODE', `2') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) PROLOGUE(_nettle_sha256_compress_n) lghi %r0,SHA256_FUNCTION_CODE C SHA-256 Function Code lgr %r1,%r2 lgr %r2, %r5 sllg %r3, %r4, 6 C 64 * block size 1: .long 0xb93e0002 C kimd %r0,%r2. perform KIMD-SHA operation on data brc 1,1b br RA EPILOGUE(_nettle_sha256_compress_n) nettle-4.0/s390x/msa_x2/0000755000000000000000000000000015141166425011662 5ustar00nettle-4.0/s390x/msa_x2/aes192-decrypt.asm0000644000000000000000000000466015141166425015046 0ustar00C s390x/msa_x2/aes192-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-192 function. C The parameter block used for the KM-AES-192 function has the following format: C *----------------------------------------------* C | Cryptographic Key (24 bytes) | C *----------------------------------------------* .file "aes192-decrypt.asm" .text C void C aes192_decrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes192_decrypt) lghi %r0,128|19 C KM function code (KM-AES-192), enable modifier bit to perform decryption operation lgr %r1,%r2 C parameter block: byte offsets 0-23 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes192_decrypt) nettle-4.0/s390x/msa_x2/aes192-encrypt.asm0000644000000000000000000000457315141166425015063 0ustar00C s390x/msa_x2/aes192-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-192 function. C The parameter block used for the KM-AES-192 function has the following format: C *----------------------------------------------* C | Cryptographic Key (24 bytes) | C *----------------------------------------------* .file "aes192-encrypt.asm" .text C void C aes192_encrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes192_encrypt) lghi %r0,19 C KM function code (KM-AES-192) lgr %r1,%r2 C parameter block: byte offsets 0-23 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes192_encrypt) nettle-4.0/s390x/msa_x2/aes192-set-decrypt-key.asm0000644000000000000000000000342015141166425016416 0ustar00C s390x/msa_x2/aes192-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-set-decrypt-key.asm" .text C void C aes192_invert_key(struct aes192_ctx *dst, const struct aes192_ctx *src) PROLOGUE(nettle_aes192_invert_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(24,%r2),0(%r3) C copy Cryptographic Key (24 bytes) br RA EPILOGUE(nettle_aes192_invert_key) C void C aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes192_set_decrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(24,%r2),0(%r3) C copy Cryptographic Key (24 bytes) br RA EPILOGUE(nettle_aes192_set_decrypt_key) nettle-4.0/s390x/msa_x2/aes192-set-encrypt-key.asm0000644000000000000000000000265615141166425016442 0ustar00C s390x/msa_x2/aes192-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-set-encrypt-key.asm" .text C void C aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes192_set_encrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(24,%r2),0(%r3) C copy Cryptographic Key (24 bytes) br RA EPILOGUE(nettle_aes192_set_encrypt_key) nettle-4.0/s390x/msa_x2/aes256-decrypt.asm0000644000000000000000000000466015141166425015047 0ustar00C s390x/msa_x2/aes256-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-256 function. C The parameter block used for the KM-AES-256 function has the following format: C *----------------------------------------------* C | Cryptographic Key (32 bytes) | C *----------------------------------------------* .file "aes256-decrypt.asm" .text C void C aes256_decrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes256_decrypt) lghi %r0,128|20 C KM function code (KM-AES-256), enable modifier bit to perform decryption operation lgr %r1,%r2 C parameter block: byte offsets 0-31 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes256_decrypt) nettle-4.0/s390x/msa_x2/aes256-encrypt.asm0000644000000000000000000000457315141166425015064 0ustar00C s390x/msa_x2/aes256-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-256 function. C The parameter block used for the KM-AES-256 function has the following format: C *----------------------------------------------* C | Cryptographic Key (32 bytes) | C *----------------------------------------------* .file "aes256-encrypt.asm" .text C void C aes256_encrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes256_encrypt) lghi %r0,20 C KM function code (KM-AES-256) lgr %r1,%r2 C parameter block: byte offsets 0-31 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes256_encrypt) nettle-4.0/s390x/msa_x2/aes256-set-decrypt-key.asm0000644000000000000000000000342015141166425016417 0ustar00C s390x/msa_x2/aes256-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-set-decrypt-key.asm" .text C void C aes256_invert_key(struct aes256_ctx *dst, const struct aes256_ctx *src) PROLOGUE(nettle_aes256_invert_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(32,%r2),0(%r3) C copy Cryptographic Key (32 bytes) br RA EPILOGUE(nettle_aes256_invert_key) C void C aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes256_set_decrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(32,%r2),0(%r3) C copy Cryptographic Key (32 bytes) br RA EPILOGUE(nettle_aes256_set_decrypt_key) nettle-4.0/s390x/msa_x2/aes256-set-encrypt-key.asm0000644000000000000000000000265615141166425016443 0ustar00C s390x/msa_x2/aes256-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-set-encrypt-key.asm" .text C void C aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes256_set_encrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(32,%r2),0(%r3) C copy Cryptographic Key (32 bytes) br RA EPILOGUE(nettle_aes256_set_encrypt_key) nettle-4.0/s390x/msa_x2/sha512-compress.asm0000644000000000000000000000615215141166425015224 0ustar00C s390x/msa_x2/sha512-compress.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-SHA-512 function. C The parameter block used for the KIMD-SHA-512 function has the following format: C *----------------------------------------------* C | H0 (8 bytes) | C |----------------------------------------------| C | H1 (8 bytes) | C |----------------------------------------------| C | H2 (8 bytes) | C |----------------------------------------------| C | H3 (8 bytes) | C |----------------------------------------------| C | H4 (8 bytes) | C |----------------------------------------------| C | H5 (8 bytes) | C |----------------------------------------------| C | H6 (8 bytes) | C |----------------------------------------------| C | H7 (8 bytes) | C *----------------------------------------------* .file "sha512-compress.asm" .text C SHA function code define(`SHA512_FUNCTION_CODE', `3') C Size of block define(`SHA512_BLOCK_SIZE', `128') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, C const uint64_t *k) PROLOGUE(_nettle_sha512_compress) lghi %r0,SHA512_FUNCTION_CODE C SHA-512 Function Code lgr %r1,%r2 lgr %r4,%r3 lghi %r5,SHA512_BLOCK_SIZE 1: .long 0xb93e0004 C kimd %r0,%r4. perform KIMD-SHA operation on data brc 1,1b br RA EPILOGUE(_nettle_sha512_compress) nettle-4.0/s390x/msa_x4/0000755000000000000000000000000015141166425011664 5ustar00nettle-4.0/s390x/msa_x4/ghash-set-key.asm0000644000000000000000000000266715141166425015052 0ustar00C s390x/msa_x4/ghash-set-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ghash-set-key.asm" .text C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) PROLOGUE(_nettle_ghash_set_key) C Except for Hash Subkey (H), KIMD-GHASH function does not need C any pre-computed values so just copy H into the first element C of context table and return to the caller. mvc 0(16,%r2),0(%r3) br RA EPILOGUE(_nettle_ghash_set_key) nettle-4.0/s390x/msa_x4/ghash-update.asm0000644000000000000000000000660115141166425014743 0ustar00C s390x/msa_x4/ghash-update.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-GHASH function. C The parameter block used for the KIMD-GHASH function has the following format: C *----------------------------------------------* C | Initial Chaining Value (16 bytes) | C |----------------------------------------------| C | Hash Subkey (16 bytes) | C *----------------------------------------------* C Size of parameter block define(`PB_SIZE', `32') .file "ghash-update.asm" .text C const uint8_t *_ghash_update (const struct gcm_key *ctx, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) PROLOGUE(_nettle_ghash_update) C --- allocate a stack space for parameter block in addition to 16-byte buffer to handle leftover bytes --- ALLOC_STACK(%r1,PB_SIZE) C parameter block (must be general register 1) mvc 0(16,%r1),0(%r3) C copy x Initial Chaining Value field mvc 16(16,%r1),0(%r2) C copy H to Hash Subkey field lghi %r0,65 C GHASH function code (must be general register 0) lgr %r2,%r5 C location of leftmost byte of data (must not be odd-numbered general register nor be general register 0) lgr %r5,%r3 C number of bytes (must be general register of data + 1). length must be a multiple of the data block size (16). sllg %r3,%r4,4 C LEN = 16*BLOCKS 1: .long 0xb93e0002 C kimd %r0,%r2 brc 1,1b C safely branch back in case of partial completion mvc 0(16,%r5),0(%r1) C store x xc 0(PB_SIZE,%r1),0(%r1) C wipe parameter block content from stack FREE_STACK(PB_SIZE) br RA EPILOGUE(_nettle_ghash_update) nettle-4.0/s390x/vf/0000755000000000000000000000000015141166425011104 5ustar00nettle-4.0/s390x/vf/chacha-2core.asm0000644000000000000000000001134715141166425014033 0ustar00C s390x/vf/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `%r2') define(`SRC', `%r3') define(`ROUNDS', `%r4') C State, even elements in X, odd elements in Y define(`X0', `%v1') define(`X1', `%v2') define(`X2', `%v3') define(`X3', `%v29') define(`Y0', `%v4') define(`Y1', `%v5') define(`Y2', `%v6') define(`Y3', `%v7') C Original input state define(`S0', `%v24') define(`S1', `%v25') define(`S2', `%v26') define(`S3', `%v27') define(`S3p1', `%v28') define(`T0', `%v0') define(`BRW', `%v30') define(`EW', `%v30') define(`OW', `%v31') .file "chacha-2core.asm" .machine "z13" .text C _chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_2core) vzero X1 vleif X1, 1, 0 vl X3, 48(SRC) vaccf Y3, X3, X1 C Counter carry out vsldb Y3, Y3, Y3, 12 vo Y3, Y3, X1 .Lshared_entry: vaf Y3, Y3, X3 vlm X0, X2, 0(SRC) vlr S0, X0 vlr S1, X1 vlr S2, X2 vlr S3, X3 vlr S3p1, Y3 larl %r5,.Lword_even vlm EW, OW, 0(%r5) vperm Y0, X0, X0, OW C 1 1 3 3 vperm X0, X0, X0, EW C 0 0 2 2 vperm Y1, X1, X1, OW C 5 5 7 7 vperm X1, X1, X1, EW C 4 4 6 6 vperm Y2, X2, X2, OW C 9 9 11 11 vperm X2, X2, X2, EW C 8 8 10 10 vperm Y3, X3, S3p1, OW C 13 13 15 15 vperm X3, X3, S3p1, EW C 12 12 14 14 srlg ROUNDS, ROUNDS, 1 .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C X1: A4 B4 A6 B6 Y1: A5 B5 A7 B7 C X2: A8 B8 A10 B10 Y2: A9 B9 A11 B11 C X3: A12 B12 A14 B14 Y3: A13 B13 A15 B15 vaf X0, X0, X1 vaf Y0, Y0, Y1 vx X3, X3, X0 vx Y3, Y3, Y0 verllf X3, X3, 16 verllf Y3, Y3, 16 vaf X2, X2, X3 vaf Y2, Y2, Y3 vx X1, X1, X2 vx Y1, Y1, Y2 verllf X1, X1, 12 verllf Y1, Y1, 12 vaf X0, X0, X1 vaf Y0, Y0, Y1 vx X3, X3, X0 vx Y3, Y3, Y0 verllf X3, X3, 8 verllf Y3, Y3, 8 vaf X2, X2, X3 vaf Y2, Y2, Y3 vx X1, X1, X2 vx Y1, Y1, Y2 verllf X1, X1, 7 verllf Y1, Y1, 7 vpdi X1, X1, X1, 0b0100 vpdi X2, X2, X2, 0b0100 vpdi Y2, Y2, Y2, 0b0100 vpdi Y3, Y3, Y3, 0b0100 C Register layout: C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C Y1: A5 B5 A7 B7 X1: A6 B6 A4 B4 (X1 swapped) C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped) C Y3 A15 B15 A13 B13 X3 A12 B12 A14 B14 (Y3 swapped) vaf X0, X0, Y1 vaf Y0, Y0, X1 vx Y3, Y3, X0 vx X3, X3, Y0 verllf Y3, Y3, 16 verllf X3, X3, 16 vaf X2, X2, Y3 vaf Y2, Y2, X3 vx Y1, Y1, X2 vx X1, X1, Y2 verllf Y1, Y1, 12 verllf X1, X1, 12 vaf X0, X0, Y1 vaf Y0, Y0, X1 vx Y3, Y3, X0 vx X3, X3, Y0 verllf Y3, Y3, 8 verllf X3, X3, 8 vaf X2, X2, Y3 vaf Y2, Y2, X3 vx Y1, Y1, X2 vx X1, X1, Y2 verllf Y1, Y1, 7 verllf X1, X1, 7 vpdi X1, X1, X1, 0b0100 vpdi X2, X2, X2, 0b0100 vpdi Y2, Y2, Y2, 0b0100 vpdi Y3, Y3, Y3, 0b0100 brctg ROUNDS, .Loop vperm T0, X0, Y0, EW vperm Y0, X0, Y0, OW vperm X0, X1, Y1, EW vperm Y1, X1, Y1, OW vperm X1, X2, Y2, EW vperm Y2, X2, Y2, OW vperm X2, X3, Y3, EW vperm Y3, X3, Y3, OW vaf T0, T0, S0 vaf Y0, Y0, S0 vaf X0, X0, S1 vaf Y1, Y1, S1 vaf X1, X1, S2 vaf Y2, Y2, S2 vaf X2, X2, S3 vaf Y3, Y3, S3p1 vl BRW, 32(%r5) vperm T0, T0, T0, BRW vperm X0, X0, X0, BRW vperm X1, X1, X1, BRW vperm X2, X2, X2, BRW vperm Y0, Y0, Y0, BRW vperm Y1, Y1, Y1, BRW vperm Y2, Y2, Y2, BRW vperm Y3, Y3, Y3, BRW vstm T0, Y3, 0(DST) br RA EPILOGUE(_nettle_chacha_2core) PROLOGUE(_nettle_chacha_2core32) vzero Y3 vleif Y3, 1, 0 vl X3, 48(SRC) j .Lshared_entry EPILOGUE(_nettle_chacha_2core32) .align 16 .Lword_even: .long 0x00010203,0x10111213,0x08090A0B,0x18191A1B .Lword_odd: .long 0x04050607,0x14151617,0x0C0D0E0F,0x1C1D1E1F .Lword_byte_reverse: .long 0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C nettle-4.0/s390x/vf/chacha-4core.asm0000644000000000000000000001445715141166425014042 0ustar00C s390x/vf/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `%r2') define(`SRC', `%r3') define(`ROUNDS', `%r4') C Working state define(`BRW', `%v24') C During the loop, used to save the original values for last 4 words C of each block. Also used as temporaries for transpose. define(`T0', `%v25') define(`T1', `%v26') define(`T2', `%v27') define(`T3', `%v28') C A workaround for expanding multiple digits of argument references to QR macro which is incompatible with POSIX C See https://www.gnu.org/software/m4/manual/html_node/Arguments.html define(`P1', `ifelse($1, 0, %v0, $1, 1, %v1, $1, 2, %v2, $1, 3, %v3, $1, 4, %v4, $1, 5, %v5, $1, 6, %v6, $1, 7, %v7, $1, 8, %v8, $1, 9, %v9, $1, 10, %v10, $1, 11, %v11, $1, 12, %v12, $1, 13, %v13, $1, 14, %v14, $1, 15, %v15)') define(`P2', `ifelse($1, 0, %v0, $1, 1, %v5, $1, 2, %v10, $1, 3, %v15, $1, 4, %v4, $1, 5, %v9, $1, 6, %v14, $1, 7, %v3, $1, 8, %v8, $1, 9, %v13, $1, 10, %v2, $1, 11, %v7, $1, 12, %v12, $1, 13, %v1, $1, 14, %v6, $1, 15, %v11)') C Main loop for round define(`QR',` vaf $1(0), $1(0), $1(1) vaf $1(4), $1(4), $1(5) vaf $1(8), $1(8), $1(9) vaf $1(12), $1(12), $1(13) vx $1(3), $1(3), $1(0) vx $1(7), $1(7), $1(4) vx $1(11), $1(11), $1(8) vx $1(15), $1(15), $1(12) verllf $1(3), $1(3), 16 verllf $1(7), $1(7), 16 verllf $1(11), $1(11), 16 verllf $1(15), $1(15), 16 vaf $1(2), $1(2), $1(3) vaf $1(6), $1(6), $1(7) vaf $1(10), $1(10), $1(11) vaf $1(14), $1(14), $1(15) vx $1(1), $1(1), $1(2) vx $1(5), $1(5), $1(6) vx $1(9), $1(9), $1(10) vx $1(13), $1(13), $1(14) verllf $1(1), $1(1), 12 verllf $1(5), $1(5), 12 verllf $1(9), $1(9), 12 verllf $1(13), $1(13), 12 vaf $1(0), $1(0), $1(1) vaf $1(4), $1(4), $1(5) vaf $1(8), $1(8), $1(9) vaf $1(12), $1(12), $1(13) vx $1(3), $1(3), $1(0) vx $1(7), $1(7), $1(4) vx $1(11), $1(11), $1(8) vx $1(15), $1(15), $1(12) verllf $1(3), $1(3), 8 verllf $1(7), $1(7), 8 verllf $1(11), $1(11), 8 verllf $1(15), $1(15), 8 vaf $1(2), $1(2), $1(3) vaf $1(6), $1(6), $1(7) vaf $1(10), $1(10), $1(11) vaf $1(14), $1(14), $1(15) vx $1(1), $1(1), $1(2) vx $1(5), $1(5), $1(6) vx $1(9), $1(9), $1(10) vx $1(13), $1(13), $1(14) verllf $1(1), $1(1), 7 verllf $1(5), $1(5), 7 verllf $1(9), $1(9), 7 verllf $1(13), $1(13), 7 ') define(`TRANSPOSE',` vmrhf T0, $1, $3 C A0 A2 B0 B2 vmrhf T1, $2, $4 C A1 A3 B1 B3 vmrlf T2, $1, $3 C C0 C2 D0 D2 vmrlf T3, $2, $4 C C1 C3 D1 D3 vmrhf $1, T0, T1 C A0 A1 A2 A3 vmrlf $2, T0, T1 C B0 B1 B2 B3 vmrhf $3, T2, T3 C C0 C2 C1 C3 vmrlf $4, T2, T3 C D0 D1 D2 D3 ') .file "chacha-4core.asm" .machine "z13" .text C _chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_4core) vrepif T2, 1 C Apply counter carries .Lshared_entry: C Save callee-save registers ALLOC_STACK(%r1,64) C Allocate 64-byte space on stack C Save non-volatile floating point registers std %f8,0(%r1) std %f9,8(%r1) std %f10,16(%r1) std %f11,24(%r1) std %f12,32(%r1) std %f13,40(%r1) std %f14,48(%r1) std %f15,56(%r1) larl %r5,.Lword_byte_reverse vlm BRW, T0, 0(%r5) C Load state and splat vlm %v0, %v3, 0(SRC) vrepf %v4, %v0, 1 vrepf %v8, %v0, 2 vrepf %v12, %v0, 3 vrepf %v0, %v0, 0 vrepf %v5, %v1, 1 vrepf %v9, %v1, 2 vrepf %v13, %v1, 3 vrepf %v1, %v1, 0 vrepf %v6, %v2, 1 vrepf %v10, %v2, 2 vrepf %v14, %v2, 3 vrepf %v2, %v2, 0 vrepf %v7, %v3, 1 vrepf %v11, %v3, 2 vrepf %v15, %v3, 3 vrepf %v3, %v3, 0 vaccf T1, %v3, T0 C low adds vaf %v3, %v3, T0 C compute carry-out vn T1, T1, T2 C discard carries for 32-bit counter variant vaf %v7, %v7, T1 C apply carries C Save all 4x4 of the last words. vlr T0, %v3 vlr T1, %v7 vlr T2, %v11 vlr T3, %v15 srlg ROUNDS, ROUNDS, 1 .Loop: QR(`P1') QR(`P2') brctg ROUNDS, .Loop C Add in saved original words, including counters, before C transpose. vaf %v3, %v3, T0 vaf %v7, %v7, T1 vaf %v11, %v11, T2 vaf %v15, %v15, T3 TRANSPOSE(%v0, %v4, %v8, %v12) TRANSPOSE(%v1, %v5, %v9, %v13) TRANSPOSE(%v2, %v6, %v10, %v14) TRANSPOSE(%v3, %v7, %v11, %v15) vlm T0, T2, 0(SRC) vaf %v0, %v0, T0 vaf %v4, %v4, T0 vaf %v8, %v8, T0 vaf %v12, %v12, T0 vperm %v0, %v0, %v0, BRW vperm %v4, %v4, %v4, BRW vperm %v8, %v8, %v8, BRW vperm %v12, %v12, %v12, BRW vaf %v1, %v1, T1 vaf %v5, %v5, T1 vaf %v9, %v9, T1 vaf %v13, %v13, T1 vperm %v1, %v1, %v1, BRW vperm %v5, %v5, %v5, BRW vperm %v9, %v9, %v9, BRW vperm %v13, %v13, %v13, BRW vaf %v2, %v2, T2 vaf %v6, %v6, T2 vaf %v10, %v10, T2 vaf %v14, %v14, T2 vperm %v2, %v2, %v2, BRW vperm %v6, %v6, %v6, BRW vperm %v10, %v10, %v10, BRW vperm %v14, %v14, %v14, BRW vperm %v3, %v3, %v3, BRW vperm %v7, %v7, %v7, BRW vperm %v11, %v11, %v11, BRW vperm %v15, %v15, %v15, BRW vstm %v0, %v15, 0(DST) C Restore callee-save registers ld %f8,0(%r1) ld %f9,8(%r1) ld %f10,16(%r1) ld %f11,24(%r1) ld %f12,32(%r1) ld %f13,40(%r1) ld %f14,48(%r1) ld %f15,56(%r1) FREE_STACK(64) C Deallocate stack space br RA EPILOGUE(_nettle_chacha_4core) PROLOGUE(_nettle_chacha_4core32) vzero T2 C Ignore counter carries j .Lshared_entry EPILOGUE(_nettle_chacha_4core32) .align 16 .Lword_byte_reverse: .long 0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C .Lcnts: .long 0,1,2,3 C increments nettle-4.0/s390x/vf/chacha-core-internal.asm0000644000000000000000000000527215141166425015563 0ustar00C s390x/vf/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `%r2') define(`SRC', `%r3') define(`ROUNDS', `%r4') C Working state define(`X0', `%v0') define(`X1', `%v1') define(`X2', `%v2') define(`X3', `%v3') C Original input state define(`S0', `%v4') define(`S1', `%v5') define(`S2', `%v6') define(`S3', `%v7') define(`BRW', `%v24') C QROUND(X0, X1, X2, X3) define(`QROUND', ` C x0 += x1, x3 ^= x0, x3 lrot 16 C x2 += x3, x1 ^= x2, x1 lrot 12 C x0 += x1, x3 ^= x0, x3 lrot 8 C x2 += x3, x1 ^= x2, x1 lrot 7 vaf $1, $1, $2 vx $4, $4, $1 verllf $4, $4, 16 vaf $3, $3, $4 vx $2, $2, $3 verllf $2, $2, 12 vaf $1, $1, $2 vx $4, $4, $1 verllf $4, $4, 8 vaf $3, $3, $4 vx $2, $2, $3 verllf $2, $2, 7 ') .file "chacha-core-internal.asm" .machine "z13" .text C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_core) vlm X0, X3, 0(SRC) vlr S0, X0 vlr S1, X1 vlr S2, X2 vlr S3, X3 srlg ROUNDS, ROUNDS, 1 .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 1 2 3 C 5 6 7 4 <<< 1 C 10 11 8 9 <<< 2 C 15 12 13 14 <<< 3 vsldb X1, X1, X1, 4 vsldb X2, X2, X2, 8 vsldb X3, X3, X3, 12 QROUND(X0, X1, X2, X3) C Inverse rotation vsldb X1, X1, X1, 12 vsldb X2, X2, X2, 8 vsldb X3, X3, X3, 4 brctg ROUNDS, .Loop vaf X0, X0, S0 vaf X1, X1, S1 vaf X2, X2, S2 vaf X3, X3, S3 larl %r5,.Lword_byte_reverse vl BRW, 0(%r5) vperm X0, X0, X0, BRW vperm X1, X1, X1, BRW vperm X2, X2, X2, BRW vperm X3, X3, X3, BRW vstm X0, X3, 0(DST) br RA EPILOGUE(_nettle_chacha_core) .align 16 .Lword_byte_reverse: .long 0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C nettle-4.0/s390x/vf/memxor3.asm0000644000000000000000000000503615141166425013204 0ustar00C s390/vf/memxor3.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "memxor3.asm" .machine "z13" .text C void * memxor3(void *dst_in, const void *a_in, const void *b_in, size_t n) PROLOGUE(nettle_memxor3) agr %r2,%r5 agr %r3,%r5 agr %r4,%r5 Lmod: risbg %r1,%r5,60,191,0 jz L1x sgr %r3,%r1 sgr %r4,%r1 sgr %r2,%r1 aghi %r1,-1 C highest index vll %v24,%r1,0(%r3) vll %v28,%r1,0(%r4) vx %v24,%v24,%v28 vstl %v24,%r1,0(%r2) L1x: risbg %r1,%r5,58,187,0 jz L4x srlg %r1,%r1,4 C 1-block loop count 'n / 16' L1x_loop: aghi %r3,-16 aghi %r4,-16 aghi %r2,-16 vl %v24,0(%r3),0 vl %v28,0(%r4),0 vx %v24,%v24,%v28 vst %v24,0(%r2),0 brctg %r1,L1x_loop L4x: risbg %r1,%r5,0,185,0 jz Ldone srlg %r1,%r1,6 C 4-blocks loop count 'n / (16 * 4)' L4x_loop: aghi %r3,-64 aghi %r4,-64 aghi %r2,-64 vlm %v24,%v27,0(%r3),0 vlm %v28,%v31,0(%r4),0 vx %v24,%v24,%v28 vx %v25,%v25,%v29 vx %v26,%v26,%v30 vx %v27,%v27,%v31 vstm %v24,%v27,0(%r2),0 brctg %r1,L4x_loop Ldone: br RA EPILOGUE(nettle_memxor3) nettle-4.0/s390x/vf/sha3-permute.asm0000644000000000000000000002744715141166425014141 0ustar00C s390x/vf/sha3-permute.asm ifelse(` Copyright (C) 2012 Niels Möller Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`STATE', `%r2') C 25 64-bit values, 200 bytes. define(`COUNT', `%r3') define(`A00', `%r0') define(`A0102', `%v0') define(`A0304', `%v1') define(`A05', `%r4') define(`A0607', `%v2') define(`A0809', `%v3') define(`A10', `%r5') define(`A1112', `%v4') define(`A1314', `%v5') define(`A15', `%r6') define(`A1617', `%v6') define(`A1819', `%v7') define(`A20', `%r7') define(`A2122', `%v8') define(`A2324', `%v9') define(`C0', `%r8') define(`C12', `%v24') define(`C34', `%v25') define(`D0', `%r9') define(`D12', `%v26') define(`D34', `%v27') C Wide temporaries define(`W0', `%v28') define(`W1', `%v29') define(`W2', `%v30') define(`W3', `%v31') define(`TMP', `%r9') define(`T0', `%r10') define(`T1', `%r11') define(`T2', `%r12') define(`T3', `%r13') define(`RC', `%r14') .file "sha3-permute.asm" .machine "z13" .text C void C sha3_permute(struct sha3_ctx *ctx) PROLOGUE(nettle_sha3_permute) stmg %r6,%r14,48(SP) C Save non-volatile general registers ALLOC_STACK(%r1,16) C Allocate 16-byte space on stack C Save non-volatile floating point registers std %f8,0(%r1) std %f9,8(%r1) lghi COUNT,24*8 larl RC,.rc C Load address of rc data aghi RC,-8 C Load state data lg A00,0*8(STATE) vl A0102,1*8(STATE) vl A0304,3*8(STATE) lg A05,5*8(STATE) vl A0607,6*8(STATE) vl A0809,8*8(STATE) xgrk C0,A00,A05 vx C12,A0102,A0607 vx C34,A0304,A0809 lg A10,10*8(STATE) vl A1112,11*8(STATE) vl A1314,13*8(STATE) xgr C0,A10 vx C12,C12,A1112 vx C34,C34,A1314 lg A15,15*8(STATE) vl A1617,16*8(STATE) vl A1819,18*8(STATE) xgr C0,A15 vx C12,C12,A1617 vx C34,C34,A1819 lg A20,20*8(STATE) vl A2122,21*8(STATE) vl A2324,23*8(STATE) xgr C0,A20 vx C12,C12,A2122 vx C34,C34,A2324 j .Loop .align 16 .Loop: C The theta step. Combine parity bits, then xor to state. C D0 = C4 ^ (C1 <<< 1) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) C Shift the words around, putting (C0, C1) in D12, (C2, C3) in C D34, and (C4, C0) in C34. vlvgg D12,C0,0 vmrhg D12,D12,C12 C Holds C0, C1 vpdi D34,C12,C34,0b0100 C Holds C2, C3 vpdi C34,C34,D12,0b0100 C Holds C4, C0 vlgvg T0,C12,0 vlgvg D0,C34,0 rllg T0,T0,1 xgr D0,T0 verllg W0,D34,1 vx D12,D12,W0 C Done D12 verllg W1,C34,1 vx D34,D34,W1 C Done D34 xgr A00,D0 xgr A05,D0 xgr A10,D0 xgr A15,D0 xgr A20,D0 vx A0102,A0102,D12 vx A0607,A0607,D12 vx A1112,A1112,D12 vx A1617,A1617,D12 vx A2122,A2122,D12 vx A0304,A0304,D34 vx A0809,A0809,D34 vx A1314,A1314,D34 vx A1819,A1819,D34 vx A2324,A2324,D34 C theta step done, no C, D or W temporaries alive. C rho step. When doing the permutations, also C transpose the rows of matrix into temporary C coordinates to assist the chi step. C Defer pi step to the last phase. C The combined permutation + transpose gives the following C cycles (rotation counts in parenthesis) C 0 <- 0(0) C 1 <- 3(28) <- 4(27) <- 2(62) <- 1(1) C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C Do the 1,2,3,4 row. First rotate (permute), then transpose. verllg W0,A0102,1 C verllg 1 (A01) verllg W2,A0102,62 C verllg 62 (A02) verllg A0102,A0304,28 C verllg 28 (A03) verllg A0304,A0304,27 C verllg 27 (A04) vmrhg A0102,A0102,W0 vmrlg A0304,A0304,W2 C Do the 5,6,7,8,9 row. rllg A05,A05,36 vlvgg W0,A05,0 vlgvg A05,A0607,0 rllg A05,A05,44 C Done A05 verllg W1,A0607,6 verllg A0607,A0809,20 vmrlg A0607,A0607,W1 C Done A0607 verllg W1,A0809,55 vmrhg A0809,W0,W1 C Done A0809 C Do the 10,11,12,13,14 row. C Roatated using verllg with (25) later. 42 + 25 = 3 (mod 64) rllg A10,A10,42 verllg W0,A1112,10 vlvgg A1112,A10,0 vlgvg A10,A1112,1 rllg A10,A10,43 C Done A10 vmrhg A1112,A1112,A1314 verllg A1112,A1112,25 C Done A1112 verllg W2,A1314,39 vpdi A1314,W0,W2,0b0001 C Done A1314 C Do the 15,16,17,18,19 row. verllg W0,A1819,8 rllg A15,A15,41 vlvgg W1,A15,1 vlgvg A15,A1819,0 rllg A15,A15,21 C Done A15 verllg A1819,A1617,15 verllg A1617,A1617,45 vpdi A1617,A1617,W0,0b0001 C Done A1617 vmrlg A1819,A1819,W1 C Done A1819 C Do the 20,21,22,23,24 row. rllg A20,A20,18 vlvgg W0,A20,1 vlgvg A20,A2324,1 rllg A20,A20,14 C Done A20 verllg A2324,A2324,56 verllg W2,A2122,2 vmrhg A2324,A2324,W2 C Done A2324 verllg A2122,A2122,61 vmrlg A2122,A2122,W0 C Done A2122 C chi step. With the transposed matrix, applied independently C to each column. lghi TMP,-1 xgrk T0,A05,TMP ngr T0,A10 xgrk T1,A10,TMP ngr T1,A15 xgrk T2,A15,TMP ngr T2,A20 xgr A10,T2 xgrk T3,A20,TMP ngr T3,A00 xgr A15,T3 xgrk T2,A00,TMP ngr T2,A05 xgr A20,T2 xgr A00,T0 xgr A05,T1 vnc W0,A1112,A0607 vnc W1,A1617,A1112 vnc W2,A2122,A1617 vx A1112,A1112,W2 vnc W3,A0102,A2122 vx A1617,A1617,W3 vnc W2,A0607,A0102 vx A2122,A2122,W2 vx A0102,A0102,W0 vx A0607,A0607,W1 vnc W0,A1314,A0809 vnc W1,A1819,A1314 vnc W2,A2324,A1819 vx A1314,A1314,W2 vnc W3,A0304,A2324 vx A1819,A1819,W3 vnc W2,A0809,A0304 vx A2324,A2324,W2 vx A0304,A0304,W0 vx A0809,A0809,W1 C iota step. lg TMP,0(COUNT,RC) xgr A00,TMP C Deferred pi step. Transpose the matrix from the temporary C positions. The transpose gives the matrix with the C following (x,y) coordinates. C (0,0) <- (0,0), (0,2) <- (2,0), (0,4) <- (4,0) C (0,3) <- (3,0), (0,1) <- (1,0), (1,3) <- (3,1) C (1,0) <- (0,1), (1,2) <- (2,1), (1,4) <- (4,1) C (1,1) <- (1,1), (2,1) <- (1,2), (2,3) <- (3,2) C (2,0) <- (0,2), (2,2) <- (2,2), (2,4) <- (4,2) C (3,4) <- (4,3), (3,1) <- (1,3), (3,3) <- (3,3) C (3,0) <- (0,3), (3,2) <- (2,3), (4,2) <- (2,4) C (4,4) <- (4,4), (4,1) <- (1,4), (4,3) <- (3,4) C (4,0) <- (0,4) C Swap (A05, A10) <-> A0102, and (A15, A20) <-> A0304, C and also copy to C12 and C34 while at it. vlvgg C12,A05,0 vlvgg C34,A15,0 vlvgg W0,A10,0 vlvgg W1,A20,0 vlgvg A05,A0102,0 vlgvg A15,A0304,0 xgrk C0,A00,A05 xgr C0,A15 vlgvg A10,A0102,1 vlgvg A20,A0304,1 vmrhg A0102,C12,W0 vmrhg A0304,C34,W1 C Transpose (A0607, A1112) vlr W0,A0607 vmrhg A0607,A0607,A1112 xgr C0,A10 xgr C0,A20 vmrlg A1112,W0,A1112 C Transpose (A1819, A2324) vlr W0,A1819 vmrhg A1819,A1819,A2324 vx C12,A0102,A0607 vx C12,C12,A1112 vmrlg A2324,W0,A2324 C Transpose (A0809, A1314) and (A1617, A2122), and swap vlr W0,A0809 vlr W1,A1314 vx C34,A0304,A1819 vx C34,C34,A2324 vmrhg A0809,A1617,A2122 vmrlg A1314,A1617,A2122 vx C34,C34,A0809 vx C34,C34,A1314 vmrhg A1617,W0,W1 vmrlg A2122,W0,W1 ahi COUNT,-8 vx C12,C12,A1617 vx C12,C12,A2122 clijne COUNT,0,.Loop C Save state data stg A00,0*8(STATE) vst A0102,1*8(STATE) vst A0304,3*8(STATE) stg A05,5*8(STATE) vst A0607,6*8(STATE) vst A0809,8*8(STATE) stg A10,10*8(STATE) vst A1112,11*8(STATE) vst A1314,13*8(STATE) stg A15,15*8(STATE) vst A1617,16*8(STATE) vst A1819,18*8(STATE) stg A20,20*8(STATE) vst A2122,21*8(STATE) vst A2324,23*8(STATE) C Load non-volatile floating point registers ld %f8,0(%r1) ld %f9,8(%r1) FREE_STACK(16) C Deallocate stack space lmg %r6,%r14,48(SP) C Load non-volatile general registers br RA EPILOGUE(nettle_sha3_permute) .align 16 .rc: C In reverse order .quad 0x8000000080008008 .quad 0x0000000080000001 .quad 0x8000000000008080 .quad 0x8000000080008081 .quad 0x800000008000000A .quad 0x000000000000800A .quad 0x8000000000000080 .quad 0x8000000000008002 .quad 0x8000000000008003 .quad 0x8000000000008089 .quad 0x800000000000008B .quad 0x000000008000808B .quad 0x000000008000000A .quad 0x0000000080008009 .quad 0x0000000000000088 .quad 0x000000000000008A .quad 0x8000000000008009 .quad 0x8000000080008081 .quad 0x0000000080000001 .quad 0x000000000000808B .quad 0x8000000080008000 .quad 0x800000000000808A .quad 0x0000000000008082 .quad 0x0000000000000001 .size .rc,.-.rc nettle-4.0/salsa20-128-set-key.c0000644000000000000000000000335715141166424013112 0ustar00/* salsa20-128-set-key.c The Salsa20 stream cipher. Key setup for 256-bit keys. Copyright (C) 2012 Simon Josefsson Copyright (C) 2012-2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key) { ctx->input[11] = ctx->input[1] = LE_READ_UINT32(key + 0); ctx->input[12] = ctx->input[2] = LE_READ_UINT32(key + 4); ctx->input[13] = ctx->input[3] = LE_READ_UINT32(key + 8); ctx->input[14] = ctx->input[4] = LE_READ_UINT32(key + 12); /* "expand 16-byte k" */ ctx->input[0] = 0x61707865; ctx->input[5] = 0x3120646e; ctx->input[10] = 0x79622d36; ctx->input[15] = 0x6b206574; } nettle-4.0/salsa20-256-set-key.c0000644000000000000000000000354015141166424013106 0ustar00/* salsa20-256-set-key.c The Salsa20 stream cipher. Key setup for 128-bit keys. Copyright (C) 2012 Simon Josefsson Copyright (C) 2012-2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key) { ctx->input[1] = LE_READ_UINT32(key + 0); ctx->input[2] = LE_READ_UINT32(key + 4); ctx->input[3] = LE_READ_UINT32(key + 8); ctx->input[4] = LE_READ_UINT32(key + 12); ctx->input[11] = LE_READ_UINT32(key + 16); ctx->input[12] = LE_READ_UINT32(key + 20); ctx->input[13] = LE_READ_UINT32(key + 24); ctx->input[14] = LE_READ_UINT32(key + 28); /* "expand 32-byte k" */ ctx->input[0] = 0x61707865; ctx->input[5] = 0x3320646e; ctx->input[10] = 0x79622d32; ctx->input[15] = 0x6b206574; } nettle-4.0/salsa20-core-internal.c0000644000000000000000000000562015141166424013756 0ustar00/* salsa20-core-internal.c Internal interface to the Salsa20 core function. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "salsa20.h" #include "salsa20-internal.h" #include "bswap-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_salsa20_core void _nettle_salsa20_core_c(uint32_t *dst, const uint32_t *src, unsigned rounds); #define _nettle_salsa20_core _nettle_salsa20_core_c #endif #ifndef SALSA20_DEBUG # define SALSA20_DEBUG 0 #endif #if SALSA20_DEBUG # include # define DEBUG(i) do { \ unsigned debug_j; \ for (debug_j = 0; debug_j < 16; debug_j++) \ { \ if (debug_j == 0) \ fprintf(stderr, "%2d:", (i)); \ else if (debug_j % 4 == 0) \ fprintf(stderr, "\n "); \ fprintf(stderr, " %8x", x[debug_j]); \ } \ fprintf(stderr, "\n"); \ } while (0) #else # define DEBUG(i) #endif #define QROUND(x0, x1, x2, x3) do { \ x1 ^= ROTL32(7, x0 + x3); \ x2 ^= ROTL32(9, x1 + x0); \ x3 ^= ROTL32(13, x2 + x1); \ x0 ^= ROTL32(18, x3 + x2); \ } while(0) void _nettle_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) { uint32_t x[_SALSA20_INPUT_LENGTH]; unsigned i; assert ( (rounds & 1) == 0); memcpy (x, src, sizeof(x)); for (i = 0; i < rounds;i += 2) { DEBUG (i); QROUND(x[0], x[4], x[8], x[12]); QROUND(x[5], x[9], x[13], x[1]); QROUND(x[10], x[14], x[2], x[6]); QROUND(x[15], x[3], x[7], x[11]); DEBUG (i+1); QROUND(x[0], x[1], x[2], x[3]); QROUND(x[5], x[6], x[7], x[4]); QROUND(x[10], x[11], x[8], x[9]); QROUND(x[15], x[12], x[13], x[14]); } DEBUG (i); for (i = 0; i < _SALSA20_INPUT_LENGTH; i++) { uint32_t t = x[i] + src[i]; dst[i] = bswap32_if_be (t); } } nettle-4.0/salsa20-crypt-internal.c0000644000000000000000000000555415141166424014175 0ustar00/* salsa20-crypt-internal.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "salsa20.h" #include "salsa20-internal.h" #include "macros.h" #include "memxor.h" #if HAVE_NATIVE_salsa20_2core #define _nettle_salsa20_crypt_2core _nettle_salsa20_crypt #elif !HAVE_NATIVE_fat_salsa20_2core #define _nettle_salsa20_crypt_1core _nettle_salsa20_crypt #endif #if HAVE_NATIVE_salsa20_2core || HAVE_NATIVE_fat_salsa20_2core void _nettle_salsa20_crypt_2core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[2*_SALSA20_INPUT_LENGTH]; while (length > SALSA20_BLOCK_SIZE) { _nettle_salsa20_2core (x, ctx->input, rounds); ctx->input[8] += 2; ctx->input[9] += (ctx->input[8] < 2); if (length <= 2 * SALSA20_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, 2*SALSA20_BLOCK_SIZE); length -= 2*SALSA20_BLOCK_SIZE; dst += 2*SALSA20_BLOCK_SIZE; src += 2*SALSA20_BLOCK_SIZE; } _nettle_salsa20_core (x, ctx->input, rounds); ctx->input[9] += (++ctx->input[8] == 0); memxor3 (dst, src, x, length); } #endif #if !HAVE_NATIVE_salsa20_2core void _nettle_salsa20_crypt_1core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src) { for (;;) { uint32_t x[_SALSA20_INPUT_LENGTH]; _nettle_salsa20_core (x, ctx->input, rounds); ctx->input[9] += (++ctx->input[8] == 0); /* stopping at 2^70 length per nonce is user's responsibility */ if (length <= SALSA20_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, SALSA20_BLOCK_SIZE); length -= SALSA20_BLOCK_SIZE; dst += SALSA20_BLOCK_SIZE; src += SALSA20_BLOCK_SIZE; } } #endif nettle-4.0/salsa20-crypt.c0000644000000000000000000000263115141166424012354 0ustar00/* salsa20-crypt.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "salsa20-internal.h" void salsa20_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *c, const uint8_t *m) { if (!length) return; _nettle_salsa20_crypt (ctx, 20, length, c, m); } nettle-4.0/salsa20-internal.h0000644000000000000000000000356515141166424013043 0ustar00/* salsa20-internal.h The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SALSA20_INTERNAL_H_INCLUDED #define NETTLE_SALSA20_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "salsa20.h" void _nettle_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_salsa20_crypt(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); /* Functions available only in some configurations */ void _nettle_salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_salsa20_crypt_1core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_salsa20_crypt_2core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); #endif /* NETTLE_SALSA20_INTERNAL_H_INCLUDED */ nettle-4.0/salsa20-set-key.c0000644000000000000000000000305415141166424012574 0ustar00/* salsa20-set-key.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "salsa20.h" #include "macros.h" void salsa20_set_key(struct salsa20_ctx *ctx, size_t length, const uint8_t *key) { switch (length) { case SALSA20_128_KEY_SIZE: salsa20_128_set_key (ctx, key); break; case SALSA20_256_KEY_SIZE: salsa20_256_set_key (ctx, key); break; default: abort(); } } nettle-4.0/salsa20-set-nonce.c0000644000000000000000000000266215141166424013112 0ustar00/* salsa20-set-nonce.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce) { ctx->input[6] = LE_READ_UINT32(nonce + 0); ctx->input[7] = LE_READ_UINT32(nonce + 4); ctx->input[8] = 0; ctx->input[9] = 0; } nettle-4.0/salsa20.h0000644000000000000000000000525315141166424011225 0ustar00/* salsa20.h The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SALSA20_H_INCLUDED #define NETTLE_SALSA20_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define salsa20_set_key nettle_salsa20_set_key #define salsa20_128_set_key nettle_salsa20_128_set_key #define salsa20_256_set_key nettle_salsa20_256_set_key #define salsa20_set_nonce nettle_salsa20_set_nonce #define salsa20_crypt nettle_salsa20_crypt #define salsa20r12_crypt nettle_salsa20r12_crypt /* In octets.*/ #define SALSA20_128_KEY_SIZE 16 #define SALSA20_256_KEY_SIZE 32 #define SALSA20_BLOCK_SIZE 64 #define SALSA20_NONCE_SIZE 8 /* Aliases */ #define SALSA20_MIN_KEY_SIZE 16 #define SALSA20_MAX_KEY_SIZE 32 #define SALSA20_KEY_SIZE 32 #define _SALSA20_INPUT_LENGTH 16 struct salsa20_ctx { /* Indices 1-4 and 11-14 holds the key (two identical copies for the shorter key size), indices 0, 5, 10, 15 are constant, indices 6, 7 are the IV, and indices 8, 9 are the block counter: C K K K K C I I B B C K K K K C */ uint32_t input[_SALSA20_INPUT_LENGTH]; }; void salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key); void salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key); void salsa20_set_key(struct salsa20_ctx *ctx, size_t length, const uint8_t *key); void salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce); void salsa20_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void salsa20r12_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SALSA20_H_INCLUDED */ nettle-4.0/salsa20r12-crypt.c0000644000000000000000000000266215141166424012705 0ustar00/* salsa20r12-crypt.c The Salsa20 stream cipher, reduced round variant. Copyright (C) 2013 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "salsa20-internal.h" void salsa20r12_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *c, const uint8_t *m) { if (!length) return; _nettle_salsa20_crypt (ctx, 12, length, c, m); } nettle-4.0/sec-add-1.c0000644000000000000000000000255115141166424011407 0ustar00/* sec-add-1.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" mp_limb_t sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b) { mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t r = ap[i] + b; b = (r < b); rp[i] = r; } return b; } nettle-4.0/sec-sub-1.c0000644000000000000000000000256015141166424011450 0ustar00/* sec-sub-1.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" mp_limb_t sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b) { mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t a; a = ap[i]; rp[i] = a - b; b = a < b; } return b; } nettle-4.0/serpent-decrypt.c0000644000000000000000000003733415141166424013110 0ustar00/* serpent-decrypt.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* S0 inverse: 13 3 11 0 10 6 5 12 1 14 4 7 15 9 8 2 */ /* Original single-assignment form: t01 = x2 ^ x3; t02 = x0 | x1; t03 = x1 | x2; t04 = x2 & t01; t05 = t02 ^ t01; t06 = x0 | t04; y2 = ~ t05; t08 = x1 ^ x3; t09 = t03 & t08; t10 = x3 | y2; y1 = t09 ^ t06; t12 = x0 | t05; t13 = y1 ^ t12; t14 = t03 ^ t10; t15 = x0 ^ x2; y3 = t14 ^ t13; t17 = t05 & t13; t18 = t14 | t17; y0 = t15 ^ t18; */ #define SBOX0_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x2; \ y2 = x0 | x1; \ y1 = x2 ^ x3; \ y2 ^= y1; \ y1 &= x2; \ x2 |= x1; \ x1 ^= x3; \ y1 |= x0; \ x1 &= x2; \ y1 ^= x1; \ x0 |= y2; \ x0 ^= y1; \ x1 = y2 & x0; \ y2 = ~ y2; \ x3 |= y2; \ x3 ^= x2; \ y3 = x3 ^ x0; \ x1 |= x3; \ y0 ^= x1; \ } while (0) /* S1 inverse: 5 8 2 14 15 6 12 3 11 4 7 9 1 13 10 0 */ /* Original single-assignment form: t01 = x0 ^ x1; t02 = x1 | x3; t03 = x0 & x2; t04 = x2 ^ t02; t05 = x0 | t04; t06 = t01 & t05; t07 = x3 | t03; t08 = x1 ^ t06; t09 = t07 ^ t06; t10 = t04 | t03; t11 = x3 & t08; y2 = ~ t09; y1 = t10 ^ t11; t14 = x0 | y2; t15 = t06 ^ y1; y3 = t01 ^ t04; t17 = x2 ^ t15; y0 = t14 ^ t17; */ #define SBOX1_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x1 | x3; \ y1 ^= x2; \ y3 = x0 ^ x1; \ y0 = x0 | y1; \ y0 &= y3; \ x1 ^= y0; \ y3 ^= y1; \ x1 &= x3; \ y2 = x0 & x2; \ y1 |= y2; \ y2 |= x3; \ y2 ^= y0; \ y2 = ~ y2; \ y1 ^= x1; \ y0 ^= y1; \ y0 ^= x2; \ x0 |= y2; \ y0 ^= x0; \ } while (0) /* S2 inverse: 12 9 15 4 11 14 1 2 0 3 6 13 5 8 10 7 */ /* Original single-assignment form: t01 = x0 ^ x3; t02 = x2 ^ x3; t03 = x0 & x2; t04 = x1 | t02; y0 = t01 ^ t04; t06 = x0 | x2; t07 = x3 | y0; t08 = ~ x3; t09 = x1 & t06; t10 = t08 | t03; t11 = x1 & t07; t12 = t06 & t02; y3 = t09 ^ t10; y1 = t12 ^ t11; t15 = x2 & y3; t16 = y0 ^ y1; t17 = t10 ^ t15; y2 = t16 ^ t17; */ #define SBOX2_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x3; \ y2 = x2 ^ x3; \ y1 = x1 | y2; \ y0 ^= y1; \ y1 = x3 | y0; \ y1 &= x1; \ x3 = ~ x3; \ y3 = x0 | x2; \ y2 &= y3; \ y1 ^= y2; \ y3 &= x1; \ x0 &= x2; \ x0 |= x3; \ y3 ^= x0; \ x2 &= y3; \ x2 ^= x0; \ y2 = y0 ^ y1; \ y2 ^= x2; \ } while (0) /* S3 inverse: 0 9 10 7 11 14 6 13 3 5 12 2 4 8 15 1 */ /* Original single-assignment form: t01 = x2 | x3; t02 = x0 | x3; t03 = x2 ^ t02; t04 = x1 ^ t02; t05 = x0 ^ x3; t06 = t04 & t03; t07 = x1 & t01; y2 = t05 ^ t06; t09 = x0 ^ t03; y0 = t07 ^ t03; t11 = y0 | t05; t12 = t09 & t11; t13 = x0 & y2; t14 = t01 ^ t05; y1 = x1 ^ t12; t16 = x1 | t13; y3 = t14 ^ t16; */ #define SBOX3_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x2 | x3; \ y0 = x1 & y3; \ y2 = x0 | x3; \ y1 = x2 ^ y2; \ y0 ^= y1; \ x3 ^= x0; \ y3 ^= x3; \ y2 ^= x1; \ y2 &= y1; \ y2 ^= x3; \ y1 ^= x0; \ x3 |= y0; \ y1 &= x3; \ y1 ^= x1; \ x0 &= y2; \ x0 |= x1; \ y3 ^= x0; \ } while (0) /* S4 inverse: 5 0 8 3 10 9 7 14 2 12 11 6 4 15 13 1 */ /* Original single-assignment form: t01 = x1 | x3; t02 = x2 | x3; t03 = x0 & t01; t04 = x1 ^ t02; t05 = x2 ^ x3; t06 = ~ t03; t07 = x0 & t04; y1 = t05 ^ t07; t09 = y1 | t06; t10 = x0 ^ t07; t11 = t01 ^ t09; t12 = x3 ^ t04; t13 = x2 | t10; y3 = t03 ^ t12; t15 = x0 ^ t04; y2 = t11 ^ t13; y0 = t15 ^ t09; */ #define SBOX4_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x2 ^ x3; \ y2 = x2 | x3; \ y2 ^= x1; \ x1 |= x3; \ y0 = x0 ^ y2; \ x3 ^= y2; \ y2 &= x0; \ y1 ^= y2; \ y2 ^= x0; \ y2 |= x2; \ x0 &= x1; \ y3 = x0 ^ x3; \ x0 = ~ x0; \ x0 |= y1; \ y0 ^= x0; \ x0 ^= x1; \ y2 ^= x0; \ } while (0) /* S5 inverse: 8 15 2 9 4 1 13 14 11 6 5 3 7 12 10 0 */ /* Original single-assignment form: t01 = x0 & x3; t02 = x2 ^ t01; t03 = x0 ^ x3; t04 = x1 & t02; t05 = x0 & x2; y0 = t03 ^ t04; t07 = x0 & y0; t08 = t01 ^ y0; t09 = x1 | t05; t10 = ~ x1; y1 = t08 ^ t09; t12 = t10 | t07; t13 = y0 | y1; y3 = t02 ^ t12; t15 = t02 ^ t13; t16 = x1 ^ x3; y2 = t16 ^ t15; */ #define SBOX5_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 & x3; \ y3 = x2 ^ y1; \ y0 = x1 & y3; \ y2 = x0 ^ x3; \ x3 ^= x1; \ y0 ^= y2; \ x2 &= x0; \ x0 &= y0; \ x2 |= x1; \ y1 ^= y0; \ y1 ^= x2; \ y2 = y0 | y1; \ y2 ^= y3; \ y2 ^= x3; \ x1 = ~ x1; \ x1 |= x0; \ y3 ^= x1; \ } while (0) /* S6 inverse: 15 10 1 13 5 3 6 0 4 9 14 7 2 12 8 11 */ /* Original single-assignment form: t01 = x0 ^ x2; t02 = ~ x2; t03 = x1 & t01; t04 = x1 | t02; t05 = x3 | t03; t06 = x1 ^ x3; t07 = x0 & t04; t08 = x0 | t02; t09 = t07 ^ t05; y1 = t06 ^ t08; y0 = ~ t09; t12 = x1 & y0; t13 = t01 & t05; t14 = t01 ^ t12; t15 = t07 ^ t13; t16 = x3 | t02; t17 = x0 ^ y1; y3 = t17 ^ t15; y2 = t16 ^ t14; */ #define SBOX6_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y2 = x0 ^ x2; \ x2 = ~ x2; \ y0 = x1 ^ x3; \ y1 = x0 | x2; \ y1 ^= y0; \ y3 = x1 & y2; \ y3 |= x3; \ x3 |= x2; \ x2 |= x1; \ x2 &= x0; \ y0 = x2 ^ y3; \ y0 = ~ y0; \ y3 &= y2; \ y3 ^= x2; \ x0 ^= y1; \ y3 ^= x0; \ x1 &= y0; \ y2 ^= x1; \ y2 ^= x3; \ } while (0) /* S7 inverse: 3 0 6 13 9 14 15 8 5 12 11 7 10 1 4 2 */ /* Original single-assignment form: t01 = x0 & x1; t02 = x0 | x1; t03 = x2 | t01; t04 = x3 & t02; y3 = t03 ^ t04; t06 = x1 ^ t04; t07 = x3 ^ y3; t08 = ~ t07; t09 = t06 | t08; t10 = x1 ^ x3; t11 = x0 | x3; y1 = x0 ^ t09; t13 = x2 ^ t06; t14 = x2 & t11; t15 = x3 | y1; t16 = t01 | t10; y0 = t13 ^ t15; y2 = t14 ^ t16; */ #define SBOX7_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x0 & x1; \ y2 = x1 ^ x3; \ y2 |= y3; \ y1 = x0 | x3; \ y1 &= x2; \ y2 ^= y1; \ y3 |= x2; \ y0 = x0 | x1; \ y0 &= x3; \ y3 ^= y0; \ y0 ^= x1; \ y1 = x3 ^ y3; \ y1 = ~ y1; \ y1 |= y0; \ y0 ^= x2; \ y1 ^= x0; \ x3 |= y1; \ y0 ^= x3; \ } while (0) /* In-place inverse linear transformation. */ #define LINEAR_TRANSFORMATION_INVERSE(x0,x1,x2,x3) \ do { \ x2 = ROTL32 (10, x2); \ x0 = ROTL32 (27, x0); \ x2 = x2 ^ x3 ^ (x1 << 7); \ x0 = x0 ^ x1 ^ x3; \ x3 = ROTL32 (25, x3); \ x1 = ROTL32 (31, x1); \ x3 = x3 ^ x2 ^ (x0 << 3); \ x1 = x1 ^ x0 ^ x2; \ x2 = ROTL32 (29, x2); \ x0 = ROTL32 (19, x0); \ } while (0) /* Round inputs are x0,x1,x2,x3 (destroyed), and round outputs are y0,y1,y2,y3. */ #define ROUND_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ LINEAR_TRANSFORMATION_INVERSE (x0,x1,x2,x3); \ SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \ KEYXOR(y0,y1,y2,y3, subkey); \ } while (0) #if HAVE_NATIVE_64_BIT /* In-place inverse linear transformation. */ #define LINEAR_TRANSFORMATION64_INVERSE(x0,x1,x2,x3) \ do { \ x2 = DROTL32 (10, x2); \ x0 = DROTL32 (27, x0); \ x2 = x2 ^ x3 ^ DRSHIFT32(7, x1); \ x0 = x0 ^ x1 ^ x3; \ x3 = DROTL32 (25, x3); \ x1 = DROTL32 (31, x1); \ x3 = x3 ^ x2 ^ DRSHIFT32(3, x0); \ x1 = x1 ^ x0 ^ x2; \ x2 = DROTL32 (29, x2); \ x0 = DROTL32 (19, x0); \ } while (0) #define ROUND64_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ LINEAR_TRANSFORMATION64_INVERSE (x0,x1,x2,x3); \ SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \ KEYXOR64(y0,y1,y2,y3, subkey); \ } while (0) #endif /* HAVE_NATIVE_64_BIT */ void serpent_decrypt (const struct serpent_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); #if HAVE_NATIVE_64_BIT if (length & SERPENT_BLOCK_SIZE) #else while (length >= SERPENT_BLOCK_SIZE) #endif { uint32_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); /* Inverse of special round */ KEYXOR (x0,x1,x2,x3, ctx->keys[32]); SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3); KEYXOR (y0,y1,y2,y3, ctx->keys[31]); k = 24; goto start32; while (k > 0) { k -= 8; ROUND_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3); start32: ROUND_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3); } LE_WRITE_UINT32 (dst, x0); LE_WRITE_UINT32 (dst + 4, x1); LE_WRITE_UINT32 (dst + 8, x2); LE_WRITE_UINT32 (dst + 12, x3); src += SERPENT_BLOCK_SIZE; dst += SERPENT_BLOCK_SIZE; length -= SERPENT_BLOCK_SIZE; } #if HAVE_NATIVE_64_BIT FOR_BLOCKS(length, dst, src, 2*SERPENT_BLOCK_SIZE) { uint64_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); x0 <<= 32; x0 |= LE_READ_UINT32 (src + 16); x1 <<= 32; x1 |= LE_READ_UINT32 (src + 20); x2 <<= 32; x2 |= LE_READ_UINT32 (src + 24); x3 <<= 32; x3 |= LE_READ_UINT32 (src + 28); /* Inverse of special round */ KEYXOR64 (x0,x1,x2,x3, ctx->keys[32]); SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3); KEYXOR64 (y0,y1,y2,y3, ctx->keys[31]); k = 24; goto start64; while (k > 0) { k -= 8; ROUND64_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3); start64: ROUND64_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3); } LE_WRITE_UINT32 (dst + 16, x0); LE_WRITE_UINT32 (dst + 20, x1); LE_WRITE_UINT32 (dst + 24, x2); LE_WRITE_UINT32 (dst + 28, x3); x0 >>= 32; LE_WRITE_UINT32 (dst, x0); x1 >>= 32; LE_WRITE_UINT32 (dst + 4, x1); x2 >>= 32; LE_WRITE_UINT32 (dst + 8, x2); x3 >>= 32; LE_WRITE_UINT32 (dst + 12, x3); } #endif /* HAVE_NATIVE_64_BIT */ } nettle-4.0/serpent-encrypt.c0000644000000000000000000003476715141166424013131 0ustar00/* serpent-encrypt.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* S0: 3 8 15 1 10 6 5 11 14 13 4 2 7 0 9 12 */ /* Could easily let y0, y1 overlap with x0, x1, and possibly also x2 and y2 */ #define SBOX0(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x1 ^ x2; \ y0 = x0 | x3; \ y1 = x0 ^ x1; \ y3 ^= y0; \ y2 = x2 | y3; \ x0 ^= x3; \ y2 &= x3; \ x3 ^= x2; \ x2 |= x1; \ y0 = y1 & x2; \ y2 ^= y0; \ y0 &= y2; \ y0 ^= x2; \ x1 &= x0; \ y0 ^= x0; \ y0 = ~ y0; \ y1 = y0 ^ x1; \ y1 ^= x3; \ } while (0) /* FIXME: Arrange for some overlap between inputs and outputs? */ /* S1: 15 12 2 7 9 0 5 10 1 11 14 8 6 13 3 4 */ /* Original single-assignment form: t01 = x0 | x3; t02 = x2 ^ x3; t03 = ~ x1; t04 = x0 ^ x2; t05 = x0 | t03; t06 = x3 & t04; t07 = t01 & t02; t08 = x1 | t06; y2 = t02 ^ t05; t10 = t07 ^ t08; t11 = t01 ^ t10; t12 = y2 ^ t11; t13 = x1 & x3; y3 = ~ t10; y1 = t13 ^ t12; t16 = t10 | y1; t17 = t05 & t16; y0 = x2 ^ t17; */ #define SBOX1(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 | x3; \ y2 = x2 ^ x3; \ y0 = ~ x1; \ y3 = x0 ^ x2; \ y0 |= x0; \ y3 &= x3; \ x0 = y1 & y2; \ y3 |= x1; \ y2 ^= y0; \ y3 ^= x0; \ x0 = y1 ^ y3; \ x0 ^= y2; \ y1 = x1 & x3; \ y1 ^= x0; \ x3 = y1 | y3; \ y3 = ~ y3; \ y0 &= x3; \ y0 ^= x2; \ } while (0) /* FIXME: Arrange for some overlap between inputs and outputs? */ /* S2: 8 6 7 9 3 12 10 15 13 1 14 4 0 11 5 2 */ #define SBOX2(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y2 = x0 | x2; \ y1 = x0 ^ x1; \ y3 = x3 ^ y2; \ y0 = y1 ^ y3; \ x3 |= x0; \ x2 ^= y0; \ x0 = x1 ^ x2; \ x2 |= x1; \ x0 &= y2; \ y3 ^= x2; \ y1 |= y3; \ y1 ^= x0; \ y2 = y3 ^ y1; \ y2 ^= x1; \ y3 = ~ y3; \ y2 ^= x3; \ } while (0) /* S3: 0 15 11 8 12 9 6 3 13 1 2 4 10 7 5 14 */ /* Original single-assignment form: t01 = x0 ^ x2; t02 = x0 | x3; t03 = x0 & x3; t04 = t01 & t02; t05 = x1 | t03; t06 = x0 & x1; t07 = x3 ^ t04; t08 = x2 | t06; t09 = x1 ^ t07; t10 = x3 & t05; t11 = t02 ^ t10; y3 = t08 ^ t09; t13 = x3 | y3; t14 = x0 | t07; t15 = x1 & t13; y2 = t08 ^ t11; y0 = t14 ^ t15; y1 = t05 ^ t04; */ #define SBOX3(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 ^ x2; \ y0 = x0 | x3; \ y3 = x0 & x3; \ y1 &= y0; \ y3 |= x1; \ y2 = x0 & x1; \ y2 |= x2; \ x2 = x3 ^ y1; \ y1 ^= y3; \ x0 |= x2; \ x2 ^= x1; \ y3 &= x3; \ y0 ^= y3; \ y3 = y2 ^ x2; \ y2 ^= y0; \ x3 |= y3; \ x1 &= x3; \ y0 = x0 ^ x1; \ } while (0) /* S4: 1 15 8 3 12 0 11 6 2 5 4 10 9 14 7 13 */ /* Original single-assignment form: t01 = x0 | x1; t02 = x1 | x2; t03 = x0 ^ t02; t04 = x1 ^ x3; t05 = x3 | t03; t06 = x3 & t01; y3 = t03 ^ t06; t08 = y3 & t04; t09 = t04 & t05; t10 = x2 ^ t06; t11 = x1 & x2; t12 = t04 ^ t08; t13 = t11 | t03; t14 = t10 ^ t09; t15 = x0 & t05; t16 = t11 | t12; y2 = t13 ^ t08; y1 = t15 ^ t16; y0 = ~ t14; */ #define SBOX4(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x0 | x1; \ y2 = x1 | x2; \ y2 ^= x0; \ y3 &= x3; \ y0 = x1 ^ x3; \ x3 |= y2; \ x0 &= x3; \ x1 &= x2; \ x2 ^= y3; \ y3 ^= y2; \ y2 |= x1; \ y1 = y3 & y0; \ y2 ^= y1; \ y1 ^= y0; \ y1 |= x1; \ y1 ^= x0; \ y0 &= x3; \ y0 ^= x2; \ y0 = ~y0; \ } while (0) /* S5: 15 5 2 11 4 10 9 12 0 3 14 8 13 6 7 1 */ /* Original single-assignment form: t01 = x1 ^ x3; t02 = x1 | x3; t03 = x0 & t01; t04 = x2 ^ t02; t05 = t03 ^ t04; y0 = ~ t05; t07 = x0 ^ t01; t08 = x3 | y0; t09 = x1 | t05; t10 = x3 ^ t08; t11 = x1 | t07; t12 = t03 | y0; t13 = t07 | t10; t14 = t01 ^ t11; y2 = t09 ^ t13; y1 = t07 ^ t08; y3 = t12 ^ t14; */ #define SBOX5(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x1 | x3; \ y0 ^= x2; \ x2 = x1 ^ x3; \ y2 = x0 ^ x2; \ x0 &= x2; \ y0 ^= x0; \ y3 = x1 | y2; \ x1 |= y0; \ y0 = ~y0; \ x0 |= y0; \ y3 ^= x2; \ y3 ^= x0; \ y1 = x3 | y0; \ x3 ^= y1; \ y1 ^= y2; \ y2 |= x3; \ y2 ^= x1; \ } while (0) /* S6: 7 2 12 5 8 4 6 11 14 9 1 15 13 3 10 0 */ /* Original single-assignment form: t01 = x0 & x3; t02 = x1 ^ x2; t03 = x0 ^ x3; t04 = t01 ^ t02; t05 = x1 | x2; y1 = ~ t04; t07 = t03 & t05; t08 = x1 & y1; t09 = x0 | x2; t10 = t07 ^ t08; t11 = x1 | x3; t12 = x2 ^ t11; t13 = t09 ^ t10; y2 = ~ t13; t15 = y1 & t03; y3 = t12 ^ t07; t17 = x0 ^ x1; t18 = y2 ^ t15; y0 = t17 ^ t18; */ #define SBOX6(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x3; \ y1 = x0 & x3; \ y2 = x0 | x2; \ x3 |= x1; \ x3 ^= x2; \ x0 ^= x1; \ y3 = x1 | x2; \ x2 ^= x1; \ y3 &= y0; \ y1 ^= x2; \ y1 = ~y1; \ y0 &= y1; \ x1 &= y1; \ x1 ^= y3; \ y3 ^= x3; \ y2 ^= x1; \ y2 = ~y2; \ y0 ^= y2; \ y0 ^= x0; \ } while (0) /* S7: 1 13 15 0 14 8 2 11 7 4 12 10 9 3 5 6 */ /* Original single-assignment form: t01 = x0 & x2; t02 = ~ x3; t03 = x0 & t02; t04 = x1 | t01; t05 = x0 & x1; t06 = x2 ^ t04; y3 = t03 ^ t06; t08 = x2 | y3; t09 = x3 | t05; t10 = x0 ^ t08; t11 = t04 & y3; y1 = t09 ^ t10; t13 = x1 ^ y1; t14 = t01 ^ y1; t15 = x2 ^ t05; t16 = t11 | t13; t17 = t02 | t14; y0 = t15 ^ t17; y2 = x0 ^ t16; */ /* It appears impossible to do this with only 8 registers. We recompute t02, and t04 (if we have spare registers, hopefully the compiler can recognize them as common subexpressions). */ #define SBOX7(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 & x2; \ y3 = x1 | y0; /* t04 */ \ y3 ^= x2; \ y1 = ~x3; /* t02 */ \ y1 &= x0; \ y3 ^= y1; \ y1 = x2 | y3; \ y1 ^= x0; \ y2 = x0 & x1; \ x2 ^= y2; \ y2 |= x3; \ y1 ^= y2; \ y2 = x1 | y0; /* t04 */ \ y2 &= y3; \ x1 ^= y1; \ y2 |= x1; \ y2 ^= x0; \ y0 ^= y1; \ x3 = ~x3; /* t02 */ \ y0 |= x3; \ y0 ^= x2; \ } while (0) /* In-place linear transformation. */ #define LINEAR_TRANSFORMATION(x0,x1,x2,x3) \ do { \ x0 = ROTL32 (13, x0); \ x2 = ROTL32 (3, x2); \ x1 = x1 ^ x0 ^ x2; \ x3 = x3 ^ x2 ^ (x0 << 3); \ x1 = ROTL32 (1, x1); \ x3 = ROTL32 (7, x3); \ x0 = x0 ^ x1 ^ x3; \ x2 = x2 ^ x3 ^ (x1 << 7); \ x0 = ROTL32 (5, x0); \ x2 = ROTL32 (22, x2); \ } while (0) /* Round inputs are x0,x1,x2,x3 (destroyed), and round outputs are y0,y1,y2,y3. */ #define ROUND(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ KEYXOR(x0,x1,x2,x3, subkey); \ SBOX##which(x0,x1,x2,x3, y0,y1,y2,y3); \ LINEAR_TRANSFORMATION(y0,y1,y2,y3); \ } while (0) #if HAVE_NATIVE_64_BIT #define LINEAR_TRANSFORMATION64(x0,x1,x2,x3) \ do { \ x0 = DROTL32 (13, x0); \ x2 = DROTL32 (3, x2); \ x1 = x1 ^ x0 ^ x2; \ x3 = x3 ^ x2 ^ DRSHIFT32(3, x0); \ x1 = DROTL32 (1, x1); \ x3 = DROTL32 (7, x3); \ x0 = x0 ^ x1 ^ x3; \ x2 = x2 ^ x3 ^ DRSHIFT32(7, x1); \ x0 = DROTL32 (5, x0); \ x2 = DROTL32 (22, x2); \ } while (0) #define ROUND64(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ KEYXOR64(x0,x1,x2,x3, subkey); \ SBOX##which(x0,x1,x2,x3, y0,y1,y2,y3); \ LINEAR_TRANSFORMATION64(y0,y1,y2,y3); \ } while (0) #endif /* HAVE_NATIVE_64_BIT */ void serpent_encrypt (const struct serpent_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); #if HAVE_NATIVE_64_BIT if (length & SERPENT_BLOCK_SIZE) #else while (length >= SERPENT_BLOCK_SIZE) #endif { uint32_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); for (k = 0; ; k += 8) { ROUND (0, ctx->keys[k+0], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (1, ctx->keys[k+1], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (2, ctx->keys[k+2], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (3, ctx->keys[k+3], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (4, ctx->keys[k+4], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (5, ctx->keys[k+5], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (6, ctx->keys[k+6], x0,x1,x2,x3, y0,y1,y2,y3); if (k == 24) break; ROUND (7, ctx->keys[k+7], y0,y1,y2,y3, x0,x1,x2,x3); } /* Special final round, using two subkeys. */ KEYXOR (y0,y1,y2,y3, ctx->keys[31]); SBOX7 (y0,y1,y2,y3, x0,x1,x2,x3); KEYXOR (x0,x1,x2,x3, ctx->keys[32]); LE_WRITE_UINT32 (dst, x0); LE_WRITE_UINT32 (dst + 4, x1); LE_WRITE_UINT32 (dst + 8, x2); LE_WRITE_UINT32 (dst + 12, x3); src += SERPENT_BLOCK_SIZE; dst += SERPENT_BLOCK_SIZE; length -= SERPENT_BLOCK_SIZE; } #if HAVE_NATIVE_64_BIT FOR_BLOCKS(length, dst, src, 2*SERPENT_BLOCK_SIZE) { uint64_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); x0 <<= 32; x0 |= LE_READ_UINT32 (src + 16); x1 <<= 32; x1 |= LE_READ_UINT32 (src + 20); x2 <<= 32; x2 |= LE_READ_UINT32 (src + 24); x3 <<= 32; x3 |= LE_READ_UINT32 (src + 28); for (k = 0; ; k += 8) { ROUND64 (0, ctx->keys[k+0], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (1, ctx->keys[k+1], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (2, ctx->keys[k+2], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (3, ctx->keys[k+3], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (4, ctx->keys[k+4], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (5, ctx->keys[k+5], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (6, ctx->keys[k+6], x0,x1,x2,x3, y0,y1,y2,y3); if (k == 24) break; ROUND64 (7, ctx->keys[k+7], y0,y1,y2,y3, x0,x1,x2,x3); } /* Special final round, using two subkeys. */ KEYXOR64 (y0,y1,y2,y3, ctx->keys[31]); SBOX7 (y0,y1,y2,y3, x0,x1,x2,x3); KEYXOR64 (x0,x1,x2,x3, ctx->keys[32]); LE_WRITE_UINT32 (dst + 16, x0); LE_WRITE_UINT32 (dst + 20, x1); LE_WRITE_UINT32 (dst + 24, x2); LE_WRITE_UINT32 (dst + 28, x3); x0 >>= 32; LE_WRITE_UINT32 (dst, x0); x1 >>= 32; LE_WRITE_UINT32 (dst + 4, x1); x2 >>= 32; LE_WRITE_UINT32 (dst + 8, x2); x3 >>= 32; LE_WRITE_UINT32 (dst + 12, x3); } #endif /* HAVE_NATIVE_64_BIT */ } nettle-4.0/serpent-internal.h0000644000000000000000000000554715141166424013260 0ustar00/* serpent-internal-h The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #ifndef NETTLE_SERPENT_INTERNAL_H_INCLUDED #define NETTLE_SERPENT_INTERNAL_H_INCLUDED #define KEYXOR(x0,x1,x2,x3, subkey) \ do { \ (x0) ^= (subkey)[0]; \ (x1) ^= (subkey)[1]; \ (x2) ^= (subkey)[2]; \ (x3) ^= (subkey)[3]; \ } while (0) #if HAVE_NATIVE_64_BIT /* Operate independently on both halves of a 64-bit word. */ #define DROTL32(n,x) \ (((x) << (n) & ~((((uint64_t) 1 << (n))-1) << 32)) \ |(((x) >> (32-(n))) & ~((((uint64_t) 1 << (32-(n)))-1) << (n)))) #define KEYXOR64(x0,x1,x2,x3, subkey) \ do { \ uint64_t _sk; \ _sk = (subkey)[0]; _sk |= _sk << 32; (x0) ^= _sk; \ _sk = (subkey)[1]; _sk |= _sk << 32; (x1) ^= _sk; \ _sk = (subkey)[2]; _sk |= _sk << 32; (x2) ^= _sk; \ _sk = (subkey)[3]; _sk |= _sk << 32; (x3) ^= _sk; \ } while (0) #define DRSHIFT32(n,x) \ ( ((x) << (n)) & ~((((uint64_t) 1 << (n)) - 1) << 32)) #endif /* HAVE_NATIVE_64_BIT */ #endif /* NETTLE_SERPENT_INTERNAL_H_INCLUDED */ nettle-4.0/serpent-meta.c0000644000000000000000000000320215141166424012347 0ustar00/* serpent-meta.c Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "serpent.h" #define SERPENT(bits) { \ "serpent" #bits, \ sizeof(struct serpent_ctx), \ SERPENT_BLOCK_SIZE, \ SERPENT ## bits ##_KEY_SIZE, \ (nettle_set_key_func *) serpent ## bits ## _set_key, \ (nettle_set_key_func *) serpent ## bits ## _set_key, \ (nettle_cipher_func *) serpent_encrypt, \ (nettle_cipher_func *) serpent_decrypt \ } const struct nettle_cipher nettle_serpent128 = SERPENT(128); const struct nettle_cipher nettle_serpent192 = SERPENT(192); const struct nettle_cipher nettle_serpent256 = SERPENT(256); nettle-4.0/serpent-set-key.c0000644000000000000000000002402015141166424013003 0ustar00/* serpent-set-key.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011, 2014 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* Magic number, used during generating of the subkeys. */ #define PHI 0x9E3779B9 /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* FIXME: Except when used within the key schedule, the inputs are not used after the substitution, and hence we could allow them to be destroyed. Can this freedom be used to optimize the sboxes? */ #define SBOX0(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t05, t06, t07, t08, t09; \ type t11, t12, t13, t14, t15, t17, t01; \ t01 = b ^ c ; \ t02 = a | d ; \ t03 = a ^ b ; \ z = t02 ^ t01; \ t05 = c | z ; \ t06 = a ^ d ; \ t07 = b | c ; \ t08 = d & t05; \ t09 = t03 & t07; \ y = t09 ^ t08; \ t11 = t09 & y ; \ t12 = c ^ d ; \ t13 = t07 ^ t11; \ t14 = b & t06; \ t15 = t06 ^ t13; \ w = ~ t15; \ t17 = w ^ t14; \ x = t12 ^ t17; \ } while (0) #define SBOX1(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t07, t08; \ type t10, t11, t12, t13, t16, t17, t01; \ t01 = a | d ; \ t02 = c ^ d ; \ t03 = ~ b ; \ t04 = a ^ c ; \ t05 = a | t03; \ t06 = d & t04; \ t07 = t01 & t02; \ t08 = b | t06; \ y = t02 ^ t05; \ t10 = t07 ^ t08; \ t11 = t01 ^ t10; \ t12 = y ^ t11; \ t13 = b & d ; \ z = ~ t10; \ x = t13 ^ t12; \ t16 = t10 | x ; \ t17 = t05 & t16; \ w = c ^ t17; \ } while (0) #define SBOX2(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t05, t06, t07, t08; \ type t09, t10, t12, t13, t14, t01; \ t01 = a | c ; \ t02 = a ^ b ; \ t03 = d ^ t01; \ w = t02 ^ t03; \ t05 = c ^ w ; \ t06 = b ^ t05; \ t07 = b | t05; \ t08 = t01 & t06; \ t09 = t03 ^ t07; \ t10 = t02 | t09; \ x = t10 ^ t08; \ t12 = a | d ; \ t13 = t09 ^ x ; \ t14 = b ^ t13; \ z = ~ t09; \ y = t12 ^ t14; \ } while (0) #define SBOX3(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t07, t08; \ type t09, t10, t11, t13, t14, t15, t01; \ t01 = a ^ c ; \ t02 = a | d ; \ t03 = a & d ; \ t04 = t01 & t02; \ t05 = b | t03; \ t06 = a & b ; \ t07 = d ^ t04; \ t08 = c | t06; \ t09 = b ^ t07; \ t10 = d & t05; \ t11 = t02 ^ t10; \ z = t08 ^ t09; \ t13 = d | z ; \ t14 = a | t07; \ t15 = b & t13; \ y = t08 ^ t11; \ w = t14 ^ t15; \ x = t05 ^ t04; \ } while (0) #define SBOX4(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t08, t09; \ type t10, t11, t12, t13, t14, t15, t16, t01; \ t01 = a | b ; \ t02 = b | c ; \ t03 = a ^ t02; \ t04 = b ^ d ; \ t05 = d | t03; \ t06 = d & t01; \ z = t03 ^ t06; \ t08 = z & t04; \ t09 = t04 & t05; \ t10 = c ^ t06; \ t11 = b & c ; \ t12 = t04 ^ t08; \ t13 = t11 | t03; \ t14 = t10 ^ t09; \ t15 = a & t05; \ t16 = t11 | t12; \ y = t13 ^ t08; \ x = t15 ^ t16; \ w = ~ t14; \ } while (0) #define SBOX5(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t07, t08, t09; \ type t10, t11, t12, t13, t14, t01; \ t01 = b ^ d ; \ t02 = b | d ; \ t03 = a & t01; \ t04 = c ^ t02; \ t05 = t03 ^ t04; \ w = ~ t05; \ t07 = a ^ t01; \ t08 = d | w ; \ t09 = b | t05; \ t10 = d ^ t08; \ t11 = b | t07; \ t12 = t03 | w ; \ t13 = t07 | t10; \ t14 = t01 ^ t11; \ y = t09 ^ t13; \ x = t07 ^ t08; \ z = t12 ^ t14; \ } while (0) #define SBOX6(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t07, t08, t09, t10; \ type t11, t12, t13, t15, t17, t18, t01; \ t01 = a & d ; \ t02 = b ^ c ; \ t03 = a ^ d ; \ t04 = t01 ^ t02; \ t05 = b | c ; \ x = ~ t04; \ t07 = t03 & t05; \ t08 = b & x ; \ t09 = a | c ; \ t10 = t07 ^ t08; \ t11 = b | d ; \ t12 = c ^ t11; \ t13 = t09 ^ t10; \ y = ~ t13; \ t15 = x & t03; \ z = t12 ^ t07; \ t17 = a ^ b ; \ t18 = y ^ t15; \ w = t17 ^ t18; \ } while (0) #define SBOX7(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t08, t09, t10; \ type t11, t13, t14, t15, t16, t17, t01; \ t01 = a & c ; \ t02 = ~ d ; \ t03 = a & t02; \ t04 = b | t01; \ t05 = a & b ; \ t06 = c ^ t04; \ z = t03 ^ t06; \ t08 = c | z ; \ t09 = d | t05; \ t10 = a ^ t08; \ t11 = t04 & z ; \ x = t09 ^ t10; \ t13 = b ^ x ; \ t14 = t01 ^ x ; \ t15 = c ^ t05; \ t16 = t11 | t13; \ t17 = t02 | t14; \ w = t15 ^ t17; \ y = a ^ t16; \ } while (0) /* Key schedule */ /* Note: Increments k */ #define KS_RECURRENCE(w, i, k) \ do { \ uint32_t _wn = (w)[(i)] ^ (w)[((i)+3)&7] ^ w[((i)+5)&7] \ ^ w[((i)+7)&7] ^ PHI ^ (k)++; \ ((w)[(i)] = ROTL32(11, _wn)); \ } while (0) /* Note: Increments k four times and keys once */ #define KS(keys, s, w, i, k) \ do { \ KS_RECURRENCE(w, (i), (k)); \ KS_RECURRENCE(w, (i)+1, (k)); \ KS_RECURRENCE(w, (i)+2, (k)); \ KS_RECURRENCE(w, (i)+3, (k)); \ SBOX##s(uint32_t, w[(i)],w[(i)+1],w[(i)+2],w[(i)+3], \ (*keys)[0],(*keys)[1],(*keys)[2],(*keys)[3]); \ (keys)++; \ } while (0) /* Pad user key and convert to an array of 8 uint32_t. */ static void serpent_key_pad (const uint8_t *key, unsigned int key_length, uint32_t *w) { unsigned int i; assert (key_length <= SERPENT_MAX_KEY_SIZE); for (i = 0; key_length >= 4; key_length -=4, key += 4) w[i++] = LE_READ_UINT32(key); if (i < 8) { /* Key must be padded according to the Serpent specification. "aabbcc" -> "aabbcc0100...00" -> 0x01ccbbaa. */ uint32_t pad = 0x01; while (key_length > 0) pad = pad << 8 | key[--key_length]; w[i++] = pad; while (i < 8) w[i++] = 0; } } /* Initialize CONTEXT with the key KEY of LENGTH bytes. */ void serpent_set_key (struct serpent_ctx *ctx, size_t length, const uint8_t * key) { uint32_t w[8]; uint32_t (*keys)[4]; unsigned k; serpent_key_pad (key, length, w); /* Derive the 33 subkeys from KEY and store them in SUBKEYS. We do the recurrence in the key schedule using W as a circular buffer of just 8 uint32_t. */ /* FIXME: Would be better to invoke SBOX with scalar variables as arguments, no arrays. To do that, unpack w into separate variables, use temporary variables as the SBOX destination. */ keys = ctx->keys; k = 0; for (;;) { KS(keys, 3, w, 0, k); if (k == 132) break; KS(keys, 2, w, 4, k); KS(keys, 1, w, 0, k); KS(keys, 0, w, 4, k); KS(keys, 7, w, 0, k); KS(keys, 6, w, 4, k); KS(keys, 5, w, 0, k); KS(keys, 4, w, 4, k); } assert (keys == ctx->keys + 33); } void serpent128_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT128_KEY_SIZE, key); } void serpent192_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT192_KEY_SIZE, key); } void serpent256_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT256_KEY_SIZE, key); } nettle-4.0/serpent.h0000644000000000000000000000570715141166424011444 0ustar00/* serpent.h The serpent block cipher. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Serpent is a 128-bit block cipher that accepts a key size of 256 * bits, designed by Ross Anderson, Eli Biham, and Lars Knudsen. See * http://www.cl.cam.ac.uk/~rja14/serpent.html for details. */ #ifndef NETTLE_SERPENT_H_INCLUDED #define NETTLE_SERPENT_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define serpent_set_key nettle_serpent_set_key #define serpent128_set_key nettle_serpent128_set_key #define serpent192_set_key nettle_serpent192_set_key #define serpent256_set_key nettle_serpent256_set_key #define serpent_encrypt nettle_serpent_encrypt #define serpent_decrypt nettle_serpent_decrypt #define SERPENT_BLOCK_SIZE 16 /* Other key lengths are possible, but the design of Serpent makes * smaller key lengths quite pointless; they cheated with the AES * requirements, using a 256-bit key length exclusively and just * padding it out if the desired key length was less, so there really * is no advantage to using key lengths less than 256 bits. */ #define SERPENT_KEY_SIZE 32 /* Allow keys of size 128 <= bits <= 256 */ #define SERPENT_MIN_KEY_SIZE 16 #define SERPENT_MAX_KEY_SIZE 32 #define SERPENT128_KEY_SIZE 16 #define SERPENT192_KEY_SIZE 24 #define SERPENT256_KEY_SIZE 32 struct serpent_ctx { uint32_t keys[33][4]; /* key schedule */ }; void serpent_set_key(struct serpent_ctx *ctx, size_t length, const uint8_t *key); void serpent128_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent192_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent256_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent_encrypt(const struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void serpent_decrypt(const struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SERPENT_H_INCLUDED */ nettle-4.0/sexp-format.c0000644000000000000000000001466515141166424012227 0ustar00/* sexp-format.c Writing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "sexp.h" #include "buffer.h" #include "bignum.h" static unsigned format_prefix(struct nettle_buffer *buffer, size_t length) { size_t digit = 1; unsigned prefix_length = 1; for (;;) { size_t next = digit * 10; if (next > length) break; prefix_length++; digit = next; } if (buffer) { for (; digit; length %= digit, digit /= 10) if (!NETTLE_BUFFER_PUTC(buffer, '0' + length / digit)) return 0; if (!NETTLE_BUFFER_PUTC(buffer, ':')) return 0; } return prefix_length + 1; } static size_t format_string(struct nettle_buffer *buffer, size_t length, const uint8_t *s) { unsigned prefix_length = format_prefix(buffer, length); if (!prefix_length) return 0; if (buffer && !nettle_buffer_write(buffer, length, s)) return 0; return prefix_length + length; } static inline size_t strlen_u8 (const uint8_t *s) { return strlen((const char*) s); } size_t sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { unsigned nesting = 0; size_t done = 0; for (;;) switch (*format++) { default: { const char *start = format - 1; size_t length = 1 + strcspn(format, "()% \t"); size_t output_length = format_string(buffer, length, (const uint8_t *) start); if (!output_length) return 0; done += output_length; format = start + length; break; } case ' ': case '\t': break; case '\0': assert(!nesting); return done; case '(': if (buffer && !NETTLE_BUFFER_PUTC(buffer, '(')) return 0; done++; nesting++; break; case ')': assert (nesting); if (buffer && !NETTLE_BUFFER_PUTC(buffer, ')')) return 0; done++; nesting--; break; case '%': { int nul_flag = 0; if (*format == '0') { format++; nul_flag = 1; } switch (*format++) { default: abort(); case '(': case ')': /* Allow unbalanced parenthesis */ if (buffer && !NETTLE_BUFFER_PUTC(buffer, format[-1])) return 0; done++; break; case 's': { const uint8_t *s; size_t length; size_t output_length; if (nul_flag) { s = va_arg(args, const uint8_t *); length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); } output_length = format_string(buffer, length, s); if (!output_length) return 0; done += output_length; break; } case 't': { const uint8_t *s; size_t length; size_t output_length; if (nul_flag) { s = va_arg(args, const uint8_t *); if (!s) break; length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); if (!s) break; } if (buffer && !NETTLE_BUFFER_PUTC(buffer, '[')) return 0; done++; output_length = format_string(buffer, length, s); if (!output_length) return 0; done += output_length; if (buffer && !NETTLE_BUFFER_PUTC(buffer, ']')) return 0; done++; break; } case 'l': { const uint8_t *s; size_t length; if (nul_flag) { s = va_arg(args, const uint8_t *); length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); } if (buffer && !nettle_buffer_write(buffer, length, s)) return 0; done += length; break; } case 'i': { uint32_t x = va_arg(args, uint32_t); unsigned length; if (x < 0x80) length = 1; else if (x < 0x8000L) length = 2; else if (x < 0x800000L) length = 3; else if (x < 0x80000000L) length = 4; else length = 5; if (buffer && !(NETTLE_BUFFER_PUTC(buffer, '0' + length) && NETTLE_BUFFER_PUTC(buffer, ':'))) return 0; done += (2 + length); if (buffer) switch(length) { case 5: /* Leading byte needed for the sign. */ if (!NETTLE_BUFFER_PUTC(buffer, 0)) return 0; /* Fall through */ case 4: if (!NETTLE_BUFFER_PUTC(buffer, x >> 24)) return 0; /* Fall through */ case 3: if (!NETTLE_BUFFER_PUTC(buffer, (x >> 16) & 0xff)) return 0; /* Fall through */ case 2: if (!NETTLE_BUFFER_PUTC(buffer, (x >> 8) & 0xff)) return 0; /* Fall through */ case 1: if (!NETTLE_BUFFER_PUTC(buffer, x & 0xff)) return 0; break; default: abort(); } break; } case 'b': { mpz_srcptr n = va_arg(args, mpz_srcptr); size_t length; unsigned prefix_length; length = nettle_mpz_sizeinbase_256_s(n); prefix_length = format_prefix(buffer, length); if (!prefix_length) return 0; done += prefix_length; if (buffer) { uint8_t *space = nettle_buffer_space(buffer, length); if (!space) return 0; nettle_mpz_get_str_256(length, space, n); } done += length; break; } } } } } size_t sexp_format(struct nettle_buffer *buffer, const char *format, ...) { va_list args; size_t done; va_start(args, format); done = sexp_vformat(buffer, format, args); va_end(args); return done; } nettle-4.0/sexp-transport-format.c0000644000000000000000000000426515141166424014254 0ustar00/* sexp-transport-format.c Writing s-expressions in transport format. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sexp.h" #include "base64.h" #include "buffer.h" static inline void base64_encode_in_place (size_t length, uint8_t *data) { base64_encode_raw ((char *) data, length, data); } size_t sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { size_t start = 0; size_t length; size_t base64_length; if (buffer) { if (!NETTLE_BUFFER_PUTC(buffer, '{')) return 0; start = buffer->size; } length = sexp_vformat(buffer, format, args); if (!length) return 0; base64_length = BASE64_ENCODE_RAW_LENGTH(length); if (buffer) { if (!nettle_buffer_space(buffer, base64_length - length)) return 0; base64_encode_in_place(length, buffer->contents + start); if (!NETTLE_BUFFER_PUTC(buffer, '}')) return 0; } return base64_length + 2; } size_t sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...) { size_t done; va_list args; va_start(args, format); done = sexp_transport_vformat(buffer, format, args); va_end(args); return done; } nettle-4.0/sexp-transport.c0000644000000000000000000000607115141166424012763 0ustar00/* sexp-transport.c Parsing s-expressions in transport format. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sexp.h" #include "base64.h" /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, size_t length, uint8_t *input) { /* We first base64 decode any transport encoded sexp at the start of * the input. */ size_t in = 0; size_t out = 0; while (in < length) switch(input[in]) { case ' ': /* SPC, TAB, LF, CR */ case '\t': case '\n': case '\r': in++; break; case ';': /* Comments */ while (++in < length && input[in] != '\n') ; break; case '{': { /* Found transport encoding */ struct base64_decode_ctx ctx; size_t coded_length; size_t end; for (end = ++in; end < length && input[end] != '}'; end++) ; if (end == length) return 0; base64_decode_init(&ctx); coded_length = end - in; if (base64_decode_update(&ctx, &coded_length, input + out, end - in, (const char*) (input + in)) && base64_decode_final(&ctx)) { out += coded_length; in = end + 1; } else return 0; break; } default: /* Expression isn't in transport encoding. Rest of the input * should be in canonical encoding. */ goto transport_done; } transport_done: /* Here, we have two, possibly empty, input parts in canonical * encoding: * * 0...out-1, in...length -1 * * If the input was already in canonical encoding, out = 0 and in = * amount of leading space. * * If all input was in transport encoding, in == length. */ if (!out) { input += in; length -= in; } else if (in == length) length = out; else if (out == in) /* Unusual case, nothing happens */ ; else { /* Both parts non-empty */ assert(out < in); memmove(input + out, input + in, length - in); length -= (in - out); } return sexp_iterator_first(iterator, length, input); } nettle-4.0/sexp.c0000644000000000000000000002052615141166424010732 0ustar00/* sexp.c Parsing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sexp.h" #include "macros.h" #include "nettle-internal.h" /* Initializes the iterator, but one has to call next to get to the * first element. */ static void sexp_iterator_init(struct sexp_iterator *iterator, unsigned length, const uint8_t *input) { iterator->length = length; iterator->buffer = input; iterator->pos = 0; iterator->level = 0; iterator->type = SEXP_END; /* Value doesn't matter */ iterator->display_length = 0; iterator->display = NULL; iterator->atom_length = 0; iterator->atom = NULL; } #define EMPTY(i) ((i)->pos == (i)->length) #define NEXT(i) ((i)->buffer[(i)->pos++]) static int sexp_iterator_simple(struct sexp_iterator *iterator, size_t *size, const uint8_t **string) { unsigned length = 0; uint8_t c; if (EMPTY(iterator)) return 0; c = NEXT(iterator); if (EMPTY(iterator)) return 0; if (c >= '1' && c <= '9') do { length = length * 10 + (c - '0'); /* >= to account for ':' character */ if (length >= (iterator->length - iterator->pos)) return 0; if (EMPTY(iterator)) return 0; c = NEXT(iterator); } while (c >= '0' && c <= '9'); else if (c == '0') /* There can be only one */ c = NEXT(iterator); else return 0; if (c != ':') return 0; *size = length; *string = iterator->buffer + iterator->pos; iterator->pos += length; return 1; } /* All these functions return 1 on success, 0 on failure */ /* Look at the current position in the data. Sets iterator->type, and * ignores the old value. */ static int sexp_iterator_parse(struct sexp_iterator *iterator) { iterator->start = iterator->pos; if (EMPTY(iterator)) { if (iterator->level) return 0; iterator->type = SEXP_END; return 1; } switch (iterator->buffer[iterator->pos]) { case '(': /* A list */ iterator->type = SEXP_LIST; return 1; case ')': if (!iterator->level) return 0; iterator->pos++; iterator->type = SEXP_END; return 1; case '[': /* Atom with display type */ iterator->pos++; if (!sexp_iterator_simple(iterator, &iterator->display_length, &iterator->display)) return 0; if (EMPTY(iterator) || NEXT(iterator) != ']') return 0; break; default: /* Must be either a decimal digit or a syntax error. * Errors are detected by sexp_iterator_simple. */ iterator->display_length = 0; iterator->display = NULL; break; } iterator->type = SEXP_ATOM; return sexp_iterator_simple(iterator, &iterator->atom_length, &iterator->atom); } int sexp_iterator_first(struct sexp_iterator *iterator, size_t length, const uint8_t *input) { sexp_iterator_init(iterator, length, input); return sexp_iterator_parse(iterator); } int sexp_iterator_next(struct sexp_iterator *iterator) { switch (iterator->type) { case SEXP_END: return 1; case SEXP_LIST: /* Skip this list */ return sexp_iterator_enter_list(iterator) && sexp_iterator_exit_list(iterator); case SEXP_ATOM: /* iterator->pos should already point at the start of the next * element. */ return sexp_iterator_parse(iterator); } /* If we get here, we have a bug. */ abort(); } /* Current element must be a list. */ int sexp_iterator_enter_list(struct sexp_iterator *iterator) { if (iterator->type != SEXP_LIST) return 0; if (EMPTY(iterator) || NEXT(iterator) != '(') /* Internal error */ abort(); iterator->level++; return sexp_iterator_parse(iterator); } /* Skips the rest of the current list */ int sexp_iterator_exit_list(struct sexp_iterator *iterator) { if (!iterator->level) return 0; unsigned start_level = iterator->level; for (;;) switch (iterator->type) { case SEXP_END: iterator->level--; if (!sexp_iterator_parse (iterator)) return 0; if (iterator->level < start_level) return 1; break; case SEXP_ATOM: if (!sexp_iterator_parse (iterator)) return 0; break; case SEXP_LIST: if (!sexp_iterator_enter_list (iterator)) return 0; break; default: abort (); } } const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, size_t *length) { size_t start = iterator->start; if (!sexp_iterator_next(iterator)) return 0; *length = iterator->start - start; return iterator->buffer + start; } int sexp_iterator_get_uint32(struct sexp_iterator *iterator, uint32_t *x) { if (iterator->type == SEXP_ATOM && !iterator->display && iterator->atom_length && iterator->atom[0] < 0x80) { size_t length = iterator->atom_length; const uint8_t *p = iterator->atom; /* Skip leading zeros. */ while(length && !*p) { length--; p++; } switch(length) { case 0: *x = 0; break; case 1: *x = p[0]; break; case 2: *x = READ_UINT16(p); break; case 3: *x = READ_UINT24(p); break; case 4: *x = READ_UINT32(p); break; default: return 0; } return sexp_iterator_next(iterator); } return 0; } int sexp_iterator_check_type(struct sexp_iterator *iterator, const char *type) { return (sexp_iterator_enter_list(iterator) && iterator->type == SEXP_ATOM && !iterator->display && strlen(type) == iterator->atom_length && !memcmp(type, iterator->atom, iterator->atom_length) && sexp_iterator_next(iterator)); } const char * sexp_iterator_check_types(struct sexp_iterator *iterator, unsigned ntypes, const char * const *types) { if (sexp_iterator_enter_list(iterator) && iterator->type == SEXP_ATOM && !iterator->display) { unsigned i; for (i = 0; iatom_length && !memcmp(types[i], iterator->atom, iterator->atom_length)) return sexp_iterator_next(iterator) ? types[i] : NULL; } return NULL; } int sexp_iterator_assoc(struct sexp_iterator *iterator, unsigned nkeys, const char * const *keys, struct sexp_iterator *values) { TMP_DECL(found, int, NETTLE_MAX_SEXP_ASSOC); unsigned nfound; unsigned i; TMP_ALLOC(found, nkeys); for (i = 0; itype) { case SEXP_LIST: if (!sexp_iterator_enter_list(iterator)) return 0; if (iterator->type == SEXP_ATOM && !iterator->display) { /* Compare to the given keys */ for (i = 0; iatom_length && !memcmp(keys[i], iterator->atom, iterator->atom_length)) { if (found[i]) /* We don't allow duplicates */ return 0; /* Advance to point to value */ if (!sexp_iterator_next(iterator)) return 0; found[i] = 1; nfound++; /* Record this position. */ values[i] = *iterator; break; } } } if (!sexp_iterator_exit_list(iterator)) return 0; break; case SEXP_ATOM: /* Just ignore */ if (!sexp_iterator_next(iterator)) return 0; break; case SEXP_END: return sexp_iterator_exit_list(iterator) && (nfound == nkeys); default: abort(); } } } nettle-4.0/sexp.h0000644000000000000000000001324515141166424010737 0ustar00/* sexp.h Parsing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SEXP_H_INCLUDED #define NETTLE_SEXP_H_INCLUDED #include #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sexp_iterator_first nettle_sexp_iterator_first #define sexp_transport_iterator_first nettle_sexp_transport_iterator_first #define sexp_iterator_next nettle_sexp_iterator_next #define sexp_iterator_enter_list nettle_sexp_iterator_enter_list #define sexp_iterator_exit_list nettle_sexp_iterator_exit_list #define sexp_iterator_subexpr nettle_sexp_iterator_subexpr #define sexp_iterator_get_uint32 nettle_sexp_iterator_get_uint32 #define sexp_iterator_check_type nettle_sexp_iterator_check_type #define sexp_iterator_check_types nettle_sexp_iterator_check_types #define sexp_iterator_assoc nettle_sexp_iterator_assoc #define sexp_format nettle_sexp_format #define sexp_vformat nettle_sexp_vformat #define sexp_transport_format nettle_sexp_transport_format #define sexp_transport_vformat nettle_sexp_transport_vformat #define sexp_token_chars nettle_sexp_token_chars enum sexp_type { SEXP_ATOM, SEXP_LIST, SEXP_END }; struct sexp_iterator { size_t length; const uint8_t *buffer; /* Points at the start of the current sub expression. */ size_t start; /* If type is SEXP_LIST, pos points at the start of the current * element. Otherwise, it points at the end. */ size_t pos; unsigned level; enum sexp_type type; size_t display_length; const uint8_t *display; size_t atom_length; const uint8_t *atom; }; /* All these functions return 1 on success, 0 on failure */ /* Initializes the iterator. */ int sexp_iterator_first(struct sexp_iterator *iterator, size_t length, const uint8_t *input); /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, size_t length, uint8_t *input); int sexp_iterator_next(struct sexp_iterator *iterator); /* Current element must be a list. */ int sexp_iterator_enter_list(struct sexp_iterator *iterator); /* Skips the rest of the current list */ int sexp_iterator_exit_list(struct sexp_iterator *iterator); /* Gets start and length of the current subexpression. Implies * sexp_iterator_next. */ const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, size_t *length); int sexp_iterator_get_uint32(struct sexp_iterator *iterator, uint32_t *x); /* Checks the type of the current expression, which should be a list * * ( ...) */ int sexp_iterator_check_type(struct sexp_iterator *iterator, const char *type); const char * sexp_iterator_check_types(struct sexp_iterator *iterator, unsigned ntypes, const char * const *types); /* Current element must be a list. Looks up element of type * * (key rest...) * * For a matching key, the corresponding iterator is initialized * pointing at the start of REST. * * On success, exits the current list. */ int sexp_iterator_assoc(struct sexp_iterator *iterator, unsigned nkeys, const char * const *keys, struct sexp_iterator *values); /* Output functions. What is a reasonable API for this? It seems * ugly to have to reimplement string streams. */ /* Declared for real in buffer.h */ struct nettle_buffer; /* Returns the number of output characters, or 0 on out of memory. If * buffer == NULL, just compute length. * * Format strings can contained matched parentheses, tokens ("foo" in * the format string is formatted as "3:foo"), whitespace (which * separates tokens but is otherwise ignored) and the following * formatting specifiers: * * %s String represented as size_t length, const uint8_t *data. * * %t Optional display type, represented as * size_t display_length, const uint8_t *display, * display == NULL means no display type. * * %i Non-negative small integer, uint32_t. * * %b Non-negative bignum, mpz_t. * * %l Literal string (no length added), typically a balanced * subexpression. Represented as size_t length, const uint8_t * *data. * * %(, %) Allows insertion of unbalanced parenthesis. * * Modifiers: * * %0 For %s, %t and %l, says that there's no length argument, * instead the string is NUL-terminated, and there's only one * const uint8_t * argument. */ size_t sexp_format(struct nettle_buffer *buffer, const char *format, ...); size_t sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args); size_t sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...); size_t sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args); #ifdef __cplusplus } #endif #endif /* NETTLE_SEXP_H_INCLUDED */ nettle-4.0/sexp2bignum.c0000644000000000000000000000316615141166424012217 0ustar00/* sexp2bignum.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sexp.h" #include "bignum.h" int nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i) { if (i->type == SEXP_ATOM && i->atom_length && !i->display) { /* Allow some extra here, for leading sign octets. */ if (limit && (8 * i->atom_length > (16 + limit))) return 0; nettle_mpz_set_str_256_s(x, i->atom_length, i->atom); /* FIXME: How to interpret a limit for negative numbers? */ if (limit && mpz_sizeinbase(x, 2) > limit) return 0; return sexp_iterator_next(i); } else return 0; } nettle-4.0/sexp2dsa.c0000644000000000000000000000715715141166424011511 0ustar00/* sexp2dsa.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "bignum.h" #include "sexp.h" #define GET(x, l, v) \ do { \ if (!nettle_mpz_set_sexp((x), (l), (v)) \ || mpz_sgn(x) <= 0) \ return 0; \ } while(0) /* Iterator should point past the algorithm tag, e.g. * * (public-key (dsa (p |xxxx|) ...) * ^ here */ int dsa_keypair_from_sexp_alist(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i) { static const char * const names[5] = { "p", "q", "g", "y", "x" }; struct sexp_iterator values[5]; unsigned nvalues = priv ? 5 : 4; unsigned p_bits; if (!sexp_iterator_assoc(i, nvalues, names, values)) return 0; GET(params->p, p_max_bits, &values[0]); p_bits = mpz_sizeinbase (params->p, 2); GET(params->q, q_bits ? q_bits : p_bits, &values[1]); if (q_bits > 0 && mpz_sizeinbase(params->q, 2) != q_bits) return 0; if (mpz_cmp (params->q, params->p) >= 0) return 0; GET(params->g, p_bits, &values[2]); if (mpz_cmp (params->g, params->p) >= 0) return 0; GET(pub, p_bits, &values[3]); if (mpz_cmp (pub, params->p) >= 0) return 0; if (priv) { GET(priv, mpz_sizeinbase (params->q, 2), &values[4]); if (mpz_cmp (priv, params->q) >= 0) return 0; } return 1; } int dsa_sha1_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa") && dsa_keypair_from_sexp_alist(params, pub, priv, p_max_bits, DSA_SHA1_Q_BITS, &i); } int dsa_sha256_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa-sha256") && dsa_keypair_from_sexp_alist(params, pub, priv, p_max_bits, DSA_SHA256_Q_BITS, &i); } int dsa_signature_from_sexp(struct dsa_signature *rs, struct sexp_iterator *i, unsigned q_bits) { static const char * const names[2] = { "r", "s" }; struct sexp_iterator values[2]; if (!sexp_iterator_assoc(i, 2, names, values)) return 0; GET(rs->r, q_bits, &values[0]); GET(rs->s, q_bits, &values[1]); return 1; } nettle-4.0/sexp2rsa.c0000644000000000000000000000542715141166424011525 0ustar00/* sexp2rsa.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "sexp.h" #define GET(x, l, v) \ do { \ if (!nettle_mpz_set_sexp((x), (l), (v)) \ || mpz_sgn(x) <= 0) \ return 0; \ } while(0) /* Iterator should point past the algorithm tag, e.g. * * (public-key (rsa (n |xxxx|) (e |xxxx|)) * ^ here */ int rsa_keypair_from_sexp_alist(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct sexp_iterator *i) { static const char * const names[8] = { "n", "e", "d", "p", "q", "a", "b", "c" }; struct sexp_iterator values[8]; unsigned nvalues = priv ? 8 : 2; if (!sexp_iterator_assoc(i, nvalues, names, values)) return 0; if (priv) { GET(priv->d, limit, &values[2]); GET(priv->p, limit, &values[3]); GET(priv->q, limit, &values[4]); GET(priv->a, limit, &values[5]); GET(priv->b, limit, &values[6]); GET(priv->c, limit, &values[7]); if (!rsa_private_key_prepare(priv)) return 0; } if (pub) { GET(pub->n, limit, &values[0]); GET(pub->e, limit, &values[1]); if (!rsa_public_key_prepare(pub)) return 0; } return 1; } int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *expr) { struct sexp_iterator i; static const char * const names[3] = { "rsa", "rsa-pkcs1", "rsa-pkcs1-sha1" }; if (!sexp_iterator_first(&i, length, expr)) return 0; if (!sexp_iterator_check_type(&i, priv ? "private-key" : "public-key")) return 0; if (!sexp_iterator_check_types(&i, 3, names)) return 0; return rsa_keypair_from_sexp_alist(pub, priv, limit, &i); } nettle-4.0/sha-example.c0000644000000000000000000000127115141166424012153 0ustar00#include #include #include #define BUF_SIZE 1000 static void display_hex(unsigned length, uint8_t *data) { unsigned i; for (i = 0; i: * * The following is my SHA (FIPS 180) code updated to allow use of the "fixed" * SHA, thanks to Jim Gillogly and an anonymous contributor for the information on * what's changed in the new version. The fix is a simple change which involves * adding a single rotate in the initial expansion function. It is unknown * whether this is an optimal solution to the problem which was discovered in the * SHA or whether it's simply a bandaid which fixes the problem with a minimum of * effort (for example the reengineering of a great many Capstone chips). */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA1_DEBUG # define SHA1_DEBUG 0 #endif #if SHA1_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x\n", i, A, B, C, D ,E) #else # define DEBUG(i) #endif #include #include #include #include "sha1.h" #include "macros.h" /* A block, treated as a sequence of 32-bit words. */ #define SHA1_DATA_LENGTH 16 /* The SHA f()-functions. The f1 and f3 functions can be optimized to save one boolean operation each - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering this */ /* FIXME: Can save a temporary in f3 by using ( (x & y) + (z & (x ^ y)) ), and then, in the round, compute one of the terms and add it into the destination word before computing the second term. Credits to George Spelvin for pointing this out. Unfortunately, gcc doesn't seem to be smart enough to take advantage of this. */ /* #define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) Rounds 0-19 */ #define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */ #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */ /* #define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) Rounds 40-59 */ #define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */ #define f4 f2 /* The SHA Mysterious Constants */ #define K1 0x5A827999L /* Rounds 0-19 */ #define K2 0x6ED9EBA1L /* Rounds 20-39 */ #define K3 0x8F1BBCDCL /* Rounds 40-59 */ #define K4 0xCA62C1D6L /* Rounds 60-79 */ /* The initial expanding function. The hash function is defined over an 80-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ] This implementation generates these values on the fly in a circular buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this optimization. The updated SHA changes the expanding function by adding a rotate of 1 bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor for this information */ #define expand(W,i) ( W[ i & 15 ] = \ ROTL32( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \ W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) ) /* The prototype SHA sub-round. The fundamental sub-round is: a' = e + ROTL32( 5, a ) + f( b, c, d ) + k + data; b' = a; c' = ROTL32( 30, b ); d' = c; e' = d; but this is implemented by unrolling the loop 5 times and renaming the variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration. This code is then replicated 20 times for each of the 4 functions, using the next 20 values from the W[] array each time */ #define subRound(a, b, c, d, e, f, k, data) \ ( e += ROTL32( 5, a ) + f( b, c, d ) + k + data, b = ROTL32( 30, b ) ) /* For fat builds */ #if HAVE_NATIVE_sha1_compress void _nettle_sha1_compress_c(uint32_t *state, const uint8_t *input); #define nettle_sha1_compress _nettle_sha1_compress_c #endif /* Perform the SHA transformation. Note that this code, like MD5, seems to break some optimizing compilers due to the complexity of the expressions and the size of the basic block. It may be necessary to split it into sections, e.g. based on the four subrounds. */ void nettle_sha1_compress(uint32_t *state, const uint8_t *input) { uint32_t data[SHA1_DATA_LENGTH]; uint32_t A, B, C, D, E; /* Local vars */ int i; for (i = 0; i < SHA1_DATA_LENGTH; i++, input+= 4) { data[i] = READ_UINT32(input); } /* Set up first buffer and local data buffer */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; DEBUG(-1); /* Heavy mangling, in 4 sub-rounds of 20 interations each. */ subRound( A, B, C, D, E, f1, K1, data[ 0] ); DEBUG(0); subRound( E, A, B, C, D, f1, K1, data[ 1] ); DEBUG(1); subRound( D, E, A, B, C, f1, K1, data[ 2] ); subRound( C, D, E, A, B, f1, K1, data[ 3] ); subRound( B, C, D, E, A, f1, K1, data[ 4] ); subRound( A, B, C, D, E, f1, K1, data[ 5] ); subRound( E, A, B, C, D, f1, K1, data[ 6] ); subRound( D, E, A, B, C, f1, K1, data[ 7] ); subRound( C, D, E, A, B, f1, K1, data[ 8] ); subRound( B, C, D, E, A, f1, K1, data[ 9] ); subRound( A, B, C, D, E, f1, K1, data[10] ); subRound( E, A, B, C, D, f1, K1, data[11] ); subRound( D, E, A, B, C, f1, K1, data[12] ); subRound( C, D, E, A, B, f1, K1, data[13] ); subRound( B, C, D, E, A, f1, K1, data[14] ); subRound( A, B, C, D, E, f1, K1, data[15] ); DEBUG(15); subRound( E, A, B, C, D, f1, K1, expand( data, 16 ) ); DEBUG(16); subRound( D, E, A, B, C, f1, K1, expand( data, 17 ) ); DEBUG(17); subRound( C, D, E, A, B, f1, K1, expand( data, 18 ) ); DEBUG(18); subRound( B, C, D, E, A, f1, K1, expand( data, 19 ) ); DEBUG(19); subRound( A, B, C, D, E, f2, K2, expand( data, 20 ) ); DEBUG(20); subRound( E, A, B, C, D, f2, K2, expand( data, 21 ) ); DEBUG(21); subRound( D, E, A, B, C, f2, K2, expand( data, 22 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 23 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 24 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 25 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 26 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 27 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 28 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 29 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 30 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 31 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 32 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 33 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 34 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 35 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 36 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 37 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 38 ) ); DEBUG(38); subRound( B, C, D, E, A, f2, K2, expand( data, 39 ) ); DEBUG(39); subRound( A, B, C, D, E, f3, K3, expand( data, 40 ) ); DEBUG(40); subRound( E, A, B, C, D, f3, K3, expand( data, 41 ) ); DEBUG(41); subRound( D, E, A, B, C, f3, K3, expand( data, 42 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 43 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 44 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 45 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 46 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 47 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 48 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 49 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 50 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 51 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 52 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 53 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 54 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 55 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 56 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 57 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 58 ) ); DEBUG(58); subRound( B, C, D, E, A, f3, K3, expand( data, 59 ) ); DEBUG(59); subRound( A, B, C, D, E, f4, K4, expand( data, 60 ) ); DEBUG(60); subRound( E, A, B, C, D, f4, K4, expand( data, 61 ) ); DEBUG(61); subRound( D, E, A, B, C, f4, K4, expand( data, 62 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 63 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 64 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 65 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 66 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 67 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 68 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 69 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 70 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 71 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 72 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 73 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 74 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 75 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 76 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 77 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 78 ) ); DEBUG(78); subRound( B, C, D, E, A, f4, K4, expand( data, 79 ) ); DEBUG(79); /* Build message digest */ state[0] += A; state[1] += B; state[2] += C; state[3] += D; state[4] += E; #if SHA1_DEBUG fprintf(stderr, "99: %8x %8x %8x %8x %8x\n", state[0], state[1], state[2], state[3], state[4]); #endif } nettle-4.0/sha1-meta.c0000644000000000000000000000222715141166424011531 0ustar00/* sha1-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha1.h" const struct nettle_hash nettle_sha1 = _NETTLE_HASH(sha1, SHA1); nettle-4.0/sha1.c0000644000000000000000000000463215141166424010607 0ustar00/* sha1.c The sha1 hash function. Defined by http://www.itl.nist.gov/fipspubs/fip180-1.htm. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha1.h" #include "macros.h" #include "nettle-write.h" /* Initialize the SHA values */ void sha1_init(struct sha1_ctx *ctx) { /* FIXME: Put the buffer last in the struct, and arrange so that we can initialize with a single memcpy. */ static const uint32_t iv[_SHA1_DIGEST_LENGTH] = { /* SHA initial values, first 4 identical to md5's. */ 0x67452301L, 0xEFCDAB89L, 0x98BADCFEL, 0x10325476L, 0xC3D2E1F0L, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } #define COMPRESS(ctx, data) (nettle_sha1_compress((ctx)->state, data)) void sha1_update(struct sha1_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++); } void sha1_digest(struct sha1_ctx *ctx, uint8_t *digest) { uint64_t bit_count; MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* append the 64 bit count */ WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count); nettle_sha1_compress(ctx->state, ctx->block); _nettle_write_be32(SHA1_DIGEST_SIZE, digest, ctx->state); sha1_init(ctx); } nettle-4.0/sha1.h0000644000000000000000000000427315141166424010615 0ustar00/* sha1.h The sha1 hash function. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA1_H_INCLUDED #define NETTLE_SHA1_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha1_init nettle_sha1_init #define sha1_update nettle_sha1_update #define sha1_digest nettle_sha1_digest #define sha1_compress nettle_sha1_compress /* SHA1 */ #define SHA1_DIGEST_SIZE 20 #define SHA1_BLOCK_SIZE 64 /* Digest is kept internally as 5 32-bit words. */ #define _SHA1_DIGEST_LENGTH 5 struct sha1_ctx { uint32_t state[_SHA1_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ unsigned int index; /* index into buffer */ uint8_t block[SHA1_BLOCK_SIZE]; /* SHA1 data buffer */ }; void sha1_init(struct sha1_ctx *ctx); void sha1_update(struct sha1_ctx *ctx, size_t length, const uint8_t *data); void sha1_digest(struct sha1_ctx *ctx, uint8_t *digest); /* SHA1 compression function. STATE points to 5 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void sha1_compress(uint32_t *state, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_SHA1_H_INCLUDED */ nettle-4.0/sha2-internal.h0000644000000000000000000000336715141166424012433 0ustar00/* sha2-internal.h The sha2 family of hash functions. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA2_INTERNAL_H_INCLUDED #define NETTLE_SHA2_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Internal compression function. STATE points to 8 uint32_t words, DATA points to 64 bytes of input data, possibly unaligned, and K points to the table of constants. */ const uint8_t * _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *data); /* Internal compression function. STATE points to 8 uint64_t words, DATA points to 128 bytes of input data, possibly unaligned, and K points to the table of constants. */ void _nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k); #endif /* NETTLE_SHA2_INTERNAL_H_INCLUDED */ nettle-4.0/sha2.h0000644000000000000000000001127315141166424010614 0ustar00/* sha2.h The sha2 family of hash functions. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA2_H_INCLUDED #define NETTLE_SHA2_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha224_init nettle_sha224_init #define sha224_digest nettle_sha224_digest #define sha256_init nettle_sha256_init #define sha256_update nettle_sha256_update #define sha256_digest nettle_sha256_digest #define sha256_compress nettle_sha256_compress #define sha384_init nettle_sha384_init #define sha384_digest nettle_sha384_digest #define sha512_init nettle_sha512_init #define sha512_update nettle_sha512_update #define sha512_digest nettle_sha512_digest #define sha512_compress nettle_sha512_compress #define sha512_224_init nettle_sha512_224_init #define sha512_224_digest nettle_sha512_224_digest #define sha512_256_init nettle_sha512_256_init #define sha512_256_digest nettle_sha512_256_digest /* SHA256 */ #define SHA256_DIGEST_SIZE 32 #define SHA256_BLOCK_SIZE 64 /* Digest is kept internally as 8 32-bit words. */ #define _SHA256_DIGEST_LENGTH 8 struct sha256_ctx { uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ unsigned int index; /* index into buffer */ uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */ }; void sha256_init(struct sha256_ctx *ctx); void sha256_update(struct sha256_ctx *ctx, size_t length, const uint8_t *data); void sha256_digest(struct sha256_ctx *ctx, uint8_t *digest); void sha256_compress(uint32_t *state, const uint8_t *input); /* SHA224, a truncated SHA256 with different initial state. */ #define SHA224_DIGEST_SIZE 28 #define SHA224_BLOCK_SIZE SHA256_BLOCK_SIZE #define sha224_ctx sha256_ctx void sha224_init(struct sha256_ctx *ctx); #define sha224_update nettle_sha256_update void sha224_digest(struct sha256_ctx *ctx, uint8_t *digest); /* SHA512 */ #define SHA512_DIGEST_SIZE 64 #define SHA512_BLOCK_SIZE 128 /* Digest is kept internally as 8 64-bit words. */ #define _SHA512_DIGEST_LENGTH 8 struct sha512_ctx { uint64_t state[_SHA512_DIGEST_LENGTH]; /* State variables */ uint64_t count_low, count_high; /* 128-bit block count */ unsigned int index; /* index into buffer */ uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */ }; void sha512_init(struct sha512_ctx *ctx); void sha512_update(struct sha512_ctx *ctx, size_t length, const uint8_t *data); void sha512_digest(struct sha512_ctx *ctx, uint8_t *digest); void sha512_compress(uint64_t *state, const uint8_t *input); /* SHA384, a truncated SHA512 with different initial state. */ #define SHA384_DIGEST_SIZE 48 #define SHA384_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha384_ctx sha512_ctx void sha384_init(struct sha512_ctx *ctx); #define sha384_update nettle_sha512_update void sha384_digest(struct sha512_ctx *ctx, uint8_t *digest); /* SHA512_224 and SHA512_256, two truncated versions of SHA512 with different initial states. */ #define SHA512_224_DIGEST_SIZE 28 #define SHA512_224_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha512_224_ctx sha512_ctx void sha512_224_init(struct sha512_224_ctx *ctx); #define sha512_224_update nettle_sha512_update void sha512_224_digest(struct sha512_224_ctx *ctx, uint8_t *digest); #define SHA512_256_DIGEST_SIZE 32 #define SHA512_256_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha512_256_ctx sha512_ctx void sha512_256_init(struct sha512_256_ctx *ctx); #define sha512_256_update nettle_sha512_update void sha512_256_digest(struct sha512_256_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_SHA2_H_INCLUDED */ nettle-4.0/sha224-meta.c0000644000000000000000000000224515141166424011700 0ustar00/* sha224-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha224 = _NETTLE_HASH(sha224, SHA224); nettle-4.0/sha256-compress-n.c0000644000000000000000000001477115141166424013054 0ustar00/* sha256-compress-n.c The compression function of the sha256 hash function. Copyright (C) 2001, 2010, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA256_DEBUG # define SHA256_DEBUG 0 #endif #if SHA256_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x %8x %8x %8x\n", \ i, A, B, C, D ,E, F, G, H) #else # define DEBUG(i) #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" /* A block, treated as a sequence of 32-bit words. */ #define SHA256_DATA_LENGTH 16 /* The SHA256 functions. The Choice function is the same as the SHA1 function f1, and the majority function is the same as the SHA1 f3 function. They can be optimized to save one boolean operation each - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering this */ /* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */ #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) ) /* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) #define S0(x) (ROTL32(30,(x)) ^ ROTL32(19,(x)) ^ ROTL32(10,(x))) #define S1(x) (ROTL32(26,(x)) ^ ROTL32(21,(x)) ^ ROTL32(7,(x))) #define s0(x) (ROTL32(25,(x)) ^ ROTL32(14,(x)) ^ ((x) >> 3)) #define s1(x) (ROTL32(15,(x)) ^ ROTL32(13,(x)) ^ ((x) >> 10)) /* The initial expanding function. The hash function is defined over an 64-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16] This implementation generates these values on the fly in a circular buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this optimization. */ #define EXPAND(W,i) \ ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) ) /* The prototype SHA sub-round. The fundamental sub-round is: T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t] T2 = S0(a) + Majority(a,b,c) a' = T1+T2 b' = a c' = b d' = c e' = d + T1 f' = e g' = f h' = g but this is implemented by unrolling the loop 8 times and renaming the variables ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each iteration. */ /* It's crucial that DATA is only used once, as that argument will * have side effects. */ #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \ h += S1(e) + Choice(e,f,g) + k + data; \ d += h; \ h += S0(a) + Majority(a,b,c); \ } while (0) /* For fat builds */ #if HAVE_NATIVE_sha256_compress_n const uint8_t * _nettle_sha256_compress_n_c(uint32_t *state, const uint32_t *table, size_t blocks, const uint8_t *input); #define _nettle_sha256_compress_n _nettle_sha256_compress_n_c #endif const uint8_t * _nettle_sha256_compress_n(uint32_t *state, const uint32_t *table, size_t blocks, const uint8_t *input) { uint32_t A, B, C, D, E, F, G, H; /* Local vars */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; F = state[5]; G = state[6]; H = state[7]; for (; blocks > 0; blocks--) { uint32_t data[SHA256_DATA_LENGTH]; unsigned i; const uint32_t *k; uint32_t *d; for (i = 0; i < SHA256_DATA_LENGTH; i++, input+= 4) { data[i] = READ_UINT32(input); } /* Heavy mangling */ /* First 16 subrounds that act on the original data */ DEBUG(-1); for (i = 0, d = data, k = table; i<16; i+=8, k += 8, d+= 8) { ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[2], d[2]); ROUND(F, G, H, A, B, C, D, E, k[3], d[3]); ROUND(E, F, G, H, A, B, C, D, k[4], d[4]); ROUND(D, E, F, G, H, A, B, C, k[5], d[5]); ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7); } for (; i<64; i += 16, k+= 16) { ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2); ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); DEBUG(i+3); ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); DEBUG(i+4); ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); DEBUG(i+5); ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); DEBUG(i+7); ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); DEBUG(i+8); ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); DEBUG(i+9); ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); DEBUG(i+10); ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); DEBUG(i+11); ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); DEBUG(i+12); ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); DEBUG(i+13); ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14); ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15); } /* Update state */ state[0] = A = state[0] + A; state[1] = B = state[1] + B; state[2] = C = state[2] + C; state[3] = D = state[3] + D; state[4] = E = state[4] + E; state[5] = F = state[5] + F; state[6] = G = state[6] + G; state[7] = H = state[7] + H; #if SHA256_DEBUG fprintf(stderr, "99: %8x %8x %8x %8x %8x %8x %8x %8x\n", state[0], state[1], state[2], state[3], state[4], state[5], state[6], state[7]); #endif } return input; } nettle-4.0/sha256-meta.c0000644000000000000000000000223715141166424011706 0ustar00/* sha256-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha256 = _NETTLE_HASH(sha256, SHA256); nettle-4.0/sha256.c0000644000000000000000000001154715141166424010766 0ustar00/* sha256.c The sha256 hash function. See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Modelled after the sha1.c code by Peter Gutmann. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" #include "md-internal.h" #include "nettle-write.h" /* Generated by the shadata program. */ static const uint32_t K[64] = { 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, }; void sha256_compress(uint32_t *state, const uint8_t *input) { _nettle_sha256_compress_n(state, K, 1, input); } #define COMPRESS(ctx, data) (sha256_compress((ctx)->state, (data))) /* Initialize the SHA values */ void sha256_init(struct sha256_ctx *ctx) { /* Initial values, also generated by the shadata program. */ static const uint32_t H0[_SHA256_DIGEST_LENGTH] = { 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } void sha256_update(struct sha256_ctx *ctx, size_t length, const uint8_t *data) { size_t blocks; if (!length) return; if (ctx->index > 0) { /* Try to fill partial block */ MD_FILL_OR_RETURN (ctx, length, data); sha256_compress (ctx->state, ctx->block); ctx->count++; } blocks = length >> 6; data = _nettle_sha256_compress_n (ctx->state, K, blocks, data); ctx->count += blocks; length &= 63; memcpy (ctx->block, data, length); ctx->index = length; } static void sha256_write_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= SHA256_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count); sha256_compress(ctx->state, ctx->block); _nettle_write_be32(length, digest, ctx->state); } void sha256_digest(struct sha256_ctx *ctx, uint8_t *digest) { sha256_write_digest(ctx, SHA256_DIGEST_SIZE, digest); sha256_init(ctx); } /* sha224 variant. */ void sha224_init(struct sha256_ctx *ctx) { /* Initial values. Low 32 bits of the initial values for sha384. */ static const uint32_t H0[_SHA256_DIGEST_LENGTH] = { 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } void sha224_digest(struct sha256_ctx *ctx, uint8_t *digest) { sha256_write_digest(ctx, SHA224_DIGEST_SIZE, digest); sha224_init(ctx); } nettle-4.0/sha3-224-meta.c0000644000000000000000000000230715141166424012037 0ustar00/* sha3-224-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_224 = _NETTLE_SHA3_HASH(sha3_224, SHA3_224); nettle-4.0/sha3-224.c0000644000000000000000000000266115141166424011116 0ustar00/* sha3-224.c The sha3 hash function, 224 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" void sha3_224_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data) { _nettle_sha3_update (ctx, SHA3_224_BLOCK_SIZE >> 3, length, data); } void sha3_224_digest(struct sha3_ctx *ctx, uint8_t *digest) { _nettle_sha3_digest (ctx, SHA3_224_BLOCK_SIZE >> 3, SHA3_224_DIGEST_SIZE, digest); } nettle-4.0/sha3-256-meta.c0000644000000000000000000000230715141166424012044 0ustar00/* sha3-256-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_256 = _NETTLE_SHA3_HASH(sha3_256, SHA3_256); nettle-4.0/sha3-256.c0000644000000000000000000000266415141166424011126 0ustar00/* sha3-256.c The sha3 hash function, 256 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" void sha3_256_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data) { _nettle_sha3_update (ctx, SHA3_256_BLOCK_SIZE >> 3, length, data); } void sha3_256_digest(struct sha3_ctx *ctx, uint8_t *digest) { _nettle_sha3_digest (ctx, SHA3_256_BLOCK_SIZE >> 3, SHA3_256_DIGEST_SIZE, digest); } nettle-4.0/sha3-384-meta.c0000644000000000000000000000230715141166424012046 0ustar00/* sha3-384-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_384 = _NETTLE_SHA3_HASH(sha3_384, SHA3_384); nettle-4.0/sha3-384.c0000644000000000000000000000266115141166424011125 0ustar00/* sha3-384.c The sha3 hash function, 384 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" void sha3_384_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data) { _nettle_sha3_update (ctx, SHA3_384_BLOCK_SIZE >> 3, length, data); } void sha3_384_digest(struct sha3_ctx *ctx, uint8_t *digest) { _nettle_sha3_digest (ctx, SHA3_384_BLOCK_SIZE >> 3, SHA3_384_DIGEST_SIZE, digest); } nettle-4.0/sha3-512-meta.c0000644000000000000000000000230715141166424012037 0ustar00/* sha3-512-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_512 = _NETTLE_SHA3_HASH(sha3_512, SHA3_512); nettle-4.0/sha3-512.c0000644000000000000000000000266115141166424011116 0ustar00/* sha3-512.c The sha3 hash function, 512 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" void sha3_512_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data) { _nettle_sha3_update (ctx, SHA3_512_BLOCK_SIZE >> 3, length, data); } void sha3_512_digest(struct sha3_ctx *ctx, uint8_t *digest) { _nettle_sha3_digest (ctx, SHA3_512_BLOCK_SIZE >> 3, SHA3_512_DIGEST_SIZE, digest); } nettle-4.0/sha3-internal.h0000644000000000000000000000415715141166424012432 0ustar00/* sha3-internal.h The sha3 hash function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA3_INTERNAL_H_INCLUDED #define NETTLE_SHA3_INTERNAL_H_INCLUDED #include "nettle-types.h" #define SHA3_HASH_MAGIC 6 #define SHA3_SHAKE_MAGIC 0x1f void _nettle_sha3_init (struct sha3_ctx *ctx); /* For all functions, the block_size is in units of uint64_t words. */ void _nettle_sha3_update (struct sha3_ctx *ctx, unsigned block_size, size_t length, const uint8_t *data); void _nettle_sha3_pad (struct sha3_ctx *ctx, unsigned block_size, uint8_t magic); void _nettle_sha3_digest (struct sha3_ctx *ctx, unsigned block_size, unsigned digest_size, uint8_t *digest); void _nettle_sha3_shake (struct sha3_ctx *ctx, unsigned block_size, size_t length, uint8_t *dst); void _nettle_sha3_shake_output (struct sha3_ctx *ctx, unsigned block_size, size_t length, uint8_t *dst); #define _NETTLE_SHA3_HASH(name, NAME) { \ #name, \ sizeof(struct sha3_ctx), \ NAME##_DIGEST_SIZE, \ NAME##_BLOCK_SIZE, \ (nettle_hash_init_func *) sha3_init, \ (nettle_hash_update_func *) name##_update, \ (nettle_hash_digest_func *) name##_digest \ } #endif nettle-4.0/sha3-permute.c0000644000000000000000000001241415141166424012265 0ustar00/* sha3-permute.c The sha3 permutation function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" #include "macros.h" #define SHA3_ROUNDS 24 /* For fat builds */ #if HAVE_NATIVE_sha3_permute void _nettle_sha3_permute_c(struct sha3_state *state); #define nettle_sha3_permute _nettle_sha3_permute_c #endif void sha3_permute (struct sha3_state *state) { static const uint64_t rc[SHA3_ROUNDS] = { 0x0000000000000001ULL, 0X0000000000008082ULL, 0X800000000000808AULL, 0X8000000080008000ULL, 0X000000000000808BULL, 0X0000000080000001ULL, 0X8000000080008081ULL, 0X8000000000008009ULL, 0X000000000000008AULL, 0X0000000000000088ULL, 0X0000000080008009ULL, 0X000000008000000AULL, 0X000000008000808BULL, 0X800000000000008BULL, 0X8000000000008089ULL, 0X8000000000008003ULL, 0X8000000000008002ULL, 0X8000000000000080ULL, 0X000000000000800AULL, 0X800000008000000AULL, 0X8000000080008081ULL, 0X8000000000008080ULL, 0X0000000080000001ULL, 0X8000000080008008ULL, }; /* Original permutation: 0,10,20, 5,15, 16, 1,11,21, 6, 7,17, 2,12,22, 23, 8,18, 3,13, 14,24, 9,19, 4 Rotation counts: 0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14, */ /* In-place implementation. Permutation done as a long sequence of 25 moves "following" the permutation. T <-- 1 1 <-- 6 6 <-- 9 9 <-- 22 22 <-- 14 14 <-- 20 20 <-- 2 2 <-- 12 12 <-- 13 13 <-- 19 19 <-- 23 23 <-- 15 15 <-- 4 4 <-- 24 24 <-- 21 21 <-- 8 8 <-- 16 16 <-- 5 5 <-- 3 3 <-- 18 18 <-- 17 17 <-- 11 11 <-- 7 7 <-- 10 10 <-- T */ uint64_t C[5], D[5], T, X; unsigned i, y; #define A state->a C[0] = A[0] ^ A[5+0] ^ A[10+0] ^ A[15+0] ^ A[20+0]; C[1] = A[1] ^ A[5+1] ^ A[10+1] ^ A[15+1] ^ A[20+1]; C[2] = A[2] ^ A[5+2] ^ A[10+2] ^ A[15+2] ^ A[20+2]; C[3] = A[3] ^ A[5+3] ^ A[10+3] ^ A[15+3] ^ A[20+3]; C[4] = A[4] ^ A[5+4] ^ A[10+4] ^ A[15+4] ^ A[20+4]; for (i = 0; i < SHA3_ROUNDS; i++) { D[0] = C[4] ^ ROTL64(1, C[1]); D[1] = C[0] ^ ROTL64(1, C[2]); D[2] = C[1] ^ ROTL64(1, C[3]); D[3] = C[2] ^ ROTL64(1, C[4]); D[4] = C[3] ^ ROTL64(1, C[0]); A[0] ^= D[0]; X = A[ 1] ^ D[1]; T = ROTL64(1, X); X = A[ 6] ^ D[1]; A[ 1] = ROTL64 (44, X); X = A[ 9] ^ D[4]; A[ 6] = ROTL64 (20, X); X = A[22] ^ D[2]; A[ 9] = ROTL64 (61, X); X = A[14] ^ D[4]; A[22] = ROTL64 (39, X); X = A[20] ^ D[0]; A[14] = ROTL64 (18, X); X = A[ 2] ^ D[2]; A[20] = ROTL64 (62, X); X = A[12] ^ D[2]; A[ 2] = ROTL64 (43, X); X = A[13] ^ D[3]; A[12] = ROTL64 (25, X); X = A[19] ^ D[4]; A[13] = ROTL64 ( 8, X); X = A[23] ^ D[3]; A[19] = ROTL64 (56, X); X = A[15] ^ D[0]; A[23] = ROTL64 (41, X); X = A[ 4] ^ D[4]; A[15] = ROTL64 (27, X); X = A[24] ^ D[4]; A[ 4] = ROTL64 (14, X); X = A[21] ^ D[1]; A[24] = ROTL64 ( 2, X); X = A[ 8] ^ D[3]; A[21] = ROTL64 (55, X); /* row 4 done */ X = A[16] ^ D[1]; A[ 8] = ROTL64 (45, X); X = A[ 5] ^ D[0]; A[16] = ROTL64 (36, X); X = A[ 3] ^ D[3]; A[ 5] = ROTL64 (28, X); X = A[18] ^ D[3]; A[ 3] = ROTL64 (21, X); /* row 0 done */ X = A[17] ^ D[2]; A[18] = ROTL64 (15, X); X = A[11] ^ D[1]; A[17] = ROTL64 (10, X); /* row 3 done */ X = A[ 7] ^ D[2]; A[11] = ROTL64 ( 6, X); /* row 1 done */ X = A[10] ^ D[0]; A[ 7] = ROTL64 ( 3, X); A[10] = T; /* row 2 done */ D[0] = ~A[1] & A[2]; D[1] = ~A[2] & A[3]; D[2] = ~A[3] & A[4]; D[3] = ~A[4] & A[0]; D[4] = ~A[0] & A[1]; A[0] ^= D[0] ^ rc[i]; C[0] = A[0]; A[1] ^= D[1]; C[1] = A[1]; A[2] ^= D[2]; C[2] = A[2]; A[3] ^= D[3]; C[3] = A[3]; A[4] ^= D[4]; C[4] = A[4]; for (y = 5; y < 25; y+= 5) { D[0] = ~A[y+1] & A[y+2]; D[1] = ~A[y+2] & A[y+3]; D[2] = ~A[y+3] & A[y+4]; D[3] = ~A[y+4] & A[y+0]; D[4] = ~A[y+0] & A[y+1]; A[y+0] ^= D[0]; C[0] ^= A[y+0]; A[y+1] ^= D[1]; C[1] ^= A[y+1]; A[y+2] ^= D[2]; C[2] ^= A[y+2]; A[y+3] ^= D[3]; C[3] ^= A[y+3]; A[y+4] ^= D[4]; C[4] ^= A[y+4]; } } #undef A } nettle-4.0/sha3-shake.c0000644000000000000000000000725015141166424011701 0ustar00/* sha3-shake.c Copyright (C) 2017, 2024 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. Copyright (C) 2024 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "sha3-internal.h" #include "bswap-internal.h" #include "macros.h" #include "nettle-write.h" void _nettle_sha3_shake (struct sha3_ctx *ctx, unsigned block_size, size_t length, uint8_t *dst) { _nettle_sha3_pad (ctx, block_size, SHA3_SHAKE_MAGIC); /* Use byte units. */ block_size <<= 3; while (length > block_size) { sha3_permute (&ctx->state); _nettle_write_le64 (block_size, dst, ctx->state.a); length -= block_size; dst += block_size; } sha3_permute (&ctx->state); _nettle_write_le64 (length, dst, ctx->state.a); sha3_init (ctx); } void _nettle_sha3_shake_output (struct sha3_ctx *ctx, unsigned block_size, size_t length, uint8_t *dst) { unsigned index = ctx->index; unsigned block_bytes = block_size << 3; if (!ctx->shake_flag) { /* This is the first call of _shake_output. */ _nettle_sha3_pad (ctx, block_size, SHA3_SHAKE_MAGIC); /* Point at the end of block to trigger fill in of the buffer. */ index = block_bytes; ctx->shake_flag = 1; } assert (index <= block_bytes); { #if WORDS_BIGENDIAN unsigned byte_index = index & 7; if (byte_index) { unsigned left = 8 - byte_index; if (length <= left) { memcpy (dst, ctx->block.b + byte_index, length); ctx->index = index + length; return; } memcpy (dst, ctx->block.b + byte_index, left); dst += left; length -= left; index += left; } /* Switch to units of words */ index >>= 3; for (; length > 0; length -= 8, dst += 8, index++) { if (index == block_size) { sha3_permute (&ctx->state); index = 0; } if (length < 8) { ctx->block.u64 = nettle_bswap64 (ctx->state.a[index]); memcpy (dst, ctx->block.b, length); break; } LE_WRITE_UINT64(dst, ctx->state.a[index]); } ctx->index = (index << 3) + length; #else /* !WORDS_BIGENDIAN */ size_t left = block_bytes - index; if (length <= left) { memcpy (dst, ((const uint8_t *) ctx->state.a) + index, length); ctx->index = index + length; return; } else { memcpy (dst, ((const uint8_t *) ctx->state.a) + index, left); length -= left; dst += left; } /* Write full blocks. */ for (; length > block_bytes; length -= block_bytes, dst += block_bytes) { sha3_permute (&ctx->state); _nettle_write_le64 (block_bytes, dst, ctx->state.a); } sha3_permute (&ctx->state); memcpy (dst, ctx->state.a, length); ctx->index = length; #endif /* !WORDS_BIGENDIAN */ } } nettle-4.0/sha3.c0000644000000000000000000000733715141166424010616 0ustar00/* sha3.c The sha3 hash function. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "sha3.h" #include "sha3-internal.h" #include "bswap-internal.h" #include "macros.h" #include "memxor.h" #include "nettle-write.h" void sha3_init (struct sha3_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_ctx, block)); } void _nettle_sha3_update (struct sha3_ctx *ctx, unsigned block_size, size_t length, const uint8_t *data) { #if WORDS_BIGENDIAN unsigned byte_index = ctx->index & 7; unsigned index = ctx->index >> 3; if (byte_index > 0) { unsigned left = sizeof (ctx->block) - byte_index; if (length < left) { memcpy (ctx->block.b + byte_index, data, length); ctx->index += length; return; } memcpy (ctx->block.b + byte_index, data, left); data += left; length -= left; ctx->state.a[index++] ^= nettle_bswap64 (ctx->block.u64); if (index == block_size) { sha3_permute (&ctx->state); index = 0; } } for (; length >= 8; length -= 8, data += 8) { ctx->state.a[index++] ^= LE_READ_UINT64 (data); if (index == block_size) { sha3_permute (&ctx->state); index = 0; } } memcpy (ctx->block.b, data, length); ctx->index = (index << 3) + length; #else /* !WORDS_BIGENDIAN */ /* Switch to units of bytes. */ block_size <<= 3; if (ctx->index > 0) { unsigned left = block_size - ctx->index; if (length < left) { memxor ((uint8_t *) ctx->state.a + ctx->index, data, length); ctx->index += length; return; } memxor ((uint8_t *) ctx->state.a + ctx->index, data, left); data += left; length -= left; ctx->index = 0; sha3_permute (&ctx->state); } for (; length >= block_size; length -= block_size, data += block_size) { memxor ((uint8_t *) ctx->state.a, data, block_size); sha3_permute (&ctx->state); } memxor ((uint8_t *) ctx->state.a, data, length); ctx->index = length; #endif /* !WORDS_BIGENDIAN */ } void _nettle_sha3_pad (struct sha3_ctx *ctx, unsigned block_size, uint8_t magic) { #if WORDS_BIGENDIAN unsigned byte_index = ctx->index & 7; unsigned word_index = ctx->index >> 3; ctx->block.b[byte_index++] = magic; memset (ctx->block.b + byte_index, 0, 8 - byte_index); ctx->state.a[word_index] ^= nettle_bswap64 (ctx->block.u64); #else /* !WORDS_BIGENDIAN */ ((uint8_t *) ctx->state.a)[ctx->index] ^= magic; #endif /* !WORDS_BIGENDIAN */ ctx->state.a[block_size - 1] ^= (uint64_t) 1 << 63; } void _nettle_sha3_digest (struct sha3_ctx *ctx, unsigned block_size, unsigned digest_size, uint8_t *digest) { _nettle_sha3_pad (ctx, block_size, SHA3_HASH_MAGIC); sha3_permute (&ctx->state); _nettle_write_le64 (digest_size, digest, ctx->state.a); sha3_init (ctx); } nettle-4.0/sha3.h0000644000000000000000000001147115141166424010615 0ustar00/* sha3.h The sha3 hash function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA3_H_INCLUDED #define NETTLE_SHA3_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha3_permute nettle_sha3_permute #define sha3_init nettle_sha3_init #define sha3_128_update nettle_sha3_128_update #define sha3_128_shake nettle_sha3_128_shake #define sha3_128_shake_output nettle_sha3_128_shake_output #define sha3_224_update nettle_sha3_224_update #define sha3_224_digest nettle_sha3_224_digest #define sha3_256_update nettle_sha3_256_update #define sha3_256_digest nettle_sha3_256_digest #define sha3_256_shake nettle_sha3_256_shake #define sha3_256_shake_output nettle_sha3_256_shake_output #define sha3_384_update nettle_sha3_384_update #define sha3_384_digest nettle_sha3_384_digest #define sha3_512_update nettle_sha3_512_update #define sha3_512_digest nettle_sha3_512_digest /* Indicates that SHA3 is the NIST FIPS 202 version. */ #define NETTLE_SHA3_FIPS202 1 /* The sha3 state is a 5x5 matrix of 64-bit words. In the notation of Keccak description, S[x,y] is element x + 5*y, so if x is interpreted as the row index and y the column index, it is stored in column-major order. */ #define SHA3_STATE_LENGTH 25 /* The "width" is 1600 bits or 200 octets */ struct sha3_state { uint64_t a[SHA3_STATE_LENGTH]; }; void sha3_permute (struct sha3_state *state); /* The "capacity" is set to 2*(digest size), 512 bits or 64 octets. The "rate" is the width - capacity, or width - 2 * (digest size). */ #define SHA3_128_DIGEST_SIZE 16 #define SHA3_128_BLOCK_SIZE 168 #define SHA3_224_DIGEST_SIZE 28 #define SHA3_224_BLOCK_SIZE 144 #define SHA3_256_DIGEST_SIZE 32 #define SHA3_256_BLOCK_SIZE 136 #define SHA3_384_DIGEST_SIZE 48 #define SHA3_384_BLOCK_SIZE 104 #define SHA3_512_DIGEST_SIZE 64 #define SHA3_512_BLOCK_SIZE 72 struct sha3_ctx { struct sha3_state state; /* The position in current block of next input byte (for update) or next output byte (for shake). */ unsigned index; /* Set when shake output has been initialized. */ int shake_flag; /* Buffer for partial words; input and output from the state is handled one uint64_t at a time. */ union nettle_block8 block; }; void sha3_init (struct sha3_ctx *ctx); void sha3_128_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data); void sha3_128_shake (struct sha3_ctx *ctx, size_t length, uint8_t *digest); void sha3_128_shake_output (struct sha3_ctx *ctx, size_t length, uint8_t *digest); void sha3_224_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data); void sha3_224_digest(struct sha3_ctx *ctx, uint8_t *digest); void sha3_256_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data); void sha3_256_digest(struct sha3_ctx *ctx, uint8_t *digest); /* Alternative digest function implementing shake256, with arbitrary digest size */ void sha3_256_shake(struct sha3_ctx *ctx, size_t length, uint8_t *digest); /* Unlike sha3_256_shake, this function can be called multiple times to retrieve output from shake256 in an incremental manner */ void sha3_256_shake_output(struct sha3_ctx *ctx, size_t length, uint8_t *digest); void sha3_384_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data); void sha3_384_digest(struct sha3_ctx *ctx, uint8_t *digest); void sha3_512_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data); void sha3_512_digest(struct sha3_ctx *ctx, uint8_t *digest); /* Old names, for compatibility with nettle-3. */ #define sha3_128_ctx sha3_ctx #define sha3_224_ctx sha3_ctx #define sha3_256_ctx sha3_ctx #define sha3_384_ctx sha3_ctx #define sha3_512_ctx sha3_ctx #define sha3_128_init sha3_init #define sha3_224_init sha3_init #define sha3_256_init sha3_init #define sha3_384_init sha3_init #define sha3_512_init sha3_init #ifdef __cplusplus } #endif #endif /* NETTLE_SHA3_H_INCLUDED */ nettle-4.0/sha384-meta.c0000644000000000000000000000224515141166424011707 0ustar00/* sha384-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha384 = _NETTLE_HASH(sha384, SHA384); nettle-4.0/sha512-224-meta.c0000644000000000000000000000261315141166424012204 0ustar00/* sha512-224-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512_224 = { "sha512_224", sizeof(struct sha512_ctx), SHA512_224_DIGEST_SIZE, SHA512_224_BLOCK_SIZE, (nettle_hash_init_func *) sha512_224_init, (nettle_hash_update_func *) sha512_224_update, (nettle_hash_digest_func *) sha512_224_digest }; nettle-4.0/sha512-256-meta.c0000644000000000000000000000261315141166424012211 0ustar00/* sha512-256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512_256 = { "sha512_256", sizeof(struct sha512_ctx), SHA512_256_DIGEST_SIZE, SHA512_256_BLOCK_SIZE, (nettle_hash_init_func *) sha512_256_init, (nettle_hash_update_func *) sha512_256_update, (nettle_hash_digest_func *) sha512_256_digest }; nettle-4.0/sha512-compress.c0000644000000000000000000001366715141166424012617 0ustar00/* sha512-compress.c The compression function of the sha512 hash function. Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA512_DEBUG # define SHA512_DEBUG 0 #endif #if SHA512_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8lx %8lx %8lx %8lx\n %8lx %8lx %8lx %8lx\n", \ i, A, B, C, D ,E, F, G, H) #else # define DEBUG(i) #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" /* A block, treated as a sequence of 64-bit words. */ #define SHA512_DATA_LENGTH 16 /* For fat builds */ #if HAVE_NATIVE_sha512_compress void _nettle_sha512_compress_c (uint64_t *state, const uint8_t *input, const uint64_t *k); #define _nettle_sha512_compress _nettle_sha512_compress_c #endif /* The SHA512 functions. The Choice function is the same as the SHA1 function f1, and the majority function is the same as the SHA1 f3 function, and the same as for SHA256. */ #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) ) #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) #define S0(x) (ROTL64(36,(x)) ^ ROTL64(30,(x)) ^ ROTL64(25,(x))) #define S1(x) (ROTL64(50,(x)) ^ ROTL64(46,(x)) ^ ROTL64(23,(x))) #define s0(x) (ROTL64(63,(x)) ^ ROTL64(56,(x)) ^ ((x) >> 7)) #define s1(x) (ROTL64(45,(x)) ^ ROTL64(3,(x)) ^ ((x) >> 6)) /* The initial expanding function. The hash function is defined over an 64-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16] This implementation generates these values on the fly in a circular buffer. */ #define EXPAND(W,i) \ ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) ) /* The prototype SHA sub-round. The fundamental sub-round is: T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t] T2 = S0(a) + Majority(a,b,c) a' = T1+T2 b' = a c' = b d' = c e' = d + T1 f' = e g' = f h' = g but this is implemented by unrolling the loop 8 times and renaming the variables ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each iteration. This code is then replicated 8, using the next 8 values from the W[] array each time */ /* It's crucial that DATA is only used once, as that argument will * have side effects. */ #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \ h += S1(e) + Choice(e,f,g) + k + data; \ d += h; \ h += S0(a) + Majority(a,b,c); \ } while (0) void _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) { uint64_t data[SHA512_DATA_LENGTH]; uint64_t A, B, C, D, E, F, G, H; /* Local vars */ unsigned i; uint64_t *d; for (i = 0; i < SHA512_DATA_LENGTH; i++, input += 8) { data[i] = READ_UINT64(input); } /* Set up first buffer and local data buffer */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; F = state[5]; G = state[6]; H = state[7]; /* Heavy mangling */ /* First 16 subrounds that act on the original data */ DEBUG(-1); for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8) { ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[2], d[2]); ROUND(F, G, H, A, B, C, D, E, k[3], d[3]); ROUND(E, F, G, H, A, B, C, D, k[4], d[4]); ROUND(D, E, F, G, H, A, B, C, k[5], d[5]); ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7); } for (; i<80; i += 16, k+= 16) { ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2); ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14); ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15); } /* Update state */ state[0] += A; state[1] += B; state[2] += C; state[3] += D; state[4] += E; state[5] += F; state[6] += G; state[7] += H; #if SHA512_DEBUG fprintf(stderr, "99: %8lx %8lx %8lx %8lx\n %8lx %8lx %8lx %8lx\n", state[0], state[1], state[2], state[3], state[4], state[5], state[6], state[7]); #endif } nettle-4.0/sha512-meta.c0000644000000000000000000000224515141166424011700 0ustar00/* sha512-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512 = _NETTLE_HASH(sha512, SHA512); nettle-4.0/sha512.c0000644000000000000000000001765515141166424010767 0ustar00/* sha512.c The sha512 hash function. See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf Copyright (C) 2001, 2010 Niels Möller Copyright (C) 2014 Joachim Strömbergson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Modelled after the sha1.c code by Peter Gutmann. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" /* Generated by the gp script { print("obase=16"); for (i = 1,80, root = prime(i)^(1/3); fraction = root - floor(root); print(floor(2^64 * fraction)); ); quit(); } piped through |grep -v '^[' | bc \ |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}' to convert it to hex. */ static const uint64_t K[80] = { 0x428A2F98D728AE22ULL,0x7137449123EF65CDULL, 0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL, 0x3956C25BF348B538ULL,0x59F111F1B605D019ULL, 0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL, 0xD807AA98A3030242ULL,0x12835B0145706FBEULL, 0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL, 0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL, 0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL, 0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL, 0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL, 0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL, 0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL, 0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL, 0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL, 0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL, 0x06CA6351E003826FULL,0x142929670A0E6E70ULL, 0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL, 0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL, 0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL, 0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL, 0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL, 0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL, 0xD192E819D6EF5218ULL,0xD69906245565A910ULL, 0xF40E35855771202AULL,0x106AA07032BBD1B8ULL, 0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL, 0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL, 0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL, 0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL, 0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL, 0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL, 0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL, 0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL, 0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL, 0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL, 0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL, 0x113F9804BEF90DAEULL,0x1B710B35131C471BULL, 0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL, 0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL, 0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL, 0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL, }; #define COMPRESS(ctx, data) (sha512_compress((ctx)->state, (data))) void sha512_init(struct sha512_ctx *ctx) { /* Initial values, generated by the gp script { for (i = 1,8, root = prime(i)^(1/2); fraction = root - floor(root); print(floor(2^64 * fraction)); ); } . */ static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL, 0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL, 0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL, 0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_update(struct sha512_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx)); } static void sha512_write_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest) { uint64_t high, low; unsigned i; unsigned words; unsigned leftover; assert(length <= SHA512_DIGEST_SIZE); MD_PAD(ctx, 16, COMPRESS); /* There are 1024 = 2^10 bits in one block */ high = (ctx->count_high << 10) | (ctx->count_low >> 54); low = (ctx->count_low << 10) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high); WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low); sha512_compress(ctx->state, ctx->block); words = length / 8; leftover = length % 8; for (i = 0; i < words; i++, digest += 8) WRITE_UINT64(digest, ctx->state[i]); if (leftover) { /* Truncate to the right size */ uint64_t word = ctx->state[i] >> (8*(8 - leftover)); do { digest[--leftover] = word & 0xff; word >>= 8; } while (leftover); } } void sha512_digest(struct sha512_ctx *ctx, uint8_t *digest) { sha512_write_digest(ctx, SHA512_DIGEST_SIZE, digest); sha512_init(ctx); } /* sha384 variant. */ void sha384_init(struct sha512_ctx *ctx) { /* Initial values, generated by the gp script { for (i = 9,16, root = prime(i)^(1/2); fraction = root - floor(root); print(floor(2^64 * fraction)); ); } . */ static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL, 0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL, 0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL, 0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha384_digest(struct sha512_ctx *ctx, uint8_t *digest) { sha512_write_digest(ctx, SHA384_DIGEST_SIZE, digest); sha384_init(ctx); } /* sha-512/224 variant. */ void sha512_224_init(struct sha512_224_ctx *ctx) { static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL, 0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL, 0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL, 0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_224_digest(struct sha512_224_ctx *ctx, uint8_t *digest) { sha512_write_digest(ctx, SHA512_224_DIGEST_SIZE, digest); sha512_224_init(ctx); } /* sha-512/256 variant. */ void sha512_256_init(struct sha512_256_ctx *ctx) { static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL, 0x2393b86b6f53b151ULL, 0x963877195940eabdULL, 0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL, 0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_256_digest(struct sha512_256_ctx *ctx, uint8_t *digest) { sha512_write_digest(ctx, SHA512_256_DIGEST_SIZE, digest); sha512_256_init(ctx); } void sha512_compress(uint64_t *state, const uint8_t *input) { _nettle_sha512_compress(state, input, K); } nettle-4.0/shadata.c0000644000000000000000000000210115141166424011345 0ustar00#include #include static const unsigned primes[64] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311 }; int main(int argc, char **argv) { int i; static const double third = 1.0/3; printf("SHA-256 constants: \n"); for (i = 0; i < 64; ) { double root = pow(primes[i++], third); double fraction = root - floor(root); double value = floor(ldexp(fraction, 32)); printf("0x%08lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } printf("\nSHA-256 initial values: \n"); for (i = 0; i < 8; ) { double root = pow(primes[i++], 0.5); double fraction = root - (floor(root)); double value = floor(ldexp(fraction, 32)); printf("0x%08lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } return 0; } nettle-4.0/shake128.c0000644000000000000000000000317515141166424011302 0ustar00/* shake128.c The SHAKE128 hash function, arbitrary length output. Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" void sha3_128_update (struct sha3_ctx *ctx, size_t length, const uint8_t *data) { _nettle_sha3_update (ctx, SHA3_128_BLOCK_SIZE >> 3, length, data); } void sha3_128_shake (struct sha3_ctx *ctx, size_t length, uint8_t *dst) { _nettle_sha3_shake (ctx, SHA3_128_BLOCK_SIZE >> 3, length, dst); } void sha3_128_shake_output (struct sha3_ctx *ctx, size_t length, uint8_t *digest) { _nettle_sha3_shake_output (ctx, SHA3_128_BLOCK_SIZE >> 3, length, digest); } nettle-4.0/shake256.c0000644000000000000000000000274315141166424011304 0ustar00/* shake256.c The SHAKE256 hash function, arbitrary length output. Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" void sha3_256_shake (struct sha3_ctx *ctx, size_t length, uint8_t *dst) { _nettle_sha3_shake (ctx, SHA3_256_BLOCK_SIZE >> 3, length, dst); } void sha3_256_shake_output (struct sha3_ctx *ctx, size_t length, uint8_t *digest) { _nettle_sha3_shake_output (ctx, SHA3_256_BLOCK_SIZE >> 3, length, digest); } nettle-4.0/siv-cmac-aes128.c0000644000000000000000000000424615141166423012456 0ustar00/* siv-cmac-aes128.c AES-SIV, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "aes.h" #include "siv-cmac.h" #include "cmac.h" #include "ctr.h" #include "memxor.h" #include "memops.h" void siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key) { siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes128, key); } void siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes128, &ctx->ctr_cipher, nlength, nonce, alength, adata, clength, dst, src); } int siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes128, &ctx->ctr_cipher, nlength, nonce, alength, adata, mlength, dst, src); } nettle-4.0/siv-cmac-aes256.c0000644000000000000000000000424615141166423012460 0ustar00/* siv-cmac-aes256.c AES-SIV, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "aes.h" #include "siv-cmac.h" #include "cmac.h" #include "ctr.h" #include "memxor.h" #include "memops.h" void siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key) { siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes256, key); } void siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes256, &ctx->ctr_cipher, nlength, nonce, alength, adata, clength, dst, src); } int siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes256, &ctx->ctr_cipher, nlength, nonce, alength, adata, mlength, dst, src); } nettle-4.0/siv-cmac.c0000644000000000000000000001131115141166423011444 0ustar00/* siv-cmac.c SIV-CMAC, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "aes.h" #include "siv-cmac.h" #include "cmac.h" #include "ctr.h" #include "memxor.h" #include "memops.h" #include "nettle-internal.h" #include "block-internal.h" /* This is an implementation of S2V for the AEAD case where * vectors if zero, are considered as S empty components */ static void _siv_s2v (const struct nettle_cipher *nc, const struct cmac128_key *cmac_key, const void *cmac_cipher, size_t alength, const uint8_t * adata, size_t nlength, const uint8_t * nonce, size_t plength, const uint8_t * pdata, uint8_t * v) { union nettle_block16 D, S, T; static const union nettle_block16 const_zero = {.b = 0 }; struct cmac128_ctx cmac_ctx; assert (nlength >= SIV_MIN_NONCE_SIZE); cmac128_init(&cmac_ctx); cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, const_zero.b); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, D.b); block16_mulx_be (&D, &D); cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, alength, adata); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, S.b); block16_xor (&D, &S); block16_mulx_be (&D, &D); cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, nlength, nonce); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, S.b); block16_xor (&D, &S); /* Sn */ if (plength >= 16) { cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, plength - 16, pdata); pdata += plength - 16; block16_xor_bytes (&T, &D, pdata); } else { union nettle_block16 pad; block16_mulx_be (&T, &D); memcpy (pad.b, pdata, plength); pad.b[plength] = 0x80; if (plength + 1 < 16) memset (&pad.b[plength + 1], 0, 16 - plength - 1); block16_xor (&T, &pad); } cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, T.b); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, v); } void siv_cmac_set_key (struct cmac128_key *cmac_key, void *cmac_cipher, void *siv_cipher, const struct nettle_cipher *nc, const uint8_t * key) { nc->set_encrypt_key (cmac_cipher, key); cmac128_set_key (cmac_key, cmac_cipher, nc->encrypt); nc->set_encrypt_key (siv_cipher, key + nc->key_size); } void siv_cmac_encrypt_message (const struct cmac128_key *cmac_key, const void *cmac_cipher, const struct nettle_cipher *nc, const void *ctr_cipher, size_t nlength, const uint8_t * nonce, size_t alength, const uint8_t * adata, size_t clength, uint8_t * dst, const uint8_t * src) { union nettle_block16 siv; size_t slength; assert (clength >= SIV_DIGEST_SIZE); slength = clength - SIV_DIGEST_SIZE; /* create CTR nonce */ _siv_s2v (nc, cmac_key, cmac_cipher, alength, adata, nlength, nonce, slength, src, siv.b); memcpy (dst, siv.b, SIV_DIGEST_SIZE); siv.b[8] &= ~0x80; siv.b[12] &= ~0x80; ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, siv.b, slength, dst + SIV_DIGEST_SIZE, src); } int siv_cmac_decrypt_message (const struct cmac128_key *cmac_key, const void *cmac_cipher, const struct nettle_cipher *nc, const void *ctr_cipher, size_t nlength, const uint8_t * nonce, size_t alength, const uint8_t * adata, size_t mlength, uint8_t * dst, const uint8_t * src) { union nettle_block16 siv; union nettle_block16 ctr; memcpy (ctr.b, src, SIV_DIGEST_SIZE); ctr.b[8] &= ~0x80; ctr.b[12] &= ~0x80; ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, ctr.b, mlength, dst, src + SIV_DIGEST_SIZE); /* create CTR nonce */ _siv_s2v (nc, cmac_key, cmac_cipher, alength, adata, nlength, nonce, mlength, dst, siv.b); return memeql_sec (siv.b, src, SIV_DIGEST_SIZE); } nettle-4.0/siv-cmac.h0000644000000000000000000001040415141166424011454 0ustar00/* siv-cmac.h AES-SIV, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SIV_H_INCLUDED #define NETTLE_SIV_H_INCLUDED #include "nettle-types.h" #include "nettle-meta.h" #include "cmac.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define siv_cmac_set_key nettle_siv_cmac_set_key #define siv_cmac_encrypt_message nettle_siv_cmac_encrypt_message #define siv_cmac_decrypt_message nettle_siv_cmac_decrypt_message #define siv_cmac_aes128_set_key nettle_siv_cmac_aes128_set_key #define siv_cmac_aes128_encrypt_message nettle_siv_cmac_aes128_encrypt_message #define siv_cmac_aes128_decrypt_message nettle_siv_cmac_aes128_decrypt_message #define siv_cmac_aes256_set_key nettle_siv_cmac_aes256_set_key #define siv_cmac_aes256_encrypt_message nettle_siv_cmac_aes256_encrypt_message #define siv_cmac_aes256_decrypt_message nettle_siv_cmac_aes256_decrypt_message /* For SIV, the block size of the underlying cipher shall be 128 bits. */ #define SIV_BLOCK_SIZE 16 #define SIV_DIGEST_SIZE 16 #define SIV_MIN_NONCE_SIZE 1 void siv_cmac_set_key(struct cmac128_key *cmac_key, void *cmac_cipher, void *ctr_cipher, const struct nettle_cipher *nc, const uint8_t *key); void siv_cmac_encrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher_ctx, const struct nettle_cipher *nc, const void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_cmac_decrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher, const struct nettle_cipher *nc, const void *ctr_cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* * SIV mode requires the aad and plaintext when building the IV, which * prevents streaming processing and it incompatible with the AEAD API. */ #define SIV_CMAC_CTX(type) { struct cmac128_key cmac_key; type cmac_cipher; type ctr_cipher; } /* SIV_CMAC_AES128 */ #define SIV_CMAC_AES128_KEY_SIZE 32 struct siv_cmac_aes128_ctx SIV_CMAC_CTX(struct aes128_ctx); void siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key); void siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* SIV_CMAC_AES256 */ #define SIV_CMAC_AES256_KEY_SIZE 64 struct siv_cmac_aes256_ctx SIV_CMAC_CTX(struct aes256_ctx); void siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key); void siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SIV_H_INCLUDED */ nettle-4.0/siv-gcm-aes128.c0000644000000000000000000000353115141166423012315 0ustar00/* siv-gcm-aes128.c AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "siv-gcm.h" void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { struct aes128_ctx ctr_ctx; siv_gcm_encrypt_message (&nettle_aes128, ctx, &ctr_ctx, nlength, nonce, alength, adata, clength, dst, src); } int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { struct aes128_ctx ctr_ctx; return siv_gcm_decrypt_message (&nettle_aes128, ctx, &ctr_ctx, nlength, nonce, alength, adata, mlength, dst, src); } nettle-4.0/siv-gcm-aes256.c0000644000000000000000000000353115141166423012317 0ustar00/* siv-gcm-aes256.c AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "siv-gcm.h" void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { struct aes256_ctx ctr_ctx; siv_gcm_encrypt_message (&nettle_aes256, ctx, &ctr_ctx, nlength, nonce, alength, adata, clength, dst, src); } int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { struct aes256_ctx ctr_ctx; return siv_gcm_decrypt_message (&nettle_aes256, ctx, &ctr_ctx, nlength, nonce, alength, adata, mlength, dst, src); } nettle-4.0/siv-gcm.c0000644000000000000000000001432515141166423011317 0ustar00/* siv-gcm.c AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "siv-gcm.h" #include "ghash-internal.h" #include "block-internal.h" #include "nettle-internal.h" #include "macros.h" #include "memops.h" #include "ctr-internal.h" #include #define MIN(a,b) (((a) < (b)) ? (a) : (b)) static void siv_gcm_derive_keys (const void *ctx, nettle_cipher_func *f, size_t key_size, size_t nlength, const uint8_t *nonce, union nettle_block16 *auth_key, uint8_t *encryption_key) { union nettle_block16 block; union nettle_block16 out; size_t i; block16_zero (&block); memcpy (block.b + 4, nonce, MIN(nlength, SIV_GCM_NONCE_SIZE)); f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b); auth_key->u64[0] = out.u64[0]; block.b[0] = 1; f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b); auth_key->u64[1] = out.u64[0]; assert (key_size % 8 == 0 && key_size / 8 + 2 <= UINT8_MAX); for (i = 0; i < key_size; i += 8) { block.b[0]++; f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b); memcpy (encryption_key + i, out.b, 8); } } static nettle_fill16_func siv_gcm_fill; static void siv_gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint32_t c; c = LE_READ_UINT32(ctr); for (; blocks-- > 0; buffer++, c++) { memcpy(buffer->b + 4, ctr + 4, SIV_GCM_BLOCK_SIZE - 4); LE_WRITE_UINT32(buffer->b, c); } LE_WRITE_UINT32(ctr, c); } static void siv_ghash_pad_update (struct gcm_key *ctx, union nettle_block16 *state, size_t length, const uint8_t *data) { size_t blocks; blocks = length / SIV_GCM_BLOCK_SIZE; if (blocks > 0) { data = _siv_ghash_update (ctx, state, blocks, data); length &= 0xf; } if (length > 0) { uint8_t block[SIV_GCM_BLOCK_SIZE]; memset (block + length, 0, SIV_GCM_BLOCK_SIZE - length); memcpy (block, data, length); _siv_ghash_update (ctx, state, 1, block); } } static void siv_gcm_authenticate (const void *ctx, const struct nettle_cipher *nc, const union nettle_block16 *authentication_key, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, const uint8_t *mdata, uint8_t *tag) { union nettle_block16 state; struct gcm_key siv_ghash_key; union nettle_block16 block; _siv_ghash_set_key (&siv_ghash_key, authentication_key); block16_zero (&state); siv_ghash_pad_update (&siv_ghash_key, &state, alength, adata); siv_ghash_pad_update (&siv_ghash_key, &state, mlength, mdata); block.u64[0] = bswap64_if_be (alength * 8); block.u64[1] = bswap64_if_be (mlength * 8); _siv_ghash_update (&siv_ghash_key, &state, 1, block.b); block16_bswap (&state, &state); memxor (state.b, nonce, SIV_GCM_NONCE_SIZE); state.b[15] &= 0x7f; nc->encrypt (ctx, SIV_GCM_BLOCK_SIZE, tag, state.b); } void siv_gcm_encrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { union nettle_block16 authentication_key; TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE); uint8_t ctr[SIV_GCM_DIGEST_SIZE]; uint8_t *tag = dst + clength - SIV_GCM_BLOCK_SIZE; assert (clength >= SIV_GCM_DIGEST_SIZE); assert (nlength == SIV_GCM_NONCE_SIZE); TMP_ALLOC(encryption_key, nc->key_size); siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce, &authentication_key, encryption_key); /* Calculate authentication tag. */ nc->set_encrypt_key (ctr_ctx, encryption_key); siv_gcm_authenticate (ctr_ctx, nc, &authentication_key, nonce, alength, adata, clength - SIV_GCM_BLOCK_SIZE, src, tag); /* Encrypt the plaintext. */ /* The initial counter block is the tag with the most significant bit of the last byte set to one. */ memcpy (ctr, tag, SIV_GCM_DIGEST_SIZE); ctr[15] |= 0x80; _nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, ctr, clength - SIV_GCM_BLOCK_SIZE, dst, src); } int siv_gcm_decrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { union nettle_block16 authentication_key; TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE); union nettle_block16 state; uint8_t tag[SIV_GCM_DIGEST_SIZE]; assert (nlength == SIV_GCM_NONCE_SIZE); TMP_ALLOC(encryption_key, nc->key_size); siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce, &authentication_key, encryption_key); memcpy (state.b, src + mlength, SIV_GCM_DIGEST_SIZE); /* The initial counter block is the tag with the most significant bit of the last byte set to one. */ state.b[15] |= 0x80; /* Decrypt the ciphertext. */ nc->set_encrypt_key (ctr_ctx, encryption_key); _nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, state.b, mlength, dst, src); /* Calculate authentication tag. */ siv_gcm_authenticate (ctr_ctx, nc, &authentication_key, nonce, alength, adata, mlength, dst, tag); return memeql_sec (tag, src + mlength, SIV_GCM_DIGEST_SIZE); } nettle-4.0/siv-gcm.h0000644000000000000000000000654615141166424011333 0ustar00/* siv-gcm.h AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SIV_GCM_H_INCLUDED #define NETTLE_SIV_GCM_H_INCLUDED #include "nettle-types.h" #include "nettle-meta.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define siv_gcm_encrypt_message nettle_siv_gcm_encrypt_message #define siv_gcm_decrypt_message nettle_siv_gcm_decrypt_message #define siv_gcm_aes128_encrypt_message nettle_siv_gcm_aes128_encrypt_message #define siv_gcm_aes128_decrypt_message nettle_siv_gcm_aes128_decrypt_message #define siv_gcm_aes256_encrypt_message nettle_siv_gcm_aes256_encrypt_message #define siv_gcm_aes256_decrypt_message nettle_siv_gcm_aes256_decrypt_message /* For AES-GCM-SIV, the block size of the underlying cipher shall be 128 bits. */ #define SIV_GCM_BLOCK_SIZE 16 #define SIV_GCM_DIGEST_SIZE 16 #define SIV_GCM_NONCE_SIZE 12 /* Generic interface. NC must be a block cipher with 128-bit block size, and keysize that is a multiple of 64 bits, such as AES-128 or AES-256. */ void siv_gcm_encrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_gcm_decrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* AEAD_AES_128_GCM_SIV */ void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* AEAD_AES_256_GCM_SIV */ void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SIV_H_INCLUDED */ nettle-4.0/siv-ghash-set-key.c0000644000000000000000000000273315141166423013222 0ustar00/* siv-ghash-set-key.c POLYVAL implementation for AES-GCM-SIV, based on GHASH Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018, 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" void _siv_ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) { union nettle_block16 h; block16_bswap (&h, key); block16_mulx_ghash (&h, &h); _ghash_set_key (ctx, &h); } nettle-4.0/siv-ghash-update.c0000644000000000000000000000340415141166423013117 0ustar00/* siv-ghash-update.c POLYVAL implementation for AES-GCM-SIV, based on GHASH Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018, 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" #include "macros.h" const uint8_t * _siv_ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data) { for (; blocks-- > 0; data += GCM_BLOCK_SIZE) { union nettle_block16 b; #if WORDS_BIGENDIAN b.u64[1] = LE_READ_UINT64(data); b.u64[0] = LE_READ_UINT64(data + 8); #else b.u64[1] = READ_UINT64(data); b.u64[0] = READ_UINT64(data + 8); #endif _ghash_update (ctx, state, 1, b.b); } return data; } nettle-4.0/slh-dsa-128f.c0000644000000000000000000000436715141166424011771 0ustar00/* slh-dsa-128f.c SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa.h" #include "slh-dsa-internal.h" #define SLH_DSA_D 22 #define XMSS_H 3 /* Use k Merkle trees, each of size 2^a. Signs messages of size k * a = 198 bits or 25 octets (with 2 left-over bits). */ #define FORS_A 6 #define FORS_K 33 #define FORS_MSG_SIZE 25 static void parse_digest (const uint8_t *digest, uint64_t *tree_idx, unsigned *leaf_idx) { uint64_t x; unsigned i; /* Split digest as +----+------+-----+ | md | tree | leaf| +----+------+-----+ 25 8 1 The first 25 octets are the digest signed with fors (and not processed by this function), the next 8 octets represent 63 bits selecting the tree, the last octet represent 3 bits selecting the key in that tree. Left over high bits are discarded. */ x = digest[0] & 0x7f; /* Discard high-most bit of 64 */ for (i = 1; i < 8; i++) x = (x << 8) + digest[i]; *tree_idx = x; /* Discard 5 high-most bits */ *leaf_idx = digest[8] & 7; } const struct slh_dsa_params _slh_dsa_128f_params = { parse_digest, { SLH_DSA_D, XMSS_H, XMSS_SIGNATURE_SIZE (XMSS_H) }, { FORS_A, FORS_K, FORS_MSG_SIZE, FORS_SIGNATURE_SIZE (FORS_A, FORS_K) }, }; nettle-4.0/slh-dsa-128s.c0000644000000000000000000000437215141166424012002 0ustar00/* slh-dsa-128s.c SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa.h" #include "slh-dsa-internal.h" #define SLH_DSA_D 7 #define XMSS_H 9 /* Use k Merkle trees, each of size 2^a. Signs messages of size k * a = 168 bits or 21 octets. */ #define FORS_A 12 #define FORS_K 14 #define FORS_MSG_SIZE 21 static void parse_digest (const uint8_t *digest, uint64_t *tree_idx, unsigned *leaf_idx) { uint64_t x; unsigned i; /* Split digest as +----+------+-----+ | md | tree | leaf| +----+------+-----+ 21 7 2 The first 21 octets are the digest signed with fors (and skipped by this function), the next 7 octets represent 54 bits selecting the tree, the last 2 octets represent 9 bits selecting the key in that tree. Left over high bits are discarded. */ x = digest[0] & 0x3f; /* Discard 2 high-most bits of 56 */ for (i = 1; i < 7; i++) x = (x << 8) + digest[i]; *tree_idx = x; /* Discard 7 high-most bits of 16 */ *leaf_idx = ((digest[7] & 1) << 8) + digest[8]; } const struct slh_dsa_params _slh_dsa_128s_params = { parse_digest, { SLH_DSA_D, XMSS_H, XMSS_SIGNATURE_SIZE (XMSS_H) }, { FORS_A, FORS_K, FORS_MSG_SIZE, FORS_SIGNATURE_SIZE (FORS_A, FORS_K) }, }; nettle-4.0/slh-dsa-internal.h0000644000000000000000000002474615141166424013135 0ustar00/* slh-dsa-internal.h Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SLH_DSA_INTERNAL_H_INCLUDED #define NETTLE_SLH_DSA_INTERNAL_H_INCLUDED #include #include "nettle-types.h" /* Name mangling */ #define _wots_gen _nettle_wots_gen #define _wots_sign _nettle_wots_sign #define _wots_verify _nettle_wots_verify #define _merkle_root _nettle_merkle_root #define _merkle_sign _nettle_merkle_sign #define _merkle_verify _nettle_merkle_verify #define _fors_gen _nettle_fors_gen #define _fors_sign _nettle_fors_sign #define _fors_verify _nettle_fors_verify #define _xmss_gen _nettle_xmss_gen #define _xmss_sign _nettle_xmss_sign #define _xmss_verify _nettle_xmss_verify #define _slh_dsa_pure_digest _nettle_slh_dsa_pure_digest #define _slh_dsa_pure_rdigest _nettle_slh_dsa_pure_rdigest #define _slh_dsa_sign _nettle_slh_dsa_sign #define _slh_dsa_verify _nettle_slh_dsa_verify #define _slh_dsa_128s_params _nettle_slh_dsa_128s_params #define _slh_dsa_128f_params _nettle_slh_dsa_128f_params #define _slh_hash_shake _nettle_slh_hash_shake #define _slh_hash_sha256 _nettle_slh_hash_sha256 /* Size of a single hash, including the seed and prf parameters */ #define _SLH_DSA_128_SIZE 16 /* Fields always big-endian */ struct slh_address_hash { uint32_t type; uint32_t keypair; /* height for XMSS_TREE and FORS_TREE, chain address for WOTS_HASH. */ uint32_t height_chain; /* index for XMSS_TREE and FORS_TREE, hash address for WOTS_HASH. */ uint32_t index_hash; }; enum slh_addr_type { SLH_WOTS_HASH = 0, SLH_WOTS_PK = 1, SLH_XMSS_TREE = 2, SLH_FORS_TREE = 3, SLH_FORS_ROOTS = 4, SLH_WOTS_PRF = 5, SLH_FORS_PRF = 6, }; /* Compute the randomizer for a prefix + message, from secret PRF. */ typedef void slh_hash_randomizer_func (const uint8_t *public_seed, const uint8_t *secret_prf, size_t prefix_length, const uint8_t *prefix, size_t msg_length, const uint8_t *msg, uint8_t *randomizer); /* Compute the message digest, with the randomizer and public key (both seed and root) as input. */ typedef void slh_hash_msg_digest_func (const uint8_t *randomizer, const uint8_t *pub, size_t prefix_length, const uint8_t *prefix, size_t msg_length, const uint8_t *msg, size_t digest_size, uint8_t *digest); /* Initialize context with public seed and first part of the ADRS. */ typedef void slh_hash_init_tree_func (void *tree_ctx, const uint8_t *public_seed, uint32_t layer, uint64_t tree_idx); /* Initialize a new context starting from the tree_ctx, extending it with the rest of the ADRS. */ typedef void slh_hash_init_hash_func (const void *tree_ctx, void *ctx, const struct slh_address_hash *ah); /* Initialize a temporary context like above _init_hash, and hash a single value, e.g., the secret seed or a secret wots value. */ typedef void slh_hash_secret_func (const void *tree_ctx, const struct slh_address_hash *ah, const uint8_t *secret, uint8_t *out); /* Initialize a temporary context like above _init_hash, and hash two values: The left and right child hashes of a merkle tree node. */ typedef void slh_hash_node_func (const void *tree_ctx, const struct slh_address_hash *ah, const uint8_t *left, const uint8_t *right, uint8_t *out); struct slh_hash { slh_hash_init_tree_func *init_tree; slh_hash_init_hash_func *init_hash; nettle_hash_update_func *update; nettle_hash_digest_func *digest; slh_hash_secret_func *secret; slh_hash_node_func *node; slh_hash_randomizer_func *randomizer; slh_hash_msg_digest_func *msg_digest; }; extern const struct slh_hash _slh_hash_shake; /* For sha3_ctx. */ extern const struct slh_hash _slh_hash_sha256; /* For sha256_ctx. */ struct slh_merkle_ctx_public { const struct slh_hash *hash; /* Initialized based on public seed and slh_address_tree. */ const void *tree_ctx; unsigned keypair; /* Used only by fors_leaf and fors_node. */ }; struct slh_merkle_ctx_secret { struct slh_merkle_ctx_public pub; const uint8_t *secret_seed; /* Scratch hashing context, used only by xmss_leaf and _xmss_sign (where it is passed on to wots operations). */ void *scratch_ctx; }; struct slh_xmss_params { unsigned short d; /* Levels of xmss trees. */ unsigned short h; /* Height of each tree. */ unsigned short signature_size; }; struct slh_fors_params { unsigned short a; /* Height of tree. */ unsigned short k; /* Number of trees. */ unsigned short msg_size; unsigned short signature_size; }; typedef void slh_parse_digest_func (const uint8_t *digest, uint64_t *tree_idx, unsigned *leaf_idx); struct slh_dsa_params { slh_parse_digest_func *parse_digest; struct slh_xmss_params xmss; struct slh_fors_params fors; }; extern const struct slh_dsa_params _slh_dsa_128s_params; extern const struct slh_dsa_params _slh_dsa_128f_params; #define _WOTS_SIGNATURE_LENGTH 35 /* 560 bytes */ #define WOTS_SIGNATURE_SIZE (_WOTS_SIGNATURE_LENGTH*_SLH_DSA_128_SIZE) void _wots_gen (const struct slh_hash *hash, const void *tree_ctx, const uint8_t *secret_seed, uint32_t keypair, uint8_t *pub, /* Allocated by caller, initialized and clobbered by callee. */ void *pub_ctx); void _wots_sign (const struct slh_hash *hash, const void *tree_ctx, const uint8_t *secret_seed, unsigned keypair, const uint8_t *msg, uint8_t *signature, uint8_t *pub, /* Allocated by caller, initialized and clobbered by callee. */ void *pub_ctx); /* Computes candidate public key from signature. */ void _wots_verify (const struct slh_hash *hash, const void *tree_ctx, unsigned keypair, const uint8_t *msg, const uint8_t *signature, uint8_t *pub, /* Allocated by caller, initialized and clobbered by callee. */ void *pub_ctx); /* Merkle tree functions. Could be generalized for other merkle tree applications, by using const void* for the ctx argument. */ typedef void merkle_leaf_hash_func (const struct slh_merkle_ctx_secret *ctx, unsigned index, uint8_t *out); typedef void merkle_node_hash_func (const struct slh_merkle_ctx_public *ctx, unsigned height, unsigned index, const uint8_t *left, const uint8_t *right, uint8_t *out); void _merkle_root (const struct slh_merkle_ctx_secret *ctx, merkle_leaf_hash_func *leaf_hash, merkle_node_hash_func *node_hash, unsigned height, unsigned start, uint8_t *root, /* Must have space for (height + 1) node hashes */ uint8_t *stack); void _merkle_sign (const struct slh_merkle_ctx_secret *ctx, merkle_leaf_hash_func *leaf_hash, merkle_node_hash_func *node_hash, unsigned height, unsigned idx, uint8_t *signature); /* The hash argument is both input (leaf hash to be verified) and output (resulting root hash). */ void _merkle_verify (const struct slh_merkle_ctx_public *ctx, merkle_node_hash_func *node_hash, unsigned height, unsigned idx, const uint8_t *signature, uint8_t *hash); #define FORS_SIGNATURE_SIZE(a, k) ((k) * ((a) + 1) * _SLH_DSA_128_SIZE) /* Generates a single secret value, and corresponding leaf hash. */ void _fors_gen (const struct slh_merkle_ctx_secret *ctx, unsigned index, uint8_t *sk, uint8_t *leaf); /* Computes a fors signature as well as the public key. */ void _fors_sign (const struct slh_merkle_ctx_secret *ctx, const struct slh_fors_params *fors, const uint8_t *msg, uint8_t *signature, uint8_t *pub, /* Allocated by caller, initialized and clobbered by callee. */ void *pub_ctx); /* Computes candidate public key from signature. */ void _fors_verify (const struct slh_merkle_ctx_public *ctx, const struct slh_fors_params *fors, const uint8_t *msg, const uint8_t *signature, uint8_t *pub, /* Allocated by caller, initialized and clobbered by callee. */ void *pub_ctx); /* Just the auth path, excluding the wots signature, 144 bytes. */ #define XMSS_AUTH_SIZE(h) ((h) * _SLH_DSA_128_SIZE) #define XMSS_SIGNATURE_SIZE(h) (WOTS_SIGNATURE_SIZE + XMSS_AUTH_SIZE (h)) /* Provided scratch must be of size (xmss->h + 1) * _SLH_DSA_128_SIZE. */ void _xmss_gen (const struct slh_hash *hash, const uint8_t *public_seed, const uint8_t *secret_seed, const struct slh_xmss_params *xmss, uint8_t *root, void *tree_ctx, void *scratch_ctx, uint8_t *scratch); /* Signs using wots, then signs wots public key using xmss. Also returns the xmss public key (i.e., root hash).*/ void _xmss_sign (const struct slh_merkle_ctx_secret *ctx, unsigned h, unsigned idx, const uint8_t *msg, uint8_t *signature, uint8_t *pub); void _xmss_verify (const struct slh_merkle_ctx_public *ctx, unsigned h, unsigned idx, const uint8_t *msg, const uint8_t *signature, uint8_t *pub, /* Allocated by caller, initialized and clobbered by callee. */ void *scratch_ctx); void _slh_dsa_pure_digest (const struct slh_hash *hash, const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *randomizer, size_t digest_size, uint8_t *digest); void _slh_dsa_pure_rdigest (const struct slh_hash *hash, const uint8_t *pub, const uint8_t *prf, size_t length, const uint8_t *msg, uint8_t *randomizer, size_t digest_size, uint8_t *digest); void _slh_dsa_sign (const struct slh_dsa_params *params, const struct slh_hash *hash, const uint8_t *pub, const uint8_t *priv, const uint8_t *digest, uint8_t *signature, void *tree_ctx, void *scratch_ctx); int _slh_dsa_verify (const struct slh_dsa_params *params, const struct slh_hash *hash, const uint8_t *pub, const uint8_t *digest, const uint8_t *signature, void *tree_ctx, void *scratch_ctx); #endif /* NETTLE_SLH_DSA_INTERNAL_H_INCLUDED */ nettle-4.0/slh-dsa-sha2-128f.c0000644000000000000000000000543415141166424012620 0ustar00/* slh-dsa-sha2-128f.c SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa.h" #include "slh-dsa-internal.h" #include "sha2.h" #define SLH_DSA_M 34 #define XMSS_H 3 void slh_dsa_sha2_128f_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root) { struct sha256_ctx tree_ctx, scratch_ctx; uint8_t scratch[(XMSS_H + 1)*_SLH_DSA_128_SIZE]; _xmss_gen (&_slh_hash_sha256, public_seed, private_seed, &_slh_dsa_128f_params.xmss, root, &tree_ctx, &scratch_ctx, scratch); } void slh_dsa_sha2_128f_generate_keypair (uint8_t *pub, uint8_t *priv, void *random_ctx, nettle_random_func *random) { random (random_ctx, SLH_DSA_128_SEED_SIZE, pub); random (random_ctx, 2*SLH_DSA_128_SEED_SIZE, priv); slh_dsa_sha2_128f_root (pub, priv, pub + SLH_DSA_128_SEED_SIZE); } /* Only the "pure" and deterministic variant. */ void slh_dsa_sha2_128f_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { struct sha256_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_rdigest (&_slh_hash_sha256, pub, priv + _SLH_DSA_128_SIZE, length, msg, signature, sizeof (digest), digest); _slh_dsa_sign (&_slh_dsa_128f_params, &_slh_hash_sha256, pub, priv, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } int slh_dsa_sha2_128f_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { struct sha256_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_digest (&_slh_hash_sha256, pub, length, msg, signature, sizeof (digest), digest); return _slh_dsa_verify (&_slh_dsa_128f_params, &_slh_hash_sha256, pub, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } nettle-4.0/slh-dsa-sha2-128s.c0000644000000000000000000000543015141166424012631 0ustar00/* slh-dsa-sha2-128s.c SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa.h" #include "slh-dsa-internal.h" #include "sha2.h" #define SLH_DSA_M 30 #define XMSS_H 9 void slh_dsa_sha2_128s_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root) { struct sha256_ctx tree_ctx, scratch_ctx; uint8_t scratch[(XMSS_H + 1)*_SLH_DSA_128_SIZE]; _xmss_gen (&_slh_hash_sha256, public_seed, private_seed, &_slh_dsa_128s_params.xmss, root, &tree_ctx, &scratch_ctx, scratch); } void slh_dsa_sha2_128s_generate_keypair (uint8_t *pub, uint8_t *priv, void *random_ctx, nettle_random_func *random) { random (random_ctx, SLH_DSA_128_SEED_SIZE, pub); random (random_ctx, 2*SLH_DSA_128_SEED_SIZE, priv); slh_dsa_sha2_128s_root (pub, priv, pub + SLH_DSA_128_SEED_SIZE); } /* Only the "pure" and deterministic variant. */ void slh_dsa_sha2_128s_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { struct sha256_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_rdigest (&_slh_hash_sha256, pub, priv + _SLH_DSA_128_SIZE, length, msg, signature, sizeof (digest), digest); _slh_dsa_sign (&_slh_dsa_128s_params, &_slh_hash_sha256, pub, priv, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } int slh_dsa_sha2_128s_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { struct sha256_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_digest (&_slh_hash_sha256, pub, length, msg, signature, sizeof (digest), digest); return _slh_dsa_verify (&_slh_dsa_128s_params, &_slh_hash_sha256, pub, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } nettle-4.0/slh-dsa-shake-128f.c0000644000000000000000000000543115141166424013053 0ustar00/* slh-dsa-shake-128f.c SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa.h" #include "slh-dsa-internal.h" #include "sha3.h" #define SLH_DSA_M 34 #define XMSS_H 3 void slh_dsa_shake_128f_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root) { struct sha3_ctx tree_ctx, scratch_ctx; uint8_t scratch[(XMSS_H + 1)*_SLH_DSA_128_SIZE]; _xmss_gen (&_slh_hash_shake, public_seed, private_seed, &_slh_dsa_128f_params.xmss, root, &tree_ctx, &scratch_ctx, scratch); } void slh_dsa_shake_128f_generate_keypair (uint8_t *pub, uint8_t *priv, void *random_ctx, nettle_random_func *random) { random (random_ctx, SLH_DSA_128_SEED_SIZE, pub); random (random_ctx, 2*SLH_DSA_128_SEED_SIZE, priv); slh_dsa_shake_128f_root (pub, priv, pub + SLH_DSA_128_SEED_SIZE); } /* Only the "pure" and deterministic variant. */ void slh_dsa_shake_128f_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { struct sha3_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_rdigest (&_slh_hash_shake, pub, priv + _SLH_DSA_128_SIZE, length, msg, signature, sizeof (digest), digest); _slh_dsa_sign (&_slh_dsa_128f_params, &_slh_hash_shake, pub, priv, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } int slh_dsa_shake_128f_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { struct sha3_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_digest (&_slh_hash_shake, pub, length, msg, signature, sizeof (digest), digest); return _slh_dsa_verify (&_slh_dsa_128f_params, &_slh_hash_shake, pub, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } nettle-4.0/slh-dsa-shake-128s.c0000644000000000000000000000543115141166424013070 0ustar00/* slh-dsa-shake-128s.c SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa.h" #include "slh-dsa-internal.h" #include "sha3.h" #define SLH_DSA_M 30 #define XMSS_H 9 void slh_dsa_shake_128s_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root) { struct sha3_ctx tree_ctx, scratch_ctx; uint8_t scratch[(XMSS_H + 1)*_SLH_DSA_128_SIZE]; _xmss_gen (&_slh_hash_shake, public_seed, private_seed, &_slh_dsa_128s_params.xmss, root, &tree_ctx, &scratch_ctx, scratch); } void slh_dsa_shake_128s_generate_keypair (uint8_t *pub, uint8_t *priv, void *random_ctx, nettle_random_func *random) { random (random_ctx, SLH_DSA_128_SEED_SIZE, pub); random (random_ctx, 2*SLH_DSA_128_SEED_SIZE, priv); slh_dsa_shake_128s_root (pub, priv, pub + SLH_DSA_128_SEED_SIZE); } /* Only the "pure" and deterministic variant. */ void slh_dsa_shake_128s_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { struct sha3_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_rdigest (&_slh_hash_shake, pub, priv + _SLH_DSA_128_SIZE, length, msg, signature, sizeof (digest), digest); _slh_dsa_sign (&_slh_dsa_128s_params, &_slh_hash_shake, pub, priv, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } int slh_dsa_shake_128s_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { struct sha3_ctx tree_ctx, scratch_ctx; uint8_t digest[SLH_DSA_M]; _slh_dsa_pure_digest (&_slh_hash_shake, pub, length, msg, signature, sizeof (digest), digest); return _slh_dsa_verify (&_slh_dsa_128s_params, &_slh_hash_shake, pub, digest, signature + _SLH_DSA_128_SIZE, &tree_ctx, &scratch_ctx); } nettle-4.0/slh-dsa.c0000644000000000000000000001034115141166424011300 0ustar00/* slh-dsa.c SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memops.h" #include "slh-dsa.h" #include "slh-dsa-internal.h" static const uint8_t slh_pure_prefix[2] = {0, 0}; void _slh_dsa_pure_digest (const struct slh_hash *hash, const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *randomizer, size_t digest_size, uint8_t *digest) { hash->msg_digest (randomizer, pub, sizeof (slh_pure_prefix), slh_pure_prefix, length, msg, digest_size, digest); } void _slh_dsa_pure_rdigest (const struct slh_hash *hash, const uint8_t *pub, const uint8_t *prf, size_t length, const uint8_t *msg, uint8_t *randomizer, size_t digest_size, uint8_t *digest) { hash->randomizer (pub, prf, sizeof (slh_pure_prefix), slh_pure_prefix, length, msg, randomizer); _slh_dsa_pure_digest (hash, pub, length, msg, randomizer, digest_size, digest); } void _slh_dsa_sign (const struct slh_dsa_params *params, const struct slh_hash *hash, const uint8_t *pub, const uint8_t *priv, const uint8_t *digest, uint8_t *signature, void *tree_ctx, void *scratch_ctx) { uint64_t tree_idx; unsigned leaf_idx; params->parse_digest (digest + params->fors.msg_size, &tree_idx, &leaf_idx); const struct slh_merkle_ctx_secret merkle_ctx = { { hash, tree_ctx, leaf_idx }, priv, scratch_ctx, }; hash->init_tree (tree_ctx, pub, 0, tree_idx); uint8_t root[_SLH_DSA_128_SIZE]; _fors_sign (&merkle_ctx, ¶ms->fors, digest, signature, root, scratch_ctx); signature += params->fors.signature_size; _xmss_sign (&merkle_ctx, params->xmss.h, leaf_idx, root, signature, root); for (unsigned i = 1; i < params->xmss.d; i++) { signature += params->xmss.signature_size; leaf_idx = tree_idx & ((1 << params->xmss.h) - 1); tree_idx >>= params->xmss.h; hash->init_tree (tree_ctx, pub, i, tree_idx); _xmss_sign (&merkle_ctx, params->xmss.h, leaf_idx, root, signature, root); } assert (memeql_sec (root, pub + _SLH_DSA_128_SIZE, sizeof (root))); } int _slh_dsa_verify (const struct slh_dsa_params *params, const struct slh_hash *hash, const uint8_t *pub, const uint8_t *digest, const uint8_t *signature, void *tree_ctx, void *scratch_ctx) { uint64_t tree_idx; unsigned leaf_idx; params->parse_digest (digest + params->fors.msg_size, &tree_idx, &leaf_idx); const struct slh_merkle_ctx_public merkle_ctx = { hash, tree_ctx, leaf_idx }; hash->init_tree (tree_ctx, pub, 0, tree_idx); uint8_t root[_SLH_DSA_128_SIZE]; _fors_verify (&merkle_ctx, ¶ms->fors, digest, signature, root, scratch_ctx); signature += params->fors.signature_size; _xmss_verify (&merkle_ctx, params->xmss.h, leaf_idx, root, signature, root, scratch_ctx); for (unsigned i = 1; i < params->xmss.d; i++) { signature += params->xmss.signature_size; leaf_idx = tree_idx & ((1 << params->xmss.h) - 1); tree_idx >>= params->xmss.h; hash->init_tree (tree_ctx, pub, i, tree_idx); _xmss_verify (&merkle_ctx, params->xmss.h, leaf_idx, root, signature, root, scratch_ctx); } return memcmp (root, pub + _SLH_DSA_128_SIZE, sizeof (root)) == 0; } nettle-4.0/slh-dsa.h0000644000000000000000000001105615141166424011311 0ustar00/* slh-dsa.h SLH-DSA (FIPS 205) signatures. Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SLH_DSA_H #define NETTLE_SLH_DSA_H #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define slh_dsa_shake_128s_root nettle_slh_dsa_shake_128s_root #define slh_dsa_shake_128f_root nettle_slh_dsa_shake_128f_root #define slh_dsa_sha2_128s_root nettle_slh_dsa_sha2_128s_root #define slh_dsa_sha2_128f_root nettle_slh_dsa_sha2_128f_root #define slh_dsa_shake_128s_generate_keypair nettle_slh_dsa_shake_128s_generate_keypair #define slh_dsa_shake_128f_generate_keypair nettle_slh_dsa_shake_128f_generate_keypair #define slh_dsa_sha2_128s_generate_keypair nettle_slh_dsa_sha2_128s_generate_keypair #define slh_dsa_sha2_128f_generate_keypair nettle_slh_dsa_sha2_128f_generate_keypair #define slh_dsa_shake_128s_sign nettle_slh_dsa_shake_128s_sign #define slh_dsa_shake_128f_sign nettle_slh_dsa_shake_128f_sign #define slh_dsa_sha2_128s_sign nettle_slh_dsa_sha2_128s_sign #define slh_dsa_sha2_128f_sign nettle_slh_dsa_sha2_128f_sign #define slh_dsa_shake_128s_verify nettle_slh_dsa_shake_128s_verify #define slh_dsa_shake_128f_verify nettle_slh_dsa_shake_128f_verify #define slh_dsa_sha2_128s_verify nettle_slh_dsa_sha2_128s_verify #define slh_dsa_sha2_128f_verify nettle_slh_dsa_sha2_128f_verify /* Key layout: private: secret_seed prf public: public_seed root */ #define SLH_DSA_128_SEED_SIZE 16 #define SLH_DSA_128_KEY_SIZE 32 #define SLH_DSA_128S_SIGNATURE_SIZE 7856 #define SLH_DSA_128F_SIGNATURE_SIZE 17088 /* Computes public key root, from the two seeds. */ void slh_dsa_shake_128s_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root); void slh_dsa_shake_128f_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root); void slh_dsa_sha2_128s_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root); void slh_dsa_sha2_128f_root (const uint8_t *public_seed, const uint8_t *private_seed, uint8_t *root); void slh_dsa_shake_128s_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random); void slh_dsa_shake_128f_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random); void slh_dsa_sha2_128s_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random); void slh_dsa_sha2_128f_generate_keypair (uint8_t *pub, uint8_t *key, void *random_ctx, nettle_random_func *random); /* Only the "pure" and deterministic variant. */ void slh_dsa_shake_128s_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); void slh_dsa_shake_128f_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); void slh_dsa_sha2_128s_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); void slh_dsa_sha2_128f_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int slh_dsa_shake_128s_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); int slh_dsa_shake_128f_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); int slh_dsa_sha2_128s_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); int slh_dsa_sha2_128f_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); #ifdef __cplusplus } #endif #endif /* NETTLE_SLH_DSA_H */ nettle-4.0/slh-fors.c0000644000000000000000000001106415141166424011505 0ustar00/* slh-fors.c Forest of Random Subsets, part of SLH-DSA (FIPS 205) Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "bswap-internal.h" #include "slh-dsa-internal.h" void _fors_gen (const struct slh_merkle_ctx_secret *ctx, unsigned idx, uint8_t *sk, uint8_t *leaf) { struct slh_address_hash ah = { bswap32_if_le (SLH_FORS_PRF), bswap32_if_le (ctx->pub.keypair), 0, bswap32_if_le (idx), }; ctx->pub.hash->secret (ctx->pub.tree_ctx, &ah, ctx->secret_seed, sk); ah.type = bswap32_if_le (SLH_FORS_TREE); ctx->pub.hash->secret (ctx->pub.tree_ctx, &ah, sk, leaf); } static void fors_leaf (const struct slh_merkle_ctx_secret *ctx, unsigned idx, uint8_t *out) { _fors_gen (ctx, idx, out, out); } static void fors_node (const struct slh_merkle_ctx_public *ctx, unsigned height, unsigned index, const uint8_t *left, const uint8_t *right, uint8_t *out) { struct slh_address_hash ah = { bswap32_if_le (SLH_FORS_TREE), bswap32_if_le (ctx->keypair), bswap32_if_le (height), bswap32_if_le (index), }; ctx->hash->node (ctx->tree_ctx, &ah, left, right, out); } static void fors_sign_one (const struct slh_merkle_ctx_secret *ctx, unsigned a, unsigned idx, uint8_t *signature, void *pub_ctx) { uint8_t hash[_SLH_DSA_128_SIZE]; _fors_gen (ctx, idx, signature, hash); signature += _SLH_DSA_128_SIZE; _merkle_sign (ctx, fors_leaf, fors_node, a, idx, signature); _merkle_verify (&ctx->pub, fors_node, a, idx, signature, hash); ctx->pub.hash->update (pub_ctx, _SLH_DSA_128_SIZE, hash); } void _fors_sign (const struct slh_merkle_ctx_secret *ctx, const struct slh_fors_params *fors, const uint8_t *msg, uint8_t *signature, uint8_t *pub, void *pub_ctx) { struct slh_address_hash ah = { bswap32_if_le (SLH_FORS_ROOTS), bswap32_if_le (ctx->pub.keypair), 0, 0, }; unsigned i, w, bits; unsigned mask = (1 << fors->a) - 1; ctx->pub.hash->init_hash (ctx->pub.tree_ctx, pub_ctx, &ah); for (i = w = bits = 0; i < fors->k; i++, signature += (fors->a + 1) * _SLH_DSA_128_SIZE) { for (; bits < fors->a; bits += 8) w = (w << 8) | *msg++; bits -= fors->a; fors_sign_one (ctx, fors->a, (i << fors->a) + ((w >> bits) & mask), signature, pub_ctx); } ctx->pub.hash->digest (pub_ctx, pub); } static void fors_verify_one (const struct slh_merkle_ctx_public *ctx, unsigned a, unsigned idx, const uint8_t *signature, void *pub_ctx) { uint8_t root[_SLH_DSA_128_SIZE]; struct slh_address_hash ah = { bswap32_if_le (SLH_FORS_TREE), bswap32_if_le (ctx->keypair), 0, bswap32_if_le (idx), }; ctx->hash->secret (ctx->tree_ctx, &ah, signature, root); _merkle_verify (ctx, fors_node, a, idx, signature + _SLH_DSA_128_SIZE, root); ctx->hash->update (pub_ctx, _SLH_DSA_128_SIZE, root); } void _fors_verify (const struct slh_merkle_ctx_public *ctx, const struct slh_fors_params *fors, const uint8_t *msg, const uint8_t *signature, uint8_t *pub, void *pub_ctx) { struct slh_address_hash ah = { bswap32_if_le (SLH_FORS_ROOTS), bswap32_if_le (ctx->keypair), 0, 0, }; unsigned i, w, bits; unsigned mask = (1 << fors->a) - 1; ctx->hash->init_hash (ctx->tree_ctx, pub_ctx, &ah); for (i = w = bits = 0; i < fors->k; i++, signature += (fors->a + 1) * _SLH_DSA_128_SIZE) { for (; bits < fors->a; bits += 8) w = (w << 8) | *msg++; bits -= fors->a; fors_verify_one (ctx, fors->a, (i << fors->a) + ((w >> bits) & mask), signature, pub_ctx); } ctx->hash->digest (pub_ctx, pub); } nettle-4.0/slh-merkle.c0000644000000000000000000000664515141166424012024 0ustar00/* slh-merkle.c Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "slh-dsa-internal.h" /* Computes root hash of a tree. Example for height == 2, 4 entries: i = 0 ==> stack: [0], i = 1 i = 1 ==> stack: [0, 1] ==> [0|1], i = 2 i = 2 ==> stack: [0|1, 2], i = 3 i = 3 ==> stack: [0|1, 2, 3] ==> [0|1, 2|3] ==> [0|1|2|3], i = 4 The size of the stack equals popcount(i) */ void _merkle_root (const struct slh_merkle_ctx_secret *ctx, merkle_leaf_hash_func *leaf_hash, merkle_node_hash_func *node_hash, unsigned height, unsigned start, uint8_t *root, /* Must have space for (height + 1) node hashes */ uint8_t *stack) { unsigned stack_size = 0; unsigned i; assert (height > 0); assert ( (start & ((1<= 2); idx >>= 1; stack_size--; if (h == height) { assert (stack_size == 1); node_hash (&ctx->pub, h, idx, stack + (stack_size - 1) * _SLH_DSA_128_SIZE, stack + stack_size * _SLH_DSA_128_SIZE, root); return; } node_hash (&ctx->pub, h, idx, stack + (stack_size - 1) * _SLH_DSA_128_SIZE, stack + stack_size * _SLH_DSA_128_SIZE, stack + (stack_size - 1)* _SLH_DSA_128_SIZE); } } } void _merkle_sign (const struct slh_merkle_ctx_secret *ctx, merkle_leaf_hash_func *leaf_hash, merkle_node_hash_func *node_hash, unsigned height, unsigned idx, uint8_t *signature) { unsigned h; /* By generating the path from the end, we can use the output area as the temporary stack. */ for (h = height; --h > 0;) _merkle_root (ctx, leaf_hash, node_hash, h, (idx & -(1 << h)) ^ (1 << h), signature + h*_SLH_DSA_128_SIZE, signature); leaf_hash (ctx, idx ^ 1, signature); } void _merkle_verify (const struct slh_merkle_ctx_public *ctx, merkle_node_hash_func *node_hash, unsigned height, unsigned idx, const uint8_t *signature, uint8_t *hash) { unsigned h; for (h = 1; h <= height; h++, signature += _SLH_DSA_128_SIZE) { unsigned right = idx & 1; idx >>= 1; if (right) node_hash (ctx, h, idx, signature, hash, hash); else node_hash (ctx, h, idx, hash, signature, hash); } } nettle-4.0/slh-sha256.c0000644000000000000000000001221315141166424011541 0ustar00/* slh-sha256.c Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "slh-dsa-internal.h" #include "bswap-internal.h" #include "hmac.h" #include "sha2.h" /* Uses a "compressed" address, uint8_t layer uint64_t tree_idx uint8_t type (packed, no padding). */ /* All hashing but H_{msg} and PRF_{msg} use plain sha256: */ static void slh_sha256_init_tree (struct sha256_ctx *ctx, const uint8_t *public_seed, uint32_t layer, uint64_t tree_idx) { static const uint8_t pad[48]; uint8_t addr_layer; uint64_t addr_tree; sha256_init (ctx); sha256_update (ctx, _SLH_DSA_128_SIZE, public_seed); /* This padding completes a sha256 block. */ sha256_update (ctx, sizeof (pad), pad); /* Compressed address. */ addr_layer = layer; sha256_update (ctx, 1, &addr_layer); addr_tree = bswap64_if_le (tree_idx); sha256_update (ctx, sizeof (addr_tree), (const uint8_t *) &addr_tree); } static void slh_sha256_init_hash (const struct sha256_ctx *tree_ctx, struct sha256_ctx *ctx, const struct slh_address_hash *ah) { *ctx = *tree_ctx; /* For compressed addr, hash only last byte of the type. */ sha256_update (ctx, sizeof (*ah) - 3, (const uint8_t *) ah + 3); } static void slh_sha256_digest (struct sha256_ctx *ctx, uint8_t *out) { uint8_t digest[SHA256_DIGEST_SIZE]; sha256_digest (ctx, digest); memcpy (out, digest, _SLH_DSA_128_SIZE); } static void slh_sha256_secret (const struct sha256_ctx *tree_ctx, const struct slh_address_hash *ah, const uint8_t *secret, uint8_t *out) { struct sha256_ctx ctx; slh_sha256_init_hash (tree_ctx, &ctx, ah); sha256_update (&ctx, _SLH_DSA_128_SIZE, secret); slh_sha256_digest (&ctx, out); } static void slh_sha256_node (const struct sha256_ctx *tree_ctx, const struct slh_address_hash *ah, const uint8_t *left, const uint8_t *right, uint8_t *out) { struct sha256_ctx ctx; slh_sha256_init_hash (tree_ctx, &ctx, ah); sha256_update (&ctx, _SLH_DSA_128_SIZE, left); sha256_update (&ctx, _SLH_DSA_128_SIZE, right); slh_sha256_digest (&ctx, out); } static void slh_sha256_randomizer (const uint8_t *public_seed, const uint8_t *secret_prf, size_t prefix_length, const uint8_t *prefix, size_t msg_length, const uint8_t *msg, uint8_t *randomizer) { struct hmac_sha256_ctx ctx; uint8_t digest[SHA256_DIGEST_SIZE]; hmac_sha256_set_key (&ctx, _SLH_DSA_128_SIZE, secret_prf); hmac_sha256_update (&ctx, _SLH_DSA_128_SIZE, public_seed); hmac_sha256_update (&ctx, prefix_length, prefix); hmac_sha256_update (&ctx, msg_length, msg); hmac_sha256_digest (&ctx, digest); memcpy (randomizer, digest, _SLH_DSA_128_SIZE); } static void slh_sha256_msg_digest (const uint8_t *randomizer, const uint8_t *pub, size_t prefix_length, const uint8_t *prefix, size_t length, const uint8_t *msg, size_t digest_size, uint8_t *digest) { struct sha256_ctx ctx; uint8_t inner[SHA256_DIGEST_SIZE]; uint32_t i; sha256_init (&ctx); sha256_update (&ctx, _SLH_DSA_128_SIZE, randomizer); sha256_update (&ctx, 2*_SLH_DSA_128_SIZE, pub); sha256_update (&ctx, prefix_length, prefix); sha256_update (&ctx, length, msg); sha256_digest (&ctx, inner); /* mgf1 with inner digest as the seed. */ for (i = 0; digest_size > 0; i++) { uint32_t i_be = bswap32_if_le (i); sha256_update (&ctx, _SLH_DSA_128_SIZE, randomizer); sha256_update (&ctx, _SLH_DSA_128_SIZE, pub); sha256_update (&ctx, sizeof (inner), inner); sha256_update (&ctx, sizeof (i_be), (const uint8_t *) &i_be); if (digest_size < SHA256_DIGEST_SIZE) { sha256_digest (&ctx, inner); memcpy (digest, inner, digest_size); break; } sha256_digest (&ctx, digest); digest += SHA256_DIGEST_SIZE; digest_size -= SHA256_DIGEST_SIZE; } } const struct slh_hash _slh_hash_sha256 = { (slh_hash_init_tree_func *) slh_sha256_init_tree, (slh_hash_init_hash_func *) slh_sha256_init_hash, (nettle_hash_update_func *) sha256_update, (nettle_hash_digest_func *) slh_sha256_digest, (slh_hash_secret_func *) slh_sha256_secret, (slh_hash_node_func *) slh_sha256_node, slh_sha256_randomizer, slh_sha256_msg_digest }; nettle-4.0/slh-shake.c0000644000000000000000000001001415141166424011621 0ustar00/* slh-shake.c Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa-internal.h" #include "bswap-internal.h" #include "sha3.h" /* Fields always big-endian */ struct slh_address_tree { uint32_t layer; uint32_t pad; /* Always zero */ uint64_t tree_idx; }; static void slh_shake_init_tree (struct sha3_ctx *ctx, const uint8_t *public_seed, uint32_t layer, uint64_t tree_idx) { struct slh_address_tree at = { bswap32_if_le (layer), 0, bswap64_if_le (tree_idx) }; sha3_init (ctx); sha3_256_update (ctx, _SLH_DSA_128_SIZE, public_seed); sha3_256_update (ctx, sizeof (at), (const uint8_t *) &at); } static void slh_shake_init_hash (const struct sha3_ctx *tree_ctx, struct sha3_ctx *ctx, const struct slh_address_hash *ah) { *ctx = *tree_ctx; sha3_256_update (ctx, sizeof (*ah), (const uint8_t *) ah); } static void slh_shake_secret (const struct sha3_ctx *tree_ctx, const struct slh_address_hash *ah, const uint8_t *secret, uint8_t *out) { struct sha3_ctx ctx; slh_shake_init_hash (tree_ctx, &ctx, ah);; sha3_256_update (&ctx, _SLH_DSA_128_SIZE, secret); sha3_256_shake (&ctx, _SLH_DSA_128_SIZE, out); } static void slh_shake_node (const struct sha3_ctx *tree_ctx, const struct slh_address_hash *ah, const uint8_t *left, const uint8_t *right, uint8_t *out) { struct sha3_ctx ctx; slh_shake_init_hash (tree_ctx, &ctx, ah);; sha3_256_update (&ctx, _SLH_DSA_128_SIZE, left); sha3_256_update (&ctx, _SLH_DSA_128_SIZE, right); sha3_256_shake (&ctx, _SLH_DSA_128_SIZE, out); } static void slh_shake_digest (struct sha3_ctx *ctx, uint8_t *out) { sha3_256_shake (ctx, _SLH_DSA_128_SIZE, out); } static void slh_shake_randomizer (const uint8_t *public_seed, const uint8_t *secret_prf, size_t prefix_length, const uint8_t *prefix, size_t msg_length, const uint8_t *msg, uint8_t *randomizer) { struct sha3_ctx ctx; sha3_init (&ctx); sha3_256_update (&ctx, _SLH_DSA_128_SIZE, secret_prf); sha3_256_update (&ctx, _SLH_DSA_128_SIZE, public_seed); sha3_256_update (&ctx, prefix_length, prefix); sha3_256_update (&ctx, msg_length, msg); sha3_256_shake (&ctx, _SLH_DSA_128_SIZE, randomizer); } static void slh_shake_msg_digest (const uint8_t *randomizer, const uint8_t *pub, size_t prefix_length, const uint8_t *prefix, size_t msg_length, const uint8_t *msg, size_t digest_size, uint8_t *digest) { struct sha3_ctx ctx; sha3_init (&ctx); sha3_256_update (&ctx, _SLH_DSA_128_SIZE, randomizer); sha3_256_update (&ctx, 2*_SLH_DSA_128_SIZE, pub); sha3_256_update (&ctx, prefix_length, prefix); sha3_256_update (&ctx, msg_length, msg); sha3_256_shake (&ctx, digest_size, digest); } const struct slh_hash _slh_hash_shake = { (slh_hash_init_tree_func *) slh_shake_init_tree, (slh_hash_init_hash_func *) slh_shake_init_hash, (nettle_hash_update_func *) sha3_256_update, (nettle_hash_digest_func *) slh_shake_digest, (slh_hash_secret_func *) slh_shake_secret, (slh_hash_node_func *) slh_shake_node, slh_shake_randomizer, slh_shake_msg_digest }; nettle-4.0/slh-wots.c0000644000000000000000000001374615141166424011541 0ustar00/* slh-wots.c WOTS+ one-time signatures, part of SLH-DSA (FIPS 205) Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "slh-dsa-internal.h" #include "bswap-internal.h" /* If s == 0, returns src and leaves dst unchanged. Otherwise, returns dst. For the ah argument, leaves ah->keypair and ah->height_chain unchanged, but overwrites the other fields. */ static const uint8_t * wots_chain (const struct slh_hash *hash, const void *ctx, struct slh_address_hash *ah, unsigned i, unsigned s, const uint8_t *src, uint8_t *dst) { unsigned j; if (s == 0) return src; ah->type = bswap32_if_le (SLH_WOTS_HASH); ah->index_hash = bswap32_if_le (i); hash->secret (ctx, ah, src, dst); for (j = 1; j < s; j++) { ah->index_hash = bswap32_if_le (i + j); hash->secret (ctx, ah, dst, dst); } return dst; } static void wots_pk_init (const struct slh_hash *hash, const void *tree_ctx, unsigned keypair, struct slh_address_hash *ah, void *ctx) { ah->type = bswap32_if_le (SLH_WOTS_PK); ah->keypair = bswap32_if_le (keypair); ah->height_chain = 0; ah->index_hash = 0; hash->init_hash (tree_ctx, ctx, ah); } void _wots_gen (const struct slh_hash *hash, const void *tree_ctx, const uint8_t *secret_seed, uint32_t keypair, uint8_t *pub, void *pub_ctx) { struct slh_address_hash ah; unsigned i; wots_pk_init (hash, tree_ctx, keypair, &ah, pub_ctx); for (i = 0; i < _WOTS_SIGNATURE_LENGTH; i++) { uint8_t out[_SLH_DSA_128_SIZE]; /* Generate secret value. */ ah.type = bswap32_if_le (SLH_WOTS_PRF); ah.height_chain = bswap32_if_le (i); ah.index_hash = 0; hash->secret (tree_ctx, &ah, secret_seed, out); /* Hash chain. */ wots_chain (hash, tree_ctx, &ah, 0, 15, out, out); hash->update (pub_ctx, _SLH_DSA_128_SIZE, out); } hash->digest (pub_ctx, pub); } /* Produces signature hash corresponding to the ith message nybble. Modifies addr. */ static void wots_sign_one (const struct slh_hash *hash, const void *tree_ctx, const uint8_t *secret_seed, uint32_t keypair, unsigned i, uint8_t msg, uint8_t *signature, void *pub_ctx) { struct slh_address_hash ah; uint8_t pub[_SLH_DSA_128_SIZE]; signature += i*_SLH_DSA_128_SIZE; /* Generate secret value. */ ah.type = bswap32_if_le (SLH_WOTS_PRF); ah.keypair = bswap32_if_le (keypair); ah.height_chain = bswap32_if_le (i); ah.index_hash = 0; hash->secret (tree_ctx, &ah, secret_seed, signature); /* Hash chain. */ wots_chain (hash, tree_ctx, &ah, 0, msg, signature, signature); hash->update (pub_ctx, _SLH_DSA_128_SIZE, wots_chain (hash, tree_ctx, &ah, msg, 15 - msg, signature, pub)); } void _wots_sign (const struct slh_hash *hash, const void *tree_ctx, const uint8_t *secret_seed, unsigned keypair, const uint8_t *msg, uint8_t *signature, uint8_t *pub, void *pub_ctx) { struct slh_address_hash ah; unsigned i; uint32_t csum; wots_pk_init (hash, tree_ctx, keypair, &ah, pub_ctx); for (i = 0, csum = 15*32; i < _SLH_DSA_128_SIZE; i++) { uint8_t m0, m1; m0 = msg[i] >> 4; csum -= m0; wots_sign_one (hash, tree_ctx, secret_seed, keypair, 2*i, m0, signature, pub_ctx); m1 = msg[i] & 0xf; csum -= m1; wots_sign_one (hash, tree_ctx, secret_seed, keypair, 2*i + 1, m1, signature, pub_ctx); } wots_sign_one (hash, tree_ctx, secret_seed, keypair, 32, csum >> 8, signature, pub_ctx); wots_sign_one (hash, tree_ctx, secret_seed, keypair, 33, (csum >> 4) & 0xf, signature, pub_ctx); wots_sign_one (hash, tree_ctx, secret_seed, keypair, 34, csum & 0xf, signature, pub_ctx); hash->digest (pub_ctx, pub); } static void wots_verify_one (const struct slh_hash *hash, const void *tree_ctx, uint32_t keypair, unsigned i, uint8_t msg, const uint8_t *signature, void *pub_ctx) { struct slh_address_hash ah; uint8_t out[_SLH_DSA_128_SIZE]; signature += i*_SLH_DSA_128_SIZE; ah.keypair = bswap32_if_le (keypair); ah.height_chain = bswap32_if_le (i); hash->update (pub_ctx, _SLH_DSA_128_SIZE, wots_chain (hash, tree_ctx, &ah, msg, 15 - msg, signature, out)); } void _wots_verify (const struct slh_hash *hash, const void *tree_ctx, unsigned keypair, const uint8_t *msg, const uint8_t *signature, uint8_t *pub, void *pub_ctx) { struct slh_address_hash ah; unsigned i; uint32_t csum; wots_pk_init (hash, tree_ctx, keypair, &ah, pub_ctx); for (i = 0, csum = 15*32; i < _SLH_DSA_128_SIZE; i++) { uint8_t m0, m1; m0 = msg[i] >> 4; csum -= m0; wots_verify_one (hash, tree_ctx, keypair, 2*i, m0, signature, pub_ctx); m1 = msg[i] & 0xf; csum -= m1; wots_verify_one (hash, tree_ctx, keypair, 2*i + 1, m1, signature, pub_ctx); } wots_verify_one (hash, tree_ctx, keypair, 32, csum >> 8, signature, pub_ctx); wots_verify_one (hash, tree_ctx, keypair, 33, (csum >> 4) & 0xf, signature, pub_ctx); wots_verify_one (hash, tree_ctx, keypair, 34, csum & 0xf, signature, pub_ctx); hash->digest (pub_ctx, pub); } nettle-4.0/slh-xmss.c0000644000000000000000000000571115141166424011530 0ustar00/* slh-xmss.c The eXtended Merkle Signature Scheme, part of SLH-DSA (FIPS 205) Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "bswap-internal.h" #include "slh-dsa-internal.h" static void xmss_leaf (const struct slh_merkle_ctx_secret *ctx, unsigned idx, uint8_t *leaf) { _wots_gen (ctx->pub.hash, ctx->pub.tree_ctx, ctx->secret_seed, idx, leaf, ctx->scratch_ctx); } static void xmss_node (const struct slh_merkle_ctx_public *ctx, unsigned height, unsigned index, const uint8_t *left, const uint8_t *right, uint8_t *out) { struct slh_address_hash ah = { bswap32_if_le (SLH_XMSS_TREE), 0, bswap32_if_le (height), bswap32_if_le (index), }; ctx->hash->node (ctx->tree_ctx, &ah, left, right, out); } void _xmss_gen (const struct slh_hash *hash, const uint8_t *public_seed, const uint8_t *secret_seed, const struct slh_xmss_params *xmss, uint8_t *root, void *tree_ctx, void *scratch_ctx, uint8_t *scratch) { const struct slh_merkle_ctx_secret ctx = { { hash, tree_ctx, 0 }, secret_seed, scratch_ctx, }; hash->init_tree (tree_ctx, public_seed, xmss->d - 1, 0); _merkle_root (&ctx, xmss_leaf, xmss_node, xmss->h, 0, root, scratch); } void _xmss_sign (const struct slh_merkle_ctx_secret *ctx, unsigned h, unsigned idx, const uint8_t *msg, uint8_t *signature, uint8_t *pub) { _wots_sign (ctx->pub.hash, ctx->pub.tree_ctx, ctx->secret_seed, idx, msg, signature, pub, ctx->scratch_ctx); signature += WOTS_SIGNATURE_SIZE; _merkle_sign (ctx, xmss_leaf, xmss_node, h, idx, signature); _merkle_verify (&ctx->pub, xmss_node, h, idx, signature, pub); } void _xmss_verify (const struct slh_merkle_ctx_public *ctx, unsigned h, unsigned idx, const uint8_t *msg, const uint8_t *signature, uint8_t *pub, void *scratch_ctx) { _wots_verify (ctx->hash, ctx->tree_ctx, idx, msg, signature, pub, scratch_ctx); signature += WOTS_SIGNATURE_SIZE; _merkle_verify (ctx, xmss_node, h, idx, signature, pub); } nettle-4.0/sm3-meta.c0000644000000000000000000000232415141166424011375 0ustar00/* sm3-meta.c Copyright (C) 2017 Jia Zhang Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sm3.h" const struct nettle_hash nettle_sm3 = _NETTLE_HASH(sm3, SM3); nettle-4.0/sm3.c0000644000000000000000000002060515141166424010453 0ustar00/* sm3.c The SM3 hash function. Copyright (C) 2017 Jia Zhang Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sm3.h" #include "macros.h" #include "nettle-write.h" static const uint32_t K[64] = { 0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL, 0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL, 0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL, 0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL, 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL, 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL, 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL, 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL, 0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL, 0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL, 0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL, 0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL, 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL, 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL, 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL, 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL }; /* Transform the message X which consists of 16 32-bit-words. See GM/T 004-2012 for details. */ #define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \ do { \ ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \ ss2 = ss1 ^ ROTL32(12, (a)); \ d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \ h += GG ## i(e, f, g) + ss1 + (w1); \ b = ROTL32(9, (b)); \ f = ROTL32(19, (f)); \ h = P0((h)); \ } while (0) #define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2) #define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2) #define FF1(x, y, z) (x ^ y ^ z) #define FF2(x, y, z) ((x & y) | (x & z) | (y & z)) #define GG1(x, y, z) (x ^ y ^ z) #define GG2(x, y, z) ((x & y) | ( ~x & z)) /* Message expansion */ #define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x))) #define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x))) #define I(i) (w[i] = READ_UINT32(input + i * 4)) #define W1(i) (w[i & 0x0f]) #define W2(i) (w[i & 0x0f] = \ P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \ ^ ROTL32(7, w[(i-13) & 0x0f]) \ ^ w[(i-6) & 0x0f]) static void sm3_compress(uint32_t *state, const uint8_t *input) { uint32_t a, b, c, d, e, f, g, h, ss1, ss2; uint32_t w[16]; a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; f = state[5]; g = state[6]; h = state[7]; R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4)); R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5)); R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6)); R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7)); R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8)); R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9)); R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10)); R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11)); R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12)); R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13)); R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14)); R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15)); R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16)); R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17)); R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18)); R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19)); R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20)); R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21)); R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22)); R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23)); R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24)); R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25)); R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26)); R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27)); R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28)); R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29)); R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30)); R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31)); R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32)); R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33)); R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34)); R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35)); R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36)); R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37)); R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38)); R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39)); R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40)); R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41)); R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42)); R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43)); R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44)); R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45)); R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46)); R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47)); R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48)); R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49)); R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50)); R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51)); R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52)); R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53)); R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54)); R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55)); R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56)); R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57)); R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58)); R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59)); R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60)); R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61)); R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62)); R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63)); R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64)); R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65)); R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66)); R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67)); state[0] ^= a; state[1] ^= b; state[2] ^= c; state[3] ^= d; state[4] ^= e; state[5] ^= f; state[6] ^= g; state[7] ^= h; } void sm3_init(struct sm3_ctx *ctx) { static const uint32_t H0[_SM3_DIGEST_LENGTH] = { 0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL, 0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } #define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data))) void sm3_update(struct sm3_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } static void sm3_write_digest(struct sm3_ctx *ctx, uint8_t *digest) { uint64_t bit_count; MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count); COMPRESS(ctx, ctx->block); _nettle_write_be32(SM3_DIGEST_SIZE, digest, ctx->state); } void sm3_digest(struct sm3_ctx *ctx, uint8_t *digest) { sm3_write_digest(ctx, digest); sm3_init(ctx); } nettle-4.0/sm3.h0000644000000000000000000000363715141166424010466 0ustar00/* sm3.h The SM3 hash function. Copyright (C) 2017 Jia Zhang Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SM3_H_INCLUDED #define NETTLE_SM3_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sm3_init nettle_sm3_init #define sm3_update nettle_sm3_update #define sm3_digest nettle_sm3_digest #define SM3_DIGEST_SIZE 32 #define SM3_BLOCK_SIZE 64 /* Digest is kept internally as 8 32-bit words. */ #define _SM3_DIGEST_LENGTH 8 struct sm3_ctx { uint32_t state[_SM3_DIGEST_LENGTH]; uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[SM3_BLOCK_SIZE]; /* Block buffer */ }; void sm3_init(struct sm3_ctx *ctx); void sm3_update(struct sm3_ctx *ctx, size_t length, const uint8_t *data); void sm3_digest(struct sm3_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_SM3_H_INCLUDED */ nettle-4.0/sm4-meta.c0000644000000000000000000000261515141166424011401 0ustar00/* sm4-meta.c Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sm4.h" const struct nettle_cipher nettle_sm4 = { "sm4", sizeof(struct sm4_ctx), SM4_BLOCK_SIZE, SM4_KEY_SIZE, (nettle_set_key_func *) sm4_set_encrypt_key, (nettle_set_key_func *) sm4_set_decrypt_key, (nettle_cipher_func *) sm4_crypt, (nettle_cipher_func *) sm4_crypt }; nettle-4.0/sm4.c0000644000000000000000000001402715141166424010455 0ustar00/* sm4.c Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sm4.h" #include "macros.h" static const uint32_t fk[4] = { 0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc }; static const uint32_t ck[32] = { 0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269, 0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9, 0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249, 0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9, 0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229, 0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299, 0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209, 0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279 }; static const uint8_t sbox[256] = { 0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05, 0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62, 0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6, 0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8, 0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35, 0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87, 0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e, 0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1, 0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3, 0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f, 0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51, 0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8, 0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0, 0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84, 0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48 }; static uint32_t sm4_t_non_lin_sub(uint32_t x) { uint32_t out; out = (uint32_t)sbox[x & 0xff]; out |= (uint32_t)sbox[(x >> 8) & 0xff] << 8; out |= (uint32_t)sbox[(x >> 16) & 0xff] << 16; out |= (uint32_t)sbox[(x >> 24) & 0xff] << 24; return out; } static uint32_t sm4_key_lin_sub(uint32_t x) { return x ^ ROTL32(13, x) ^ ROTL32(23, x); } static uint32_t sm4_enc_lin_sub(uint32_t x) { return x ^ ROTL32(2, x) ^ ROTL32(10, x) ^ ROTL32(18, x) ^ ROTL32(24, x); } static uint32_t sm4_key_sub(uint32_t x) { return sm4_key_lin_sub(sm4_t_non_lin_sub(x)); } static uint32_t sm4_enc_sub(uint32_t x) { return sm4_enc_lin_sub(sm4_t_non_lin_sub(x)); } static uint32_t sm4_round(uint32_t x0, uint32_t x1, uint32_t x2, uint32_t x3, uint32_t rk) { return x0 ^ sm4_enc_sub(x1 ^ x2 ^ x3 ^ rk); } static void sm4_set_key(struct sm4_ctx *ctx, const uint8_t *key, int encrypt) { uint32_t rk0, rk1, rk2, rk3; unsigned i; rk0 = READ_UINT32(key + 0) ^ fk[0]; rk1 = READ_UINT32(key + 4) ^ fk[1]; rk2 = READ_UINT32(key + 8) ^ fk[2]; rk3 = READ_UINT32(key + 12) ^ fk[3]; for (i = 0; i < 32; i += 4) { rk0 ^= sm4_key_sub(rk1 ^ rk2 ^ rk3 ^ ck[i + 0]); rk1 ^= sm4_key_sub(rk2 ^ rk3 ^ rk0 ^ ck[i + 1]); rk2 ^= sm4_key_sub(rk3 ^ rk0 ^ rk1 ^ ck[i + 2]); rk3 ^= sm4_key_sub(rk0 ^ rk1 ^ rk2 ^ ck[i + 3]); if (encrypt) { ctx->rkey[i + 0] = rk0; ctx->rkey[i + 1] = rk1; ctx->rkey[i + 2] = rk2; ctx->rkey[i + 3] = rk3; } else { ctx->rkey[31 - 0 - i] = rk0; ctx->rkey[31 - 1 - i] = rk1; ctx->rkey[31 - 2 - i] = rk2; ctx->rkey[31 - 3 - i] = rk3; } } } void sm4_set_encrypt_key(struct sm4_ctx *ctx, const uint8_t *key) { sm4_set_key(ctx, key, 1); } void sm4_set_decrypt_key(struct sm4_ctx *ctx, const uint8_t *key) { sm4_set_key(ctx, key, 0); } void sm4_crypt(const struct sm4_ctx *context, size_t length, uint8_t *dst, const uint8_t *src) { const uint32_t *rk = context->rkey; assert( !(length % SM4_BLOCK_SIZE) ); for ( ; length; length -= SM4_BLOCK_SIZE) { uint32_t x0, x1, x2, x3; unsigned i; x0 = READ_UINT32(src + 0 * 4); x1 = READ_UINT32(src + 1 * 4); x2 = READ_UINT32(src + 2 * 4); x3 = READ_UINT32(src + 3 * 4); for (i = 0; i < 32; i += 4) { x0 = sm4_round(x0, x1, x2, x3, rk[i + 0]); x1 = sm4_round(x1, x2, x3, x0, rk[i + 1]); x2 = sm4_round(x2, x3, x0, x1, rk[i + 2]); x3 = sm4_round(x3, x0, x1, x2, rk[i + 3]); } WRITE_UINT32(dst + 0 * 4, x3); WRITE_UINT32(dst + 1 * 4, x2); WRITE_UINT32(dst + 2 * 4, x1); WRITE_UINT32(dst + 3 * 4, x0); src += SM4_BLOCK_SIZE; dst += SM4_BLOCK_SIZE; } } nettle-4.0/sm4.h0000644000000000000000000000331015141166424010453 0ustar00/* sm4.h Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SM4_H_INCLUDED #define NETTLE_SM4_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sm4_set_encrypt_key nettle_sm4_set_encrypt_key #define sm4_set_decrypt_key nettle_sm4_set_decrypt_key #define sm4_crypt nettle_sm4_crypt #define SM4_BLOCK_SIZE 16 #define SM4_KEY_SIZE 16 struct sm4_ctx { uint32_t rkey[32]; }; void sm4_set_encrypt_key(struct sm4_ctx *ctx, const uint8_t *key); void sm4_set_decrypt_key(struct sm4_ctx *ctx, const uint8_t *key); void sm4_crypt(const struct sm4_ctx *context, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SM4_H_INCLUDED */ nettle-4.0/sparc64/0000755000000000000000000000000015141166424011064 5ustar00nettle-4.0/sparc64/aes-decrypt-internal.asm0000644000000000000000000000670115141166424015624 0ustar00C sparc64/aes-decrypt-internal.asm ifelse(` Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`sparc64/aes.m4') C Arguments define(`ROUNDS',`%i0') define(`KEYS', `%i1') define(`T', `%i2') define(`LENGTH',`%i3') define(`DST', `%i4') define(`SRC', `%i5') C AES state, two copies for unrolling define(`W0', `%l0') define(`W1', `%l1') define(`W2', `%l2') define(`W3', `%l3') define(`X0', `%l4') define(`X1', `%l5') define(`X2', `%l6') define(`X3', `%l7') C %o0-%03 are used for loop invariants T0-T3 define(`KEY', `%o4') define(`COUNT', `%o5') C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field C %fp - 16: OS-dependent link field C %fp - 192: OS register save area (22*8 == 176 bytes) define(`FRAME_SIZE', 192) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_decrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC sub KEY, 32, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(4, W0, W3, W2, W1, KEY, X0) AES_ROUND(5, W1, W0, W3, W2, KEY, X1) AES_ROUND(6, W2, W1, W0, W3, KEY, X2) AES_ROUND(7, W3, W2, W1, W0, KEY, X3) C Transform X -> W AES_ROUND(0, X0, X3, X2, X1, KEY, W0) AES_ROUND(1, X1, X0, X3, X2, KEY, W1) AES_ROUND(2, X2, X1, X0, X3, KEY, W2) AES_ROUND(3, X3, X2, X1, X0, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop sub KEY, 32, KEY C Penultimate round AES_ROUND(4, W0, W3, W2, W1, KEY, X0) AES_ROUND(5, W1, W0, W3, W2, KEY, X1) AES_ROUND(6, W2, W1, W0, W3, KEY, X2) AES_ROUND(7, W3, W2, W1, W0, KEY, X3) C Final round AES_FINAL_ROUND(0, T, X0, X3, X2, X1, KEY, DST) AES_FINAL_ROUND(1, T, X1, X0, X3, X2, KEY, DST) AES_FINAL_ROUND(2, T, X2, X1, X0, X3, KEY, DST) AES_FINAL_ROUND(3, T, X3, X2, X1, X0, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_decrypt) nettle-4.0/sparc64/aes-encrypt-internal.asm0000644000000000000000000000734615141166424015644 0ustar00C sparc64/aes-encrypt-internal.asm ifelse(` Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`sparc64/aes.m4') C Arguments define(`ROUNDS',`%i0') define(`KEYS', `%i1') define(`T', `%i2') define(`LENGTH',`%i3') define(`DST', `%i4') define(`SRC', `%i5') C AES state, two copies for unrolling define(`W0', `%l0') define(`W1', `%l1') define(`W2', `%l2') define(`W3', `%l3') define(`X0', `%l4') define(`X1', `%l5') define(`X2', `%l6') define(`X3', `%l7') C %o0-%03 are used for loop invariants T0-T3 define(`KEY', `%o4') define(`COUNT', `%o5') C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field C %fp - 16: OS-dependent link field C %fp - 192: OS register save area (22*8 == 176 bytes) define(`FRAME_SIZE', 192) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_encrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) C Transform X -> W AES_ROUND(4, X0, X1, X2, X3, KEY, W0) AES_ROUND(5, X1, X2, X3, X0, KEY, W1) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY C Penultimate round AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) add KEY, 16, KEY C Final round AES_FINAL_ROUND(0, T, X0, X1, X2, X3, KEY, DST) AES_FINAL_ROUND(1, T, X1, X2, X3, X0, KEY, DST) AES_FINAL_ROUND(2, T, X2, X3, X0, X1, KEY, DST) AES_FINAL_ROUND(3, T, X3, X0, X1, X2, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_encrypt) C Stats for AES 128 on sellafield.lysator.liu.se (UE450, 296 MHz) C 1. nettle-1.13 C-code (nettle-1.13 assembler was broken for sparc64) C 2. New C-code C 3. New assembler code (basically the same as for sparc32) C MB/s cycles/block C 1 0.8 5781 C 2 1.8 2460 C 3 8.2 548 nettle-4.0/sparc64/aes.m40000644000000000000000000000412615141166424012101 0ustar00C Used as temporaries by the AES macros define(`TMP1', `%g1') define(`TMP2', `%g2') define(`TMP3', `%g3') C Loop invariants used by AES_ROUND define(`T0', `%o0') define(`T1', `%o1') define(`T2', `%o2') define(`T3', `%o3') C AES_LOAD(i, src, key, res) define(`AES_LOAD', ` ldub [$2 + 4*$1], $4 ldub [$2 + 4*$1 + 1], TMP1 ldub [$2 + 4*$1 + 2], TMP2 sll TMP1, 8, TMP1 or $4, TMP1, $4 ldub [$2 + 4*$1+3], TMP1 sll TMP2, 16, TMP2 or $4, TMP2, $4 sll TMP1, 24, TMP1 C Get subkey ld [$3 + 4*$1], TMP2 or $4, TMP1, $4 xor $4, TMP2, $4')dnl C AES_ROUND(i, a, b, c, d, key, res) C Computes one word of the AES round C FIXME: Could use registers pointing directly to the four tables C FIXME: Needs better instruction scheduling, and perhaps more temporaries C Alternatively, we can use a single table and some rotations define(`AES_ROUND', ` and $2, 0xff, TMP1 C 0 srl $3, 6, TMP2 C 1 sll TMP1, 2, TMP1 C 0 and TMP2, 0x3fc, TMP2 C 1 ld [T0 + TMP1], $7 C 0 E0 srl $4, 14, TMP1 C 2 ld [T1 + TMP2], TMP2 C 1 and TMP1, 0x3fc, TMP1 C 2 xor $7, TMP2, $7 C 1 E1 srl $5, 22, TMP2 C 3 ld [T2 + TMP1], TMP1 C 2 and TMP2, 0x3fc, TMP2 C 3 xor $7, TMP1, $7 C 2 E2 ld [$6 + 4*$1], TMP1 C 4 ld [T3 + TMP2], TMP2 C 3 xor $7, TMP1, $7 C 4 E4 xor $7, TMP2, $7 C 3 E3 ')dnl C AES_FINAL_ROUND(i, T, a, b, c, d, key, dst) C Compute one word in the final round function. Output is converted to C octets and stored at dst. Relies on AES_SBOX being zero. define(`AES_FINAL_ROUND', ` C Load subkey ld [$7 + 4*$1], TMP3 and $3, 0xff, TMP1 C 0 srl $4, 8, TMP2 C 1 ldub [T + TMP1], TMP1 C 0 and TMP2, 0xff, TMP2 C 1 xor TMP3, TMP1, TMP1 C 0 ldub [T + TMP2], TMP2 C 1 stb TMP1, [$8 + 4*$1] C 0 E0 srl $5, 16, TMP1 C 2 srl TMP3, 8, TMP3 C 1 and TMP1, 0xff, TMP1 C 2 xor TMP3, TMP2, TMP2 C 1 ldub [T + TMP1], TMP1 C 2 stb TMP2, [$8 + 4*$1 + 1] C 1 E1 srl $6, 24, TMP2 C 3 srl TMP3, 8, TMP3 C 2 ldub [T + TMP2], TMP2 C 3 xor TMP3, TMP1, TMP1 C 2 srl TMP3, 8, TMP3 C 3 stb TMP1, [$8 + 4*$1 + 2] C 2 E2 xor TMP3, TMP2, TMP2 C 3 stb TMP2, [$8 + 4*$1 + 3] C 3 E3 ') nettle-4.0/sparc64/machine.m40000644000000000000000000000015315141166424012731 0ustar00define(`BIAS', 2047) C Magic stack bias for the Sparc64 ABI .register %g2,#scratch .register %g3,#scratch nettle-4.0/stamp-h.in0000644000000000000000000000001215141166424011474 0ustar00timestamp nettle-4.0/streebog-meta.c0000644000000000000000000000241615141166424012507 0ustar00/* streebog-meta.c Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "streebog.h" const struct nettle_hash nettle_streebog512 = _NETTLE_HASH(streebog512, STREEBOG512); const struct nettle_hash nettle_streebog256 = _NETTLE_HASH(streebog256, STREEBOG256); nettle-4.0/streebog.c0000644000000000000000000016361715141166424011576 0ustar00/* streebog.c - GOST R 34.11-2012 (Streebog) hash function See RFC 6986 for the English translation of the standard Copyright (C) 2020 Dmitry Baryshkov Based on my code in libgcrypt. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "streebog.h" #include "macros.h" #include "nettle-write.h" /* Pre-computed results of multiplication of bytes on A and reordered with Pi[]. */ static const uint64_t streebog_table[8][256] = { /* 0 */ { 0xd01f715b5c7ef8e6ULL, 0x16fa240980778325ULL, 0xa8a42e857ee049c8ULL, 0x6ac1068fa186465bULL, 0x6e417bd7a2e9320bULL, 0x665c8167a437daabULL, 0x7666681aa89617f6ULL, 0x4b959163700bdcf5ULL, 0xf14be6b78df36248ULL, 0xc585bd689a625cffULL, 0x9557d7fca67d82cbULL, 0x89f0b969af6dd366ULL, 0xb0833d48749f6c35ULL, 0xa1998c23b1ecbc7cULL, 0x8d70c431ac02a736ULL, 0xd6dfbc2fd0a8b69eULL, 0x37aeb3e551fa198bULL, 0x0b7d128a40b5cf9cULL, 0x5a8f2008b5780cbcULL, 0xedec882284e333e5ULL, 0xd25fc177d3c7c2ceULL, 0x5e0f5d50b61778ecULL, 0x1d873683c0c24cb9ULL, 0xad040bcbb45d208cULL, 0x2f89a0285b853c76ULL, 0x5732fff6791b8d58ULL, 0x3e9311439ef6ec3fULL, 0xc9183a809fd3c00fULL, 0x83adf3f5260a01eeULL, 0xa6791941f4e8ef10ULL, 0x103ae97d0ca1cd5dULL, 0x2ce948121dee1b4aULL, 0x39738421dbf2bf53ULL, 0x093da2a6cf0cf5b4ULL, 0xcd9847d89cbcb45fULL, 0xf9561c078b2d8ae8ULL, 0x9c6a755a6971777fULL, 0xbc1ebaa0712ef0c5ULL, 0x72e61542abf963a6ULL, 0x78bb5fde229eb12eULL, 0x14ba94250fceb90dULL, 0x844d6697630e5282ULL, 0x98ea08026a1e032fULL, 0xf06bbea144217f5cULL, 0xdb6263d11ccb377aULL, 0x641c314b2b8ee083ULL, 0x320e96ab9b4770cfULL, 0x1ee7deb986a96b85ULL, 0xe96cf57a878c47b5ULL, 0xfdd6615f8842feb8ULL, 0xc83862965601dd1bULL, 0x2ea9f83e92572162ULL, 0xf876441142ff97fcULL, 0xeb2c455608357d9dULL, 0x5612a7e0b0c9904cULL, 0x6c01cbfb2d500823ULL, 0x4548a6a7fa037a2dULL, 0xabc4c6bf388b6ef4ULL, 0xbade77d4fdf8bebdULL, 0x799b07c8eb4cac3aULL, 0x0c9d87e805b19cf0ULL, 0xcb588aac106afa27ULL, 0xea0c1d40c1e76089ULL, 0x2869354a1e816f1aULL, 0xff96d17307fbc490ULL, 0x9f0a9d602f1a5043ULL, 0x96373fc6e016a5f7ULL, 0x5292dab8b3a6e41cULL, 0x9b8ae0382c752413ULL, 0x4f15ec3b7364a8a5ULL, 0x3fb349555724f12bULL, 0xc7c50d4415db66d7ULL, 0x92b7429ee379d1a7ULL, 0xd37f99611a15dfdaULL, 0x231427c05e34a086ULL, 0xa439a96d7b51d538ULL, 0xb403401077f01865ULL, 0xdda2aea5901d7902ULL, 0x0a5d4a9c8967d288ULL, 0xc265280adf660f93ULL, 0x8bb0094520d4e94eULL, 0x2a29856691385532ULL, 0x42a833c5bf072941ULL, 0x73c64d54622b7eb2ULL, 0x07e095624504536cULL, 0x8a905153e906f45aULL, 0x6f6123c16b3b2f1fULL, 0xc6e55552dc097bc3ULL, 0x4468feb133d16739ULL, 0xe211e7f0c7398829ULL, 0xa2f96419f7879b40ULL, 0x19074bdbc3ad38e9ULL, 0xf4ebc3f9474e0b0cULL, 0x43886bd376d53455ULL, 0xd8028beb5aa01046ULL, 0x51f23282f5cdc320ULL, 0xe7b1c2be0d84e16dULL, 0x081dfab006dee8a0ULL, 0x3b33340d544b857bULL, 0x7f5bcabc679ae242ULL, 0x0edd37c48a08a6d8ULL, 0x81ed43d9a9b33bc6ULL, 0xb1a3655ebd4d7121ULL, 0x69a1eeb5e7ed6167ULL, 0xf6ab73d5c8f73124ULL, 0x1a67a3e185c61fd5ULL, 0x2dc91004d43c065eULL, 0x0240b02c8fb93a28ULL, 0x90f7f2b26cc0eb8fULL, 0x3cd3a16f114fd617ULL, 0xaae49ea9f15973e0ULL, 0x06c0cd748cd64e78ULL, 0xda423bc7d5192a6eULL, 0xc345701c16b41287ULL, 0x6d2193ede4821537ULL, 0xfcf639494190e3acULL, 0x7c3b228621f1c57eULL, 0xfb16ac2b0494b0c0ULL, 0xbf7e529a3745d7f9ULL, 0x6881b6a32e3f7c73ULL, 0xca78d2bad9b8e733ULL, 0xbbfe2fc2342aa3a9ULL, 0x0dbddffecc6381e4ULL, 0x70a6a56e2440598eULL, 0xe4d12a844befc651ULL, 0x8c509c2765d0ba22ULL, 0xee8c6018c28814d9ULL, 0x17da7c1f49a59e31ULL, 0x609c4c1328e194d3ULL, 0xb3e3d57232f44b09ULL, 0x91d7aaa4a512f69bULL, 0x0ffd6fd243dabbccULL, 0x50d26a943c1fde34ULL, 0x6be15e9968545b4fULL, 0x94778fea6faf9fdfULL, 0x2b09dd7058ea4826ULL, 0x677cd9716de5c7bfULL, 0x49d5214fffb2e6ddULL, 0x0360e83a466b273cULL, 0x1fc786af4f7b7691ULL, 0xa0b9d435783ea168ULL, 0xd49f0c035f118cb6ULL, 0x01205816c9d21d14ULL, 0xac2453dd7d8f3d98ULL, 0x545217cc3f70aa64ULL, 0x26b4028e9489c9c2ULL, 0xdec2469fd6765e3eULL, 0x04807d58036f7450ULL, 0xe5f17292823ddb45ULL, 0xf30b569b024a5860ULL, 0x62dcfc3fa758aefbULL, 0xe84cad6c4e5e5aa1ULL, 0xccb81fce556ea94bULL, 0x53b282ae7a74f908ULL, 0x1b47fbf74c1402c1ULL, 0x368eebf39828049fULL, 0x7afbeff2ad278b06ULL, 0xbe5e0a8cfe97caedULL, 0xcfd8f7f413058e77ULL, 0xf78b2bc301252c30ULL, 0x4d555c17fcdd928dULL, 0x5f2f05467fc565f8ULL, 0x24f4b2a21b30f3eaULL, 0x860dd6bbecb768aaULL, 0x4c750401350f8f99ULL, 0x0000000000000000ULL, 0xecccd0344d312ef1ULL, 0xb5231806be220571ULL, 0xc105c030990d28afULL, 0x653c695de25cfd97ULL, 0x159acc33c61ca419ULL, 0xb89ec7f872418495ULL, 0xa9847693b73254dcULL, 0x58cf90243ac13694ULL, 0x59efc832f3132b80ULL, 0x5c4fed7c39ae42c4ULL, 0x828dabe3efd81cfaULL, 0xd13f294d95ace5f2ULL, 0x7d1b7a90e823d86aULL, 0xb643f03cf849224dULL, 0x3df3f979d89dcb03ULL, 0x7426d836272f2ddeULL, 0xdfe21e891fa4432aULL, 0x3a136c1b9d99986fULL, 0xfa36f43dcd46add4ULL, 0xc025982650df35bbULL, 0x856d3e81aadc4f96ULL, 0xc4a5e57e53b041ebULL, 0x4708168b75ba4005ULL, 0xaf44bbe73be41aa4ULL, 0x971767d029c4b8e3ULL, 0xb9be9feebb939981ULL, 0x215497ecd18d9aaeULL, 0x316e7e91dd2c57f3ULL, 0xcef8afe2dad79363ULL, 0x3853dc371220a247ULL, 0x35ee03c9de4323a3ULL, 0xe6919aa8c456fc79ULL, 0xe05157dc4880b201ULL, 0x7bdbb7e464f59612ULL, 0x127a59518318f775ULL, 0x332ecebd52956ddbULL, 0x8f30741d23bb9d1eULL, 0xd922d3fd93720d52ULL, 0x7746300c61440ae2ULL, 0x25d4eab4d2e2eefeULL, 0x75068020eefd30caULL, 0x135a01474acaea61ULL, 0x304e268714fe4ae7ULL, 0xa519f17bb283c82cULL, 0xdc82f6b359cf6416ULL, 0x5baf781e7caa11a8ULL, 0xb2c38d64fb26561dULL, 0x34ce5bdf17913eb7ULL, 0x5d6fb56af07c5fd0ULL, 0x182713cd0a7f25fdULL, 0x9e2ac576e6c84d57ULL, 0x9aaab82ee5a73907ULL, 0xa3d93c0f3e558654ULL, 0x7e7b92aaae48ff56ULL, 0x872d8ead256575beULL, 0x41c8dbfff96c0e7dULL, 0x99ca5014a3cc1e3bULL, 0x40e883e930be1369ULL, 0x1ca76e95091051adULL, 0x4e35b42dbab6b5b1ULL, 0x05a0254ecabd6944ULL, 0xe1710fca8152af15ULL, 0xf22b0e8dcb984574ULL, 0xb763a82a319b3f59ULL, 0x63fca4296e8ab3efULL, 0x9d4a2d4ca0a36a6bULL, 0xe331bfe60eeb953dULL, 0xd5bf541596c391a2ULL, 0xf5cb9bef8e9c1618ULL, 0x46284e9dbc685d11ULL, 0x2074cffa185f87baULL, 0xbd3ee2b6b8fcedd1ULL, 0xae64e3f1f23607b0ULL, 0xfeb68965ce29d984ULL, 0x55724fdaf6a2b770ULL, 0x29496d5cd753720eULL, 0xa75941573d3af204ULL, 0x8e102c0bea69800aULL, 0x111ab16bc573d049ULL, 0xd7ffe439197aab8aULL, 0xefac380e0b5a09cdULL, 0x48f579593660fbc9ULL, 0x22347fd697e6bd92ULL, 0x61bc1405e13389c7ULL, 0x4ab5c975b9d9c1e1ULL, 0x80cd1bcf606126d2ULL, 0x7186fd78ed92449aULL, 0x93971a882aabccb3ULL, 0x88d0e17f66bfce72ULL, 0x27945a985d5bd4d6ULL }, /* 1 */ { 0xde553f8c05a811c8ULL, 0x1906b59631b4f565ULL, 0x436e70d6b1964ff7ULL, 0x36d343cb8b1e9d85ULL, 0x843dfacc858aab5aULL, 0xfdfc95c299bfc7f9ULL, 0x0f634bdea1d51fa2ULL, 0x6d458b3b76efb3cdULL, 0x85c3f77cf8593f80ULL, 0x3c91315fbe737cb2ULL, 0x2148b03366ace398ULL, 0x18f8b8264c6761bfULL, 0xc830c1c495c9fb0fULL, 0x981a76102086a0aaULL, 0xaa16012142f35760ULL, 0x35cc54060c763cf6ULL, 0x42907d66cc45db2dULL, 0x8203d44b965af4bcULL, 0x3d6f3cefc3a0e868ULL, 0xbc73ff69d292bda7ULL, 0x8722ed0102e20a29ULL, 0x8f8185e8cd34deb7ULL, 0x9b0561dda7ee01d9ULL, 0x5335a0193227fad6ULL, 0xc9cecc74e81a6fd5ULL, 0x54f5832e5c2431eaULL, 0x99e47ba05d553470ULL, 0xf7bee756acd226ceULL, 0x384e05a5571816fdULL, 0xd1367452a47d0e6aULL, 0xf29fde1c386ad85bULL, 0x320c77316275f7caULL, 0xd0c879e2d9ae9ab0ULL, 0xdb7406c69110ef5dULL, 0x45505e51a2461011ULL, 0xfc029872e46c5323ULL, 0xfa3cb6f5f7bc0cc5ULL, 0x031f17cd8768a173ULL, 0xbd8df2d9af41297dULL, 0x9d3b4f5ab43e5e3fULL, 0x4071671b36feee84ULL, 0x716207e7d3e3b83dULL, 0x48d20ff2f9283a1aULL, 0x27769eb4757cbc7eULL, 0x5c56ebc793f2e574ULL, 0xa48b474f9ef5dc18ULL, 0x52cbada94ff46e0cULL, 0x60c7da982d8199c6ULL, 0x0e9d466edc068b78ULL, 0x4eec2175eaf865fcULL, 0x550b8e9e21f7a530ULL, 0x6b7ba5bc653fec2bULL, 0x5eb7f1ba6949d0ddULL, 0x57ea94e3db4c9099ULL, 0xf640eae6d101b214ULL, 0xdd4a284182c0b0bbULL, 0xff1d8fbf6304f250ULL, 0xb8accb933bf9d7e8ULL, 0xe8867c478eb68c4dULL, 0x3f8e2692391bddc1ULL, 0xcb2fd60912a15a7cULL, 0xaec935dbab983d2fULL, 0xf55ffd2b56691367ULL, 0x80e2ce366ce1c115ULL, 0x179bf3f8edb27e1dULL, 0x01fe0db07dd394daULL, 0xda8a0b76ecc37b87ULL, 0x44ae53e1df9584cbULL, 0xb310b4b77347a205ULL, 0xdfab323c787b8512ULL, 0x3b511268d070b78eULL, 0x65e6e3d2b9396753ULL, 0x6864b271e2574d58ULL, 0x259784c98fc789d7ULL, 0x02e11a7dfabb35a9ULL, 0x8841a6dfa337158bULL, 0x7ade78c39b5dcdd0ULL, 0xb7cf804d9a2cc84aULL, 0x20b6bd831b7f7742ULL, 0x75bd331d3a88d272ULL, 0x418f6aab4b2d7a5eULL, 0xd9951cbb6babdaf4ULL, 0xb6318dfde7ff5c90ULL, 0x1f389b112264aa83ULL, 0x492c024284fbaec0ULL, 0xe33a0363c608f9a0ULL, 0x2688930408af28a4ULL, 0xc7538a1a341ce4adULL, 0x5da8e677ee2171aeULL, 0x8c9e92254a5c7fc4ULL, 0x63d8cd55aae938b5ULL, 0x29ebd8daa97a3706ULL, 0x959827b37be88aa1ULL, 0x1484e4356adadf6eULL, 0xa7945082199d7d6bULL, 0xbf6ce8a455fa1cd4ULL, 0x9cc542eac9edcae5ULL, 0x79c16f0e1c356ca3ULL, 0x89bfab6fdee48151ULL, 0xd4174d1830c5f0ffULL, 0x9258048415eb419dULL, 0x6139d72850520d1cULL, 0x6a85a80c18ec78f1ULL, 0xcd11f88e0171059aULL, 0xcceff53e7ca29140ULL, 0xd229639f2315af19ULL, 0x90b91ef9ef507434ULL, 0x5977d28d074a1be1ULL, 0x311360fce51d56b9ULL, 0xc093a92d5a1f2f91ULL, 0x1a19a25bb6dc5416ULL, 0xeb996b8a09de2d3eULL, 0xfee3820f1ed7668aULL, 0xd7085ad5b7ad518cULL, 0x7fff41890fe53345ULL, 0xec5948bd67dde602ULL, 0x2fd5f65dbaaa68e0ULL, 0xa5754affe32648c2ULL, 0xf8ddac880d07396cULL, 0x6fa491468c548664ULL, 0x0c7c5c1326bdbed1ULL, 0x4a33158f03930fb3ULL, 0x699abfc19f84d982ULL, 0xe4fa2054a80b329cULL, 0x6707f9af438252faULL, 0x08a368e9cfd6d49eULL, 0x47b1442c58fd25b8ULL, 0xbbb3dc5ebc91769bULL, 0x1665fe489061eac7ULL, 0x33f27a811fa66310ULL, 0x93a609346838d547ULL, 0x30ed6d4c98cec263ULL, 0x1dd9816cd8df9f2aULL, 0x94662a03063b1e7bULL, 0x83fdd9fbeb896066ULL, 0x7b207573e68e590aULL, 0x5f49fc0a149a4407ULL, 0x343259b671a5a82cULL, 0xfbc2bb458a6f981fULL, 0xc272b350a0a41a38ULL, 0x3aaf1fd8ada32354ULL, 0x6cbb868b0b3c2717ULL, 0xa2b569c88d2583feULL, 0xf180c9d1bf027928ULL, 0xaf37386bd64ba9f5ULL, 0x12bacab2790a8088ULL, 0x4c0d3b0810435055ULL, 0xb2eeb9070e9436dfULL, 0xc5b29067cea7d104ULL, 0xdcb425f1ff132461ULL, 0x4f122cc5972bf126ULL, 0xac282fa651230886ULL, 0xe7e537992f6393efULL, 0xe61b3a2952b00735ULL, 0x709c0a57ae302ce7ULL, 0xe02514ae416058d3ULL, 0xc44c9dd7b37445deULL, 0x5a68c5408022ba92ULL, 0x1c278cdca50c0bf0ULL, 0x6e5a9cf6f18712beULL, 0x86dce0b17f319ef3ULL, 0x2d34ec2040115d49ULL, 0x4bcd183f7e409b69ULL, 0x2815d56ad4a9a3dcULL, 0x24698979f2141d0dULL, 0x0000000000000000ULL, 0x1ec696a15fb73e59ULL, 0xd86b110b16784e2eULL, 0x8e7f8858b0e74a6dULL, 0x063e2e8713d05fe6ULL, 0xe2c40ed3bbdb6d7aULL, 0xb1f1aeca89fc97acULL, 0xe1db191e3cb3cc09ULL, 0x6418ee62c4eaf389ULL, 0xc6ad87aa49cf7077ULL, 0xd6f65765ca7ec556ULL, 0x9afb6c6dda3d9503ULL, 0x7ce05644888d9236ULL, 0x8d609f95378feb1eULL, 0x23a9aa4e9c17d631ULL, 0x6226c0e5d73aac6fULL, 0x56149953a69f0443ULL, 0xeeb852c09d66d3abULL, 0x2b0ac2a753c102afULL, 0x07c023376e03cb3cULL, 0x2ccae1903dc2c993ULL, 0xd3d76e2f5ec63bc3ULL, 0x9e2458973356ff4cULL, 0xa66a5d32644ee9b1ULL, 0x0a427294356de137ULL, 0x783f62be61e6f879ULL, 0x1344c70204d91452ULL, 0x5b96c8f0fdf12e48ULL, 0xa90916ecc59bf613ULL, 0xbe92e5142829880eULL, 0x727d102a548b194eULL, 0x1be7afebcb0fc0ccULL, 0x3e702b2244c8491bULL, 0xd5e940a84d166425ULL, 0x66f9f41f3e51c620ULL, 0xabe80c913f20c3baULL, 0xf07ec461c2d1edf2ULL, 0xf361d3ac45b94c81ULL, 0x0521394a94b8fe95ULL, 0xadd622162cf09c5cULL, 0xe97871f7f3651897ULL, 0xf4a1f09b2bba87bdULL, 0x095d6559b2054044ULL, 0x0bbc7f2448be75edULL, 0x2af4cf172e129675ULL, 0x157ae98517094bb4ULL, 0x9fda55274e856b96ULL, 0x914713499283e0eeULL, 0xb952c623462a4332ULL, 0x74433ead475b46a8ULL, 0x8b5eb112245fb4f8ULL, 0xa34b6478f0f61724ULL, 0x11a5dd7ffe6221fbULL, 0xc16da49d27ccbb4bULL, 0x76a224d0bde07301ULL, 0x8aa0bca2598c2022ULL, 0x4df336b86d90c48fULL, 0xea67663a740db9e4ULL, 0xef465f70e0b54771ULL, 0x39b008152acb8227ULL, 0x7d1e5bf4f55e06ecULL, 0x105bd0cf83b1b521ULL, 0x775c2960c033e7dbULL, 0x7e014c397236a79fULL, 0x811cc386113255cfULL, 0xeda7450d1a0e72d8ULL, 0x5889df3d7a998f3bULL, 0x2e2bfbedc779fc3aULL, 0xce0eef438619a4e9ULL, 0x372d4e7bf6cd095fULL, 0x04df34fae96b6a4fULL, 0xf923a13870d4adb6ULL, 0xa1aa7e050a4d228dULL, 0xa8f71b5cb84862c9ULL, 0xb52e9a306097fde3ULL, 0x0d8251a35b6e2a0bULL, 0x2257a7fee1c442ebULL, 0x73831d9a29588d94ULL, 0x51d4ba64c89ccf7fULL, 0x502ab7d4b54f5ba5ULL, 0x97793dce8153bf08ULL, 0xe5042de4d5d8a646ULL, 0x9687307efc802bd2ULL, 0xa05473b5779eb657ULL, 0xb4d097801d446939ULL, 0xcff0e2f3fbca3033ULL, 0xc38cbee0dd778ee2ULL, 0x464f499c252eb162ULL, 0xcad1dbb96f72cea6ULL, 0xba4dd1eec142e241ULL, 0xb00fa37af42f0376ULL }, /* 2 */ { 0xcce4cd3aa968b245ULL, 0x089d5484e80b7fafULL, 0x638246c1b3548304ULL, 0xd2fe0ec8c2355492ULL, 0xa7fbdf7ff2374eeeULL, 0x4df1600c92337a16ULL, 0x84e503ea523b12fbULL, 0x0790bbfd53ab0c4aULL, 0x198a780f38f6ea9dULL, 0x2ab30c8f55ec48cbULL, 0xe0f7fed6b2c49db5ULL, 0xb6ecf3f422cadbdcULL, 0x409c9a541358df11ULL, 0xd3ce8a56dfde3fe3ULL, 0xc3e9224312c8c1a0ULL, 0x0d6dfa58816ba507ULL, 0xddf3e1b179952777ULL, 0x04c02a42748bb1d9ULL, 0x94c2abff9f2decb8ULL, 0x4f91752da8f8acf4ULL, 0x78682befb169bf7bULL, 0xe1c77a48af2ff6c4ULL, 0x0c5d7ec69c80ce76ULL, 0x4cc1e4928fd81167ULL, 0xfeed3d24d9997b62ULL, 0x518bb6dfc3a54a23ULL, 0x6dbf2d26151f9b90ULL, 0xb5bc624b05ea664fULL, 0xe86aaa525acfe21aULL, 0x4801ced0fb53a0beULL, 0xc91463e6c00868edULL, 0x1027a815cd16fe43ULL, 0xf67069a0319204cdULL, 0xb04ccc976c8abce7ULL, 0xc0b9b3fc35e87c33ULL, 0xf380c77c58f2de65ULL, 0x50bb3241de4e2152ULL, 0xdf93f490435ef195ULL, 0xf1e0d25d62390887ULL, 0xaf668bfb1a3c3141ULL, 0xbc11b251f00a7291ULL, 0x73a5eed47e427d47ULL, 0x25bee3f6ee4c3b2eULL, 0x43cc0beb34786282ULL, 0xc824e778dde3039cULL, 0xf97d86d98a327728ULL, 0xf2b043e24519b514ULL, 0xe297ebf7880f4b57ULL, 0x3a94a49a98fab688ULL, 0x868516cb68f0c419ULL, 0xeffa11af0964ee50ULL, 0xa4ab4ec0d517f37dULL, 0xa9c6b498547c567aULL, 0x8e18424f80fbbbb6ULL, 0x0bcdc53bcf2bc23cULL, 0x137739aaea3643d0ULL, 0x2c1333ec1bac2ff0ULL, 0x8d48d3f0a7db0625ULL, 0x1e1ac3f26b5de6d7ULL, 0xf520f81f16b2b95eULL, 0x9f0f6ec450062e84ULL, 0x0130849e1deb6b71ULL, 0xd45e31ab8c7533a9ULL, 0x652279a2fd14e43fULL, 0x3209f01e70f1c927ULL, 0xbe71a770cac1a473ULL, 0x0e3d6be7a64b1894ULL, 0x7ec8148cff29d840ULL, 0xcb7476c7fac3be0fULL, 0x72956a4a63a91636ULL, 0x37f95ec21991138fULL, 0x9e3fea5a4ded45f5ULL, 0x7b38ba50964902e8ULL, 0x222e580bbde73764ULL, 0x61e253e0899f55e6ULL, 0xfc8d2805e352ad80ULL, 0x35994be3235ac56dULL, 0x09add01af5e014deULL, 0x5e8659a6780539c6ULL, 0xb17c48097161d796ULL, 0x026015213acbd6e2ULL, 0xd1ae9f77e515e901ULL, 0xb7dc776a3f21b0adULL, 0xaba6a1b96eb78098ULL, 0x9bcf4486248d9f5dULL, 0x582666c536455efdULL, 0xfdbdac9bfeb9c6f1ULL, 0xc47999be4163cdeaULL, 0x765540081722a7efULL, 0x3e548ed8ec710751ULL, 0x3d041f67cb51bac2ULL, 0x7958af71ac82d40aULL, 0x36c9da5c047a78feULL, 0xed9a048e33af38b2ULL, 0x26ee7249c96c86bdULL, 0x900281bdeba65d61ULL, 0x11172c8bd0fd9532ULL, 0xea0abf73600434f8ULL, 0x42fc8f75299309f3ULL, 0x34a9cf7d3eb1ae1cULL, 0x2b838811480723baULL, 0x5ce64c8742ceef24ULL, 0x1adae9b01fd6570eULL, 0x3c349bf9d6bad1b3ULL, 0x82453c891c7b75c0ULL, 0x97923a40b80d512bULL, 0x4a61dbf1c198765cULL, 0xb48ce6d518010d3eULL, 0xcfb45c858e480fd6ULL, 0xd933cbf30d1e96aeULL, 0xd70ea014ab558e3aULL, 0xc189376228031742ULL, 0x9262949cd16d8b83ULL, 0xeb3a3bed7def5f89ULL, 0x49314a4ee6b8cbcfULL, 0xdcc3652f647e4c06ULL, 0xda635a4c2a3e2b3dULL, 0x470c21a940f3d35bULL, 0x315961a157d174b4ULL, 0x6672e81dda3459acULL, 0x5b76f77a1165e36eULL, 0x445cb01667d36ec8ULL, 0xc5491d205c88a69bULL, 0x456c34887a3805b9ULL, 0xffddb9bac4721013ULL, 0x99af51a71e4649bfULL, 0xa15be01cbc7729d5ULL, 0x52db2760e485f7b0ULL, 0x8c78576eba306d54ULL, 0xae560f6507d75a30ULL, 0x95f22f6182c687c9ULL, 0x71c5fbf54489aba5ULL, 0xca44f259e728d57eULL, 0x88b87d2ccebbdc8dULL, 0xbab18d32be4a15aaULL, 0x8be8ec93e99b611eULL, 0x17b713e89ebdf209ULL, 0xb31c5d284baa0174ULL, 0xeeca9531148f8521ULL, 0xb8d198138481c348ULL, 0x8988f9b2d350b7fcULL, 0xb9e11c8d996aa839ULL, 0x5a4673e40c8e881fULL, 0x1687977683569978ULL, 0xbf4123eed72acf02ULL, 0x4ea1f1b3b513c785ULL, 0xe767452be16f91ffULL, 0x7505d1b730021a7cULL, 0xa59bca5ec8fc980cULL, 0xad069eda20f7e7a3ULL, 0x38f4b1bba231606aULL, 0x60d2d77e94743e97ULL, 0x9affc0183966f42cULL, 0x248e6768f3a7505fULL, 0xcdd449a4b483d934ULL, 0x87b59255751baf68ULL, 0x1bea6d2e023d3c7fULL, 0x6b1f12455b5ffcabULL, 0x743555292de9710dULL, 0xd8034f6d10f5fddfULL, 0xc6198c9f7ba81b08ULL, 0xbb8109aca3a17edbULL, 0xfa2d1766ad12cabbULL, 0xc729080166437079ULL, 0x9c5fff7b77269317ULL, 0x0000000000000000ULL, 0x15d706c9a47624ebULL, 0x6fdf38072fd44d72ULL, 0x5fb6dd3865ee52b7ULL, 0xa33bf53d86bcff37ULL, 0xe657c1b5fc84fa8eULL, 0xaa962527735cebe9ULL, 0x39c43525bfda0b1bULL, 0x204e4d2a872ce186ULL, 0x7a083ece8ba26999ULL, 0x554b9c9db72efbfaULL, 0xb22cd9b656416a05ULL, 0x96a2bedea5e63a5aULL, 0x802529a826b0a322ULL, 0x8115ad363b5bc853ULL, 0x8375b81701901eb1ULL, 0x3069e53f4a3a1fc5ULL, 0xbd2136cfede119e0ULL, 0x18bafc91251d81ecULL, 0x1d4a524d4c7d5b44ULL, 0x05f0aedc6960daa8ULL, 0x29e39d3072ccf558ULL, 0x70f57f6b5962c0d4ULL, 0x989fd53903ad22ceULL, 0xf84d024797d91c59ULL, 0x547b1803aac5908bULL, 0xf0d056c37fd263f6ULL, 0xd56eb535919e58d8ULL, 0x1c7ad6d351963035ULL, 0x2e7326cd2167f912ULL, 0xac361a443d1c8cd2ULL, 0x697f076461942a49ULL, 0x4b515f6fdc731d2dULL, 0x8ad8680df4700a6fULL, 0x41ac1eca0eb3b460ULL, 0x7d988533d80965d3ULL, 0xa8f6300649973d0bULL, 0x7765c4960ac9cc9eULL, 0x7ca801adc5e20ea2ULL, 0xdea3700e5eb59ae4ULL, 0xa06b6482a19c42a4ULL, 0x6a2f96db46b497daULL, 0x27def6d7d487edccULL, 0x463ca5375d18b82aULL, 0xa6cb5be1efdc259fULL, 0x53eba3fef96e9cc1ULL, 0xce84d81b93a364a7ULL, 0xf4107c810b59d22fULL, 0x333974806d1aa256ULL, 0x0f0def79bba073e5ULL, 0x231edc95a00c5c15ULL, 0xe437d494c64f2c6cULL, 0x91320523f64d3610ULL, 0x67426c83c7df32ddULL, 0x6eefbc99323f2603ULL, 0x9d6f7be56acdf866ULL, 0x5916e25b2bae358cULL, 0x7ff89012e2c2b331ULL, 0x035091bf2720bd93ULL, 0x561b0d22900e4669ULL, 0x28d319ae6f279e29ULL, 0x2f43a2533c8c9263ULL, 0xd09e1be9f8fe8270ULL, 0xf740ed3e2c796fbcULL, 0xdb53ded237d5404cULL, 0x62b2c25faebfe875ULL, 0x0afd41a5d2c0a94dULL, 0x6412fd3ce0ff8f4eULL, 0xe3a76f6995e42026ULL, 0x6c8fa9b808f4f0e1ULL, 0xc2d9a6dd0f23aad1ULL, 0x8f28c6d19d10d0c7ULL, 0x85d587744fd0798aULL, 0xa20b71a39b579446ULL, 0x684f83fa7c7f4138ULL, 0xe507500adba4471dULL, 0x3f640a46f19a6c20ULL, 0x1247bd34f7dd28a1ULL, 0x2d23b77206474481ULL, 0x93521002cc86e0f2ULL, 0x572b89bc8de52d18ULL, 0xfb1d93f8b0f9a1caULL, 0xe95a2ecc4724896bULL, 0x3ba420048511ddf9ULL, 0xd63e248ab6bee54bULL, 0x5dd6c8195f258455ULL, 0x06a03f634e40673bULL, 0x1f2a476c76b68da6ULL, 0x217ec9b49ac78af7ULL, 0xecaa80102e4453c3ULL, 0x14e78257b99d4f9aULL }, /* 3 */ { 0x20329b2cc87bba05ULL, 0x4f5eb6f86546a531ULL, 0xd4f44775f751b6b1ULL, 0x8266a47b850dfa8bULL, 0xbb986aa15a6ca985ULL, 0xc979eb08f9ae0f99ULL, 0x2da6f447a2375ea1ULL, 0x1e74275dcd7d8576ULL, 0xbc20180a800bc5f8ULL, 0xb4a2f701b2dc65beULL, 0xe726946f981b6d66ULL, 0x48e6c453bf21c94cULL, 0x42cad9930f0a4195ULL, 0xefa47b64aacccd20ULL, 0x71180a8960409a42ULL, 0x8bb3329bf6a44e0cULL, 0xd34c35de2d36daccULL, 0xa92f5b7cbc23dc96ULL, 0xb31a85aa68bb09c3ULL, 0x13e04836a73161d2ULL, 0xb24dfc4129c51d02ULL, 0x8ae44b70b7da5acdULL, 0xe671ed84d96579a7ULL, 0xa4bb3417d66f3832ULL, 0x4572ab38d56d2de8ULL, 0xb1b47761ea47215cULL, 0xe81c09cf70aba15dULL, 0xffbdb872ce7f90acULL, 0xa8782297fd5dc857ULL, 0x0d946f6b6a4ce4a4ULL, 0xe4df1f4f5b995138ULL, 0x9ebc71edca8c5762ULL, 0x0a2c1dc0b02b88d9ULL, 0x3b503c115d9d7b91ULL, 0xc64376a8111ec3a2ULL, 0xcec199a323c963e4ULL, 0xdc76a87ec58616f7ULL, 0x09d596e073a9b487ULL, 0x14583a9d7d560dafULL, 0xf4c6dc593f2a0cb4ULL, 0xdd21d19584f80236ULL, 0x4a4836983ddde1d3ULL, 0xe58866a41ae745f9ULL, 0xf591a5b27e541875ULL, 0x891dc05074586693ULL, 0x5b068c651810a89eULL, 0xa30346bc0c08544fULL, 0x3dbf3751c684032dULL, 0x2a1e86ec785032dcULL, 0xf73f5779fca830eaULL, 0xb60c05ca30204d21ULL, 0x0cc316802b32f065ULL, 0x8770241bdd96be69ULL, 0xb861e18199ee95dbULL, 0xf805cad91418fcd1ULL, 0x29e70dccbbd20e82ULL, 0xc7140f435060d763ULL, 0x0f3a9da0e8b0cc3bULL, 0xa2543f574d76408eULL, 0xbd7761e1c175d139ULL, 0x4b1f4f737ca3f512ULL, 0x6dc2df1f2fc137abULL, 0xf1d05c3967b14856ULL, 0xa742bf3715ed046cULL, 0x654030141d1697edULL, 0x07b872abda676c7dULL, 0x3ce84eba87fa17ecULL, 0xc1fb0403cb79afdfULL, 0x3e46bc7105063f73ULL, 0x278ae987121cd678ULL, 0xa1adb4778ef47cd0ULL, 0x26dd906c5362c2b9ULL, 0x05168060589b44e2ULL, 0xfbfc41f9d79ac08fULL, 0x0e6de44ba9ced8faULL, 0x9feb08068bf243a3ULL, 0x7b341749d06b129bULL, 0x229c69e74a87929aULL, 0xe09ee6c4427c011bULL, 0x5692e30e725c4c3aULL, 0xda99a33e5e9f6e4bULL, 0x353dd85af453a36bULL, 0x25241b4c90e0fee7ULL, 0x5de987258309d022ULL, 0xe230140fc0802984ULL, 0x93281e86a0c0b3c6ULL, 0xf229d719a4337408ULL, 0x6f6c2dd4ad3d1f34ULL, 0x8ea5b2fbae3f0aeeULL, 0x8331dd90c473ee4aULL, 0x346aa1b1b52db7aaULL, 0xdf8f235e06042aa9ULL, 0xcc6f6b68a1354b7bULL, 0x6c95a6f46ebf236aULL, 0x52d31a856bb91c19ULL, 0x1a35ded6d498d555ULL, 0xf37eaef2e54d60c9ULL, 0x72e181a9a3c2a61cULL, 0x98537aad51952fdeULL, 0x16f6c856ffaa2530ULL, 0xd960281e9d1d5215ULL, 0x3a0745fa1ce36f50ULL, 0x0b7b642bf1559c18ULL, 0x59a87eae9aec8001ULL, 0x5e100c05408bec7cULL, 0x0441f98b19e55023ULL, 0xd70dcc5534d38aefULL, 0x927f676de1bea707ULL, 0x9769e70db925e3e5ULL, 0x7a636ea29115065aULL, 0x468b201816ef11b6ULL, 0xab81a9b73edff409ULL, 0xc0ac7de88a07bb1eULL, 0x1f235eb68c0391b7ULL, 0x6056b074458dd30fULL, 0xbe8eeac102f7ed67ULL, 0xcd381283e04b5fbaULL, 0x5cbefecec277c4e3ULL, 0xd21b4c356c48ce0dULL, 0x1019c31664b35d8cULL, 0x247362a7d19eea26ULL, 0xebe582efb3299d03ULL, 0x02aef2cb82fc289fULL, 0x86275df09ce8aaa8ULL, 0x28b07427faac1a43ULL, 0x38a9b7319e1f47cfULL, 0xc82e92e3b8d01b58ULL, 0x06ef0b409b1978bcULL, 0x62f842bfc771fb90ULL, 0x9904034610eb3b1fULL, 0xded85ab5477a3e68ULL, 0x90d195a663428f98ULL, 0x5384636e2ac708d8ULL, 0xcbd719c37b522706ULL, 0xae9729d76644b0ebULL, 0x7c8c65e20a0c7ee6ULL, 0x80c856b007f1d214ULL, 0x8c0b40302cc32271ULL, 0xdbcedad51fe17a8aULL, 0x740e8ae938dbdea0ULL, 0xa615c6dc549310adULL, 0x19cc55f6171ae90bULL, 0x49b1bdb8fe5fdd8dULL, 0xed0a89af2830e5bfULL, 0x6a7aadb4f5a65bd6ULL, 0x7e22972988f05679ULL, 0xf952b3325566e810ULL, 0x39fecedadf61530eULL, 0x6101c99f04f3c7ceULL, 0x2e5f7f6761b562ffULL, 0xf08725d226cf5c97ULL, 0x63af3b54860fef51ULL, 0x8ff2cb10ef411e2fULL, 0x884ab9bb35267252ULL, 0x4df04433e7ba8daeULL, 0x9afd8866d3690741ULL, 0x66b9bb34de94abb3ULL, 0x9baaf18d92171380ULL, 0x543c11c5f0a064a5ULL, 0x17a1b1bdbed431f1ULL, 0xb5f58eeaf3a2717fULL, 0xc355f6c849858740ULL, 0xec5df044694ef17eULL, 0xd83751f5dc6346d4ULL, 0xfc4433520dfdacf2ULL, 0x0000000000000000ULL, 0x5a51f58e596ebc5fULL, 0x3285aaf12e34cf16ULL, 0x8d5c39db6dbd36b0ULL, 0x12b731dde64f7513ULL, 0x94906c2d7aa7dfbbULL, 0x302b583aacc8e789ULL, 0x9d45facd090e6b3cULL, 0x2165e2c78905aec4ULL, 0x68d45f7f775a7349ULL, 0x189b2c1d5664fdcaULL, 0xe1c99f2f030215daULL, 0x6983269436246788ULL, 0x8489af3b1e148237ULL, 0xe94b702431d5b59cULL, 0x33d2d31a6f4adbd7ULL, 0xbfd9932a4389f9a6ULL, 0xb0e30e8aab39359dULL, 0xd1e2c715afcaf253ULL, 0x150f43763c28196eULL, 0xc4ed846393e2eb3dULL, 0x03f98b20c3823c5eULL, 0xfd134ab94c83b833ULL, 0x556b682eb1de7064ULL, 0x36c4537a37d19f35ULL, 0x7559f30279a5ca61ULL, 0x799ae58252973a04ULL, 0x9c12832648707ffdULL, 0x78cd9c6913e92ec5ULL, 0x1d8dac7d0effb928ULL, 0x439da0784e745554ULL, 0x413352b3cc887dcbULL, 0xbacf134a1b12bd44ULL, 0x114ebafd25cd494dULL, 0x2f08068c20cb763eULL, 0x76a07822ba27f63fULL, 0xeab2fb04f25789c2ULL, 0xe3676de481fe3d45ULL, 0x1b62a73d95e6c194ULL, 0x641749ff5c68832cULL, 0xa5ec4dfc97112cf3ULL, 0xf6682e92bdd6242bULL, 0x3f11c59a44782bb2ULL, 0x317c21d1edb6f348ULL, 0xd65ab5be75ad9e2eULL, 0x6b2dd45fb4d84f17ULL, 0xfaab381296e4d44eULL, 0xd0b5befeeeb4e692ULL, 0x0882ef0b32d7a046ULL, 0x512a91a5a83b2047ULL, 0x963e9ee6f85bf724ULL, 0x4e09cf132438b1f0ULL, 0x77f701c9fb59e2feULL, 0x7ddb1c094b726a27ULL, 0x5f4775ee01f5f8bdULL, 0x9186ec4d223c9b59ULL, 0xfeeac1998f01846dULL, 0xac39db1ce4b89874ULL, 0xb75b7c21715e59e0ULL, 0xafc0503c273aa42aULL, 0x6e3b543fec430bf5ULL, 0x704f7362213e8e83ULL, 0x58ff0745db9294c0ULL, 0x67eec2df9feabf72ULL, 0xa0facd9ccf8a6811ULL, 0xb936986ad890811aULL, 0x95c715c63bd9cb7aULL, 0xca8060283a2c33c7ULL, 0x507de84ee9453486ULL, 0x85ded6d05f6a96f6ULL, 0x1cdad5964f81ade9ULL, 0xd5a33e9eb62fa270ULL, 0x40642b588df6690aULL, 0x7f75eec2c98e42b8ULL, 0x2cf18dace3494a60ULL, 0x23cb100c0bf9865bULL, 0xeef3028febb2d9e1ULL, 0x4425d2d394133929ULL, 0xaad6d05c7fa1e0c8ULL, 0xad6ea2f7a5c68cb5ULL, 0xc2028f2308fb9381ULL, 0x819f2f5b468fc6d5ULL, 0xc5bafd88d29cfffcULL, 0x47dc59f357910577ULL, 0x2b49ff07392e261dULL, 0x57c59ae5332258fbULL, 0x73b6f842e2bcb2ddULL, 0xcf96e04862b77725ULL, 0x4ca73dd8a6c4996fULL, 0x015779eb417e14c1ULL, 0x37932a9176af8bf4ULL }, /* 4 */ { 0x190a2c9b249df23eULL, 0x2f62f8b62263e1e9ULL, 0x7a7f754740993655ULL, 0x330b7ba4d5564d9fULL, 0x4c17a16a46672582ULL, 0xb22f08eb7d05f5b8ULL, 0x535f47f40bc148ccULL, 0x3aec5d27d4883037ULL, 0x10ed0a1825438f96ULL, 0x516101f72c233d17ULL, 0x13cc6f949fd04eaeULL, 0x739853c441474bfdULL, 0x653793d90d3f5b1bULL, 0x5240647b96b0fc2fULL, 0x0c84890ad27623e0ULL, 0xd7189b32703aaea3ULL, 0x2685de3523bd9c41ULL, 0x99317c5b11bffefaULL, 0x0d9baa854f079703ULL, 0x70b93648fbd48ac5ULL, 0xa80441fce30bc6beULL, 0x7287704bdc36ff1eULL, 0xb65384ed33dc1f13ULL, 0xd36417343ee34408ULL, 0x39cd38ab6e1bf10fULL, 0x5ab861770a1f3564ULL, 0x0ebacf09f594563bULL, 0xd04572b884708530ULL, 0x3cae9722bdb3af47ULL, 0x4a556b6f2f5cbaf2ULL, 0xe1704f1f76c4bd74ULL, 0x5ec4ed7144c6dfcfULL, 0x16afc01d4c7810e6ULL, 0x283f113cd629ca7aULL, 0xaf59a8761741ed2dULL, 0xeed5a3991e215facULL, 0x3bf37ea849f984d4ULL, 0xe413e096a56ce33cULL, 0x2c439d3a98f020d1ULL, 0x637559dc6404c46bULL, 0x9e6c95d1e5f5d569ULL, 0x24bb9836045fe99aULL, 0x44efa466dac8ecc9ULL, 0xc6eab2a5c80895d6ULL, 0x803b50c035220cc4ULL, 0x0321658cba93c138ULL, 0x8f9ebc465dc7ee1cULL, 0xd15a5137190131d3ULL, 0x0fa5ec8668e5e2d8ULL, 0x91c979578d1037b1ULL, 0x0642ca05693b9f70ULL, 0xefca80168350eb4fULL, 0x38d21b24f36a45ecULL, 0xbeab81e1af73d658ULL, 0x8cbfd9cae7542f24ULL, 0xfd19cc0d81f11102ULL, 0x0ac6430fbb4dbc90ULL, 0x1d76a09d6a441895ULL, 0x2a01573ff1cbbfa1ULL, 0xb572e161894fde2bULL, 0x8124734fa853b827ULL, 0x614b1fdf43e6b1b0ULL, 0x68ac395c4238cc18ULL, 0x21d837bfd7f7b7d2ULL, 0x20c714304a860331ULL, 0x5cfaab726324aa14ULL, 0x74c5ba4eb50d606eULL, 0xf3a3030474654739ULL, 0x23e671bcf015c209ULL, 0x45f087e947b9582aULL, 0xd8bd77b418df4c7bULL, 0xe06f6c90ebb50997ULL, 0x0bd96080263c0873ULL, 0x7e03f9410e40dcfeULL, 0xb8e94be4c6484928ULL, 0xfb5b0608e8ca8e72ULL, 0x1a2b49179e0e3306ULL, 0x4e29e76961855059ULL, 0x4f36c4e6fcf4e4baULL, 0x49740ee395cf7bcaULL, 0xc2963ea386d17f7dULL, 0x90d65ad810618352ULL, 0x12d34c1b02a1fa4dULL, 0xfa44258775bb3a91ULL, 0x18150f14b9ec46ddULL, 0x1491861e6b9a653dULL, 0x9a1019d7ab2c3fc2ULL, 0x3668d42d06fe13d7ULL, 0xdcc1fbb25606a6d0ULL, 0x969490dd795a1c22ULL, 0x3549b1a1bc6dd2efULL, 0xc94f5e23a0ed770eULL, 0xb9f6686b5b39fdcbULL, 0xc4d4f4a6efeae00dULL, 0xe732851a1fff2204ULL, 0x94aad6de5eb869f9ULL, 0x3f8ff2ae07206e7fULL, 0xfe38a9813b62d03aULL, 0xa7a1ad7a8bee2466ULL, 0x7b6056c8dde882b6ULL, 0x302a1e286fc58ca7ULL, 0x8da0fa457a259bc7ULL, 0xb3302b64e074415bULL, 0x5402ae7eff8b635fULL, 0x08f8050c9cafc94bULL, 0xae468bf98a3059ceULL, 0x88c355cca98dc58fULL, 0xb10e6d67c7963480ULL, 0xbad70de7e1aa3cf3ULL, 0xbfb4a26e320262bbULL, 0xcb711820870f02d5ULL, 0xce12b7a954a75c9dULL, 0x563ce87dd8691684ULL, 0x9f73b65e7884618aULL, 0x2b1e74b06cba0b42ULL, 0x47cec1ea605b2df1ULL, 0x1c698312f735ac76ULL, 0x5fdbcefed9b76b2cULL, 0x831a354c8fb1cdfcULL, 0x820516c312c0791fULL, 0xb74ca762aeadabf0ULL, 0xfc06ef821c80a5e1ULL, 0x5723cbf24518a267ULL, 0x9d4df05d5f661451ULL, 0x588627742dfd40bfULL, 0xda8331b73f3d39a0ULL, 0x17b0e392d109a405ULL, 0xf965400bcf28fba9ULL, 0x7c3dbf4229a2a925ULL, 0x023e460327e275dbULL, 0x6cd0b55a0ce126b3ULL, 0xe62da695828e96e7ULL, 0x42ad6e63b3f373b9ULL, 0xe50cc319381d57dfULL, 0xc5cbd729729b54eeULL, 0x46d1e265fd2a9912ULL, 0x6428b056904eeff8ULL, 0x8be23040131e04b7ULL, 0x6709d5da2add2ec0ULL, 0x075de98af44a2b93ULL, 0x8447dcc67bfbe66fULL, 0x6616f655b7ac9a23ULL, 0xd607b8bded4b1a40ULL, 0x0563af89d3a85e48ULL, 0x3db1b4ad20c21ba4ULL, 0x11f22997b8323b75ULL, 0x292032b34b587e99ULL, 0x7f1cdace9331681dULL, 0x8e819fc9c0b65affULL, 0xa1e3677fe2d5bb16ULL, 0xcd33d225ee349da5ULL, 0xd9a2543b85aef898ULL, 0x795e10cbfa0af76dULL, 0x25a4bbb9992e5d79ULL, 0x78413344677b438eULL, 0xf0826688cef68601ULL, 0xd27b34bba392f0ebULL, 0x551d8df162fad7bcULL, 0x1e57c511d0d7d9adULL, 0xdeffbdb171e4d30bULL, 0xf4feea8e802f6caaULL, 0xa480c8f6317de55eULL, 0xa0fc44f07fa40ff5ULL, 0x95b5f551c3c9dd1aULL, 0x22f952336d6476eaULL, 0x0000000000000000ULL, 0xa6be8ef5169f9085ULL, 0xcc2cf1aa73452946ULL, 0x2e7ddb39bf12550aULL, 0xd526dd3157d8db78ULL, 0x486b2d6c08becf29ULL, 0x9b0f3a58365d8b21ULL, 0xac78cdfaadd22c15ULL, 0xbc95c7e28891a383ULL, 0x6a927f5f65dab9c3ULL, 0xc3891d2c1ba0cb9eULL, 0xeaa92f9f50f8b507ULL, 0xcf0d9426c9d6e87eULL, 0xca6e3baf1a7eb636ULL, 0xab25247059980786ULL, 0x69b31ad3df4978fbULL, 0xe2512a93cc577c4cULL, 0xff278a0ea61364d9ULL, 0x71a615c766a53e26ULL, 0x89dc764334fc716cULL, 0xf87a638452594f4aULL, 0xf2bc208be914f3daULL, 0x8766b94ac1682757ULL, 0xbbc82e687cdb8810ULL, 0x626a7a53f9757088ULL, 0xa2c202f358467a2eULL, 0x4d0882e5db169161ULL, 0x09e7268301de7da8ULL, 0xe897699c771ac0dcULL, 0xc8507dac3d9cc3edULL, 0xc0a878a0a1330aa6ULL, 0x978bb352e42ba8c1ULL, 0xe9884a13ea6b743fULL, 0x279afdbabecc28a2ULL, 0x047c8c064ed9eaabULL, 0x507e2278b15289f4ULL, 0x599904fbb08cf45cULL, 0xbd8ae46d15e01760ULL, 0x31353da7f2b43844ULL, 0x8558ff49e68a528cULL, 0x76fbfc4d92ef15b5ULL, 0x3456922e211c660cULL, 0x86799ac55c1993b4ULL, 0x3e90d1219a51da9cULL, 0x2d5cbeb505819432ULL, 0x982e5fd48cce4a19ULL, 0xdb9c1238a24c8d43ULL, 0xd439febecaa96f9bULL, 0x418c0bef0960b281ULL, 0x158ea591f6ebd1deULL, 0x1f48e69e4da66d4eULL, 0x8afd13cf8e6fb054ULL, 0xf5e1c9011d5ed849ULL, 0xe34e091c5126c8afULL, 0xad67ee7530a398f6ULL, 0x43b24dec2e82c75aULL, 0x75da99c1287cd48dULL, 0x92e81cdb3783f689ULL, 0xa3dd217cc537cecdULL, 0x60543c50de970553ULL, 0x93f73f54aaf2426aULL, 0xa91b62737e7a725dULL, 0xf19d4507538732e2ULL, 0x77e4dfc20f9ea156ULL, 0x7d229ccdb4d31dc6ULL, 0x1b346a98037f87e5ULL, 0xedf4c615a4b29e94ULL, 0x4093286094110662ULL, 0xb0114ee85ae78063ULL, 0x6ff1d0d6b672e78bULL, 0x6dcf96d591909250ULL, 0xdfe09e3eec9567e8ULL, 0x3214582b4827f97cULL, 0xb46dc2ee143e6ac8ULL, 0xf6c0ac8da7cd1971ULL, 0xebb60c10cd8901e4ULL, 0xf7df8f023abcad92ULL, 0x9c52d3d2c217a0b2ULL, 0x6b8d5cd0f8ab0d20ULL, 0x3777f7a29b8fa734ULL, 0x011f238f9d71b4e3ULL, 0xc1b75b2f3c42be45ULL, 0x5de588fdfe551ef7ULL, 0x6eeef3592b035368ULL, 0xaa3a07ffc4e9b365ULL, 0xecebe59a39c32a77ULL, 0x5ba742f8976e8187ULL, 0x4b4a48e0b22d0e11ULL, 0xddded83dcb771233ULL, 0xa59feb79ac0c51bdULL, 0xc7f5912a55792135ULL }, /* 5 */ { 0x6d6ae04668a9b08aULL, 0x3ab3f04b0be8c743ULL, 0xe51e166b54b3c908ULL, 0xbe90a9eb35c2f139ULL, 0xb2c7066637f2bec1ULL, 0xaa6945613392202cULL, 0x9a28c36f3b5201ebULL, 0xddce5a93ab536994ULL, 0x0e34133ef6382827ULL, 0x52a02ba1ec55048bULL, 0xa2f88f97c4b2a177ULL, 0x8640e513ca2251a5ULL, 0xcdf1d36258137622ULL, 0xfe6cb708dedf8ddbULL, 0x8a174a9ec8121e5dULL, 0x679896036b81560eULL, 0x59ed033395795feeULL, 0x1dd778ab8b74edafULL, 0xee533ef92d9f926dULL, 0x2a8c79baf8a8d8f5ULL, 0x6bcf398e69b119f6ULL, 0xe20491742fafdd95ULL, 0x276488e0809c2aecULL, 0xea955b82d88f5cceULL, 0x7102c63a99d9e0c4ULL, 0xf9763017a5c39946ULL, 0x429fa2501f151b3dULL, 0x4659c72bea05d59eULL, 0x984b7fdccf5a6634ULL, 0xf742232953fbb161ULL, 0x3041860e08c021c7ULL, 0x747bfd9616cd9386ULL, 0x4bb1367192312787ULL, 0x1b72a1638a6c44d3ULL, 0x4a0e68a6e8359a66ULL, 0x169a5039f258b6caULL, 0xb98a2ef44edee5a4ULL, 0xd9083fe85e43a737ULL, 0x967f6ce239624e13ULL, 0x8874f62d3c1a7982ULL, 0x3c1629830af06e3fULL, 0x9165ebfd427e5a8eULL, 0xb5dd81794ceeaa5cULL, 0x0de8f15a7834f219ULL, 0x70bd98ede3dd5d25ULL, 0xaccc9ca9328a8950ULL, 0x56664eda1945ca28ULL, 0x221db34c0f8859aeULL, 0x26dbd637fa98970dULL, 0x1acdffb4f068f932ULL, 0x4585254f64090fa0ULL, 0x72de245e17d53afaULL, 0x1546b25d7c546cf4ULL, 0x207e0ffffb803e71ULL, 0xfaaad2732bcf4378ULL, 0xb462dfae36ea17bdULL, 0xcf926fd1ac1b11fdULL, 0xe0672dc7dba7ba4aULL, 0xd3fa49ad5d6b41b3ULL, 0x8ba81449b216a3bcULL, 0x14f9ec8a0650d115ULL, 0x40fc1ee3eb1d7ce2ULL, 0x23a2ed9b758ce44fULL, 0x782c521b14fddc7eULL, 0x1c68267cf170504eULL, 0xbcf31558c1ca96e6ULL, 0xa781b43b4ba6d235ULL, 0xf6fd7dfe29ff0c80ULL, 0xb0a4bad5c3fad91eULL, 0xd199f51ea963266cULL, 0x414340349119c103ULL, 0x5405f269ed4dadf7ULL, 0xabd61bb649969dcdULL, 0x6813dbeae7bdc3c8ULL, 0x65fb2ab09f8931d1ULL, 0xf1e7fae152e3181dULL, 0xc1a67cef5a2339daULL, 0x7a4feea8e0f5bba1ULL, 0x1e0b9acf05783791ULL, 0x5b8ebf8061713831ULL, 0x80e53cdbcb3af8d9ULL, 0x7e898bd315e57502ULL, 0xc6bcfbf0213f2d47ULL, 0x95a38e86b76e942dULL, 0x092e94218d243cbaULL, 0x8339debf453622e7ULL, 0xb11be402b9fe64ffULL, 0x57d9100d634177c9ULL, 0xcc4e8db52217cbc3ULL, 0x3b0cae9c71ec7aa2ULL, 0xfb158ca451cbfe99ULL, 0x2b33276d82ac6514ULL, 0x01bf5ed77a04bde1ULL, 0xc5601994af33f779ULL, 0x75c4a3416cc92e67ULL, 0xf3844652a6eb7fc2ULL, 0x3487e375fdd0ef64ULL, 0x18ae430704609eedULL, 0x4d14efb993298efbULL, 0x815a620cb13e4538ULL, 0x125c354207487869ULL, 0x9eeea614ce42cf48ULL, 0xce2d3106d61fac1cULL, 0xbbe99247bad6827bULL, 0x071a871f7b1c149dULL, 0x2e4a1cc10db81656ULL, 0x77a71ff298c149b8ULL, 0x06a5d9c80118a97cULL, 0xad73c27e488e34b1ULL, 0x443a7b981e0db241ULL, 0xe3bbcfa355ab6074ULL, 0x0af276450328e684ULL, 0x73617a896dd1871bULL, 0x58525de4ef7de20fULL, 0xb7be3dcab8e6cd83ULL, 0x19111dd07e64230cULL, 0x842359a03e2a367aULL, 0x103f89f1f3401fb6ULL, 0xdc710444d157d475ULL, 0xb835702334da5845ULL, 0x4320fc876511a6dcULL, 0xd026abc9d3679b8dULL, 0x17250eee885c0b2bULL, 0x90dab52a387ae76fULL, 0x31fed8d972c49c26ULL, 0x89cba8fa461ec463ULL, 0x2ff5421677bcabb7ULL, 0x396f122f85e41d7dULL, 0xa09b332430bac6a8ULL, 0xc888e8ced7070560ULL, 0xaeaf201ac682ee8fULL, 0x1180d7268944a257ULL, 0xf058a43628e7a5fcULL, 0xbd4c4b8fbbce2b07ULL, 0xa1246df34abe7b49ULL, 0x7d5569b79be9af3cULL, 0xa9b5a705bd9efa12ULL, 0xdb6b835baa4bc0e8ULL, 0x05793bac8f147342ULL, 0x21c1512881848390ULL, 0xfdb0556c50d357e5ULL, 0x613d4fcb6a99ff72ULL, 0x03dce2648e0cda3eULL, 0xe949b9e6568386f0ULL, 0xfc0f0bbb2ad7ea04ULL, 0x6a70675913b5a417ULL, 0x7f36d5046fe1c8e3ULL, 0x0c57af8d02304ff8ULL, 0x32223abdfcc84618ULL, 0x0891caf6f720815bULL, 0xa63eeaec31a26fd4ULL, 0x2507345374944d33ULL, 0x49d28ac266394058ULL, 0xf5219f9aa7f3d6beULL, 0x2d96fea583b4cc68ULL, 0x5a31e1571b7585d0ULL, 0x8ed12fe53d02d0feULL, 0xdfade6205f5b0e4bULL, 0x4cabb16ee92d331aULL, 0x04c6657bf510cea3ULL, 0xd73c2cd6a87b8f10ULL, 0xe1d87310a1a307abULL, 0x6cd5be9112ad0d6bULL, 0x97c032354366f3f2ULL, 0xd4e0ceb22677552eULL, 0x0000000000000000ULL, 0x29509bde76a402cbULL, 0xc27a9e8bd42fe3e4ULL, 0x5ef7842cee654b73ULL, 0xaf107ecdbc86536eULL, 0x3fcacbe784fcb401ULL, 0xd55f90655c73e8cfULL, 0xe6c2f40fdabf1336ULL, 0xe8f6e7312c873b11ULL, 0xeb2a0555a28be12fULL, 0xe4a148bc2eb774e9ULL, 0x9b979db84156bc0aULL, 0x6eb60222e6a56ab4ULL, 0x87ffbbc4b026ec44ULL, 0xc703a5275b3b90a6ULL, 0x47e699fc9001687fULL, 0x9c8d1aa73a4aa897ULL, 0x7cea3760e1ed12ddULL, 0x4ec80ddd1d2554c5ULL, 0x13e36b957d4cc588ULL, 0x5d2b66486069914dULL, 0x92b90999cc7280b0ULL, 0x517cc9c56259deb5ULL, 0xc937b619ad03b881ULL, 0xec30824ad997f5b2ULL, 0xa45d565fc5aa080bULL, 0xd6837201d27f32f1ULL, 0x635ef3789e9198adULL, 0x531f75769651b96aULL, 0x4f77530a6721e924ULL, 0x486dd4151c3dfdb9ULL, 0x5f48dafb9461f692ULL, 0x375b011173dc355aULL, 0x3da9775470f4d3deULL, 0x8d0dcd81b30e0ac0ULL, 0x36e45fc609d888bbULL, 0x55baacbe97491016ULL, 0x8cb29356c90ab721ULL, 0x76184125e2c5f459ULL, 0x99f4210bb55edbd5ULL, 0x6f095cf59ca1d755ULL, 0x9f51f8c3b44672a9ULL, 0x3538bda287d45285ULL, 0x50c39712185d6354ULL, 0xf23b1885dcefc223ULL, 0x79930ccc6ef9619fULL, 0xed8fdc9da3934853ULL, 0xcb540aaa590bdf5eULL, 0x5c94389f1a6d2cacULL, 0xe77daad8a0bbaed7ULL, 0x28efc5090ca0bf2aULL, 0xbf2ff73c4fc64cd8ULL, 0xb37858b14df60320ULL, 0xf8c96ec0dfc724a7ULL, 0x828680683f329f06ULL, 0x941cd051cd6a29ccULL, 0xc3c5c05cae2b5e05ULL, 0xb601631dc2e27062ULL, 0xc01922382027843bULL, 0x24b86a840e90f0d2ULL, 0xd245177a276ffc52ULL, 0x0f8b4de98c3c95c6ULL, 0x3e759530fef809e0ULL, 0x0b4d2892792c5b65ULL, 0xc4df4743d5374a98ULL, 0xa5e20888bfaeb5eaULL, 0xba56cc90c0d23f9aULL, 0x38d04cf8ffe0a09cULL, 0x62e1adafe495254cULL, 0x0263bcb3f40867dfULL, 0xcaeb547d230f62bfULL, 0x6082111c109d4293ULL, 0xdad4dd8cd04f7d09ULL, 0xefec602e579b2f8cULL, 0x1fb4c4187f7c8a70ULL, 0xffd3e9dfa4db303aULL, 0x7bf0b07f9af10640ULL, 0xf49ec14dddf76b5fULL, 0x8f6e713247066d1fULL, 0x339d646a86ccfbf9ULL, 0x64447467e58d8c30ULL, 0x2c29a072f9b07189ULL, 0xd8b7613f24471ad6ULL, 0x6627c8d41185ebefULL, 0xa347d140beb61c96ULL, 0xde12b8f7255fb3aaULL, 0x9d324470404e1576ULL, 0x9306574eb6763d51ULL, 0xa80af9d2c79a47f3ULL, 0x859c0777442e8b9bULL, 0x69ac853d9db97e29ULL }, /* 6 */ { 0xc3407dfc2de6377eULL, 0x5b9e93eea4256f77ULL, 0xadb58fdd50c845e0ULL, 0x5219ff11a75bed86ULL, 0x356b61cfd90b1de9ULL, 0xfb8f406e25abe037ULL, 0x7a5a0231c0f60796ULL, 0x9d3cd216e1f5020bULL, 0x0c6550fb6b48d8f3ULL, 0xf57508c427ff1c62ULL, 0x4ad35ffa71cb407dULL, 0x6290a2da1666aa6dULL, 0xe284ec2349355f9fULL, 0xb3c307c53d7c84ecULL, 0x05e23c0468365a02ULL, 0x190bac4d6c9ebfa8ULL, 0x94bbbee9e28b80faULL, 0xa34fc777529cb9b5ULL, 0xcc7b39f095bcd978ULL, 0x2426addb0ce532e3ULL, 0x7e79329312ce4fc7ULL, 0xab09a72eebec2917ULL, 0xf8d15499f6b9d6c2ULL, 0x1a55b8babf8c895dULL, 0xdb8add17fb769a85ULL, 0xb57f2f368658e81bULL, 0x8acd36f18f3f41f6ULL, 0x5ce3b7bba50f11d3ULL, 0x114dcc14d5ee2f0aULL, 0xb91a7fcded1030e8ULL, 0x81d5425fe55de7a1ULL, 0xb6213bc1554adeeeULL, 0x80144ef95f53f5f2ULL, 0x1e7688186db4c10cULL, 0x3b912965db5fe1bcULL, 0xc281715a97e8252dULL, 0x54a5d7e21c7f8171ULL, 0x4b12535ccbc5522eULL, 0x1d289cefbea6f7f9ULL, 0x6ef5f2217d2e729eULL, 0xe6a7dc819b0d17ceULL, 0x1b94b41c05829b0eULL, 0x33d7493c622f711eULL, 0xdcf7f942fa5ce421ULL, 0x600fba8b7f7a8ecbULL, 0x46b60f011a83988eULL, 0x235b898e0dcf4c47ULL, 0x957ab24f588592a9ULL, 0x4354330572b5c28cULL, 0xa5f3ef84e9b8d542ULL, 0x8c711e02341b2d01ULL, 0x0b1874ae6a62a657ULL, 0x1213d8e306fc19ffULL, 0xfe6d7c6a4d9dba35ULL, 0x65ed868f174cd4c9ULL, 0x88522ea0e6236550ULL, 0x899322065c2d7703ULL, 0xc01e690bfef4018bULL, 0x915982ed8abddaf8ULL, 0xbe675b98ec3a4e4cULL, 0xa996bf7f82f00db1ULL, 0xe1daf8d49a27696aULL, 0x2effd5d3dc8986e7ULL, 0xd153a51f2b1a2e81ULL, 0x18caa0ebd690adfbULL, 0x390e3134b243c51aULL, 0x2778b92cdff70416ULL, 0x029f1851691c24a6ULL, 0x5e7cafeacc133575ULL, 0xfa4e4cc89fa5f264ULL, 0x5a5f9f481e2b7d24ULL, 0x484c47ab18d764dbULL, 0x400a27f2a1a7f479ULL, 0xaeeb9b2a83da7315ULL, 0x721c626879869734ULL, 0x042330a2d2384851ULL, 0x85f672fd3765aff0ULL, 0xba446b3a3e02061dULL, 0x73dd6ecec3888567ULL, 0xffac70ccf793a866ULL, 0xdfa9edb5294ed2d4ULL, 0x6c6aea7014325638ULL, 0x834a5a0e8c41c307ULL, 0xcdba35562fb2cb2bULL, 0x0ad97808d06cb404ULL, 0x0f3b440cb85aee06ULL, 0xe5f9c876481f213bULL, 0x98deee1289c35809ULL, 0x59018bbfcd394bd1ULL, 0xe01bf47220297b39ULL, 0xde68e1139340c087ULL, 0x9fa3ca4788e926adULL, 0xbb85679c840c144eULL, 0x53d8f3b71d55ffd5ULL, 0x0da45c5dd146caa0ULL, 0x6f34fe87c72060cdULL, 0x57fbc315cf6db784ULL, 0xcee421a1fca0fddeULL, 0x3d2d0196607b8d4bULL, 0x642c8a29ad42c69aULL, 0x14aff010bdd87508ULL, 0xac74837beac657b3ULL, 0x3216459ad821634dULL, 0x3fb219c70967a9edULL, 0x06bc28f3bb246cf7ULL, 0xf2082c9126d562c6ULL, 0x66b39278c45ee23cULL, 0xbd394f6f3f2878b9ULL, 0xfd33689d9e8f8cc0ULL, 0x37f4799eb017394fULL, 0x108cc0b26fe03d59ULL, 0xda4bd1b1417888d6ULL, 0xb09d1332ee6eb219ULL, 0x2f3ed975668794b4ULL, 0x58c0871977375982ULL, 0x7561463d78ace990ULL, 0x09876cff037e82f1ULL, 0x7fb83e35a8c05d94ULL, 0x26b9b58a65f91645ULL, 0xef20b07e9873953fULL, 0x3148516d0b3355b8ULL, 0x41cb2b541ba9e62aULL, 0x790416c613e43163ULL, 0xa011d380818e8f40ULL, 0x3a5025c36151f3efULL, 0xd57095bdf92266d0ULL, 0x498d4b0da2d97688ULL, 0x8b0c3a57353153a5ULL, 0x21c491df64d368e1ULL, 0x8f2f0af5e7091bf4ULL, 0x2da1c1240f9bb012ULL, 0xc43d59a92ccc49daULL, 0xbfa6573e56345c1fULL, 0x828b56a8364fd154ULL, 0x9a41f643e0df7cafULL, 0xbcf843c985266aeaULL, 0x2b1de9d7b4bfdce5ULL, 0x20059d79dedd7ab2ULL, 0x6dabe6d6ae3c446bULL, 0x45e81bf6c991ae7bULL, 0x6351ae7cac68b83eULL, 0xa432e32253b6c711ULL, 0xd092a9b991143cd2ULL, 0xcac711032e98b58fULL, 0xd8d4c9e02864ac70ULL, 0xc5fc550f96c25b89ULL, 0xd7ef8dec903e4276ULL, 0x67729ede7e50f06fULL, 0xeac28c7af045cf3dULL, 0xb15c1f945460a04aULL, 0x9cfddeb05bfb1058ULL, 0x93c69abce3a1fe5eULL, 0xeb0380dc4a4bdd6eULL, 0xd20db1e8f8081874ULL, 0x229a8528b7c15e14ULL, 0x44291750739fbc28ULL, 0xd3ccbd4e42060a27ULL, 0xf62b1c33f4ed2a97ULL, 0x86a8660ae4779905ULL, 0xd62e814a2a305025ULL, 0x477703a7a08d8addULL, 0x7b9b0e977af815c5ULL, 0x78c51a60a9ea2330ULL, 0xa6adfb733aaae3b7ULL, 0x97e5aa1e3199b60fULL, 0x0000000000000000ULL, 0xf4b404629df10e31ULL, 0x5564db44a6719322ULL, 0x9207961a59afec0dULL, 0x9624a6b88b97a45cULL, 0x363575380a192b1cULL, 0x2c60cd82b595a241ULL, 0x7d272664c1dc7932ULL, 0x7142769faa94a1c1ULL, 0xa1d0df263b809d13ULL, 0x1630e841d4c451aeULL, 0xc1df65ad44fa13d8ULL, 0x13d2d445bcf20bacULL, 0xd915c546926abe23ULL, 0x38cf3d92084dd749ULL, 0xe766d0272103059dULL, 0xc7634d5effde7f2fULL, 0x077d2455012a7ea4ULL, 0xedbfa82ff16fb199ULL, 0xaf2a978c39d46146ULL, 0x42953fa3c8bbd0dfULL, 0xcb061da59496a7dcULL, 0x25e7a17db6eb20b0ULL, 0x34aa6d6963050fbaULL, 0xa76cf7d580a4f1e4ULL, 0xf7ea10954ee338c4ULL, 0xfcf2643b24819e93ULL, 0xcf252d0746aeef8dULL, 0x4ef06f58a3f3082cULL, 0x563acfb37563a5d7ULL, 0x5086e740ce47c920ULL, 0x2982f186dda3f843ULL, 0x87696aac5e798b56ULL, 0x5d22bb1d1f010380ULL, 0x035e14f7d31236f5ULL, 0x3cec0d30da759f18ULL, 0xf3c920379cdb7095ULL, 0xb8db736b571e22bbULL, 0xdd36f5e44052f672ULL, 0xaac8ab8851e23b44ULL, 0xa857b3d938fe1fe2ULL, 0x17f1e4e76eca43fdULL, 0xec7ea4894b61a3caULL, 0x9e62c6e132e734feULL, 0xd4b1991b432c7483ULL, 0x6ad6c283af163acfULL, 0x1ce9904904a8e5aaULL, 0x5fbda34c761d2726ULL, 0xf910583f4cb7c491ULL, 0xc6a241f845d06d7cULL, 0x4f3163fe19fd1a7fULL, 0xe99c988d2357f9c8ULL, 0x8eee06535d0709a7ULL, 0x0efa48aa0254fc55ULL, 0xb4be23903c56fa48ULL, 0x763f52caabbedf65ULL, 0xeee1bcd8227d876cULL, 0xe345e085f33b4dccULL, 0x3e731561b369bbbeULL, 0x2843fd2067adea10ULL, 0x2adce5710eb1ceb6ULL, 0xb7e03767ef44ccbdULL, 0x8db012a48e153f52ULL, 0x61ceb62dc5749c98ULL, 0xe85d942b9959eb9bULL, 0x4c6f7709caef2c8aULL, 0x84377e5b8d6bbda3ULL, 0x30895dcbb13d47ebULL, 0x74a04a9bc2a2fbc3ULL, 0x6b17ce251518289cULL, 0xe438c4d0f2113368ULL, 0x1fb784bed7bad35fULL, 0x9b80fae55ad16efcULL, 0x77fe5e6c11b0cd36ULL, 0xc858095247849129ULL, 0x08466059b97090a2ULL, 0x01c10ca6ba0e1253ULL, 0x6988d6747c040c3aULL, 0x6849dad2c60a1e69ULL, 0x5147ebe67449db73ULL, 0xc99905f4fd8a837aULL, 0x991fe2b433cd4a5aULL, 0xf09734c04fc94660ULL, 0xa28ecbd1e892abe6ULL, 0xf1563866f5c75433ULL, 0x4dae7baf70e13ed9ULL, 0x7ce62ac27bd26b61ULL, 0x70837a39109ab392ULL, 0x90988e4b30b3c8abULL, 0xb2020b63877296bfULL, 0x156efcb607d6675bULL }, /* 7 */ { 0xe63f55ce97c331d0ULL, 0x25b506b0015bba16ULL, 0xc8706e29e6ad9ba8ULL, 0x5b43d3775d521f6aULL, 0x0bfa3d577035106eULL, 0xab95fc172afb0e66ULL, 0xf64b63979e7a3276ULL, 0xf58b4562649dad4bULL, 0x48f7c3dbae0c83f1ULL, 0xff31916642f5c8c5ULL, 0xcbb048dc1c4a0495ULL, 0x66b8f83cdf622989ULL, 0x35c130e908e2b9b0ULL, 0x7c761a61f0b34fa1ULL, 0x3601161cf205268dULL, 0x9e54ccfe2219b7d6ULL, 0x8b7d90a538940837ULL, 0x9cd403588ea35d0bULL, 0xbc3c6fea9ccc5b5aULL, 0xe5ff733b6d24aeedULL, 0xceed22de0f7eb8d2ULL, 0xec8581cab1ab545eULL, 0xb96105e88ff8e71dULL, 0x8ca03501871a5eadULL, 0x76ccce65d6db2a2fULL, 0x5883f582a7b58057ULL, 0x3f7be4ed2e8adc3eULL, 0x0fe7be06355cd9c9ULL, 0xee054e6c1d11be83ULL, 0x1074365909b903a6ULL, 0x5dde9f80b4813c10ULL, 0x4a770c7d02b6692cULL, 0x5379c8d5d7809039ULL, 0xb4067448161ed409ULL, 0x5f5e5026183bd6cdULL, 0xe898029bf4c29df9ULL, 0x7fb63c940a54d09cULL, 0xc5171f897f4ba8bcULL, 0xa6f28db7b31d3d72ULL, 0x2e4f3be7716eaa78ULL, 0x0d6771a099e63314ULL, 0x82076254e41bf284ULL, 0x2f0fd2b42733df98ULL, 0x5c9e76d3e2dc49f0ULL, 0x7aeb569619606cdbULL, 0x83478b07b2468764ULL, 0xcfadcb8d5923cd32ULL, 0x85dac7f05b95a41eULL, 0xb5469d1b4043a1e9ULL, 0xb821ecbbd9a592fdULL, 0x1b8e0b0e798c13c8ULL, 0x62a57b6d9a0be02eULL, 0xfcf1b793b81257f8ULL, 0x9d94ea0bd8fe28ebULL, 0x4cea408aeb654a56ULL, 0x23284a47e888996cULL, 0x2d8f1d128b893545ULL, 0xf4cbac3132c0d8abULL, 0xbd7c86b9ca912ebaULL, 0x3a268eef3dbe6079ULL, 0xf0d62f6077a9110cULL, 0x2735c916ade150cbULL, 0x89fd5f03942ee2eaULL, 0x1acee25d2fd16628ULL, 0x90f39bab41181bffULL, 0x430dfe8cde39939fULL, 0xf70b8ac4c8274796ULL, 0x1c53aeaac6024552ULL, 0x13b410acf35e9c9bULL, 0xa532ab4249faa24fULL, 0x2b1251e5625a163fULL, 0xd7e3e676da4841c7ULL, 0xa7b264e4e5404892ULL, 0xda8497d643ae72d3ULL, 0x861ae105a1723b23ULL, 0x38a6414991048aa4ULL, 0x6578dec92585b6b4ULL, 0x0280cfa6acbaeaddULL, 0x88bdb650c273970aULL, 0x9333bd5ebbff84c2ULL, 0x4e6a8f2c47dfa08bULL, 0x321c954db76cef2aULL, 0x418d312a72837942ULL, 0xb29b38bfffcdf773ULL, 0x6c022c38f90a4c07ULL, 0x5a033a240b0f6a8aULL, 0x1f93885f3ce5da6fULL, 0xc38a537e96988bc6ULL, 0x39e6a81ac759ff44ULL, 0x29929e43cee0fce2ULL, 0x40cdd87924de0ca2ULL, 0xe9d8ebc8a29fe819ULL, 0x0c2798f3cfbb46f4ULL, 0x55e484223e53b343ULL, 0x4650948ecd0d2fd8ULL, 0x20e86cb2126f0651ULL, 0x6d42c56baf5739e7ULL, 0xa06fc1405ace1e08ULL, 0x7babbfc54f3d193bULL, 0x424d17df8864e67fULL, 0xd8045870ef14980eULL, 0xc6d7397c85ac3781ULL, 0x21a885e1443273b1ULL, 0x67f8116f893f5c69ULL, 0x24f5efe35706cff6ULL, 0xd56329d076f2ab1aULL, 0x5e1eb9754e66a32dULL, 0x28d2771098bd8902ULL, 0x8f6013f47dfdc190ULL, 0x17a993fdb637553cULL, 0xe0a219397e1012aaULL, 0x786b9930b5da8606ULL, 0x6e82e39e55b0a6daULL, 0x875a0856f72f4ec3ULL, 0x3741ff4fa458536dULL, 0xac4859b3957558fcULL, 0x7ef6d5c75c09a57cULL, 0xc04a758b6c7f14fbULL, 0xf9acdd91ab26ebbfULL, 0x7391a467c5ef9668ULL, 0x335c7c1ee1319acaULL, 0xa91533b18641e4bbULL, 0xe4bf9a683b79db0dULL, 0x8e20faa72ba0b470ULL, 0x51f907737b3a7ae4ULL, 0x2268a314bed5ec8cULL, 0xd944b123b949edeeULL, 0x31dcb3b84d8b7017ULL, 0xd3fe65279f218860ULL, 0x097af2f1dc8ffab3ULL, 0x9b09a6fc312d0b91ULL, 0xcc6ded78a3c4520fULL, 0x3481d9ba5ebfcc50ULL, 0x4f2a667f1182d56bULL, 0xdfd9fdd4509ace94ULL, 0x26752045fbbc252bULL, 0xbffc491f662bc467ULL, 0xdd593272fc202449ULL, 0x3cbbc218d46d4303ULL, 0x91b372f817456e1fULL, 0x681faf69bc6385a0ULL, 0xb686bbeebaa43ed4ULL, 0x1469b5084cd0ca01ULL, 0x98c98009cbca94acULL, 0x6438379a73d8c354ULL, 0xc2caba2dc0c5fe26ULL, 0x3e3b0dbe78d7a9deULL, 0x50b9ee202d670f04ULL, 0x4590b27b37eab0e5ULL, 0x6025b4cb36b10af3ULL, 0xfb2c1237079c0162ULL, 0xa12f28130c936be8ULL, 0x4b37e52e54eb1cccULL, 0x083a1ba28ad28f53ULL, 0xc10a9cd83a22611bULL, 0x9f1425ad7444c236ULL, 0x069d4cf7e9d3237aULL, 0xedc56899e7f621beULL, 0x778c273680865fcfULL, 0x309c5aeb1bd605f7ULL, 0x8de0dc52d1472b4dULL, 0xf8ec34c2fd7b9e5fULL, 0xea18cd3d58787724ULL, 0xaad515447ca67b86ULL, 0x9989695a9d97e14cULL, 0x0000000000000000ULL, 0xf196c63321f464ecULL, 0x71116bc169557cb5ULL, 0xaf887f466f92c7c1ULL, 0x972e3e0ffe964d65ULL, 0x190ec4a8d536f915ULL, 0x95aef1a9522ca7b8ULL, 0xdc19db21aa7d51a9ULL, 0x94ee18fa0471d258ULL, 0x8087adf248a11859ULL, 0xc457f6da2916dd5cULL, 0xfa6cfb6451c17482ULL, 0xf256e0c6db13fbd1ULL, 0x6a9f60cf10d96f7dULL, 0x4daaa9d9bd383fb6ULL, 0x03c026f5fae79f3dULL, 0xde99148706c7bb74ULL, 0x2a52b8b6340763dfULL, 0x6fc20acd03edd33aULL, 0xd423c08320afdefaULL, 0xbbe1ca4e23420dc0ULL, 0x966ed75ca8cb3885ULL, 0xeb58246e0e2502c4ULL, 0x055d6a021334bc47ULL, 0xa47242111fa7d7afULL, 0xe3623fcc84f78d97ULL, 0x81c744a11efc6db9ULL, 0xaec8961539cfb221ULL, 0xf31609958d4e8e31ULL, 0x63e5923ecc5695ceULL, 0x47107ddd9b505a38ULL, 0xa3afe7b5a0298135ULL, 0x792b7063e387f3e6ULL, 0x0140e953565d75e0ULL, 0x12f4f9ffa503e97bULL, 0x750ce8902c3cb512ULL, 0xdbc47e8515f30733ULL, 0x1ed3610c6ab8af8fULL, 0x5239218681dde5d9ULL, 0xe222d69fd2aaf877ULL, 0xfe71783514a8bd25ULL, 0xcaf0a18f4a177175ULL, 0x61655d9860ec7f13ULL, 0xe77fbc9dc19e4430ULL, 0x2ccff441ddd440a5ULL, 0x16e97aaee06a20dcULL, 0xa855dae2d01c915bULL, 0x1d1347f9905f30b2ULL, 0xb7c652bdecf94b34ULL, 0xd03e43d265c6175dULL, 0xfdb15ec0ee4f2218ULL, 0x57644b8492e9599eULL, 0x07dda5a4bf8e569aULL, 0x54a46d71680ec6a3ULL, 0x5624a2d7c4b42c7eULL, 0xbebca04c3076b187ULL, 0x7d36f332a6ee3a41ULL, 0x3b6667bc6be31599ULL, 0x695f463aea3ef040ULL, 0xad08b0e0c3282d1cULL, 0xb15b1e4a052a684eULL, 0x44d05b2861b7c505ULL, 0x15295c5b1a8dbfe1ULL, 0x744c01c37a61c0f2ULL, 0x59c31cd1f1e8f5b7ULL, 0xef45a73f4b4ccb63ULL, 0x6bdf899c46841a9dULL, 0x3dfb2b4b823036e3ULL, 0xa2ef0ee6f674f4d5ULL, 0x184e2dfb836b8cf5ULL, 0x1134df0a5fe47646ULL, 0xbaa1231d751f7820ULL, 0xd17eaa81339b62bdULL, 0xb01bf71953771daeULL, 0x849a2ea30dc8d1feULL, 0x705182923f080955ULL, 0x0ea757556301ac29ULL, 0x041d83514569c9a7ULL, 0x0abad4042668658eULL, 0x49b72a88f851f611ULL, 0x8a3d79f66ec97dd7ULL, 0xcd2d042bf59927efULL, 0xc930877ab0f0ee48ULL, 0x9273540deda2f122ULL, 0xc797d02fd3f14261ULL, 0xe1e2f06a284d674aULL, 0xd2be8c74c97cfd80ULL, 0x9a494faf67707e71ULL, 0xb3dbd1eca9908293ULL, 0x72d14d3493b2e388ULL, 0xd6a30f258c153427ULL }, }; static const uint64_t C16[12][8] = { { 0xdd806559f2a64507ULL, 0x05767436cc744d23ULL, 0xa2422a08a460d315ULL, 0x4b7ce09192676901ULL, 0x714eb88d7585c4fcULL, 0x2f6a76432e45d016ULL, 0xebcb2f81c0657c1fULL, 0xb1085bda1ecadae9ULL }, { 0xe679047021b19bb7ULL, 0x55dda21bd7cbcd56ULL, 0x5cb561c2db0aa7caULL, 0x9ab5176b12d69958ULL, 0x61d55e0f16b50131ULL, 0xf3feea720a232b98ULL, 0x4fe39d460f70b5d7ULL, 0x6fa3b58aa99d2f1aULL }, { 0x991e96f50aba0ab2ULL, 0xc2b6f443867adb31ULL, 0xc1c93a376062db09ULL, 0xd3e20fe490359eb1ULL, 0xf2ea7514b1297b7bULL, 0x06f15e5f529c1f8bULL, 0x0a39fc286a3d8435ULL, 0xf574dcac2bce2fc7ULL }, { 0x220cbebc84e3d12eULL, 0x3453eaa193e837f1ULL, 0xd8b71333935203beULL, 0xa9d72c82ed03d675ULL, 0x9d721cad685e353fULL, 0x488e857e335c3c7dULL, 0xf948e1a05d71e4ddULL, 0xef1fdfb3e81566d2ULL }, { 0x601758fd7c6cfe57ULL, 0x7a56a27ea9ea63f5ULL, 0xdfff00b723271a16ULL, 0xbfcd1747253af5a3ULL, 0x359e35d7800fffbdULL, 0x7f151c1f1686104aULL, 0x9a3f410c6ca92363ULL, 0x4bea6bacad474799ULL }, { 0xfa68407a46647d6eULL, 0xbf71c57236904f35ULL, 0x0af21f66c2bec6b6ULL, 0xcffaa6b71c9ab7b4ULL, 0x187f9ab49af08ec6ULL, 0x2d66c4f95142a46cULL, 0x6fa4c33b7a3039c0ULL, 0xae4faeae1d3ad3d9ULL }, { 0x8886564d3a14d493ULL, 0x3517454ca23c4af3ULL, 0x06476983284a0504ULL, 0x0992abc52d822c37ULL, 0xd3473e33197a93c9ULL, 0x399ec6c7e6bf87c9ULL, 0x51ac86febf240954ULL, 0xf4c70e16eeaac5ecULL }, { 0xa47f0dd4bf02e71eULL, 0x36acc2355951a8d9ULL, 0x69d18d2bd1a5c42fULL, 0xf4892bcb929b0690ULL, 0x89b4443b4ddbc49aULL, 0x4eb7f8719c36de1eULL, 0x03e7aa020c6e4141ULL, 0x9b1f5b424d93c9a7ULL }, { 0x7261445183235adbULL, 0x0e38dc92cb1f2a60ULL, 0x7b2b8a9aa6079c54ULL, 0x800a440bdbb2ceb1ULL, 0x3cd955b7e00d0984ULL, 0x3a7d3a1b25894224ULL, 0x944c9ad8ec165fdeULL, 0x378f5a541631229bULL }, { 0x74b4c7fb98459cedULL, 0x3698fad1153bb6c3ULL, 0x7a1e6c303b7652f4ULL, 0x9fe76702af69334bULL, 0x1fffe18a1b336103ULL, 0x8941e71cff8a78dbULL, 0x382ae548b2e4f3f3ULL, 0xabbedea680056f52ULL }, { 0x6bcaa4cd81f32d1bULL, 0xdea2594ac06fd85dULL, 0xefbacd1d7d476e98ULL, 0x8a1d71efea48b9caULL, 0x2001802114846679ULL, 0xd8fa6bbbebab0761ULL, 0x3002c6cd635afe94ULL, 0x7bcd9ed0efc889fbULL }, { 0x48bc924af11bd720ULL, 0xfaf417d5d9b21b99ULL, 0xe71da4aa88e12852ULL, 0x5d80ef9d1891cc86ULL, 0xf82012d430219f9bULL, 0xcda43c32bcdf1d77ULL, 0xd21380b00449b17aULL, 0x378ee767f11631baULL }, }; #define strido(out, temp, i) do { \ uint64_t t; \ t = streebog_table[0][(temp[0] >> (i * 8)) & 0xff]; \ t ^= streebog_table[1][(temp[1] >> (i * 8)) & 0xff]; \ t ^= streebog_table[2][(temp[2] >> (i * 8)) & 0xff]; \ t ^= streebog_table[3][(temp[3] >> (i * 8)) & 0xff]; \ t ^= streebog_table[4][(temp[4] >> (i * 8)) & 0xff]; \ t ^= streebog_table[5][(temp[5] >> (i * 8)) & 0xff]; \ t ^= streebog_table[6][(temp[6] >> (i * 8)) & 0xff]; \ t ^= streebog_table[7][(temp[7] >> (i * 8)) & 0xff]; \ out[i] = t; } while(0) static void LPSX (uint64_t *out, const uint64_t *a, const uint64_t *b) { uint64_t temp[8]; temp[0] = a[0] ^ b[0]; temp[1] = a[1] ^ b[1]; temp[2] = a[2] ^ b[2]; temp[3] = a[3] ^ b[3]; temp[4] = a[4] ^ b[4]; temp[5] = a[5] ^ b[5]; temp[6] = a[6] ^ b[6]; temp[7] = a[7] ^ b[7]; strido (out, temp, 0); strido (out, temp, 1); strido (out, temp, 2); strido (out, temp, 3); strido (out, temp, 4); strido (out, temp, 5); strido (out, temp, 6); strido (out, temp, 7); } static inline void g (uint64_t *h, uint64_t *m, uint64_t *N) { uint64_t K[8]; uint64_t T[8]; int i; LPSX (K, h, N); LPSX (T, K, m); LPSX (K, K, C16[0]); for (i = 1; i < 12; i++) { LPSX (T, K, T); LPSX (K, K, C16[i]); } h[0] ^= T[0] ^ K[0] ^ m[0]; h[1] ^= T[1] ^ K[1] ^ m[1]; h[2] ^= T[2] ^ K[2] ^ m[2]; h[3] ^= T[3] ^ K[3] ^ m[3]; h[4] ^= T[4] ^ K[4] ^ m[4]; h[5] ^= T[5] ^ K[5] ^ m[5]; h[6] ^= T[6] ^ K[6] ^ m[6]; h[7] ^= T[7] ^ K[7] ^ m[7]; } static void streebog512_compress (struct streebog512_ctx *ctx, const uint8_t *input, uint64_t count) { uint64_t M[8]; uint64_t cf; int i; for (i = 0; i < 8; i++, input += 8) M[i] = LE_READ_UINT64(input); g (ctx->state, M, ctx->count); ctx->count[0] += count; if (ctx->count[0] < count) { /* overflow */ for (i = 1; i < 8; i++) { ctx->count[i]++; if (ctx->count[i] != 0) break; } } ctx->sigma[0] += M[0]; cf = (ctx->sigma[0] < M[0]); for (i = 1; i < 7; i++) { ctx->sigma[i] += cf; cf = (ctx->sigma[i] < cf); ctx->sigma[i] += M[i]; cf |= (ctx->sigma[i] < M[i]); } ctx->sigma[7] += M[7] + cf; } static void streebog_final (struct streebog512_ctx *ctx) { uint64_t Z[8] = {}; unsigned int i; /* PAD. It does not count towards message length */ i = ctx->index; /* We have at least one byte free) */ ctx->block[i++] = 1; while (i < 64) ctx->block[i++] = 0; streebog512_compress (ctx, ctx->block, ctx->index * 8); g (ctx->state, ctx->count, Z); g (ctx->state, ctx->sigma, Z); } #define COMPRESS(ctx, data) (streebog512_compress((ctx), (data), 64 * 8)) void streebog512_init(struct streebog512_ctx *ctx) { memset(ctx->state, 0, sizeof(ctx->state)); memset(ctx->count, 0, sizeof(ctx->count)); memset(ctx->sigma, 0, sizeof(ctx->sigma)); /* Initialize buffer */ ctx->index = 0; } void streebog512_update(struct streebog512_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, (void)0); } static void streebog512_write_digest(struct streebog512_ctx *ctx, size_t offset, size_t length, uint8_t *digest) { assert(offset + length <= STREEBOG512_DIGEST_SIZE); streebog_final(ctx); _nettle_write_le64(length, digest, ctx->state + offset); } void streebog512_digest(struct streebog512_ctx *ctx, uint8_t *digest) { streebog512_write_digest(ctx, 0, STREEBOG512_DIGEST_SIZE, digest); streebog512_init(ctx); } void streebog256_init(struct streebog256_ctx *ctx) { memset(ctx->state, 1, sizeof(ctx->state)); memset(ctx->count, 0, sizeof(ctx->count)); memset(ctx->sigma, 0, sizeof(ctx->sigma)); /* Initialize buffer */ ctx->index = 0; } void streebog256_digest(struct streebog256_ctx *ctx, uint8_t *digest) { streebog512_write_digest(ctx, 4, STREEBOG256_DIGEST_SIZE, digest); streebog256_init(ctx); } nettle-4.0/streebog.h0000644000000000000000000000507215141166424011571 0ustar00/* streebog.h The Streebog family of hash functions. Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_STREEBOG_H_INCLUDED #define NETTLE_STREEBOG_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define streebog256_init nettle_streebog256_init #define streebog256_digest nettle_streebog256_digest #define streebog512_init nettle_streebog512_init #define streebog512_update nettle_streebog512_update #define streebog512_digest nettle_streebog512_digest /* STREEBOG512 */ #define STREEBOG512_DIGEST_SIZE 64 #define STREEBOG512_BLOCK_SIZE 64 /* Digest is kept internally as 8 64-bit words. */ #define _STREEBOG512_DIGEST_LENGTH 8 struct streebog512_ctx { uint64_t state[_STREEBOG512_DIGEST_LENGTH]; /* State variables */ uint64_t count[_STREEBOG512_DIGEST_LENGTH]; uint64_t sigma[_STREEBOG512_DIGEST_LENGTH]; unsigned int index; /* index into buffer */ uint8_t block[STREEBOG512_BLOCK_SIZE]; /* STREEBOG512 data buffer */ }; void streebog512_init(struct streebog512_ctx *ctx); void streebog512_update(struct streebog512_ctx *ctx, size_t length, const uint8_t *data); void streebog512_digest(struct streebog512_ctx *ctx, uint8_t *digest); #define STREEBOG256_DIGEST_SIZE 32 #define STREEBOG256_BLOCK_SIZE STREEBOG512_BLOCK_SIZE #define streebog256_ctx streebog512_ctx void streebog256_init(struct streebog256_ctx *ctx); #define streebog256_update nettle_streebog512_update void streebog256_digest(struct streebog256_ctx *ctx, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_STREEBOG_H_INCLUDED */ nettle-4.0/testsuite/0000755000000000000000000000000015141166425011634 5ustar00nettle-4.0/testsuite/Makefile.in0000644000000000000000000001407715141166425013712 0ustar00@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. TS_NETTLE_SOURCES = aes-test.c aes-keywrap-test.c arcfour-test.c arctwo-test.c \ balloon-test.c blowfish-test.c bcrypt-test.c cast128-test.c \ base16-test.c base64-test.c \ camellia-test.c chacha-test.c \ cnd-memcpy-test.c \ des-test.c des3-test.c \ md2-test.c md4-test.c md5-test.c \ memeql-test.c memxor-test.c gosthash94-test.c \ ripemd160-test.c hkdf-test.c \ salsa20-test.c \ sha1-test.c sha224-test.c sha256-test.c \ sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \ sha3-permute-test.c sha3-224-test.c sha3-256-test.c \ sha3-384-test.c sha3-512-test.c \ shake128-test.c shake256-test.c \ streebog-test.c sm3-test.c sm4-test.c \ serpent-test.c twofish-test.c version-test.c \ knuth-lfib-test.c \ cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \ cmac-test.c ocb-test.c siv-cmac-test.c siv-gcm-test.c \ poly1305-test.c chacha-poly1305-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c\ meta-aead-test.c meta-mac-test.c \ buffer-test.c yarrow-test.c xts-test.c pbkdf2-test.c \ x86-ibt-test.c drbg-ctr-aes256-test.c \ slh-dsa-test.c TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ bignum-test.c random-prime-test.c \ pkcs1-test.c pkcs1-sec-decrypt-test.c \ pss-test.c rsa-sign-tr-test.c \ pss-mgf1-test.c rsa-pss-sign-tr-test.c \ rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \ rsa-oaep-encrypt-test.c \ rsa-sec-decrypt-test.c \ rsa-compute-root-test.c \ dsa-test.c dsa-keygen-test.c \ curve25519-dh-test.c curve448-dh-test.c \ ecc-mod-arith-test.c ecc-mod-test.c ecc-modinv-test.c \ ecc-redc-test.c ecc-sqrt-test.c \ ecc-dup-test.c ecc-add-test.c \ ecc-mul-g-test.c ecc-mul-a-test.c \ ecdsa-sign-test.c ecdsa-verify-test.c \ ecdsa-keygen-test.c ecdh-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c ed448-test.c \ gostdsa-sign-test.c gostdsa-verify-test.c \ gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx TS_NETTLE = $(TS_NETTLE_SOURCES:.c=$(EXEEXT)) TS_HOGWEED = $(TS_HOGWEED_SOURCES:.c=$(EXEEXT)) TS_C = $(TS_NETTLE) @IF_HOGWEED@ $(TS_HOGWEED) TS_CXX = @IF_CXX@ $(CXX_SOURCES:.cxx=$(EXEEXT)) TARGETS = $(TS_C) $(TS_CXX) TS_SC_HOGWEED = sc-pkcs1-sec-decrypt-test sc-rsa-sec-decrypt-test \ sc-rsa-oaep-encrypt-test \ sc-ecdsa-sign-test sc-curve25519-dh-test sc-curve448-dh-test \ sc-ed25519-test sc-ed448-test TS_SC_NETTLE = sc-cnd-memcpy-test sc-gcm-test sc-memeql-test sc-slh-dsa-test TS_SC = @IF_VALGRIND@ $(TS_SC_NETTLE) @IF_HOGWEED@ $(TS_SC_HOGWEED) TS_SH = symbols-test TS_ALL = $(TARGETS) $(TS_SH) $(TS_SC) @IF_DLOPEN_TEST@ dlopen-test$(EXEEXT) TS_FAT = $(patsubst %, %$(EXEEXT), aes-test cbc-test \ chacha-test salsa20-test memxor-test \ sha1-test sha256-test sha512-test sha3-permute-test sha3-512-test \ umac-test gcm-test siv-gcm-test) EXTRA_SOURCES = sha1-huge-test.c EXTRA_TARGETS = $(EXTRA_SOURCES:.c=$(EXEEXT)) # Includes all C source files, regardless of configuration SOURCES = $(TS_SOURCES) $(EXTRA_SOURCES) testutils.c dlopen-test.c DISTFILES = $(SOURCES) $(CXX_SOURCES) Makefile.in \ $(TS_SH) $(TS_SC_NETTLE) $(TS_SC_HOGWEED) sc-valgrind.sh testutils.h sha3.awk \ gold-bug.txt slh-dsa-shake-128s.ref slh-dsa-shake-128f.ref \ slh-dsa-shake-128f-tc64.msg slh-dsa-shake-128f-tc64.sig \ slh-dsa-shake-128s-tc215.msg slh-dsa-shake-128s-tc215.sig \ slh-dsa-sha2-128s-tc162.msg slh-dsa-sha2-128s-tc162.sig \ slh-dsa-sha2-128f-tc7.msg slh-dsa-sha2-128f-tc7.sig all: $(EXTRA_TARGETS) %.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) %.$(OBJEXT): %.cxx $(COMPILE_CXX) -c $< && $(DEP_PROCESS) # BSD (and Solaris) make doesn't allow extra dependencies together one # single-suffix rules, which makes it impossible or almost impossible # to use suffix rules to build the test executables. So we use an # explicit rule for each and every executable. TEST_OBJS = testutils.$(OBJEXT) ../non-nettle.$(OBJEXT) LIB_HOGWEED = @IF_HOGWEED@ -lhogweed TEST_LIBS = $(LIB_HOGWEED) -lnettle $(LIBS) ../non-nettle.$(OBJEXT): ( cd .. && $(MAKE) non-nettle.$(OBJEXT) ) # Special target, to omit linking with libnettle dlopen-test$(EXEEXT): dlopen-test.$(OBJEXT) testutils.$(OBJEXT) $(LINK) dlopen-test.$(OBJEXT) -ldl -o dlopen-test$(EXEEXT) # Special target, using C++ linking cxx-test$(EXEEXT): cxx-test.$(OBJEXT) $(LINK_CXX) $< $(TEST_OBJS) $(TEST_LIBS) -o $@ %$(EXEEXT): %.$(OBJEXT) $(LINK) $< $(TEST_OBJS) $(TEST_LIBS) -o $@ $(TARGETS) $(EXTRA_TARGETS): testutils.$(OBJEXT) ../non-nettle.$(OBJEXT) \ ../libnettle.stamp @IF_HOGWEED@ ../libhogweed.stamp # For use as, e.g., # # make check EMULATOR='$(VALGRIND)' # make check EMULATOR='$(VALGRIND) --log-fd=3' 3>valgrind.log # --partial-loads-ok=yes is needed for memxor's handling of unaligned # data. VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes check: $(TS_ALL) $(TS_ALL:sc-%=%) TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" \ EMULATOR="$(EMULATOR)" NM="$(NM)" EXEEXT="$(EXEEXT)" \ $(top_srcdir)/run-tests $(TS_ALL) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status testsuite/$@ install uninstall: true distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) $(EXTRA_TARGETS) dlopen-test$(EXEEXT) \ *.$(OBJEXT) *.$(OBJEXT).d test1.out distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h # Includes dependency files for everything, including objects which # the current configuration will not build. DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) $(CXX_SOURCES:.cxx=.$(OBJEXT).d) -include $(DEP_FILES) nettle-4.0/testsuite/aes-keywrap-test.c0000644000000000000000000004005215141166425015206 0ustar00#include "testutils.h" #include "nist-keywrap.h" typedef void nettle_nist_keywrap_func(const void *ctx, const uint8_t * iv, size_t cleartext_length, uint8_t * cleartext, const uint8_t * ciphertext); typedef int nettle_nist_keyunwrap_func(const void *ctx, const uint8_t * iv, size_t cleartext_length, uint8_t * cleartext, const uint8_t * ciphertext); struct nettle_wrap { void *ctx; nettle_set_key_func *set_encrypt_key; nettle_cipher_func *encrypt; nettle_set_key_func *set_decrypt_key; nettle_cipher_func *decrypt; }; struct nettle_specific_wrap { void *ctx; nettle_set_key_func *set_encrypt_key; nettle_nist_keywrap_func *keywrap_func; nettle_set_key_func *set_decrypt_key; nettle_nist_keyunwrap_func *keyunwrap_func; }; static void test_wrap (struct nettle_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *cleartext, const struct tstring *ciphertext) { uint8_t data[40]; w->set_encrypt_key (w->ctx, key->data); nist_keywrap16 (w->ctx, w->encrypt, iv->data, cleartext->length + 8, data, cleartext->data); if (!MEMEQ (ciphertext->length, data, ciphertext->data)) { fprintf (stderr, "test_wrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (ciphertext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (ciphertext); fprintf (stderr, "\n"); FAIL (); } } static void test_unwrap (struct nettle_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext, const struct tstring *cleartext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); nist_keyunwrap16 (w->ctx, w->decrypt, iv->data, cleartext->length, data, ciphertext->data); if (!MEMEQ (cleartext->length, data, cleartext->data)) { fprintf (stderr, "test_unwrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (cleartext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (cleartext); fprintf (stderr, "\n"); FAIL (); } } static void test_unwrap_fail (struct nettle_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); if (nist_keyunwrap16 (w->ctx, w->decrypt, iv->data, ciphertext->length-8, data, ciphertext->data)) { FAIL (); } } static void test_specific_wrap (struct nettle_specific_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *cleartext, const struct tstring *ciphertext) { uint8_t data[40]; w->set_encrypt_key (w->ctx, key->data); w->keywrap_func (w->ctx, iv->data, cleartext->length + 8, data, cleartext->data); if (!MEMEQ (ciphertext->length, data, ciphertext->data)) { fprintf (stderr, "test_specific_wrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (ciphertext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (ciphertext); fprintf (stderr, "\n"); FAIL (); } } static void test_specific_unwrap (struct nettle_specific_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext, const struct tstring *cleartext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); w->keyunwrap_func (w->ctx, iv->data, cleartext->length, data, ciphertext->data); if (!MEMEQ (cleartext->length, data, cleartext->data)) { fprintf (stderr, "test_unwrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (cleartext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (cleartext); fprintf (stderr, "\n"); FAIL (); } } static void test_specific_unwrap_fail (struct nettle_specific_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); if (w->keyunwrap_func (w->ctx, iv->data, ciphertext->length-8, data, ciphertext->data)) { FAIL (); } } void test_main (void) { struct aes128_ctx ctx_128; struct aes192_ctx ctx_192; struct aes256_ctx ctx_256; struct nettle_wrap wrap128, wrap192, wrap256; struct nettle_wrap unwrap128, unwrap192, unwrap256; struct nettle_specific_wrap swrap128, swrap192, swrap256; struct nettle_specific_wrap sunwrap128, sunwrap192, sunwrap256; wrap128.ctx = &ctx_128; wrap128.set_encrypt_key = (nettle_set_key_func *) & aes128_set_encrypt_key; wrap128.encrypt = (nettle_cipher_func *) & aes128_encrypt; unwrap128.ctx = &ctx_128; unwrap128.set_decrypt_key = (nettle_set_key_func *) & aes128_set_decrypt_key; unwrap128.decrypt = (nettle_cipher_func *) & aes128_decrypt; wrap192.ctx = &ctx_192; wrap192.set_encrypt_key = (nettle_set_key_func *) & aes192_set_encrypt_key; wrap192.encrypt = (nettle_cipher_func *) & aes192_encrypt; unwrap192.ctx = &ctx_192; unwrap192.set_decrypt_key = (nettle_set_key_func *) & aes192_set_decrypt_key; unwrap192.decrypt = (nettle_cipher_func *) & aes192_decrypt; wrap256.ctx = &ctx_256; wrap256.set_encrypt_key = (nettle_set_key_func *) & aes256_set_encrypt_key; wrap256.encrypt = (nettle_cipher_func *) & aes256_encrypt; unwrap256.ctx = &ctx_256; unwrap256.set_decrypt_key = (nettle_set_key_func *) & aes256_set_decrypt_key; unwrap256.decrypt = (nettle_cipher_func *) & aes256_decrypt; swrap128.ctx = &ctx_128; swrap128.set_encrypt_key = (nettle_set_key_func *) & aes128_set_encrypt_key; swrap128.keywrap_func = (nettle_nist_keywrap_func *) & aes128_keywrap; swrap192.ctx = &ctx_192; swrap192.set_encrypt_key = (nettle_set_key_func *) & aes192_set_encrypt_key; swrap192.keywrap_func = (nettle_nist_keywrap_func *) & aes192_keywrap; swrap256.ctx = &ctx_256; swrap256.set_encrypt_key = (nettle_set_key_func *) & aes256_set_encrypt_key; swrap256.keywrap_func = (nettle_nist_keywrap_func *) & aes256_keywrap; sunwrap128.ctx = &ctx_128; sunwrap128.set_decrypt_key = (nettle_set_key_func *) & aes128_set_decrypt_key; sunwrap128.keyunwrap_func = (nettle_nist_keyunwrap_func *) & aes128_keyunwrap; sunwrap192.ctx = &ctx_192; sunwrap192.set_decrypt_key = (nettle_set_key_func *) & aes192_set_decrypt_key; sunwrap192.keyunwrap_func = (nettle_nist_keyunwrap_func *) & aes192_keyunwrap; sunwrap256.ctx = &ctx_256; sunwrap256.set_decrypt_key = (nettle_set_key_func *) & aes256_set_decrypt_key; sunwrap256.keyunwrap_func = (nettle_nist_keyunwrap_func *) & aes256_keyunwrap; test_wrap (&wrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_unwrap (&unwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_unwrap_fail (&unwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1EA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_wrap (&wrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D")); test_unwrap (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_unwrap_fail (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5E")); test_wrap (&wrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7")); test_unwrap (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_unwrap_fail (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE6")); test_wrap (&wrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2")); test_unwrap (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_unwrap_fail (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725B93 6BA814915C6762D2")); test_wrap (&wrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1")); test_unwrap (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_unwrap_fail (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E5 769C8B80A32CB895 8CD5D17D6B254DA1")); test_wrap (&wrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21")); test_unwrap (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F")); test_unwrap_fail (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F816 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21")); test_specific_wrap (&swrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_specific_unwrap (&sunwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_specific_unwrap_fail (&sunwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1FA68B0A8112B446 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_specific_wrap (&swrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D")); test_specific_unwrap (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_specific_unwrap_fail (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 478AB8A17AD84E5D")); test_specific_wrap (&swrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7")); test_specific_unwrap (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_specific_unwrap_fail (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8101E7D6E8AE7")); test_specific_wrap (&swrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2")); test_specific_unwrap (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_specific_unwrap_fail (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEF725A93 6BA814915C6762D2")); test_specific_wrap (&swrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1")); test_specific_unwrap (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_specific_unwrap_fail (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68C3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1")); test_specific_wrap (&swrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21")); test_specific_unwrap (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F")); test_specific_unwrap_fail (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED426 CBC7F0E71A99F43B FB988B9B7A02DD21")); } nettle-4.0/testsuite/aes-test.c0000644000000000000000000001367315141166425013537 0ustar00#include "testutils.h" #include "aes.h" #include "nettle-internal.h" typedef void invert_func (void *, void *) ; static void test_invert(const struct nettle_cipher *cipher, invert_func *invert, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { void *encrypt = xalloc(cipher->context_size); void *decrypt = xalloc(cipher->context_size); uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); ASSERT (key->length == cipher->key_size); length = cleartext->length; cipher->set_encrypt_key (encrypt, key->data); cipher->encrypt (encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "test_invert: Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } invert (decrypt, encrypt); cipher->decrypt (decrypt, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "test_invert: Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free (encrypt); free (decrypt); free (data); } void test_main(void) { /* 128 bit keys */ test_cipher(&nettle_aes128, SHEX("0001020305060708 0A0B0C0D0F101112"), SHEX("506812A45F08C889 B97F5980038B8359"), SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); test_cipher(&nettle_aes128, SHEX("14151617191A1B1C 1E1F202123242526"), SHEX("5C6D71CA30DE8B8B 00549984D2EC7D4B"), SHEX("59AB30F4D4EE6E4F F9907EF65B1FB68C")); test_cipher(&nettle_aes128, SHEX("28292A2B2D2E2F30 323334353738393A"), SHEX("53F3F4C64F8616E4 E7C56199F48F21F6"), SHEX("BF1ED2FCB2AF3FD4 1443B56D85025CB1")); test_cipher(&nettle_aes128, SHEX("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2"), SHEX("F5F4F7F684878689 A6A7A0A1D2CDCCCF"), SHEX("CE52AF650D088CA5 59425223F4D32694")); /* 192 bit keys */ test_cipher(&nettle_aes192, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C"), SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); /* 256 bit keys */ test_cipher(&nettle_aes256, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C 1E1F202123242526"), SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); /* This test case has been problematic with the CBC test case */ test_cipher(&nettle_aes256, SHEX("8d ae 93 ff fc 78 c9 44" "2a bd 0c 1e 68 bc a6 c7" "05 c7 84 e3 5a a9 11 8b" "d3 16 aa 54 9b 44 08 9e"), SHEX("a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37"), /* In the cbc test, I once got the bad value * "b2 a0 6c d2 2f df 7d 2c 26 d2 42 88 8f 20 74 a2" */ SHEX("1f 94 fc 85 f2 36 21 06" "4a ea e3 c9 cc 38 01 0e")); /* From draft NIST spec on AES modes. * * F.1 ECB Example Vectors * F.1.1 ECB-AES128-Encrypt */ test_cipher(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3ad77bb40d7a3660a89ecaf32466ef97" "f5d3d58503b9699de785895a96fdbaaf" "43b1cd7f598ece23881b00e3ed030688" "7b0c785e27e8ad3f8223207104725dd4")); /* F.1.3 ECB-AES192-Encrypt */ test_cipher(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5 62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("bd334f1d6e45f25ff712a214571fa5cc" "974104846d0ad3ad7734ecb3ecee4eef" "ef7afd2270e2e60adce0ba2face6444e" "9a4b41ba738d6c72fb16691603c18e0e")); /* F.1.5 ECB-AES256-Encrypt */ test_cipher(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f3eed1bdb5d2a03c064b5a7e3db181f8" "591ccb10d410ed26dc5ba74a31362870" "b6ed21b99ca6f4f9f153e7b1beafed1d" "23304b7a39f9f3ff067d8d8f9e24ecc7")); /* Test aes_invert_key with src != dst */ test_invert(&nettle_aes128, (invert_func *) aes128_invert_key, SHEX("0001020305060708 0A0B0C0D0F101112"), SHEX("506812A45F08C889 B97F5980038B8359"), SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); test_invert(&nettle_aes192, (invert_func *) aes192_invert_key, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C"), SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); test_invert(&nettle_aes256, (invert_func *) aes256_invert_key, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C 1E1F202123242526"), SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); } /* Internal state for the first test case: 0: a7106950 81cf0e5a 8d5574b3 4b929b0c 1: aa1e31c4 c19a8917 12282e4 b23e51eb 2: 14be6dac fede8fdc 8fb98878 a27dfb5c 3: e80a6f32 431515bb 72e8a651 7daf188b 4: c50438c0 d464b2b6 76b875e9 b2b5f574 5: d81ab740 746b4d89 ff033aac 44d5ffa2 6: 52e6bb4a edadc170 24867df4 6e2ad5d5 7: ab1c7365 64d09f00 7718d521 46a3df32 8: f1eaad16 1aefdfb 7ba5724d d8499631 9: 1020300 2030001 3000102 10203 99: 5332f5d8 7def8982 a406b506 c9e95bfd */ nettle-4.0/testsuite/arcfour-test.c0000644000000000000000000001144115141166425014417 0ustar00#include "testutils.h" #include "arcfour.h" static void test_arcfour(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { size_t block; struct arcfour_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; memset(data, 0x17, length + 1); arcfour_set_key(&ctx, key->length, key->data); for (i = 0; i + block < length; i += block) { arcfour_crypt(&ctx, block, data + i, cleartext->data + i); ASSERT (data[i + block] == 0x17); } arcfour_crypt(&ctx, length - i, data + i, cleartext->data + i); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed, block size %lu\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } arcfour_set_key(&ctx, key->length, key->data); arcfour_crypt(&ctx, length, data, data); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { test_arcfour(SHEX("01234567 89ABCDEF 00000000 00000000"), SHEX("01234567 89ABCDEF"), SHEX("69723659 1B5242B1")); /* More data. This ensures that we get some collisions between the S accesses at index i,j and the access at si + sj. I.e. the cases where the ordering of loads and stores matter. */ test_arcfour(SHEX("aaaaaaaa bbbbbbbb cccccccc dddddddd"), SHEX("00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("a2b35dc7 bf95ae1e 1c432d15 f4fb8c1c" "f264e1d0 bd090831 6caa7d17 5401ae67" "3cfbd140 fd3dee42 1012d674 2fb69fa3" "6522631e bb3d4703 535de1ce 4a81ddce" "5780cfe0 b5fc9fae ebe14c96 26451bd9" "992f2204 119cbe37 cbdc453c 7afa08c7" "1380ccf8 48f81e53 a535cdfb 96c64faa" "c3f759d0 fa1ff920 008d95cf 39d52324" "d0aac3f9 749b22e2 6a065145 06fb249d" "ffb8e05e cb0381fe 5346a04a 63dac61c" "10b6683e 3ab427de d4c6bc60 6366545e" "77d0e121 96037717 a745d49e e72a70aa" "a50a612d 879b0580 fd4a89ae 3ee49871" "2cf6c98d a62dfbc7 d7b2d901 2c3aaf27" "42b7e089 ef2466ac 450b440c 138daa1a" "cf9ebef6 f66a7a64 2677b213 06640130" "de6651df 0065180d 4db366ba 9c377712" "53d21cac 82ed72a4 c6c4d81e 4375fea3" "1f935909 95322c83 13c64d8e 829c93a6" "d540a1b3 20f41541 96800888 1a7afc9b" "e39e89fc 3ac78be5 cdbbf774 33c36863" "da2a3b1b d06e54a9 aa4b7edd 70b34941" "b886f7db f36c3def f9fc4c80 7ce55ea5" "98a7257b f68a9e1d caf4bfd6 43bd9853" "c966629d 54e34221 6e140780 d48c69bb" "5e77e886 86f2ebcb 807732d5 d29bc384" "a4ca1c31 c7c1b5b9 85dbfcf1 8d845905" "a0ff487a b4a3f252 a75caebf 857ba48b" "613e3067 92cada3e 0e07f599 2f4794f3" "af01f15a 491732fb 22aa09a3 d2e1e408" "fe94bdb4 993c68b1 1bb79eb1 bb7ec446" "760ef7bf 2caa8713 479760e5 a6e143cd")); } nettle-4.0/testsuite/arctwo-test.c0000644000000000000000000000672415141166425014265 0ustar00/* arctwo-test.c Copyright (C) 2004 Simon Josefsson Copyright (C) 2004 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "arctwo.h" /* For tests with obscure values of ebk. */ static void test_arctwo(unsigned ekb, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct arctwo_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length); arctwo_set_key_ekb(&ctx, key->length, key->data, ekb); arctwo_encrypt(&ctx, length, data, cleartext->data); ASSERT(MEMEQ(length, data, ciphertext->data)); arctwo_decrypt(&ctx, length, data, data); ASSERT(MEMEQ(length, data, cleartext->data)); free(data); } void test_main(void) { /* Test vectors from Peter Gutmann's paper. */ test_cipher(&nettle_arctwo_gutmann128, SHEX("00000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("1c198a83 8df028b7")); test_cipher(&nettle_arctwo_gutmann128, SHEX("00010203 04050607 08090a0b 0c0d0e0f"), SHEX("00000000 00000000"), SHEX("50dc0162 bd757f31")); /* This one was checked against libmcrypt's RFC2268. */ test_cipher(&nettle_arctwo_gutmann128, SHEX("30000000 00000000 00000000 00000000"), SHEX("10000000 00000000"), SHEX("8fd10389 336bf95e")); /* Test vectors from RFC 2268. */ test_cipher(&nettle_arctwo64, SHEX("ffffffff ffffffff"), SHEX("ffffffff ffffffff"), SHEX("278b27e4 2e2f0d49")); test_cipher(&nettle_arctwo64, SHEX("30000000 00000000"), SHEX("10000000 00000001"), SHEX("30649edf 9be7d2c2")); test_cipher(&nettle_arctwo128, SHEX("88bca90e 90875a7f 0f79c384 627bafb2"), SHEX("00000000 00000000"), SHEX("2269552a b0f85ca6")); /* More obscure tests from RFC 2286 */ test_arctwo(63, SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("ebb773f9 93278eff")); test_arctwo(64, SHEX("88"), SHEX("00000000 00000000"), SHEX("61a8a244 adacccf0")); test_arctwo(64, SHEX("88bca90e 90875a"), SHEX("00000000 00000000"), SHEX("6ccf4308 974c267f")); test_arctwo(64, SHEX("88bca90e 90875a7f 0f79c384 627bafb2"), SHEX("00000000 00000000"), SHEX("1a807d27 2bbe5db1")); test_arctwo(129, SHEX("88bca90e 90875a7f 0f79c384 627bafb2" "16f80a6f 85920584 c42fceb0 be255daf 1e"), SHEX("00000000 00000000"), SHEX("5b78d3a4 3dfff1f1")); } nettle-4.0/testsuite/balloon-test.c0000644000000000000000000001213015141166425014400 0ustar00/* balloon-test.c Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "balloon.h" static void test_balloon(const struct nettle_hash *alg, size_t password_len, const char *password, size_t salt_len, const char *salt, unsigned s_cost, unsigned t_cost, const struct tstring *expected) { void *ctx = xalloc(alg->context_size); uint8_t *buf = xalloc(balloon_itch(alg->digest_size, s_cost)); alg->init(ctx); balloon(ctx, alg->update, alg->digest, alg->digest_size, s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); if (!MEMEQ(alg->digest_size, buf, expected->data)) { fprintf(stderr, "test_balloon: result doesn't match the expectation:"); fprintf(stderr, "\nOutput: "); print_hex(alg->digest_size, buf); fprintf(stderr, "\nExpected:"); tstring_print_hex(expected); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(buf); } static void test_balloon_sha(const struct nettle_hash *alg, size_t password_len, const char *password, size_t salt_len, const char *salt, unsigned s_cost, unsigned t_cost, const struct tstring *expected) { uint8_t *buf = xalloc(balloon_itch(alg->digest_size, s_cost)); if (alg == &nettle_sha1) balloon_sha1(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else if (alg == &nettle_sha256) balloon_sha256(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else if (alg == &nettle_sha384) balloon_sha384(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else if (alg == &nettle_sha512) balloon_sha512(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else { fprintf(stderr, "test_balloon_sha: bad test\n"); FAIL(); } if (!MEMEQ(alg->digest_size, buf, expected->data)) { fprintf(stderr, "test_balloon_sha: result doesn't match the expectation:"); fprintf(stderr, "\nOutput: "); print_hex(alg->digest_size, buf); fprintf(stderr, "\nExpected:"); tstring_print_hex(expected); fprintf(stderr, "\n"); FAIL(); } free(buf); } /* Test vectors are taken from: * * */ void test_main(void) { test_balloon(&nettle_sha256, 8, "hunter42", 11, "examplesalt", 1024, 3, SHEX("716043dff777b44aa7b88dcbab12c078abecfac9d289c5b5195967aa63440dfb")); test_balloon(&nettle_sha256, 0, "", 4, "salt", 3, 3, SHEX("5f02f8206f9cd212485c6bdf85527b698956701ad0852106f94b94ee94577378")); test_balloon(&nettle_sha256, 8, "password", 0, "", 3, 3, SHEX("20aa99d7fe3f4df4bd98c655c5480ec98b143107a331fd491deda885c4d6a6cc")); test_balloon(&nettle_sha256, 1, "", 1, "", 3, 3, SHEX("4fc7e302ffa29ae0eac31166cee7a552d1d71135f4e0da66486fb68a749b73a4")); test_balloon(&nettle_sha256, 8, "password", 4, "salt", 1, 1, SHEX("eefda4a8a75b461fa389c1dcfaf3e9dfacbc26f81f22e6f280d15cc18c417545")); test_balloon_sha(&nettle_sha1, 8, "password", 4, "salt", 3, 3, SHEX("99393c091fdd3136f85864099ec49a439dcacc21")); test_balloon_sha(&nettle_sha256, 8, "password", 4, "salt", 3, 3, SHEX("a4df347f5a312e8b2b14c32164f61a81758c807f1bdcda44f4930e2b80ab2154")); test_balloon_sha(&nettle_sha384, 8, "password", 4, "salt", 3, 3, SHEX("78da235f7d0f84aba98b50a432fa6c8f7f3ecb7ea0858cfb316c7e5356aae6c8" "d7e7b3924c54c4ed71a3d0d68cb0ad68")); test_balloon_sha(&nettle_sha512, 8, "password", 4, "salt", 3, 3, SHEX("9baf289dfa42990f4b189d96d4ede0f2610ba71fb644169427829d696f6866d8" "7af41eb68f9e14fd4b1f1a7ce4832f1ed6117c16e8eae753f9e1d054a7c0a7eb")); } nettle-4.0/testsuite/base16-test.c0000644000000000000000000000315215141166425014037 0ustar00#include "testutils.h" #include "base16.h" static void test_base16 (size_t data_length, const uint8_t *data, const char *ascii) { size_t ascii_length = strlen(ascii); char *buffer = xalloc(1 + ascii_length); uint8_t *check = xalloc(1 + BASE16_DECODE_LENGTH (ascii_length)); struct base16_decode_ctx decode; size_t done; ASSERT(ascii_length <= BASE16_ENCODE_LENGTH (data_length)); ASSERT(data_length <= BASE16_DECODE_LENGTH (ascii_length)); memset(buffer, 0x33, 1 + ascii_length); memset(check, 0x55, 1 + data_length); base16_encode_update (buffer, data_length, data); ASSERT (MEMEQ(ascii_length, buffer, ascii)); ASSERT (0x33 == buffer[ascii_length]); base16_decode_init (&decode); done = data_length; ASSERT (base16_decode_update(&decode, &done, check, ascii_length, buffer)); ASSERT (done == data_length); ASSERT (base16_decode_final (&decode)); ASSERT (MEMEQ(data_length, check, data)); ASSERT (0x55 == check[data_length]); free(buffer); free(check); } void test_main(void) { ASSERT(BASE16_ENCODE_LENGTH(0) == 0); ASSERT(BASE16_ENCODE_LENGTH(1) == 2); ASSERT(BASE16_ENCODE_LENGTH(2) == 4); ASSERT(BASE16_DECODE_LENGTH(0) == 0); ASSERT(BASE16_DECODE_LENGTH(1) == 1); ASSERT(BASE16_DECODE_LENGTH(2) == 1); ASSERT(BASE16_DECODE_LENGTH(3) == 2); ASSERT(BASE16_DECODE_LENGTH(4) == 2); test_base16 (LDATA(""), ""); test_base16 (LDATA("H"), "48"); test_base16 (LDATA("He"), "4865"); test_base16 (LDATA("Hel"), "48656c"); test_base16 (LDATA("Hell"), "48656c6c"); test_base16 (LDATA("Hello"), "48656c6c6f"); test_base16 (LDATA("Hello\0"), "48656c6c6f00"); } nettle-4.0/testsuite/base64-test.c0000644000000000000000000001370415141166425014046 0ustar00#include "testutils.h" #include "base64.h" #include "knuth-lfib.h" struct base64_variant { void (*encode_init)(struct base64_encode_ctx *ctx); void (*decode_init)(struct base64_decode_ctx *ctx); }; static const struct base64_variant base64std = { base64_encode_init, base64_decode_init, }; static const struct base64_variant base64url = { base64url_encode_init, base64url_decode_init, }; static void test_base64 (const struct base64_variant *variant, size_t data_length, const uint8_t *data, const char *ascii) { size_t ascii_length = strlen (ascii); char *buffer = xalloc (1 + ascii_length); uint8_t *check = xalloc (1 + BASE64_DECODE_LENGTH (ascii_length)); struct base64_encode_ctx encode; struct base64_decode_ctx decode; size_t done; ASSERT (ascii_length <= (BASE64_ENCODE_LENGTH (data_length) + BASE64_ENCODE_FINAL_LENGTH)); ASSERT (data_length <= BASE64_DECODE_LENGTH (ascii_length)); memset(buffer, 0x33, 1 + ascii_length); memset(check, 0x55, 1 + data_length); variant->encode_init(&encode); done = base64_encode_update (&encode, buffer, data_length, data); done += base64_encode_final (&encode, buffer + done); ASSERT (done == ascii_length); ASSERT (MEMEQ(ascii_length, buffer, ascii)); ASSERT (0x33 == buffer[ascii_length]); variant->decode_init (&decode); done = BASE64_DECODE_LENGTH (ascii_length); ASSERT (base64_decode_update(&decode, &done, check, ascii_length, buffer)); ASSERT (done == data_length); ASSERT (base64_decode_final(&decode)); ASSERT (MEMEQ(data_length, check, data)); ASSERT (0x55 == check[data_length]); free(buffer); free(check); } static void test_fuzz_once(struct base64_encode_ctx *encode, struct base64_decode_ctx *decode, size_t size, const uint8_t *input) { size_t base64_len = BASE64_ENCODE_RAW_LENGTH (size); size_t out_len; char *base64 = xalloc (base64_len + 2); uint8_t *decoded = xalloc (size + 2); *base64++ = 0x12; base64[base64_len] = 0x34; *decoded++ = 0x56; decoded[size] = 0x78; out_len = base64_encode_update(encode, base64, size, input); ASSERT (out_len <= base64_len); out_len += base64_encode_final(encode, base64 + out_len); ASSERT (out_len == base64_len); ASSERT (base64[-1] == 0x12); ASSERT (base64[base64_len] == 0x34); ASSERT(base64_decode_update(decode, &out_len, decoded, base64_len, base64)); ASSERT(base64_decode_final(decode)); ASSERT (out_len == size); ASSERT (decoded[-1] == 0x56); ASSERT (decoded[size] == 0x78); ASSERT(MEMEQ(size, input, decoded)); free (base64 - 1); free (decoded - 1); } static void test_fuzz(void) { /* Fuzz a round-trip through both encoder and decoder */ struct base64_encode_ctx encode; struct base64_decode_ctx decode; unsigned i; size_t length; uint8_t input[1024]; struct knuth_lfib_ctx rand_ctx; knuth_lfib_init(&rand_ctx, 39854); for (i = 0; i < 10000; i++) { length = i % sizeof(input); /* length could be 0, which is fine we need to test that case too */ knuth_lfib_random(&rand_ctx, length, input); base64_encode_init(&encode); base64_decode_init(&decode); test_fuzz_once(&encode, &decode, length, input); base64url_encode_init(&encode); base64url_decode_init(&decode); test_fuzz_once(&encode, &decode, length, input); } } static inline void base64_encode_in_place (size_t length, uint8_t *data) { base64_encode_raw ((char *) data, length, data); } static inline int base64_decode_in_place (struct base64_decode_ctx *ctx, size_t *dst_length, size_t length, uint8_t *data) { *dst_length = length; return base64_decode_update (ctx, dst_length, data, length, (const char *) data); } void test_main(void) { ASSERT(BASE64_ENCODE_LENGTH(0) == 0); /* At most 4 bits */ ASSERT(BASE64_ENCODE_LENGTH(1) == 2); /* At most 12 bits */ ASSERT(BASE64_ENCODE_LENGTH(2) == 3); /* At most 20 bits */ ASSERT(BASE64_ENCODE_LENGTH(3) == 4); /* At most 28 bits */ ASSERT(BASE64_ENCODE_LENGTH(4) == 6); /* At most 36 bits */ ASSERT(BASE64_ENCODE_LENGTH(5) == 7); /* At most 44 bits */ ASSERT(BASE64_ENCODE_LENGTH(12) == 16); /* At most 100 bits */ ASSERT(BASE64_ENCODE_LENGTH(13) == 18); /* At most 108 bits */ ASSERT(BASE64_DECODE_LENGTH(0) == 0); /* At most 6 bits */ ASSERT(BASE64_DECODE_LENGTH(1) == 1); /* At most 12 bits */ ASSERT(BASE64_DECODE_LENGTH(2) == 2); /* At most 18 bits */ ASSERT(BASE64_DECODE_LENGTH(3) == 3); /* At most 24 bits */ ASSERT(BASE64_DECODE_LENGTH(4) == 3); /* At most 30 bits */ test_base64(&base64std, LDATA(""), ""); test_base64(&base64std, LDATA("H"), "SA=="); test_base64(&base64std, LDATA("He"), "SGU="); test_base64(&base64std, LDATA("Hel"), "SGVs"); test_base64(&base64std, LDATA("Hell"), "SGVsbA=="); test_base64(&base64std, LDATA("Hello"), "SGVsbG8="); test_base64(&base64std, LDATA("Hello\0"), "SGVsbG8A"); test_base64(&base64std, LDATA("Hello?>>>"), "SGVsbG8/Pj4+"); test_base64(&base64std, LDATA("\xff\xff\xff\xff"), "/////w=="); test_base64(&base64url, LDATA(""), ""); test_base64(&base64url, LDATA("H"), "SA=="); test_base64(&base64url, LDATA("He"), "SGU="); test_base64(&base64url, LDATA("Hel"), "SGVs"); test_base64(&base64url, LDATA("Hell"), "SGVsbA=="); test_base64(&base64url, LDATA("Hello"), "SGVsbG8="); test_base64(&base64url, LDATA("Hello\0"), "SGVsbG8A"); test_base64(&base64url, LDATA("Hello?>>>"), "SGVsbG8_Pj4-"); test_base64(&base64url, LDATA("\xff\xff\xff\xff"), "_____w=="); { /* Test overlapping areas */ uint8_t buffer[] = "Helloxxxx"; struct base64_decode_ctx ctx; size_t dst_length; ASSERT(BASE64_ENCODE_RAW_LENGTH(5) == 8); base64_encode_in_place(5, buffer); ASSERT(MEMEQ(9, buffer, "SGVsbG8=x")); base64_decode_init(&ctx); dst_length = 0; /* Output parameter only. */ ASSERT(base64_decode_in_place(&ctx, &dst_length, 8, buffer)); ASSERT(dst_length == 5); ASSERT(MEMEQ(9, buffer, "HelloG8=x")); } test_fuzz (); } nettle-4.0/testsuite/bcrypt-test.c0000644000000000000000000000745315141166425014271 0ustar00#include "testutils.h" #include "blowfish.h" static void test_bcrypt(int succeed, const struct tstring *key, const struct tstring *hash) { if (succeed != blowfish_bcrypt_verify(key->length, key->data, hash->length, hash->data)) { fprintf(stderr, "blowfish_bcrypt_verify failed:\nKey:"); tstring_print_hex(key); fprintf(stderr, "\nHash: "); tstring_print_hex(hash); fprintf(stderr, "\n"); FAIL(); } } void test_main(void) { /* Tests for BSD-style bcrypt. From John the Ripper 1.7.9 via Phpass */ test_bcrypt(1, SDATA("U*U"), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW")); test_bcrypt(1, SDATA("U*U*"), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK")); test_bcrypt(1, SDATA("U*U*U"), SDATA("$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a")); test_bcrypt(1, SDATA(""), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy")); test_bcrypt(1, SDATA("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789chars after 72 are ignored"), SDATA("$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui")); test_bcrypt(1, SDATA("\xa3"), SDATA("$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e")); test_bcrypt(1, SDATA("\xa3"), SDATA("$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq")); test_bcrypt(1, SDATA("\xd1\x91"), SDATA("$2x$05$6bNw2HLQYeqHYyBfLMsv/OiwqTymGIGzFsA4hOTWebfehXHNprcAS")); test_bcrypt(1, SDATA("\xd0\xc1\xd2\xcf\xcc\xd8"), SDATA("$2x$05$6bNw2HLQYeqHYyBfLMsv/O9LIGgn8OMzuDoHfof8AQimSGfcSWxnS")); test_bcrypt(1, SDATA("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa""chars after 72 are ignored as usual"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6")); test_bcrypt(1, SDATA("\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy")); test_bcrypt(1, SDATA(""), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy")); test_bcrypt(1, SDATA("\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe")); /* From Openwall's crypt v1.2 via Phpass */ test_bcrypt(0, SDATA(""), SDATA("$2a$03$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2a$32$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2z$05$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2`$05$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2{$05$CCCCCCCCCCCCCCCCCCCCC.")); /* Stephen's personal tests */ test_bcrypt(1, SDATA("yawinpassword"), SDATA("$2a$04$MzVXtd4o0y4DOlyHMMLMDeE4/eezrsT5Xad.2lmGr/NkCpwBgvn3e")); test_bcrypt(0, SDATA("xawinpassword"), SDATA("$2a$04$MzVXtd4o0y4DOlyHMMLMDeE4/eezrsT5Xad.2lmGr/NkCpwBgvn3e")); test_bcrypt(1, SDATA("Bootq9sH5"), SDATA("$2y$10$1b2lPgo4XumibnJGN3r3sOsXFfVVYlebFjlw47qpaslC4KIwu9dAK")); test_bcrypt(0, SDATA("Bootq9sH6"), SDATA("$2y$10$1b2lPgo4XumibnJGN3r3sOsXFfVVYlebFjlw47qpaslC4KIwu9dAK")); test_bcrypt(0, SDATA("1234"), SDATA("$2y$")); } nettle-4.0/testsuite/bignum-test.c0000644000000000000000000000403515141166425014240 0ustar00#include "testutils.h" #if HAVE_CONFIG_H #include "config.h" #endif #include #include #if WITH_HOGWEED #include "bignum.h" static void test_bignum(const char *hex, const struct tstring *base256) { mpz_t a; mpz_t b; uint8_t *buf; mpz_init_set_str(a, hex, 16); nettle_mpz_init_set_str_256_s(b, base256->length, base256->data); ASSERT(mpz_cmp(a, b) == 0); buf = xalloc(base256->length + 1); memset(buf, 17, base256->length + 1); nettle_mpz_get_str_256(base256->length, buf, a); ASSERT(MEMEQ(base256->length, buf, base256->data)); ASSERT(buf[base256->length] == 17); mpz_clear(a); mpz_clear(b); free(buf); } static void test_size(long x, unsigned size) { mpz_t t; mpz_init_set_si(t, x); ASSERT(nettle_mpz_sizeinbase_256_s(t) == size); mpz_clear(t); } #endif /* WITH_HOGWEED */ void test_main(void) { #if WITH_HOGWEED test_size(0, 1); test_size(1, 1); test_size(0x7f, 1); test_size(0x80, 2); test_size(0x81, 2); test_size(0xff, 2); test_size(0x100, 2); test_size(0x101, 2); test_size(0x1111, 2); test_size(0x7fff, 2); test_size(0x8000, 3); test_size(0x8001, 3); test_size(- 1, 1); /* ff */ test_size(- 0x7f, 1); /* 81 */ test_size(- 0x80, 1); /* 80 */ test_size(- 0x81, 2); /* ff7f */ test_size(- 0xff, 2); /* ff01 */ test_size(- 0x100, 2); /* ff00 */ test_size(- 0x101, 2); /* feff */ test_size(- 0x1111, 2); /* eeef */ test_size(- 0x7fff, 2); /* 8001 */ test_size(- 0x8000, 2); /* 8000 */ test_size(- 0x8001, 3); /* ff7fff */ test_bignum("0", SHEX("00")); test_bignum("010203040506", SHEX("010203040506")); test_bignum("80010203040506", SHEX("0080010203040506")); test_bignum( "-1", SHEX( "ff")); test_bignum( "-7f", SHEX( "81")); test_bignum( "-80", SHEX( "80")); test_bignum( "-81", SHEX( "ff7f")); test_bignum("-7fff", SHEX( "8001")); test_bignum("-8000", SHEX( "8000")); test_bignum("-8001", SHEX("ff7fff")); #else /* !WITH_HOGWEED */ SKIP(); #endif /* !WITH_HOGWEED */ } nettle-4.0/testsuite/blowfish-test.c0000644000000000000000000000263615141166425014601 0ustar00#include "testutils.h" #include "nettle-internal.h" #include "blowfish.h" static void test_blowfish(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct blowfish_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; blowfish_set_key(&ctx, key->length, key->data); blowfish_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } blowfish_set_key(&ctx, key->length, key->data); blowfish_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* 208 bit key. Test from GNUPG. */ test_blowfish(SDATA("abcdefghijklmnopqrstuvwxyz"), SDATA("BLOWFISH"), SHEX("32 4E D0 FE F4 13 A2 03")); } nettle-4.0/testsuite/buffer-test.c0000644000000000000000000000114715141166425014231 0ustar00#include "testutils.h" #include "buffer.h" void test_main(void) { struct nettle_buffer buffer; uint8_t s[5]; nettle_buffer_init(&buffer); ASSERT(nettle_buffer_write(&buffer, LDATA("foo"))); ASSERT(NETTLE_BUFFER_PUTC(&buffer, 'x')); ASSERT(buffer.size == 4); ASSERT(buffer.alloc >= 4); ASSERT(MEMEQ(4, buffer.contents, "foox")); nettle_buffer_clear(&buffer); nettle_buffer_init_size(&buffer, sizeof(s), s); ASSERT(buffer.alloc == sizeof(s)); ASSERT(nettle_buffer_write(&buffer, LDATA("foo"))); ASSERT(buffer.size == 3); ASSERT(!nettle_buffer_write(&buffer, LDATA("bar"))); } nettle-4.0/testsuite/camellia-test.c0000644000000000000000000000662115141166425014531 0ustar00#include "testutils.h" #include "camellia.h" static void test_invert(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length); if (key->length == 16) { struct camellia128_ctx encrypt; struct camellia128_ctx decrypt; camellia128_set_encrypt_key (&encrypt, key->data); camellia128_crypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fail_encrypt: tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } camellia128_invert_key (&decrypt, &encrypt); camellia128_crypt (&decrypt, length, data, data); } else { struct camellia256_ctx encrypt; struct camellia256_ctx decrypt; if (key->length == 24) camellia192_set_encrypt_key (&encrypt, key->data); else if (key->length == 32) camellia256_set_encrypt_key (&encrypt, key->data); else abort (); camellia256_crypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) goto fail_encrypt; camellia256_invert_key (&decrypt, &encrypt); camellia256_crypt (&decrypt, length, data, data); } if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "test_invert: Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free (data); } void test_main(void) { /* Test vectors from RFC 3713 */ /* 128 bit keys */ test_cipher(&nettle_camellia128, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43")); /* 192 bit keys */ test_cipher(&nettle_camellia192, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9")); /* 256 bit keys */ test_cipher(&nettle_camellia256, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09")); /* Test camellia_invert_key with src != dst */ test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43")); test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9")); test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09")); } nettle-4.0/testsuite/cast128-test.c0000644000000000000000000000344015141166425014143 0ustar00#include "testutils.h" #include "cast128.h" static void test_cast5(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct cast128_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; cast5_set_key(&ctx, key->length, key->data); cast128_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cast5_set_key(&ctx, key->length, key->data); cast128_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* Test vectors from B.1. Single Plaintext-Key-Ciphertext Sets, RFC * 2144 */ /* 128 bit key */ test_cipher(&nettle_cast128, SHEX("01 23 45 67 12 34 56 78" "23 45 67 89 34 56 78 9A"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("23 8B 4F E5 84 7E 44 B2")); /* 80 bit key */ test_cast5(SHEX("01 23 45 67 12 34 56 78 23 45"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("EB 6A 71 1A 2C 02 27 1B")); /* 40 bit key */ test_cast5(SHEX("01 23 45 67 12"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("7A C8 16 D1 6E 9B 30 2E")); } nettle-4.0/testsuite/cbc-test.c0000644000000000000000000002730615141166425013514 0ustar00#include "testutils.h" #include "aes.h" #include "cbc.h" #include "knuth-lfib.h" #include "non-nettle.h" /* Test with more data and inplace decryption, to check that the * cbc_decrypt buffering works. */ #define CBC_BULK_DATA 0x2710 /* 10000 */ static void test_cbc_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CBC_BULK_DATA]; uint8_t cipher[CBC_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("c7a42a569b421224 d0c23e52f46f97f5"); struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CBC_BULK_DATA); knuth_lfib_random(&random, CBC_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CBC_BULK_DATA] = 17; aes256_set_encrypt_key(&aes.ctx, key); CBC_SET_IV(&aes, start_iv); CBC_ENCRYPT(&aes, aes256_encrypt, CBC_BULK_DATA, cipher, clear); ASSERT(cipher[CBC_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes256_set_decrypt_key(&aes.ctx, key); CBC_SET_IV(&aes, start_iv); CBC_DECRYPT(&aes, aes256_decrypt, CBC_BULK_DATA, cipher, cipher); ASSERT(cipher[CBC_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CBC_BULK_DATA, clear, cipher)); } void test_main(void) { /* Intermediate values: * iv XOR first message block: * "a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37" * First ciphertext block, c1: * "1f 94 fc 85 f2 36 21 06 4a ea e3 c9 cc 38 01 0e" * c1 XOR second message block: * "3f e0 94 ec 81 16 4e 68 26 93 c3 a6 a2 5b 64 2f" * Second ciphertext block, c1: * "7b f6 5f c5 02 59 2e 71 af bf 34 87 c0 36 2a 16" */ test_cipher_cbc(&nettle_aes256, SHEX("8d ae 93 ff fc 78 c9 44" "2a bd 0c 1e 68 bc a6 c7" "05 c7 84 e3 5a a9 11 8b" "d3 16 aa 54 9b 44 08 9e"), SDATA("Listen, I'll say this only once!"), SHEX("1f 94 fc 85 f2 36 21 06" "4a ea e3 c9 cc 38 01 0e" "7b f6 5f c5 02 59 2e 71" "af bf 34 87 c0 36 2a 16"), SHEX("e9 a7 26 a0 44 7b 8d e6 03 83 60 de ea d5 b0 4e")); /* From NIST spec 800-38a on AES modes. * * F.2 CBC Example Vectors * F.2.1 CBC-AES128.Encrypt */ /* Intermediate values, blocks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * d86421fb9f1a1eda505ee1375746972c * 604ed7ddf32efdff7020d0238b7c2a5d * 8521f2fd3c8eef2cdc3da7e5c44ea206 */ test_cipher_cbc(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("7649abac8119b246cee98e9b12e9197d" "5086cb9b507219ee95db113a917678b2" "73bed6b8e3c1743b7116e69e22229516" "3ff1caa1681fac09120eca307586e1a7"), SHEX("000102030405060708090a0b0c0d0e0f")); test_aead(&nettle_cbc_aes128, NULL, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), NULL, SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("7649abac8119b246cee98e9b12e9197d" "5086cb9b507219ee95db113a917678b2" "73bed6b8e3c1743b7116e69e22229516" "3ff1caa1681fac09120eca307586e1a7"), SHEX("000102030405060708090a0b0c0d0e0f"), NULL); /* F.2.3 CBC-AES192.Encrypt */ /* Intermediate values, blcoks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * e12f97e55dbfcfa1efcf7796da0fffb9 * 8411b1ef0e2109e5001cf96f256346b5 * a1840065cdb4e1f7d282fbd7db9d35f0 */ test_cipher_cbc(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("4f021db243bc633d7178183a9fa071e8" "b4d9ada9ad7dedf4e5e738763f69145a" "571b242012fb7ae07fa9baac3df102e0" "08b0e27988598881d920a9e64f5615cd"), SHEX("000102030405060708090a0b0c0d0e0f")); test_aead(&nettle_cbc_aes192, NULL, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), NULL, SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("4f021db243bc633d7178183a9fa071e8" "b4d9ada9ad7dedf4e5e738763f69145a" "571b242012fb7ae07fa9baac3df102e0" "08b0e27988598881d920a9e64f5615cd"), SHEX("000102030405060708090a0b0c0d0e0f"), NULL); /* F.2.5 CBC-AES256.Encrypt */ /* Intermediate values, blcoks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * 5ba1c653c8e65d26e929c4571ad47587 * ac3452d0dd87649c8264b662dc7a7e92 * cf6d172c769621d8081ba318e24f2371 */ test_cipher_cbc(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f58c4c04d6e5f1ba779eabfb5f7bfbd6" "9cfc4e967edb808d679f777bc6702c7d" "39f23369a9d9bacfa530e26304231461" "b2eb05e2c39be9fcda6c19078c6a9d1b"), SHEX("000102030405060708090a0b0c0d0e0f")); test_aead(&nettle_cbc_aes256, NULL, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), NULL, SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f58c4c04d6e5f1ba779eabfb5f7bfbd6" "9cfc4e967edb808d679f777bc6702c7d" "39f23369a9d9bacfa530e26304231461" "b2eb05e2c39be9fcda6c19078c6a9d1b"), SHEX("000102030405060708090a0b0c0d0e0f"), NULL); test_cbc_bulk(); } /* IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block 7649abac8119b246cee98e9b12e9197d Ciphertext 7649abac8119b246cee98e9b12e9197d Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block d86421fb9f1a1eda505ee1375746972c Output Block 5086cb9b507219ee95db113a917678b2 Ciphertext 5086cb9b507219ee95db113a917678b2 Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block 604ed7ddf32efdff7020d0238b7c2a5d Output Block 73bed6b8e3c1743b7116e69e22229516 Ciphertext 73bed6b8e3c1743b7116e69e22229516 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block 8521f2fd3c8eef2cdc3da7e5c44ea206 Output Block 3ff1caa1681fac09120eca307586e1a7 Ciphertext 3ff1caa1681fac09120eca307586e1a7 F.2.2 CBC-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext 7649abac8119b246cee98e9b12e9197d Input Block 7649abac8119b246cee98e9b12e9197d Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext 5086cb9b507219ee95db113a917678b2 Input Block 5086cb9b507219ee95db113a917678b2 Output Block d86421fb9f1a1eda505ee1375746972c Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 73bed6b8e3c1743b7116e69e22229516 Input Block 73bed6b8e3c1743b7116e69e22229516 Output Block 604ed7ddf32efdff7020d0238b7c2a5d Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext 3ff1caa1681fac09120eca307586e1a7 Input Block 3ff1caa1681fac09120eca307586e1a7 Output Block 8521f2fd3c8eef2cdc3da7e5c44ea206 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.2.3 CBC-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block 4f021db243bc633d7178183a9fa071e8 Ciphertext 4f021db243bc633d7178183a9fa071e8 Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block e12f97e55dbfcfa1efcf7796da0fffb9 Output Block b4d9ada9ad7dedf4e5e738763f69145a Ciphertext b4d9ada9ad7dedf4e5e738763f69145a Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block 8411b1ef0e2109e5001cf96f256346b5 Output Block 571b242012fb7ae07fa9baac3df102e0 Ciphertext 571b242012fb7ae07fa9baac3df102e0 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block a1840065cdb4e1f7d282fbd7db9d35f0 Output Block 08b0e27988598881d920a9e64f5615cd Ciphertext 08b0e27988598881d920a9e64f5615cd F.2.4 CBC-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext 4f021db243bc633d7178183a9fa071e8 Input Block 4f021db243bc633d7178183a9fa071e8 Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext b4d9ada9ad7dedf4e5e738763f69145a Input Block b4d9ada9ad7dedf4e5e738763f69145a Output Block e12f97e55dbfcfa1efcf7796da0fffb9 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 571b242012fb7ae07fa9baac3df102e0 Input Block 571b242012fb7ae07fa9baac3df102e0 Output Block 8411b1ef0e2109e5001cf96f256346b5 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext 08b0e27988598881d920a9e64f5615cd Input Block 08b0e27988598881d920a9e64f5615cd Output Block a1840065cdb4e1f7d282fbd7db9d35f0 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.2.5 CBC-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block f58c4c04d6e5f1ba779eabfb5f7bfbd6 Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6 Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block 5ba1c653c8e65d26e929c4571ad47587 Output Block 9cfc4e967edb808d679f777bc6702c7d Ciphertext 9cfc4e967edb808d679f777bc6702c7d Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block ac3452d0dd87649c8264b662dc7a7e92 Output Block 39f23369a9d9bacfa530e26304231461 Ciphertext 39f23369a9d9bacfa530e26304231461 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block cf6d172c769621d8081ba318e24f2371 Output Block b2eb05e2c39be9fcda6c19078c6a9d1b Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b F.2.6 CBC-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6 Input Block f58c4c04d6e5f1ba779eabfb5f7bfbd6 Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext 9cfc4e967edb808d679f777bc6702c7d Input Block 9cfc4e967edb808d679f777bc6702c7d Output Block 5ba1c653c8e65d26e929c4571ad47587 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 39f23369a9d9bacfa530e26304231461 Input Block 39f23369a9d9bacfa530e26304231461 Output Block ac3452d0dd87649c8264b662dc7a7e92 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b Input Block b2eb05e2c39be9fcda6c19078c6a9d1b Output Block cf6d172c769621d8081ba318e24f2371 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-4.0/testsuite/ccm-test.c0000644000000000000000000006677615141166425013545 0ustar00/* ccm-test.c Self-test and vectors for CCM mode ciphers using AES-128 and AES-256. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* The * test vectors have been collected from the following standards: * NIST SP800-38C * RFC 3610 * IEEE 802.15.4-2011 * IEEE P1619.1/D22 July 2007 (draft version) */ #include "testutils.h" #include "aes.h" #include "ccm.h" #include "knuth-lfib.h" static void test_compare_results(const char *name, const struct tstring *adata, /* Expected results. */ const struct tstring *e_clear, const struct tstring *e_cipher, /* Actual results. */ const void *clear, const void *cipher, const void *digest) /* digest optional. */ { int tlength = (e_cipher->length - e_clear->length); if (digest && tlength && !MEMEQ(tlength, e_cipher->data + e_clear->length, digest)) { fprintf(stderr, "%s digest failed:\nAdata:", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_clear); fprintf(stderr, "\nOutput: "); print_hex(tlength, digest); fprintf(stderr, "\nExpected:"); print_hex(tlength, e_cipher->data + e_clear->length); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(e_cipher->length, e_cipher->data, cipher)) { fprintf(stderr, "%s: encryption failed\nAdata: ", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_clear); fprintf(stderr, "\nOutput: "); print_hex(e_cipher->length, cipher); fprintf(stderr, "\nExpected:"); tstring_print_hex(e_cipher); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(e_clear->length, e_clear->data, clear)) { fprintf(stderr, "%s decrypt failed:\nAdata:", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_cipher); fprintf(stderr, "\nOutput: "); print_hex(e_clear->length, clear); fprintf(stderr, "\nExpected:"); tstring_print_hex(e_clear); fprintf(stderr, "\n"); FAIL(); } } /* test_compare_results */ static void test_cipher_ccm(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *nonce, const struct tstring *authdata, int repeat, const struct tstring *cleartext, const struct tstring *ciphertext) { void *ctx = xalloc(cipher->context_size); uint8_t *en_data; uint8_t *de_data; uint8_t *en_digest; uint8_t de_digest[CCM_BLOCK_SIZE]; size_t tlength; struct ccm_ctx ccm; int i; ASSERT (key->length == cipher->key_size); ASSERT (cleartext->length <= ciphertext->length); ASSERT ((cleartext->length + CCM_BLOCK_SIZE) >= ciphertext->length); tlength = ciphertext->length - cleartext->length; de_data = xalloc(cleartext->length); en_data = xalloc(ciphertext->length); en_digest = en_data + cleartext->length; cipher->set_encrypt_key(ctx, key->data); /* Encrypt using the incremental API. */ ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); } ccm_encrypt(&ccm, ctx, cipher->encrypt, cleartext->length, en_data, cleartext->data); ccm_digest(&ccm, ctx, cipher->encrypt, en_digest); /* Decrypt using the incremental API. */ ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); } ccm_decrypt(&ccm, ctx, cipher->encrypt, cleartext->length, de_data, ciphertext->data); ccm_digest(&ccm, ctx, cipher->encrypt, de_digest); /* Compare results using the generic API. */ test_compare_results("CCM", authdata, cleartext, ciphertext, de_data, en_data, de_digest); /* Ensure we get the same answers using the all-in-one API. */ if (repeat <= 1) { memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); ccm_encrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, ciphertext->length, en_data, cleartext->data); if (!ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, ciphertext->data)) { fprintf(stderr, "ccm_decrypt_message failed to validate message\n"); FAIL(); } test_compare_results("CCM_MSG", authdata, cleartext, ciphertext, de_data, en_data, NULL); /* Ensure that we can detect corrupted message or tag data. */ if (tlength) { en_data[0] ^= 1; if (ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, en_data)) { fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); FAIL(); } } /* Ensure we can detect corrupted adata. */ if (tlength && authdata->length) { if (ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length-1, authdata->data, tlength, cleartext->length, de_data, ciphertext->data)) { fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); FAIL(); } } } /* Ensure we get the same answers using the per-cipher API. */ if (cipher == &nettle_aes128) { struct ccm_aes128_ctx aes; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); /* AES-128 encrypt. */ ccm_aes128_set_key(&aes, key->data); ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes128_update(&aes, authdata->length, authdata->data); } ccm_aes128_encrypt(&aes, cleartext->length, en_data, cleartext->data); ccm_aes128_digest(&aes, en_digest); /* AES-128 decrypt. */ ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes128_update(&aes, authdata->length, authdata->data); } ccm_aes128_decrypt(&aes, cleartext->length, de_data, ciphertext->data); ccm_aes128_digest(&aes, de_digest); test_compare_results("CCM_AES_128", authdata, cleartext, ciphertext, de_data, en_data, de_digest); if (repeat <= 1) { memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); ccm_aes128_encrypt_message (ctx, nonce->length, nonce->data, authdata->length, authdata->data, tlength, ciphertext->length, en_data, cleartext->data); if (!ccm_aes128_decrypt_message(ctx, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, ciphertext->data)) { fprintf(stderr, "ccm_aes128_decrypt_message failed to validate message\n"); FAIL(); } test_compare_results("CCM_AES_128_MSG", authdata, cleartext, ciphertext, de_data, en_data, NULL); } } /* TODO: I couldn't find any test cases for CCM-AES-192 */ if (cipher == &nettle_aes256) { struct ccm_aes256_ctx aes; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); /* AES-256 encrypt. */ ccm_aes256_set_key(&aes, key->data); ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes256_update(&aes, authdata->length, authdata->data); } ccm_aes256_encrypt(&aes, cleartext->length, en_data, cleartext->data); ccm_aes256_digest(&aes, en_digest); /* AES-256 decrypt. */ ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes256_update(&aes, authdata->length, authdata->data); } ccm_aes256_decrypt(&aes, cleartext->length, de_data, ciphertext->data); ccm_aes256_digest(&aes, de_digest); test_compare_results("CCM_AES_256", authdata, cleartext, ciphertext, de_data, en_data, de_digest); if (repeat <= 1) { memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); ccm_aes256_encrypt_message (ctx, nonce->length, nonce->data, authdata->length, authdata->data, tlength, ciphertext->length, en_data, cleartext->data); if (!ccm_aes256_decrypt_message(ctx, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, ciphertext->data)) { fprintf(stderr, "ccm_aes256_decrypt_message failed to validate message\n"); FAIL(); } test_compare_results("CCM_AES_256_MSG", authdata, cleartext, ciphertext, de_data, en_data, NULL); } } free(ctx); free(en_data); free(de_data); } void test_main(void) { /* Create a pattern of 00010203 04050607 08090a00b 0c0d0e0f ... */ struct tstring *adata; unsigned int i; adata = tstring_alloc(256); for (i=0; ilength; i++) adata->data[i] = (i & 0xff); /* From NIST spec 800-38C on AES modes. * * Appendix C: Example Vectors */ /* * C.1 Example 1 * Klen = 128, Tlen = 32, Nlen = 56, Alen = 64, Plen = 32 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("10111213141516"), SHEX("0001020304050607"), 1, SHEX("20212223"), SHEX("7162015b" "4dac255d")); /* * C.2 Example 2 * Klen = 128, Tlen = 48, Nlen = 64, Alen = 128, Plen = 128 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("1011121314151617"), SHEX("000102030405060708090a0b0c0d0e0f"), 1, SHEX("202122232425262728292a2b2c2d2e2f"), SHEX("d2a1f0e051ea5f62081a7792073d593d" "1fc64fbfaccd")); /* * C.3 Example 3 * Klen = 128, Tlen = 64, Nlen = 96, Alen = 160, Plen = 192 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("101112131415161718191a1b"), SHEX("000102030405060708090a0b0c0d0e0f" "10111213"), 1, SHEX("202122232425262728292a2b2c2d2e2f" "3031323334353637"), SHEX("e3b201a9f5b71a7a9b1ceaeccd97e70b" "6176aad9a4428aa5 484392fbc1b09951")); /* * C.4 Example 4 * Klen = 128, Tlen = 112, Nlen = 104, Alen = 524288, Plen = 256 * A = 00010203 04050607 08090a0b 0c0d0e0f * 10111213 ... */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("101112131415161718191a1b1c"), adata, 256, SHEX("202122232425262728292a2b2c2d2e2f" "303132333435363738393a3b3c3d3e3f"), SHEX("69915dad1e84c6376a68c2967e4dab61" "5ae0fd1faec44cc484828529463ccf72" "b4ac6bec93e8598e7f0dadbcea5b")); /* From RFC 3610 * * Section 8: Test Vectors * Packet Vector #1 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("58 8C 97 9A 61 C6 63 D2 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84" "17 E8 D1 2C FD F9 26 E0")); /* * Packet Vector #2 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("72 C9 1A 36 E1 35 F8 CF 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B" "A0 91 D5 6E 10 40 09 16")); /* * Packet Vector #3 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("51 B1 E5 F4 4A 19 7D 1D A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 57" "4A DA A7 6F BD 9F B0 C5")); /* * Packet Vector #4 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("A2 8C 68 65 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C" "96 C8 61 B9 C9 E6 1E F1")); /* * Packet Vector #5 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("DC F1 FB 7B 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E" "51 E8 3F 07 7D 9C 2D 93")); /* * Packet Vector #6 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("6F C1 B0 11 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 87" "40 5A 04 43 AC 91 CB 94")); /* * Packet Vector #7 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("01 35 D1 B2 C9 5F 41 D5 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C" "04 8C 56 60 2C 97 AC BB 74 90")); /* * Packet Vector #8 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("7B 75 39 9A C0 83 1D D2 F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24" "C1 7B 44 33 F4 34 96 3F 34 B4")); /* * Packet Vector #9 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("82 53 1A 60 CC 24 94 5A 4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1 97" "EA 9C 07 E5 6B 5E B1 7E 5F 4E")); /* * Packet Vector #10 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("07 34 25 94 15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B" "56 6A A9 40 6B 4D 99 99 88 DD")); /* * Packet Vector #11 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("67 6B B2 03 80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34" "F5 3A A2 E9 10 7A 8B 6C 02 2C")); /* * Packet Vector #12 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("C0 FF A0 D6 F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E 43" "CD 1A A3 16 62 E7 AD 65 D6 DB")); /* * Packet Vector #13 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA"), SHEX("0B E1 A8 8B AC E0 18 B1"), 1, SHEX("08 E8 CF 97 D8 20 EA 25 84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C"), SHEX("4C B9 7F 86 A2 A4 68 9A 87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8" "E7 8C F7 CB 0C DD D7 B3")); /* * Packet Vector #14 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 33 56 8E F7 B2 63 3C 96 96 76 6C FA"), SHEX("63 01 8F 76 DC 8A 1B CB"), 1, SHEX("90 20 EA 6F 91 BD D8 5A FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC"), SHEX("4C CB 1E 7C A9 81 BE FA A0 72 6C 55 D3 78 06 12 98 C8 5C 92 81 4A BC 33" "C5 2E E8 1D 7D 77 C0 8A")); /* * Packet Vector #15 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 10 3F E4 13 36 71 3C 96 96 76 6C FA"), SHEX("AA 6C FA 36 CA E8 6B 40"), 1, SHEX("B9 16 E0 EA CC 1C 00 D7 DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13 2E"), SHEX("B1 D2 3A 22 20 DD C0 AC 90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97 08" "A7 76 79 6E DB 72 35 06")); /* * Packet Vector #16 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA"), SHEX("D0 D0 73 5C 53 1E 1B EC F0 49 C2 44"), 1, SHEX("12 DA AC 56 30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C"), SHEX("14 D2 53 C3 96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26" "9A 6F 49 97 5B CA DE AF")); /* * Packet Vector #17 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA"), SHEX("77 B6 0F 01 1C 03 E1 52 58 99 BC AE"), 1, SHEX("E8 8B 6A 46 C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D"), SHEX("55 45 FF 1A 08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F" "76 2C 0C 77 44 FE 7E 3C")); /* * Packet Vector #18 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA"), SHEX("CD 90 44 D2 B7 1F DB 81 20 EA 60 C0"), 1, SHEX("64 35 AC BA FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8 7F"), SHEX("00 97 69 EC AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04 C8" "47 09 9E 5A E0 70 45 51")); /* * Packet Vector #19 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA"), SHEX("D8 5B C7 E6 9F 94 4F B8"), 1, SHEX("8A 19 B9 50 BC F7 1A 01 8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18"), SHEX("BC 21 8D AA 94 74 27 B6 DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A" "63 7C F9 BE C2 40 88 97 C6 BA")); /* * Packet Vector #20 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA"), SHEX("74 A0 EB C9 06 9F 5B 37"), 1, SHEX("17 61 43 3C 37 C5 A3 5F C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37"), SHEX("58 10 E6 FD 25 87 40 22 E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6" "F0 A4 77 CC 2F C9 BF 54 89 44")); /* * Packet Vector #21 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA"), SHEX("44 A3 AA 3A AE 64 75 CA"), 1, SHEX("A4 34 A8 E5 85 00 C6 E4 15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B FA"), SHEX("F2 BE ED 7B C5 09 8E 83 FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1 54" "4D 41 51 A4 ED 3A 8B 87 B9 CE")); /* * Packet Vector #22 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA"), SHEX("EC 46 BB 63 B0 25 20 C3 3C 49 FD 70"), 1, SHEX("B9 6B 49 E2 1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2"), SHEX("31 D7 50 A0 9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF" "7D 22 C8 08 8C 66 6B E5 C1 97")); /* * Packet Vector #23 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA"), SHEX("47 A6 5A C7 8B 3D 59 42 27 E8 5E 71"), 1, SHEX("E2 FC FB B8 80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76"), SHEX("E8 82 F1 DB D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC" "DF 7E 00 DC CE C7 AE 52 98 7D")); /* * Packet Vector #24 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA"), SHEX("6E 37 A6 EF 54 6D 95 5D 34 AB 60 59"), 1, SHEX("AB F2 1C 0B 02 FE B8 8F 85 6D F4 A3 73 81 BC E3 CC 12 85 17 D4"), SHEX("F3 29 05 B8 8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A B1" "6D CE 9E 82 EF A1 6D A6 20 59")); /* From IEEE 802.15.4-2011 * * Annex C: Test vectors for cryptographic building blocks * C.2.1 MAC beacon frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 02"), SHEX("08 D0 84 21 43 01 00 00 00 00 48 DE AC 02 05 00 00 00 55 CF 00 00 51 52 53 54"), 1, SHEX(""), SHEX("22 3B C1 EC 84 1A B5 53")); /* * C.2.3 MAC command frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 06"), SHEX("2B DC 84 21 43 02 00 0000 00 48 DE AC FF FF 01 00 00 00 00 48 DE AC 06 05 00 00 00 01"), 1, SHEX("CE"), SHEX("D8 4F DE 52 90 61 F9 C6 F1")); /* From IEEE P1619.1/D22 July 2007 (draft version) * * Annex D: Test Vectors * D.2.1 CCM-128-AES-256 test vector 1 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX(""), 0, SHEX("00000000000000000000000000000000"), SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" "4b0a3e5e51f151eb0ffae7c43d010fdb")); /* * D.2.2 CCM-128-AES-256 test vector 2 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX("00000000000000000000000000000000"), 1, SHEX(""), SHEX("904704e89fb216443cb9d584911fc3c2")); /* * D.2.3 CCM-128-AES-256 test vector 3 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX("00000000000000000000000000000000"), 1, SHEX("00000000000000000000000000000000"), SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" "87314e9c1fa01abe6a6415943dc38521")); /* * D.2.4 CCM-128-AES-256 test vector 4 */ test_cipher_ccm(&nettle_aes256, SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce60978f4d17fce45a49e830b7"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX(""), 0, SHEX("a845348ec8c5b5f126f50e76fefd1b1e"), SHEX("cc881261c6a7fa72b96a1739176b277f" "3472e1145f2c0cbe146349062cf0e423")); /* * D.2.5 CCM-128-AES-256 test vector 5 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), SHEX("000102030405060708090a0b0c0d0e0f10111213"), 1, SHEX("202122232425262728292a2b2c2d2e2f3031323334353637"), SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e5" "9bba3f3a107f3239bd63902923f80371")); /* * D.2.6 CCM-128-AES-256 test vector 6 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), adata, 256, SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e577f6bf2422c0f6d2" "3376d2cf256ef613c56454cbb5265834")); /* * D.2.7 CCM-128-AES-256 test vector 7 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), 1, SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("24d8a38e939d2710cad52b96fe6f82010014c4c43b2e55c557d69f0402e0d6f2" "06c53d6cbd3f1c3c6de5dcdcad9fb74f25741dea741149fe4278a0cc24741e86" "58cc0523b8d7838c60fb1de4b7c3941f5b26dea9322aa29656ec37ac18a9b108" "a6f38b7917f5a9c398838b22afbd17252e96694a9e6237964a0eae21c0a6e152" "15a0e82022926be97268249599e456e05029c3ebc07d78fc5b4a0862e04e68c2" "9514c7bdafc4b52e04833bf30622e4eb42504a44a9dcbc774752de7bb82891ad" "1eba9dc3281422a8aba8654268d3d9c81705f4c5a531ef856df5609a159af738" "eb753423ed2001b8f20c23725f2bef18c409f7e52132341f27cb8f0e79894dd9" "ebb1fa9d28ccfe21bdfea7e6d91e0bab")); /* * D.2.8 CCM-128-AES-256 test vector 8 */ test_cipher_ccm(&nettle_aes256, SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce6097878d17fce45a49e830b7"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX("36"), 1, SHEX("a9"), SHEX("9d3261b1cf931431e99a32806738ecbd2a")); /* * D.2.9 CCM-128-AES-256 test vector 9 */ test_cipher_ccm(&nettle_aes256, SHEX("f8d476cfd646ea6c2384cb1c27d6195dfef1a9f37b9c8d21a79c21f8cb90d289"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX("7bd859a247961a21823b380e9fe8b65082ba61d3"), 1, SHEX("90ae61cf7baebd4cade494c54a29ae70269aec71"), SHEX("6c05313e45dc8ec10bea6c670bd94f31569386a6" "8f3829e8e76ee23c04f566189e63c686")); } nettle-4.0/testsuite/cfb-test.c0000644000000000000000000002730015141166425013511 0ustar00#include "testutils.h" #include "aes.h" #include "cfb.h" #include "knuth-lfib.h" /* Test with more data and inplace decryption, to check that the * cfb_decrypt buffering works. */ #define CFB_BULK_DATA 10000 #define CFB8_BULK_DATA CFB_BULK_DATA static void test_cfb_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CFB_BULK_DATA]; uint8_t cipher[CFB_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("1fd0a9189b8480b7 b06a2b36ef5943ba"); struct CFB_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CFB_BULK_DATA); knuth_lfib_random(&random, CFB_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CFB_BULK_DATA] = 17; aes256_set_encrypt_key(&aes.ctx, key); CFB_SET_IV(&aes, start_iv); CFB_ENCRYPT(&aes, aes256_encrypt, CFB_BULK_DATA, cipher, clear); ASSERT(cipher[CFB_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes256_set_encrypt_key(&aes.ctx, key); CFB_SET_IV(&aes, start_iv); CFB_DECRYPT(&aes, aes256_encrypt, CFB_BULK_DATA, cipher, cipher); ASSERT(cipher[CFB_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CFB_BULK_DATA, clear, cipher)); } static void test_cfb8_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CFB8_BULK_DATA]; uint8_t cipher[CFB8_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("f84bfd48206f5803 6ef86f4e69e9aec0"); struct CFB8_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CFB8_BULK_DATA); knuth_lfib_random(&random, CFB8_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CFB8_BULK_DATA] = 17; aes256_set_encrypt_key(&aes.ctx, key); CFB8_SET_IV(&aes, start_iv); CFB8_ENCRYPT(&aes, aes256_encrypt, CFB8_BULK_DATA, cipher, clear); ASSERT(cipher[CFB8_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes256_set_encrypt_key(&aes.ctx, key); CFB8_SET_IV(&aes, start_iv); CFB8_DECRYPT(&aes, aes256_encrypt, CFB8_BULK_DATA, cipher, cipher); ASSERT(cipher[CFB8_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CFB8_BULK_DATA, clear, cipher)); } void test_main(void) { /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.7 CFB8-AES128.Encrypt */ test_cipher_cfb8(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d"), SHEX("3b79424c9c0dd436bace9e0ed4586a4f" "32b9"), SHEX("000102030405060708090a0b0c0d0e0f")); /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.9 CFB8-AES192.Encrypt */ test_cipher_cfb8(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d"), SHEX("cda2521ef0a905ca44cd057cbf0d47a0" "678a"), SHEX("000102030405060708090a0b0c0d0e0f")); /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.11 CFB8-AES256.Encrypt */ test_cipher_cfb8(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d"), SHEX("dc1f1a8520a64db55fcc8ac554844e88" "9700"), SHEX("000102030405060708090a0b0c0d0e0f")); /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.13 CFB128-AES128.Encrypt */ /* Intermediate values, blocks input to AES: * * 000102030405060708090a0b0c0d0e0f * 3b3fd92eb72dad20333449f8e83cfb4a * c8a64537a0b3a93fcde3cdad9f1ce58b * 26751f67a3cbb140b1808cf187a4f4df */ test_cipher_cfb(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3b3fd92eb72dad20333449f8e83cfb4a" "c8a64537a0b3a93fcde3cdad9f1ce58b" "26751f67a3cbb140b1808cf187a4f4df" "c04b05357c5d1c0eeac4c66f9ff7f2e6"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.3.15 CFB128-AES192.Encrypt */ /* Intermediate values, blocks input to AES: * * 000102030405060708090a0b0c0d0e0f * cdc80d6fddf18cab34c25909c99a4174 * 67ce7f7f81173621961a2b70171d3d7a * 2e1e8a1dd59b88b1c8e60fed1efac4c9 */ test_cipher_cfb(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("cdc80d6fddf18cab34c25909c99a4174" "67ce7f7f81173621961a2b70171d3d7a" "2e1e8a1dd59b88b1c8e60fed1efac4c9" "c05f9f9ca9834fa042ae8fba584b09ff"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.3.17 CFB128-AES256.Encrypt */ /* Intermediate values, blcoks input to AES: * * 000102030405060708090a0b0c0d0e0f * dc7e84bfda79164b7ecd8486985d3860 * 39ffed143b28b1c832113c6331e5407b * df10132415e54b92a13ed0a8267ae2f9 */ test_cipher_cfb(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("dc7e84bfda79164b7ecd8486985d3860" "39ffed143b28b1c832113c6331e5407b" "df10132415e54b92a13ed0a8267ae2f9" "75a385741ab9cef82031623d55b1e471"), SHEX("000102030405060708090a0b0c0d0e0f")); test_cfb_bulk(); test_cfb8_bulk(); } /* F.3.13 CFB128-AES128.Encrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block 50fe67cc996d32b6da0937e99bafec60 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a Segment #2 Input Block 3b3fd92eb72dad20333449f8e83cfb4a Output Block 668bcf60beb005a35354a201dab36bda Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext c8a64537a0b3a93fcde3cdad9f1ce58b Segment #3 Input Block c8a64537a0b3a93fcde3cdad9f1ce58b Output Block 16bd032100975551547b4de89daea630 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 26751f67a3cbb140b1808cf187a4f4df Segment #4 Input Block 26751f67a3cbb140b1808cf187a4f4df Output Block 36d42170a312871947ef8714799bc5f6 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext c04b05357c5d1c0eeac4c66f9ff7f2e6 F.3.14 CFB128-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block 50fe67cc996d32b6da0937e99bafec60 Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block 3b3fd92eb72dad20333449f8e83cfb4a Output Block 668bcf60beb005a35354a201dab36bda Ciphertext c8a64537a0b3a93fcde3cdad9f1ce58b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block c8a64537a0b3a93fcde3cdad9f1ce58b Output Block 16bd032100975551547b4de89daea630 Ciphertext 26751f67a3cbb140b1808cf187a4f4df Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block 26751f67a3cbb140b1808cf187a4f4df Output Block 36d42170a312871947ef8714799bc5f6 Ciphertext c04b05357c5d1c0eeac4c66f9ff7f2e6 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.3.15 CFB128-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 000102030405060708090a0b0c0d0e0f Segment #1 50 IV Input Block 000102030405060708090a0b0c0d0e0f Output Block a609b38df3b1133dddff2718ba09565e Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext cdc80d6fddf18cab34c25909c99a4174 Segment #2 Input Block cdc80d6fddf18cab34c25909c99a4174 Output Block c9e3f5289f149abd08ad44dc52b2b32b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 67ce7f7f81173621961a2b70171d3d7a Segment #3 Input Block 67ce7f7f81173621961a2b70171d3d7a Output Block 1ed6965b76c76ca02d1dcef404f09626 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 2e1e8a1dd59b88b1c8e60fed1efac4c9 Segment #4 Input Block 2e1e8a1dd59b88b1c8e60fed1efac4c9 Output Block 36c0bbd976ccd4b7ef85cec1be273eef Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext c05f9f9ca9834fa042ae8fba584b09ff F.3.16 CFB128-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block a609b38df3b1133dddff2718ba09565e Ciphertext cdc80d6fddf18cab34c25909c99a4174 Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block cdc80d6fddf18cab34c25909c99a4174 Output Block c9e3f5289f149abd08ad44dc52b2b32b Ciphertext 67ce7f7f81173621961a2b70171d3d7a Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block 67ce7f7f81173621961a2b70171d3d7a Output Block 1ed6965b76c76ca02d1dcef404f09626 Ciphertext 2e1e8a1dd59b88b1c8e60fed1efac4c9 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block 2e1e8a1dd59b88b1c8e60fed1efac4c9 Output Block 36c0bbd976ccd4b7ef85cec1be273eef Ciphertext c05f9f9ca9834fa042ae8fba584b09ff Plaintext f69f2445df4f9b17ad2b417be66c3710 F.3.17 CFB128-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block b7bf3a5df43989dd97f0fa97ebce2f4a Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext dc7e84bfda79164b7ecd8486985d3860 Segment #2 Input Block dc7e84bfda79164b7ecd8486985d3860 Output Block 97d26743252b1d54aca653cf744ace2a Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 39ffed143b28b1c832113c6331e5407b Segment #3 Input Block 39ffed143b28b1c832113c6331e5407b Output Block efd80f62b6b9af8344c511b13c70b016 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext df10132415e54b92a13ed0a8267ae2f9 Segment #4 Input Block df10132415e54b92a13ed0a8267ae2f9 Output Block 833ca131c5f655ef8d1a2346b3ddd361 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 75a385741ab9cef82031623d55b1e471 F.3.18 CFB128-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block b7bf3a5df43989dd97f0fa97ebce2f4a Ciphertext dc7e84bfda79164b7ecd8486985d3860 Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block dc7e84bfda79164b7ecd8486985d3860 Output Block 97d26743252b1d54aca653cf744ace2a Ciphertext 39ffed143b28b1c832113c6331e5407b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block 39ffed143b28b1c832113c6331e5407b Output Block efd80f62b6b9af8344c511b13c70b016 Ciphertext df10132415e54b92a13ed0a8267ae2f9 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block df10132415e54b92a13ed0a8267ae2f9 Output Block 833ca131c5f655ef8d1a2346b3ddd361 Ciphertext 75a385741ab9cef82031623d55b1e471 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-4.0/testsuite/chacha-poly1305-test.c0000644000000000000000000000213215141166425015454 0ustar00#include "testutils.h" #include "nettle-internal.h" void test_main(void) { /* From draft-irtf-cfrg-chacha20-poly1305-08 */ test_aead (&nettle_chacha_poly1305, NULL, SHEX("8081828384858687 88898a8b8c8d8e8f" "9091929394959697 98999a9b9c9d9e9f"), SHEX("50515253c0c1c2c3 c4c5c6c7"), SHEX("4c61646965732061 6e642047656e746c" "656d656e206f6620 74686520636c6173" "73206f6620273939 3a20496620492063" "6f756c64206f6666 657220796f75206f" "6e6c79206f6e6520 74697020666f7220" "7468652066757475 72652c2073756e73" "637265656e20776f 756c642062652069" "742e"), SHEX("d31a8d34648e60db7b86afbc53ef7ec2" "a4aded51296e08fea9e2b5a736ee62d6" "3dbea45e8ca9671282fafb69da92728b" "1a71de0a9e060b2905d6a5b67ecd3b36" "92ddbd7f2d778b8c9803aee328091b58" "fab324e4fad675945585808b4831d7bc" "3ff4def08e4b7a9de576d26586cec64b" "6116"), /* The draft splits the nonce into a "common part" and an iv, and it seams the "common part" is the first 4 bytes. */ SHEX("0700000040414243 44454647"), SHEX("1ae10b594f09e26a 7e902ecbd0600691")); } nettle-4.0/testsuite/chacha-test.c0000644000000000000000000006446115141166425014177 0ustar00/* chacha-test.c Test program for the ChaCha stream cipher implementation. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "chacha.h" #include "chacha-internal.h" static int memzero_p (const uint8_t *p, size_t n) { size_t i; for (i = 0; i < n; i++) if (p[i]) return 0; return 1; } /* Test with simple structure of the salsa20 input, to aid debugging. */ static void test_chacha_core(void) { const uint32_t input[16] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, /* Second block will have carry from first counter word propagate to next word. */ 0xffffffff, 13, 14, 15, }; const struct tstring *expected = SHEX("32f216b0eddeee3b bade2bf5a4c0b3b3" "0aab2d67b09b2a63 6127fc965d831b2c" "ddc9e25ca7841f3e 938e3566a7702a0b" "7f80559e639ef6da 6d39627abc7da6b1" "0090a54241e68b6b d870f3b60adcaf89" "09d3c7b8a8c76aa3 941d726c649636db" "d6c3f0490fd38a46 070b77a757972126" "6323aa95eef9d68c 7eac86e913caa80c" "17dd18ae19b0b72e 0ef6e66a58c0791e" "e574e44162c99484 68085365916e0fee" "e3d0a5d3d2b93b4a ff245cb557af3ead" "2395f5cc7a00e25a 4f69a17969360781"); const struct tstring *expected_32 /* For 32-bit counter */ = SHEX("32f216b0eddeee3b bade2bf5a4c0b3b3" "0aab2d67b09b2a63 6127fc965d831b2c" "ddc9e25ca7841f3e 938e3566a7702a0b" "7f80559e639ef6da 6d39627abc7da6b1" "ea56196ace461eeb f898ade2f51c425f" "ff0452d728f13505 e23a1d017b40becd" "6482114a4586f48a 85c5cb9f92333de6" "9c248f2a809275fa 4786d5d6854fd7d7" "77dd6b03073f9dbf 294eabd6affa3104" "fccb19c3182a330c af2fdf0c43ebfa52" "7f845ffc0a897bea 2cf27a3dfc6f31af" "7db66563de442b71 f6d51f96930587ef"); struct chacha_ctx ctx; uint8_t output[192]; ASSERT (expected->length == 192); ASSERT (expected_32->length == 192); /* Three blocks, to exercises _chacha_3core, if available. */ memcpy (&ctx, input, sizeof(ctx)); chacha_crypt (&ctx, 192, output, expected->data); if (!memzero_p (output, 192)) { fprintf(stderr, "chacha_crypt failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(192, output); fprintf(stderr, "\n"); FAIL(); } memcpy (&ctx, input, sizeof(ctx)); chacha_crypt32 (&ctx, 192, output, expected_32->data); if (!memzero_p (output, 192)) { fprintf(stderr, "chacha_crypt32 failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(192, output); fprintf(stderr, "\n"); FAIL(); } } /* For tests with non-standard number of rounds, calling _nettle_chacha_core directly. */ static void test_chacha_rounds(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected, unsigned rounds) { struct chacha_ctx ctx; uint32_t out[_CHACHA_STATE_LENGTH]; ASSERT (expected->length == CHACHA_BLOCK_SIZE); ASSERT (key->length == CHACHA_KEY_SIZE); chacha_set_key (&ctx, key->data); ASSERT (nonce->length == CHACHA_NONCE_SIZE); chacha_set_nonce(&ctx, nonce->data); _nettle_chacha_core (out, ctx.state, rounds); if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) { printf("Error, expected:\n"); tstring_print_hex (expected); printf("Got:\n"); print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); FAIL (); } if (verbose) { printf("Result after encryption:\n"); print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); } } static void _test_chacha(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected, const struct tstring *counter) { struct chacha_ctx ctx; nettle_set_key_func *set_nonce; nettle_set_key_func *set_counter; nettle_crypt_func *crypt; uint8_t *data = xalloc (expected->length + 2); size_t length; data++; ASSERT (key->length == CHACHA_KEY_SIZE); chacha_set_key (&ctx, key->data); switch (nonce->length) { case CHACHA_NONCE_SIZE: set_nonce = (nettle_set_key_func *) chacha_set_nonce; set_counter = (nettle_set_key_func *) chacha_set_counter; crypt = (nettle_crypt_func *) chacha_crypt; if (counter) ASSERT (counter->length == CHACHA_COUNTER_SIZE); break; case CHACHA_NONCE96_SIZE: set_nonce = (nettle_set_key_func *) chacha_set_nonce96; set_counter = (nettle_set_key_func *) chacha_set_counter32; crypt = (nettle_crypt_func *) chacha_crypt32; if (counter) ASSERT (counter->length == CHACHA_COUNTER32_SIZE); break; default: die ("Bad nonce size %u.\n", (unsigned) nonce->length); } for (length = 1; length <= expected->length; length++) { size_t offset; data[-1] = 17; memset (data, 0, length); data[length] = 17; set_nonce (&ctx, nonce->data); if (counter) set_counter (&ctx, counter->data); crypt (&ctx, length, data, data); ASSERT (data[-1] == 17); ASSERT (data[length] == 17); if (!MEMEQ(length, data, expected->data)) { printf("Error, length %u, expected:\n", (unsigned) length); print_hex (length, expected->data); printf("Got:\n"); print_hex(length, data); FAIL (); } /* Round up to next block boundary. */ offset = (length + CHACHA_BLOCK_SIZE - 1) & -CHACHA_BLOCK_SIZE; if (offset < expected->length) { memset(data, 0, expected->length - offset); data[expected->length - offset] = 17; crypt (&ctx, expected->length - offset, data, data); if (!MEMEQ(expected->length - offset, data, expected->data + offset)) { printf("Error, length %u, offset %u, remaining %u, expected:\n", (unsigned) length, (unsigned) offset, (unsigned) (expected->length - offset)); print_hex (expected->length - offset, expected->data + offset); printf("Got:\n"); print_hex(expected->length - offset, data); FAIL (); } } } if (verbose) { printf("Result after encryption:\n"); print_hex(expected->length, data); } free (data - 1); } static void test_chacha(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected) { _test_chacha(key, nonce, expected, NULL); } static void test_chacha_with_counter(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected, const struct tstring *counter) { _test_chacha(key, nonce, expected, counter); } void test_main(void) { test_chacha_core(); /* Test vectors from draft-strombergson-chacha-test-vectors */ test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1" "2c840ec3ce9a7f3b 181be188ef711a1e" "984ce172b9216f41 9f445367456d5619" "314a42a3da86b001 387bfdb80e0cfe42" /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad" "c0fd581259f9a2aa dcf20f8fd566a26b" "5032ec38bbc5da98 ee0c6f568b872a65" "a08abf251deb21bb 4b56e5d8821e68aa" */), 8); test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("9bf49a6a0755f953 811fce125f2683d5" "0429c3bb49e07414 7e0089a52eae155f" "0564f879d27ae3c0 2ce82834acfa8c79" "3a629f2ca0de6919 610be82f411326be" /* "0bd58841203e74fe 86fc71338ce0173d" "c628ebb719bdcbcc 151585214cc089b4" "42258dcda14cf111 c602b8971b8cc843" "e91e46ca905151c0 2744a6b017e69316" */), 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("76b8e0ada0f13d90 405d6ae55386bd28" "bdd219b8a08ded1a a836efcc8b770dc7" "da41597c5157488d 7724e03fb8d84a37" "6a43b8f41518a11c c387b669b2ee6586" "9f07e7be5551387a 98ba977c732d080d" "cb0f29a048e36569 12c6533e32ee7aed" "29b721769ce64e43 d57133b074d839d5" "31ed1f28510afb45 ace10a1f4b794d6f")); /* TC2: Single bit in key set. All zero IV */ test_chacha_rounds (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("cf5ee9a0494aa961 3e05d5ed725b804b" "12f4a465ee635acc 3a311de8740489ea" "289d04f43c7518db 56eb4433e498a123" "8cd8464d3763ddbb 9222ee3bd8fae3c8"), 8); test_chacha_rounds (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("12056e595d56b0f6 eef090f0cd25a209" "49248c2790525d0f 930218ff0b4ddd10" "a6002239d9a454e2 9e107a7d06fefdfe" "f0210feba044f9f2 9b1772c960dc29c0"), 12); test_chacha (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("c5d30a7ce1ec1193 78c84f487d775a85" "42f13ece238a9455 e8229e888de85bbd" "29eb63d0a17a5b99 9b52da22be4023eb" "07620a54f6fa6ad8 737b71eb0464dac0" "10f656e6d1fd5505 3e50c4875c9930a3" "3f6d0263bd14dfd6 ab8c70521c19338b" "2308b95cf8d0bb7d 202d2102780ea352" "8f1cb48560f76b20 f382b942500fceac")); /* TC3: Single bit in IV set. All zero key */ test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1" "3aa0edccc1be6942 090faeeca0d7599b" "7ff0fe616bb25aa0 153ad6fdc88b9549" "03c22426d478b97b 22b8f9b1db00cf06"), 8); test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d" "f8b33f635714418f 9836ade59be12969" "46c953a0f38ecffc 9ecb98e81d5d99a5" "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"), 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("ef3fdfd6c61578fb f5cf35bd3dd33b80" "09631634d21e42ac 33960bd138e50d32" "111e4caf237ee53c a8ad6426194a8854" "5ddc497a0b466e7d 6bbdb0041b2f586b" "5305e5e44aff19b2 35936144675efbe4" "409eb7e8e5f1430f 5f5836aeb49bb532" "8b017c4b9dc11f8a 03863fa803dc71d5" "726b2b6b31aa3270 8afe5af1d6b69058")); /* TC4: All bits in key and IV are set. */ test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("e163bbf8c9a739d1 8925ee8362dad2cd" "c973df05225afb2a a26396f2a9849a4a" "445e0547d31c1623 c537df4ba85c70a9" "884a35bcbf3dfab0 77e98b0f68135f54"), 8); test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("04bf88dae8e47a22 8fa47b7e6379434b" "a664a7d28f4dab84 e5f8b464add20c3a" "caa69c5ab221a23a 57eb5f345c96f4d1" "322d0a2ff7a9cd43 401cd536639a615a"), 12); test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("d9bf3f6bce6ed0b5 4254557767fb5744" "3dd4778911b60605 5c39cc25e674b836" "3feabc57fde54f79 0c52c8ae43240b79" "d49042b777bfd6cb 80e931270b7f50eb" "5bac2acd86a836c5 dc98c116c1217ec3" "1d3a63a9451319f0 97f3b4d6dab07787" "19477d24d24b403a 12241d7cca064f79" "0f1d51ccaff6b166 7d4bbca1958c4306")); /* TC5: Every even bit set in key and IV. */ test_chacha_rounds (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("7cb78214e4d3465b 6dc62cf7a1538c88" "996952b4fb72cb61 05f1243ce3442e29" "75a59ebcd2b2a598 290d7538491fe65b" "dbfefd060d887981 20a70d049dc2677d"), 8); test_chacha_rounds (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("a600f07727ff93f3 da00dd74cc3e8bfb" "5ca7302f6a0a2944 953de00450eecd40" "b860f66049f2eaed 63b2ef39cc310d2c" "488f5d9a241b615d c0ab70f921b91b95"), 12); test_chacha (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("bea9411aa453c543 4a5ae8c92862f564" "396855a9ea6e22d6 d3b50ae1b3663311" "a4a3606c671d605c e16c3aece8e61ea1" "45c59775017bee2f a6f88afc758069f7" "e0b8f676e644216f 4d2a3422d7fa36c6" "c4931aca950e9da4 2788e6d0b6d1cd83" "8ef652e97b145b14 871eae6c6804c700" "4db5ac2fce4c68c7 26d004b10fcaba86")); /* TC6: Every odd bit set in key and IV. */ test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61" "2d71ef7f0cf9e387 df6ed6972f0aae21" "311aa581f816c90e 8a99de990b6b95aa" "c92450f4e1127126 67b804c99e9c6eda"), 8); test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("856505b01d3b47aa e03d6a97aa0f033a" "9adcc94377babd86 08864fb3f625b6e3" "14f086158f9f725d 811eeb953b7f7470" "76e4c3f639fa841f ad6c9a709e621397"), 12); test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("9aa2a9f656efde5a a7591c5fed4b35ae" "a2895dec7cb4543b 9e9f21f5e7bcbcf3" "c43c748a970888f8 248393a09d43e0b7" "e164bc4d0b0fb240 a2d72115c4808906" "72184489440545d0 21d97ef6b693dfe5" "b2c132d47e6f041c 9063651f96b623e6" "2a11999a23b6f7c4 61b2153026ad5e86" "6a2e597ed07b8401 dec63a0934c6b2a9")); /* TC7: Sequence patterns in key and IV. */ test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("db43ad9d1e842d12 72e4530e276b3f56" "8f8859b3f7cf6d9d 2c74fa53808cb515" "7a8ebf46ad3dcc4b 6c7dadde131784b0" "120e0e22f6d5f9ff a7407d4a21b695d9"), 8); test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e" "568b0e5589346935 505f064b8c2698db" "f7d850667d8e67be 639f3b4f6a16f92e" "65ea80f6c7429445 da1fc2c1b9365040"), 12); test_chacha (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("9fadf409c00811d0 0431d67efbd88fba" "59218d5d6708b1d6 85863fabbb0e961e" "ea480fd6fb532bfd 494b215101505742" "3ab60a63fe4f55f7 a212e2167ccab931" "fbfd29cf7bc1d279 eddf25dd316bb884" "3d6edee0bd1ef121 d12fa17cbc2c574c" "ccab5e275167b08b d686f8a09df87ec3" "ffb35361b94ebfa1 3fec0e4889d18da5")); /* TC8: hashed string patterns */ test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("838751b42d8ddd8a 3d77f48825a2ba75" "2cf4047cb308a597 8ef274973be374c9" "6ad848065871417b 08f034e681fe46a9" "3f7d5c61d1306614 d4aaf257a7cff08b"), 8); test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("1482072784bc6d06 b4e73bdc118bc010" "3c7976786ca918e0 6986aa251f7e9cc1" "b2749a0a16ee83b4 242d2e99b08d7c20" "092b80bc466c8728 3b61b1b39d0ffbab"), 12); test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("f63a89b75c2271f9 368816542ba52f06" "ed49241792302b00 b5e8f80ae9a473af" "c25b218f519af0fd d406362e8d69de7f" "54c604a6e00f353f 110f771bdca8ab92" "e5fbc34e60a1d9a9 db17345b0a402736" "853bf910b060bdf1 f897b6290f01d138" "ae2c4c90225ba9ea 14d518f55929dea0" "98ca7a6ccfe61227 053c84e49a4a3332")); /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce. Manually sets the 32-bit counter value to 1. */ test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" "1011121314151617 18191a1b1c1d1e1f"), SHEX("000000090000004a 00000000"), SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" "c7d1f4c733c06803 0422aa9ac3d46c4e" "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), SHEX("01000000")); /* This is identical to the above 96-bit nonce test, but it manually sets the 64-bit counter value */ test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" "1011121314151617 18191a1b1c1d1e1f"), SHEX("0000004a00000000"), SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" "c7d1f4c733c06803 0422aa9ac3d46c4e" "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), SHEX("0100000000000009")); /* Tests with long message, 16 blocks. */ test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b" "09742e5a6858def1 c1413425719ba204"), SHEX("f9a864f273cc10fe baf531d7"), SHEX("3bed2adca04c96c8 d74e08aff4d5d9e0" "836209a15db7ea25 87c61d61a3472c4f" "b09ec92d020a25fd 183eb31870bf01c2" "9a87c2280ca12718 2af7a0b626ba4906" "51268430b180c7f9 5bb680bacf4a84e7" "dadd67bb6e2aa32d 22fb99ae4dfac283" "acb0f596f75518f9 3227448d63048f1a" "20108699cc0504e5 524e11e71f05d3f9" "b37725c68260448d dd61b690f614571b" "a57a848f6f2b0e10 5c044986d9d2f7ca" "10177a27c5ccbb94 ffefcb87d836b02a" "e6c312ebd5862520 c67d05259326a1d5" "645a6f4cdda94de2 8d5d8069d95263e7" "037c4fbe1322fcb5 cf5ab14237039b76" "f76134345777d647 799f248b7f8c9a94" "713e5678bfdef4f2 7285a34be8800146" "1f9cffbf24228377 d583f34ddb9c6010" "8c035f7e5285953c 74b56e1508531705" "f49398b409d94276 435814ee76232b57" "0b461913fa88381f 238a241afa7042f0" "35e796cb4a058dfc 4098b614464ad230" "9c6e7719d940e26b 8d77472d357230f5" "cb35cfa86bf46324 eafb305ae2d50509" "0e635ebe9e4a090a 41c8e9e931d7bf5f" "22a59d75130c62e3 a4829fc38d07d458" "072956a6282b9a90 f9a491e064dcc689" "28e47fd1c7131e97 6f755027fbf190cf" "977de188faa80a7c 83921745bb14f534" "3cbc9d86d01379f3 d59fa5b454ed8855" "46f34b9e419dfe08 9879cae4b297a3d8" "28367da777756aaa 9de2005e0ad1af6f" "af6daf9c14aedc39 fcbf95863a128816" "93f22a580c96ca98 da6c13166cd17b22" "2c468df637bf2961 e6b7692c6ed3463b" "84a1837108de1ea4 20c0a890c92768b8" "ac6732645a1a609c 28345d5e69f9475c" "21401fe2b7504230 ce4866d09484ffdc" "0bdd08f193993b26 083808e88f109d3b" "753d61a4391b1461 fe3a9bc07e2fee7b" "b37c9997c8f3d081 d6d145fb060da3f2" "28a31a2be1a35c6c 4c6181bac0f1119e" "e87bc230512e0fb4 38040e89e8af7452" "71530ae0e34bca8e 0cfbe5bbad577bea" "bc1c9c673d197185 7033822cd0ea21ed" "ccfdf4788f62c26b bd2718e576db61f5" "4ebef978884c7fe7 b4934918cb89e3a2" "df3b5c664ab9ff09 0c016ba84ebbbd73" "8cf905fc8ca95dee 757a901ea27a33d2" "813f0a17692c5646 6f9690cddb3e15f7" "1020f9321bd45ccb 49c41deb49103a7d" "b8535b705e4d3389 f4495ee49f96dc5d" "c7eab39129652078 8b3876576f5dadb0" "a674bdad75a9f581 d48fbc2e6de734f0" "73f78ed77b041a09 760ef6eb754cc60e" "8fabd6e1b3ce02bb b302f8a73be42ddf" "1dae4d8b251320d2 184adaf92eb76b12" "37d169621de761fb cb6942a7b9972cca" "9d35d58b2779523b ad584c27bb991acd" "a0be4174dcd85ffe fe16abf2235829c5" "0ac49897e2b2a7ef b1c5c07e80d7fce1" "c4f5596231ad3436 0c75cd60b5088281" "83c74ffc805177f7 c687454582a3cbc3" "79180c9a90680eda 68499e0ee435c7c6" "e028d305299b43dd eb68c387ae694a53")); test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b" "09742e5a6858def1 c1413425719ba204"), SHEX("f9a864f273cc10fe"), SHEX("bd11678b8300a275 60dadbde311b1660" "edf6ec14eff4b553 418c7a99c8a0512b" "f79cfbf853f0df4f daa806dd6ac12aea" "bc92f8d4964f4d86 e12934589e46b6f3" "cb00ac786355852a f066f1ca2485f7bb" "232096e5a6042498 149600c6d438598a" "8b89bf6b3adcbbd8 010e91148c01c06d" "4f5b651333f32292 0e149f6fe2dcc8a4" "98744655d32732f8 69a88b5cf80761a8" "218888d5ba5788c8 7eef9340e2f03b0c" "b1caf7cfe0d9cde6 434d615a7f1c603e" "1302e311cadb7c69 95ca53981ae58aac" "40718e7dc61eabe3 35c253988217fc10" "1a1633b9bce6fbc9 b9fd9c9a2ab319a5" "9ba134ef7505e64c c35cccbb320bec09" "4dc950849b49d86d 572f795c1a24dbe3" "2d51e61a7291375a 85b150f0530f53c1" "3c987c0beedb2107 49c847c774523858" "dbeb997609cf89ad cf7433e668a460bc" "52cfa00951daac95 e5edc8baf32a867e" "81c3d7de7f34ea28 f74339985f2643cc" "9b5d30d76872d20e fb18d914a58f0083" "d5d322f5cdd5a3dd 63148988bb79e97a" "1e8a9595e1f4cccd 8910a043f1b07cd1" "bcb8e7c4c8018de9 8ff65b2787304751" "333b94ae56dbbb36 4e9ed750dc77d9ce" "c9c5a440663b78a6 0dba2ac3b5e7fcf1" "c1f14cd1a9794c49 ff082df137a4a35d" "bee8409979b49275 3a4a32825b6c9903" "28440e2c7d2c2cae 4bdd5769dc0cc31f" "4bd5b8d090ec6cbe d743b44bf62531c5" "f12e1bbb68cca686 36953a259c9d4b9b" "c1ec206c8a506f49 9a13a2e60c026f53" "61bd34428f9d6fa7 207c63589d1efd5f" "161cc957275a7f00 992c7e1dfda6f913" "9d35ae670cff55da 1dba6a2f13424b3f" "61c68580885eba6a f2aecb29d138b209" "1c7227902aceddfb d4761f7cbae75d89" "aaca5808a4704410 448a6eb13cf4b4f6" "cd7c37341ae80b23 6affef543aef78aa" "15a4581380cb19b8 e684ddd3efaea4e6" "bb88c07aa9325398 cb67e241a59732d0" "dfe999532b53d255 fb34a937aa55ae4d" "02b7850831b7b669 1e4ee269c5d38a9d" "80133265072ab3f3 af627298a265d7c0" "1fe95f895b08d4c8 7dd4f6f7a6ce1393" "de4225fedd1bf3c1 fe76a171f99d5e3f" "975e31ca21d58fa6 daf580dcb46379a6" "8a6a65e72b4df392 d3f94697f352286e" "0f00ce97f2656011 4ccf17bdcedc9589" "a9c8041e9f3daf9c f5c222d6ddbd2cfc" "b26065a9f85592d5 e6f85a46e0e9fd79" "f25197451c8d18d3 ed15cac7ba27870f" "8f0cbe7c17409a4e 66e95adde633d2d6" "270e0d17ca774efa 1ce9908e03baf208" "cfee33add11dcd9e 032db6fbb7b209a6" "30ac76c88e695413 a3c75d885a2fe9c4" "50236bf7a59110d5 62c77bc046afeb0d" "a8210a75a79e6732 9e49a225bee17b84" "bf24bdd32f77fdf4 05fd06955b0802d9" "7a4f115b8b052184 1a80620b2d66e572" "41d137cbcb2131c5 c8cbabe8a1b0ca25" "d760f988e68843ef ddc7449daf2b18ce" "5825cc4f79aaf7ac 659c77a1ad294b51")); /* From https://github.com/weidai11/cryptopp/blob/master/TestVectors/chacha.txt */ test_chacha_with_counter (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("032CC123482C3171 1F94C941AF5AB1F4" "155784332ED5348F E79AEC5EAD4C06C3" "F13C280D8CC49925 E4A6A5922EC80E13" "A4CDFA840C70A142 7A3CB699166991A5" "ACE4CD09E294D191 2D4AD205D06F95D9" "C2F2BFCF453E8753 F128765B62215F4D" "92C74F2F626C6A64 0C0B1284D839EC81" "F1696281DAFC3E68 4593937023B58B1D" "3DB41D3AA0D32928 5DE6F225E6E24BD5" "9C9A17006943D5C9 B680E3873BDC683A" "5819469899989690 C281CD17C96159AF" "0682B5B903468A61 F50228CF09622B5A" "46F0F6EFEE15C8F1 B198CB49D92B9908" "67905159440CC723 916DC00128269810" "39CE1766AA2542B0 5DB3BD809AB14248" "9D5DBFE1273E7399 637B4B3213768AAA" "89B1889375E99FE2 442C4F68ADF54158" "F4B8135713D00999 B92B38E3AAFE5FF4" "959B1834BE3DC54F C36AA9D32EB121E0" "F688B90E7C7E2649 F4AAEF407BDD2B94" "09EFEC03114CB5D4 FFD1788E0FE1897B" "D176C1311E368368 C657A5EE55C9CA03" "CC71744F030822D5 3A0486A97B9D9824" "0274FADEAF262BD8 1B58BCE3DFA98414" "C24B5BC517FD9199 3A6B2E6232B05021" "25C6F48A6921E2DD A8EB6B3C4ECF2AAE" "889602AD90B5D253 7FF45DF525C67B98" "3B51DBD23E1280AA 656EAE85B63CC42D" "E8C70E7C19C1D66E 3F902BEA9D1ACFD3" "326B5985AD7C8CAB D431ACBC62976CE5" "23C938EA447D4AF0 F560DC52B0AB1D7D" "66A42AB8272E2C40 BD66470FE6F68846" "12A11D899A0B7EB5 4907BBEDD6483EFC" "ED1F15621D4673FF 928C5AAB5F465257" "123679EF17C39648 C537E150108E0F66" "08732E9F5B240689 EEB5402FA04CCB89" "B7CA9649A361C526 B41ED110402D9497" "715B03441118BC49 53FCBEF395267570" "BD43EC0EEF7B6167 F14FED205EB81290" "7D0C134DC49FA5B1 8F5A3A3A9BD0A71B" "2FFE445EE4FABEB4 054CC922BA360E45" "89B681F01E2A43B5 A0C0F0C39A5ADB94" "B3BC2D20FF7F287F DF17F53B7CB5E3A1" "ABD46FC0819A3559 C03C6B4106603066" "359A4A09B468B6DF EF8A363C7B31D9E8" "8ABB85914F4A27C3 0E9915C66AAC3576" "9E481C87AEE4C313 8CF40F288ED3C172" "FFC17D3D78F8D32C 3C756C13CFBFB95F" "3ECCE6D8B54344D7 8998F58148C4B43B" "1A6201ABFF3D4FB4 B76E3BBA104CFAA5" "5D8DA4319A9E0606 644B07DC204E9635" "502186C1EF9E4332 2EFD69F86D4DA1F6" "A98BF0B800BA04BD 9FBA5C5BE8EC49D4" "8D9EECBADEE669EF 69C9522C730110BB" "8339AF0E45185262 C9183307C5EEA59D" "E5095CAC26E8428D 4CA9E44DCF8FC7B4" "1F9624A2DBA36F44 415BAC489BF46CB6" "BB1BD2B70D719772 FDABB3B166EA615A" "BDF208C39BA8A708 D933CBC8A3236D4A" "15629FCAA35E00C2 B361527326E7AB51" "409A7DE42C909334 6E41D3A3C4529D95" "57BBC01EEFF927F1 052B5E02F74542B0" "4E78F1E933C67DBC 2C9187527C86DA77" "F045D4B07CF646BA 9547646905F1F117"), SHEX("feffffff00000000")); /* 32-bit overflow */ } nettle-4.0/testsuite/cmac-test.c0000644000000000000000000000703415141166425013664 0ustar00#include "testutils.h" #include "nettle-internal.h" #include "cmac.h" #define test_cmac_aes128(key, msg, ref) \ test_mac(&nettle_cmac_aes128, NULL, key, msg, ref) #define test_cmac_aes256(key, msg, ref) \ test_mac(&nettle_cmac_aes256, NULL, key, msg, ref) #define test_cmac_des3(key, msg, ref) \ test_mac(&nettle_cmac_des3, NULL, key, msg, ref) void test_main(void) { /* * CMAC-AES Test Vectors from RFC4493. */ test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SDATA(""), SHEX("bb1d6929e95937287fa37d129b756746")); test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a"), SHEX("070a16b46b4d4144f79bdd9dd04a287c")); test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("dfa66747de9ae63030ca32611497c827")); test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("51f0bebf7e3b9d92fc49741779363cfe")); /* Additional tests with different keys (same plaintext) * to check all variants of set_key() */ test_cmac_aes128 (SHEX("2b7e151628aed2a8abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("87dd33c2945a4e228028690ae8954945")); test_cmac_aes128 (SHEX("2b7e1ab628aed2a8abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("f0dc613a88886c7ed76eeb51f1c5e8d3")); test_cmac_aes128 (SHEX("2b7e1ab628aed2a8abf7158809cf4f3d"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("b9d092dc387a9e42cdfeb9f9930cf567")); /* CMAC-AES256 vectors taken from phplib */ test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SDATA(""), SHEX("028962f61b7bf89efc6b551f4667d983")); test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a"), SHEX("28a7023f452e8f82bd4bf28d8c37c35c")); test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411"), SHEX("aaf3d8f1de5640c232f5b169b9c911e6")); test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"), SHEX("e1992190549f6ed5696a2c056c315410")); /* CMAC-3DES vectors from NIST SP800-38B examples */ test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SDATA(""), SHEX("7db0d37df936c550")); test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SHEX("6bc1bee22e409f96e93d7e117393172a"), SHEX("30239cf1f52e6609")); test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a57"), SHEX("6c9f3ee4923f6be2")); test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"), SHEX("99429bd0bf7904e5")); } nettle-4.0/testsuite/cnd-memcpy-test.c0000644000000000000000000000176515141166425015022 0ustar00#include "testutils.h" #include "knuth-lfib.h" #include "memops.h" static void cnd_memcpy_for_test(int cnd, void *dst, const void *src, size_t n) { /* Makes valgrind trigger on any branches depending on the input data. */ mark_bytes_undefined (n, dst); mark_bytes_undefined (n, src); mark_bytes_undefined (sizeof(cnd), &cnd); cnd_memcpy (cnd, dst, src, n); mark_bytes_defined (n, src); mark_bytes_defined (n, dst); } #define MAX_SIZE 50 void test_main(void) { uint8_t src[MAX_SIZE]; uint8_t dst[MAX_SIZE]; uint8_t res[MAX_SIZE]; struct knuth_lfib_ctx random_ctx; knuth_lfib_init (&random_ctx, 11); size_t size; for (size = 1; size < 50; size++) { knuth_lfib_random (&random_ctx, size, src); knuth_lfib_random (&random_ctx, size, dst); memcpy (res, dst, size); cnd_memcpy_for_test (0, res, src, size); ASSERT (memcmp (res, dst, size) == 0); cnd_memcpy_for_test (1, res, src, size); ASSERT (memcmp (res, src, size) == 0); } } nettle-4.0/testsuite/ctr-test.c0000644000000000000000000002677415141166425013565 0ustar00#include "testutils.h" #include "non-nettle.h" void test_main(void) { /* From NIST spec 800-38a on AES modes, * * http://csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38A.pdf * * F.5 CTR Example Vectors */ /* Zero-length data. Exposes bug reported by Tim Kosse, where ctr_crypt increment the ctr when it shouldn't. */ test_cipher_ctr(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX(""), SHEX(""), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.1 CTR-AES128.Encrypt */ test_cipher_ctr(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("874d6191b620e3261bef6864990db6ce" "9806f66b7970fdff8617187bb9fffdff" "5ae4df3edbd5d35e5b4f09020db03eab" "1e031dda2fbe03d1792170a0f3009cee"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.3 CTR-AES192.Encrypt */ test_cipher_ctr(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("1abc932417521ca24f2b0459fe7e6e0b" "090339ec0aa6faefd5ccc2c6f4ce8e94" "1e36b26bd1ebc670d1bd1d665620abf7" "4f78a7f6d29809585a97daec58c6b050"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.5 CTR-AES256.Encrypt */ test_cipher_ctr(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("601ec313775789a5b7a7f504bbf3d228" "f443e3ca4d62b59aca84e990cacaf5c5" "2b0930daa23de94ce87017ba2d84988d" "dfc9c58db67aada613c2dd08457941a6"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* Test carry propagation in the counter. Unofficial test vectors. */ test_cipher_ctr(&nettle_aes128, /* 2 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("fc5a51074aa08a8a 8fce0373557c8de7" "b2ddc0e45c6e15d3 7d7e2b238a7d200c" "d108ffc93fd4e2ef 0ee447dd77a891f4" "a12bf17ea1f0be04 75908308a585d9bd"), SHEX("0102030405060708090a0b0c0d0efffe")); test_cipher_ctr(&nettle_aes128, /* 7 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("afaf63875aae5fb4 49e39377c8b972ed" "f55c5da552429ba8 b30fa1b1edd18269" "d6cc0ca8a964504c 9519f11ab462985b" "16e3c7c12cf4a556 d28433500e07ab7b"), SHEX("010203040506070809fffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 8 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("b34ceeb036a0a71f eabd6bf64e2f70f8" "35eb1751c4989fa9 71d747e18a45c0c6" "2379e536ccfbdecd 0a26af9640a73e10" "19626834910ff917 eb05a8f1a33b6d4a"), SHEX("0102030405060708fffffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 9 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3891a1de2c0f71b9 b90a1f84a1d712bf" "0ca6339a5839385f 170784fb612f15a5" "6593433e1c21191c e042c7a695a7f65a" "f4334fafdb372b64 0862ebb1b6bbcc7a"), SHEX("01020304050607fffffffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 15 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("91e64f693763258a aae861412d4250e2" "963b5b8d4ccea79e ac2558295268de85" "2f78de7d71554880 fb186a93378fb922" "8c05c84f8d4f3edd a40a43bcc1c474db"), SHEX("01fffffffffffffffffffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 16 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("ba76aa54d5b56067 c1a7903b3fddfa89" "24df0c565cf42a68 978713b67ad124fd" "4d3f774ab9e47da2 dbb9315ea3110680" "a18d5905ebfe25a8 03df27c2211e58d6"), SHEX("fffffffffffffffffffffffffffffffe")); /* Unofficial test vector for CTR mode with triple-des, to exercise block size different from 16. */ test_cipher_ctr(&nettle_des3, SHEX("3e 0b 10 b0 5d 49 c2 54" "6b 46 e0 75 8a 91 61 85" "cb 04 07 d3 20 16 cb a2"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("bb41303df94d0bca b881fb57e7132271" "820f70c0d53b3f5a 686943680303b37d" "5bbcfbd4fb283ef3 8078d0660c60121f" "41e0f1e4c2a4fe12 a676ec05b7fc4d8f"), SHEX("f8f9fafbfcfdfeff")); } /* F.5.1 CTR-AES128.Encrypt Key 2b7e151628aed2a6abf7158809cf4f3c Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block ec8cdf7398607cb0f2d21675ea9ea1e4 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 874d6191b620e3261bef6864990db6ce Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 362b7c3c6773516318a077d7fc5073ae Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 9806f66b7970fdff8617187bb9fffdff Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 6a2cc3787889374fbeb4c81b17ba6c44 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 5ae4df3edbd5d35e5b4f09020db03eab Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block e89c399ff0f198c6d40a31db156cabfe Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 1e031dda2fbe03d1792170a0f3009cee F.5.2 CTR-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block ec8cdf7398607cb0f2d21675ea9ea1e4 Ciphertext 874d6191b620e3261bef6864990db6ce Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 362b7c3c6773516318a077d7fc5073ae Ciphertext 9806f66b7970fdff8617187bb9fffdff Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 6a2cc3787889374fbeb4c81b17ba6c44 Ciphertext 5ae4df3edbd5d35e5b4f09020db03eab Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block e89c399ff0f198c6d40a31db156cabfe Ciphertext 1e031dda2fbe03d1792170a0f3009cee Plaintext f69f2445df4f9b17ad2b417be66c3710 F.5.3 CTR-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 717d2dc639128334a6167a488ded7921 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 1abc932417521ca24f2b0459fe7e6e0b Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block a72eb3bb14a556734b7bad6ab16100c5 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 090339ec0aa6faefd5ccc2c6f4ce8e94 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 2efeae2d72b722613446dc7f4c2af918 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 1e36b26bd1ebc670d1bd1d665620abf7 Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block b9e783b30dd7924ff7bc9b97beaa8740 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 4f78a7f6d29809585a97daec58c6b050 F.5.4 CTR-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 717d2dc639128334a6167a488ded7921 Ciphertext 1abc932417521ca24f2b0459fe7e6e0b Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block a72eb3bb14a556734b7bad6ab16100c5 Ciphertext 090339ec0aa6faefd5ccc2c6f4ce8e94 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 2efeae2d72b722613446dc7f4c2af918 Ciphertext 1e36b26bd1ebc670d1bd1d665620abf7 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block b9e783b30dd7924ff7bc9b97beaa8740 Ciphertext 4f78a7f6d29809585a97daec58c6b050 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.5.5 CTR-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 0bdf7df1591716335e9a8b15c860c502 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 601ec313775789a5b7a7f504bbf3d228 Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 5a6e699d536119065433863c8f657b94 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext f443e3ca4d62b59aca84e990cacaf5c5 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 1bc12c9c01610d5d0d8bd6a3378eca62 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 2b0930daa23de94ce87017ba2d84988d Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block 2956e1c8693536b1bee99c73a31576b6 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext dfc9c58db67aada613c2dd08457941a6 F.5.6 CTR-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 0bdf7df1591716335e9a8b15c860c502 Ciphertext 601ec313775789a5b7a7f504bbf3d228 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 5a6e699d536119065433863c8f657b94 Ciphertext f443e3ca4d62b59aca84e990cacaf5c5 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 1bc12c9c01610d5d0d8bd6a3378eca62 Ciphertext 2b0930daa23de94ce87017ba2d84988d Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block 2956e1c8693536b1bee99c73a31576b6 Ciphertext dfc9c58db67aada613c2dd08457941a6 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-4.0/testsuite/curve25519-dh-test.c0000644000000000000000000001140615141166425015102 0ustar00/* curve25519-dh-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "curve25519.h" static void test_g (const uint8_t *s, const uint8_t *r) { uint8_t p[CURVE25519_SIZE]; mark_bytes_undefined (CURVE25519_SIZE, s); curve25519_mul_g (p, s); mark_bytes_defined (CURVE25519_SIZE, p); if (!MEMEQ (CURVE25519_SIZE, p, r)) { printf ("curve25519_mul_g failure:\ns = "); print_hex (CURVE25519_SIZE, s); printf ("\np = "); print_hex (CURVE25519_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE25519_SIZE, r); printf (" (expected)\n"); abort (); } } static void test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r) { uint8_t p[CURVE25519_SIZE]; mark_bytes_undefined (CURVE25519_SIZE, b); mark_bytes_undefined (CURVE25519_SIZE, s); curve25519_mul (p, s, b); mark_bytes_defined (CURVE25519_SIZE, p); if (!MEMEQ (CURVE25519_SIZE, p, r)) { printf ("curve25519_mul failure:\ns = "); print_hex (CURVE25519_SIZE, s); printf ("\nb = "); print_hex (CURVE25519_SIZE, b); printf ("\np = "); print_hex (CURVE25519_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE25519_SIZE, r); printf (" (expected)\n"); abort (); } } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif /* From RFC 7748. */ test_g (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a")); test_g (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f")); test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); test_a (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the least significant three bits (first octet) of the scalar are ignored by mul_g. */ test_g (H("70076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a")); /* Check that the most significant two bits (last octet) of the scalar are ignored by mul_g. */ test_g (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e02b"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f")); /* Check that the least significant three bits (first octet) of the scalar are ignored by mul_a. */ test_a (H("5aab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the most significant two bits (last octet) of the scalar are ignored by mul_g. */ test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92cea"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the most significant bit (last octet) of the x coordinate is ignored. */ test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882bcf"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); } nettle-4.0/testsuite/curve448-dh-test.c0000644000000000000000000000720015141166425014731 0ustar00/* curve448-dh-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "curve448.h" static void test_g (const uint8_t *s, const uint8_t *r) { uint8_t p[CURVE448_SIZE]; mark_bytes_undefined (CURVE448_SIZE, s); curve448_mul_g (p, s); mark_bytes_defined (CURVE448_SIZE, p); if (!MEMEQ (CURVE448_SIZE, p, r)) { printf ("curve448_mul_g failure:\ns = "); print_hex (CURVE448_SIZE, s); printf ("\np = "); print_hex (CURVE448_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE448_SIZE, r); printf (" (expected)\n"); abort (); } } static void test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r) { uint8_t p[CURVE448_SIZE]; mark_bytes_undefined (CURVE448_SIZE, s); mark_bytes_undefined (CURVE448_SIZE, b); curve448_mul (p, s, b); mark_bytes_defined (CURVE448_SIZE, p); if (!MEMEQ (CURVE448_SIZE, p, r)) { printf ("curve448_mul failure:\ns = "); print_hex (CURVE448_SIZE, s); printf ("\nb = "); print_hex (CURVE448_SIZE, b); printf ("\np = "); print_hex (CURVE448_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE448_SIZE, r); printf (" (expected)\n"); abort (); } } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif /* From RFC 7748. */ test_g (H("9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d" "d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b"), H("9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c" "22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0")); test_g (H("1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d" "6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d"), H("3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b430" "27d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609")); test_a (H("9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d" "d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b"), H("3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b430" "27d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609"), H("07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b" "b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d")); test_a (H("1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d" "6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d"), H("9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c" "22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0"), H("07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b" "b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d")); } nettle-4.0/testsuite/cxx-test.cxx0000644000000000000000000000606415141166425014145 0ustar00/* For FILE, used by gmp.h */ #include #include "testutils.h" #include "md5.h" /* Test C++ linkage */ void test_main(void) { struct md5_ctx md5; uint8_t digest[MD5_DIGEST_SIZE]; md5_init (&md5); md5_update (&md5, 14, reinterpret_cast ("message digest")); md5_digest (&md5, digest); ASSERT (MEMEQ (MD5_DIGEST_SIZE, digest, H("F96B697D7CB7938D 525A2F31AAF161D0"))); #if WITH_PUBLIC_KEY struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_set_str(pub.n, "69abd505285af665" "36ddc7c8f027e6f0" "ed435d6748b16088" "4fd60842b3a8d7fb" "bd8a3c98f0cc50ae" "4f6a9f7dd73122cc" "ec8afa3f77134406" "f53721973115fc2d" "8cfbba23b145f28d" "84f81d3b6ae8ce1e" "2850580c026e809b" "cfbb52566ea3a3b3" "df7edf52971872a7" "e35c1451b8636d22" "279a8fb299368238" "e545fbb4cf", 16); mpz_set_str(pub.e, "0db2ad57", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0a66399919be4b4d" "e5a78c5ea5c85bf9" "aba8c013cb4a8732" "14557a12bd67711e" "bb4073fd39ad9a86" "f4e80253ad809e5b" "f2fad3bc37f6f013" "273c9552c9f489", 16); mpz_set_str(key.q, "0a294f069f118625" "f5eae2538db9338c" "776a298eae953329" "9fd1eed4eba04e82" "b2593bc98ba8db27" "de034da7daaea795" "2d55b07b5f9a5875" "d1ca5f6dcab897", 16); mpz_set_str(key.a, "011b6c48eb592eee" "e85d1bb35cfb6e07" "344ea0b5e5f03a28" "5b405396cbc78c5c" "868e961db160ba8d" "4b984250930cf79a" "1bf8a9f28963de53" "128aa7d690eb87", 16); mpz_set_str(key.b, "0409ecf3d2557c88" "214f1af5e1f17853" "d8b2d63782fa5628" "60cf579b0833b7ff" "5c0529f2a97c6452" "2fa1a8878a9635ab" "ce56debf431bdec2" "70b308fa5bf387", 16); mpz_set_str(key.c, "04e103ee925cb5e6" "6653949fa5e1a462" "c9e65e1adcd60058" "e2df9607cee95fa8" "daec7a389a7d9afc" "8dd21fef9d83805a" "40d46f49676a2f6b" "2926f70c572c00", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); mpz_set_str(expected, "53bf517009fa956e" "3daa6adc95e8663d" "3759002f488bbbad" "e49f62792d85dbcc" "293f68e2b68ef89a" "c5bd42d98f845325" "3e6c1b76fc337db5" "e0053f255c55faf3" "eb6cc568ad7f5013" "5b269a64acb9eaa7" "b7f09d9bd90310e6" "4c58f6dbe673ada2" "67c97a9d99e19f9d" "87960d9ce3f0d5ce" "84f401fe7e10fa24" "28b9bffcf9", 16); mpz_t signature; mpz_init(signature); /* Create signature */ md5_update (&md5, 39, reinterpret_cast ("The magic words are squeamish ossifrage")); ASSERT (rsa_md5_sign (&key, &md5, signature)); /* Verify it */ md5_update (&md5, 39, reinterpret_cast ("The magic words are squeamish ossifrage")); ASSERT (rsa_md5_verify (&pub, &md5, signature)); /* Try bad data */ md5_update (&md5, 39, reinterpret_cast ("The magik words are squeamish ossifrage")); ASSERT (!rsa_md5_verify (&pub, &md5, signature)); #endif /* WITH_PUBLIC_KEY */ } nettle-4.0/testsuite/des-test.c0000644000000000000000000000635715141166425013543 0ustar00#include "testutils.h" #include "nettle-internal.h" #include "des.h" static void test_des(const struct tstring *key, int expected_parity, const struct tstring *cleartext, const struct tstring *ciphertext) { struct des_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == DES_KEY_SIZE); data = xalloc(length); ASSERT (des_check_parity(8, key->data) == expected_parity); ASSERT (des_set_key(&ctx, key->data)); des_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } des_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } static void test_weak(const struct tstring *key) { struct des_ctx ctx; ASSERT (key->length == DES_KEY_SIZE); ASSERT (des_set_key(&ctx, key->data) == 0); } void test_main(void) { /* From Applied Cryptography */ test_des(SHEX("01234567 89ABCDEF"), 1, SHEX("01234567 89ABCDE7"), SHEX("C9574425 6A5ED31D")); test_des(SHEX("01 01 01 01 01 01 01 80"), 1, SHEX("00 00 00 00 00 00 00 00"), SHEX("9C C6 2D F4 3B 6E ED 74")); test_des(SHEX("80 01 01 01 01 01 01 01"), 1, SHEX("00 00 00 00 00 00 00 40"), SHEX("A3 80 E0 2A 6B E5 46 96")); test_des(SHEX("08 19 2A 3B 4C 5D 6E 7F"), 1, SHEX("00 00 00 00 00 00 00 00"), SHEX("25 DD AC 3E 96 17 64 67")); test_des(SHEX("01 23 45 67 89 AB CD EF"), 1, SDATA("Now is t"), SHEX("3F A4 0E 8A 98 4D 48 15")); /* Same key, but with one bad parity bit, */ test_des(SHEX("01 23 45 66 89 AB CD EF"), 0, SDATA("Now is t"), SHEX("3F A4 0E 8A 98 4D 48 15")); /* Parity check */ { const struct tstring *s = SHEX("01 01 01 01 01 01 01 00"); ASSERT (des_check_parity(s->length, s->data) == 0); } /* The four weak keys */ test_weak(SHEX("01 01 01 01 01 01 01 01")); test_weak(SHEX("FE FE FE FE FE FE FE FE")); test_weak(SHEX("1F 1F 1F 1F 0E 0E 0E 0E")); test_weak(SHEX("E0 E0 E0 E0 F1 F1 F1 F1")); /* Same weak key, but different parity. */ test_weak(SHEX("E0 E0 E0 E0 F0 F1 F1 F1")); /* The six pairs of semiweak keys */ test_weak(SHEX("01 FE 01 FE 01 FE 01 FE")); test_weak(SHEX("FE 01 FE 01 FE 01 FE 01")); test_weak(SHEX("1F E0 1F E0 0E F1 0E F1")); test_weak(SHEX("E0 1F E0 1F F1 0E F1 0E")); test_weak(SHEX("01 E0 01 E0 01 F1 01 F1")); test_weak(SHEX("E0 01 E0 01 F1 01 F1 01")); test_weak(SHEX("1F FE 1F FE 0E FE 0E FE")); test_weak(SHEX("FE 1F FE 1F FE 0E FE 0E")); test_weak(SHEX("01 1F 01 1F 01 0E 01 0E")); test_weak(SHEX("1F 01 1F 01 0E 01 0E 01")); test_weak(SHEX("E0 FE E0 FE F1 FE F1 FE")); test_weak(SHEX("FE E0 FE E0 FE F1 FE F1")); } nettle-4.0/testsuite/des3-test.c0000644000000000000000000000067415141166425013622 0ustar00#include "testutils.h" #include "non-nettle.h" #include "des.h" void test_main(void) { /* Intermediate values: * After first DES encryption: "cd ea 2a 20 c2 e0 9e 48" * After second DES decryption: "69 52 6e 95 8b ea 49 bd" */ test_cipher(&nettle_des3, SHEX("3e 0b 10 b0 5d 49 c2 54" "6b 46 e0 75 8a 91 61 85" "cb 04 07 d3 20 16 cb a2"), SDATA("Now is t"), SHEX("0a 5d b5 2d 85 74 d1 c9")); } nettle-4.0/testsuite/dlopen-test.c0000644000000000000000000000142215141166425014235 0ustar00#include "testutils.h" #include "version.h" #if HAVE_DLFCN_H #include #endif #ifdef __APPLE__ #define SO_EXT "dylib" #else #define SO_EXT "so" #endif int main (int argc UNUSED, char **argv UNUSED) { #if HAVE_LIBDL void *handle = dlopen ("../libnettle." SO_EXT, RTLD_NOW); int (*get_version)(void); if (!handle) { fprintf (stderr, "dlopen failed: %s\n", dlerror()); FAIL (); } get_version = (int(*)(void)) dlsym (handle, "nettle_version_minor"); if (!get_version) { fprintf (stderr, "dlsym failed: %s\n", dlerror()); FAIL (); } if (get_version() != NETTLE_VERSION_MINOR) { fprintf (stderr, "unexpected nettle version\n"); FAIL (); } dlclose (handle); return EXIT_SUCCESS; #else SKIP(); #endif } nettle-4.0/testsuite/drbg-ctr-aes256-test.c0000644000000000000000000000435515141166425015473 0ustar00/* drbg-ctr-aes256-test.c Copyright (C) 2023 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "drbg-ctr.h" void test_main (void) { struct drbg_ctr_aes256_ctx rng; uint8_t seed_material[DRBG_CTR_AES256_SEED_SIZE]; uint8_t tmp[DRBG_CTR_AES256_SEED_SIZE]; size_t i; /* https://ntruprime.cr.yp.to/nist/ntruprime-20201007/Reference_Implementation/kem/sntrup761/nist/kat_kem.c.html https://ntruprime.cr.yp.to/nist/ntruprime-20201007/KAT/kem/sntrup761/kat_kem.req.html */ for (i = 0; i < DRBG_CTR_AES256_SEED_SIZE; i++) seed_material[i] = i; drbg_ctr_aes256_init (&rng, seed_material); drbg_ctr_aes256_random (&rng, DRBG_CTR_AES256_SEED_SIZE, tmp); if (!MEMEQ (DRBG_CTR_AES256_SEED_SIZE, tmp, H ("061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479" "D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1"))) { printf ("drbg_ctr_aes256 = "); print_hex (DRBG_CTR_AES256_SEED_SIZE, tmp); abort (); } drbg_ctr_aes256_random (&rng, DRBG_CTR_AES256_SEED_SIZE, tmp); if (!MEMEQ (DRBG_CTR_AES256_SEED_SIZE, tmp, H ("D81C4D8D734FCBFBEADE3D3F8A039FAA2A2C9957E835AD55" "B22E75BF57BB556AC81ADDE6AEEB4A5A875C3BFCADFA958F"))) { printf ("drbg_ctr_aes256 = "); print_hex (DRBG_CTR_AES256_SEED_SIZE, tmp); abort (); } } nettle-4.0/testsuite/dsa-keygen-test.c0000644000000000000000000000351015141166425015003 0ustar00#include "testutils.h" #include "knuth-lfib.h" static void progress(void *ctx UNUSED, int c) { fputc(c, stderr); } void test_main(void) { struct dsa_params params; mpz_t pub; mpz_t key; struct knuth_lfib_ctx lfib; dsa_params_init(¶ms); mpz_init(pub); mpz_init(key); knuth_lfib_init(&lfib, 13); ASSERT (dsa_generate_params(¶ms, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 160)); dsa_generate_keypair(¶ms, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random); test_dsa_key(¶ms, pub, key, 160); test_dsa160(¶ms, pub, key, NULL); ASSERT (dsa_generate_params(¶ms, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2048, 256)); dsa_generate_keypair(¶ms, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random); test_dsa_key(¶ms, pub, key, 256); test_dsa256(¶ms, pub, key, NULL); ASSERT (dsa_generate_params(¶ms, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2048, 224)); dsa_generate_keypair(¶ms, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random); test_dsa_key(¶ms, pub, key, 224); test_dsa256(¶ms, pub, key, NULL); /* Test with large q */ if (!dsa_generate_params (¶ms, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 768)) FAIL(); dsa_generate_keypair (¶ms, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random); test_dsa_key(¶ms, pub, key, 768); test_dsa256(¶ms, pub, key, NULL); dsa_params_clear(¶ms); mpz_clear(pub); mpz_clear(key); } nettle-4.0/testsuite/dsa-test.c0000644000000000000000000012544215141166425013534 0ustar00#include "testutils.h" void test_main(void) { struct dsa_params params; mpz_t pub; mpz_t key; struct dsa_signature signature; dsa_params_init(¶ms); mpz_init(pub); mpz_init(key); dsa_signature_init(&signature); mpz_set_str(params.p, "83d9a7c2ce2a9179f43cdb3bffe7de0f0eef26dd5dfae44d" "531bc0de45634d2c07cb929b0dbe10da580070e6abfbb841" "5c44bff570b8ad779df653aad97dc7bdeb815d7e88103e61" "606ed3d8a295fbfd340d2d49e220833ebace5511e22c4f02" "97ed351e9948fa848e9c8fadb7b47bcc47def4255b5e1d5e" "10215b3b55a0b85f", 16); mpz_set_str(params.q, "8266e0deaf46020ba48d410ca580f3a978629b5d", 16); mpz_set_str(params.g, "30d34bb9f376bec947154afe4076bc7d359c9d32f5471ddb" "be8d6a941c47fa9dc4f32573151dbb4aa59eb989b74ac36b" "b6310a5e8b580501655d91f393daa193ae1303049b87febb" "093dc0404b53b4c5da2463300f9c5b156d788c4ace8ecbb9" "dd00c18d99537f255ac025d074d894a607cbe3023a1276ef" "556916a33f7de543", 16); mpz_set_str(pub, "64402048b27f39f404a546a84909c9c0e9e2dd153a849946" "1062892598d30af27ae3cefc2b700fb6d077390a83bdcad7" "8a1299487c9623bb62af0c85a3df9ef1ee2c0d66658e1fd3" "283b5407f6cd30ee7e6154fad41a6a8b0f5c86c5accc1127" "bf7c9a5d6badcb012180cb62a55c5e17d6d3528cdbe002cc" "ee131c1b86867f7a", 16); mpz_set_str(key, "56c6efaf878d06eef21dc070fab71da6ec1e30a6", 16); test_dsa_key(¶ms, pub, key, 160); mpz_set_str(signature.r, "180342f8d4fb5bd0311ebf205bdee6e556014eaf", 16); mpz_set_str(signature.s, "392dc6566b2735531a8460966171464ef7ddfe12", 16); test_dsa160(¶ms, pub, key, &signature); mpz_set_str(params.p, "fda45d8f1df8f2b84fb3cf9ae69f93b087d98bea282f643e" "23472c5b57605952010e4c846d711f2783e8ad4e1447698e" "2e328fdb1d411ccb0f3caef5b8fc0b9dcecfadf022ecc7de" "5c153c8f10fe88d63abf7d296ad485dfd6eead595fc1c36b" "8bd42e8668b55b2bb0f1a6aecbe678df504880de2481a5e4" "97d1b7d92ee48ffeb083a1833094a0418ec0d914409c720c" "87ea63c164ec448c471b574a8f88073ebeb44dc6d6b98260" "46126f03022ff04dcb6a2381a09b0a227d3c57cfbfd48e4a" "19cbb0a35242c9e234ebe105ae26cab01ede40aa2869fad8" "6bff57a19ec87b8de294ca03269c268c10813f18169beac5" "ac97c0e748ccb244282c50c670e1bccb", 16); mpz_set_str(params.q, "bd612630da4d930779a32546dc413efd299111b443c7355d" "65d991163cc3cd9d", 16); mpz_set_str(params.g, "050c56e14adb03e47d3902852f5b21c96c28a2aa89619c8b" "78a98aa5083700994f99184588d2cefaf2a3ea213dd2d084" "0e682a52357d5fefaef44520622f021855744d638e792f21" "89543f9770aa1960da4d7b325a37a2922b035c8da3d71543" "5d7a6ddefc62e84fe76fecbbf9667c6a1781a84aa434548b" "bdc315f2fb0a420d65c1f72911845b148e994660138052a1" "fce1c6f933be155b2af8c0177277cd3b75d9477ddbcb77bc" "f5cccea915a2f3750ba41f337edd44f768cb3d24b17e299d" "5cebe5e78cbaf5ad41e815edfc71df3131bd5359c653a224" "bd3ac6a27bad7efff11b24fad0109ee26e4df76fc99e150d" "666a9294bab8a03f113d228bfad349f4", 16); mpz_set_str(pub, "da7f9abb0b554afaa926c9cffa897239bfdbc58ed9981748" "edb1e38f42dea0560a407a48b509a5cb460bf31dee9057a0" "b41d468698fa82ff03c47e8f3f6564c74d6f1daa5f84ad25" "b937317f861fa68c19e20d6b855e85cd94d5af95b968416e" "6d43711f24d5497f018b7627d2bed25dc793ddb897fdcc34" "5d183e43a80205483dea7a12185be3b185a7d84d3385b962" "4485882722d177ccd8f49c5b519fb96b9b59fcfc63422f25" "88fb8ff00bce46acb7c80d105c31414ecf5be0a0dad975bd" "dcd83d6f063f9bce562fdd5b68e18fc2159dbb2457adc7a7" "ee5bc0796eff370908f866a41b9a8873f89e1904925141f8" "e574df25bd869f43a184a804e8ce5fcc", 16); mpz_set_str(key, "39f84f88569da55c6bee7e18175b539ea9b7ee24fabd85a7" "1fa8c93b7181545b", 16); test_dsa_key(¶ms, pub, key, 256); mpz_set_str(signature.r, "03fe95c9dbbe1be019d7914e45c37c70" "0f499f559312a59f3bc5037f51d3f74c", 16); mpz_set_str(signature.s, "839dbee8d30e6b0cc349528f900f30ee" "6d4ce9864332d07c87b5a98bd75dbdbb", 16); test_dsa256(¶ms, pub, key, &signature); /* Some of the test vectors from http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3dsatestvectors.zip */ /* L=1024, N=160, SHA-1 */ mpz_set_str(params.p, "a8f9cd201e5e35d892f85f80e4db2599a5676a3b1d4f1903" "30ed3256b26d0e80a0e49a8fffaaad2a24f472d2573241d4" "d6d6c7480c80b4c67bb4479c15ada7ea8424d2502fa01472" "e760241713dab025ae1b02e1703a1435f62ddf4ee4c1b664" "066eb22f2e3bf28bb70a2a76e4fd5ebe2d1229681b5b0643" "9ac9c7e9d8bde283", 16); mpz_set_str(params.q, "f85f0f83ac4df7ea0cdf8f469bfeeaea14156495", 16); mpz_set_str(params.g, "2b3152ff6c62f14622b8f48e59f8af46883b38e79b8c74de" "eae9df131f8b856e3ad6c8455dab87cc0da8ac973417ce4f" "7878557d6cdf40b35b4a0ca3eb310c6a95d68ce284ad4e25" "ea28591611ee08b8444bd64b25f3f7c572410ddfb39cc728" "b9c936f85f419129869929cdb909a6a3a99bbe0892163681" "71bd0ba81de4fe33", 16); mpz_set_str(pub, "313fd9ebca91574e1c2eebe1517c57e0c21b0209872140c5" "328761bbb2450b33f1b18b409ce9ab7c4cd8fda3391e8e34" "868357c199e16a6b2eba06d6749def791d79e95d3a4d09b2" "4c392ad89dbf100995ae19c01062056bb14bce005e8731ef" "de175f95b975089bdcdaea562b32786d96f5a31aedf75364" "008ad4fffebb970b", 16); mpz_set_str(signature.r, "50ed0e810e3f1c7cb6ac62332058448bd8b284c0", 16); mpz_set_str(signature.s, "c6aded17216b46b7e4b6f2a97c1ad7cc3da83fde", 16); test_dsa_verify(¶ms, pub, &nettle_sha1, SHEX("3b46736d559bd4e0c2c1b2553a33ad3c6cf23cac998d3d0c" "0e8fa4b19bca06f2f386db2dcff9dca4f40ad8f561ffc308" "b46c5f31a7735b5fa7e0f9e6cb512e63d7eea05538d66a75" "cd0d4234b5ccf6c1715ccaaf9cdc0a2228135f716ee9bdee" "7fc13ec27a03a6d11c5c5b3685f51900b1337153bc6c4e8f" "52920c33fa37f4e7"), &signature); mpz_set_str(pub, "29bdd759aaa62d4bf16b4861c81cf42eac2e1637b9ecba51" "2bdbc13ac12a80ae8de2526b899ae5e4a231aef884197c94" "4c732693a634d7659abc6975a773f8d3cd5a361fe2492386" "a3c09aaef12e4a7e73ad7dfc3637f7b093f2c40d6223a195" "c136adf2ea3fbf8704a675aa7817aa7ec7f9adfb2854d4e0" "5c3ce7f76560313b", 16); mpz_set_str(signature.r, "a26c00b5750a2d27fe7435b93476b35438b4d8ab", 16); mpz_set_str(signature.s, "61c9bfcb2938755afa7dad1d1e07c6288617bf70", 16); test_dsa_verify(¶ms, pub, &nettle_sha1, SHEX("d2bcb53b044b3e2e4b61ba2f91c0995fb83a6a97525e6644" "1a3b489d9594238bc740bdeea0f718a769c977e2de003877" "b5d7dc25b182ae533db33e78f2c3ff0645f2137abc137d4e" "7d93ccf24f60b18a820bc07c7b4b5fe08b4f9e7d21b256c1" "8f3b9d49acc4f93e2ce6f3754c7807757d2e1176042612cb" "32fc3f4f70700e25"), &signature); /* L=1024, N=160, SHA-224 */ mpz_set_str(params.p, "8b9b32f5ba38faad5e0d506eb555540d0d7963195558ca30" "8b7466228d92a17b3b14b8e0ab77a9f3b2959a09848aa69f" "8df92cd9e9edef0adf792ce77bfceccadd9352700ca5faec" "f181fa0c326db1d6e5d352458011e51bd3248f4e3bd7c820" "d7e0a81932aca1eba390175e53eada197223674e3900263e" "90f72d94e7447bff", 16); mpz_set_str(params.q, "bc550e965647fb3a20f245ec8475624abbb26edd", 16); mpz_set_str(params.g, "11333a931fba503487777376859fdc12f7c687b0948ae889" "d287f1b7a712ad220ae4f1ce379d0dbb5c9abf419621f005" "fc123c327e5055d1850634c36d397e689e111d598c1c3636" "b940c84f42f436846e8e7fcad9012ceda398720f32fffd1a" "45ab6136ce417069207ac140675b8f86dd063915ae6f62b0" "cec729fbd509ac17", 16); mpz_set_str(pub, "7e339f3757450390160e02291559f30bed0b2d758c5ccc2d" "8d456232bb435ae49de7e7957e3aad9bfdcf6fd5d9b6ee3b" "521bc2229a8421dc2aa59b9952345a8fc1de49b348003a9b" "18da642d7f6f56e3bc665131ae9762088a93786f7b4b72a4" "bcc308c67e2532a3a5bf09652055cc26bf3b18833598cffd" "7011f2285f794557", 16); mpz_set_str(signature.r, "afee719e7f848b54349ccc3b4fb26065833a4d8e", 16); mpz_set_str(signature.s, "734efe992256f31325e749bc32a24a1f957b3a1b", 16); test_dsa_verify(¶ms, pub, &nettle_sha224, SHEX("fb2128052509488cad0745ed3e6312850dd96ddaf791f1e6" "24e22a6b9beaa65319c325c78ef59cacba0ccfa722259f24" "f92c17b77a8f6d8e97c93d880d2d8dbbbedcf6acefa06b0e" "476ca2013d0394bd90d56c10626ef43cea79d1ef0bc7ac45" "2bf9b9acaef70325e055ac006d34024b32204abea4be5faa" "e0a6d46d365ed0d9"), &signature); /* L=1024, N=160, SHA-256 */ mpz_set_str(params.p, "cba13e533637c37c0e80d9fcd052c1e41a88ac325c4ebe13" "b7170088d54eef4881f3d35eae47c210385a8485d2423a64" "da3ffda63a26f92cf5a304f39260384a9b7759d8ac1adc81" "d3f8bfc5e6cb10efb4e0f75867f4e848d1a338586dd0648f" "eeb163647ffe7176174370540ee8a8f588da8cc143d939f7" "0b114a7f981b8483", 16); mpz_set_str(params.q, "95031b8aa71f29d525b773ef8b7c6701ad8a5d99", 16); mpz_set_str(params.g, "45bcaa443d4cd1602d27aaf84126edc73bd773de6ece15e9" "7e7fef46f13072b7adcaf7b0053cf4706944df8c4568f26c" "997ee7753000fbe477a37766a4e970ff40008eb900b9de4b" "5f9ae06e06db6106e78711f3a67feca74dd5bddcdf675ae4" "014ee9489a42917fbee3bb9f2a24df67512c1c35c97bfbf2" "308eaacd28368c5c", 16); mpz_set_str(pub, "4cd6178637d0f0de1488515c3b12e203a3c0ca652f2fe30d" "088dc7278a87affa634a727a721932d671994a958a0f8922" "3c286c3a9b10a96560542e2626b72e0cd28e5133fb57dc23" "8b7fab2de2a49863ecf998751861ae668bf7cad136e6933f" "57dfdba544e3147ce0e7370fa6e8ff1de690c51b4aeedf04" "85183889205591e8", 16); mpz_set_str(signature.r, "76683a085d6742eadf95a61af75f881276cfd26a", 16); mpz_set_str(signature.s, "3b9da7f9926eaaad0bebd4845c67fcdb64d12453", 16); test_dsa_verify(¶ms, pub, &nettle_sha256, SHEX("812172f09cbae62517804885754125fc6066e9a902f9db20" "41eeddd7e8da67e4a2e65d0029c45ecacea6002f9540eb10" "04c883a8f900fd84a98b5c449ac49c56f3a91d8bed3f08f4" "27935fbe437ce46f75cd666a0707265c61a096698dc2f36b" "28c65ec7b6e475c8b67ddfb444b2ee6a984e9d6d15233e25" "e44bd8d7924d129d"), &signature); /* L=2048, N=224, SHA-1 */ mpz_set_str(params.p, "f2d39ed3062b13c916273600a0f2a029e86d7a4b9217b4f1" "815bf2b24d9710a57ab33f997294b014585b8d0198dfdccb" "cd75314da5ff85aa344b45adaeaa979b51a312a7bfa94472" "fb633f1a6f156bb4458867dfd38403f06b851f00fe2d3484" "077bded71ab7513d04a140220575fb693395480e4c8402b7" "a46cec2d37a778c305accd1f13e9f62e865315f4b22cc467" "c8986ec8e4961ddf810566b0c4ee369ac6aa15e43f474400" "5826f5bde8071a19e30b6909aac4b3d174237270dad02799" "d09b8a2cc5f22e66894b5422228b2c234f11f5a771c5b89c" "f465a2acecbbeeaa1725fe8f9b59422be8991052cb556ddf" "2c8ce8fa9206dbf39feadc194e00f8e5", 16); mpz_set_str(params.q, "8000000000000000c118f49835e4ef733c4d15800fcf059e884d31b1", 16); mpz_set_str(params.g, "e3a93c09da6f560e4d483a382a4c546f2335c36a4c35ac14" "63c08a3e6dd415df56fdc537f25fd5372be63e4f5300780b" "782f1acd01c8b4eb33414615fd0ea82573acba7ef83f5a94" "3854151afc2d7dfe121fb8cd03335b065b549c5dcc606be9" "052483bc284e12ac3c8dba09b426e08402030e70bc1cc2bf" "8957c4ba0630f3f32ad689389ac47443176063f247d9e229" "6b3ea5b5bc2335828ea1a080ed35918dee212fd031279d1b" "894f01afec523833669eac031a420e540ba1320a59c424a3" "e5849a460a56bcb001647885b1433c4f992971746bfe2977" "ce7259c550b551a6c35761e4a41af764e8d92132fcc0a59d" "1684eab90d863f29f41cf7578faa908c", 16); mpz_set_str(pub, "289ff18c32a56bb0b8839370647683a38a5a7e291410b932" "07212adc8088d30f93e9e4abc523f3d46936e7d5c90d8874" "2b36afd37563408f15c8c1a4f7ac24bf05f01008ffee70c8" "825d57c3a9308bad8a095af2b53b2dda3cbed846d95e301e" "b9b84766415d11f6c33209a0d28571096ab04a79aa0dc465" "997529686b68e887cd8a205c2dc8195aef0422eba9979f54" "9ac85548e419413643b7244361153ada1480d238cd00dc16" "527938955548dd5d027ded1029eeeb8ed6c61b4cd59341d8" "b15466e9da890a989996f4d7691e6072de136af28b5874bf" "08bd1f8a60cfb1c00888132909f515e04bce81b02951aa41" "baac68ffdb8c5dc77a1d32d8f2c10dd7", 16); mpz_set_str(signature.r, "45df2f423e94bf155dd4e1d9e63f315ea606dd38527d4cf6328738c8", 16); mpz_set_str(signature.s, "59b3e8efa5bc0ccbf4a3cbb6515c4b9bf784cfacdcc101dc9f81d31f", 16); test_dsa_verify(¶ms, pub, &nettle_sha1, SHEX("edc6fd9b6c6e8a59f283016f7f29ee16deeaa609b5737927" "162aef34fed985d0bcb550275637ba67831a2d4efccb3529" "6dfe730f4a0b4f4728d1d7d1bb8f4a36238a5c94311fa113" "4a93a6b4de39c085e9f60ae4e237c0416d58042bb36baa38" "cba8c896295b745d5376fd8ce42eb6ee5a1b38f87716b265" "b76e58cfb24a9170"), &signature); /* L=2048, N=224, SHA-224 */ mpz_set_str(params.p, "aa815c9db1c4d3d2773c7d0d4d1da75ecfc4a39e97d5fa19" "1ffec8b1490a290ce335e5ce87ea620a8a17de0bb64714e2" "ec840bf00e6ebdb4ffb4e324ca07c3c8717309af1410362a" "772c9add838b2b0cae1e90ab448adabdacd2e5df59c4187a" "32a23719d6c57e9400885383bf8f066f23b941920d54c35b" "4f7cc5044f3b40f17046956307b748e840732844d00a9ce6" "ec5714293b6265147f15c67f4be38b082b55fdeadb612468" "9fb76f9d25cc28b8eaa98b562d5c1011e0dcf9b39923240d" "332d89dc9603b7bddd0c70b83caa2905631b1c83cabbae6c" "0c0c2efe8f58131ed8351bf93e875f6a73a93cbad470141a" "2687fbacf2d71c8ddee971ad660729ad", 16); mpz_set_str(params.q, "ea347e90be7c2875d1fe1db622b4763837c5e27a6037310348c1aa11", 16); mpz_set_str(params.g, "2042094ccbc8b8723fc928c12fda671b83295e99c743576f" "44504be1186323319b5002d24f173df909ea241d6ea52899" "04ee4636204b2fbe94b068fe093f7962579549551d3af219" "ad8ed19939eff86bcec834de2f2f78596e89e7cb52c524e1" "77098a56c232eb1f563aa84bc6b026deee6ff51cb441e080" "f2dafaea1ced86427d1c346be55c66803d4b76d133cd445b" "4c3482fa415023463c9bf30f2f784223e26057d3aa0d7fbb" "660630c52e49d4a0325c7389e072aa349f13c966e159752f" "bb71e9336890f93243fa6e72d299365ee5b3fe266ebf1110" "568fee4425c847b50210bd484b97431a42856adca3e7d1a9" "c9c675c7e266918320dd5a78a48c48a9", 16); mpz_set_str(pub, "1ae10c786ad0902c5c685dae5c7121418a377b888b5f2f2b" "c76623570fd62bcb190b471ad5359c5f062f8819289e956d" "8aa6f90d1f8cf1ee72d3a1bdfd56c478dc29a19c4569b5a6" "0e3a8f34f60656eac5b25dde5514a5c67b675423204f6cca" "f0990617cc7355b9d3ed868978a252020a769ed59a6edaa6" "efe3377eef45f3f6f3e64179cc7db8b143fb835c5d71bfcf" "a1e2a9049bccf7fe9ab57546220fe3f4b7521c861739d138" "507e81a46a6993605441dcb90d6ee4afbc42cabe90a25444" "4968109d7edd9694a023239f1d56175dd1fac115915e24fa" "b563f4fc3f269bed2f300832d112596485a711417aa73bb4" "ac72a651a1fa5baed3636c720d397008", 16); mpz_set_str(signature.r, "65102e8f64ecb11f06017b1a0c0def3c29897c277c4a948b1f4da6b9", 16); mpz_set_str(signature.s, "21ad0abb27bd3c21166cb96aef70c0dbd5f3079cab0dd543d4125bd1", 16); test_dsa_verify(¶ms, pub, &nettle_sha224, SHEX("e920fc1610718f2b0213d301c0092a51f3c6b0107bbbd824" "3a9689c044e2d142f202d9d195a5faef4be5acadc9ff6f7d" "2261e58b517139bcb9489b110423c2e59eb181294ffdae8a" "ad0e624fab974c97f9f5e7dc19d678a9cb3429cf05ec5090" "72856f5adfec6e29bafe8e5ba95593e612843e343111d88a" "1eaff7dc0a2e277f"), &signature); /* mod = L=2048, N=224, SHA-256 */ mpz_set_str(params.p, "a4c7eaab42c4c73b757770916489f17cd50725cd0a4bc4e1" "cf67f763b8c1de2d6dab9856baafb008f365b18a42e14dc5" "1f350b88eca0209c5aa4fd71a7a96c765f5901c21e720570" "d7837bec7c76d2e49344731ca39405d0a879b9e0dcd1a812" "5fd130ec1e783e654b94e3002e6b629e904ab3877867720c" "bd54b4270a9e15cd028c7cc796f06c272a660951928fdbeb" "2dca061b41e932257305742ff16e2f429191d5e5f1a6ddf6" "e78c5d7722cff80a9c0bd5c8d7aeba8c04438992b075e307" "c1534c49ad380f477f5f7987dc172c161dca38dcaf3fb384" "6c72c9119a5299adc748951b3dce0d00d4a9013800b20082" "03b72465bc6a84ae059a30c4522dea57", 16); mpz_set_str(params.q, "ce89fe332b8e4eb3d1e8ddcea5d163a5bc13b63f16993755427aef43", 16); mpz_set_str(params.g, "8c465edf5a180730291e080dfc5385397a5006450dba2efe" "0129264fbd897bb5579ca0eab19aa278220424724b4f2a6f" "6ee6328432abf661380646097233505339c5519d357d7112" "b6eec938b85d5aa75cc2e38092f0a530acb54e50fe82c4d5" "62fb0f3036b80b30334023ebbe6637a0010b00c7db863711" "68563671e1e0f028aedbd45d2d572621a609982a073e51aa" "e27707afbeef29e2ecee84d7a6d5da382be3a35f42b6c668" "49202ab19d025b869d08776476d1ab981475ad2ad2f3e6fd" "07e30696d90a626816df60d6ca7afd7b482f942f83b45cc8" "2933731f87faee320900f2aa3e70b1867e1430e40be67c07" "f9290299ef067b8b24a7515b3f992c07", 16); mpz_set_str(pub, "748a40237211a2d9852596e7a891f43d4eb0ee48826c9cfb" "336bbb68dbe5a5e16b2e1271d4d13de03644bb85ef6be523" "a4d4d88415bcd596ba8e0a3c4f6439e981ed013d7d9c7033" "6febf7d420cfed02c267457bb3f3e7c82145d2af54830b94" "2ec74a5d503e4226cd25dd75decd3f50f0a858155d7be799" "410836ddc559ce99e1ae513808fdaeac34843dd7258f16f6" "7f19205f6f139251a4186da8496d5e90d3fecf8ed10be6c2" "5ff5eb33d960c9a8f4c581c8c724ca43b761e9fdb5af66bf" "fb9d2ebb11a6b504a1fbe4f834ecb6ac254cab513e943b9a" "953a7084b3305c661bfad434f6a835503c9ade7f4a57f5c9" "65ec301ecde938ee31b4deb038af97b3", 16); mpz_set_str(signature.r, "9c5fa46879ddaf5c14f07dfb5320715f67a6fec179e3ad53342fb6d1", 16); mpz_set_str(signature.s, "c3e17e7b3c4d0ac8d49f4dd0f04c16a094f42da0afcc6c90f5f1bbc8", 16); test_dsa_verify(¶ms, pub, &nettle_sha256, SHEX("cec8d2843dee7cb5f9119b75562585e05c5ce2f4e6457e9b" "cc3c1c781ccd2c0442b6282aea610f7161dcede176e77486" "1f7d2691be6c894ac3ebf80c0fab21e52a3e63ae0b350257" "62ccd6c9e1fecc7f9fe00aa55c0c3ae33ae88f66187f9598" "eba9f863171f3f56484625bf39d883427349b8671d9bb7d3" "96180694e5b546ae"), &signature); /* L=2048, N=256, SHA-1 */ mpz_set_str(params.p, "c1a59d215573949e0b20a974c2edf2e3137ff2463062f75f" "1d13df12aba1076bb2d013402b60af6c187fb0fa362167c9" "76c2617c726f9077f09e18c11b60f65008825bd6c02a1f57" "d3eb0ad41cd547de43d87f2525f971d42b306506e7ca03be" "63b35f4ada172d0a06924440a14250d7822ac2d5aeafed46" "19e79d4158a7d5eb2d9f023db181a8f094b2c6cb87cb8535" "416ac19813f07144660c557745f44a01c6b1029092c129b0" "d27183e82c5a21a80177ee7476eb95c466fb472bd3d2dc28" "6ce25847e93cbfa9ad39cc57035d0c7b64b926a9c7f5a7b2" "bc5abcbfbdc0b0e3fede3c1e02c44afc8aefc7957da07a0e" "5fd12339db8667616f62286df80d58ab", 16); mpz_set_str(params.q, "8000000000000000000000001bd62c65e8b87c89797f8f0c" "bfa55e4a6810e2c7", 16); mpz_set_str(params.g, "aea5878740f1424d3c6ea9c6b4799615d2749298a17e2620" "7f76cef340ddd390e1b1ad6b6c0010ad015a103342ddd452" "cac024b36e42d9b8ed52fafae7a1d3ce9e4b21f910d1356e" "b163a3e5a8184c781bf14492afa2e4b0a56d8884fd01a628" "b9662739c42e5c5795ade2f5f27e6de1d963917ce8806fc4" "0d021cd87aa3aa3a9e4f0c2c4c45d2959b2578b2fb1a2229" "c37e181059b9d5e7b7862fa82e2377a49ed0f9dca820a581" "4079dd6610714efaf8b0cc683d8e72e4c884e6f9d4946b3e" "8d4cbb92adbbe7d4c47cc30be7f8c37ca81883a1aac68600" "59ff4640a29ccae73de20b12e63b00a88b2ee9ba94b75eb4" "0a656e15d9ec83731c85d0effcb9ef9f", 16); mpz_set_str(pub, "880e17c4ae8141750609d8251c0bbd7acf6d0b460ed3688e" "9a5f990e6c4b5b00875da750e0228a04102a35f57e74b8d2" "f9b6950f0d1db8d302c5c90a5b8786a82c68ff5b17a57a75" "8496c5f8053e4484a253d9942204d9a1109f4bd2a3ec311a" "60cf69c685b586d986f565d33dbf5aab7091e31aa4102c4f" "4b53fbf872d700156465b6c075e7f778471a23502dc0fee4" "1b271c837a1c26691699f3550d060a331099f64837cddec6" "9caebf51bf4ec9f36f2a220fe773cb4d3c02d0446ddd4613" "3532ef1c3c69d432e303502bd05a75279a7809a742ac4a78" "72b07f1908654049419350e37a95f2ef33361d8d8736d408" "3dc14c0bb972e14d4c7b97f3ddfccaef", 16); mpz_set_str(signature.r, "363e01c564f380a27d7d23b207af3f961d48fc0995487f60" "052775d724ab3d10", 16); mpz_set_str(signature.s, "4916d91b2927294e429d537c06dd2463d1845018cca2873e" "90a6c837b445fdde", 16); test_dsa_verify(¶ms, pub, &nettle_sha1, SHEX("de3605dbefde353cbe05e0d6098647b6d041460dfd4c0003" "12be1afe7551fd3b93fed76a9763c34e004564b8f7dcacbd" "99e85030632c94e9b0a032046523b7aacdf934a2dbbdcfce" "efe66b4e3d1cb29e994ff3a4648a8edd9d58ed71f12399d9" "0624789c4e0eebb0fbd5080f7d730f875a1f290749334cb4" "05e9fd2ae1b4ed65"), &signature); /* L=2048, N=256, SHA-224 */ mpz_set_str(params.p, "d02276ebf3c22ffd666983183a47ae94c9bccbcbf95ddcb4" "91d1f7ce643549199992d37c79e7b032d26ed031b6ba4489" "f3125826fafb2726a98333ebd9abdde592d8693d9859536d" "9cc3841a1d24e044d35aced6136256fc6d6b615cf4f4163a" "a381eb2b4c480825a8eccc56d8ddcf5fe637e38ad9b2974b" "d2cf68bf271e0d067d2465a8b6b660524f0082598945ada5" "8ea649b9804eb4753408c2c59768c46abb82e3295f3d9ca4" "69f84cc187f572dc4b5a3b39346ec839dfad6f07d6d1f0e2" "15209bb0ecc05c767cf2e7943ac9cfb02eee1e9ef5946e8c" "e88316b5e15fdcf95a132ef2e4bb0817136528cfa5dd9653" "2f9c3abe5c421620edb6bcbd52234ca9", 16); mpz_set_str(params.q, "8000000012997e8285e4089708f528070c6d7af8a0bd0140" "9e7a079cdb6fc5bb", 16); mpz_set_str(params.g, "778453049ef262147fed7b59b0ee6764607c51e7b5b5fc6f" "ea7a7a7b1dd6bb283f4a9ae98efd3964b1556758cb15b2a5" "3af8619e74d85898bec77d3b3f382494ae5961a13ffc745d" "a386182291519800f99dd710e00aeb15adee088e2798ee2e" "46f598526cf0f4667055d1ba009750041dc5cdd2725ff1d9" "7dd340c8518af7671b87d39d67aeced84b66f84e0701efc8" "2a5c9ef954ee576d24c385b14d63037f0d866fd424b4975b" "dd5485ed740cb932e843f906683f7c7b2c74775d901c361b" "847b519c0da699638da40bd736b783d2710b2c2cc26ef912" "71bf4e2c1929f876e902e2057164223bc78d6a2b9f6c0c7a" "7cb85922f7d6c4287ae23861f8128848", 16); mpz_set_str(pub, "7bb31e98c7a0437f978a73d5dcfbdfbb09cc2499dfaf1eb5" "256bccd6358cabb5f67d04a42823463b7e957f2b9213f1fa" "8e5a98d614484701abb8c7d67641fe6ed06fa4527b493dda" "b2e74640fde3de70da693f1db2b8e26417040af0eea6cab4" "51a795a52e187d2ee241b93f65c86c6d66f45834cce165ac" "5eb670d4f0095c23ce9757e3bdc636f991ee0073d90a0920" "2edb35cc3ea1cf9adca1617fa0bffd9c126229a604a1d3bf" "4931ddf0b9942dfc8a2f8c09fcc97032564a79ae1ebe1e2c" "e49ff57839e7c43fa60b1603d15a450898aa4e4a1ee80657" "94126d64f013367096a83686b9f158c33b10f5f3b36cf1f6" "358b3f34f84b101dc26d3db68bcc95c8", 16); mpz_set_str(signature.r, "059bee9e708b7f20c3f791a640edee964e0aa672893c4847" "99715817b3a8f6d4", 16); mpz_set_str(signature.s, "4bd41c84a724cc86e4f0194ec0fbf379e654d0d7f6a1f08b" "d468139422a5c353", 16); test_dsa_verify(¶ms, pub, &nettle_sha224, SHEX("39f2d8d503aae8cd17854456ecfad49a18900d4375412bc6" "89181ed9c2ccafea98dca689a72dc75e5367d3d3abfc2169" "700d5891cff70f69d9aca093b061b9f5057f94636bc27831" "15254344fb12e33b167272e198838a8728e7744ea9a2e824" "8e34d5906e298302472637b879de91c1a6f9f331a5cf98a5" "af29132990d27416"), &signature); /* L=2048, N=256, SHA-256 */ mpz_set_str(params.p, "a8adb6c0b4cf9588012e5deff1a871d383e0e2a85b5e8e03" "d814fe13a059705e663230a377bf7323a8fa117100200bfd" "5adf857393b0bbd67906c081e585410e38480ead51684dac" "3a38f7b64c9eb109f19739a4517cd7d5d6291e8af20a3fbf" "17336c7bf80ee718ee087e322ee41047dabefbcc34d10b66" "b644ddb3160a28c0639563d71993a26543eadb7718f317bf" "5d9577a6156561b082a10029cd44012b18de6844509fe058" "ba87980792285f2750969fe89c2cd6498db3545638d5379d" "125dccf64e06c1af33a6190841d223da1513333a7c9d7846" "2abaab31b9f96d5f34445ceb6309f2f6d2c8dde06441e879" "80d303ef9a1ff007e8be2f0be06cc15f", 16); mpz_set_str(params.q, "e71f8567447f42e75f5ef85ca20fe557ab0343d37ed09edc" "3f6e68604d6b9dfb", 16); mpz_set_str(params.g, "5ba24de9607b8998e66ce6c4f812a314c6935842f7ab54cd" "82b19fa104abfb5d84579a623b2574b37d22ccae9b3e415e" "48f5c0f9bcbdff8071d63b9bb956e547af3a8df99e5d3061" "979652ff96b765cb3ee493643544c75dbe5bb39834531952" "a0fb4b0378b3fcbb4c8b5800a5330392a2a04e700bb6ed7e" "0b85795ea38b1b962741b3f33b9dde2f4ec1354f09e2eb78" "e95f037a5804b6171659f88715ce1a9b0cc90c27f35ef2f1" "0ff0c7c7a2bb0154d9b8ebe76a3d764aa879af372f4240de" "8347937e5a90cec9f41ff2f26b8da9a94a225d1a913717d7" "3f10397d2183f1ba3b7b45a68f1ff1893caf69a827802f7b" "6a48d51da6fbefb64fd9a6c5b75c4561", 16); mpz_set_str(pub, "5a55dceddd1134ee5f11ed85deb4d634a3643f5f36dc3a70" "689256469a0b651ad22880f14ab85719434f9c0e407e60ea" "420e2a0cd29422c4899c416359dbb1e592456f2b3cce2332" "59c117542fd05f31ea25b015d9121c890b90e0bad033be13" "68d229985aac7226d1c8c2eab325ef3b2cd59d3b9f7de7db" "c94af1a9339eb430ca36c26c46ecfa6c5481711496f624e1" "88ad7540ef5df26f8efacb820bd17a1f618acb50c9bc197d" "4cb7ccac45d824a3bf795c234b556b06aeb9291734532520" "84003f69fe98045fe74002ba658f93475622f76791d9b262" "3d1b5fff2cc16844746efd2d30a6a8134bfc4c8cc80a4610" "7901fb973c28fc553130f3286c1489da", 16); mpz_set_str(signature.r, "633055e055f237c38999d81c397848c38cce80a55b649d9e" "7905c298e2a51447", 16); mpz_set_str(signature.s, "2bbf68317660ec1e4b154915027b0bc00ee19cfc0bf75d01" "930504f2ce10a8b0", 16); test_dsa_verify(¶ms, pub, &nettle_sha256, SHEX("4e3a28bcf90d1d2e75f075d9fbe55b36c5529b17bc3a9cca" "ba6935c9e20548255b3dfae0f91db030c12f2c344b3a29c4" "151c5b209f5e319fdf1c23b190f64f1fe5b330cb7c8fa952" "f9d90f13aff1cb11d63181da9efc6f7e15bfed4862d1a62c" "7dcf3ba8bf1ff304b102b1ec3f1497dddf09712cf323f561" "0a9d10c3d9132659"), &signature); /* L=2048, N=256, SHA-384 */ mpz_set_str(params.p, "a6167c16fff74e29342b8586aed3cd896f7b1635a2286ff1" "6fdff41a06317ca6b05ca2ba7c060ad6db1561621ccb0c40" "b86a03619bfff32e204cbd90b79dcb5f86ebb493e3bd1988" "d8097fa23fa4d78fb3cddcb00c466423d8fa719873c37645" "fe4eecc57171bbedfe56fa9474c96385b8ba378c79972d7a" "aae69a2ba64cde8e5654f0f7b74550cd3447e7a472a33b40" "37db468dde31c348aa25e82b7fc41b837f7fc226a6103966" "ecd8f9d14c2d3149556d43829f137451b8d20f8520b0ce8e" "3d705f74d0a57ea872c2bdee9714e0b63906cddfdc28b677" "7d19325000f8ed5278ec5d912d102109319cba3b6469d467" "2909b4f0dbeec0bbb634b551ba0cf213", 16); mpz_set_str(params.q, "8427529044d214c07574f7b359c2e01c23fd97701b328ac8" "c1385b81c5373895", 16); mpz_set_str(params.g, "6fc232415c31200cf523af3483f8e26ace808d2f1c6a8b86" "3ab042cc7f6b7144b2d39472c3cb4c7681d0732843503d8f" "858cbe476e6740324aaa295950105978c335069b919ff9a6" "ff4b410581b80712fe5d3e04ddb4dfd26d5e7fbca2b0c52d" "8d404343d57b2f9b2a26daa7ece30ceab9e1789f9751aaa9" "387049965af32650c6ca5b374a5ae70b3f98e053f51857d6" "bbb17a670e6eaaf89844d641e1e13d5a1b24d053dc6b8fd1" "01c624786951927e426310aba9498a0042b3dc7bbc59d705" "f80d9b807de415f7e94c5cf9d789992d3bb8336d1d808cb8" "6b56dde09d934bb527033922de14bf307376ab7d22fbcd61" "6f9eda479ab214a17850bdd0802a871c", 16); mpz_set_str(pub, "5ca7151bca0e457bbc46f59f71d81ab16688dc0eb7e4d17b" "166c3326c5b12c5bdebb3613224d1a754023c50b83cb5ecc" "139096cef28933b3b12ca31038e4089383597c59cc27b902" "be5da62cae7da5f4af90e9410ed1604082e2e38e25eb0b78" "dfac0aeb2ad3b19dc23539d2bcd755db1cc6c9805a7dd109" "e1c98667a5b9d52b21c2772121b8d0d2b246e5fd3da80728" "e85bbf0d7067d1c6baa64394a29e7fcbf80842bd4ab02b35" "d83f59805a104e0bd69d0079a065f59e3e6f21573a00da99" "0b72ea537fa98caaa0a58800a7e7a0623e263d4fca65ebb8" "eded46efdfe7db92c9ebd38062d8f12534f015b186186ee2" "361d62c24e4f22b3e95da0f9062ce04d", 16); mpz_set_str(signature.r, "4fd8f25c059030027381d4167c3174b6be0088c15f0a573d" "7ebd05960f5a1eb2", 16); mpz_set_str(signature.s, "5f56869cee7bf64fec5d5d6ea15bb1fa1169003a87eccc16" "21b90a1b892226f2", 16); test_dsa_verify(¶ms, pub, &nettle_sha384, SHEX("8c78cffdcf25d8230b835b30512684c9b252115870b603d1" "b4ba2eb5d35b33f26d96b684126ec34fff67dfe5c8c856ac" "fe3a9ff45ae11d415f30449bcdc3bf9a9fb5a7e48afeaba6" "d0b0fc9bce0197eb2bf7a840249d4e550c5a25dc1c71370e" "67933edad2362fae6fad1efba5c08dc1931ca2841b44b78c" "0c63a1665ffac860"), &signature); /* L=3072, N=256, SHA-1 */ mpz_set_str(params.p, "fd5a6c56dd290f7dd84a29de17126eb4e4487b3eff0a44ab" "e5c59792d2e1200b9c3db44d528b9f7d2248032e4ba0f7bf" "c4fafc706be511db2276c0b7ecffd38da2e1c2f237a75390" "c1e4d3239cba8e20e55840ecb05df5f01a1b6977ad1906f2" "cb544ccfb93b901ad0966b1832ad2dab526244a3156c905c" "01ac51cb73b9dcd9860d56175a425d846485d9b1f44a8a0c" "2578e6cf61947bc1a1392fdd320b16a9d70455fe436f2d47" "ded8e8e605f7486eb578ea7fc4ffd13c07f9996af159fd41" "1e9451403278dd1141a8c926b35c96384bbd6bee09c46f44" "c36b1ffc7197f5e925dbe0544a68e6ab8c18e426a466b392" "f9c27dd79fefa9ca163cc5a375539a8559f277f657a535d1" "964c6a5e91683ef5698ebaa01ef818dbf72cb04c3ff092d1" "88866f25cd405108f566b087f73d2d5beb51fac6de84ae51" "61a66af9602c7e4bfc146f4820bdfc092faeac69133e4a08" "a5b202a12498a22e57bad54674ed4b510109d52b5f74e70e" "1f6f82161718cd4cf00cc9f1958acc8bddcdfbd1fbe46cd1", 16); mpz_set_str(params.q, "800000000000000000000000334a26dd8f49c6811ce81bb1" "342b06e980f64b75", 16); mpz_set_str(params.g, "99ab030a21a5c9818174872167641c81c1e03c9b274cfbc2" "7bc472542927766de5fa0539b3b73f3f16ac866a9aec8b44" "5ded97fbff08834ed98c77e7fc89e5dc657bef766ff7fbf8" "e76873e17bee412762d56fe1141760ab4d25bafd4b6ef25b" "49a3506632d1f8e10770930760ec1325932c5a4baf9e9015" "4264ddf442ec5c41fed95d11525151dbcfb3758149bad81c" "62b9cff7816b8f953b8b7c022590d1584e921dc955f5328a" "c72983ed5cf0d04056fe0d531e62f8f6c9ab3c0fcd44e148" "60b7311d2561c77c1d32f6c69dc8f77968c9d881ad9db5e0" "c114fda8628bca0335eb7fb9e15e625aabab58fc01194c81" "bf6fb2ce54077b82250e57c6a7b25deb6ee39d4b686a5c30" "7a7612b2d85ee92512413dea297e44f317be7ceb70a3328a" "f0b401001a418562b8ffe4e9771b4b4a8e0b40c791349d5d" "4e459fe620a1a2fc72e2f6ca28567d4c2632bbde1b49864c" "06bb12619f132c1da8f571ef613eac739f66ab3914cb3fa1" "ab86e05e5082ebaa24ebeea4cf51beefc27df512fe3fee7d", 16); mpz_set_str(pub, "e7c2ee18c3aa362c0182c6a56c2584628083c73e045beda8" "d653690c9c2f6544edf9702c57c455273905336a5f517110" "7a313cd7d0b0f50f8d3342c60219f22a9023394059d05f46" "4c4496d55dab6eb0898527ff4cf5678e7b5bfb5e18d92c4a" "9d73288cce14530fc4702f6d0397ec39a880c4a72d358730" "c56633386ede028023c1791f3164d1574e7823c79b8a3ca1" "343ea166ba6f02b7ff7e9ef2198db107f7cc159f3b6a1c00" "a78c355c566deb0ac6fde3f633cb9177a1fbc6c1766ca021" "d5fec470101abb440d2f06982181a8c92b7cdd765336b9a1" "e1ab70283d6db0a963fb648c37c4e29a74c37577291049ab" "47cdbc104c04db966681ea8ebb9f00cf4c4a546211737957" "5fbda4b801979451fa94b19b4e93656705c0f734f3e0914b" "b96c1e2b8a0fb68faf14296efdf3300ad95bcde8b67cc4b2" "6e6488eef925cfaeac6f0d6567e8b41355f89d1c2b8fe687" "bfa2df5e287e1305b89b8c388c26196090ac0351abc561aa" "dc797da8ccea4146c3e96095ebce353e0da4c55019052caa", 16); mpz_set_str(signature.r, "21ca148cdf44be4ae93b2f353b8e512d03ad96dafa80623f" "de4922a95f032732", 16); mpz_set_str(signature.s, "73e48b77a3aa44307483c2dd895cb51db2112177c185c59c" "b1dcff32fda02a4f", 16); test_dsa_verify(¶ms, pub, &nettle_sha1, SHEX("ca84af5c9adbc0044db00d7acfb1b493aab0388ffbad47b3" "8cd3e9e3111cfe2cda2a45f751c46862f05bdcec4b698adf" "d2e1606e484c3be4ac0c379d4fbc7c2cda43e922811d7f6c" "33040e8e65d5f317684b90e26387cf931fe7c2f515058d75" "3b08137ff2c6b79c910de8283149e6872cb66f7e02e66f23" "71785129569362f1"), &signature); /* L=3072, N=256, SHA-256 */ mpz_set_str(params.p, "c7b86d7044218e367453d210e76433e4e27a983db1c560bb" "9755a8fb7d819912c56cfe002ab1ff3f72165b943c0b28ed" "46039a07de507d7a29f738603decd1270380a41f971f2592" "661a64ba2f351d9a69e51a888a05156b7fe1563c4b77ee93" "a44949138438a2ab8bdcfc49b4e78d1cde766e5498476005" "7d76cd740c94a4dd25a46aa77b18e9d707d6738497d4eac3" "64f4792d9766a16a0e234807e96b8c64d404bbdb876e39b5" "799ef53fe6cb9bab62ef19fdcc2bdd905beda13b9ef7ac35" "f1f557cb0dc458c019e2bc19a9f5dfc1e4eca9e6d4665641" "24304a31f038605a3e342da01be1c2b545610edd2c1397a3" "c8396588c6329efeb4e165af5b368a39a88e4888e39f40bb" "3de4eb1416672f999fead37aef1ca9643ff32cdbc0fcebe6" "28d7e46d281a989d43dd21432151af68be3f6d56acfbdb6c" "97d87fcb5e6291bf8b4ee1275ae0eb4383cc753903c8d29f" "4adb6a547e405decdff288c5f6c7aa30dcb12f84d392493a" "70933317c0f5e6552601fae18f17e6e5bb6bf396d32d8ab9", 16); mpz_set_str(params.q, "876fa09e1dc62b236ce1c3155ba48b0ccfda29f3ac5a97f7" "ffa1bd87b68d2a4b", 16); mpz_set_str(params.g, "110afebb12c7f862b6de03d47fdbc3326e0d4d31b12a8ca9" "5b2dee2123bcc667d4f72c1e7209767d2721f95fbd9a4d03" "236d54174fbfaff2c4ff7deae4738b20d9f37bf0a1134c28" "8b420af0b5792e47a92513c0413f346a4edbab2c45bdca13" "f5341c2b55b8ba54932b9217b5a859e553f14bb8c120fbb9" "d99909dff5ea68e14b379964fd3f3861e5ba5cc970c4a180" "eef54428703961021e7bd68cb637927b8cbee6805fa27285" "bfee4d1ef70e02c1a18a7cd78bef1dd9cdad45dde9cd6907" "55050fc4662937ee1d6f4db12807ccc95bc435f11b71e708" "6048b1dab5913c6055012de82e43a4e50cf93feff5dcab81" "4abc224c5e0025bd868c3fc592041bba04747c10af513fc3" "6e4d91c63ee5253422cf4063398d77c52fcb011427cbfcfa" "67b1b2c2d1aa4a3da72645cb1c767036054e2f31f88665a5" "4461c885fb3219d5ad8748a01158f6c7c0df5a8c908ba8c3" "e536822428886c7b500bbc15b49df746b9de5a78fe3b4f69" "91d0110c3cbff458039dc36261cf46af4bc2515368f4abb7", 16); mpz_set_str(pub, "456a105c713566234838bc070b8a751a0b57767cb75e9911" "4a1a46641e11da1fa9f22914d808ad7148612c1ea55d2530" "1781e9ae0c9ae36a69d87ba039ec7cd864c3ad094873e6e5" "6709fd10d966853d611b1cff15d37fdee424506c184d62c7" "033358be78c2250943b6f6d043d63b317de56e5ad8d1fd97" "dd355abe96452f8e435485fb3b907b51900aa3f24418df50" "b4fcdafbf6137548c39373b8bc4ba3dabb4746ebd17b87fc" "d6a2f197c107b18ec5b465e6e4cb430d9c0ce78da5988441" "054a370792b730da9aba41a3169af26176f74e6f7c0c9c9b" "55b62bbe7ce38d4695d48157e660c2acb63f482f55418150" "e5fee43ace84c540c3ba7662ae80835c1a2d51890ea96ba2" "06427c41ef8c38aa07d2a365e7e58380d8f4782e22ac2101" "af732ee22758337b253637838e16f50f56d313d07981880d" "685557f7d79a6db823c61f1bb3dbc5d50421a4843a6f2969" "0e78aa0f0cff304231818b81fc4a243fc00f09a54c466d6a" "8c73d32a55e1abd5ec8b4e1afa32a79b01df85a81f3f5cfe", 16); mpz_set_str(signature.r, "53bae6c6f336e2eb311c1e92d95fc449a929444ef81ec427" "9660b200d59433de", 16); mpz_set_str(signature.s, "49f3a74e953e77a7941af3aefeef4ed499be209976a0edb3" "fa5e7cb961b0c112", 16); test_dsa_verify(¶ms, pub, &nettle_sha256, SHEX("cb06e02234263c22b80e832d6dc5a1bee5ea8af3bc2da752" "441c04027f176158bfe68372bd67f84d489c0d49b07d4025" "962976be60437be1a2d01d3be0992afa5abe0980e26a9da4" "ae72f827b423665195cc4eed6fe85c335b32d9c03c945a86" "e7fa99373f0a30c6eca938b3afb6dff67adb8bece6f8cfec" "4b6a12ea281e2323"), &signature); /* L=3072, N=256, SHA-384 */ mpz_set_str(params.p, "a410d23ed9ad9964d3e401cb9317a25213f75712acbc5c12" "191abf3f1c0e723e2333b49eb1f95b0f9748d952f04a5ae3" "58859d384403ce364aa3f58dd9769909b45048548c55872a" "6afbb3b15c54882f96c20df1b2df164f0bac849ca17ad2df" "63abd75c881922e79a5009f00b7d631622e90e7fa4e98061" "8575e1d6bd1a72d5b6a50f4f6a68b793937c4af95fc11541" "759a1736577d9448b87792dff07232415512e933755e1225" "0d466e9cc8df150727d747e51fea7964158326b1365d580c" "b190f4518291598221fdf36c6305c8b8a8ed05663dd7b006" "e945f592abbecae460f77c71b6ec649d3fd5394202ed7bbb" "d040f7b8fd57cb06a99be254fa25d71a3760734046c2a0db" "383e02397913ae67ce65870d9f6c6f67a9d00497be1d763b" "21937cf9cbf9a24ef97bbcaa07916f8894e5b7fb03258821" "ac46140965b23c5409ca49026efb2bf95bce025c4183a5f6" "59bf6aaeef56d7933bb29697d7d541348c871fa01f869678" "b2e34506f6dc0a4c132b689a0ed27dc3c8d53702aa584877", 16); mpz_set_str(params.q, "abc67417725cf28fc7640d5de43825f416ebfa80e191c42e" "e886303338f56045", 16); mpz_set_str(params.g, "867d5fb72f5936d1a14ed3b60499662f3124686ef108c5b3" "da6663a0e86197ec2cc4c9460193a74ff16028ac9441b0c7" "d27c2272d483ac7cd794d598416c4ff9099a61679d417d47" "8ce5dd974bf349a14575afe74a88b12dd5f6d1cbd3f91ddd" "597ed68e79eba402613130c224b94ac28714a1f1c552475a" "5d29cfcdd8e08a6b1d65661e28ef313514d1408f5abd3e06" "ebe3a7d814d1ede316bf495273ca1d574f42b482eea30db5" "3466f454b51a175a0b89b3c05dda006e719a2e6371669080" "d768cc038cdfb8098e9aad9b8d83d4b759f43ac9d22b353e" "d88a33723550150de0361b7a376f37b45d437f71cb711f28" "47de671ad1059516a1d45755224a15d37b4aeada3f58c69a" "136daef0636fe38e3752064afe598433e80089fda24b144a" "462734bef8f77638845b00e59ce7fa4f1daf487a2cada11e" "aba72bb23e1df6b66a183edd226c440272dd9b06bec0e57f" "1a0822d2e00212064b6dba64562085f5a75929afa5fe509e" "0b78e630aaf12f91e4980c9b0d6f7e059a2ea3e23479d930", 16); mpz_set_str(pub, "1f0a5c75e7985d6e70e4fbfda51a10b925f6accb600d7c65" "10db90ec367b93bb069bd286e8f979b22ef0702f717a8755" "c18309c87dae3fe82cc3dc8f4b7aa3d5f3876f4d4b3eb68b" "fe910c43076d6cd0d39fc88dde78f09480db55234e6c8ca5" "9fe2700efec04feee6b4e8ee2413721858be7190dbe905f4" "56edcab55b2dc2916dc1e8731988d9ef8b619abcf8955aa9" "60ef02b3f02a8dc649369222af50f1338ed28d667f3f10ca" "e2a3c28a3c1d08df639c81ada13c8fd198c6dae3d62a3fe9" "f04c985c65f610c06cb8faea68edb80de6cf07a8e89c0021" "8185a952b23572e34df07ce5b4261e5de427eb503ee1baf5" "992db6d438b47434c40c22657bc163e7953fa33eff39dc27" "34607039aadd6ac27e4367131041f845ffa1a13f556bfba2" "307a5c78f2ccf11298c762e08871968e48dc3d1569d09965" "cd09da43cf0309a16af1e20fee7da3dc21b364c4615cd512" "3fa5f9b23cfc4ffd9cfdcea670623840b062d4648d2eba78" "6ad3f7ae337a4284324ace236f9f7174fbf442b99043002f", 16); mpz_set_str(signature.r, "7695698a14755db4206e850b4f5f19c540b07d07e08aac59" "1e20081646e6eedc", 16); mpz_set_str(signature.s, "3dae01154ecff7b19007a953f185f0663ef7f2537f0b15e0" "4fb343c961f36de2", 16); test_dsa_verify(¶ms, pub, &nettle_sha384, SHEX("ed9a64d3109ef8a9292956b946873ca4bd887ce624b81be8" "1b82c69c67aaddf5655f70fe4768114db2834c71787f858e" "5165da1a7fa961d855ad7e5bc4b7be31b97dbe770798ef79" "66152b14b86ae35625a28aee5663b9ef3067cbdfbabd8719" "7e5c842d3092eb88dca57c6c8ad4c00a19ddf2e1967b59bd" "06ccaef933bc28e7"), &signature); /* L=3072, N=256, SHA-512 */ mpz_set_str(params.p, "c1d0a6d0b5ed615dee76ac5a60dd35ecb000a202063018b1" "ba0a06fe7a00f765db1c59a680cecfe3ad41475badb5ad50" "b6147e2596b88d34656052aca79486ea6f6ec90b23e363f3" "ab8cdc8b93b62a070e02688ea877843a4685c2ba6db111e9" "addbd7ca4bce65bb10c9ceb69bf806e2ebd7e54edeb7f996" "a65c907b50efdf8e575bae462a219c302fef2ae81d73cee7" "5274625b5fc29c6d60c057ed9e7b0d46ad2f57fe01f82323" "0f31422722319ce0abf1f141f326c00fbc2be4cdb8944b6f" "d050bd300bdb1c5f4da72537e553e01d51239c4d461860f1" "fb4fd8fa79f5d5263ff62fed7008e2e0a2d36bf7b9062d0d" "75db226c3464b67ba24101b085f2c670c0f87ae530d98ee6" "0c5472f4aa15fb25041e19106354da06bc2b1d322d40ed97" "b21fd1cdad3025c69da6ce9c7ddf3dcf1ea4d56577bfdec2" "3071c1f05ee4077b5391e9a404eaffe12d1ea62d06acd6bf" "19e91a158d2066b4cd20e4c4e52ffb1d5204cd022bc7108f" "2c799fb468866ef1cb09bce09dfd49e4740ff8140497be61", 16); mpz_set_str(params.q, "bf65441c987b7737385eadec158dd01614da6f15386248e59f3cddbefc8e9dd1", 16); mpz_set_str(params.g, "c02ac85375fab80ba2a784b94e4d145b3be0f92090eba17b" "d12358cf3e03f4379584f8742252f76b1ede3fc37281420e" "74a963e4c088796ff2bab8db6e9a4530fc67d51f88b905ab" "43995aab46364cb40c1256f0466f3dbce36203ef228b35e9" "0247e95e5115e831b126b628ee984f349911d30ffb9d613b" "50a84dfa1f042ba536b82d5101e711c629f9f2096dc834de" "ec63b70f2a2315a6d27323b995aa20d3d0737075186f5049" "af6f512a0c38a9da06817f4b619b94520edfac85c4a6e2e1" "86225c95a04ec3c3422b8deb284e98d24b31465802008a09" "7c25969e826c2baa59d2cba33d6c1d9f3962330c1fcda7cf" "b18508fea7d0555e3a169daed353f3ee6f4bb30244319161" "dff6438a37ca793b24bbb1b1bc2194fc6e6ef60278157899" "cb03c5dd6fc91a836eb20a25c09945643d95f7bd50d20668" "4d6ffc14d16d82d5f781225bff908392a5793b803f9b70b4" "dfcb394f9ed81c18e391a09eb3f93a032d81ba670cabfd6f" "64aa5e3374cb7c2029f45200e4f0bfd820c8bd58dc5eeb34", 16); mpz_set_str(pub, "6da54f2b0ddb4dcce2da1edfa16ba84953d8429ce60cd111" "a5c65edcf7ba5b8d9387ab6881c24880b2afbdb437e9ed7f" "fb8e96beca7ea80d1d90f24d546112629df5c9e9661742cc" "872fdb3d409bc77b75b17c7e6cfff86261071c4b5c9f9898" "be1e9e27349b933c34fb345685f8fc6c12470d124cecf51b" "5d5adbf5e7a2490f8d67aac53a82ed6a2110686cf631c348" "bcbc4cf156f3a6980163e2feca72a45f6b3d68c10e5a2283" "b470b7292674490383f75fa26ccf93c0e1c8d0628ca35f2f" "3d9b6876505d118988957237a2fc8051cb47b410e8b7a619" "e73b1350a9f6a260c5f16841e7c4db53d8eaa0b4708d62f9" "5b2a72e2f04ca14647bca6b5e3ee707fcdf758b925eb8d4e" "6ace4fc7443c9bc5819ff9e555be098aa055066828e21b81" "8fedc3aac517a0ee8f9060bd86e0d4cce212ab6a3a243c5e" "c0274563353ca7103af085e8f41be524fbb75cda88903907" "df94bfd69373e288949bd0626d85c1398b3073a139d5c747" "d24afdae7a3e745437335d0ee993eef36a3041c912f7eb58", 16); mpz_set_str(signature.r, "a40a6c905654c55fc58e99c7d1a3feea2c5be64823d4086c" "e811f334cfdc448d", 16); mpz_set_str(signature.s, "6478050977ec585980454e0a2f26a03037b921ca588a78a4" "daff7e84d49a8a6c", 16); test_dsa_verify(¶ms, pub, &nettle_sha512, SHEX("494180eed0951371bbaf0a850ef13679df49c1f13fe3770b" "6c13285bf3ad93dc4ab018aab9139d74200808e9c55bf883" "00324cc697efeaa641d37f3acf72d8c97bff0182a35b9401" "50c98a03ef41a3e1487440c923a988e53ca3ce883a2fb532" "bb7441c122f1dc2f9d0b0bc07f26ba29a35cdf0da846a9d8" "eab405cbf8c8e77f"), &signature); dsa_params_clear(¶ms); mpz_clear(pub); mpz_clear(key); dsa_signature_clear(&signature); } nettle-4.0/testsuite/eax-test.c0000644000000000000000000000603715141166425013540 0ustar00#include "testutils.h" #include "nettle-internal.h" void test_main(void) { /* From the EAX specification, http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf */ test_aead(&nettle_eax_aes128, NULL, SHEX("233952DEE4D5ED5F9B9C6D6FF80FF478"), /* key */ SHEX("6BFB914FD07EAE6B"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("62EC67F9C3A4A407FCB2A8C49031A8B3"), /* nonce */ SHEX("E037830E8389F27B025A2D6527E79D01")); /* tag */ test_aead(&nettle_eax_aes128, NULL, SHEX("91945D3F4DCBEE0BF45EF52255F095A4"), SHEX("FA3BFD4806EB53FA"), SHEX("F7FB"), SHEX("19DD"), SHEX("BECAF043B0A23D843194BA972C66DEBD"), SHEX("5C4C9331049D0BDAB0277408F67967E5")); test_aead(&nettle_eax_aes128, NULL, SHEX("01F74AD64077F2E704C0F60ADA3DD523"), SHEX("234A3463C1264AC6"), SHEX("1A47CB4933"), SHEX("D851D5BAE0"), SHEX("70C3DB4F0D26368400A10ED05D2BFF5E"), SHEX("3A59F238A23E39199DC9266626C40F80")); test_aead(&nettle_eax_aes128, NULL, SHEX("D07CF6CBB7F313BDDE66B727AFD3C5E8"), SHEX("33CCE2EABFF5A79D"), SHEX("481C9E39B1"), SHEX("632A9D131A"), SHEX("8408DFFF3C1A2B1292DC199E46B7D617"), SHEX("D4C168A4225D8E1FF755939974A7BEDE")); test_aead(&nettle_eax_aes128, NULL, SHEX("35B6D0580005BBC12B0587124557D2C2"), SHEX("AEB96EAEBE2970E9"), SHEX("40D0C07DA5E4"), SHEX("071DFE16C675"), SHEX("FDB6B06676EEDC5C61D74276E1F8E816"), SHEX("CB0677E536F73AFE6A14B74EE49844DD")); test_aead(&nettle_eax_aes128, NULL, SHEX("BD8E6E11475E60B268784C38C62FEB22"), SHEX("D4482D1CA78DCE0F"), SHEX("4DE3B35C3FC039245BD1FB7D"), SHEX("835BB4F15D743E350E728414"), SHEX("6EAC5C93072D8E8513F750935E46DA1B"), SHEX("ABB8644FD6CCB86947C5E10590210A4F")); test_aead(&nettle_eax_aes128, NULL, SHEX("7C77D6E813BED5AC98BAA417477A2E7D"), SHEX("65D2017990D62528"), SHEX("8B0A79306C9CE7ED99DAE4F87F8DD61636"), SHEX("02083E3979DA014812F59F11D52630DA30"), SHEX("1A8C98DCD73D38393B2BF1569DEEFC19"), SHEX("137327D10649B0AA6E1C181DB617D7F2")); test_aead(&nettle_eax_aes128, NULL, SHEX("5FFF20CAFAB119CA2FC73549E20F5B0D"), SHEX("54B9F04E6A09189A"), SHEX("1BDA122BCE8A8DBAF1877D962B8592DD2D56"), SHEX("2EC47B2C4954A489AFC7BA4897EDCDAE8CC3"), SHEX("DDE59B97D722156D4D9AFF2BC7559826"), SHEX("3B60450599BD02C96382902AEF7F832A")); test_aead(&nettle_eax_aes128, NULL, SHEX("A4A4782BCFFD3EC5E7EF6D8C34A56123"), SHEX("899A175897561D7E"), SHEX("6CF36720872B8513F6EAB1A8A44438D5EF11"), SHEX("0DE18FD0FDD91E7AF19F1D8EE8733938B1E8"), SHEX("B781FCF2F75FA5A8DE97A9CA48E522EC"), SHEX("E7F6D2231618102FDB7FE55FF1991700")); test_aead(&nettle_eax_aes128, NULL, SHEX("8395FCF1E95BEBD697BD010BC766AAC3"), SHEX("126735FCC320D25A"), SHEX("CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7"), SHEX("CB8920F87A6C75CFF39627B56E3ED197C552D295A7"), SHEX("22E7ADD93CFC6393C57EC0B3C17D6B44"), SHEX("CFC46AFC253B4652B1AF3795B124AB6E")); } nettle-4.0/testsuite/ecc-add-test.c0000644000000000000000000000421515141166425014237 0ustar00#include "testutils.h" #include void test_main (void) { unsigned i; for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *g2 = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *g3 = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->add_hhh_itch); ASSERT (ecc->dup_itch <= ecc->add_hhh_itch); test_ecc_get_g (i, g); ecc->dup (ecc, g2, g, scratch); test_ecc_mul_h (i, 2, g2); ecc->add_hhh (ecc, g3, g, g2, scratch); test_ecc_mul_h (i, 3, g3); ecc->add_hhh (ecc, g3, g2, g, scratch); test_ecc_mul_h (i, 3, g3); ecc->add_hhh (ecc, p, g, g3, scratch); test_ecc_mul_h (i, 4, p); ecc->add_hhh (ecc, p, g3, g, scratch); test_ecc_mul_h (i, 4, p); ecc->dup (ecc, p, g2, scratch); test_ecc_mul_h (i, 4, p); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) { mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); ASSERT (ecc->add_hh_itch <= ecc->add_hhh_itch); /* Zero point has x = 0, y = 1, z = 1 */ mpn_zero (z, 3*ecc->p.size); z[ecc->p.size] = z[2*ecc->p.size] = 1; ecc->add_hhh (ecc, p, z, z, scratch); test_ecc_mul_h (i, 0, p); ecc->add_hh (ecc, p, z, z, scratch); test_ecc_mul_h (i, 0, p); ecc->add_hhh (ecc, p, p, g, scratch); test_ecc_mul_h (i, 1, p); ecc->add_hh (ecc, p, z, g, scratch); test_ecc_mul_h (i, 1, p); ecc->add_hhh (ecc, g2, g, p, scratch); test_ecc_mul_h (i, 2, g2); ecc->add_hh (ecc, g2, g, g, scratch); test_ecc_mul_h (i, 2, g2); free (z); } else { ASSERT (ecc_nonsec_add_jjj (ecc, g2, g, g, scratch)); test_ecc_mul_h (i, 2, g2); ASSERT (ecc_nonsec_add_jjj (ecc, g3, g2, g, scratch)); test_ecc_mul_h (i, 3, g3); ASSERT (ecc_nonsec_add_jjj (ecc, p, g, g3, scratch)); test_ecc_mul_h (i, 4, p); ASSERT (ecc_nonsec_add_jjj (ecc, p, g2, g2, scratch)); test_ecc_mul_h (i, 4, p); } free (g); free (g2); free (g3); free (p); free (scratch); } } nettle-4.0/testsuite/ecc-dup-test.c0000644000000000000000000000154615141166425014303 0ustar00#include "testutils.h" void test_main (void) { unsigned i; for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->dup_itch); test_ecc_get_g (i, g); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) { mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); /* Zero point has x = 0, y = 1, z = 1 */ mpn_zero (z, 3*ecc->p.size); z[ecc->p.size] = z[2*ecc->p.size] = 1; ecc->dup (ecc, p, z, scratch); test_ecc_mul_h (i, 0, p); free (z); } ecc->dup (ecc, p, g, scratch); test_ecc_mul_h (i, 2, p); ecc->dup (ecc, p, p, scratch); test_ecc_mul_h (i, 4, p); free (p); free (g); free (scratch); } } nettle-4.0/testsuite/ecc-mod-arith-test.c0000644000000000000000000000741715141166425015402 0ustar00#include "testutils.h" #define MAX_SIZE (1 + 521 / GMP_NUMB_BITS) #define COUNT 10000 static void test_add(const char *name, const struct ecc_modulo *m, const mpz_t az, const mpz_t bz) { mp_limb_t a[MAX_SIZE]; mp_limb_t b[MAX_SIZE]; mp_limb_t t[MAX_SIZE]; mpz_t mz; mpz_t tz; mpz_t ref; mpz_init (ref); mpz_add (ref, az, bz); mpz_mod (ref, ref, mpz_roinit_n (mz, m->m, m->size)); mpz_limbs_copy (a, az, m->size); mpz_limbs_copy (b, bz, m->size); ecc_mod_add (m, t, a, b); if (!mpz_congruent_p (ref, mpz_roinit_n (tz, t, m->size), mz)) { fprintf (stderr, "ecc_mod_add %s failed: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, m->size); fprintf (stderr, "\nb = "); mpn_out_str (stderr, 16, b, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpz_out_str (stderr, 16, ref); fprintf (stderr, "\n"); abort (); } mpz_clear (ref); } static void test_sub(const char *name, const struct ecc_modulo *m, /* If range is non-null, check that 0 <= r < range. */ const mp_limb_t *range, const mpz_t az, const mpz_t bz) { mp_limb_t a[MAX_SIZE]; mp_limb_t b[MAX_SIZE]; mp_limb_t t[MAX_SIZE]; mpz_t mz; mpz_t tz; mpz_t ref; mpz_init (ref); mpz_sub (ref, az, bz); mpz_mod (ref, ref, mpz_roinit_n (mz, m->m, m->size)); mpz_limbs_copy (a, az, m->size); mpz_limbs_copy (b, bz, m->size); ecc_mod_sub (m, t, a, b); if (!mpz_congruent_p (ref, mpz_roinit_n (tz, t, m->size), mz)) { fprintf (stderr, "ecc_mod_sub %s failed: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, m->size); fprintf (stderr, "\nb = "); mpn_out_str (stderr, 16, b, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpz_out_str (stderr, 16, ref); fprintf (stderr, "\n"); abort (); } if (range && mpn_cmp (t, range, m->size) >= 0) { fprintf (stderr, "ecc_mod_sub %s out of range: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, m->size); fprintf (stderr, "\nb = "); mpn_out_str (stderr, 16, b, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " \nrange = "); mpn_out_str (stderr, 16, range, m->size); fprintf (stderr, "\n"); abort (); } mpz_clear (ref); } static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m, unsigned count) { mpz_t a, b; unsigned j; mpz_init (a); mpz_init (b); for (j = 0; j < count; j++) { if (j & 1) { mpz_rrandomb (a, rands, m->size * GMP_NUMB_BITS); mpz_rrandomb (b, rands, m->size * GMP_NUMB_BITS); } else { mpz_urandomb (a, rands, m->size * GMP_NUMB_BITS); mpz_urandomb (b, rands, m->size * GMP_NUMB_BITS); } test_add (name, m, a, b); test_sub (name, m, NULL, a, b); } if (m->bit_size < m->size * GMP_NUMB_BITS) { mp_limb_t two_p[MAX_SIZE]; mpn_lshift (two_p, m->m, m->size, 1); mpz_t range; mpz_roinit_n (range, two_p, m->size); mpz_urandomm (a, rands, range); mpz_urandomm (b, rands, range); test_sub (name, m, two_p, a, b); } mpz_clear (a); mpz_clear (b); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p, COUNT); test_modulo (rands, "q", &ecc_curves[i]->q, COUNT); } gmp_randclear (rands); } nettle-4.0/testsuite/ecc-mod-test.c0000644000000000000000000001361515141166425014272 0ustar00#include "testutils.h" static void ref_mod (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { mpz_t r, a, m; mpz_init (r); mpz_mod (r, mpz_roinit_n (a, ap, 2*mn), mpz_roinit_n (m, mp, mn)); mpz_limbs_copy (rp, r, mn); mpz_clear (r); } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 10000 /* Destructively normalize tp, then compare */ static int mod_equal(const struct ecc_modulo *m, const mp_limb_t *ref, mp_limb_t *tp) { if (mpn_cmp (tp, m->m, m->size) >= 0) mpn_sub_n (tp, tp, m->m, m->size); return mpn_cmp (ref, tp, m->size) == 0; } static void test_one(const char *name, const struct ecc_modulo *m, const mpz_t r) { mp_limb_t a[MAX_SIZE]; mp_limb_t t[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; mpz_limbs_copy (a, r, 2*m->size); ref_mod (ref, a, m->m, m->size); mpn_copyi (t, a, 2*m->size); m->mod (m, t, t); if (!mod_equal (m, ref, t)) { fprintf (stderr, "m->mod %s failed: bit_size = %u, rp == xp\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } mpn_copyi (t, a, 2*m->size); m->mod (m, t + m->size, t); if (!mod_equal (m, ref, t + m->size)) { fprintf (stderr, "m->mod %s failed: bit_size = %u, rp == xp + size\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t + m->size, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } if (m->B_size < m->size) { mpn_copyi (t, a, 2*m->size); ecc_mod (m, t, t); if (!mod_equal (m, ref, t)) { fprintf (stderr, "ecc_mod %s failed: bit_size = %u, rp == xp\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } mpn_copyi (t, a, 2*m->size); ecc_mod (m, t + m->size, t); if (!mod_equal (m, ref, t + m->size)) { fprintf (stderr, "ecc_mod %s failed: bit_size = %u, rp == xp + size\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t + m->size, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } } } static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m, unsigned count) { mpz_t r; unsigned j; mpz_init (r); for (j = 0; j < count; j++) { if (j & 2) { if (j & 1) mpz_rrandomb (r, rands, 2*m->size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, 2*m->size * GMP_NUMB_BITS); } else { /* Test inputs close to a multiple of m. */ mpz_t q; unsigned q_size; int diff; mpz_urandomb(r, rands, 30); q_size = 11 + mpz_get_ui(r) % (m->size * GMP_NUMB_BITS - 10); mpz_urandomb(r, rands, 30); diff = mpz_get_si(r) % 20 - 10; if (j & 1) mpz_rrandomb (r, rands, q_size); else mpz_urandomb (r, rands, q_size); mpz_mul (r, r, mpz_roinit_n(q, m->m, m->size)); if (diff >= 0) mpz_add_ui (r, r, diff); else mpz_sub_ui (r, r, -diff); if (mpz_sgn(r) < 0) continue; } test_one (name, m, r); } mpz_clear (r); } static void test_fixed (void) { mpz_t r; mpz_init (r); /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFF001C2C00", 16); mpz_mul_2exp (r, r, 256); test_one ("p", &_nettle_secp_256r1.p, r); test_one ("q", &_nettle_secp_256r1.q, r); mpz_set_str (r, "ffffffff00000001fffffffeffffffffffffffffffffffffffffffc0000000000007ffffffffffffffffffffffffffff00000000000000000fffffffffffffff", 16); test_one ("p", &_nettle_secp_256r1.p, r); test_one ("q", &_nettle_secp_256r1.q, r); /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "4c9000000000000000000000000000000000000000000000004a604db486e000000000000000000000000000000000000000121025be29575adb2c8ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 16); test_one ("p", &_nettle_secp_384r1.p, r); test_one ("q", &_nettle_secp_384r1.q, r); /* Triggered a carry bug in development version. */ mpz_set_str (r, "e64a84643150260640e4677c19ffc4faef06042132b86af6e9ee33fe1850222e57a514d5f1d6d444008bb896a96a43d5629945e57548f5e12f66be132b24110cbb2df6d7d3dd3aaadc98b0bbf29573843ad72e57f59fc5d4f56cc599da18bb99", 16); test_one ("p", &_nettle_secp_384r1.p, r); test_one ("q", &_nettle_secp_384r1.q, r); mpz_clear (r); } static void test_patterns (const char *name, const struct ecc_modulo *m) { mpz_t r; unsigned j; mpz_init (r); for (j = m->bit_size; j < 2*m->bit_size; j++) { /* Single one bit */ mpz_set_ui (r, 1); mpz_mul_2exp (r, r, j); test_one (name, m, r); /* All ones. */ mpz_mul_2exp (r, r, 1); mpz_sub_ui (r, r, 1); test_one (name, m, r); } mpz_clear (r); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_fixed (); for (i = 0; ecc_curves[i]; i++) { test_patterns ("p", &ecc_curves[i]->p); test_patterns ("q", &ecc_curves[i]->p); } test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p, COUNT); test_modulo (rands, "q", &ecc_curves[i]->q, COUNT); } gmp_randclear (rands); } nettle-4.0/testsuite/ecc-modinv-test.c0000644000000000000000000000650715141166425015011 0ustar00#include "testutils.h" #include static int ref_modinv (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn, int use_redc) { mpz_t g, s, a, m; int res; mpz_init (g); mpz_init (s); mpz_roinit_n (a, ap, mn); mpz_roinit_n (m, mp, mn); mpz_gcdext (g, s, NULL, a, m); if (mpz_cmp_ui (g, 1) == 0) { if (mpz_sgn (s) < 0) { mpz_add (s, s, m); ASSERT (mpz_sgn (s) > 0); } res = 1; } else res = 0; if (use_redc) { mpz_mul_2exp (s, s, 2 * mn * GMP_NUMB_BITS); mpz_mod (s, s, m); } mpz_limbs_copy (rp, s, mn); mpz_clear (g); mpz_clear (s); return res; } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define COUNT 200 static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m, int use_redc) { mp_limb_t *a; mp_limb_t *ai; mp_limb_t *ref; mp_limb_t *scratch; unsigned j; mpz_t r; mpz_init (r); a = xalloc_limbs (m->size); ai = xalloc_limbs (m->size); ref = xalloc_limbs (m->size);; scratch = xalloc_limbs (m->invert_itch); /* Check behaviour for zero input */ mpn_zero (a, m->size); memset (ai, 17, m->size * sizeof(*ai)); m->invert (m, ai, a, scratch); if (!ecc_mod_zero_p (m, ai)) { fprintf (stderr, "%s->invert failed for zero input (bit size %u):\n", name, m->bit_size); fprintf (stderr, "p = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\n"); abort (); } /* Check behaviour for a = m */ memset (ai, 17, m->size * sizeof(*ai)); m->invert (m, ai, m->m, scratch); if (!ecc_mod_zero_p (m, ai)) { fprintf (stderr, "%s->invert failed for a = p input (bit size %u):\n", name, m->bit_size); fprintf (stderr, "p = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\n"); abort (); } for (j = 0; j < COUNT; j++) { if (j & 1) mpz_rrandomb (r, rands, m->size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, m->size * GMP_NUMB_BITS); mpz_limbs_copy (a, r, m->size); if (!ref_modinv (ref, a, m->m, m->size, use_redc)) { if (verbose) fprintf (stderr, "Test %u (bit size %u) not invertible mod %s.\n", j, m->bit_size, name); continue; } m->invert (m, ai, a, scratch); if (!ecc_mod_equal_p (m, ai, ref, scratch)) { fprintf (stderr, "%s->invert failed (test %u, bit size %u):\n", name, j, m->bit_size); fprintf (stderr, "a = "); mpz_out_str (stderr, 16, r); fprintf (stderr, "\np = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\nr = "); mpn_out_str (stderr, 16, ref, m->size); printf ("\n"); abort (); } } mpz_clear (r); free (a); free (ai); free (ref); free (scratch); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p, ecc_curves[i]->use_redc); test_modulo (rands, "q", &ecc_curves[i]->q, 0); } gmp_randclear (rands); } nettle-4.0/testsuite/ecc-mul-a-test.c0000644000000000000000000000461415141166425014525 0ustar00#include "testutils.h" void test_main (void) { gmp_randstate_t rands; mpz_t r; unsigned i; gmp_randinit_default (rands); test_randomize (rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); mp_limb_t *g = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); mp_limb_t *scratch = xalloc_limbs (ecc->mul_itch); unsigned j; test_ecc_get_ga (i, g); mpn_zero (n, size); for (n[0] = 1; n[0] <= 4; n[0]++) { ecc->mul (ecc, p, n, g, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul (ecc, p, n, g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); test_ecc_ga (i, p); mpn_zero (n, size); for (j = 0; j < 30; j++) { if (j & 1) mpz_rrandomb (r, rands, size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, size * GMP_NUMB_BITS); /* Reduce so that (almost surely) n < q */ mpz_limbs_copy (n, r, size); n[size - 1] %= ecc->q.m[size - 1]; ecc->mul (ecc, p, n, g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); ecc->mul_g (ecc, q, n, scratch); ecc->h_to_a (ecc, 0, q, q, scratch); if (mpn_cmp (p, q, 2*size)) { fprintf (stderr, "Different results from ecc->mul and ecc->mul_g.\n" " bits = %u\n", ecc->p.bit_size); fprintf (stderr, " n = "); mpn_out_str (stderr, 16, n, size); fprintf (stderr, "\np = "); mpn_out_str (stderr, 16, p, size); fprintf (stderr, ",\n "); mpn_out_str (stderr, 16, p + size, size); fprintf (stderr, "\nq = "); mpn_out_str (stderr, 16, q, size); fprintf (stderr, ",\n "); mpn_out_str (stderr, 16, q + size, size); fprintf (stderr, "\n"); abort (); } } free (g); free (n); free (p); free (q); free (scratch); } mpz_clear (r); gmp_randclear (rands); } nettle-4.0/testsuite/ecc-mul-g-test.c0000644000000000000000000000247515141166425014536 0ustar00#include "testutils.h" void test_main (void) { gmp_randstate_t rands; mpz_t r; unsigned i; gmp_randinit_default (rands); test_randomize(rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); mp_limb_t *scratch = xalloc_limbs (ecc->mul_g_itch); mpn_zero (n, size); n[0] = 1; ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); test_ecc_ga (i, p); for (n[0] = 2; n[0] <= 4; n[0]++) { ecc->mul_g (ecc, p, n, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); test_ecc_ga (i, p); free (n); free (p); free (q); free (scratch); } mpz_clear (r); gmp_randclear (rands); } nettle-4.0/testsuite/ecc-redc-test.c0000644000000000000000000000751515141166425014432 0ustar00#include "testutils.h" static void ref_redc (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { mpz_t t; mpz_t m, a; mp_size_t an; mpz_init (t); mpz_setbit (t, mn * GMP_NUMB_BITS); mpz_roinit_n (m, mp, mn); an = 2*mn; while (an > 0 && ap[an-1] == 0) an--; mpz_roinit_n (a, ap, an); mpz_invert (t, t, m); mpz_mul (t, t, a); mpz_mod (t, t, m); mpz_limbs_copy (rp, t, mn); mpz_clear (t); } /* Destructively normalize tp, then compare */ static int mod_equal(const struct ecc_modulo *m, const mp_limb_t *ref, mp_limb_t *tp) { if (mpn_cmp (tp, m->m, m->size) >= 0) mpn_sub_n (tp, tp, m->m, m->size); return mpn_cmp (ref, tp, m->size) == 0; } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 10000 void test_main (void) { gmp_randstate_t rands; mp_limb_t a[MAX_SIZE]; mp_limb_t m[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; unsigned i; mpz_t r; gmp_randinit_default (rands); test_randomize(rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; unsigned j; for (j = 0; j < COUNT; j++) { if (j & 1) mpz_rrandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); mpz_limbs_copy (a, r, 2*ecc->p.size); ref_redc (ref, a, ecc->p.m, ecc->p.size); if (ecc->p.reduce != ecc->p.mod) { mpn_copyi (m, a, 2*ecc->p.size); ecc->p.reduce (&ecc->p, m, m); if (!mod_equal (&ecc->p, ref, m)) { fprintf (stderr, "ecc->p.reduce failed: bit_size = %u, rp == xp\n", ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } mpn_copyi (m, a, 2*ecc->p.size); ecc->p.reduce (&ecc->p, m + ecc->p.size, m); if (!mod_equal (&ecc->p, ref, m + ecc->p.size)) { fprintf (stderr, "ecc->p.reduce failed: bit_size = %u, rp == xp + size\n", ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m + ecc->p.size, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } } if (ecc->p.redc_size != 0) { mpn_copyi (m, a, 2*ecc->p.size); if (ecc->p.m[0] == 1) ecc_pm1_redc (&ecc->p, m, m); else ecc_pp1_redc (&ecc->p, m, m); if (!mod_equal (&ecc->p, ref, m)) { fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n", (ecc->p.m[0] == 1) ? 'm' : 'p', ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } mpn_copyi (m, a, 2*ecc->p.size); if (ecc->p.m[0] == 1) ecc_pm1_redc (&ecc->p, m + ecc->p.size, m); else ecc_pp1_redc (&ecc->p, m + ecc->p.size, m); if (!mod_equal (&ecc->p, ref, m + ecc->p.size)) { fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n", (ecc->p.m[0] == 1) ? 'm' : 'p', ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m + ecc->p.size, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } } } } mpz_clear (r); gmp_randclear (rands); } nettle-4.0/testsuite/ecc-sqrt-test.c0000644000000000000000000001565615141166425014513 0ustar00/* ecc-sqrt.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #define COUNT 500 #if NETTLE_USE_MINI_GMP /* Implements Legendre symbol only, requiring that p is an odd prime */ static int mpz_ui_kronecker (mp_limb_t ul, const mpz_t p) { mpz_t t, u; int r; mpz_init_set_ui (u, ul); mpz_init_set (t, p); mpz_sub_ui (t, t, 1); mpz_tdiv_q_2exp (t, t, 1); mpz_powm (t, u, t, p); r = mpz_cmp_ui (t, 1); if (r < 0) r = 0; else if (r == 0) r = 1; else { mpz_sub (t, p, t); ASSERT (mpz_cmp_ui (t, 1) == 0); r = -1; } mpz_clear (t); mpz_clear (u); return r; } #endif /* NETTLE_USE_MINI_GMP */ static void test_sqrt (gmp_randstate_t rands, const struct ecc_modulo *m, int use_redc) { mpz_t u; mpz_t p; mpz_t r; mpz_t t; unsigned z, i; mp_limb_t *up; mp_limb_t *rp; mp_limb_t *scratch; mpz_init (u); mpz_init (t); mpz_roinit_n (p, m->m, m->size); up = xalloc_limbs (m->size); rp = xalloc_limbs (m->size); scratch = xalloc_limbs (m->sqrt_itch); /* Check behaviour for zero input */ mpn_zero (up, m->size); memset (rp, 17, m->size * sizeof(*rp)); if (!m->sqrt (m, rp, up, scratch)) { fprintf (stderr, "m->sqrt returned failure for zero input, bit_size = %d\n", m->bit_size); abort(); } if (!ecc_mod_zero_p (m, rp)) { fprintf (stderr, "m->sqrt failed for zero input (bit size %u):\n", m->bit_size); fprintf (stderr, "r = "); mpn_out_str (stderr, 16, rp, m->size); fprintf (stderr, " (bad)\n"); abort (); } /* Find a non-square */ for (z = 2; mpz_ui_kronecker (z, p) != -1; z++) ; if (verbose) fprintf(stderr, "test_sqrt on %d-bit modulo. Non square: %d\n", m->bit_size, z); for (i = 0; i < COUNT; i++) { if (i & 1) mpz_rrandomb (u, rands, m->bit_size); else mpz_urandomb (u, rands, m->bit_size); if (use_redc) { /* We get non-redc sqrt if we reduce u before calling m->sqrt */ mpz_limbs_copy (scratch, u, m->size); mpn_zero (scratch + m->size, m->size); m->reduce (m, up, scratch); } else { mpz_limbs_copy (up, u, m->size); } if (!m->sqrt (m, rp, up, scratch)) { mpz_mul_ui (u, u, z); mpz_mod (u, u, p); ecc_mod_mul_1 (m, up, up, z); if (!m->sqrt (m, rp, up, scratch)) { fprintf (stderr, "m->sqrt returned failure, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\n"); abort (); } } /* Check that r^2 = u */ mpz_roinit_n (r, rp, m->size); mpz_mul (t, r, r); if (!mpz_congruent_p (t, u, p)) { fprintf (stderr, "m->sqrt gave incorrect result, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nr = 0x"); mpz_out_str (stderr, 16, r); fprintf (stderr, "\n"); abort (); } } mpz_clear (u); mpz_clear (t); free (up); free (rp); free (scratch); } static void test_sqrt_ratio (gmp_randstate_t rands, const struct ecc_modulo *m) { mpz_t u; mpz_t v; mpz_t p; mpz_t r; mpz_t t; unsigned z, i; mp_limb_t *up; mp_limb_t *vp; mp_limb_t *rp; mp_limb_t *scratch; mpz_init (u); mpz_init (v); mpz_init (t); mpz_roinit_n (p, m->m, m->size); up = xalloc_limbs (m->size); vp = xalloc_limbs (m->size); rp = xalloc_limbs (m->size); scratch = xalloc_limbs (m->sqrt_ratio_itch); /* Check behaviour for zero input */ mpn_zero (up, m->size); mpn_zero (vp, m->size); vp[0] = 1; memset (rp, 17, m->size * sizeof(*rp)); if (!m->sqrt_ratio (m, rp, up, vp, scratch)) { fprintf (stderr, "m->sqrt_ratio returned failure for zero input, bit_size = %d\n", m->bit_size); abort(); } if (!ecc_mod_zero_p (m, rp)) { fprintf (stderr, "m->sqrt_ratio failed for zero input (bit size %u):\n", m->bit_size); fprintf (stderr, "r = "); mpn_out_str (stderr, 16, rp, m->size); fprintf (stderr, " (bad)\n"); abort (); } /* Find a non-square */ for (z = 2; mpz_ui_kronecker (z, p) != -1; z++) ; if (verbose) fprintf(stderr, "test_sqrt_ratio on %d-bit modulo. Non square: %d\n", m->bit_size, z); for (i = 0; i < COUNT; i++) { if (i & 1) { mpz_rrandomb (u, rands, m->bit_size); mpz_rrandomb (v, rands, m->bit_size); } else { mpz_urandomb (u, rands, m->bit_size); mpz_urandomb (v, rands, m->bit_size); } mpz_limbs_copy (up, u, m->size); mpz_limbs_copy (vp, v, m->size); if (!m->sqrt_ratio (m, rp, up, vp, scratch)) { mpz_mul_ui (u, u, z); mpz_mod (u, u, p); mpz_limbs_copy (up, u, m->size); if (!m->sqrt_ratio (m, rp, up, vp, scratch)) { if (mpz_divisible_p (v, p)) /* v = 0 (mod p), sqrt_ratio should fail. */ continue; fprintf (stderr, "m->sqrt_ratio returned failure, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nv = 0x"); mpz_out_str (stderr, 16, v); fprintf (stderr, "\n"); abort (); } } /* Check that r^2 v = u */ mpz_roinit_n (r, rp, m->size); mpz_mul (t, r, r); mpz_mul (t, t, v); if (!mpz_congruent_p (t, u, p)) { fprintf (stderr, "m->sqrt_ratio gave incorrect result, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nv = 0x"); mpz_out_str (stderr, 16, v); fprintf (stderr, "\nr = 0x"); mpz_out_str (stderr, 16, r); fprintf (stderr, "\n"); abort (); } } mpz_clear (u); mpz_clear (v); mpz_clear (t); free (up); free (vp); free (rp); free (scratch); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { if (ecc_curves[i]->p.sqrt) test_sqrt (rands, &ecc_curves[i]->p, ecc_curves[i]->use_redc); if (ecc_curves[i]->p.sqrt_ratio) test_sqrt_ratio (rands, &ecc_curves[i]->p); } gmp_randclear (rands); } nettle-4.0/testsuite/ecdh-test.c0000644000000000000000000002610415141166425013663 0ustar00/* ecdh-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" static int set_point (struct ecc_point *p, const char *x, const char *y) { mpz_t X, Y; int ret; mpz_init_set_str (X, x, 0); mpz_init_set_str (Y, y, 0); ret = ecc_point_set (p, X, Y); mpz_clear (X); mpz_clear (Y); return ret; } static void set_scalar (struct ecc_scalar *s, const char *x) { mpz_t X; mpz_init_set_str (X, x, 0); if (!ecc_scalar_set (s, X)) abort (); mpz_clear (X); } static void check_point (const char *name, const char *label, const struct ecc_point *P, const struct ecc_point *R) { mpz_t px, py, rx, ry; mpz_init (px); mpz_init (py); mpz_init (rx); mpz_init (ry); ecc_point_get (P, px, py); ecc_point_get (R, rx, ry); /* FIXME: Should have a public point compare function */ if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0) { fprintf (stderr, "Failed %s %s\np_x = ", name, label); mpz_out_str (stderr, 10, px); fprintf (stderr, "\nr_x = "); mpz_out_str (stderr, 10, rx); fprintf (stderr, " (expected)\np_y = "); mpz_out_str (stderr, 10, py); fprintf (stderr, "\nr_y = "); mpz_out_str (stderr, 10, ry); fprintf (stderr, " (expected)\n"); abort (); } mpz_clear (px); mpz_clear (py); mpz_clear (rx); mpz_clear (ry); } static void test_dh (const char *name, const struct ecc_curve *ecc, const char *a_priv, const char *ax, const char *ay, const char *b_priv, const char *bx, const char *by, const char *sx, const char *sy) { struct ecc_point A, B, S, T; struct ecc_scalar A_priv, B_priv; ecc_scalar_init (&A_priv, ecc); set_scalar (&A_priv, a_priv); ecc_point_init (&A, ecc); ASSERT (set_point (&A, ax, ay)); ecc_scalar_init (&B_priv, ecc); set_scalar (&B_priv, b_priv); ecc_point_init (&B, ecc); ASSERT (set_point (&B, bx, by)); ecc_point_init (&S, ecc); ASSERT (set_point (&S, sx, sy)); ecc_point_init (&T, ecc); ecc_point_mul_g (&T, &A_priv); check_point (name, "a g", &T, &A); ecc_point_mul (&T, &B_priv, &T); check_point (name, "b (a g)", &T, &S); ecc_point_mul_g (&T, &B_priv); check_point (name, "b g", &T, &B); ecc_point_mul (&T, &A_priv, &T); check_point (name, "a (b g)", &T, &S); ecc_scalar_clear (&A_priv); ecc_scalar_clear (&B_priv); ecc_point_clear (&A); ecc_point_clear (&B); ecc_point_clear (&S); ecc_point_clear (&T); } static void test_public_key (const char *label, const struct ecc_curve *ecc, const char *x, const char *y, int expect_success) { struct ecc_point P; int ret; ecc_point_init (&P, ecc); ret = set_point (&P, x, y); if (!ret && expect_success) die ("Test point '%s' not on curve!\n", label); if (ret && !expect_success) die ("Expected failure to set point '%s'!", label); ecc_point_clear (&P); } void test_main(void) { test_public_key ("(0,0) with secp-192r1", &_nettle_secp_192r1, "0", "0", 0); test_public_key ( "(P,0) with secp-192r1", &_nettle_secp_192r1, "6277101735386680763835789423207666416083908700390324961279", "0", 0); test_public_key ( "(0,P) with secp-192r1", &_nettle_secp_192r1, "0", "6277101735386680763835789423207666416083908700390324961279", 0); test_public_key ( "(P,P) with secp-192r1", &_nettle_secp_192r1, "6277101735386680763835789423207666416083908700390324961279", "6277101735386680763835789423207666416083908700390324961279", 0); test_public_key ("(1,2) with secp-192r1", &_nettle_secp_192r1, "1", "2", 0); test_public_key ("(X,Y) with secp-192r1", &_nettle_secp_192r1, "1050363442265225480786760666329560655512990381040021438562", "5298249600854377235107392014200406283816103564916230704184", 1); test_dh ("secp-192r1", &_nettle_secp_192r1, "3406157206141798348095184987208239421004566462391397236532", "1050363442265225480786760666329560655512990381040021438562", "5298249600854377235107392014200406283816103564916230704184", "738368960171459956677260317271477822683777845013274506165", "2585840779771604687467445319428618542927556223024046979917", "293088185788565313717816218507714888251468410990708684573", "149293809021051532782730990145509724807636529827149481690", "2891131861147398318714693938158856874319184314120776776192"); test_dh ("secp-224r1", &_nettle_secp_224r1, "1321072106881784386340709783538698930880431939595776773514895067682", "6768311794185371282972144247871764855860666277647541840973645586477", "2880077809069104378181313860274147139049600284805670362929579614547", "13934723037778859565852601874354272638301919827851286722006496784914", "373124771833407982305885866158843810218322878380632071540538232035", "24223309755162432227459925493224336241652868856405241018762887667883", "8330362698029245839097779050425944245826040430538860338085968752913", "24167244512472228715617822000878192535267113543393576038737592837010"); test_dh ("secp-256r1", &_nettle_secp_256r1, "94731533361265297353914491124013058635674217345912524033267198103710636378786", "22441589863306126152768848344973918725077248391248404659242620344938484650846", "8673475622926171928656873398933611700804732317466515884933832073457396747355", "97657865959185011849283028361556797595752581630732610898393589042714626616209", "18453500628354973083413728373777272885280811435138222441593126858566687017580", "14365748655141740924607822284126054269177292284541187981786689038777833170313", "102958799567030688009123101477538973715497039396202015119148334812951370853564", "29188877854984806245046208182450375893010623119030341548941791125497546766367"); test_dh ("secp-384r1", &_nettle_secp_384r1, "39086550219018474560700767788227987514008150214902287969462741484831311917159729009715909108606822193356890811565070", "15536343869384820642787280162462493474000839389760580357050317691132784247078954166759523572989472049798969369413707", "23268351460749985365652822073294615614961429585671989812206213135127969284347174876010177880230302801199500921999966", "36869963309577906178833120963925446333578086292605692048464445726274368063284094788012795873582576522541658781990645", "6571571183519639697971973492227725184968062063941037806786906539419849188357322949908539215960508669158121817812397", "36555212611228586427448926841660565534959679681904941933188284044726925984417589749068550977832780023128545833460008", "27780263733159299625371532605243698753833039933618994121416145881861678645978369807598146716869504289033472077532789", "12327518461490664021199432424728005314646140038116972426756705356672414772151215711157356913456651047992140493843405"); test_dh ("secp-521r1", &_nettle_secp_521r1, "1177787298234877762125077260641419691552146813662613924864132680693789861345339466386194840381422980702458955378518702648732728796955434922249345867267377826", "3168153642368000846168628288850857848098131369578410603904155841373678828215434925507474033105518841999665785152501356092020415699294327720257651796364374116", "278603899104240796379373331240296114411332466119196525390128418935585486485808560319073463912513286987331907013829243645911963547435764718505394265715321106", "4632844957395758597246278843156350179301194123641664447791935593091018103746003967476919616681982477804041933745387575872964923485212972039478646226080044590", "3278857364905061449863537070675297207767865967146919975942590789168732752489407699106980407552332044280575891715425195464227794423128203118286002006478070253", "4488572162727491199625798812850846214916160870437505769058530973184916706326908828109446998319674522651965593412129100088877891410841200092694907512496020182", "2126311732129869456512627735193938710331935978955001830871465201548004444073866677974896970734635601049909886616595755762740651165670628002084824920216966370", "4803556648772727869384704240411011976585308117802975396033423138930126997561438092192867119930177133880625991019440171972612468402200399449807843995563872782"); /* NOTE: This isn't the standard way to do curve25519 diffie-hellman, but it tests that the ecc_point interface works also with curve25519. */ test_dh ("curve25519", &_nettle_curve25519, "238301186166219052901200372289459967515481170332211409964804596991365959539", "14283836751943535877833976277675258994717521964638468784408792140505262281235", "43912344711849354965202408139054167824861850336739416536288592824181793690574", "3795950278952272509684177709511717492358770264218705926196469999516028451559", "9468726108732441384988851273894214794301501512287024874346147472389705411936", "38072138078045635808869930165213470653418146012939584392304609812494425185763", "10481077163111981870382976851703705086808805457403127024129174358161599078055", "29260211489972704256554624312266763530759418996739976957020673870747051409679"); /* NOTE: This isn't the standard way to do curve448 diffie-hellman, but it tests that the ecc_point interface works also with curve448. */ test_dh ("curve448", &_nettle_curve448, "129458936807933142766404648460937163205634163580407624950524900086792185737444124895392953822100034523565454893159084960036749128566328", "23903108874160330022289088207864530114505726115081678533913226179385920277612083777349117962138808929878378666596532036566924169949084", "693683143993815499711046966874265987454661213870193324674425656110752379002105414428569086535475560314058341102862207145978150379762153", "66424594649188102315894632429895338306697492782714758296415311427244880255966850729749965592839835963032731282879151354354178946253531", "411851112596680430188999894591634506976361833537024658040418853047370769553774913299417695327870642536912872558385293694714169201128264", "337433451779159274143076131600929733721586133908369086734805607026091240174740218929467625260731556550599267570314197354864315711490353", "224725768629972498035446273711269105191383993674106563435257119903436206484342709996926420948730961128941009070083709026343858723205213", "514544926219850986487923720424370435708360925070646212523588162169142573918197583804309386017625350764529605929374479238949748203847320"); } nettle-4.0/testsuite/ecdsa-keygen-test.c0000644000000000000000000000435015141166425015316 0ustar00#include "testutils.h" #include "knuth-lfib.h" void test_main (void) { unsigned i; struct knuth_lfib_ctx rctx; struct dsa_signature signature; struct tstring *digest; knuth_lfib_init (&rctx, 4711); dsa_signature_init (&signature); digest = SHEX (/* sha256("abc") */ "BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; struct ecc_point pub; struct ecc_scalar key; if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* Exclude curve25519 and curve448, not supported with ECDSA. */ continue; if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size); ecc_point_init (&pub, ecc); ecc_scalar_init (&key, ecc); ecdsa_generate_keypair (&pub, &key, &rctx, (nettle_random_func *) knuth_lfib_random); if (verbose) { fprintf (stderr, "Public key:\nx = "); write_mpn (stderr, 16, pub.p, ecc->p.size); fprintf (stderr, "\ny = "); write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); fprintf (stderr, "\nPrivate key: "); write_mpn (stderr, 16, key.p, ecc->p.size); fprintf (stderr, "\n"); } if (!test_ecc_point_valid_p (&pub)) die ("ecdsa_generate_keypair produced an invalid point.\n"); ecdsa_sign (&key, &rctx, (nettle_random_func *) knuth_lfib_random, digest->length, digest->data, &signature); if (!ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify failed.\n"); digest->data[3] ^= 17; if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid digest.\n"); digest->data[3] ^= 17; mpz_combit (signature.r, 117); if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid signature.r.\n"); mpz_combit (signature.r, 117); mpz_combit (signature.s, 93); if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid signature.s.\n"); ecc_point_clear (&pub); ecc_scalar_clear (&key); } dsa_signature_clear (&signature); } nettle-4.0/testsuite/ecdsa-sign-test.c0000644000000000000000000001441015141166425014772 0ustar00#include "testutils.h" static void test_ecdsa (const struct ecc_curve *ecc, /* Private key */ const char *sz, /* Random nonce */ const char *sk, /* Hash */ const struct tstring *h, /* Expected signature */ const char *r, const char *s) { struct dsa_signature ref; mpz_t t; mpz_t z; mpz_t k; mp_limb_t *rp = xalloc_limbs (ecc->p.size); mp_limb_t *sp = xalloc_limbs (ecc->p.size); mp_limb_t *zp = xalloc_limbs (ecc->p.size); mp_limb_t *kp = xalloc_limbs (ecc->p.size); mp_limb_t *scratch = xalloc_limbs (ecc_ecdsa_sign_itch (ecc)); dsa_signature_init (&ref); mpz_init_set_str (z, sz, 16); mpz_init_set_str (k, sk, 16); mpz_limbs_copy (zp, z, ecc->p.size); mpz_limbs_copy (kp, k, ecc->p.size); mark_bytes_undefined (sizeof(mp_limb_t) * ecc->p.size, zp); mark_bytes_undefined (sizeof(mp_limb_t) * ecc->p.size, kp); ecc_ecdsa_sign (ecc, zp, kp, h->length, h->data, rp, sp, scratch); mark_bytes_defined (sizeof(mp_limb_t) * ecc->p.size, rp); mark_bytes_defined (sizeof(mp_limb_t) * ecc->p.size, sp); mpz_set_str (ref.r, r, 16); mpz_set_str (ref.s, s, 16); if (mpz_cmp (ref.r, mpz_roinit_n (t, rp, ecc->p.size)) != 0 || mpz_cmp (ref.s, mpz_roinit_n (t, sp, ecc->p.size)) != 0) { fprintf (stderr, "_ecdsa_sign failed, bit_size = %u\n", ecc->p.bit_size); fprintf (stderr, "r = "); write_mpn (stderr, 16, rp, ecc->p.size); fprintf (stderr, "\ns = "); write_mpn (stderr, 16, sp, ecc->p.size); fprintf (stderr, "\nref.r = "); mpz_out_str (stderr, 16, ref.r); fprintf (stderr, "\nref.s = "); mpz_out_str (stderr, 16, ref.s); fprintf (stderr, "\n"); abort(); } free (rp); free (sp); free (zp); free (kp); free (scratch); dsa_signature_clear (&ref); mpz_clear (k); mpz_clear (z); } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif /* Producing the signature for corresponding test in ecdsa-verify-test.c, with special u1 and u2. */ test_ecdsa (&_nettle_secp_224r1, "99b5b787484def12894ca507058b3bf5" "43d72d82fa7721d2e805e5e6", "2", SHEX("cdb887ac805a3b42e22d224c85482053" "16c755d4a736bb2032c92553"), "706a46dc76dcb76798e60e6d89474788" "d16dc18032d268fd1a704fa6", /* r */ "3a41e1423b1853e8aa89747b1f987364" "44705d6d6d8371ea1f578f2e"); /* s */ /* Produce a signature where verify operation results in a point duplication. */ test_ecdsa (&_nettle_secp_256r1, "1", /* Private key */ "01010101010101010101010101010101" "01010101010101010101010101010101", /* nonce */ SHEX("6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16"), /* hash */ "6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16", /* r */ "53f097727a0e0dc284a0daa0da0ab77d" "5792ae67ed075d1f8d5bda0f853fa093"); /* s */ /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */ test_ecdsa (&_nettle_secp_192r1, "DC51D3866A15BACDE33D96F992FCA99D" "A7E6EF0934E70975", /* z */ "9E56F509196784D963D1C0A401510EE7" "ADA3DCC5DEE04B15", /* k */ SHEX("BA7816BF8F01CFEA414140DE5DAE2223" "B00361A396177A9C"), /* h */ "8c478db6a5c131540cebc739f9c0a9a8" "c720c2abdd14a891", /* r */ "a91fb738f9f175d72f9c98527e881c36" "8de68cb55ffe589"); /* s */ test_ecdsa (&_nettle_secp_224r1, "446df0a771ed58403ca9cb316e617f6b" "158420465d00a69601e22858", /* z */ "4c13f1905ad7eb201178bc08e0c9267b" "4751c15d5e1831ca214c33f4", /* z */ SHEX("1b28a611fe62ab3649350525d06703ba" "4b979a1e543566fd5caa85c6"), /* h */ "2cc280778f3d067df6d3adbe3a6aad63" "bc75f08f5c5f915411902a99", /* r */ "d0f069fd0f108eb07b7bbc54c8d6c88d" "f2715c38a95c31a2b486995f"); /* s */ /* From RFC 4754 */ test_ecdsa (&_nettle_secp_256r1, "DC51D386 6A15BACD E33D96F9 92FCA99D" "A7E6EF09 34E70975 59C27F16 14C88A7F", /* z */ "9E56F509 196784D9 63D1C0A4 01510EE7" "ADA3DCC5 DEE04B15 4BF61AF1 D5A6DECE", /* k */ SHEX("BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"), /* h */ "CB28E099 9B9C7715 FD0A80D8 E47A7707" "9716CBBF 917DD72E 97566EA1 C066957C", /* r */ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ test_ecdsa (&_nettle_secp_384r1, "0BEB6466 34BA8773 5D77AE48 09A0EBEA" "865535DE 4C1E1DCB 692E8470 8E81A5AF" "62E528C3 8B2A81B3 5309668D 73524D9F", /* z */ "B4B74E44 D71A13D5 68003D74 89908D56" "4C7761E2 29C58CBF A1895009 6EB7463B" "854D7FA9 92F934D9 27376285 E63414FA", /* k */ SHEX("CB00753F 45A35E8B B5A03D69 9AC65007" "272C32AB 0EDED163 1A8B605A 43FF5BED" "8086072B A1E7CC23 58BAECA1 34C825A7"), /* h */ "FB017B91 4E291494 32D8BAC2 9A514640" "B46F53DD AB2C6994 8084E293 0F1C8F7E" "08E07C9C 63F2D21A 07DCB56A 6AF56EB3", /* r */ "B263A130 5E057F98 4D38726A 1B468741" "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ test_ecdsa (&_nettle_secp_521r1, "0065FDA3 409451DC AB0A0EAD 45495112" "A3D813C1 7BFD34BD F8C1209D 7DF58491" "20597779 060A7FF9 D704ADF7 8B570FFA" "D6F062E9 5C7E0C5D 5481C5B1 53B48B37" "5FA1", /* z */ "00C1C2B3 05419F5A 41344D7E 4359933D" "734096F5 56197A9B 244342B8 B62F46F9" "373778F9 DE6B6497 B1EF825F F24F42F9" "B4A4BD73 82CFC337 8A540B1B 7F0C1B95" "6C2F", /* k */ SHEX("DDAF35A1 93617ABA CC417349 AE204131" "12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A" "2192992A 274FC1A8 36BA3C23 A3FEEBBD" "454D4423 643CE80E 2A9AC94F A54CA49F"), /* h */ "0154FD38 36AF92D0 DCA57DD5 341D3053" "988534FD E8318FC6 AAAAB68E 2E6F4339" "B19F2F28 1A7E0B22 C269D93C F8794A92" "78880ED7 DBB8D936 2CAEACEE 54432055" "2251", /* r */ "017705A7 030290D1 CEB605A9 A1BB03FF" "9CDD521E 87A696EC 926C8C10 C8362DF4" "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ } nettle-4.0/testsuite/ecdsa-verify-test.c0000644000000000000000000001504115141166425015337 0ustar00#include "testutils.h" static void test_ecdsa (const struct ecc_curve *ecc, /* Public key */ const char *xs, const char *ys, /* Hash */ struct tstring *h, /* Valid signature */ const char *r, const char *s) { struct ecc_point pub; struct dsa_signature signature; mpz_t x, y; ecc_point_init (&pub, ecc); dsa_signature_init (&signature); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); if (!ecc_point_set (&pub, x, y)) die ("ecc_point_set failed.\n"); mpz_set_str (signature.r, r, 16); mpz_set_str (signature.s, s, 16); if (!ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size); mpz_out_str (stderr, 16, x); fprintf (stderr, "\ny = "); mpz_out_str (stderr, 16, y); fprintf (stderr, "\ndigest "); print_hex (h->length, h->data); fprintf (stderr, "r = "); mpz_out_str (stderr, 16, signature.r); fprintf (stderr, "\ns = "); mpz_out_str (stderr, 16, signature.s); fprintf (stderr, "\n"); abort(); } mpz_combit (signature.r, ecc->p.bit_size / 3); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (r modified).\n"); goto fail; } mpz_combit (signature.r, ecc->p.bit_size / 3); mpz_combit (signature.s, 4*ecc->p.bit_size / 5); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (s modified).\n"); goto fail; } mpz_combit (signature.s, 4*ecc->p.bit_size / 5); h->data[2*h->length / 3] ^= 0x40; if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (h modified).\n"); goto fail; } h->data[2*h->length / 3] ^= 0x40; if (!ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify failed, internal testsuite error.\n"); goto fail; } ecc_point_clear (&pub); dsa_signature_clear (&signature); mpz_clear (x); mpz_clear (y); } void test_main (void) { /* Corresponds to nonce k = 2 and private key z = 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and hash are chosen so that intermediate scalars in the verify equations are u1 = 0x6b245680e700, u2 = 259da6542d4ba7d21ad916c3bd57f811. These values require canonical reduction of the scalars. Bug caused by missing canonical reduction reported by Guido Vranken. */ test_ecdsa (&_nettle_secp_224r1, "9e7e6cc6b1bdfa8ee039b66ad85e5490" "7be706a900a3cba1c8fdd014", /* x */ "74855db3f7c1b4097ae095745fc915e3" "8a79d2a1de28f282eafb22ba", /* y */ SHEX("cdb887ac805a3b42e22d224c85482053" "16c755d4a736bb2032c92553"), "706a46dc76dcb76798e60e6d89474788" "d16dc18032d268fd1a704fa6", /* r */ "3a41e1423b1853e8aa89747b1f987364" "44705d6d6d8371ea1f578f2e"); /* s */ /* Test case provided by Guido Vranken, from oss-fuzz */ test_ecdsa (&_nettle_secp_192r1, "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */ " 1e2584 2ab8b2b0 4017f655 1b5e4058 a2aa0612 2dae9344", /* y */ SHEX("00"), /* h == 0 corner case*/ "952800792ed19341fdeeec047f2514f3b0f150d6066151fb", /* r */ "ec5971222014878b50d7a19d8954bc871e7e65b00b860ffb"); /* s */ /* Test case provided by Guido Vranken, from oss-fuzz. Triggers point duplication in the verify operation by using private key = 1 (public key = generator) and hash = r. */ test_ecdsa (&_nettle_secp_256r1, "6B17D1F2E12C4247F8BCE6E563A440F2" "77037D812DEB33A0F4A13945D898C296", /* x */ "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" "2BCE33576B315ECECBB6406837BF51F5", /* y */ SHEX("6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16"), /* hash */ "6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16", /* r */ "53f097727a0e0dc284a0daa0da0ab77d" "5792ae67ed075d1f8d5bda0f853fa093"); /* s */ /* From RFC 4754 */ test_ecdsa (&_nettle_secp_256r1, "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" "BF42D60C BCA20085 E0822CB0 4235E970", /* x */ "6FC98BD7 E50211A4 A27102FA 3549DF79" "EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D", /* y */ SHEX("BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"), /* h */ "CB28E099 9B9C7715 FD0A80D8 E47A7707" "9716CBBF 917DD72E 97566EA1 C066957C", /* r */ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ test_ecdsa (&_nettle_secp_384r1, "96281BF8 DD5E0525 CA049C04 8D345D30" "82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922", /* x */ "447688BA 94708EB6 E2E4D59F 6AB6D7ED" "FF9301D2 49FE49C3 3096655F 5D502FAD" "3D383B91 C5E7EDAA 2B714CC9 9D5743CA", /* y */ SHEX("CB00753F 45A35E8B B5A03D69 9AC65007" "272C32AB 0EDED163 1A8B605A 43FF5BED" "8086072B A1E7CC23 58BAECA1 34C825A7"), /* h */ "FB017B91 4E291494 32D8BAC2 9A514640" "B46F53DD AB2C6994 8084E293 0F1C8F7E" "08E07C9C 63F2D21A 07DCB56A 6AF56EB3", /* r */ "B263A130 5E057F98 4D38726A 1B468741" "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ test_ecdsa (&_nettle_secp_521r1, "0151518F 1AF0F563 517EDD54 85190DF9" "5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018" "8901CECD 650699C9 B5E456AE A5ADD190" "52A8", /* x */ "006F3B14 2EA1BFFF 7E2837AD 44C9E4FF" "6D2D34C7 3184BBAD 90026DD5 E6E85317" "D9DF45CA D7803C6C 20035B2F 3FF63AFF" "4E1BA64D 1C077577 DA3F4286 C58F0AEA" "E643", /* y */ SHEX("DDAF35A1 93617ABA CC417349 AE204131" "12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A" "2192992A 274FC1A8 36BA3C23 A3FEEBBD" "454D4423 643CE80E 2A9AC94F A54CA49F"), /* h */ "0154FD38 36AF92D0 DCA57DD5 341D3053" "988534FD E8318FC6 AAAAB68E 2E6F4339" "B19F2F28 1A7E0B22 C269D93C F8794A92" "78880ED7 DBB8D936 2CAEACEE 54432055" "2251", /* r */ "017705A7 030290D1 CEB605A9 A1BB03FF" "9CDD521E 87A696EC 926C8C10 C8362DF4" "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ } nettle-4.0/testsuite/ed25519-test.c0000644000000000000000000001307215141166425013756 0ustar00/* ed25519-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #include "testutils.h" #include #include "eddsa.h" #include "base16.h" static void decode_hex (size_t length, uint8_t *dst, const char *src) { struct base16_decode_ctx ctx; size_t out_size = length; base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &out_size, dst, 2*length, src)); ASSERT (out_size == length); ASSERT (base16_decode_final (&ctx)); } /* Processes a single line in the format of http://ed25519.cr.yp.to/python/sign.input: sk pk : pk : m : s m : where sk (secret key) and pk (public key) are 32 bytes each, m is variable size, and s is 64 bytes. All values hex encoded. */ static void test_one (const char *line) { const char *p; const char *mp; uint8_t sk[ED25519_KEY_SIZE]; uint8_t pk[ED25519_KEY_SIZE]; uint8_t t[ED25519_KEY_SIZE]; uint8_t s[ED25519_SIGNATURE_SIZE]; uint8_t *msg; size_t msg_size; uint8_t s2[ED25519_SIGNATURE_SIZE]; decode_hex (ED25519_KEY_SIZE, sk, line); p = strchr (line, ':'); ASSERT (p == line + 128); p++; decode_hex (ED25519_KEY_SIZE, pk, p); p = strchr (p, ':'); ASSERT (p == line + 193); mp = ++p; p = strchr (p, ':'); ASSERT (p); ASSERT ((p - mp) % 2 == 0); msg_size = (p - mp) / 2; decode_hex (ED25519_SIGNATURE_SIZE, s, p+1); msg = xalloc (msg_size + 1); msg[msg_size] = 'x'; decode_hex (msg_size, msg, mp); mark_bytes_undefined (ED25519_KEY_SIZE, sk); ed25519_sha512_public_key (t, sk); mark_bytes_defined (ED25519_KEY_SIZE, t); ASSERT (MEMEQ(ED25519_KEY_SIZE, t, pk)); ed25519_sha512_sign (pk, sk, msg_size, msg, s2); mark_bytes_defined (ED25519_SIGNATURE_SIZE, s2); ASSERT (MEMEQ (ED25519_SIGNATURE_SIZE, s, s2)); ASSERT (ed25519_sha512_verify (pk, msg_size, msg, s)); s2[ED25519_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); memcpy (s2, s, ED25519_SIGNATURE_SIZE); s2[2*ED25519_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); ASSERT (!ed25519_sha512_verify (pk, msg_size + 1, msg, s)); if (msg_size > 0) { msg[msg_size-1] ^= 0x20; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s)); } free (msg); } #ifndef HAVE_GETLINE static ssize_t getline(char **lineptr, size_t *n, FILE *f) { size_t i; int c; if (!*lineptr) { *n = 500; *lineptr = xalloc (*n); } i = 0; do { c = getc(f); if (c < 0) { if (i > 0) break; return -1; } (*lineptr) [i++] = c; if (i == *n) { *n *= 2; *lineptr = realloc (*lineptr, *n); if (!*lineptr) die ("Virtual memory exhausted.\n"); } } while (c != '\n'); (*lineptr) [i] = 0; return i; } #endif void test_main(void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif const char *input = getenv ("ED25519_SIGN_INPUT"); if (input) { size_t buf_size; char *buf; FILE *f = fopen (input, "r"); if (!f) die ("Opening input file '%s' failed: %s\n", input, strerror (errno)); for (buf = NULL; getline (&buf, &buf_size, f) >= 0; ) test_one (buf); free (buf); fclose (f); } else { /* First few lines only */ test_one ("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a:d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a::e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b:"); test_one ("4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:72:92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c0072:"); test_one ("c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:af82:6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40aaf82:"); test_one ("0d4a05b07352a5436e180356da0ae6efa0345ff7fb1572575772e8005ed978e9e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:cbc77b:d9868d52c2bebce5f3fa5a79891970f309cb6591e3e1702a70276fa97c24b3a8e58606c38c9758529da50ee31b8219cba45271c689afa60b0ea26c99db19b00ccbc77b:"); } } nettle-4.0/testsuite/ed448-test.c0000644000000000000000000003726715141166425013624 0ustar00/* ed448-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #include "testutils.h" #include #include "eddsa.h" #include "base16.h" static void decode_hex (size_t length, uint8_t *dst, const char *src) { struct base16_decode_ctx ctx; size_t out_size = length; base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &out_size, dst, 2*length, src)); ASSERT (out_size == length); ASSERT (base16_decode_final (&ctx)); } /* Processes a single line in the format of http://ed25519.cr.yp.to/python/sign.input: sk pk : pk : m : s m : where sk (secret key) and pk (public key) are 57 bytes each, m is variable size, and s is 114 bytes. All values hex encoded. */ static void test_one (const char *line) { const char *p; const char *mp; uint8_t sk[ED448_KEY_SIZE]; uint8_t pk[ED448_KEY_SIZE]; uint8_t t[ED448_KEY_SIZE]; uint8_t s[ED448_SIGNATURE_SIZE]; uint8_t *msg; size_t msg_size; uint8_t s2[ED448_SIGNATURE_SIZE]; decode_hex (ED448_KEY_SIZE, sk, line); p = strchr (line, ':'); ASSERT (p == line + 228); p++; decode_hex (ED448_KEY_SIZE, pk, p); p = strchr (p, ':'); ASSERT (p == line + 343); mp = ++p; p = strchr (p, ':'); ASSERT (p); ASSERT ((p - mp) % 2 == 0); msg_size = (p - mp) / 2; decode_hex (ED448_SIGNATURE_SIZE, s, p+1); msg = xalloc (msg_size + 1); msg[msg_size] = 'x'; decode_hex (msg_size, msg, mp); mark_bytes_undefined (ED448_KEY_SIZE, sk); ed448_shake256_public_key (t, sk); mark_bytes_defined (ED448_KEY_SIZE, t); ASSERT (MEMEQ(ED448_KEY_SIZE, t, pk)); ed448_shake256_sign (pk, sk, msg_size, msg, s2); mark_bytes_defined (ED448_SIGNATURE_SIZE, s2); ASSERT (MEMEQ (ED448_SIGNATURE_SIZE, s, s2)); ASSERT (ed448_shake256_verify (pk, msg_size, msg, s)); s2[ED448_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s2)); memcpy (s2, s, ED448_SIGNATURE_SIZE); s2[2*ED448_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s2)); ASSERT (!ed448_shake256_verify (pk, msg_size + 1, msg, s)); if (msg_size > 0) { msg[msg_size-1] ^= 0x20; ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s)); } free (msg); } /* Subset of test vectors from https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/ed448_test.json */ static void test_wycheproof (void) { /* tcId: 76 */ struct tstring *pub = SHEX ("419610a534af127f583b04818cdb7f0ff300b025f2e01682bcae33fd691cee03" "9511df0cddc690ee978426e8b38e50ce5af7dcfba50f704c00"); struct tstring *msg = SHEX ("54657374"); struct tstring *sig /* Final octet should be zero, but isn't. */ = SHEX ("5d053ff5b71f6ec3284525d35d77933178c8e19879886d08eccc6c7d27e9e5b5" "e02537dbc4d4723506e8d171fc1733857573dd02d18f48f280" "31d67d699a188a9ca46b4eabe2107aef237ca609cb462e24c91d25d286402b6e" "f7862b78a386950246ff38d6d2f458136d12e3c97fdd982601"); ASSERT (pub->length == ED448_KEY_SIZE); ASSERT (sig->length == ED448_SIGNATURE_SIZE); ASSERT (!ed448_shake256_verify (pub->data, msg->length, msg->data, sig->data)); /* Should verify when last octet is set to zero. */ sig->data[ED448_SIGNATURE_SIZE - 1] = 0; ASSERT (ed448_shake256_verify (pub->data, msg->length, msg->data, sig->data)); } #ifndef HAVE_GETLINE static ssize_t getline(char **lineptr, size_t *n, FILE *f) { size_t i; int c; if (!*lineptr) { *n = 500; *lineptr = xalloc (*n); } i = 0; do { c = getc(f); if (c < 0) { if (i > 0) break; return -1; } (*lineptr) [i++] = c; if (i == *n) { *n *= 2; *lineptr = realloc (*lineptr, *n); if (!*lineptr) die ("Virtual memory exhausted.\n"); } } while (c != '\n'); (*lineptr) [i] = 0; return i; } #endif void test_main(void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif const char *input = getenv ("ED448_SIGN_INPUT"); if (input) { size_t buf_size; char *buf; FILE *f = fopen (input, "r"); if (!f) die ("Opening input file '%s' failed: %s\n", input, strerror (errno)); for (buf = NULL; getline (&buf, &buf_size, f) >= 0; ) test_one (buf); free (buf); fclose (f); } else { /* Test vectors from RFC 8032. */ /* Blank */ test_one ("6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b" "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180:" "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180:" ":" "533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600" ":"); /* 1 octet */ test_one ("c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e" "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480:" "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480:" "03:" "26b8f91727bd62897af15e41eb43c377efb9c610d48f2335cb0bd0087810f4352541b143c4b981b7e18f62de8ccdf633fc1bf037ab7cd779805e0dbcc0aae1cbcee1afb2e027df36bc04dcecbf154336c19f0af7e0a6472905e799f1953d2a0ff3348ab21aa4adafd1d234441cf807c03a00" "03:"); /* 11 octets */ test_one ("cd23d24f714274e744343237b93290f511f6425f98e64459ff203e8985083ffdf60500553abc0e05cd02184bdb89c4ccd67e187951267eb328" "dcea9e78f35a1bf3499a831b10b86c90aac01cd84b67a0109b55a36e9328b1e365fce161d71ce7131a543ea4cb5f7e9f1d8b00696447001400:" "dcea9e78f35a1bf3499a831b10b86c90aac01cd84b67a0109b55a36e9328b1e365fce161d71ce7131a543ea4cb5f7e9f1d8b00696447001400:" "0c3e544074ec63b0265e0c:" "1f0a8888ce25e8d458a21130879b840a9089d999aaba039eaf3e3afa090a09d389dba82c4ff2ae8ac5cdfb7c55e94d5d961a29fe0109941e00b8dbdeea6d3b051068df7254c0cdc129cbe62db2dc957dbb47b51fd3f213fb8698f064774250a5028961c9bf8ffd973fe5d5c206492b140e00" "0c3e544074ec63b0265e0c:"); /* 12 octets */ test_one ("258cdd4ada32ed9c9ff54e63756ae582fb8fab2ac721f2c8e676a72768513d939f63dddb55609133f29adf86ec9929dccb52c1c5fd2ff7e21b" "3ba16da0c6f2cc1f30187740756f5e798d6bc5fc015d7c63cc9510ee3fd44adc24d8e968b6e46e6f94d19b945361726bd75e149ef09817f580:" "3ba16da0c6f2cc1f30187740756f5e798d6bc5fc015d7c63cc9510ee3fd44adc24d8e968b6e46e6f94d19b945361726bd75e149ef09817f580:" "64a65f3cdedcdd66811e2915:" "7eeeab7c4e50fb799b418ee5e3197ff6bf15d43a14c34389b59dd1a7b1b85b4ae90438aca634bea45e3a2695f1270f07fdcdf7c62b8efeaf00b45c2c96ba457eb1a8bf075a3db28e5c24f6b923ed4ad747c3c9e03c7079efb87cb110d3a99861e72003cbae6d6b8b827e4e6c143064ff3c00" "64a65f3cdedcdd66811e2915:"); /* 13 octets */ test_one ("7ef4e84544236752fbb56b8f31a23a10e42814f5f55ca037cdcc11c64c9a3b2949c1bb60700314611732a6c2fea98eebc0266a11a93970100e" "b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80:" "b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80:" "64a65f3cdedcdd66811e2915e7:" "6a12066f55331b6c22acd5d5bfc5d71228fbda80ae8dec26bdd306743c5027cb4890810c162c027468675ecf645a83176c0d7323a2ccde2d80efe5a1268e8aca1d6fbc194d3f77c44986eb4ab4177919ad8bec33eb47bbb5fc6e28196fd1caf56b4e7e0ba5519234d047155ac727a1053100" "64a65f3cdedcdd66811e2915e7:"); /* 64 octets */ test_one ("d65df341ad13e008567688baedda8e9dcdc17dc024974ea5b4227b6530e339bff21f99e68ca6968f3cca6dfe0fb9f4fab4fa135d5542ea3f01" "df9705f58edbab802c7f8363cfe5560ab1c6132c20a9f1dd163483a26f8ac53a39d6808bf4a1dfbd261b099bb03b3fb50906cb28bd8a081f00:" "df9705f58edbab802c7f8363cfe5560ab1c6132c20a9f1dd163483a26f8ac53a39d6808bf4a1dfbd261b099bb03b3fb50906cb28bd8a081f00:" "bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944:" "554bc2480860b49eab8532d2a533b7d578ef473eeb58c98bb2d0e1ce488a98b18dfde9b9b90775e67f47d4a1c3482058efc9f40d2ca033a0801b63d45b3b722ef552bad3b4ccb667da350192b61c508cf7b6b5adadc2c8d9a446ef003fb05cba5f30e88e36ec2703b349ca229c2670833900" "bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944:"); /* 256 octets */ test_one ("2ec5fe3c17045abdb136a5e6a913e32ab75ae68b53d2fc149b77e504132d37569b7e766ba74a19bd6162343a21c8590aa9cebca9014c636df5" "79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00:" "79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00:" "15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11:" "c650ddbb0601c19ca11439e1640dd931f43c518ea5bea70d3dcde5f4191fe53f00cf966546b72bcc7d58be2b9badef28743954e3a44a23f880e8d4f1cfce2d7a61452d26da05896f0a50da66a239a8a188b6d825b3305ad77b73fbac0836ecc60987fd08527c1a8e80d5823e65cafe2a3d00" "15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11:"); /* 1023 octets */ test_one ("872d093780f5d3730df7c212664b37b8a0f24f56810daa8382cd4fa3f77634ec44dc54f1c2ed9bea86fafb7632d8be199ea165f5ad55dd9ce8" "a81b2e8a70a5ac94ffdbcc9badfc3feb0801f258578bb114ad44ece1ec0e799da08effb81c5d685c0c56f64eecaef8cdf11cc38737838cf400:" "a81b2e8a70a5ac94ffdbcc9badfc3feb0801f258578bb114ad44ece1ec0e799da08effb81c5d685c0c56f64eecaef8cdf11cc38737838cf400:" "6ddf802e1aae4986935f7f981ba3f0351d6273c0a0c22c9c0e8339168e675412a3debfaf435ed651558007db4384b650fcc07e3b586a27a4f7a00ac8a6fec2cd86ae4bf1570c41e6a40c931db27b2faa15a8cedd52cff7362c4e6e23daec0fbc3a79b6806e316efcc7b68119bf46bc76a26067a53f296dafdbdc11c77f7777e972660cf4b6a9b369a6665f02e0cc9b6edfad136b4fabe723d2813db3136cfde9b6d044322fee2947952e031b73ab5c603349b307bdc27bc6cb8b8bbd7bd323219b8033a581b59eadebb09b3c4f3d2277d4f0343624acc817804728b25ab797172b4c5c21a22f9c7839d64300232eb66e53f31c723fa37fe387c7d3e50bdf9813a30e5bb12cf4cd930c40cfb4e1fc622592a49588794494d56d24ea4b40c89fc0596cc9ebb961c8cb10adde976a5d602b1c3f85b9b9a001ed3c6a4d3b1437f52096cd1956d042a597d561a596ecd3d1735a8d570ea0ec27225a2c4aaff263" "06d1526c1af3ca6d9cf5a2c98f47e1c46db9a33234cfd4d81f2c98538a09ebe76998d0d8fd25997c7d255c6d66ece6fa56f11144950f027795e653008f4bd7ca2dee85d8e90f3dc315130ce2a00375a318c7c3d97be2c8ce5b6db41a6254ff264fa6155baee3b0773c0f497c573f19bb4f4240281f0b1f4f7be857a4e59d416c06b4c50fa09e1810ddc6b1467baeac5a3668d11b6ecaa901440016f389f80acc4db977025e7f5924388c7e340a732e554440e76570f8dd71b7d640b3450d1fd5f0410a18f9a3494f707c717b79b4bf75c98400b096b21653b5d217cf3565c9597456f70703497a078763829bc01bb1cbc8fa04eadc9a6e3f6699587a9e75c94e5bab0036e0b2e711392cff0047d0d6b05bd2a588bc109718954259f1d86678a579a3120f19cfb2963f177aeb70f2d4844826262e51b80271272068ef5b3856fa8535aa2a88b2d41f2a0e2fda7624c2850272ac4a2f561f8f2f7a318bfd5c" "af9696149e4ac824ad3460538fdc25421beec2cc6818162d06bbed0c40a387192349db67a118bada6cd5ab0140ee273204f628aad1c135f770279a651e24d8c14d75a6059d76b96a6fd857def5e0b354b27ab937a5815d16b5fae407ff18222c6d1ed263be68c95f32d908bd895cd76207ae726487567f9a67dad79abec316f683b17f2d02bf07e0ac8b5bc6162cf94697b3c27cd1fea49b27f23ba2901871962506520c392da8b6ad0d99f7013fbc06c2c17a569500c8a7696481c1cd33e9b14e40b82e79a5f5db82571ba97bae3ad3e0479515bb0e2b0f3bfcd1fd33034efc6245eddd7ee2086ddae2600d8ca73e214e8c2b0bdb2b047c6a464a562ed77b73d2d841c4b34973551257713b753632efba348169abc90a68f42611a40126d7cb21b58695568186f7e569d2ff0f9e745d0487dd2eb997cafc5abf9dd102e62ff66cba87:" "e301345a41a39a4d72fff8df69c98075a0cc082b802fc9b2b6bc503f926b65bddf7f4c8f1cb49f6396afc8a70abe6d8aef0db478d4c6b2970076c6a0484fe76d76b3a97625d79f1ce240e7c576750d295528286f719b413de9ada3e8eb78ed573603ce30d8bb761785dc30dbc320869e1a00" "6ddf802e1aae4986935f7f981ba3f0351d6273c0a0c22c9c0e8339168e675412a3debfaf435ed651558007db4384b650fcc07e3b586a27a4f7a00ac8a6fec2cd86ae4bf1570c41e6a40c931db27b2faa15a8cedd52cff7362c4e6e23daec0fbc3a79b6806e316efcc7b68119bf46bc76a26067a53f296dafdbdc11c77f7777e972660cf4b6a9b369a6665f02e0cc9b6edfad136b4fabe723d2813db3136cfde9b6d044322fee2947952e031b73ab5c603349b307bdc27bc6cb8b8bbd7bd323219b8033a581b59eadebb09b3c4f3d2277d4f0343624acc817804728b25ab797172b4c5c21a22f9c7839d64300232eb66e53f31c723fa37fe387c7d3e50bdf9813a30e5bb12cf4cd930c40cfb4e1fc622592a49588794494d56d24ea4b40c89fc0596cc9ebb961c8cb10adde976a5d602b1c3f85b9b9a001ed3c6a4d3b1437f52096cd1956d042a597d561a596ecd3d1735a8d570ea0ec27225a2c4aaff263" "06d1526c1af3ca6d9cf5a2c98f47e1c46db9a33234cfd4d81f2c98538a09ebe76998d0d8fd25997c7d255c6d66ece6fa56f11144950f027795e653008f4bd7ca2dee85d8e90f3dc315130ce2a00375a318c7c3d97be2c8ce5b6db41a6254ff264fa6155baee3b0773c0f497c573f19bb4f4240281f0b1f4f7be857a4e59d416c06b4c50fa09e1810ddc6b1467baeac5a3668d11b6ecaa901440016f389f80acc4db977025e7f5924388c7e340a732e554440e76570f8dd71b7d640b3450d1fd5f0410a18f9a3494f707c717b79b4bf75c98400b096b21653b5d217cf3565c9597456f70703497a078763829bc01bb1cbc8fa04eadc9a6e3f6699587a9e75c94e5bab0036e0b2e711392cff0047d0d6b05bd2a588bc109718954259f1d86678a579a3120f19cfb2963f177aeb70f2d4844826262e51b80271272068ef5b3856fa8535aa2a88b2d41f2a0e2fda7624c2850272ac4a2f561f8f2f7a318bfd5c" "af9696149e4ac824ad3460538fdc25421beec2cc6818162d06bbed0c40a387192349db67a118bada6cd5ab0140ee273204f628aad1c135f770279a651e24d8c14d75a6059d76b96a6fd857def5e0b354b27ab937a5815d16b5fae407ff18222c6d1ed263be68c95f32d908bd895cd76207ae726487567f9a67dad79abec316f683b17f2d02bf07e0ac8b5bc6162cf94697b3c27cd1fea49b27f23ba2901871962506520c392da8b6ad0d99f7013fbc06c2c17a569500c8a7696481c1cd33e9b14e40b82e79a5f5db82571ba97bae3ad3e0479515bb0e2b0f3bfcd1fd33034efc6245eddd7ee2086ddae2600d8ca73e214e8c2b0bdb2b047c6a464a562ed77b73d2d841c4b34973551257713b753632efba348169abc90a68f42611a40126d7cb21b58695568186f7e569d2ff0f9e745d0487dd2eb997cafc5abf9dd102e62ff66cba87:"); test_wycheproof (); } } nettle-4.0/testsuite/eddsa-compress-test.c0000644000000000000000000000631615141166425015674 0ustar00/* eddsa-compress-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" #include "eddsa-internal.h" #define COUNT 500 void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size, itch; mpz_t zp, t; mp_limb_t *s; mp_limb_t *p; mp_limb_t *pa1; mp_limb_t *pa2; mp_limb_t *scratch; size_t clen; uint8_t *c; unsigned j; if (!(ecc->p.bit_size == 255 || ecc->p.bit_size == 448)) continue; size = ecc_size (ecc); clen = 1 + ecc->p.bit_size / 8; mpz_roinit_n (zp, ecc->p.m, size); mpz_init (t); s = xalloc_limbs (size); p = xalloc_limbs (ecc_size_j (ecc)); pa1 = xalloc_limbs (ecc_size_a (ecc)); pa2 = xalloc_limbs (ecc_size_a (ecc)); c = xalloc (clen); itch = _eddsa_decompress_itch (ecc); if (itch < ecc->mul_g_itch) itch = ecc->mul_g_itch; ASSERT (_eddsa_compress_itch (ecc) <= itch); scratch = xalloc_limbs (itch); for (j = 0; j < COUNT; j++) { mpz_t x1, y1, x2, y2; mpz_urandomb (t, rands, ecc->q.bit_size); mpz_limbs_copy (s, t, ecc->q.size); ecc->mul_g (ecc, p, s, scratch); _eddsa_compress (ecc, c, p, scratch); ecc->h_to_a (ecc, 0, pa1, p, scratch); _eddsa_decompress (ecc, pa2, c, scratch); mpz_roinit_n (x1, pa1, size); mpz_roinit_n (y1, pa1 + size, size); mpz_roinit_n (x2, pa2, size); mpz_roinit_n (y2, pa2 + size, size); if (!(mpz_congruent_p (x1, x2, zp) && mpz_congruent_p (y1, y2, zp))) { fprintf (stderr, "eddsa compression failed:\nc = "); print_hex (clen, c); fprintf (stderr, "\np1 = 0x"); mpz_out_str (stderr, 16, x1); fprintf (stderr, ",\n 0x"); mpz_out_str (stderr, 16, y1); fprintf (stderr, "\np2 = 0x"); mpz_out_str (stderr, 16, x2); fprintf (stderr, ",\n 0x"); mpz_out_str (stderr, 16, y2); fprintf (stderr, "\n"); FAIL(); } } mpz_clear (t); free (s); free (p); free (c); free (pa1); free (pa2); free (scratch); } gmp_randclear (rands); } nettle-4.0/testsuite/eddsa-sign-test.c0000644000000000000000000001623015141166425014775 0ustar00/* eddsa-sign-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" #include "eddsa-internal.h" #include "sha3.h" static void test_eddsa_sign (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const struct tstring *public, const struct tstring *private, const struct tstring *msg, const struct tstring *ref) { mp_limb_t *scratch = xalloc_limbs (_eddsa_sign_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *signature = xalloc (2*nbytes); uint8_t *public_out = xalloc (nbytes); uint8_t *digest = xalloc (2*nbytes); const uint8_t *k1 = digest + nbytes; mp_limb_t *k2 = xalloc_limbs (ecc->p.size); ASSERT (public->length == nbytes); ASSERT (private->length == nbytes); ASSERT (ref->length == 2*nbytes); _eddsa_expand_key (ecc, eddsa, ctx, private->data, digest, k2); _eddsa_public_key (ecc, k2, public_out, scratch); if (!MEMEQ (nbytes, public_out, public->data)) { fprintf (stderr, "Bad public key from _eddsa_expand_key + _eddsa_public_key.\n"); fprintf (stderr, "got:"); print_hex (nbytes, public_out); fprintf (stderr, "\nref:"); tstring_print_hex (public); fprintf (stderr, "\n"); abort (); } _eddsa_sign (ecc, eddsa, ctx, public->data, k1, k2, msg->length, msg->data, signature, scratch); if (!MEMEQ (2*nbytes, signature, ref->data)) { fprintf (stderr, "Bad _eddsa_sign output.\n"); fprintf (stderr, "Public key:"); tstring_print_hex (public); fprintf (stderr, "\nPrivate key:"); tstring_print_hex (private); fprintf (stderr, "\nk2:"); mpn_out_str (stderr, 16, k2, ecc->p.size); fprintf (stderr, "\nMessage (length %u):", (unsigned) msg->length); tstring_print_hex (msg); fprintf (stderr, "\ngot:"); print_hex (2*nbytes, signature); fprintf (stderr, "\nref:"); tstring_print_hex (ref); fprintf (stderr, "\n"); abort (); } free (scratch); free (signature); free (digest); free (k2); free (public_out); } static void test_ed25519_sign (const struct tstring *public, const struct tstring *private, const struct tstring *msg, const struct tstring *ref) { struct sha512_ctx ctx; sha512_init (&ctx); test_eddsa_sign (&_nettle_curve25519, &_nettle_ed25519_sha512, &ctx, public, private, msg, ref); } static void test_ed448_sign (const struct tstring *public, const struct tstring *private, const struct tstring *msg, const struct tstring *ref) { struct sha3_ctx ctx; sha3_init (&ctx); test_eddsa_sign (&_nettle_curve448, &_nettle_ed448_shake256, &ctx, public, private, msg, ref); } void test_main (void) { /* Based on a few of the test vectors at http://ed25519.cr.yp.to/python/sign.input */ test_ed25519_sign (SHEX("d75a980182b10ab7 d54bfed3c964073a" "0ee172f3daa62325 af021a68f707511a"), SHEX("9d61b19deffd5a60 ba844af492ec2cc4" "4449c5697b326919 703bac031cae7f60"), SHEX(""), SHEX("e5564300c360ac72 9086e2cc806e828a" "84877f1eb8e5d974 d873e06522490155" "5fb8821590a33bac c61e39701cf9b46b" "d25bf5f0595bbe24 655141438e7a100b")); test_ed25519_sign (SHEX("3d4017c3e843895a 92b70aa74d1b7ebc" "9c982ccf2ec4968c c0cd55f12af4660c"), SHEX("4ccd089b28ff96da 9db6c346ec114e0f" "5b8a319f35aba624 da8cf6ed4fb8a6fb"), SHEX("72"), SHEX("92a009a9f0d4cab8 720e820b5f642540" "a2b27b5416503f8f b3762223ebdb69da" "085ac1e43e15996e 458f3613d0f11d8c" "387b2eaeb4302aee b00d291612bb0c00")); test_ed25519_sign (SHEX("1ed506485b09a645 0be7c9337d9fe87e" "f99c96f8bd11cd63 1ca160d0fd73067e"), SHEX("f215d34fe2d757cf f9cf5c05430994de" "587987ce45cb0459 f61ec6c825c62259"), SHEX("fbed2a7df418ec0e 8036312ec239fcee" "6ef97dc8c2df1f2e 14adee287808b788" "a6072143b851d975 c8e8a0299df846b1" "9113e38cee83da71 ea8e9bd6f57bdcd3" "557523f4feb616ca a595aea01eb0b3d4" "90b99b525ea4fbb9 258bc7fbb0deea8f" "568cb2"), SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c" "99df1340cce54626 183144ef46887163" "4b0a5c0033534108 e1c67c0dc99d3014" "f01084e98c95e101 4b309b1dbb2e6704")); /* Based on a few of the test vectors from RFC 8032 */ test_ed448_sign (SHEX("5fd7449b59b461fd 2ce787ec616ad46a" "1da1342485a70e1f 8a0ea75d80e96778" "edf124769b46c706 1bd6783df1e50f6c" "d1fa1abeafe82561 80"), SHEX("6c82a562cb808d10 d632be89c8513ebf" "6c929f34ddfa8c9f 63c9960ef6e348a3" "528c8a3fcc2f044e 39a3fc5b94492f8f" "032e7549a20098f9 5b"), SHEX(""), SHEX("533a37f6bbe45725 1f023c0d88f976ae" "2dfb504a843e34d2 074fd823d41a591f" "2b233f034f628281 f2fd7a22ddd47d78" "28c59bd0a21bfd39 80ff0d2028d4b18a" "9df63e006c5d1c2d 345b925d8dc00b41" "04852db99ac5c7cd da8530a113a0f4db" "b61149f05a736326 8c71d95808ff2e65" "2600")); test_ed448_sign (SHEX("43ba28f430cdff45 6ae531545f7ecd0a" "c834a55d9358c037 2bfa0c6c6798c086" "6aea01eb00742802 b8438ea4cb82169c" "235160627b4c3a94 80"), SHEX("c4eab05d357007c6 32f3dbb48489924d" "552b08fe0c353a0d 4a1f00acda2c463a" "fbea67c5e8d2877c 5e3bc397a659949e" "f8021e954e0a1227 4e"), SHEX("03"), SHEX("26b8f91727bd6289 7af15e41eb43c377" "efb9c610d48f2335 cb0bd0087810f435" "2541b143c4b981b7 e18f62de8ccdf633" "fc1bf037ab7cd779 805e0dbcc0aae1cb" "cee1afb2e027df36 bc04dcecbf154336" "c19f0af7e0a64729 05e799f1953d2a0f" "f3348ab21aa4adaf d1d234441cf807c0" "3a00")); test_ed448_sign (SHEX("df9705f58edbab80 2c7f8363cfe5560a" "b1c6132c20a9f1dd 163483a26f8ac53a" "39d6808bf4a1dfbd 261b099bb03b3fb5" "0906cb28bd8a081f 00"), SHEX("d65df341ad13e008 567688baedda8e9d" "cdc17dc024974ea5 b4227b6530e339bf" "f21f99e68ca6968f 3cca6dfe0fb9f4fa" "b4fa135d5542ea3f 01"), SHEX("bd0f6a3747cd561b dddf4640a332461a" "4a30a12a434cd0bf 40d766d9c6d458e5" "512204a30c17d1f5 0b5079631f64eb31" "12182da300583546 1113718d1a5ef944"), SHEX("554bc2480860b49e ab8532d2a533b7d5" "78ef473eeb58c98b b2d0e1ce488a98b1" "8dfde9b9b90775e6 7f47d4a1c3482058" "efc9f40d2ca033a0 801b63d45b3b722e" "f552bad3b4ccb667 da350192b61c508c" "f7b6b5adadc2c8d9 a446ef003fb05cba" "5f30e88e36ec2703 b349ca229c267083" "3900")); } nettle-4.0/testsuite/eddsa-verify-test.c0000644000000000000000000001523515141166425015345 0ustar00/* eddsa-verify-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" #include "eddsa-internal.h" #include "sha3.h" static void test_eddsa (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) { mp_limb_t *A = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *scratch = xalloc_limbs (_eddsa_verify_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *cmsg = xalloc (msg->length); uint8_t *csignature = xalloc (2*nbytes); if (!_eddsa_decompress (ecc, A, pub, scratch)) die ("Invalid eddsa public key.\n"); memcpy (csignature, signature, 2*nbytes); if (!_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "eddsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\npub = ", ecc->p.bit_size); print_hex (nbytes, pub); fprintf (stderr, "\nmsg = "); tstring_print_hex (msg); fprintf (stderr, "\nsign = "); print_hex (2*nbytes, csignature); fprintf (stderr, "\n"); abort(); } memcpy (csignature, signature, 2*nbytes); csignature[nbytes/3] ^= 0x40; if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature r.\n"); goto fail; } memcpy (csignature, signature, 2*nbytes); csignature[5*nbytes/3] ^= 0x8; if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature s.\n"); goto fail; } if (msg->length == 0) { if (_eddsa_verify (ecc, eddsa, pub, A, ctx, LDATA("foo"), signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with different message.\n"); goto fail; } } else { if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length - 1, msg->data, signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with truncated message.\n"); goto fail; } memcpy (cmsg, msg->data, msg->length); cmsg[2*msg->length / 3] ^= 0x20; if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, cmsg, signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with modified message.\n"); goto fail; } } free (A); free (scratch); free (cmsg); free (csignature); } static void test_ed25519 (const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) { struct sha512_ctx ctx; sha512_init (&ctx); test_eddsa (&_nettle_curve25519, &_nettle_ed25519_sha512, &ctx, pub, msg, signature); } static void test_ed448 (const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) { struct sha3_ctx ctx; sha3_init (&ctx); test_eddsa (&_nettle_curve448, &_nettle_ed448_shake256, &ctx, pub, msg, signature); } void test_main (void) { test_ed25519 (H("d75a980182b10ab7 d54bfed3c964073a" "0ee172f3daa62325 af021a68f707511a"), SHEX(""), H("e5564300c360ac72 9086e2cc806e828a" "84877f1eb8e5d974 d873e06522490155" "5fb8821590a33bac c61e39701cf9b46b" "d25bf5f0595bbe24 655141438e7a100b")); test_ed25519 (H("3d4017c3e843895a 92b70aa74d1b7ebc" "9c982ccf2ec4968c c0cd55f12af4660c"), SHEX("72"), H("92a009a9f0d4cab8 720e820b5f642540" "a2b27b5416503f8f b3762223ebdb69da" "085ac1e43e15996e 458f3613d0f11d8c" "387b2eaeb4302aee b00d291612bb0c00")); test_ed25519 (H("1ed506485b09a645 0be7c9337d9fe87e" "f99c96f8bd11cd63 1ca160d0fd73067e"), SHEX("fbed2a7df418ec0e 8036312ec239fcee" "6ef97dc8c2df1f2e 14adee287808b788" "a6072143b851d975 c8e8a0299df846b1" "9113e38cee83da71 ea8e9bd6f57bdcd3" "557523f4feb616ca a595aea01eb0b3d4" "90b99b525ea4fbb9 258bc7fbb0deea8f" "568cb2"), H("cbef65b6f3fd5809 69fc3340cfae4f7c" "99df1340cce54626 183144ef46887163" "4b0a5c0033534108 e1c67c0dc99d3014" "f01084e98c95e101 4b309b1dbb2e6704")); /* Based on a few of the test vectors from RFC 8032 */ test_ed448 (H("5fd7449b59b461fd 2ce787ec616ad46a" "1da1342485a70e1f 8a0ea75d80e96778" "edf124769b46c706 1bd6783df1e50f6c" "d1fa1abeafe82561 80"), SHEX(""), H("533a37f6bbe45725 1f023c0d88f976ae" "2dfb504a843e34d2 074fd823d41a591f" "2b233f034f628281 f2fd7a22ddd47d78" "28c59bd0a21bfd39 80ff0d2028d4b18a" "9df63e006c5d1c2d 345b925d8dc00b41" "04852db99ac5c7cd da8530a113a0f4db" "b61149f05a736326 8c71d95808ff2e65" "2600")); test_ed448 (H("43ba28f430cdff45 6ae531545f7ecd0a" "c834a55d9358c037 2bfa0c6c6798c086" "6aea01eb00742802 b8438ea4cb82169c" "235160627b4c3a94 80"), SHEX("03"), H("26b8f91727bd6289 7af15e41eb43c377" "efb9c610d48f2335 cb0bd0087810f435" "2541b143c4b981b7 e18f62de8ccdf633" "fc1bf037ab7cd779 805e0dbcc0aae1cb" "cee1afb2e027df36 bc04dcecbf154336" "c19f0af7e0a64729 05e799f1953d2a0f" "f3348ab21aa4adaf d1d234441cf807c0" "3a00")); test_ed448 (H("df9705f58edbab80 2c7f8363cfe5560a" "b1c6132c20a9f1dd 163483a26f8ac53a" "39d6808bf4a1dfbd 261b099bb03b3fb5" "0906cb28bd8a081f 00"), SHEX("bd0f6a3747cd561b dddf4640a332461a" "4a30a12a434cd0bf 40d766d9c6d458e5" "512204a30c17d1f5 0b5079631f64eb31" "12182da300583546 1113718d1a5ef944"), H("554bc2480860b49e ab8532d2a533b7d5" "78ef473eeb58c98b b2d0e1ce488a98b1" "8dfde9b9b90775e6 7f47d4a1c3482058" "efc9f40d2ca033a0 801b63d45b3b722e" "f552bad3b4ccb667 da350192b61c508c" "f7b6b5adadc2c8d9 a446ef003fb05cba" "5f30e88e36ec2703 b349ca229c267083" "3900")); } nettle-4.0/testsuite/gcm-test.c0000644000000000000000000010227515141166425013532 0ustar00#include "testutils.h" #include "nettle-internal.h" #include "gcm.h" #include "ghash-internal.h" static void test_gcm_hash (const struct tstring *msg, const struct tstring *ref) { struct gcm_aes128_ctx ctx; const uint8_t z16[16] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }; uint8_t digest[GCM_DIGEST_SIZE]; ASSERT (ref->length == sizeof(digest)); gcm_aes128_set_key (&ctx, z16); gcm_aes128_set_iv (&ctx, 16, z16); gcm_aes128_update (&ctx, msg->length, msg->data); gcm_aes128_digest (&ctx, digest); if (!MEMEQ (ref->length, ref->data, digest)) { fprintf (stderr, "gcm_hash failed, msg: %s\nOutput: ", msg->data); print_hex (16, digest); fprintf(stderr, "Expected:"); tstring_print_hex(ref); fprintf(stderr, "\n"); FAIL(); } } static void test_ghash_internal (const struct tstring *key, const struct tstring *iv, const struct tstring *message, const struct tstring *digest) { ASSERT (key->length == GCM_BLOCK_SIZE); ASSERT (iv->length == GCM_BLOCK_SIZE); ASSERT (digest->length == GCM_BLOCK_SIZE); ASSERT (message->length % GCM_BLOCK_SIZE == 0); struct gcm_key gcm_key; union nettle_block16 state; /* Mark inputs as "undefined" to valgrind, to get warnings about any branches or memory accesses depending on secret data. */ memcpy (state.b, key->data, GCM_BLOCK_SIZE); mark_bytes_undefined (sizeof(state), &state); _ghash_set_key (&gcm_key, &state); memcpy (state.b, iv->data, GCM_BLOCK_SIZE); mark_bytes_undefined (sizeof(state), &state); mark_bytes_undefined (message->length, message->data); _ghash_update (&gcm_key, &state, message->length / GCM_BLOCK_SIZE, message->data); mark_bytes_defined (sizeof(state), &state); mark_bytes_defined (message->length, message->data); if (!MEMEQ(GCM_BLOCK_SIZE, state.b, digest->data)) { fprintf (stderr, "gcm_hash (internal) failed\n"); fprintf(stderr, "Key: "); tstring_print_hex(key); fprintf(stderr, "\nIV: "); tstring_print_hex(iv); fprintf(stderr, "\nMessage: "); tstring_print_hex(message); fprintf(stderr, "\nOutput: "); print_hex(GCM_BLOCK_SIZE, state.b); fprintf(stderr, "\nExpected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } } /* Hack that uses a 16-byte nonce, a 12-byte standard GCM nonce and an explicit initial value for the counter. */ static void gcm_aes128_set_iv_hack (struct gcm_aes128_ctx *ctx, size_t size, const uint8_t *iv) { assert (size == 16); gcm_aes128_set_iv (ctx, 12, iv); memcpy (ctx->gcm.ctr.b + 12, iv + 12, 4); } void test_main(void) { /* * GCM-AES Test Vectors from * http://www.cryptobarn.com/papers/gcm-spec.pdf */ /* Test case 1 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("00000000000000000000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext*/ SHEX("000000000000000000000000"), /* IV */ SHEX("58e2fccefa7e3061367f1d57a4e7455a")); /* tag */ /* Test case 2 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("00000000000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("0388dace60b6a392f328c2b971b2fe78"), SHEX("000000000000000000000000"), SHEX("ab6e47d42cec13bdf53a67b21257bddf")); /* Test case 3 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091473f5985"), SHEX("cafebabefacedbaddecaf888"), SHEX("4d5c2af327cd64a62cf35abd2ba6fab4")); /* Test case 4 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091"), SHEX("cafebabefacedbaddecaf888"), SHEX("5bc94fbc3221a5db94fae95ae7121a47")); /* Regression test, same inputs but explicitly setting the counter value. */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv_hack, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091"), SHEX("cafebabefacedbaddecaf88800000002"), /* ctr == 2, same as the spec */ SHEX("5bc94fbc3221a5db94fae95ae7121a47")); test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv_hack, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("77ffd1ba63b141ba fb2efb329c9c25ee" "99e5e06e603dd5c6 8efe1cb2cefc0677" "2e7b14dea92760f7 6273dc0cce1d013d" "2ad8c11273fe9496 5448534b"), SHEX("cafebabefacedbaddecaf888ffffffff"), /* ctr == 2^31-1 */ SHEX("83cf46eb0407be56 72f756a4caebcda7")); /* Test case 5 */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("61353b4c2806934a777ff51fa22a4755" "699b2a714fcdc6f83766e5f97b6c7423" "73806900e49f24b22b097544d4896b42" "4989b5e1ebac0f07c23f4598"), SHEX("cafebabefacedbad"), SHEX("3612d2e79e3b0785561be14aaca2fccb")); /* Test case 6 */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("8ce24998625615b603a033aca13fb894" "be9112a5c3a211a8ba262a3cca7e2ca7" "01e4a9a4fba43c90ccdcb281d48c7c6f" "d62875d2aca417034c34aee5"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); /* Test 128 bytes */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255" "5ae376bc5e9f6a1b08e34db7a6ee0736" "9ba662ea12f6f197e6bc3ed69d2480f3" "ea5691347f2ba69113eb37910ebc18c8" "0f697234582016fa956ca8f63ae6b473"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091473f5985" "874b1178906ddbeab04ab2fe6cce8c57" "8d7e961bd13fd6a8c56b66ca5e576492" "1a48cd8bda04e66343e73055118b69b9" "ced486813846958a11e602c03cfc232b"), SHEX("cafebabefacedbaddecaf888"), SHEX("796836f1246c9d735c5e1be0a715ccc3")); /* Test 719 bytes */ test_aead(&nettle_gcm_aes256, NULL, SHEX("6235f895fca5ebf60e921204d3a13f2e" "8b32cfe744ed1359043877b0b9adb438"), SHEX(""), SHEX("42c1cc08486f413f2f11668b2a16f0e0" "5883f0c37014c05b3fec1d253c51d203" "cf59741fb285b407c66a63398a5bdecb" "af0844bd6f9115e1f57a6e18bddd6150" "59a997abbb0e745c00a4435404549b3b" "77ecfd5ca6e87b08aee6103f3265d1fc" "a41d2c31fb337ab33523f42041d4ad82" "8ba4ad961c2053be0ea6f4dc78493e72" "b1a9b583cb0854b7ad493aae98cea666" "1030908c5583d77c8be653ded26e1821" "0152d19f9dbb9c7357cc8909759b7870" "ed26974db4e40ca5fa700470c6961c7d" "544177a8e3b07e9682d9eca2876855f9" "8f9e7343476a08369367a82ddeac41a9" "5c4d73970f7068fa564d00c23b1fc8b9" "781f5107e39a134eed2b2ea3f744b2e7" "ab1937d9ba765ed2f25315174c6b169f" "026649ca7c9105f245361ef577ad1f46" "a813fb63b608996382a2edb3acdf4319" "45ea7873d9b73911a3137cf83ff7ad81" "482fa95c5fa0f079a4477d802026fd63" "0ac77e6d7547ff76662e8a6c8135af0b" "2e6a4960c110e1e15403a4090c377a15" "23275b8b4ba56497ae4a50731f661c5c" "03253c8d485871340eec4e551a036ae5" "b6192b842a20d1ea806f960e0562c778" "8779603846b425576e1663f8ad6ed742" "69e188ef6ed5b49a3c786c3be5a01d22" "865c743aeb2426c709fc919647874f1a" "d66b2c1847c0b824a85a4a9ecb03e72a" "09e64d9c6d8660f52f4869379ff2d2cb" "0e5add6e8afb6afe0b63de8742798a68" "51289b7aebafb82f9dd1c7459008c983" "e98384cb28690969ce99460054cbd838" "f9534abf31ce571533fa96043342e3c0" "b7544a657a7c02e61995d00e820763f9" "e12b2afc559252c9b59f232860e72051" "10d3ed6d9babb8e25d9a34b3be9c64cb" "78c69122409180bed7785c0e0adc08e9" "6710a483987923e792daa92216b1e778" "a31c6c8f357c4d372f6e0b505c34b9f9" "e63d910d3295aa3d481106bb2df26388" "3f7309e245563151fa5e4e62f790f9a9" "7d7b1bb1c8266e66f6909a7ff257cc23" "59fafaaa440401a7a478db743d8bb5"), SHEX("840bdbd5b7a8fe20bbb1127f41eab3c0" "a2b437191158b60b4c1d380554d11673" "8e1c2090a29ab77447e6d8fc183ab4ea" "d5165a2c530146b31833746c50f2e8c0" "73da6022ebe3e59b20936c4b3799b823" "3b4eace85be80fb7c38ffb4a37d93995" "34f1db8f71d9c70b02f163fc9bfcc5ab" "b9141321dfceaa8844301ece260192f8" "9f004b0c4bf75fe089ca9466112197ca" "3e83742ddb4d11eb97c214ff9e1ea06b" "08b4312b85c6856c90ec39c0ecb3b54e" "f39ce7833a770af456fece18336d0b2d" "33dac8055cb4092ade6b529801ef363d" "bdf98fa83eaacdd1012d4249c3b684bb" "4896e090936c4864d4fa7f932ca621c8" "7a237baa205612ae169d940f54a1ecca" "514ef239f4f85f045a0dbff583a115e1" "f53cd862a3ed4789854ce5dbac9e171d" "0c09e33e395b4d740ef534ee70114cfd" "db34b1b5103f73b7f5faedb01fa5cd3c" "8d3583d411446e6c5be00e69a539e5bb" "a9572437e61fddcf162a13f96a2d90a0" "03607aed69d5008b7e4fcbb9fa91b937" "c126ce9097226464c172431bf6acc154" "8a109cdd8dd58eb2e485dae0205ff4b4" "15b5a08d127449233adf4ad3f03b89eb" "f8cc627bfb9307416126945870a63ce4" "ff58c4133dcb366b32e5b26d03746f76" "9377de48c4fa304ada4980770f1cbe11" "c848b1e5bbf28ae1962f9fd18e8a5ce2" "f7d7d854f33fc491b8fb86dc46249160" "6c2fc94137514954098121f3039f2be3" "1f3963aff4d75360a7c754f9eeb1b17d" "75546593feb1686b5702f9bb0ef9f8bf" "011227b4fee4797a405b514bdf38ecb1" "6a56ff354d4233aa6f1be4dce0db8535" "6210d4ecebc57e451c6f17ca3b8e2d66" "4f4b3656cd1b59aad29b17b958df7b64" "8aff3b9ca6b5489eaae25d0971325fb6" "29bee7c7527e91826b6d33e134063621" "5ebe1e2f3ec1fbea492cb5caf7b037ea" "1fed1004d9480d1a1cfbe7840e835374" "c765e25ce5ba734c0ee1b51145614346" "aa258fbd8508fa4c15c1c0d8f5dc16bb" "7b1de38757a72a1d38589e8a43dc57"), SHEX("00ffffffff0000ffffff00ff"), SHEX("d1817d2be9ff993a4b24525855e14914")); /* Same input, but different initial counter value, to trigger wraparound. */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes128_set_iv_hack, SHEX("6235f895fca5ebf60e921204d3a13f2e" "8b32cfe744ed1359043877b0b9adb438"), SHEX(""), SHEX("42c1cc08486f413f2f11668b2a16f0e0" "5883f0c37014c05b3fec1d253c51d203" "cf59741fb285b407c66a63398a5bdecb" "af0844bd6f9115e1f57a6e18bddd6150" "59a997abbb0e745c00a4435404549b3b" "77ecfd5ca6e87b08aee6103f3265d1fc" "a41d2c31fb337ab33523f42041d4ad82" "8ba4ad961c2053be0ea6f4dc78493e72" "b1a9b583cb0854b7ad493aae98cea666" "1030908c5583d77c8be653ded26e1821" "0152d19f9dbb9c7357cc8909759b7870" "ed26974db4e40ca5fa700470c6961c7d" "544177a8e3b07e9682d9eca2876855f9" "8f9e7343476a08369367a82ddeac41a9" "5c4d73970f7068fa564d00c23b1fc8b9" "781f5107e39a134eed2b2ea3f744b2e7" "ab1937d9ba765ed2f25315174c6b169f" "026649ca7c9105f245361ef577ad1f46" "a813fb63b608996382a2edb3acdf4319" "45ea7873d9b73911a3137cf83ff7ad81" "482fa95c5fa0f079a4477d802026fd63" "0ac77e6d7547ff76662e8a6c8135af0b" "2e6a4960c110e1e15403a4090c377a15" "23275b8b4ba56497ae4a50731f661c5c" "03253c8d485871340eec4e551a036ae5" "b6192b842a20d1ea806f960e0562c778" "8779603846b425576e1663f8ad6ed742" "69e188ef6ed5b49a3c786c3be5a01d22" "865c743aeb2426c709fc919647874f1a" "d66b2c1847c0b824a85a4a9ecb03e72a" "09e64d9c6d8660f52f4869379ff2d2cb" "0e5add6e8afb6afe0b63de8742798a68" "51289b7aebafb82f9dd1c7459008c983" "e98384cb28690969ce99460054cbd838" "f9534abf31ce571533fa96043342e3c0" "b7544a657a7c02e61995d00e820763f9" "e12b2afc559252c9b59f232860e72051" "10d3ed6d9babb8e25d9a34b3be9c64cb" "78c69122409180bed7785c0e0adc08e9" "6710a483987923e792daa92216b1e778" "a31c6c8f357c4d372f6e0b505c34b9f9" "e63d910d3295aa3d481106bb2df26388" "3f7309e245563151fa5e4e62f790f9a9" "7d7b1bb1c8266e66f6909a7ff257cc23" "59fafaaa440401a7a478db743d8bb5"), SHEX("abdf2d43d5acea0e 037296441e544e8f" "d9b2fdfc434b3966 be04e88b226b9bbd" "ed6c798834bf5283 30d5a386d49b5a45" "2076bc49acf3d854 c15b52b15ab0008f" "b28069951f2baf3a d845ead585168f25" "b126ea81592fc417 3a4664cb599992dc" "5e2aebeb9a7f0ce3 46d2d100295469f2" "cae1f9190c3f50cd 8f2a4f19ea285453" "cbb7ab12f79807e5 400020da75e12ff6" "3a436705056e46bb abd17cc1e1a33b39" "4df0802b60bbe8cc 3aa5627c70279019" "7dca60f33e0eb11d cda293ac1cbe7454" "66f1c91f205e87a0 c84f06b0d920f973" "a1378dccc7950361 b7e406e557437005" "72fe973681beae6d 4a6947e3776f70f3" "71f9b1b3fbe70a51 2a0b9e6a6e6c7fd9" "b5a3471734e55883 5edddf7fb99001cf" "65fdf667c395724e 1984a0cff12a7c82" "9a740788cfc85c84 10e807d7b1c5860b" "5131eb7445ab198f 21a403a9284e44f0" "4a1383f19c6cf199 5ff1c72c83c3a34e" "f090bb8d3bc9fea0 ce70208e4effac75" "d930d8c81e6ca39a 94795f27d704724e" "873d43d6c4f6b080 221d892ec3a813b8" "9dfbf54b81d03b92 5805df1d3a510a58" "7303010c64c44fff 7fc8e5e7807ddfa0" "24e93a62d5ec07ee 1e12fa6d4676e8e9" "44ebbb62c61055f0 1634038b1306de00" "645de12137a32634 66c482feae4d9212" "5f5e8c48824d47a2 4233de2bf15f797b" "aa4ac69555d2f83c 95f8b5ea6aab9c58" "71efdf2d37dc48e8 045329279fb161ce" "c791d786b8b13ade 934c191376dcbbd7" "fca82eb907b71fe4 1d2c57e11c502933" "e770d742cdfc65d0 0d8f434b76cb5808" "4965dfade4c5a682 8e263fe55bd12052" "835e3ed3e8387163 b77ddc5c210181da" "5ec215b884d353ad 678ca70fc0251c35" "e411707a9649e1bc 4ee3e3b550ee286e" "9f51c98857530d88 e17b6e6dfacbe809" "7e1ed9df02427c7b 59e03f823ee85f35" "65066f1d8cc286b1 e1e13259769b6ebf" "60ebd2d913e6d019 755f6d6811d3e606" "8f42b10f2e02a646 8b0a9b7889b99b7c" "1754b9ee8e03b3c2 5dcf41b71f3c64"), SHEX("00ffffffff0000ff ffff00fffffffffd"), /* ctr == 2^31-3 */ SHEX("d64dd27c678a2827 859bd29e7ea4ae07")); /* Test case 7 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), SHEX(""), SHEX(""), SHEX("000000000000000000000000"), SHEX("cd33b28ac773f74ba00ed1f312572435")); /* Test case 8 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("98e7247c07f0fe411c267e4384b0f600"), SHEX("000000000000000000000000"), SHEX("2ff58d80033927ab8ef4d4587514f0fb")); /* Test case 9 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("3980ca0b3c00e841eb06fac4872a2757" "859e1ceaa6efd984628593b40ca1e19c" "7d773d00c144c525ac619d18c84a3f47" "18e2448b2fe324d9ccda2710acade256"), SHEX("cafebabefacedbaddecaf888"), SHEX("9924a7c8587336bfb118024db8674a14")); /* Test case 10 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("3980ca0b3c00e841eb06fac4872a2757" "859e1ceaa6efd984628593b40ca1e19c" "7d773d00c144c525ac619d18c84a3f47" "18e2448b2fe324d9ccda2710"), SHEX("cafebabefacedbaddecaf888"), SHEX("2519498e80f1478f37ba55bd6d27618c")); /* Test case 11 */ test_aead(&nettle_gcm_aes192, (nettle_hash_update_func *) gcm_aes192_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("0f10f599ae14a154ed24b36e25324db8" "c566632ef2bbb34f8347280fc4507057" "fddc29df9a471f75c66541d4d4dad1c9" "e93a19a58e8b473fa0f062f7"), SHEX("cafebabefacedbad"), SHEX("65dcc57fcf623a24094fcca40d3533f8")); /* Test case 12 */ test_aead(&nettle_gcm_aes192, (nettle_hash_update_func *) gcm_aes192_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("d27e88681ce3243c4830165a8fdcf9ff" "1de9a1d8e6b447ef6ef7b79828666e45" "81e79012af34ddd9e2f037589b292db3" "e67c036745fa22e7e9b7373b"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("dcf566ff291c25bbb8568fc3d376a6d9")); /* Test case 13 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), SHEX(""), SHEX(""), SHEX("000000000000000000000000"), SHEX("530f8afbc74536b9a963b4f1c4cb738b")); /* Test case 14 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("cea7403d4d606b6e074ec5d3baf39d18"), SHEX("000000000000000000000000"), SHEX("d0d1c8a799996bf0265b98b5d48ab919")); /* Test case 15 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("522dc1f099567d07f47f37a32a84427d" "643a8cdcbfe5c0c97598a2bd2555d1aa" "8cb08e48590dbb3da7b08b1056828838" "c5f61e6393ba7a0abcc9f662898015ad"), SHEX("cafebabefacedbaddecaf888"), SHEX("b094dac5d93471bdec1a502270e3cc6c")); /* Test case 16 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("522dc1f099567d07f47f37a32a84427d" "643a8cdcbfe5c0c97598a2bd2555d1aa" "8cb08e48590dbb3da7b08b1056828838" "c5f61e6393ba7a0abcc9f662"), SHEX("cafebabefacedbaddecaf888"), SHEX("76fc6ece0f4e1768cddf8853bb2d551b")); /* Test case 17 */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes256_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("c3762df1ca787d32ae47c13bf19844cb" "af1ae14d0b976afac52ff7d79bba9de0" "feb582d33934a4f0954cc2363bc73f78" "62ac430e64abe499f47c9b1f"), SHEX("cafebabefacedbad"), SHEX("3a337dbf46a792c45e454913fe2ea8f2")); /* Test case 18 */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes256_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("5a8def2f0c9e53f1f75d7853659e2a20" "eeb2b22aafde6419a058ab4f6f746bf4" "0fc0c3b780f244452da3ebf1c5d82cde" "a2418997200ef82e44ae7e3f"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("a44a8266ee1c8eb0c8b5d4cf5ae9f19a")); /* * GCM-Camellia Test Vectors obtained from the authors */ /* Test case 1 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("00000000000000000000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext*/ SHEX("000000000000000000000000"), /* IV */ SHEX("f5574acc3148dfcb9015200631024df9")); /* tag */ /* Test case 3 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX(""), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255"), /* plaintext */ SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815"), /* ciphertext*/ SHEX("cafebabefacedbaddecaf888"), /* IV */ SHEX("86e318012dd8329dc9dae6a170f61b24")); /* tag */ /* Test case 4 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606"), /* ciphertext*/ SHEX("cafebabefacedbaddecaf888"), /* IV */ SHEX("9f458869431576ea6a095456ec6b8101")); /* tag */ /* Test case 5 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a" "52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd"), /* ciphertext*/ SHEX("cafebabefacedbad"), /* IV */ SHEX("e86f8f2e730c49d536f00fb5225d28b1")); /* tag */ /* Test case 6 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e" "402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647"), /* ciphertext*/ SHEX("9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b"), /* IV */ SHEX("ceae5569b2af8641572622731aed3e53")); /* tag */ /* gcm-camellia256 */ /* Test case 13 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("000000000000000000000000"), /* iv */ SHEX("9cdb269b5d293bc5db9c55b057d9b591")); /* tag */ /* Test case 14 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX("0000000000000000 0000000000000000"), /* plaintext */ SHEX("3d4b2cde666761ba 5dfb305178e667fb"), /* ciphertext */ SHEX("000000000000000000000000"), /* iv */ SHEX("284b63bb143c40ce100fb4dea6bb617b")); /* tag */ /* Test case 15 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX(""), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b391aafd255"), /* plaintext */ SHEX("ad142c11579dd95e 41f3c1f324dabc25" "5864d920f1b65759 d8f560d4948d4477" "58dfdcf77aa9f625 81c7ff572a037f81" "0cb1a9c4b3ca6ed6 38179b776549e092"), /* ciphertext */ SHEX("cafebabefacedbaddecaf888"), /* iv */ SHEX("c912686270a2b9966415fca3be75c468")); /* tag */ /* Test case 16 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("ad142c11579dd95e 41f3c1f324dabc25" "5864d920f1b65759 d8f560d4948d4477" "58dfdcf77aa9f625 81c7ff572a037f81" "0cb1a9c4b3ca6ed6 38179b77"), /* ciphertext */ SHEX("cafebabefacedbaddecaf888"), /* iv */ SHEX("4e4b178d8fe26fdc95e2e7246dd94bec")); /* tag */ /* Test case 17 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("6ca95fbb7d16577a 9ef2fded94dc85b5" "d40c629f6bef2c64 9888e3cbb0ededc7" "810c04b12c2983bb bbc482e16e45c921" "5ae12c15c55f2f48 09d06652"), /* ciphertext */ SHEX("cafebabefacedbad"), /* iv */ SHEX("e6472b8ebd331bfcc7c0fa63ce094461")); /* tag */ /* Test case 18 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("e0cddd7564d09c4d c522dd65949262bb" "f9dcdb07421cf67f 3032becb7253c284" "a16e5bf0f556a308 043f53fab9eebb52" "6be7f7ad33d697ac 77c67862"), /* ciphertext */ SHEX("9313225df88406e5 55909c5aff5269aa" "6a7a9538534f7da1 e4c303d2a318a728" "c3c0c95156809539 fcf0e2429a6b5254" "16aedbf5a0de6a57 a637b39b"), /* iv */ SHEX("5791883f822013f8bd136fc36fb9946b")); /* tag */ /* * GCM-SM4 Test Vectors from * https://datatracker.ietf.org/doc/html/rfc8998 */ test_aead(&nettle_gcm_sm4, NULL, SHEX("0123456789ABCDEFFEDCBA9876543210"), SHEX("FEEDFACEDEADBEEFFEEDFACEDEADBEEFABADDAD2"), SHEX("AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFF" "EEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAA"), SHEX("17F399F08C67D5EE19D0DC9969C4BB7D" "5FD46FD3756489069157B282BB200735" "D82710CA5C22F0CCFA7CBF93D496AC15" "A56834CBCF98C397B4024A2691233B8D"), SHEX("00001234567800000000ABCD"), SHEX("83DE3541E4C2B58177E065A9BF7B62EC")); /* Test gcm_hash, with varying message size, keys and iv all zero. Not compared to any other implementation. */ test_gcm_hash (SDATA("a"), SHEX("1521c9a442bbf63b 2293a21d4874a5fd")); test_gcm_hash (SDATA("ab"), SHEX("afb4592d2c7c1687 37f27271ee30412a")); test_gcm_hash (SDATA("abc"), SHEX("9543ca3e1662ba03 9a921ec2a20769be")); test_gcm_hash (SDATA("abcd"), SHEX("8f041cc12bcb7e1b 0257a6da22ee1185")); test_gcm_hash (SDATA("abcde"), SHEX("0b2376e5fed58ffb 717b520c27cd5c35")); test_gcm_hash (SDATA("abcdef"), SHEX("9679497a1eafa161 4942963380c1a76f")); test_gcm_hash (SDATA("abcdefg"), SHEX("83862e40339536bc 723d9817f7df8282")); test_gcm_hash (SDATA("abcdefgh"), SHEX("b73bcc4d6815c4dc d7424a04e61b87c5")); test_gcm_hash (SDATA("abcdefghi"), SHEX("8e7846a383f0b3b2 07b01160a5ef993d")); test_gcm_hash (SDATA("abcdefghij"), SHEX("37651643b6f8ecac 4ea1b320e6ea308c")); test_gcm_hash (SDATA("abcdefghijk"), SHEX("c1ce10106ee23286 f00513f55e2226b0")); test_gcm_hash (SDATA("abcdefghijkl"), SHEX("c6a3e32a90196cdf b2c7a415d637e6ca")); test_gcm_hash (SDATA("abcdefghijklm"), SHEX("6cca29389d4444fa 3d20e65497088fd8")); test_gcm_hash (SDATA("abcdefghijklmn"), SHEX("19476a997ec0a824 2022db0f0e8455ce")); test_gcm_hash (SDATA("abcdefghijklmno"), SHEX("f66931cee7eadcbb d42753c3ac3c4c16")); test_gcm_hash (SDATA("abcdefghijklmnop"), SHEX("a79699ce8bed61f9 b8b1b4c5abb1712e")); test_gcm_hash (SDATA("abcdefghijklmnopq"), SHEX("65f8245330febf15 6fd95e324304c258")); test_gcm_hash (SDATA("abcdefghijklmnopqr"), SHEX("d07259e85d4fc998 5a662eed41c8ed1d")); /* Test internal ghash function. */ test_ghash_internal(SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("0000000000000000 0000000000000000")); test_ghash_internal(SHEX("8000000000000000 0000000000000000"), /* 1 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("0011223344556677 89abcdef01234567")); test_ghash_internal(SHEX("8000000000000000 0000000000000000"), SHEX("0123456789abcdef fedcba9876543210"), /* XOR:ed to the message */ SHEX("0011223344556677 89abcdef01234567"), SHEX("01326754cdfeab98 7777777777777777")); test_ghash_internal(SHEX("4000000000000000 0000000000000000"), /* x polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("e1089119a22ab33b c4d5e6f78091a2b3")); test_ghash_internal(SHEX("0800000000000000 0000000000000000"), /* x^4 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("54e1122334455667 789abcdef0123456")); test_ghash_internal(SHEX("0000000080000000 0000000000000000"), /* x^32 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("01f870078e112233 4455667789abcdef")); test_ghash_internal(SHEX("0000000000000001 0000000000000000"), /* x^63 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("1e0f1ff13ff0e00f 1c22446688aaccef")); test_ghash_internal(SHEX("0000000000000000 8000000000000000"), /* x^64 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("ee078ff89ff87007 8e11223344556677")); test_ghash_internal(SHEX("0000000000000000 0000000100000000"), /* x^95 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("efc44c3a800f1ff1 3ff0e00f1c224466")); test_ghash_internal(SHEX("0000000000000000 0000000080000000"), /* x^96 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("77e2261d40078ff8 9ff870078e112233")); test_ghash_internal(SHEX("0000000000000000 0000000000000001"), /* x^127 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("1503b3c4a3c44c3a 800f1ff13ff0e00f")); } nettle-4.0/testsuite/gold-bug.txt0000644000000000000000000022531715141166425014107 0ustar00Edgar Allan Poe The Gold-Bug What ho! what ho! this fellow is dancing mad! He hath been bitten by the Tarantula. --All in the Wrong. Many years ago, I contracted an intimacy with a Mr. William Legrand. He was of an ancient Huguenot family, and had once been wealthy: but a series of misfortunes had reduced him to want. To avoid the mortification consequent upon his disasters, he left New Orleans, the city of his forefathers, and took up his residence at Sullivan's Island, near Charleston, South Carolina. This island is a very singular one. It consists of little else than the sea sand, and is about three miles long. Its breadth at no point exceeds a quarter of a mile. It is separated from the mainland by a scarcely perceptible creek, oozing its way through a wilderness of reeds and slime, a favorite resort of the marsh hen. The vegetation, as might be supposed, is scant, or at least dwarfish. No trees of any magnitude are to be seen. Near the western extremity, where Fort Moultrie stands, and where are some miserable frame buildings, tenanted, during summer, by the fugitives from Charleston dust and fever, may be found, indeed, the bristly palmetto; but the whole island, with the exception of this western point, and a line of hard, white beach on the seacoast, is covered with a dense undergrowth of the sweet myrtle so much prized by the horticulturists of England. The shrub here often attains the height of fifteen or twenty feet, and forms an almost impenetrable coppice, burdening the air with its fragrance. In the inmost recesses of this coppice, not far from the eastern or more remote end of the island, Legrand had built himself a small hut, which he occupied when I first, by mere accident, made his acquaintance. This soon ripened into friendship--for there was much in the recluse to excite interest and esteem. I found him well educated, with unusual powers of mind, but infected with misanthropy, and subject to perverse moods of alternate enthusiasm and melancholy. He had with him many books, but rarely employed them. His chief amusements were gunning and fishing, or sauntering along the beach and through the myrtles, in quest of shells or entomological specimens--his collection of the latter might have been envied by a Swammerdamm. In these excursions he was usually accompanied by an old negro, called Jupiter, who had been manumitted before the reverses of the family, but who could be induced, neither by threats nor by promises, to abandon what he considered his right of attendance upon the footsteps of his young "Massa Will." It is not improbable that the relatives of Legrand, conceiving him to be somewhat unsettled in intellect, had contrived to instill this obstinacy into Jupiter, with a view to the supervision and guardianship of the wanderer. The winters in the latitude of Sullivan's Island are seldom very severe, and in the fall of the year it is a rare event indeed when a fire is considered necessary. About the middle of October, 18--, there occurred, however, a day of remarkable chilliness. Just before sunset I scrambled my way through the evergreens to the hut of my friend, whom I had not visited for several weeks--my residence being, at that time, in Charleston, a distance of nine miles from the island, while the facilities of passage and repassage were very far behind those of the present day. Upon reaching the hut I rapped, as was my custom, and getting no reply, sought for the key where I knew it was secreted, unlocked the door, and went in. A fine fire was blazing upon the hearth. It was a novelty, and by no means an ungrateful one. I threw off an overcoat, took an armchair by the crackling logs, and awaited patiently the arrival of my hosts. Soon after dark they arrived, and gave me a most cordial welcome. Jupiter, grinning from ear to ear, bustled about to prepare some marsh hens for supper. Legrand was in one of his fits--how else shall I term them?--of enthusiasm. He had found an unknown bivalve, forming a new genus, and, more than this, he had hunted down and secured, with Jupiter's assistance, a scarabaeus which he believed to be totally new, but in respect to which he wished to have my opinion on the morrow. "And why not to-night?" I asked, rubbing my hands over the blaze, and wishing the whole tribe of scarabaei at the devil. "Ah, if I had only known you were here!" said Legrand, "but it's so long since I saw you; and how could I foresee that you would pay me a visit this very night of all others? As I was coming home I met Lieutenant G----, from the fort, and, very foolishly, I lent him the bug; so it will be impossible for you to see it until the morning. Stay here to-night, and I will send Jup down for it at sunrise. It is the loveliest thing in creation!" "What?--sunrise?" "Nonsense! no!--the bug. It is of a brilliant gold color--about the size of a large hickory nut--with two jet black spots near one extremity of the back, and another, somewhat longer, at the other. The antennae are--" "Dey ain't NO tin in him, Massa Will, I keep a tellin' on you," here interrupted Jupiter; "de bug is a goole-bug, solid, ebery bit of him, inside and all, sep him wing--neber feel half so hebby a bug in my life." "Well, suppose it is, Jup," replied Legrand, somewhat more earnestly, it seemed to me, than the case demanded; "is that any reason for your letting the birds burn? The color"--here he turned to me--"is really almost enough to warrant Jupiter's idea. You never saw a more brilliant metallic luster than the scales emit-- but of this you cannot judge till to-morrow. In the meantime I can give you some idea of the shape." Saying this, he seated himself at a small table, on which were a pen and ink, but no paper. He looked for some in a drawer, but found none. "Never mind," he said at length, "this will answer;" and he drew from his waistcoat pocket a scrap of what I took to be very dirty foolscap, and made upon it a rough drawing with the pen. While he did this, I retained my seat by the fire, for I was still chilly. When the design was complete, he handed it to me without rising. As I received it, a loud growl was heard, succeeded by a scratching at the door. Jupiter opened it, and a large Newfoundland, belonging to Legrand, rushed in, leaped upon my shoulders, and loaded me with caresses; for I had shown him much attention during previous visits. When his gambols were over, I looked at the paper, and, to speak the truth, found myself not a little puzzled at what my friend had depicted. "Well!" I said, after contemplating it for some minutes, "this IS a strange scarabaeus, I must confess; new to me; never saw anything like it before--unless it was a skull, or a death's head, which it more nearly resembles than anything else that has come under MY observation." "A death's head!" echoed Legrand. "Oh--yes--well, it has something of that appearance upon paper, no doubt. The two upper black spots look like eyes, eh? and the longer one at the bottom like a mouth-- and then the shape of the whole is oval." "Perhaps so," said I; "but, Legrand, I fear you are no artist. I must wait until I see the beetle itself, if I am to form any idea of its personal appearance." "Well, I don't know," said he, a little nettled, "I draw tolerably-- SHOULD do it at least--have had good masters, and flatter myself that I am not quite a blockhead." "But, my dear fellow, you are joking then," said I, "this is a very passable SKULL--indeed, I may say that it is a very EXCELLENT skull, according to the vulgar notions about such specimens of physiology--and your scarabaeus must be the queerest scarabaeus in the world if it resembles it. Why, we may get up a very thrilling bit of superstition upon this hint. I presume you will call the bug Scarabaeus caput hominis, or something of that kind--there are many similar titles in the Natural Histories. But where are the antennae you spoke of?" "The antennae!" said Legrand, who seemed to be getting unaccountably warm upon the subject; "I am sure you must see the antennae. I made them as distinct as they are in the original insect, and I presume that is sufficient." "Well, well," I said, "perhaps you have--still I don't see them;" and I handed him the paper without additional remark, not wishing to ruffle his temper; but I was much surprised at the turn affairs had taken; his ill humor puzzled me--and, as for the drawing of the beetle, there were positively NO antennae visible, and the whole DID bear a very close resemblance to the ordinary cuts of a death's head. He received the paper very peevishly, and was about to crumple it, apparently to throw it in the fire, when a casual glance at the design seemed suddenly to rivet his attention. In an instant his face grew violently red--in another excessively pale. For some minutes he continued to scrutinize the drawing minutely where he sat. At length he arose, took a candle from the table, and proceeded to seat himself upon a sea chest in the farthest corner of the room. Here again he made an anxious examination of the paper, turning it in all directions. He said nothing, however, and his conduct greatly astonished me; yet I thought it prudent not to exacerbate the growing moodiness of his temper by any comment. Presently he took from his coat pocket a wallet, placed the paper carefully in it, and deposited both in a writing desk, which he locked. He now grew more composed in his demeanor; but his original air of enthusiasm had quite disappeared. Yet he seemed not so much sulky as abstracted. As the evening wore away he became more and more absorbed in reverie, from which no sallies of mine could arouse him. It had been my intention to pass the night at the hut, as I had frequently done before, but, seeing my host in this mood, I deemed it proper to take leave. He did not press me to remain, but, as I departed, he shook my hand with even more than his usual cordiality. It was about a month after this (and during the interval I had seen nothing of Legrand) when I received a visit, at Charleston, from his man, Jupiter. I had never seen the good old negro look so dispirited, and I feared that some serious disaster had befallen my friend. "Well, Jup," said I, "what is the matter now?--how is your master?" "Why, to speak the troof, massa, him not so berry well as mought be." "Not well! I am truly sorry to hear it. What does he complain of?" "Dar! dot's it!--him neber 'plain of notin'--but him berry sick for all dat." "VERY sick, Jupiter!--why didn't you say so at once? Is he confined to bed?" "No, dat he aint!--he aint 'fin'd nowhar--dat's just whar de shoe pinch--my mind is got to be berry hebby 'bout poor Massa Will." "Jupiter, I should like to understand what it is you are talking about. You say your master is sick. Hasn't he told you what ails him?" "Why, massa, 'taint worf while for to git mad about de matter-- Massa Will say noffin at all aint de matter wid him--but den what make him go about looking dis here way, wid he head down and he soldiers up, and as white as a goose? And den he keep a syphon all de time--" "Keeps a what, Jupiter?" "Keeps a syphon wid de figgurs on de slate--de queerest figgurs I ebber did see. Ise gittin' to be skeered, I tell you. Hab for to keep mighty tight eye 'pon him 'noovers. Todder day he gib me slip 'fore de sun up and was gone de whole ob de blessed day. I had a big stick ready cut for to gib him deuced good beating when he did come--but Ise sich a fool dat I hadn't de heart arter all--he looked so berry poorly." "Eh?--what?--ah yes!--upon the whole I think you had better not be too severe with the poor fellow--don't flog him, Jupiter--he can't very well stand it--but can you form no idea of what has occasioned this illness, or rather this change of conduct? Has anything unpleasant happened since I saw you?" "No, massa, dey aint bin noffin onpleasant SINCE den--'twas 'FORE den I'm feared--'twas de berry day you was dare." "How? what do you mean." "Why, massa, I mean de bug--dare now." "The what?" "De bug--I'm berry sartin dat Massa Will bin bit somewhere 'bout de head by dat goole-bug." "And what cause have you, Jupiter, for such a supposition?" "Claws enuff, massa, and mouff, too. I nebber did see sich a deuced bug--he kick and he bite eberyting what cum near him. Massa Will cotch him fuss, but had for to let him go 'gin mighty quick, I tell you--den was de time he must ha' got de bite. I didn't like de look ob de bug mouff, myself, nohow, so I wouldn't take hold oh him wid my finger, but I cotch him wid a piece oh paper dat I found. I rap him up in de paper and stuff a piece of it in he mouff--dat was de way." "And you think, then, that your master was really bitten by the beetle, and that the bite made him sick?" "I don't think noffin about it--I nose it. What make him dream 'bout de goole so much, if 'taint cause he bit by the goole-bug? Ise heered 'bout dem goole-bugs 'fore dis." "But how do you know he dreams about gold?" "How I know? why, 'cause he talk about it in he sleep--dat's how I nose." "Well, Jup, perhaps you are right; but to what fortunate circumstance am I to attribute the honor of a visit from you to- day?" "What de matter, massa?" "Did you bring any message from Mr. Legrand?" "No, massa, I bring dis here pissel;" and here Jupiter handed me a note which ran thus: "MY DEAR ---- "Why have I not seen you for so long a time? I hope you have not been so foolish as to take offense at any little brusquerie of mine; but no, that is improbable. "Since I saw you I have had great cause for anxiety. I have something to tell you, yet scarcely know how to tell it, or whether I should tell it at all. "I have not been quite well for some days past, and poor old Jup annoys me, almost beyond endurance, by his well-meant attentions. Would you believe it?--he had prepared a huge stick, the other day, with which to chastise me for giving him the slip, and spending the day, solus, among the hills on the mainland. I verily believe that my ill looks alone saved me a flogging. "I have made no addition to my cabinet since we met. "If you can, in any way, make it convenient, come over with Jupiter. DO come. I wish to see you TO-NIGHT, upon business of importance. I assure you that it is of the HIGHEST importance. "Ever yours, "WILLIAM LEGRAND." There was something in the tone of this note which gave me great uneasiness. Its whole style differed materially from that of Legrand. What could he be dreaming of? What new crotchet possessed his excitable brain? What "business of the highest importance" could HE possibly have to transact? Jupiter's account of him boded no good. I dreaded lest the continued pressure of misfortune had, at length, fairly unsettled the reason of my friend. Without a moment's hesitation, therefore, I prepared to accompany the negro. Upon reaching the wharf, I noticed a scythe and three spades, all apparently new, lying in the bottom of the boat in which we were to embark. "What is the meaning of all this, Jup?" I inquired. "Him syfe, massa, and spade." "Very true; but what are they doing here?" "Him de syfe and de spade what Massa Will sis 'pon my buying for him in de town, and de debbil's own lot of money I had to gib for em." "But what, in the name of all that is mysterious, is your 'Massa Will' going to do with scythes and spades?" "Dat's more dan I know, and debbil take me if I don't b'lieve 'tis more dan he know too. But it's all cum ob de bug." Finding that no satisfaction was to be obtained of Jupiter, whose whole intellect seemed to be absorbed by "de bug," I now stepped into the boat, and made sail. With a fair and strong breeze we soon ran into the little cove to the northward of Fort Moultrie, and a walk of some two miles brought us to the hut. It was about three in the afternoon when we arrived. Legrand had been awaiting us in eager expectation. He grasped my hand with a nervous empressement which alarmed me and strengthened the suspicions already entertained. His countenance was pale even to ghastliness, and his deep-set eyes glared with unnatural luster. After some inquiries respecting his health, I asked him, not knowing what better to say, if he had yet obtained the scarabaeus from Lieutenant G----. "Oh, yes," he replied, coloring violently, "I got it from him the next morning. Nothing should tempt me to part with that scarabaeus. Do you know that Jupiter is quite right about it?" "In what way?" I asked, with a sad foreboding at heart. "In supposing it to be a bug of REAL GOLD." He said this with an air of profound seriousness, and I felt inexpressibly shocked. "This bug is to make my fortune," he continued, with a triumphant smile; "to reinstate me in my family possessions. Is it any wonder, then, that I prize it? Since Fortune has thought fit to bestow it upon me, I have only to use it properly, and I shall arrive at the gold of which it is the index. Jupiter, bring me that scarabaeus!" "What! de bug, massa? I'd rudder not go fer trubble dat bug; you mus' git him for your own self." Hereupon Legrand arose, with a grave and stately air, and brought me the beetle from a glass case in which it was enclosed. It was a beautiful scarabaeus, and, at that time, unknown to naturalists--of course a great prize in a scientific point of view. There were two round black spots near one extremity of the back, and a long one near the other. The scales were exceedingly hard and glossy, with all the appearance of burnished gold. The weight of the insect was very remarkable, and, taking all things into consideration, I could hardly blame Jupiter for his opinion respecting it; but what to make of Legrand's concordance with that opinion, I could not, for the life of me, tell. "I sent for you," said he, in a grandiloquent tone, when I had completed my examination of the beetle, "I sent for you that I might have your counsel and assistance in furthering the views of Fate and of the bug--" "My dear Legrand," I cried, interrupting him, "you are certainly unwell, and had better use some little precautions. You shall go to bed, and I will remain with you a few days, until you get over this. You are feverish and--" "Feel my pulse," said he. I felt it, and, to say the truth, found not the slightest indication of fever. "But you may be ill and yet have no fever. Allow me this once to prescribe for you. In the first place go to bed. In the next--" "You are mistaken," he interposed, "I am as well as I can expect to be under the excitement which I suffer. If you really wish me well, you will relieve this excitement." "And how is this to be done?" "Very easily. Jupiter and myself are going upon an expedition into the hills, upon the mainland, and, in this expedition, we shall need the aid of some person in whom we can confide. You are the only one we can trust. Whether we succeed or fail, the excitement which you now perceive in me will be equally allayed." "I am anxious to oblige you in any way," I replied; "but do you mean to say that this infernal beetle has any connection with your expedition into the hills?" "It has." "Then, Legrand, I can become a party to no such absurd proceeding." "I am sorry--very sorry--for we shall have to try it by ourselves." "Try it by yourselves! The man is surely mad!--but stay!--how long do you propose to be absent?" "Probably all night. We shall start immediately, and be back, at all events, by sunrise." "And will you promise me, upon your honor, that when this freak of yours is over, and the bug business (good God!) settled to your satisfaction, you will then return home and follow my advice implicitly, as that of your physician?" "Yes; I promise; and now let us be off, for we have no time to lose." With a heavy heart I accompanied my friend. We started about four o'clock--Legrand, Jupiter, the dog, and myself. Jupiter had with him the scythe and spades--the whole of which he insisted upon carrying--more through fear, it seemed to me, of trusting either of the implements within reach of his master, than from any excess of industry or complaisance. His demeanor was dogged in the extreme, and "dat deuced bug" were the sole words which escaped his lips during the journey. For my own part, I had charge of a couple of dark lanterns, while Legrand contented himself with the scarabaeus, which he carried attached to the end of a bit of whipcord; twirling it to and fro, with the air of a conjurer, as he went. When I observed this last, plain evidence of my friend's aberration of mind, I could scarcely refrain from tears. I thought it best, however, to humor his fancy, at least for the present, or until I could adopt some more energetic measures with a chance of success. In the meantime I endeavored, but all in vain, to sound him in regard to the object of the expedition. Having succeeded in inducing me to accompany him, he seemed unwilling to hold conversation upon any topic of minor importance, and to all my questions vouchsafed no other reply than "we shall see!" We crossed the creek at the head of the island by means of a skiff, and, ascending the high grounds on the shore of the mainland, proceeded in a northwesterly direction, through a tract of country excessively wild and desolate, where no trace of a human footstep was to be seen. Legrand led the way with decision; pausing only for an instant, here and there, to consult what appeared to be certain landmarks of his own contrivance upon a former occasion. In this manner we journeyed for about two hours, and the sun was just setting when we entered a region infinitely more dreary than any yet seen. It was a species of table-land, near the summit of an almost inaccessible hill, densely wooded from base to pinnacle, and interspersed with huge crags that appeared to lie loosely upon the soil, and in many cases were prevented from precipitating themselves into the valleys below, merely by the support of the trees against which they reclined. Deep ravines, in various directions, gave an air of still sterner solemnity to the scene. The natural platform to which we had clambered was thickly overgrown with brambles, through which we soon discovered that it would have been impossible to force our way but for the scythe; and Jupiter, by direction of his master, proceeded to clear for us a path to the foot of an enormously tall tulip tree, which stood, with some eight or ten oaks, upon the level, and far surpassed them all, and all other trees which I had then ever seen, in the beauty of its foliage and form, in the wide spread of its branches, and in the general majesty of its appearance. When we reached this tree, Legrand turned to Jupiter, and asked him if he thought he could climb it. The old man seemed a little staggered by the question, and for some moments made no reply. At length he approached the huge trunk, walked slowly around it, and examined it with minute attention. When he had completed his scrutiny, he merely said: "Yes, massa, Jup climb any tree he ebber see in he life." "Then up with you as soon as possible, for it will soon be too dark to see what we are about." "How far mus' go up, massa?" inquired Jupiter. "Get up the main trunk first, and then I will tell you which way to go--and here--stop! take this beetle with you." "De bug, Massa Will!--de goole-bug!" cried the negro, drawing back in dismay--"what for mus' tote de bug way up de tree?--d--n if I do!" "If you are afraid, Jup, a great big negro like you, to take hold of a harmless little dead beetle, why you can carry it up by this string--but, if you do not take it up with you in some way, I shall be under the necessity of breaking your head with this shovel." "What de matter now, massa?" said Jup, evidently shamed into compliance; "always want for to raise fuss wid old nigger. Was only funnin anyhow. ME feered de bug! what I keer for de bug?" Here he took cautiously hold of the extreme end of the string, and, maintaining the insect as far from his person as circumstances would permit, prepared to ascend the tree. In youth, the tulip tree, or Liriodendron tulipiferum, the most magnificent of American foresters, has a trunk peculiarly smooth, and often rises to a great height without lateral branches; but, in its riper age, the bark becomes gnarled and uneven, while many short limbs make their appearance on the stem. Thus the difficulty of ascension, in the present case, lay more in semblance than in reality. Embracing the huge cylinder, as closely as possible, with his arms and knees, seizing with his hands some projections, and resting his naked toes upon others, Jupiter, after one or two narrow escapes from falling, at length wriggled himself into the first great fork, and seemed to consider the whole business as virtually accomplished. The RISK of the achievement was, in fact, now over, although the climber was some sixty or seventy feet from the ground. "Which way mus' go now, Massa Will?" he asked. "Keep up the largest branch--the one on this side," said Legrand. The negro obeyed him promptly, and apparently with but little trouble; ascending higher and higher, until no glimpse of his squat figure could be obtained through the dense foliage which enveloped it. Presently his voice was heard in a sort of halloo. "How much fudder is got to go?" "How high up are you?" asked Legrand. "Ebber so fur," replied the negro; "can see de sky fru de top oh de tree." "Never mind the sky, but attend to what I say. Look down the trunk and count the limbs below you on this side. How many limbs have you passed?" "One, two, tree, four, fibe--I done pass fibe big limb, massa, 'pon dis side." "Then go one limb higher." In a few minutes the voice was heard again, announcing that the seventh limb was attained. "Now, Jup," cried Legrand, evidently much excited, "I want you to work your way out upon that limb as far as you can. If you see anything strange let me know." By this time what little doubt I might have entertained of my poor friend's insanity was put finally at rest. I had no alternative but to conclude him stricken with lunacy, and I became seriously anxious about getting him home. While I was pondering upon what was best to be done, Jupiter's voice was again heard. "Mos feered for to ventur pon dis limb berry far--'tis dead limb putty much all de way." "Did you say it was a DEAD limb, Jupiter?" cried Legrand in a quavering voice. "Yes, massa, him dead as de door-nail--done up for sartin--done departed dis here life." "What in the name of heaven shall I do?" asked Legrand, seemingly in the greatest distress. "Do!" said I, glad of an opportunity to interpose a word, "why come home and go to bed. Come now!--that's a fine fellow. It's getting late, and, besides, you remember your promise." "Jupiter," cried he, without heeding me in the least, "do you hear me?" "Yes, Massa Will, hear you ebber so plain." "Try the wood well, then, with your knife, and see if you think it VERY rotten." "Him rotten, massa, sure nuff," replied the negro in a few moments, "but not so berry rotten as mought be. Mought venture out leetle way pon de limb by myself, dat's true." "By yourself!--what do you mean?" "Why, I mean de bug. 'Tis BERRY hebby bug. Spose I drop him down fuss, an den de limb won't break wid just de weight of one nigger." "You infernal scoundrel!" cried Legrand, apparently much relieved, "what do you mean by telling me such nonsense as that? As sure as you drop that beetle I'll break your neck. Look here, Jupiter, do you hear me?" "Yes, massa, needn't hollo at poor nigger dat style." "Well! now listen!--if you will venture out on the limb as far as you think safe, and not let go the beetle, I'll make you a present of a silver dollar as soon as you get down." "I'm gwine, Massa Will--deed I is," replied the negro very promptly--"mos out to the eend now." "OUT TO THE END!" here fairly screamed Legrand; "do you say you are out to the end of that limb?" "Soon be to de eend, massa--o-o-o-o-oh! Lor-gol-a-marcy! what IS dis here pon de tree?" "Well!" cried Legrand, highly delighted, "what is it?" "Why 'taint noffin but a skull--somebody bin lef him head up de tree, and de crows done gobble ebery bit ob de meat off." "A skull, you say!--very well,--how is it fastened to the limb?-- what holds it on?" "Sure nuff, massa; mus look. Why dis berry curious sarcumstance, pon my word--dare's a great big nail in de skull, what fastens ob it on to de tree." "Well now, Jupiter, do exactly as I tell you--do you hear?" "Yes, massa." "Pay attention, then--find the left eye of the skull." "Hum! hoo! dat's good! why dey ain't no eye lef at all." "Curse your stupidity! do you know your right hand from your left?" "Yes, I knows dat--knows all about dat--'tis my lef hand what I chops de wood wid." "To be sure! you are left-handed; and your left eye is on the same side as your left hand. Now, I suppose, you can find the left eye of the skull, or the place where the left eye has been. Have you found it?" Here was a long pause. At length the negro asked: "Is de lef eye of de skull pon de same side as de lef hand of de skull too?--cause de skull aint got not a bit oh a hand at all-- nebber mind! I got de lef eye now--here de lef eye! what mus do wid it?" Let the beetle drop through it, as far as the string will reach-- but be careful and not let go your hold of the string." "All dat done, Massa Will; mighty easy ting for to put de bug fru de hole--look out for him dare below!" During this colloquy no portion of Jupiter's person could be seen; but the beetle, which he had suffered to descend, was now visible at the end of the string, and glistened, like a globe of burnished gold, in the last rays of the setting sun, some of which still faintly illumined the eminence upon which we stood. The scarabaeus hung quite clear of any branches, and, if allowed to fall, would have fallen at our feet. Legrand immediately took the scythe, and cleared with it a circular space, three or four yards in diameter, just beneath the insect, and, having accomplished this, ordered Jupiter to let go the string and come down from the tree. Driving a peg, with great nicety, into the ground, at the precise spot where the beetle fell, my friend now produced from his pocket a tape measure. Fastening one end of this at that point of the trunk of the tree which was nearest the peg, he unrolled it till it reached the peg and thence further unrolled it, in the direction already established by the two points of the tree and the peg, for the distance of fifty feet--Jupiter clearing away the brambles with the scythe. At the spot thus attained a second peg was driven, and about this, as a center, a rude circle, about four feet in diameter, described. Taking now a spade himself, and giving one to Jupiter and one to me, Legrand begged us to set about digging as quickly as possible. To speak the truth, I had no especial relish for such amusement at any time, and, at that particular moment, would willingly have declined it; for the night was coming on, and I felt much fatigued with the exercise already taken; but I saw no mode of escape, and was fearful of disturbing my poor friend's equanimity by a refusal. Could I have depended, indeed, upon Jupiter's aid, I would have had no hesitation in attempting to get the lunatic home by force; but I was too well assured of the old negro's disposition, to hope that he would assist me, under any circumstances, in a personal contest with his master. I made no doubt that the latter had been infected with some of the innumerable Southern superstitions about money buried, and that his fantasy had received confirmation by the finding of the scarabaeus, or, perhaps, by Jupiter's obstinacy in maintaining it to be "a bug of real gold." A mind disposed to lunacy would readily be led away by such suggestions--especially if chiming in with favorite preconceived ideas--and then I called to mind the poor fellow's speech about the beetle's being "the index of his fortune." Upon the whole, I was sadly vexed and puzzled, but, at length, I concluded to make a virtue of necessity--to dig with a good will, and thus the sooner to convince the visionary, by ocular demonstration, of the fallacy of the opinion he entertained. The lanterns having been lit, we all fell to work with a zeal worthy a more rational cause; and, as the glare fell upon our persons and implements, I could not help thinking how picturesque a group we composed, and how strange and suspicious our labors must have appeared to any interloper who, by chance, might have stumbled upon our whereabouts. We dug very steadily for two hours. Little was said; and our chief embarrassment lay in the yelpings of the dog, who took exceeding interest in our proceedings. He, at length, became so obstreperous that we grew fearful of his giving the alarm to some stragglers in the vicinity,--or, rather, this was the apprehension of Legrand;-- for myself, I should have rejoiced at any interruption which might have enabled me to get the wanderer home. The noise was, at length, very effectually silenced by Jupiter, who, getting out of the hole with a dogged air of deliberation, tied the brute's mouth up with one of his suspenders, and then returned, with a grave chuckle, to his task. When the time mentioned had expired, we had reached a depth of five feet, and yet no signs of any treasure became manifest. A general pause ensued, and I began to hope that the farce was at an end. Legrand, however, although evidently much disconcerted, wiped his brow thoughtfully and recommenced. We had excavated the entire circle of four feet diameter, and now we slightly enlarged the limit, and went to the farther depth of two feet. Still nothing appeared. The gold-seeker, whom I sincerely pitied, at length clambered from the pit, with the bitterest disappointment imprinted upon every feature, and proceeded, slowly and reluctantly, to put on his coat, which he had thrown off at the beginning of his labor. In the meantime I made no remark. Jupiter, at a signal from his master, began to gather up his tools. This done, and the dog having been unmuzzled, we turned in profound silence toward home. We had taken, perhaps, a dozen steps in this direction, when, with a loud oath, Legrand strode up to Jupiter, and seized him by the collar. The astonished negro opened his eyes and mouth to the fullest extent, let fall the spades, and fell upon his knees. "You scoundrel!" said Legrand, hissing out the syllables from between his clenched teeth--"you infernal black villain!--speak, I tell you!--answer me this instant, without prevarication!--which-- which is your left eye?" "Oh, my golly, Massa Will! aint dis here my lef eye for sartain?" roared the terrified Jupiter, placing his hand upon his RIGHT organ of vision, and holding it there with a desperate pertinacity, as if in immediate, dread of his master's attempt at a gouge. "I thought so!--I knew it! hurrah!" vociferated Legrand, letting the negro go and executing a series of curvets and caracols, much to the astonishment of his valet, who, arising from his knees, looked, mutely, from his master to myself, and then from myself to his master. "Come! we must go back," said the latter, "the game's not up yet;" and he again led the way to the tulip tree. "Jupiter," said he, when we reached its foot, "come here! was the skull nailed to the limb with the face outward, or with the face to the limb?" "De face was out, massa, so dat de crows could get at de eyes good, widout any trouble." "Well, then, was it this eye or that through which you dropped the beetle?" here Legrand touched each of Jupiter's eyes. "'Twas dis eye, massa--de lef eye--jis as you tell me," and here it was his right eye that the negro indicated. "That will do--we must try it again." Here my friend, about whose madness I now saw, or fancied that I saw, certain indications of method, removed the peg which marked the spot where the beetle fell, to a spot about three inches to the westward of its former position. Taking, now, the tape measure from the nearest point of the trunk to the peg, as before, and continuing the extension in a straight line to the distance of fifty feet, a spot was indicated, removed, by several yards, from the point at which we had been digging. Around the new position a circle, somewhat larger than in the former instance, was now described, and we again set to work with the spade. I was dreadfully weary, but, scarcely understanding what had occasioned the change in my thoughts, I felt no longer any great aversion from the labor imposed. I had become most unaccountably interested--nay, even excited. Perhaps there was something, amid all the extravagant demeanor of Legrand--some air of forethought, or of deliberation, which impressed me. I dug eagerly, and now and then caught myself actually looking, with something that very much resembled expectation, for the fancied treasure, the vision of which had demented my unfortunate companion. At a period when such vagaries of thought most fully possessed me, and when we had been at work perhaps an hour and a half, we were again interrupted by the violent howlings of the dog. His uneasiness, in the first instance, had been, evidently, but the result of playfulness or caprice, but he now assumed a bitter and serious tone. Upon Jupiter's again attempting to muzzle him, he made furious resistance, and, leaping into the hole, tore up the mold frantically with his claws. In a few seconds he had uncovered a mass of human bones, forming two complete skeletons, intermingled with several buttons of metal, and what appeared to be the dust of decayed woolen. One or two strokes of a spade upturned the blade of a large Spanish knife, and, as we dug farther, three or four loose pieces of gold and silver coin came to light. At sight of these the joy of Jupiter could scarcely be restrained, but the countenance of his master wore an air of extreme disappointment. He urged us, however, to continue our exertions, and the words were hardly uttered when I stumbled and fell forward, having caught the toe of my boot in a large ring of iron that lay half buried in the loose earth. We now worked in earnest, and never did I pass ten minutes of more intense excitement. During this interval we had fairly unearthed an oblong chest of wood, which, from its perfect preservation and wonderful hardness, had plainly been subjected to some mineralizing process--perhaps that of the bichloride of mercury. This box was three feet and a half long, three feet broad, and two and a half feet deep. It was firmly secured by bands of wrought iron, riveted, and forming a kind of open trelliswork over the whole. On each side of the chest, near the top, were three rings of iron--six in all--by means of which a firm hold could be obtained by six persons. Our utmost united endeavors served only to disturb the coffer very slightly in its bed. We at once saw the impossibility of removing so great a weight. Luckily, the sole fastenings of the lid consisted of two sliding bolts. These we drew back--trembling and panting with anxiety. In an instant, a treasure of incalculable value lay gleaming before us. As the rays of the lanterns fell within the pit, there flashed upward a glow and a glare, from a confused heap of gold and of jewels, that absolutely dazzled our eyes. I shall not pretend to describe the feelings with which I gazed. Amazement was, of course, predominant. Legrand appeared exhausted with excitement, and spoke very few words. Jupiter's countenance wore, for some minutes, as deadly a pallor as it is possible, in the nature of things, for any negro's visage to assume. He seemed stupefied--thunderstricken. Presently he fell upon his knees in the pit, and burying his naked arms up to the elbows in gold, let them there remain, as if enjoying the luxury of a bath. At length, with a deep sigh, he exclaimed, as if in a soliloquy: "And dis all cum of de goole-bug! de putty goole-bug! de poor little goole-bug, what I boosed in that sabage kind oh style! Ain't you shamed oh yourself, nigger?--answer me dat!" It became necessary, at last, that I should arouse both master and valet to the expediency of removing the treasure. It was growing late, and it behooved us to make exertion, that we might get everything housed before daylight. It was difficult to say what should he done, and much time was spent in deliberation--so confused were the ideas of all. We, finally, lightened the box by removing two thirds of its contents, when we were enabled, with some trouble, to raise it from the hole. The articles taken out were deposited among the brambles, and the dog left to guard them, with strict orders from Jupiter neither, upon any pretense, to stir from the spot, nor to open his mouth until our return. We then hurriedly made for home with the chest; reaching the hut in safety, but after excessive toil, at one o'clock in the morning. Worn out as we were, it was not in human nature to do more immediately. We rested until two, and had supper; starting for the hills immediately afterwards, armed with three stout sacks, which, by good luck, were upon the premises. A little before four we arrived at the pit, divided the remainder of the booty, as equally as might be, among us, and, leaving the holes unfilled, again set out for the hut, at which, for the second time, we deposited our golden burdens, just as the first faint streaks of the dawn gleamed from over the treetops in the east. We were now thoroughly broken down; but the intense excitement of the time denied us repose. After an unquiet slumber of some three or four hours' duration, we arose, as if by preconcert, to make examination of our treasure. The chest had been full to the brim, and we spent the whole day, and the greater part of the next night, in a scrutiny of its contents. There had been nothing like order or arrangement. Everything had been heaped in promiscuously. Having assorted all with care, we found ourselves possessed of even vaster wealth than we had at first supposed. In coin there was rather more than four hundred and fifty thousand dollars--estimating the value of the pieces, as accurately as we could, by the tables of the period. There was not a particle of silver. All was gold of antique date and of great variety--French, Spanish, and German money, with a few English guineas, and some counters, of which we had never seen specimens before. There were several very large and heavy coins, so worn that we could make nothing of their inscriptions. There was no American money. The value of the jewels we found more difficulty in estimating. There were diamonds--some of them exceedingly large and fine--a hundred and ten in all, and not one of them small; eighteen rubies of remarkable brilliancy;--three hundred and ten emeralds, all very beautiful; and twenty-one sapphires, with an opal. These stones had all been broken from their settings and thrown loose in the chest. The settings themselves, which we picked out from among the other gold, appeared to have been beaten up with hammers, as if to prevent identification. Besides all this, there was a vast quantity of solid gold ornaments; nearly two hundred massive finger and ears rings; rich chains--thirty of these, if I remember; eighty-three very large and heavy crucifixes; five gold censers of great value; a prodigious golden punch bowl, ornamented with richly chased vine leaves and Bacchanalian figures; with two sword handles exquisitely embossed, and many other smaller articles which I cannot recollect. The weight of these valuables exceeded three hundred and fifty pounds avoirdupois; and in this estimate I have not included one hundred and ninety-seven superb gold watches; three of the number being worth each five hundred dollars, if one. Many of them were very old, and as timekeepers valueless; the works having suffered, more or less, from corrosion--but all were richly jeweled and in cases of great worth. We estimated the entire contents of the chest, that night, at a million and a half of dollars; and upon the subsequent disposal of the trinkets and jewels (a few being retained for our own use), it was found that we had greatly undervalued the treasure. When, at length, we had concluded our examination, and the intense excitement of the time had, in some measure, subsided, Legrand, who saw that I was dying with impatience for a solution of this most extraordinary riddle, entered into a full detail of all the circumstances connected with it. "You remember," said he, "the night when I handed you the rough sketch I had made of the scarabaeus. You recollect, also, that I became quite vexed at you for insisting that my drawing resembled a death's head. When you first made this assertion I thought you were jesting; but afterwards I called to mind the peculiar spots on the back of the insect, and admitted to myself that your remark had some little foundation in fact. Still, the sneer at my graphic powers irritated me--for I am considered a good artist--and, therefore, when you handed me the scrap of parchment, I was about to crumple it up and throw it angrily into the fire." "The scrap of paper, you mean," said I. "No; it had much of the appearance of paper, and at first I supposed it to be such, but when I came to draw upon it, I discovered it at once to be a piece of very thin parchment. It was quite dirty, you remember. Well, as I was in the very act of crumpling it up, my glance fell upon the sketch at which you had been looking, and you may imagine my astonishment when I perceived, in fact, the figure of a death's head just where, it seemed to me, I had made the drawing of the beetle. For a moment I was too much amazed to think with accuracy. I knew that my design was very different in detail from this--although there was a certain similarity in general outline. Presently I took a candle, and seating myself at the other end of the room, proceeded to scrutinize the parchment more closely. Upon turning it over, I saw my own sketch upon the reverse, just as I had made it. My first idea, now, was mere surprise at the really remarkable similarity of outline--at the singular coincidence involved in the fact that, unknown to me, there should have been a skull upon the other side of the parchment, immediately beneath my figure of the scarabaeus, and that this skull, not only in outline, but in size, should so closely resemble my drawing. I say the singularity of this coincidence absolutely stupefied me for a time. This is the usual effect of such coincidences. The mind struggles to establish a connection--a sequence of cause and effect--and, being unable to do so, suffers a species of temporary paralysis. But, when I recovered from this stupor, there dawned upon me gradually a conviction which startled me even far more than the coincidence. I began distinctly, positively, to remember that there had been NO drawing upon the parchment, when I made my sketch of the scarabaeus. I became perfectly certain of this; for I recollected turning up first one side and then the other, in search of the cleanest spot. Had the skull been then there, of course I could not have failed to notice it. Here was indeed a mystery which I felt it impossible to explain; but, even at that early moment, there seemed to glimmer, faintly, within the most remote and secret chambers of my intellect, a glow-wormlike conception of that truth which last night's adventure brought to so magnificent a demonstration. I arose at once, and putting the parchment securely away, dismissed all further reflection until I should be alone. "When you had gone, and when Jupiter was fast asleep, I betook myself to a more methodical investigation of the affair. In the first place I considered the manner in which the parchment had come into my possession. The spot where we discovered the scarabaeus was on the coast of the mainland, about a mile eastward of the island, and but a short distance above high-water mark. Upon my taking hold of it, it gave me a sharp bite, which caused me to let it drop. Jupiter, with his accustomed caution, before seizing the insect, which had flown toward him, looked about him for a leaf, or something of that nature, by which to take hold of it. It was at this moment that his eyes, and mine also, fell upon the scrap of parchment, which I then supposed to be paper. It was lying half buried in the sand, a corner sticking up. Near the spot where we found it, I observed the remnants of the hull of what appeared to have been a ship's longboat. The wreck seemed to have been there for a very great while, for the resemblance to boat timbers could scarcely be traced. "Well, Jupiter picked up the parchment, wrapped the beetle in it, and gave it to me. Soon afterwards we turned to go home, and on the way met Lieutenant G----. I showed him the insect, and he begged me to let him take it to the fort. Upon my consenting, he thrust it forthwith into his waistcoat pocket, without the parchment in which it had been wrapped, and which I had continued to hold in my hand during his inspection. Perhaps he dreaded my changing my mind, and thought it best to make sure of the prize at once--you know how enthusiastic he is on all subjects connected with Natural History. At the same time, without being conscious of it, I must have deposited the parchment in my own pocket. "You remember that when I went to the table, for the purpose of making a sketch of the beetle, I found no paper where it was usually kept. I looked in the drawer, and found none there. I searched my pockets, hoping to find an old letter, when my hand fell upon the parchment. I thus detail the precise mode in which it came into my possession, for the circumstances impressed me with peculiar force. "No doubt you will think me fanciful--but I had already established a kind of CONNECTION. I had put together two links of a great chain. There was a boat lying upon a seacoast, and not far from the boat was a parchment--NOT A PAPER--with a skull depicted upon it. You will, of course, ask 'where is the connection?' I reply that the skull, or death's head, is the well-known emblem of the pirate. The flag of the death's head is hoisted in all engagements. "I have said that the scrap was parchment, and not paper. Parchment is durable--almost imperishable. Matters of little moment are rarely consigned to parchment; since, for the mere ordinary purposes of drawing or writing, it is not nearly so well adapted as paper. This reflection suggested some meaning--some relevancy--in the death's head. I did not fail to observe, also, the FORM of the parchment. Although one of its corners had been, by some accident, destroyed, it could be seen that the original form was oblong. It was just such a slip, indeed, as might have been chosen for a memorandum--for a record of something to be long remembered, and carefully preserved." "But," I interposed, "you say that the skull was NOT upon the parchment when you made the drawing of the beetle. How then do you trace any connection between the boat and the skull--since this latter, according to your own admission, must have been designed (God only knows how or by whom) at some period subsequent to your sketching the scarabaeus?" "Ah, hereupon turns the whole mystery; although the secret, at this point, I had comparatively little difficulty in solving. My steps were sure, and could afford but a single result. I reasoned, for example, thus: When I drew the scarabaeus, there was no skull apparent upon the parchment. When I had completed the drawing I gave it to you, and observed you narrowly until you returned it. YOU, therefore, did not design the skull, and no one else was present to do it. Then it was not done by human agency. And nevertheless it was done. "At this stage of my reflections I endeavored to remember, and DID remember, with entire distinctness, every incident which occurred about the period in question. The weather was chilly (oh, rare and happy accident!), and a fire was blazing upon the hearth. I was heated with exercise and sat near the table. You, however, had drawn a chair close to the chimney. Just as I placed the parchment in your hand, and as you were in the act of inspecting it, Wolf, the Newfoundland, entered, and leaped upon your shoulders. With your left hand you caressed him and kept him off, while your right, holding the parchment, was permitted to fall listlessly between your knees, and in close proximity to the fire. At one moment I thought the blaze had caught it, and was about to caution you, but, before I could speak, you had withdrawn it, and were engaged in its examination. When I considered all these particulars, I doubted not for a moment that HEAT had been the agent in bringing to light, upon the parchment, the skull which I saw designed upon it. You are well aware that chemical preparations exist, and have existed time out of mind, by means of which it is possible to write upon either paper or vellum, so that the characters shall become visible only when subjected to the action of fire. Zaffre, digested in aqua regia, and diluted with four times its weight of water, is sometimes employed; a green tint results. The regulus of cobalt, dissolved in spirit of niter, gives a red. These colors disappear at longer or shorter intervals after the material written upon cools, but again become apparent upon the reapplication of heat. "I now scrutinized the death's head with care. Its outer edges-- the edges of the drawing nearest the edge of the vellum--were far more DISTINCT than the others. It was clear that the action of the caloric had been imperfect or unequal. I immediately kindled a fire, and subjected every portion of the parchment to a glowing heat. At first, the only effect was the strengthening of the faint lines in the skull; but, upon persevering in the experiment, there became visible, at the corner of the slip, diagonally opposite to the spot in which the death's head was delineated, the figure of what I at first supposed to be a goat. A closer scrutiny, however, satisfied me that it was intended for a kid." "Ha! ha!" said I, "to be sure I have no right to laugh at you--a million and a half of money is too serious a matter for mirth--but you are not about to establish a third link in your chain--you will not find any especial connection between your pirates and a goat-- pirates, you know, have nothing to do with goats; they appertain to the farming interest." "But I have just said that the figure was NOT that of a goat." "Well, a kid then--pretty much the same thing." "Pretty much, but not altogether," said Legrand. "You may have heard of one CAPTAIN Kidd. I at once looked upon the figure of the animal as a kind of punning or hieroglyphical signature. I say signature; because its position upon the vellum suggested this idea. The death's head at the corner diagonally opposite, had, in the same manner, the air of a stamp, or seal. But I was sorely put out by the absence of all else--of the body to my imagined instrument--of the text for my context." "I presume you expected to find a letter between the stamp and the signature." "Something of that kind. The fact is, I felt irresistibly impressed with a presentiment of some vast good fortune impending. I can scarcely say why. Perhaps, after all, it was rather a desire than an actual belief;--but do you know that Jupiter's silly words, about the bug being of solid gold, had a remarkable effect upon my fancy? And then the series of accidents and coincidents--these were so VERY extraordinary. Do you observe how mere an accident it was that these events should have occurred upon the SOLE day of all the year in which it has been, or may be sufficiently cool for fire, and that without the fire, or without the intervention of the dog at the precise moment in which he appeared, I should never have become aware of the death's head, and so never the possessor of the treasure?" "But proceed--I am all impatience." "Well; you have heard, of course, the many stories current--the thousand vague rumors afloat about money buried, somewhere upon the Atlantic coast, by Kidd and his associates. These rumors must have had some foundation in fact. And that the rumors have existed so long and so continuous, could have resulted, it appeared to me, only from the circumstance of the buried treasures still REMAINING entombed. Had Kidd concealed his plunder for a time, and afterwards reclaimed it, the rumors would scarcely have reached us in their present unvarying form. You will observe that the stories told are all about money-seekers, not about money-finders. Had the pirate recovered his money, there the affair would have dropped. It seemed to me that some accident--say the loss of a memorandum indicating its locality--had deprived him of the means of recovering it, and that this accident had become known to his followers, who otherwise might never have heard that the treasure had been concealed at all, and who, busying themselves in vain, because unguided, attempts to regain it, had given first birth, and then universal currency, to the reports which are now so common. Have you ever heard of any important treasure being unearthed along the coast?" "Never." "But that Kidd's accumulations were immense, is well known. I took it for granted, therefore, that the earth still held them; and you will scarcely be surprised when I tell you that I felt a hope, nearly amounting to certainty, that the parchment so strangely found involved a lost record of the place of deposit." "But how did you proceed?" "I held the vellum again to the fire, after increasing the heat, but nothing appeared. I now thought it possible that the coating of dirt might have something to do with the failure: so I carefully rinsed the parchment by pouring warm water over it, and, having done this, I placed it in a tin pan, with the skull downward, and put the pan upon a furnace of lighted charcoal. In a few minutes, the pan having become thoroughly heated, I removed the slip, and, to my inexpressible joy, found it spotted, in several places, with what appeared to be figures arranged in lines. Again I placed it in the pan, and suffered it to remain another minute. Upon taking it off, the whole was just as you see it now." Here Legrand, having reheated the parchment, submitted it to my inspection. The following characters were rudely traced, in a red tint, between the death's head and the goat: "53++!305))6*;4826)4+)4+).;806*;48!8]60))85;1+8*:+(;:+*8!83(88)5*!; 46(;88*96*?;8)*+(;485);5*!2:*+(;4956*2(5*-4)8]8*;4069285);)6!8)4++; 1(+9;48081;8:8+1;48!85;4)485!528806*81(+9;48;(88;4(+?34;48)4+;161;: 188;+?;" "But," said I, returning him the slip, "I am as much in the dark as ever. Were all the jewels of Golconda awaiting me upon my solution of this enigma, I am quite sure that I should be unable to earn them." "And yet," said Legrand, "the solution is by no means so difficult as you might be led to imagine from the first hasty inspection of the characters. These characters, as anyone might readily guess, form a cipher--that is to say, they convey a meaning; but then from what is known of Kidd, I could not suppose him capable of constructing any of the more abstruse cryptographs. I made up my mind, at once, that this was of a simple species--such, however, as would appear, to the crude intellect of the sailor, absolutely insoluble without the key." "And you really solved it?" "Readily; I have solved others of an abstruseness ten thousand times greater. Circumstances, and a certain bias of mind, have led me to take interest in such riddles, and it may well be doubted whether human ingenuity can construct an enigma of the kind which human ingenuity may not, by proper application, resolve. In fact, having once established connected and legible characters, I scarcely gave a thought to the mere difficulty of developing their import. "In the present case--indeed in all cases of secret writing--the first question regards the LANGUAGE of the cipher; for the principles of solution, so far, especially, as the more simple ciphers are concerned, depend upon, and are varied by, the genius of the particular idiom. In general, there is no alternative but experiment (directed by probabilities) of every tongue known to him who attempts the solution, until the true one be attained. But, with the cipher now before us, all difficulty was removed by the signature. The pun upon the word 'Kidd' is appreciable in no other language than the English. But for this consideration I should have begun my attempts with the Spanish and French, as the tongues in which a secret of this kind would most naturally have been written by a pirate of the Spanish main. As it was, I assumed the cryptograph to be English. "You observe there are no divisions between the words. Had there been divisions the task would have been comparatively easy. In such cases I should have commenced with a collation and analysis of the shorter words, and, had a word of a single letter occurred, as is most likely, (a or I, for example,) I should have considered the solution as assured. But, there being no division, my first step was to ascertain the predominant letters, as well as the least frequent. Counting all, I constructed a table thus: Of the character 8 there are 33. ; " 26. 4 " 19. +) " 16. * " 13. 5 " 12. 6 " 11. !1 " 8. 0 " 6. 92 " 5. :3 " 4. ? " 3. ] " 2. -. " 1. "Now, in English, the letter which most frequently occurs is e. Afterwards, the succession runs thus: a o i d h n r s t u y c f g l m w b k p q x z. E predominates so remarkably, that an individual sentence of any length is rarely seen, in which it is not the prevailing character. "Here, then, we have, in the very beginning, the groundwork for something more than a mere guess. The general use which may be made of the table is obvious--but, in this particular cipher, we shall only very partially require its aid. As our predominant character is 8, we will commence by assuming it as the e of the natural alphabet. To verify the supposition, let us observe if the 8 be seen often in couples--for e is doubled with great frequency in English--in such words, for example, as 'meet,' 'fleet,' 'speed,' 'seen,' 'been,' 'agree,' etc. In the present instance we see it doubled no less than five times, although the cryptograph is brief. "Let us assume 8, then, as e. Now, of all WORDS in the language, 'the' is most usual; let us see, therefore, whether there are not repetitions of any three characters, in the same order of collocation, the last of them being 8. If we discover repetitions of such letters, so arranged, they will most probably represent the word 'the.' Upon inspection, we find no less than seven such arrangements, the characters being ;48. We may, therefore, assume that ; represents t, 4 represents h, and 8 represents e--the last being now well confirmed. Thus a great step has been taken. "But, having established a single word, we are enabled to establish a vastly important point; that is to say, several commencements and terminations of other words. Let us refer, for example, to the last instance but one, in which the combination ;48 occurs--not far from the end of the cipher. We know that the ; immediately ensuing is the commencement of a word, and, of the six characters succeeding this 'the,' we are cognizant of no less than five. Let us set these characters down, thus, by the letters we know them to represent, leaving a space for the unknown-- t eeth. "Here we are enabled, at once, to discard the 'th,' as forming no portion of the word commencing with the first t; since, by experiment of the entire alphabet for a letter adapted to the vacancy, we perceive that no word can be formed of which this th can be a part. We are thus narrowed into t ee, and, going through the alphabet, if necessary, as before, we arrive at the word 'tree,' as the sole possible reading. We thus gain another letter, r, represented by (, with the words 'the tree' in juxtaposition. "Looking beyond these words, for a short distance, we again see the combination ;48, and employ it by way of TERMINATION to what immediately precedes. We have thus this arrangement: the tree ;4(4+?34 the, or, substituting the natural letters, where known, it reads thus: the tree thr+?3h the. "Now, if, in place of the unknown characters, we leave blank spaces, or substitute dots, we read thus: the tree thr...h the, when the word 'through' makes itself evident at once. But this discovery gives us three new letters, o, u, and g, represented by +, ?, and 3. "Looking now, narrowly, through the cipher for combinations of known characters, we find, not very far from the beginning, this arrangement, 83(88, or egree, which plainly, is the conclusion of the word 'degree,' and gives us another letter, d, represented by !. "Four letters beyond the word 'degree,' we perceive the combination ;46(;88. "Translating the known characters, and representing the unknown by dots, as before, we read thus: th.rtee, an arrangement immediately suggestive of the word thirteen,' and again furnishing us with two new characters, i and n, represented by 6 and *. "Referring, now, to the beginning of the cryptograph, we find the combination, 53++!. "Translating as before, we obtain .good, which assures us that the first letter is A, and that the first two words are 'A good.' "It is now time that we arrange our key, as far as discovered, in a tabular form, to avoid confusion. It will stand thus: 5 represents a ! " d 8 " e 3 " g 4 " h 6 " i * " n + " o ( " r ; " t ? " u "We have, therefore, no less than eleven of the most important letters represented, and it will be unnecessary to proceed with the details of the solution. I have said enough to convince you that ciphers of this nature are readily soluble, and to give you some insight into the rationale of their development. But be assured that the specimen before us appertains to the very simplest species of cryptograph. It now only remains to give you the full translation of the characters upon the parchment, as unriddled. Here it is: "'A good glass in the bishop's hostel in the devil's seat forty-one degrees and thirteen minutes northeast and by north main branch seventh limb east side shoot from the left eye of the death's head a bee-line from the tree through the shot fifty feet out.'" "But," said I, "the enigma seems still in as bad a condition as ever. How is it possible to extort a meaning from all this jargon about 'devil's seats,' 'death's heads,' and 'bishop's hostels'?" "I confess," replied Legrand, "that the matter still wears a serious aspect, when regarded with a casual glance. My first endeavor was to divide the sentence into the natural division intended by the cryptographist." "You mean, to punctuate it?" "Something of that kind." "But how was it possible to effect this?" "I reflected that it had been a POINT with the writer to run his words together without division, so as to increase the difficulty of solution. Now, a not overacute man, in pursuing such an object, would be nearly certain to overdo the matter. When, in the course of his composition, he arrived at a break in his subject which would naturally require a pause, or a point, he would be exceedingly apt to run his characters, at this place, more than usually close together. If you will observe the MS., in the present instance, you will easily detect five such cases of unusual crowding. Acting upon this hint I made the division thus: "'A good glass in the bishop's hostel in the devil's seat--forty- one degrees and thirteen minutes--northeast and by north--main branch seventh limb east side--shoot from the left eye of the death's head--a bee-line from the tree through the shot fifty feet out.'" "Even this division," said I, "leaves me still in the dark." "It left me also in the dark," replied Legrand, "for a few days; during which I made diligent inquiry in the neighborhood of Sullivan's Island, for any building which went by name of the 'Bishop's Hotel'; for, of course, I dropped the obsolete word 'hostel.' Gaining no information on the subject, I was on the point of extending my sphere of search, and proceeding in a more systematic manner, when, one morning, it entered into my head, quite suddenly, that this 'Bishop's Hostel' might have some reference to an old family, of the name of Bessop, which, time out of mind, had held possession of an ancient manor house, about four miles to the northward of the island. I accordingly went over to the plantation, and reinstituted my inquiries among the older negroes of the place. At length one of the most aged of the women said that she had heard of such a place as Bessop's Castle, and thought that she could guide me to it, but that it was not a castle, nor a tavern, but a high rock. "I offered to pay her well for her trouble, and, after some demur, she consented to accompany me to the spot. We found it without much difficulty, when, dismissing her, I proceeded to examine the place. The 'castle' consisted of an irregular assemblage of cliffs and rocks--one of the latter being quite remarkable for its height as well as for its insulated and artificial appearance. I clambered to its apex, and then felt much at a loss as to what should be next done. "While I was busied in reflection, my eyes fell upon a narrow ledge in the eastern face of the rock, perhaps a yard below the summit upon which I stood. This ledge projected about eighteen inches, and was not more than a foot wide, while a niche in the cliff just above it gave it a rude resemblance to one of the hollow-backed chairs used by our ancestors. I made no doubt that here was the 'devil's seat' alluded to in the MS., and now I seemed to grasp the full secret of the riddle. "The 'good glass,' I knew, could have reference to nothing but a telescope; for the word 'glass' is rarely employed in any other sense by seamen. Now here, I at once saw, was a telescope to be used, and a definite point of view, ADMITTING NO VARIATION, from which to use it. Nor did I hesitate to believe that the phrases, 'forty-one degrees and thirteen minutes,' and 'northeast and by north,' were intended as directions for the leveling of the glass. Greatly excited by these discoveries, I hurried home, procured a telescope, and returned to the rock. "I let myself down to the ledge, and found that it was impossible to retain a seat upon it except in one particular position. This fact confirmed my preconceived idea. I proceeded to use the glass. Of course, the 'forty-one degrees and thirteen minutes' could allude to nothing but elevation above the visible horizon, since the horizontal direction was clearly indicated by the words, 'northeast and by north.' This latter direction I at once established by means of a pocket compass; then, pointing the glass as nearly at an angle of forty-one degrees of elevation as I could do it by guess, I moved it cautiously up or down, until my attention was arrested by a circular rift or opening in the foliage of a large tree that overtopped its fellows in the distance. In the center of this rift I perceived a white spot, but could not, at first, distinguish what it was. Adjusting the focus of the telescope, I again looked, and now made it out to be a human skull. "Upon this discovery I was so sanguine as to consider the enigma solved; for the phrase 'main branch, seventh limb, east side,' could refer only to the position of the skull upon the tree, while 'shoot from the left eye of the death's head' admitted, also, of but one interpretation, in regard to a search for buried treasure. I perceived that the design was to drop a bullet from the left eye of the skull, and that a bee-line, or, in other words, a straight line, drawn from the nearest point of the trunk 'through the shot' (or the spot where the bullet fell), and thence extended to a distance of fifty feet, would indicate a definite point--and beneath this point I thought it at least POSSIBLE that a deposit of value lay concealed." "All this," I said, "is exceedingly clear, and, although ingenious, still simple and explicit. When you left the Bishop's Hotel, what then?" "Why, having carefully taken the bearings of the tree, I turned homeward. The instant that I left 'the devil's seat,' however, the circular rift vanished; nor could I get a glimpse of it afterwards, turn as I would. What seems to me the chief ingenuity in this whole business, is the fact (for repeated experiment has convinced me it IS a fact) that the circular opening in question is visible from no other attainable point of view than that afforded by the narrow ledge upon the face of the rock. "In this expedition to the 'Bishop's Hotel' I had been attended by Jupiter, who had, no doubt, observed, for some weeks past, the abstraction of my demeanor, and took especial care not to leave me alone. But, on the next day, getting up very early, I contrived to give him the slip, and went into the hills in search of the tree. After much toil I found it. When I came home at night my valet proposed to give me a flogging. With the rest of the adventure I believe you are as well acquainted as myself." "I suppose," said I, "you missed the spot, in the first attempt at digging, through Jupiter's stupidity in letting the bug fall through the right instead of through the left eye of the skull." "Precisely. This mistake made a difference of about two inches and a half in the 'shot'--that is to say, in the position of the peg nearest the tree; and had the treasure been BENEATH the 'shot,' the error would have been of little moment; but 'the shot,' together with the nearest point of the tree, were merely two points for the establishment of a line of direction; of course the error, however trivial in the beginning, increased as we proceeded with the line, and by the time we had gone fifty feet threw us quite off the scent. But for my deep-seated impressions that treasure was here somewhere actually buried, we might have had all our labor in vain." "But your grandiloquence, and your conduct in swinging the beetle-- how excessively odd! I was sure you were mad. And why did you insist upon letting fall the bug, instead of a bullet, from the skull?" "Why, to be frank, I felt somewhat annoyed by your evident suspicions touching my sanity, and so resolved to punish you quietly, in my own way, by a little bit of sober mystification. For this reason I swung the beetle, and for this reason I let it fall from the tree. An observation of yours about its great weight suggested the latter idea." "Yes, I perceive; and now there is only one point which puzzles me. What are we to make of the skeletons found in the hole?" "That is a question I am no more able to answer than yourself. There seems, however, only one plausible way of accounting for them--and yet it is dreadful to believe in such atrocity as my suggestion would imply. It is clear that Kidd--if Kidd indeed secreted this treasure, which I doubt not--it is clear that he must have had assistance in the labor. But this labor concluded, he may have thought it expedient to remove all participants in his secret. Perhaps a couple of blows with a mattock were sufficient, while his coadjutors were busy in the pit; perhaps it required a dozen--who shall tell?" nettle-4.0/testsuite/gostdsa-keygen-test.c0000644000000000000000000000443215141166425015704 0ustar00#include "testutils.h" #include "gostdsa.h" #include "knuth-lfib.h" void test_main (void) { unsigned i; struct knuth_lfib_ctx rctx; struct dsa_signature signature; struct tstring *digest; knuth_lfib_init (&rctx, 4711); dsa_signature_init (&signature); digest = SHEX (/* sha256("abc") */ "BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; struct ecc_point pub; struct ecc_scalar key; if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* Exclude curve25519 and curve448, not supported with GOSTDSA. */ continue; if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size); ecc_point_init (&pub, ecc); ecc_scalar_init (&key, ecc); ecdsa_generate_keypair (&pub, &key, &rctx, (nettle_random_func *) knuth_lfib_random); if (verbose) { fprintf (stderr, "Public key:\nx = "); write_mpn (stderr, 16, pub.p, ecc->p.size); fprintf (stderr, "\ny = "); write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); fprintf (stderr, "\nPrivate key: "); write_mpn (stderr, 16, key.p, ecc->p.size); fprintf (stderr, "\n"); } if (!test_ecc_point_valid_p (&pub)) die ("gostdsa_generate_keypair produced an invalid point.\n"); gostdsa_sign (&key, &rctx, (nettle_random_func *) knuth_lfib_random, digest->length, digest->data, &signature); if (!gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify failed.\n"); digest->data[3] ^= 17; if (gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify returned success with invalid digest.\n"); digest->data[3] ^= 17; mpz_combit (signature.r, 117); if (gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify returned success with invalid signature.r.\n"); mpz_combit (signature.r, 117); mpz_combit (signature.s, 93); if (gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify returned success with invalid signature.s.\n"); ecc_point_clear (&pub); ecc_scalar_clear (&key); } dsa_signature_clear (&signature); } nettle-4.0/testsuite/gostdsa-sign-test.c0000644000000000000000000000565215141166425015367 0ustar00#include "testutils.h" #include "gostdsa.h" static void test_gostdsa (const struct ecc_curve *ecc, /* Private key */ const char *sz, /* Random nonce */ const char *sk, /* Hash */ const struct tstring *h, /* Expected signature */ const char *r, const char *s) { struct dsa_signature ref; mpz_t t; mpz_t z; mpz_t k; mp_limb_t *rp = xalloc_limbs (ecc->p.size); mp_limb_t *sp = xalloc_limbs (ecc->p.size); mp_limb_t *zp = xalloc_limbs (ecc->p.size); mp_limb_t *kp = xalloc_limbs (ecc->p.size); mp_limb_t *scratch = xalloc_limbs (ecc_gostdsa_sign_itch (ecc)); dsa_signature_init (&ref); mpz_init_set_str (z, sz, 16); mpz_init_set_str (k, sk, 16); mpz_limbs_copy (zp, z, ecc->p.size); mpz_limbs_copy (kp, k, ecc->p.size); ecc_gostdsa_sign (ecc, zp, kp, h->length, h->data, rp, sp, scratch); mpz_set_str (ref.r, r, 16); mpz_set_str (ref.s, s, 16); if (mpz_cmp (ref.r, mpz_roinit_n (t, rp, ecc->p.size)) != 0 || mpz_cmp (ref.s, mpz_roinit_n (t, sp, ecc->p.size)) != 0) { fprintf (stderr, "_gostdsa_sign failed, bit_size = %u\n", ecc->p.bit_size); fprintf (stderr, "r = "); write_mpn (stderr, 16, rp, ecc->p.size); fprintf (stderr, "\ns = "); write_mpn (stderr, 16, sp, ecc->p.size); fprintf (stderr, "\nref.r = "); mpz_out_str (stderr, 16, ref.r); fprintf (stderr, "\nref.s = "); mpz_out_str (stderr, 16, ref.s); fprintf (stderr, "\n"); abort(); } free (rp); free (sp); free (zp); free (kp); free (scratch); dsa_signature_clear (&ref); mpz_clear (k); mpz_clear (z); } void test_main (void) { test_gostdsa (nettle_get_gost_gc256b(), "BFCF1D623E5CDD3032A7C6EABB4A923C46E43D640FFEAAF2C3ED39A8FA399924", /* z */ "5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C", /* k */ SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ "E9323A5E88DD87FB7C724383BFFE7CECD4B9FFA2AC33BEEF73A5A1F743404F6B", /* r */ "5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */ test_gostdsa (nettle_get_gost_gc512a(), "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B", /* z */ "72ABB44536656BF1618CE10BF7EADD40582304A51EE4E2A25A0A32CB0E773ABB" "23B7D8FDD8FA5EEE91B4AE452F2272C86E1E2221215D405F51B5D5015616E1F6", /* k */ SHEX("EDC257BED45FDDE4F1457B7F5B19017A8F204184366689D938532CDBAA5CB29A" "1D369DA57F8B983BE272219BD2C9A4FC57ECF7A77F34EE2E8AA553976A4766C0"), /* h */ "891AA75C2A6F3B4DE27E3903F61CBB0F3F85A4E3C62F39A6E4E84A7477679C6E" "45008DC2774CA2FF64C12C0606FF918CAE3A50115440E9BF2971B627A882A1E8", /* r */ "31065479996DDBDEE180AFE22CA3CDC44B45CE4C6C83909D1D3B702922A32441" "A9E11DCFBEA3D847C06B1A8A38EB1671D6C82FA21B79C99BE2EA809B10DAA5DF"); /* s */ } nettle-4.0/testsuite/gostdsa-verify-test.c0000644000000000000000000000706015141166425015726 0ustar00#include "testutils.h" #include "gostdsa.h" static void test_gostdsa (const struct ecc_curve *ecc, /* Public key */ const char *xs, const char *ys, /* Hash */ struct tstring *h, /* Valid signature */ const char *r, const char *s) { struct ecc_point pub; struct dsa_signature signature; mpz_t x, y; ecc_point_init (&pub, ecc); dsa_signature_init (&signature); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); if (!ecc_point_set (&pub, x, y)) die ("ecc_point_set failed.\n"); mpz_set_str (signature.r, r, 16); mpz_set_str (signature.s, s, 16); if (!gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size); mpz_out_str (stderr, 16, x); fprintf (stderr, "\ny = "); mpz_out_str (stderr, 16, y); fprintf (stderr, "\ndigest "); print_hex (h->length, h->data); fprintf (stderr, "r = "); mpz_out_str (stderr, 16, signature.r); fprintf (stderr, "\ns = "); mpz_out_str (stderr, 16, signature.s); fprintf (stderr, "\n"); abort(); } mpz_combit (signature.r, ecc->p.bit_size / 3); if (gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } mpz_combit (signature.r, ecc->p.bit_size / 3); mpz_combit (signature.s, 4*ecc->p.bit_size / 5); if (gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } mpz_combit (signature.s, 4*ecc->p.bit_size / 5); h->data[2*h->length / 3] ^= 0x40; if (gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } h->data[2*h->length / 3] ^= 0x40; if (!gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify failed, internal testsuite error.\n"); goto fail; } ecc_point_clear (&pub); dsa_signature_clear (&signature); mpz_clear (x); mpz_clear (y); } void test_main (void) { test_gostdsa (nettle_get_gost_gc256b(), "971566CEDA436EE7678F7E07E84EBB7217406C0B4747AA8FD2AB1453C3D0DFBA", /* x */ "AD58736965949F8E59830F8DE20FC6C0D177F6AB599874F1E2E24FF71F9CE643", /* y */ SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ "E9323A5E88DD87FB7C724383BFFE7CECD4B9FFA2AC33BEEF73A5A1F743404F6B", /* r */ "5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */ test_gostdsa (nettle_get_gost_gc512a(), "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40", /* x */ "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1" "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73", /* y */ SHEX("EDC257BED45FDDE4F1457B7F5B19017A8F204184366689D938532CDBAA5CB29A" "1D369DA57F8B983BE272219BD2C9A4FC57ECF7A77F34EE2E8AA553976A4766C0"), /* h */ "891AA75C2A6F3B4DE27E3903F61CBB0F3F85A4E3C62F39A6E4E84A7477679C6E" "45008DC2774CA2FF64C12C0606FF918CAE3A50115440E9BF2971B627A882A1E8", /* r */ "31065479996DDBDEE180AFE22CA3CDC44B45CE4C6C83909D1D3B702922A32441" "A9E11DCFBEA3D847C06B1A8A38EB1671D6C82FA21B79C99BE2EA809B10DAA5DF"); /* s */ } nettle-4.0/testsuite/gostdsa-vko-test.c0000644000000000000000000001470415141166425015224 0ustar00#include "testutils.h" #include "gostdsa.h" #include "streebog.h" static void test_vko (const struct ecc_curve *ecc, const char *priv, const char *x, const char *y, const struct tstring *ukm, const struct nettle_hash *hash, void * hash_ctx, const struct tstring *res) { struct ecc_scalar ecc_key; struct ecc_point ecc_pub; mpz_t temp1, temp2; uint8_t out[128]; size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; ASSERT(out_len <= sizeof(out)); ecc_point_init (&ecc_pub, ecc); mpz_init_set_str (temp1, x, 16); mpz_init_set_str (temp2, y, 16); ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); ecc_scalar_init (&ecc_key, ecc); mpz_set_str (temp1, priv, 16); ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); mpz_clear (temp1); mpz_clear (temp2); gostdsa_vko (&ecc_key, &ecc_pub, ukm->length, ukm->data, out); ecc_scalar_clear (&ecc_key); ecc_point_clear (&ecc_pub); if (hash) { hash->init (hash_ctx); hash->update (hash_ctx, out_len, out); hash->digest (hash_ctx, out); ASSERT (hash->digest_size == res->length); ASSERT (MEMEQ (res->length, out, res->data)); } else { ASSERT (out_len == res->length); ASSERT (MEMEQ (res->length, out, res->data)); } } void test_main (void) { struct streebog256_ctx ctx_256; struct streebog256_ctx ctx_512; /* RFC 7836, App B, provides test vectors, values there are little endian. * * However those test vectors depend on the availability of Streebog hash * functions, which is not available (yet). So these test vectors capture * the VKO value just before hash function. One can verify them by * calculating the Streeebog function and comparing the result with RFC * 7836, App B. */ test_vko(nettle_get_gost_gc512a(), "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", SHEX("1d 80 60 3c 85 44 c7 27"), NULL, NULL, SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); test_vko(nettle_get_gost_gc512a(), "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", SHEX("1d 80 60 3c 85 44 c7 27"), NULL, NULL, SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); /* RFC 7836, App B, 7), values there are little endian, calculation for size A */ test_vko(nettle_get_gost_gc512a(), "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog256, &ctx_256, SHEX("c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21")); /* RFC 7836, App B, 7), values there are little endian, calculation for size B */ test_vko(nettle_get_gost_gc512a(), "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog256, &ctx_256, SHEX("c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21")); /* RFC 7836, App B, 8), values there are little endian, calculation for size A */ test_vko(nettle_get_gost_gc512a(), "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog512, &ctx_512, SHEX("79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa" "7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df")); /* RFC 7836, App B, 8), values there are little endian, calculation for size B */ test_vko(nettle_get_gost_gc512a(), "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog512, &ctx_512, SHEX("79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa" "7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df")); } nettle-4.0/testsuite/gosthash94-test.c0000644000000000000000000000233515141166425014755 0ustar00#include "testutils.h" #include "gosthash94.h" /* Using test vectors from Wikipedia article on GOST */ void test_main(void) { test_hash(&nettle_gosthash94, SDATA("The quick brown fox jumps over the lazy dog"), SHEX("77b7fa410c9ac58a25f49bca7d0468c9296529315eaca76bd1a10f376d1f4294")); test_hash(&nettle_gosthash94, SDATA("message digest"), SHEX("ad4434ecb18f2c99b60cbe59ec3d2469582b65273f48de72db2fde16a4889a4d")); test_hash(&nettle_gosthash94, SDATA("a"), SHEX("d42c539e367c66e9c88a801f6649349c21871b4344c6a573f849fdce62f314dd")); test_hash(&nettle_gosthash94, SDATA(""), SHEX("ce85b99cc46752fffee35cab9a7b0278abb4c2d2055cff685af4912c49490f8d")); test_hash(&nettle_gosthash94cp, SDATA("The quick brown fox jumps over the lazy dog"), SHEX("9004294a361a508c586fe53d1f1b02746765e71b765472786e4770d565830a76")); test_hash(&nettle_gosthash94cp, SDATA("message digest"), SHEX("bc6041dd2aa401ebfa6e9886734174febdb4729aa972d60f549ac39b29721ba0")); test_hash(&nettle_gosthash94cp, SDATA("a"), SHEX("e74c52dd282183bf37af0079c9f78055715a103f17e3133ceff1aacf2f403011")); test_hash(&nettle_gosthash94cp, SDATA(""), SHEX("981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0")); } nettle-4.0/testsuite/hkdf-test.c0000644000000000000000000001324015141166425013671 0ustar00#include "testutils.h" #include "hkdf.h" #include "hmac.h" static void test_hkdf_sha256(const struct tstring *ikm, const struct tstring *salt, const struct tstring *info, const struct tstring *extract_output, const struct tstring *expand_output) { struct hmac_sha256_ctx ctx; uint8_t prk[SHA256_DIGEST_SIZE]; uint8_t *buffer = xalloc(expand_output->length); hmac_sha256_set_key(&ctx, salt->length, salt->data); hkdf_extract(&ctx, (nettle_hash_update_func*) hmac_sha256_update, (nettle_hash_digest_func*) hmac_sha256_digest, ikm->length, ikm->data, prk); if (MEMEQ(SHA256_DIGEST_SIZE, prk, extract_output->data) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(SHA256_DIGEST_SIZE, prk); fprintf(stdout, "\nExpected:\n"); print_hex(extract_output->length, extract_output->data); abort(); } hmac_sha256_set_key(&ctx, SHA256_DIGEST_SIZE, prk); hkdf_expand(&ctx, (nettle_hash_update_func*) hmac_sha256_update, (nettle_hash_digest_func*) hmac_sha256_digest, SHA256_DIGEST_SIZE, info->length, info->data, expand_output->length, buffer); if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(expand_output->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(expand_output->length, expand_output->data); abort(); } free(buffer); } static void test_hkdf_sha1(const struct tstring *ikm, const struct tstring *salt, const struct tstring *info, const struct tstring *extract_output, const struct tstring *expand_output) { struct hmac_sha1_ctx ctx; uint8_t prk[SHA1_DIGEST_SIZE]; uint8_t *buffer = xalloc(expand_output->length); hmac_sha1_set_key(&ctx, salt->length, salt->data); hkdf_extract(&ctx, (nettle_hash_update_func*) hmac_sha1_update, (nettle_hash_digest_func*) hmac_sha1_digest, ikm->length, ikm->data, prk); if (MEMEQ(SHA1_DIGEST_SIZE, prk, extract_output->data) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(SHA1_DIGEST_SIZE, prk); fprintf(stdout, "\nExpected:\n"); print_hex(extract_output->length, extract_output->data); abort(); } hmac_sha1_set_key(&ctx, SHA1_DIGEST_SIZE, prk); hkdf_expand(&ctx, (nettle_hash_update_func*) hmac_sha1_update, (nettle_hash_digest_func*) hmac_sha1_digest, SHA1_DIGEST_SIZE, info->length, info->data, expand_output->length, buffer); if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(expand_output->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(expand_output->length, expand_output->data); abort(); } free(buffer); } void test_main(void) { /* HKDF test vectors from RFC5869 */ test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SHEX("000102030405060708090a0b0c"), SHEX("f0f1f2f3f4f5f6f7f8f9"), SHEX("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"), SHEX("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")); test_hkdf_sha256(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"), SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"), SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"), SHEX("b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87")); test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA(""), SDATA(""), SHEX("19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"), SHEX("8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8")); test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b"), SHEX("000102030405060708090a0b0c"), SHEX("f0f1f2f3f4f5f6f7f8f9"), SHEX("9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"), SHEX("085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896")); test_hkdf_sha1(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"), SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"), SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("8adae09a2a307059478d309b26c4115a224cfaf6"), SHEX("0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4")); test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA(""), SDATA(""), SHEX("da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"), SHEX("0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918")); test_hkdf_sha1(SHEX("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"), SHEX(""), SHEX(""), SHEX("2adccada18779e7c2077ad2eb19d3f3e731385dd"), SHEX("2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48")); } nettle-4.0/testsuite/hmac-test.c0000644000000000000000000010741515141166425013675 0ustar00#include "testutils.h" #include "hmac.h" void test_main (void) { /* Test vectors for md5, from RFC-2202 */ /* md5 - 1 */ test_mac (&nettle_hmac_md5, NULL, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("9294727a3638bb1c 13f48ef8158bfc9d")); /* md5 - 2 */ test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("750c783e6ab0b503 eaa86e310a5db738")); /* md5 - 3 */ test_mac (&nettle_hmac_md5, NULL, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("56be34521d144c88 dbb8c733f0e8b3f6")); /* md5 - 4 */ test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 19"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("697eaf0aca3a3aea 3a75164746ffaa79")); /* md5 - 5 */ test_mac (&nettle_hmac_md5, NULL, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), SHEX("56461ef2342edc00 f9bab995")); /* md5 - 6 */ test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("6b1ab7fe4bd7bf8f 0b62e6ce61b9d0cd")); /* md5 - 7 */ test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger " "Than One Block-Size Data"), SHEX("6f630fad67cda0ee 1fb1f562db3aa53e")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("e84db42a188813f30a15e611d64c7869")); test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("123662062e67c2aab371cc49db0df134")); test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("0a46cc10a49d4b7025c040c597bf5d76")); test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("d1f4d89f0e8b2b6ed0623c99ec298310")); test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("1627207b9bed5009a4f6e9ca8d2ca01e")); test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("922aae6ab3b3a29202e21ce5f916ae9a")); test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("ede9cb83679ba82d88fbeae865b3f8fc")); test_mac (&nettle_hmac_md5, (nettle_hash_update_func*) hmac_md5_set_key, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("939dd45512ee3a594b6654f6b8de27f7")); /* Test vectors for ripemd160, from http://homes.esat.kuleuven.be/~bosselae/ripemd160.html */ test_mac (&nettle_hmac_ripemd160, NULL, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA(""), SHEX("cf387677bfda8483e63b57e06c3b5ecd8b7fc055")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("a"), SHEX("0d351d71b78e36dbb7391c810a0d2b6240ddbafc")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abc"), SHEX("f7ef288cb1bbcc6160d76507e0a3bbf712fb67d6")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("message digest"), SHEX("f83662cc8d339c227e600fcd636c57d2571b1c34")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("843d1c4eb880ac8ac0c9c95696507957d0155ddb")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("60f5ef198a2dd5745545c1f0c47aa3fb5776f881")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("e49c136a9e5627e0681b808a3b97e6a6e661ae79")); /* Other key */ test_mac (&nettle_hmac_ripemd160, NULL, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA(""), SHEX("fe69a66c7423eea9c8fa2eff8d9dafb4f17a62f5")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("a"), SHEX("85743e899bc82dbfa36faaa7a25b7cfd372432cd")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abc"), SHEX("6e4afd501fa6b4a1823ca3b10bd9aa0ba97ba182")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("message digest"), SHEX("2e066e624badb76a184c8f90fba053330e650e92")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("07e942aa4e3cd7c04dedc1d46e2e8cc4c741b3d9")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("b6582318ddcfb67a53a67d676b8ad869aded629a")); test_mac (&nettle_hmac_ripemd160, NULL, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("f1be3ee877703140d34f97ea1ab3a07c141333e2")); /* Test vectors for sha1, from RFC-2202 */ /* sha1 - 1 */ test_mac (&nettle_hmac_sha1, NULL, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b 0b0b0b0b"), SDATA("Hi There"), SHEX("b617318655057264 e28bc0b6fb378c8e f146be00")); /* sha1 - 2 */ test_mac (&nettle_hmac_sha1, (nettle_hash_update_func*) hmac_sha1_set_key, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("effcdf6ae5eb2fa2 d27416d5f184df9c 259a7c79")); /* sha1 - 3 */ test_mac (&nettle_hmac_sha1, NULL, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("125d7342b9ac11cd 91a39af48aa17b4f 63f175d3")); /* sha1 - 4 */ test_mac (&nettle_hmac_sha1, (nettle_hash_update_func*) hmac_sha1_set_key, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 19"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("4c9007f4026250c6 bc8414f9bf50c86c 2d7235da")); /* sha1 - 5 */ test_mac (&nettle_hmac_sha1, NULL, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("4c1a03424b55e07f e7f27be1")); /* sha1 - 6 */ test_mac (&nettle_hmac_sha1, (nettle_hash_update_func*) hmac_sha1_set_key, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("aa4ae5e15272d00e 95705637ce8a3b55 ed402112")); /* sha1 - 7 */ test_mac (&nettle_hmac_sha1, (nettle_hash_update_func*) hmac_sha1_set_key, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger " "Than One Block-Size Data"), SHEX("e8e99d0f45237d78 6d6bbaa7965c7808 bbff1a91")); /* No test vectors for hmac-sha224 with key size = digest size. */ /* Test vectors for sha224, from RFC 4231 */ test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("896fb1128abbdf196832107cd49df33f" "47b4b1169912ba4f53684b22")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("a30e01098bc6dbbf45690f3a7e9e6d0f" "8bbea2a39e6148008fd05e44")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("7fb3cb3588c6c1f6ffa9694d7d6ad264" "9365b0c1f65d69d1ec8333ea")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("6c11506874013cac6a2abc1bb382627c" "ec6a90d86efc012de7afec5a")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("0e2aea68a90c8d37c988bcdb9fca6fa8")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("95e9a0db962095adaebe9b2d6f0dbce2" "d499f112f2d2b7273fa6870e")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("3a854166ac5d9f023f54d517d0b39dbd" "946770db9c2b95c9f6f565d1")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("d12a49ae38177ffeaa548b2148bb5238" "60849772d9391e675b103d89")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("b04ff8522f904f553970bfa8ad3f0086" "bce1e8580affd8a12c94e31a")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("afcfb5511f710334f9350f57faec3c08" "764b4bd126a6840f4347f116")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("9df9907af127900c909376893565c6cf" "2d7db244fdc4277da1e0b679")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("254ebf6b8ddd7a3271b3d9aca1699b0c" "0bfb7df61e8a114922c88d27")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("6ec5bffba5880c3234a6cf257816e4d5" "35ab178a7f12929769e378fb")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("5f768179dbb29ca722875d0f461a2e2f" "597d0210340a84df1a8e9c63")); test_mac (&nettle_hmac_sha224, (nettle_hash_update_func*) hmac_sha224_set_key, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("c7667b0d7e56b2b4f6fcc1d8da9e22da" "a1556f44c47132a87303c6a2")); /* Test vectors for sha256, from RFC 4231 */ test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("b0344c61d8db38535ca8afceaf0bf12b" "881dc200c9833da726e9376c2e32cff7")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("5bdcc146bf60754e6a042426089575c7" "5a003f089d2739839dec58b964ec3843")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("773ea91e36800e46854db8ebd09181a7" "2959098b3ef8c122d9635514ced565fe")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("82558a389a443c0ea4cc819899f2083a" "85f0faa3e578f8077a2e3ff46729665b")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("a3b6167473100ee06e0c796c2955552b")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("60e431591ee0b67f0d8a26aacbf5b77f" "8e0bc6213728c5140546040f0ee37f54")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("9b09ffa71b942fcb27635fbcd5b0e944" "bfdc63644f0713938a7f51535c3a35e2")); /* Test vectors from RFC 4868 */ /* AUTH256-1 */ test_mac (&nettle_hmac_sha256, NULL, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("198a607eb44bfbc6 9903a0f1cf2bbdc5" "ba0aa3f3d9ae3c1c 7a3b1696a0b68cf7")); /* AUTH256-2 */ test_mac (&nettle_hmac_sha256, NULL, SDATA("JefeJefeJefeJefeJefeJefeJefeJefe"), SDATA("what do ya want for nothing?"), SHEX("167f928588c5cc2eef8e3093caa0e87c" "9ff566a14794aa61648d81621a2a40c6")); /* AUTH256-3 */ test_mac (&nettle_hmac_sha256, NULL, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("cdcb1220d1ecccea 91e53aba3092f962" "e549fe6ce9ed7fdc 43191fbde45c30b0")); /* AUTH256-4 */ test_mac (&nettle_hmac_sha256, NULL, SHEX("0102030405060708090a0b0c0d0e0f10" "1112131415161718191a1b1c1d1e1f20"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("372efcf9b40b35c2115b1346903d2ef4" "2fced46f0846e7257bb156d3d7b30d3f")); /* Additional test vectors for sha256, from draft-ietf-ipsec-ciph-sha-256-01.txt */ /* Test Case #1: HMAC-SHA-256 with 3-byte input and 32-byte key */ test_mac (&nettle_hmac_sha256, NULL, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abc"), SHEX("a21b1f5d4cf4f73a 4dd939750f7a066a" "7f98cc131cb16a66 92759021cfab8181")); /* Test Case #2: HMAC-SHA-256 with 56-byte input and 32-byte key */ test_mac (&nettle_hmac_sha256, NULL, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" "ijkljklmklmnlmnomnopnopq"), SHEX("104fdc1257328f08 184ba73131c53cae" "e698e36119421149 ea8c712456697d30")); /* Test Case #3: HMAC-SHA-256 with 112-byte (multi-block) input and 32-byte key */ test_mac (&nettle_hmac_sha256, NULL, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" "ijkljklmklmnlmnomnopnopqabcdbcde" "cdefdefgefghfghighijhijkijkljklm" "klmnlmnomnopnopq"), SHEX("470305fc7e40fe34 d3eeb3e773d95aab" "73acf0fd060447a5 eb4595bf33a9d1a3")); /* Test Case #4: HMAC-SHA-256 with 8-byte input and 32-byte key (same as AUTH256-1, see above) */ /* Test Case #6: HMAC-SHA-256 with 50-byte input and 32-byte key (same as AUTH256-3, see above)*/ /* Test Case #7: HMAC-SHA-256 with 50-byte input and 37-byte key */ test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20" "2122232425"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("d4633c17f6fb8d74 4c66dee0f8f07455" "6ec4af55ef079985 41468eb49bd2e917")); /* Test Case #8: HMAC-SHA-256 with 20-byte input and 32-byte key */ test_mac (&nettle_hmac_sha256, NULL, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c" "0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), SHEX("7546af01841fc09b 1ab9c3749a5f1c17")); /* Test Case #9: HMAC-SHA-256 with 54-byte input and 80-byte key */ test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("6953025ed96f0c09 f80a96f78e6538db" "e2e7b820e3dd970e 7ddd39091b32352f")); /* Test Case #10: HMAC-SHA-256 with 73-byte (multi-block) input and 80-byte key */ test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"), SHEX("6355ac22e890d0a3 c8481a5ca4825bc8" "84d3e7a1ff98a2fc 2ac7d8e064c3b2e6")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("5c780648c90d121c50091c3a0c3afc1f" "4ab847528005d99d9821ad3f341b651a")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("6142364c0646b0cfe426866f21d613e0" "55a136a7d9b45d85685e080a09cec463")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("e49aa7839977e130ad87b63da9d4eb7b" "263cd5a27c54a7604b6044eb35901171")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("e5ef49f545c7af933a9d18c7c562bc91" "08583fd5cf00d9e0db351d6d8f8e41bc")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("373b04877180fea27a41a8fb8f88201c" "a6268411ee3c80b01a424483eb9156e1")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("eb5945d56eefbdb41602946ea6448d53" "86b08d7d801a87f439fab52f8bb9736e")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("3798f363c57afa6edaffe39016ca7bad" "efd1e670afb0e3987194307dec3197db")); test_mac (&nettle_hmac_sha256, (nettle_hash_update_func*) hmac_sha256_set_key, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("c89a7039a62985ff813fe4509b918a43" "6d7b1ffd8778e2c24dec464849fb6128")); /* Test vectors for sha384, from RFC 4231 */ test_mac (&nettle_hmac_sha384, (nettle_hash_update_func*) hmac_sha384_set_key, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("afd03944d84895626b0825f4ab46907f" "15f9dadbe4101ec682aa034c7cebc59c" "faea9ea9076ede7f4af152e8b2fa9cb6")); test_mac (&nettle_hmac_sha384, (nettle_hash_update_func*) hmac_sha384_set_key, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("af45d2e376484031617f78d2b58a6b1b" "9c7ef464f5a01b47e42ec3736322445e" "8e2240ca5e69e2c78b3239ecfab21649")); test_mac (&nettle_hmac_sha384, (nettle_hash_update_func*) hmac_sha384_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("88062608d3e6ad8a0aa2ace014c8a86f" "0aa635d947ac9febe83ef4e55966144b" "2a5ab39dc13814b94e3ab6e101a34f27")); test_mac (&nettle_hmac_sha384, (nettle_hash_update_func*) hmac_sha384_set_key, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("3e8a69b7783c25851933ab6290af6ca7" "7a9981480850009cc5577c6e1f573b4e" "6801dd23c4a7d679ccf8a386c674cffb")); test_mac (&nettle_hmac_sha384, (nettle_hash_update_func*) hmac_sha384_set_key, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("3abf34c3503b2a23a46efc619baef897")); test_mac (&nettle_hmac_sha384, (nettle_hash_update_func*) hmac_sha384_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("4ece084485813e9088d2c63a041bc5b4" "4f9ef1012a2b588f3cd11f05033ac4c6" "0c2ef6ab4030fe8296248df163f44952")); test_mac (&nettle_hmac_sha384, (nettle_hash_update_func*) hmac_sha384_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("6617178e941f020d351e2f254e8fd32c" "602420feb0b8fb9adccebb82461e99c5" "a678cc31e799176d3860e6110c46523e")); /* Test vectors from RFC 4868 */ /* AUTH384-1 */ test_mac (&nettle_hmac_sha384, NULL, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("b6a8d5636f5c6a7224f9977dcf7ee6c7" "fb6d0c48cbdee9737a959796489bddbc" "4c5df61d5b3297b4fb68dab9f1b582c2")); /* AUTH384-2 */ test_mac (&nettle_hmac_sha384, NULL, SDATA("JefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefeJefe"), SDATA("what do ya want for nothing?"), SHEX("2c7353974f1842fd66d53c452ca42122" "b28c0b594cfb184da86a368e9b8e16f5" "349524ca4e82400cbde0686d403371c9")); /* AUTH384-3 */ test_mac (&nettle_hmac_sha384, NULL, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("809f439be00274321d4a538652164b53" "554a508184a0c3160353e3428597003d" "35914a18770f9443987054944b7c4b4a")); /* AUTH384-4 */ test_mac (&nettle_hmac_sha384, NULL, SHEX("0102030405060708090a0b0c0d0e0f10" "1112131415161718191a1b1c1d1e1f20" "0a0b0c0d0e0f10111213141516171819"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("5b540085c6e6358096532b2493609ed1" "cb298f774f87bb5c2ebf182c83cc7428" "707fb92eab2536a5812258228bc96687")); /* Test vectors for sha512, from RFC 4231 */ test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("87aa7cdea5ef619d4ff0b4241a1d6cb0" "2379f4e2ce4ec2787ad0b30545e17cde" "daa833b7d6b8a702038b274eaea3f4e4" "be9d914eeb61f1702e696c203a126854")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("164b7a7bfcf819e2e395fbe73b56e0a3" "87bd64222e831fd610270cd7ea250554" "9758bf75c05a994a6d034f65f8f0e6fd" "caeab1a34d4a6b4b636e070a38bce737")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("fa73b0089d56a284efb0f0756c890be9" "b1b5dbdd8ee81a3655f83e33b2279d39" "bf3e848279a722c806b485a47e67c807" "b946a337bee8942674278859e13292fb")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("b0ba465637458c6990e5a8c5f61d4af7" "e576d97ff94b872de76f8050361ee3db" "a91ca5c11aa25eb4d679275cc5788063" "a5f19741120c4f2de2adebeb10a298dd")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("415fad6271580a531d4179bc891d87a6")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("80b24263c7c1a3ebb71493c1dd7be8b4" "9b46d1f41b4aeec1121b013783f8f352" "6b56d037e05f2598bd0fd2215d6a1e52" "95e64f73f63f0aec8b915a985d786598")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("e37b6a775dc87dbaa4dfa9f96e5e3ffd" "debd71f8867289865df5a32d20cdc944" "b6022cac3c4982b10d5eeb55c3e4de15" "134676fb6de0446065c97440fa8c6a58")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("34316413c2d6940572d0bbbf099d529d" "148b424533cf562bc1b365f530e21a31" "799fc51cef78060cc6f448a8e5d780c2" "6cdf20d4c3e6f27fe5ef576bbd05e855")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("cf1948507378bc3ab58cb6ec87f4d456" "b90d3298395c29873f1ded1e111b50fe" "c336ed24684bf19716efc309212f37aa" "715cfb9ecccf3af13691ded167b4b336")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("b8201784216ce01b83cdd282616c6e89" "644c6dfd1269ed8580bbc39b92add364" "c2b2a2018cffb1915e8625e473b67d0f" "e54a50e475dfa0e2b1a97bac1383792c")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("f097ee08b8c44e847a384f9fd645e35e" "4816baa9791ba39d3dc611210500b044" "873ee296bf1047dc06daa201a5767192" "5b73b4ea59c60114881c8287d0699c83")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("921a441a884b83c76a8526da8e60d60d" "17ded4eee5c29375e0d93717669a4c3e" "eba7473e95f7c1a2a85afc24a0adbc4d" "6c2bdd6ca6cab8b18d19f82d4a6c51bc")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("640054c96f35815095617d0a8c956066" "1a6ff46bfb39110333b2c52c8866abfb" "59d9152c9b0948c1ed65c3fd72a8fb82" "190acc8830770afe5b0c5b6414c75a77")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("835a4f5b3750b4c1fccfa88da2f746a4" "900160c9f18964309bb736c13b59491b" "8e32d37b724cc5aebb0f554c6338a3b5" "94c4ba26862b2dadb59b7ede1d08d53e")); test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("fdf83dc879e3476c8e8aceff2bf6fece" "2e4f39c7e1a167845465bb549dfa5ffe" "997e6c7cf3720eae51ed2b00ad2a8225" "375092290edfa9d48ec7e4bc8e276088")); /* Test vectors from RFC 4868 */ /* AUTH512-1 */ test_mac (&nettle_hmac_sha512, NULL, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("637edc6e01dce7e6742a99451aae82df" "23da3e92439e590e43e761b33e910fb8" "ac2878ebd5803f6f0b61dbce5e251ff8" "789a4722c1be65aea45fd464e89f8f5b")); /* AUTH512-2 */ test_mac (&nettle_hmac_sha512, (nettle_hash_update_func*) hmac_sha512_set_key, SDATA("JefeJefeJefeJefe" "JefeJefeJefeJefe" "JefeJefeJefeJefe" "JefeJefeJefeJefe"), SDATA("what do ya want for nothing?"), SHEX("cb370917ae8a7ce28cfd1d8f4705d614" "1c173b2a9362c15df235dfb251b15454" "6aa334ae9fb9afc2184932d8695e397b" "fa0ffb93466cfcceaae38c833b7dba38")); /* AUTH512-3 */ test_mac (&nettle_hmac_sha512, NULL, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("2ee7acd783624ca9398710f3ee05ae41" "b9f9b0510c87e49e586cc9bf961733d8" "623c7b55cebefccf02d5581acc1c9d5f" "b1ff68a1de45509fbe4da9a433922655")); /* AUTH512-4 (note RFC errata). */ test_mac (&nettle_hmac_sha512, NULL, SHEX("0102030405060708090a0b0c0d0e0f10" "1112131415161718191a1b1c1d1e1f20" "2122232425262728292a2b2c2d2e2f30" "3132333435363738393a3b3c3d3e3f40"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("5e6688e5a3daec826ca32eaea224eff5" "e700628947470e13ad01302561bab108" "b8c48cbc6b807dcfbd850521a685babc" "7eae4a2a2e660dc0e86b931d65503fd2")); test_mac (&nettle_hmac_gosthash94, NULL, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("bfebe25f051bfef6ac858babb0abc409" "bfd2e334ab847bc0b0d056517c7d94c5")); test_mac (&nettle_hmac_gosthash94cp, NULL, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("bad70b61c41095bc47e1141cfaed4272" "6a5ceebd62ce75dbbb9ad76cda9f72f7")); /* RFC 7836 */ test_mac (&nettle_hmac_streebog512, (nettle_hash_update_func*) hmac_streebog512_set_key, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("a59bab22ecae19c65fbde6e5f4e9f5d8" "549d31f037f9df9b905500e171923a77" "3d5f1530f2ed7e964cb2eedc29e9ad2f" "3afe93b2814f79f5000ffc0366c251e6")); test_mac (&nettle_hmac_streebog256, NULL, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("a1aa5f7de402d7b3d323f2991c8d4534" "013137010a83754fd0af6d7cd4922ed9")); test_mac (&nettle_hmac_sm3, (nettle_hash_update_func*) hmac_sm3_set_key, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("7a9388e2ca5343b5d76e7c2c3d84f239" "f306c0b60d5e0dc4d2771e42860a6a2b")); } nettle-4.0/testsuite/knuth-lfib-test.c0000644000000000000000000000046715141166425015027 0ustar00#include "testutils.h" #include "knuth-lfib.h" void test_main(void) { struct knuth_lfib_ctx ctx; uint32_t a[2009]; uint32_t x; unsigned m; knuth_lfib_init(&ctx, 310952); for (m = 0; m<2009; m++) knuth_lfib_get_array(&ctx, 1009, a); x = knuth_lfib_get(&ctx); ASSERT (x == 461390032); } nettle-4.0/testsuite/md2-test.c0000644000000000000000000000160115141166425013435 0ustar00#include "testutils.h" #include "md2.h" void test_main(void) { /* Testcases from RFC 1319 */ test_hash(&nettle_md2, SDATA(""), SHEX("8350e5a3e24c153df2275c9f80692773")); test_hash(&nettle_md2, SDATA("a"), SHEX("32ec01ec4a6dac72c0ab96fb34c0b5d1")); test_hash(&nettle_md2, SDATA("abc"), SHEX("da853b0d3f88d99b30283a69e6ded6bb")); test_hash(&nettle_md2, SDATA("message digest"), SHEX("ab4f496bfb2a530b219ff33031fe06b0")); test_hash(&nettle_md2, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("4e8ddff3650292ab5a4108c3aa47940b")); test_hash(&nettle_md2, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("da33def2a42df13975352846c30338cd")); test_hash(&nettle_md2, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("d5976f79d83d3a0dc9806c3c66f3efd8")); } nettle-4.0/testsuite/md4-test.c0000644000000000000000000000247015141166425013444 0ustar00#include "testutils.h" #include "md4.h" void test_main(void) { /* Testcases from RFC 1320 */ test_hash(&nettle_md4, SDATA(""), SHEX("31d6cfe0d16ae931b73c59d7e0c089c0")); test_hash(&nettle_md4, SDATA("a"), SHEX("bde52cb31de33e46245e05fbdbd6fb24")); test_hash(&nettle_md4, SDATA("abc"), SHEX("a448017aaf21d8525fc10ae87aa6729d")); test_hash(&nettle_md4, SDATA("message digest"), SHEX("d9130a8164549fe818874806e1c7014b")); test_hash(&nettle_md4, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("d79e1c308aa5bbcdeea8ed63df412da9")); test_hash(&nettle_md4, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("043f8582f241db351ce627e153e7f0e4")); test_hash(&nettle_md4, SDATA("12345678901234567890123456789012345678901234567890" "123456789012345678901234567890"), SHEX("e33b4ddc9c38f2199c3e7b164fcc0536")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_md4, SDATA("38"), SHEX("ae9c7ebfb68ea795483d270f5934b71d")); test_hash(&nettle_md4, SDATA("abc"), SHEX("a448017aaf21d8525fc10ae87aa6729d")); test_hash(&nettle_md4, SDATA("message digest"), SHEX("d9130a8164549fe818874806e1c7014b")); test_hash(&nettle_md4, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("d79e1c308aa5bbcdeea8ed63df412da9")); } nettle-4.0/testsuite/md5-test.c0000644000000000000000000001046015141166425013443 0ustar00#include "testutils.h" #include "md5.h" void test_main(void) { test_hash(&nettle_md5, SDATA(""), SHEX("D41D8CD98F00B204 E9800998ECF8427E")); test_hash(&nettle_md5, SDATA("a"), SHEX("0CC175B9C0F1B6A8 31C399E269772661")); test_hash(&nettle_md5, SDATA("abc"), SHEX("900150983cd24fb0 D6963F7D28E17F72")); test_hash(&nettle_md5, SDATA("message digest"), SHEX("F96B697D7CB7938D 525A2F31AAF161D0")); test_hash(&nettle_md5, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("C3FCD3D76192E400 7DFB496CCA67E13B")); test_hash(&nettle_md5, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("D174AB98D277D9F5 A5611C2C9F419D9F")); test_hash(&nettle_md5, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("57EDF4A22BE3C955 AC49DA2E2107B67A")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_md5, SDATA("38"), SHEX("a5771bce93e200c3 6f7cd9dfd0e5deaa")); /* Collisions, reported by Xiaoyun Wang1, Dengguo Feng2, Xuejia Lai3, Hongbo Yu1, http://eprint.iacr.org/2004/199. */ #define M0 \ /* vv */ \ "d131dd02 c5e6eec4 693d9a06 98aff95c 2fcab5 87 12467eab 4004583e b8fb7f89" \ "55ad3406 09f4b302 83e48883 25 71 415a 085125e8 f7cdc99f d91dbd f2 80373c5b" \ /* ^^ ^^ */ #define M1 \ /* vv */ \ "d131dd02 c5e6eec4 693d9a06 98aff95c 2fcab5 07 12467eab 4004583e b8fb7f89" \ "55ad3406 09f4b302 83e48883 25 f1 415a 085125e8 f7cdc99f d91dbd 72 80373c5b" \ /* ^^ ^^ */ #define N0 \ /* vv */ \ "960b1dd1 dc417b9c e4d897f4 5a6555d5 35739a c7 f0ebfd0c 3029f166 d109b18f" \ "75277f79 30d55ceb 22e8adba 79 cc 155c ed74cbdd 5fc5d36d b19b0a d8 35cca7e3" \ /* ^^ ^^ */ #define N1 \ /* vv */ \ "960b1dd1 dc417b9c e4d897f4 5a6555d5 35739a 47 f0ebfd0c 3029f166 d109b18f" \ "75277f79 30d55ceb 22e8adba 79 4c 155c ed74cbdd 5fc5d36d b19b0a 58 35cca7e3" \ /* ^^ ^^ */ /* Note: The checksum in the paper, 1f160396 efc71ff4 bcff659f bf9d0fa3, is incorrect. */ #define H0 "a4c0d35c 95a63a80 5915367d cfe6b751" #define N2 \ /* vv */ \ "d8823e31 56348f5b ae6dacd4 36c919c6 dd53e2 b4 87da03fd 02396306 d248cda0" \ "e99f3342 0f577ee8 ce54b670 80 a8 0d1e c69821bc b6a88393 96f965 2b 6ff72a70" \ /* ^^ ^^ */ #define N3 \ /* vv */ \ "d8823e31 56348f5b ae6dacd4 36c919c6 dd53e2 34 87da03fd 02396306 d248cda0" \ "e99f3342 0f577ee8 ce54b670 80 28 0d1e c69821bc b6a88393 96f965 ab 6ff72a70" \ /* ^^ ^^ */ /* Note: Also different from the checksum in the paper */ #define H1 "79054025 255fb1a2 6e4bc422 aef54eb4" test_hash(&nettle_md5, SHEX(M0 N0), SHEX(H0)); test_hash(&nettle_md5, SHEX(M1 N1), SHEX(H0)); test_hash(&nettle_md5, SHEX(M0 N2), SHEX(H1)); test_hash(&nettle_md5, SHEX(M1 N3), SHEX(H1)); } /* Intermediate values for the single _nettle_md5_compress call for the first test case. Each row gives the values for a, b, c, d after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. i a b c d -1: 67452301 efcdab89 98badcfe 10325476 0: a5202774 efcdab89 98badcfe 10325476 1: a5202774 efcdab89 98badcfe f59592dd 15: f56c7cf1 d6819c6a 5aa53f75 374943a7 16: 1c7d7513 d6819c6a 5aa53f75 374943a7 17: 1c7d7513 d6819c6a 5aa53f75 7bd57a3a 31: 13707036 a2205f1f 1c31c384 ae7813db 32: df63eaa1 a2205f1f 1c31c384 ae7813db 33: df63eaa1 a2205f1f 1c31c384 c3689f5b 47: 3f55edfd ca7d2dbd 68d84ea2 22a31f54 48: 93aa2577 ca7d2dbd 68d84ea2 22a31f54 49: 93aa2577 ca7d2dbd 68d84ea2 1688dc85 63: 7246fad3 14e45506 ff4ea3eb 6e10a476 99: d98c1dd4 4b2008f 980980e9 7e42f8ec */ nettle-4.0/testsuite/memeql-test.c0000644000000000000000000000176215141166425014243 0ustar00#include "testutils.h" #include "knuth-lfib.h" #include "memops.h" static int memeql_sec_for_test(const void *a, const void *b, size_t n) { int res; /* Makes valgrind trigger on any branches depending on the input data. */ mark_bytes_undefined (n, a); mark_bytes_undefined (n, b); res = memeql_sec (a, b, n); mark_bytes_defined (sizeof(res), &res); return res; } #define MAX_SIZE 50 void test_main(void) { uint8_t orig[MAX_SIZE]; uint8_t a[MAX_SIZE]; uint8_t b[MAX_SIZE]; struct knuth_lfib_ctx random_ctx; knuth_lfib_init (&random_ctx, 11); size_t size; for (size = 0; size < 50; size++) { size_t i; uint8_t bit; knuth_lfib_random (&random_ctx, size, orig); memcpy (a, orig, size); memcpy (b, orig, size); ASSERT (memeql_sec_for_test (a, b, size)); for (i = 0; i < size; i++) for (bit = 0x80; bit; bit >>= 1) { b[i] = orig[i] ^ bit; ASSERT (!memeql_sec_for_test (a, b, size)); b[i] = orig[i]; } } } nettle-4.0/testsuite/memxor-test.c0000644000000000000000000001353015141166425014266 0ustar00#include "testutils.h" #include "memxor.h" #define MAX_SIZE 256 #define ALIGN_SIZE 16 #if HAVE_VALGRIND_MEMCHECK_H # include # define ROUND_DOWN(x) ((x) & (-ALIGN_SIZE)) # define ROUND_UP(x) ROUND_DOWN((x)+(ALIGN_SIZE-1)) enum mark_type { MARK_SRC, MARK_DST }; static void test_mark (enum mark_type type, const uint8_t *block, size_t block_size, const uint8_t *p, size_t size) { VALGRIND_MAKE_MEM_NOACCESS(block, p - block); if (type == MARK_DST) VALGRIND_MAKE_MEM_UNDEFINED(p, size); VALGRIND_MAKE_MEM_NOACCESS(p + size, (block + block_size) - (p + size)); } #define test_unmark(block, size) \ VALGRIND_MAKE_MEM_DEFINED((block), (size)) #else # define test_mark(type, block, block_size, start, size) # define test_unmark(block, size) #endif static uint8_t * set_align(uint8_t *buf, unsigned align) { unsigned offset; /* An extra redzone char at the beginning */ buf++; offset = (uintptr_t) (buf) % ALIGN_SIZE; if (offset < align) buf += (align - offset); else if (offset > align) buf += (align + ALIGN_SIZE - offset); return buf; } static void test_memxor (const uint8_t *a, const uint8_t *b, const uint8_t *c, size_t size, unsigned align_dst, unsigned align_src) { uint8_t dst_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t src_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t *dst = set_align (dst_buf, align_dst); uint8_t *src = set_align (src_buf, align_src); if (verbose) fprintf(stderr, "size = %d, align_dst = %d, align_src = %d\n", (int) size, align_dst, align_src); memcpy (dst, a, size); dst[-1] = 17; dst[size] = 17; memcpy (src, b, size); test_mark (MARK_SRC, src_buf, sizeof (src_buf), src, size); test_mark (MARK_SRC, dst_buf, sizeof (dst_buf), dst, size); memxor (dst, src, size); ASSERT (MEMEQ (size, dst, c)); test_unmark(src_buf, sizeof (src_buf)); test_unmark(dst_buf, sizeof (src_buf)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } static void test_memxor3 (const uint8_t *ain, const uint8_t *bin, const uint8_t *c, size_t size, unsigned align_dst, unsigned align_a, unsigned align_b) { uint8_t dst_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t a_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t b_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t *dst = set_align (dst_buf, align_dst); uint8_t *a = set_align (a_buf, align_a); uint8_t *b = set_align (b_buf, align_b); if (verbose) fprintf(stderr, "size = %d, align_dst = %d, align_a = %d, align_b = %d\n", (int) size, align_dst, align_a, align_b); memset (dst, 0, size); dst[-1] = 17; dst[size] = 17; memcpy (a, ain, size); memcpy (b, bin, size); test_mark (MARK_SRC, a_buf, sizeof(a_buf), a, size); test_mark (MARK_SRC, b_buf, sizeof(b_buf), b, size); test_mark (MARK_DST, dst_buf, sizeof(dst_buf), dst, size); memxor3 (dst, a, b, size); ASSERT (MEMEQ (size, dst, c)); test_unmark (a_buf, sizeof(a_buf)); test_unmark (b_buf, sizeof(b_buf)); test_unmark (dst_buf, sizeof(dst_buf)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } void test_main(void) { const uint8_t *a = H("ecc8737f 38f2f9e8 86b9d84c 42a9c7ef" "27a50860 49c6be97 c5cc6c35 3981b367" "f8b4397b 951e3b2f 35749fe1 25884fa6" "9361c97a ab1c6cce 494efb5a 1f108411" "21dc6386 e81b2410 2f04c29d e0ca1135" "c9f96f2e bb5b2e2d 8cb45df9 50c4755a" "362b7ead 4b930010 cbc69834 66221ba8" "c0b8d7ac 7ec3b700 6bdb1a3b 599f3e76" "a7e66a29 ee1fb98c 60a66c9e 0a1d9c49" "6367afc7 362d6ae1 f8799443 17e2b1a1" "ff1cc03c 9e2728ca a1f6598f 5a61bd56" "0826effc f3499da7 119249b6 fd643cd4" "2e7c74b0 f775fda4 a5617138 1e8520bf" "f17de57a decc36b6 9eceee6e d448f592" "be77a67a 1b91a5b3 62fab868 dcb046f6" "394b5335 b2eaa351 fc4456e4 35bb9c54"); const uint8_t *b = H("cac458ad fe87e226 6cb0ce3d cfa5cb3b" "963d0034 5811bb9e acf4675b 7464f800" "4b1bcff2 b2fa5dd0 0576aea6 888b8150" "bcba48f1 49bc33d2 e138b0d0 a29b486e" "f7e143c6 f9959596 6aaa4493 b0bea6f8" "1d778513 a3bfec7e 70cfe6a7 e31ad041" "5fe3371b 63aba991 dab9a3db 66310ebc" "24c2765d a722a131 2fc4d366 1f2e3388" "7e5b26d5 7b34bf4c 655d19da d1335362" "2fbc0d5d cc68c811 ef735c20 352986ef" "f47ac5c9 afa77f5a 20da6dd3 eb9dfb34" "0cdbf792 caf0d633 61d908da a4c0f2a9" "be7a573e 3b8d161c 47fc19be e47d7edc" "e5f00dae f64cbbb4 a081e1f0 381833d8" "30d302ff eed61887 3390d6b2 0048ac32" "9c6b2981 a224dcc1 6b1feebe 15834b1a"); const uint8_t *c = H("260c2bd2 c6751bce ea091671 8d0c0cd4" "b1980854 11d70509 69380b6e 4de54b67" "b3aff689 27e466ff 30023147 ad03cef6" "2fdb818b e2a05f1c a8764b8a bd8bcc7f" "d63d2040 118eb186 45ae860e 5074b7cd" "d48eea3d 18e4c253 fc7bbb5e b3dea51b" "69c849b6 2838a981 117f3bef 00131514" "e47aa1f1 d9e11631 441fc95d 46b10dfe" "d9bd4cfc 952b06c0 05fb7544 db2ecf2b" "4cdba29a fa45a2f0 170ac863 22cb374e" "0b6605f5 31805790 812c345c b1fc4662" "04fd186e 39b94b94 704b416c 59a4ce7d" "9006238e ccf8ebb8 e29d6886 faf85e63" "148de8d4 28808d02 3e4f0f9e ec50c64a" "8ea4a485 f547bd34 516a6eda dcf8eac4" "a5207ab4 10ce7f90 975bb85a 2038d74e"); const int size[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 23, 24, 25, 30, 31, 32, 33, 34, 35, 36, 37, 250, 251, 252, 253,254, 255, 256, -1 }; unsigned i, align_dst, align_a, align_b; for (i = 0; size[i] >= 0; i++) for (align_dst = 0; align_dst < ALIGN_SIZE; align_dst++) for (align_a = 0; align_a < ALIGN_SIZE; align_a++) { test_memxor (a, b, c, size[i], align_dst, align_a); for (align_b = 0; align_b < ALIGN_SIZE; align_b++) test_memxor3 (a, b, c, size[i], align_dst, align_a, align_b); } } nettle-4.0/testsuite/meta-aead-test.c0000644000000000000000000000125515141166425014576 0ustar00#include "testutils.h" #include "nettle-internal.h" #include "nettle-meta.h" const char* aeads[] = { "gcm_aes128", "gcm_aes192", "gcm_aes256", "gcm_camellia128", "gcm_camellia256", "gcm_sm4", "eax_aes128", "chacha_poly1305", }; void test_main(void) { int i,j; int count = sizeof(aeads)/sizeof(*aeads); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_aeads[j]; j++) { if (0 == strcmp(aeads[i], nettle_aeads[j]->name)) break; } ASSERT(NULL != nettle_aeads[j]); /* make sure we found a matching aead */ } j = 0; while (NULL != nettle_aeads[j]) j++; ASSERT(j == count); /* we are not missing testing any aeads */ } nettle-4.0/testsuite/meta-cipher-test.c0000644000000000000000000000174615141166425015163 0ustar00#include "testutils.h" #include "nettle-meta.h" #include "nettle-internal.h" const char* ciphers[] = { "aes128", "aes192", "aes256", "arctwo40", "arctwo64", "arctwo128", "arctwo_gutmann128", "camellia128", "camellia192", "camellia256", "cast128", "serpent128", "serpent192", "serpent256", "twofish128", "twofish192", "twofish256", "sm4" }; void test_main(void) { int i,j; int count = sizeof(ciphers)/sizeof(*ciphers); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_ciphers[j]; j++) { if (0 == strcmp(ciphers[i], nettle_ciphers[j]->name)) break; } ASSERT(NULL != nettle_ciphers[j]); /* make sure we found a matching cipher */ } j = 0; for (j = 0; NULL != nettle_ciphers[j]; j++) { ASSERT(nettle_ciphers[j]->block_size <= NETTLE_MAX_CIPHER_BLOCK_SIZE); ASSERT(nettle_ciphers[j]->key_size <= NETTLE_MAX_CIPHER_KEY_SIZE); } ASSERT(j == count); /* we are not missing testing any ciphers */ } nettle-4.0/testsuite/meta-hash-test.c0000644000000000000000000000172515141166425014631 0ustar00#include "testutils.h" #include "nettle-internal.h" #include "nettle-meta.h" /* For NETTLE_MAX_HASH_CONTEXT_SIZE */ #include "sha3.h" const char* hashes[] = { "gosthash94", "gosthash94cp", "md2", "md4", "md5", "ripemd160", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256", "sha3_224", "sha3_256", "sha3_384", "sha3_512", "streebog256", "streebog512", "sm3", }; void test_main(void) { int i; int count = sizeof(hashes)/sizeof(*hashes); for (i = 0; i < count; i++) { /* make sure we found a matching hash */ ASSERT(nettle_lookup_hash(hashes[i]) != NULL); } for (i = 0; NULL != nettle_hashes[i]; i++) { ASSERT(nettle_hashes[i]->block_size <= NETTLE_MAX_HASH_BLOCK_SIZE); ASSERT(nettle_hashes[i]->digest_size <= NETTLE_MAX_HASH_DIGEST_SIZE); ASSERT(nettle_hashes[i]->context_size <= NETTLE_MAX_HASH_CONTEXT_SIZE); } ASSERT(i == count); /* we are not missing testing any hashes */ } nettle-4.0/testsuite/meta-mac-test.c0000644000000000000000000000137515141166425014447 0ustar00#include "testutils.h" #include "nettle-meta.h" const char* macs[] = { "cmac_aes128", "cmac_aes256", "cmac_des3", "hmac_gosthash94", "hmac_gosthash94cp", "hmac_md5", "hmac_ripemd160", "hmac_sha1", "hmac_sha224", "hmac_sha256", "hmac_sha384", "hmac_sha512", "hmac_streebog256", "hmac_streebog512", "hmac_sm3", }; void test_main(void) { int i, j; int count = sizeof(macs)/sizeof(*macs); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_macs[j]; j++) { if (0 == strcmp(macs[i], nettle_macs[j]->name)) break; } ASSERT(NULL != nettle_macs[j]); /* make sure we found a matching mac */ } i = 0; while (NULL != nettle_macs[i]) i++; ASSERT(i == count); /* we are not missing testing any macs */ } nettle-4.0/testsuite/ocb-test.c0000644000000000000000000004012615141166425013523 0ustar00#include "testutils.h" #include "non-nettle.h" struct ocb_aes128_message_key { struct ocb_aes128_encrypt_key encrypt_key; struct aes128_ctx decrypt_key; }; static void ocb_aes128_set_encrypt_key_wrapper (struct ocb_aes128_message_key *key, const uint8_t *aes_key) { ocb_aes128_set_encrypt_key (&key->encrypt_key, aes_key); } static void ocb_aes128_set_decrypt_key_wrapper (struct ocb_aes128_message_key *key, const uint8_t *aes_key) { ocb_aes128_set_decrypt_key (&key->encrypt_key, &key->decrypt_key, aes_key); } static void ocb_aes128_encrypt_message_wrapper (const struct ocb_aes128_message_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { ocb_aes128_encrypt_message (&key->encrypt_key, nlength, nonce, alength, adata, OCB_DIGEST_SIZE, clength, dst, src); } static int ocb_aes128_decrypt_message_wrapper (const struct ocb_aes128_message_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { return ocb_aes128_decrypt_message (&key->encrypt_key, &key->decrypt_key, nlength, nonce, alength, adata, OCB_DIGEST_SIZE, mlength, dst, src); } static const struct nettle_aead_message ocb_aes128_message = { "ocb_aes128", sizeof(struct ocb_aes128_message_key), AES128_KEY_SIZE, OCB_DIGEST_SIZE, 1, /* Supports in-place operation. */ (nettle_set_key_func*) ocb_aes128_set_encrypt_key_wrapper, (nettle_set_key_func*) ocb_aes128_set_decrypt_key_wrapper, (nettle_encrypt_message_func*) ocb_aes128_encrypt_message_wrapper, (nettle_decrypt_message_func*) ocb_aes128_decrypt_message_wrapper, }; void test_main(void) { /* From RFC 7253 */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221100"), /* nonce */ SHEX("785407BFFFC8AD9EDCC5520AC9111EE6")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("0001020304050607"), /* auth data */ SHEX("0001020304050607"), /* plaintext */ SHEX("6820B3657B6F615A"), /* ciphertext */ SHEX("BBAA99887766554433221101"), /* nonce */ SHEX("5725BDA0D3B4EB3A257C9AF1F8F03009")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("0001020304050607"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221102"), /* nonce */ SHEX("81017F8203F081277152FADE694A0A00")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("0001020304050607"), /* plaintext */ SHEX("45DD69F8F5AAE724"), /* ciphertext */ SHEX("BBAA99887766554433221103"), /* nonce */ SHEX("14054CD1F35D82760B2CD00D2F99BFA9")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F"), /* plaintext */ SHEX("571D535B60B277188BE5147170A9A22C"), /* ciphertext */ SHEX("BBAA99887766554433221104"), /* nonce */ SHEX("3AD7A4FF3835B8C5701C1CCEC8FC3358")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221105"), /* nonce */ SHEX("8CF761B6902EF764462AD86498CA6B97")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F"), /* plaintext */ SHEX("5CE88EC2E0692706A915C00AEB8B2396"), /* ciphertext */ SHEX("BBAA99887766554433221106"), /* nonce */ SHEX("F40E1C743F52436BDF06D8FA1ECA343D")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* plaintext */ SHEX("1CA2207308C87C010756104D8840CE1952F09673A448A122"), /* ciphertext */ SHEX("BBAA99887766554433221107"), /* nonce */ SHEX("C92C62241051F57356D7F3C90BB0E07F")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221108"), /* nonce */ SHEX("6DC225A071FC1B9F7C69F93B0F1E10DE")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* plaintext */ SHEX("221BD0DE7FA6FE993ECCD769460A0AF2D6CDED0C395B1C3C"), /* ciphertext */ SHEX("BBAA99887766554433221109"), /* nonce */ SHEX("E725F32494B9F914D85C0B1EB38357FF")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* plaintext */ SHEX("BD6F6C496201C69296C11EFD138A467ABD3C707924B964DE" "AFFC40319AF5A485"), /* ciphertext */ SHEX("BBAA9988776655443322110A"), /* nonce */ SHEX("40FBBA186C5553C68AD9F592A79A4240")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA9988776655443322110B"), /* nonce */ SHEX("FE80690BEE8A485D11F32965BC9D2A32")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* plaintext */ SHEX("2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973792EF4" "6040C53F1432BCDF"), /* ciphertext */ SHEX("BBAA9988776655443322110C"), /* nonce */ SHEX("B5E1DDE3BC18A5F840B52E653444D5DF")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* plaintext */ SHEX("D5CA91748410C1751FF8A2F618255B68A0A12E093FF45460" "6E59F9C1D0DDC54B65E8628E568BAD7A"), /* ciphertext */ SHEX("BBAA9988776655443322110D"), /* nonce */ SHEX("ED07BA06A4A69483A7035490C5769E60")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA9988776655443322110E"), /* nonce */ SHEX("C5CD9D1850C141E358649994EE701B68")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* plaintext */ SHEX("4412923493C57D5DE0D700F753CCE0D1D2D95060122E9F15" "A5DDBFC5787E50B5CC55EE507BCB084E"), /* ciphertext */ SHEX("BBAA9988776655443322110F"), /* nonce */ SHEX("479AD363AC366B95 A98CA5F3000B1479")); /* tag */ /* Test with 96-bit tag. */ test_aead(&nettle_ocb_aes128_t96, NULL, SHEX("0F0E0D0C0B0A09080706050403020100"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* plaintext */ SHEX("1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1" "A0124B0A55BAE884ED93481529C76B6A"), /* ciphertext */ SHEX("BBAA9988776655443322110D"), /* nonce */ SHEX("D0C515F4D1CDD4FDAC4F02AA")); /* tag */ /* 16 blocks, not verified with other implementations or any authoritative test vector. */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("4412923493c57d5d e0d700f753cce0d1" "d2d95060122e9f15 a5ddbfc5787e50b5" "11dfb888da244711 f051dbce82b0b9a7" "cb14869b164e55eb 578e41fa435ff220" "25ed114f6ec18cd6 7b743ab299e596f6" "6100fba539db164d 765eaff0bf489ace" "90ff6af96d1c395b 8dd586b154a0ecea" "504395c5592cf2f0 03a3878585a0bfd3" "b4039d15bc47a6d6 4a51f7302a976bb0" "175167bcb5d8f071 a3faff70544ab2ba" "52947d35d6e545e9 bda57b3972ecad10" "f0e85aec389f4276 2e58978918d4c285" "c2088ca8ac48095c 976065aa47766756" "7a507bab08315b2e 36327e8103a6a70d" "7f9f5318684697b2 bf95d65fa5458e6e" "f40a974cb940e8fd 63baf0ce96773279"), SHEX("BBAA9988776655443322110F"), /* nonce */ SHEX("3aa4f4e4b4ff142c 9357291589fa25d8")); /* tag */ /* 16 complete blocks + left-over bytes, not verified with other implementations or any authoritative test vector. */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff" "deadbeaf"), SHEX("4412923493c57d5d e0d700f753cce0d1" "d2d95060122e9f15 a5ddbfc5787e50b5" "11dfb888da244711 f051dbce82b0b9a7" "cb14869b164e55eb 578e41fa435ff220" "25ed114f6ec18cd6 7b743ab299e596f6" "6100fba539db164d 765eaff0bf489ace" "90ff6af96d1c395b 8dd586b154a0ecea" "504395c5592cf2f0 03a3878585a0bfd3" "b4039d15bc47a6d6 4a51f7302a976bb0" "175167bcb5d8f071 a3faff70544ab2ba" "52947d35d6e545e9 bda57b3972ecad10" "f0e85aec389f4276 2e58978918d4c285" "c2088ca8ac48095c 976065aa47766756" "7a507bab08315b2e 36327e8103a6a70d" "7f9f5318684697b2 bf95d65fa5458e6e" "f40a974cb940e8fd 63baf0ce96773279" "1dd97611"), SHEX("BBAA9988776655443322110F"), /* nonce */ SHEX("8a24edb596b59425 43ec197d5369979b")); /* tag */ /* Test the all-in-one message functions. */ test_aead_message(&ocb_aes128_message, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("BBAA99887766554433221100"), /* nonce */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX("785407BFFFC8AD9EDCC5520AC9111EE6")); test_aead_message(&ocb_aes128_message, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("BBAA99887766554433221101"), /* nonce */ SHEX("0001020304050607"), /* auth data */ SHEX("0001020304050607"), /* plaintext */ SHEX("6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009")); /* ciphertext */ /* Test-vector from libgcrypt:tests/basic.c: */ test_aead(&nettle_ocb_aes128_t96, NULL, SHEX("0F0E0D0C0B0A09080706050403020100"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ /* test vector for checksumming */ SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "04000000000000000000000000000000" "08000000000000000000000000000000" "10000000000000000000000000000000" "20000000000000000000000000000000" "40000000000000000000000000000000" "80000000000000000000000000000000" "00010000000000000000000000000000" "00020000000000000000000000000000" "00040000000000000000000000000000" "00080000000000000000000000000000" "00100000000000000000000000000000" "00200000000000000000000000000000" "00400000000000000000000000000000" "00800000000000000000000000000000" "00000100000000000000000000000000" "00000200000000000000000000000000" "00000400000000000000000000000000" "00000800000000000000000000000000" "00001000000000000000000000000000" "00002000000000000000000000000000" "00004000000000000000000000000000" "00008000000000000000000000000000" "00000001000000000000000000000000" "00000002000000000000000000000000" "00000004000000000000000000000000" "00000008000000000000000000000000" "00000010000000000000000000000000" "00000020000000000000000000000000" "00000040000000000000000000000000" "00000080000000000000000000000000" "00000000010000000000000000000000" "00000000020000000000000000000000" "00000000040000000000000000000000" "00000000080000000000000000000000" "00000000100000000000000000000000" "00000000200000000000000000000000" "00000000400000000000000000000000" "00000000800000000000000000000000" "00000000000100000000000000000000" "00000000000200000000000000000000" "00000000000400000000000000000000" "00000000000800000000000000000000" "00000000001000000000000000000000" "00000000002000000000000000000000" "00000000004000000000000000000000" "00000000008000000000000000000000"), /* plaintext */ SHEX("01105c6e36f6ac480f022c51e31ed702" "90fda4b7b783194d4b4be8e4e1e2dff4" "6a0804d1c5f9f808ea7933e31c063233" "2bf65a22b20bb13cde3b80b3682ba965" "b1207c58916f7856fa9968b410e50dee" "98b35c071163d1b352b9bbccd09fde29" "b850f40e71a8ae7d2e2d577f5ee39c46" "7fa28130b50a123c29958e4665dda9a5" "e0793997f8f19633a96392141d6e0e88" "77850ed4364065d1d2f8746e2f1d5fd1" "996cdde03215306503a30e41f58ef3c4" "400365cfea4fa6381157c12a46598edf" "18604854462ec66e3d3cf26d4723cb6a" "9d801095048086a606fdb9192760889b" "a8ce2e70e1b55a469137a9e2e6734565" "283cb1e2c74f37e0854d03e33f8ba499" "ef5d9af4edfce077c6280338f0a64286" "2e6bc27ebd5a4c91b3778e22631251c8" "c5bb75a10945597a9d6c274fc82d3338" "b403a0a549d1375f26e71ef22bce0941" "93ea87e2ed72fce0546148c351eec3be" "867bb1b96070c377fff3c98e21562beb" "475cfe28abcaaedf49981f6599b15140" "ea6130d24407079f18ba9d4a8960b082" "b39c57320e2e064f02fde88c23112146" "1cac3655868aef584714826ee4f361fb" "e6d692e1589cbb9dd3c74fa628df2a1f" "3b0029b1d62b7e9978013ed3c793c1dd" "1f184c8f7022a853cac40b74ac749aa3" "f33f0d14732dfda0f2c3c20591bf1f5a" "710ec0d0bca342baa5146068a78ff58c" "66316312b7a98af35a0f4e92799b4047" "f047ae61f25c28d232ce5c168cc745d6" "6da13cb0f9e38a696635dba7a21571cf" "cd64ec8cc33db7879f59a90d9edd00f6" "a899e39ab36b9269a3ac04ebad9326bf" "53cd9b400168a61714cd628a4056d236" "bd8622c76daa54cb65f5db2fe03bafbe" "0b23549ae31136f607293e8093a21934" "74fd5e9c2451b4c8e0499e6ad34fafc8" "ab77722a282f7f84b14ddebf7e696300" "c1ef92d4a0263c6cca104530f996e272" "f58992ff68d642b071a5848dc4acf2ae" "28fb1f27ae0f297d5136a7a0a4a03e89" "b588755b8217a1c62773790e69261269" "19f45daf7b3ccf18e3fc590a9a0e172f" "033ac4d13c3decc4c62d7de718ace802" "140452dc850989f6762e3578bbb04be3"), /* ciphertext */ SHEX("BBAA9988776655443322110D"), /* nonce */ SHEX("1a237c599c4649f4e586b2de")); /* tag */ } nettle-4.0/testsuite/pbkdf2-test.c0000644000000000000000000001732015141166425014130 0ustar00#include "testutils.h" #include "hmac.h" #include "pbkdf2.h" /* NOTE: The salt argument is expected to expand to length, data */ #define PBKDF2_TEST(ctx, update, digest, size, c, salt, expect) \ do { \ dk[expect->length] = 17; \ PBKDF2 (ctx, update, digest, size, c, salt, expect->length, dk); \ ASSERT(MEMEQ (expect->length, dk, expect->data)); \ ASSERT(dk[expect->length] == 17); \ } while (0) #define PBKDF2_HMAC_TEST(f, key, c, salt, expect) \ do { \ dk[expect->length] = 17; \ f (key, c, salt, expect->length, dk); \ ASSERT(MEMEQ (expect->length, dk, expect->data)); \ ASSERT(dk[expect->length] == 17); \ } while (0) /* Streebog test has particularly long testcase */ #define MAX_DKLEN 100 void test_main (void) { uint8_t dk[MAX_DKLEN + 1]; struct hmac_sha1_ctx sha1ctx; struct hmac_sha256_ctx sha256ctx; struct hmac_sha512_ctx sha512ctx; struct hmac_gosthash94cp_ctx gosthash94cpctx; struct hmac_streebog512_ctx streebog512ctx; struct hmac_streebog256_ctx streebog256ctx; /* Test vectors for PBKDF2 from RFC 6070. */ hmac_sha1_set_key (&sha1ctx, LDATA("password")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 1, LDATA("salt"), SHEX("0c60c80f961f0e71f3a9b524af6012062fe037a6")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 2, LDATA("salt"), SHEX("ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("salt"), SHEX("4b007901b765489abead49d926f721d065a429c1")); #if 0 /* too slow */ PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 16777216, LDATA("salt"), SHEX("eefe3d61cd4da4e4e9945b3d6ba2158c2634e984")); #endif hmac_sha1_set_key (&sha1ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), SHEX("3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038")); hmac_sha1_set_key (&sha1ctx, LDATA("pass\0word")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("56fa6aa75548099dcc37d7f03425e0c3")); /* PBKDF2-HMAC-SHA-256 test vectors confirmed with another implementation. */ hmac_sha256_set_key (&sha256ctx, LDATA("passwd")); PBKDF2_TEST (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, 1, LDATA("salt"), SHEX("55ac046e56e3089fec1691c22544b605")); hmac_sha256_set_key (&sha256ctx, LDATA("Password")); PBKDF2_TEST (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, 80000, LDATA("NaCl"), SHEX("4ddcd8f60b98be21830cee5ef22701f9")); /* PBKDF2-HMAC-SHA-512 test vectors confirmed with another implementation (python-pbkdf2). >>> from pbkdf2 import PBKDF2 >>> import hmac as HMAC >>> from hashlib import sha512 as SHA512 >>> PBKDF2("password", "salt", 50, macmodule=HMAC, digestmodule=SHA512).read(64).encode('hex') */ hmac_sha512_set_key (&sha512ctx, LDATA("password")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 1, LDATA("NaCL"), SHEX("73decfa58aa2e84f94771a75736bb88bd3c7b38270cfb50cb390ed78b305656af8148e52452b2216b2b8098b761fc6336060a09f76415e9f71ea47f9e9064306")); hmac_sha512_set_key (&sha512ctx, LDATA("pass\0word")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 1, LDATA("sa\0lt"), SHEX("71a0ec842abd5c678bcfd145f09d83522f93361560563c4d0d63b88329871090e76604a49af08fe7c9f57156c8790996b20f06bc535e5ab5440df7e878296fa7")); hmac_sha512_set_key (&sha512ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 50, LDATA("salt\0\0\0"), SHEX("016871a4c4b75f96857fd2b9f8ca28023b30ee2a39f5adcac8c9375f9bda1ccd1b6f0b2fc3adda505412e79d890056c62e524c7d51154b1a8534575bd02dee39")); /* Test convenience functions. */ PBKDF2_HMAC_TEST(pbkdf2_hmac_sha1, LDATA("password"), 1, LDATA("salt"), SHEX("0c60c80f961f0e71f3a9b524af6012062fe037a6")); PBKDF2_HMAC_TEST(pbkdf2_hmac_sha256, LDATA("passwd"), 1, LDATA("salt"), SHEX("55ac046e56e3089fec1691c22544b605")); PBKDF2_HMAC_TEST(pbkdf2_hmac_sha384, LDATA("passwd"), 1, LDATA("salt"), SHEX("cd3443723a41cf1460cca9efeede428a")); PBKDF2_HMAC_TEST(pbkdf2_hmac_sha512, LDATA("passwd"), 1, LDATA("salt"), SHEX("c74319d99499fc3e9013acff597c23c5")); /* From TC26 document, MR 26.2.001-2012 */ hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("password")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 1, LDATA("salt"), SHEX("7314e7c04fb2e662c543674253f68bd0b73445d07f241bed872882da21662d58")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("salt"), SHEX("1f1829a94bdff5be10d0aeb36af498e7a97467f3b31116a5a7c1afff9deadafe")); hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), SHEX("788358c69cb2dbe251a7bb17d5f4241f265a792a35becde8d56f326b49c85047b7638acb4764b1fd")); hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("pass\0word")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("43e06c5590b08c0225242373127edf9c8e9c3291")); PBKDF2_HMAC_TEST (pbkdf2_hmac_gosthash94cp, LDATA("password"), 1, LDATA("salt"), SHEX("7314e7c04fb2e662c543674253f68bd0b73445d07f241bed872882da21662d58")); /* From TC26 document R 50.1.111-2016 */ hmac_streebog512_set_key (&streebog512ctx, LDATA("password")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 1, LDATA("salt"), SHEX("64770af7f748c3b1c9ac831dbcfd85c26111b30a8a657ddc3056b80ca73e040d2854fd36811f6d825cc4ab66ec0a68a490a9e5cf5156b3a2b7eecddbf9a16b47")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 4096, LDATA("salt"), SHEX("e52deb9a2d2aaff4e2ac9d47a41f34c20376591c67807f0477e32549dc341bc7867c09841b6d58e29d0347c996301d55df0d34e47cf68f4e3c2cdaf1d9ab86c3")); hmac_streebog512_set_key (&streebog512ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), SHEX("b2d8f1245fc4d29274802057e4b54e0a0753aa22fc53760b301cf008679e58fe4bee9addcae99ba2b0b20f431a9c5e50f395" "c89387d0945aedeca6eb4015dfc2bd2421ee9bb71183ba882ceebfef259f33f9e27dc6178cb89dc37428cf9cc52a2baa2d3a")); hmac_streebog512_set_key (&streebog512ctx, LDATA("pass\0word")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("50df062885b69801a3c10248eb0a27ab6e522ffeb20c991c660f001475d73a4e167f782c18e97e92976d9c1d970831ea78ccb879f67068cdac1910740844e830")); /* Generated */ hmac_streebog256_set_key (&streebog256ctx, LDATA("password")); PBKDF2_TEST (&streebog256ctx, hmac_streebog256_update, hmac_streebog256_digest, STREEBOG256_DIGEST_SIZE, 1, LDATA("salt"), SHEX("d789458d143b9abebc4ef63ca8e576c72b13c7d4289db23fc1e946f84cd605bc")); } nettle-4.0/testsuite/pkcs1-sec-decrypt-test.c0000644000000000000000000000416715141166425016226 0ustar00#include "testutils.h" #include "pkcs1-internal.h" static int pkcs1_decrypt_for_test(size_t msg_len, uint8_t *msg, size_t pad_len, uint8_t *pad) { int ret; mark_bytes_undefined (msg_len, msg); mark_bytes_undefined (pad_len, pad); ret = _pkcs1_sec_decrypt (msg_len, msg, pad_len, pad); mark_bytes_defined (msg_len, msg); mark_bytes_defined (pad_len, pad); mark_bytes_defined (sizeof (ret), &ret); return ret; } void test_main(void) { uint8_t pad[128]; uint8_t buffer[] = "\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x00\x53\x49\x47\x4e\x45\x44\x20\x4d\x45\x53\x53\x41\x47\x45\x2e"; uint8_t message[15]; memcpy(pad, buffer, 128); memset (message, 'A', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 1); ASSERT (memcmp (message, "SIGNED MESSAGE.", 15) == 0); /* break format byte 1 */ memcpy(pad, buffer, 128); pad[0] = 1; memset (message, 'B', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "BBBBBBBBBBBBBBB", 15) == 0); /* break format byte 2 */ memcpy(pad, buffer, 128); pad[1] = 1; memset (message, 'C', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "CCCCCCCCCCCCCCC", 15) == 0); /* break padding */ memcpy(pad, buffer, 128); pad[24] = 0; memset (message, 'D', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "DDDDDDDDDDDDDDD", 15) == 0); /* break terminator */ memcpy(pad, buffer, 128); pad[112] = 1; memset (message, 'E', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "EEEEEEEEEEEEEEE", 15) == 0); } nettle-4.0/testsuite/pkcs1-test.c0000644000000000000000000000056615141166425014005 0ustar00#include "testutils.h" #include "pkcs1.h" #include "hogweed-internal.h" void test_main(void) { uint8_t buffer[16]; uint8_t expected[16] = { 0, 1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0, 'a', 'b', 'c' }; _pkcs1_signature_prefix(sizeof(buffer), buffer, LDATA("abc"), 0); ASSERT(MEMEQ(sizeof(buffer), buffer, expected)); } nettle-4.0/testsuite/poly1305-test.c0000644000000000000000000001556015141166425014260 0ustar00#include "testutils.h" #include "poly1305.h" #include "poly1305-internal.h" #include "knuth-lfib.h" static void check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, const struct tstring *msg, const struct tstring *ref) { uint8_t tag[16]; ASSERT (ref->length == POLY1305_AES_DIGEST_SIZE); f(ctx, tag); if (!MEMEQ(ref->length, ref->data, tag)) { printf ("%s failed\n", name); printf ("msg: "); print_hex (msg->length, msg->data); printf ("length: %u\n", (unsigned) msg->length); printf ("tag: "); print_hex (ref->length, tag); printf ("ref: "); print_hex (ref->length, ref->data); abort (); } } static void test_poly1305 (const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, const struct tstring *ref) { struct poly1305_aes_ctx ctx; ASSERT (key->length == POLY1305_AES_KEY_SIZE); ASSERT (ref->length == POLY1305_AES_DIGEST_SIZE); poly1305_aes_set_key (&ctx, key->data); poly1305_aes_set_nonce (&ctx, nonce->data); poly1305_aes_update(&ctx, msg->length, msg->data); check_digest ("poly1305-aes", &ctx, (nettle_hash_digest_func *) poly1305_aes_digest, msg, ref); } static void poly1305_internal (const uint8_t key[16], size_t length, const uint8_t *message, union nettle_block16 *nonce) { struct poly1305_ctx ctx; _nettle_poly1305_set_key (&ctx, key); for ( ; length >= 16; length -= 16, message += 16) _nettle_poly1305_block (&ctx, message, 1); if (length > 0) { uint8_t block[16]; memcpy (block, message, length); block[length] = 1; memset (block + length + 1, 0, sizeof(block) - 1 - length); _nettle_poly1305_block (&ctx, block, 0); } _nettle_poly1305_digest (&ctx, nonce); } static void ref_poly1305_internal (const uint8_t key[16], size_t length, const uint8_t *message, union nettle_block16 *nonce) { uint8_t block[16]; mpz_t p; mpz_t h; mpz_t r; mpz_t m; mpz_init_set_ui (p, 1); mpz_init (r); mpz_init_set_ui (h, 0); mpz_init (m); mpz_mul_2exp (p, p, 130); mpz_sub_ui (p, p, 5); memcpy (block, key, sizeof(block)); block[3] &= 0x0f; block[4] &= 0xfc; block[7] &= 0x0f; block[8] &= 0xfc; block[11] &= 0x0f; block[12] &= 0xfc; block[15] &= 0x0f; /* Little-endian load */ mpz_import (r, 16, -1, 1, 0, 0, block); for ( ; length >= 16; length -= 16, message += 16) { mpz_import (m, 16, -1, 1, 0, 0, message); mpz_setbit (m, 128); mpz_add (h, h, m); mpz_mul (h, h, r); mpz_mod (h, h, p); } if (length > 0) { mpz_import (m, length, -1, 1, 0, 0, message); mpz_setbit (m, length * 8); mpz_add (h, h, m); mpz_mul (h, h, r); mpz_mod (h, h, p); } mpz_import (m, 16, -1, 1, 0, 0, nonce->b); mpz_add (h, h, m); mpz_fdiv_r_2exp (h, h, 128); memset (nonce->b, 0, 16); mpz_export (nonce->b, NULL, -1, 1, 0, 0, h); mpz_clear (p); mpz_clear (r); mpz_clear (h); mpz_clear (m); } static void test_poly1305_internal (const uint8_t key[16], size_t length, const uint8_t *message, const uint8_t nonce[16], const uint8_t ref[16]) { union nettle_block16 digest; memcpy (digest.b, nonce, sizeof(digest.b)); poly1305_internal (key, length, message, &digest); if (!MEMEQ (sizeof(digest.b), digest.b, ref)) { printf ("poly1305_internal failed\n"); printf ("key: "); print_hex (16, key); printf ("nonce: "); print_hex (16, nonce); printf ("msg: "); print_hex (length, message); printf ("length: %u\n", (unsigned) length); printf ("tag: "); print_hex (16, digest.b); printf ("ref: "); print_hex (16, ref); abort(); } } static void test_fixed (void) { static uint8_t nonce[16] = {0}; static const struct { char *key; char *message; char *digest; } test_cases[] = { {"9959780624f5670ccc9e530738ddd70a", "82785d0bbe75181ea188c1a0d8dd81cf90d1c0f1cfa97912e92ab91bd3357368", "00000000000000000000000000000000"}, {"6c72ea0dc487510934252a01544e9307", "0b6a6a734cb67fe9a548a81f21ec3db398c1ed1a62715e993e67f0a682b75990", "01000000000000000000000000000000"}, {"64447e0bdca48e0a30c5af06ec830008", "1fd9b81b8310bdf6007549d6d06df6d07e37c8a8500edd91874a5657cff1c1ba", "faffffffffffffffffffffffffffffff"}, {"054a840700390c092c422e037825c709", "3faabe212f024da30f8f7064d3dab6f426c5a408de0bec35624b6793a0d4a353", "05000000000000000000000000000000",} }; size_t i; for (i = 0; i < sizeof(test_cases) / sizeof(test_cases[0]); i++) { struct tstring *key = tstring_hex(test_cases[i].key); struct tstring *message = tstring_hex(test_cases[i].message); struct tstring *digest = tstring_hex(test_cases[i].digest); union nettle_block16 out; ASSERT (key->length == 16); ASSERT (digest->length == 16); memset (out.b, 0, sizeof(out.b)); test_poly1305_internal (key->data, message->length, message->data, nonce, digest->data); } } #define COUNT 10000 #define MAX_MESSAGE_SIZE 300 static void test_random(void) { struct knuth_lfib_ctx rand_ctx; unsigned j; knuth_lfib_init (&rand_ctx, 17); for (j = 0; j < COUNT; j++) { uint8_t key[16]; uint8_t nonce[16]; uint8_t message[MAX_MESSAGE_SIZE]; size_t length; union nettle_block16 ref; knuth_lfib_random (&rand_ctx, sizeof(key), key); knuth_lfib_random (&rand_ctx, sizeof(nonce), nonce); knuth_lfib_random (&rand_ctx, sizeof(length), (uint8_t *) &length); length %= MAX_MESSAGE_SIZE + 1; knuth_lfib_random (&rand_ctx, length, message); memcpy (ref.b, nonce, sizeof(ref.b)); ref_poly1305_internal (key, length, message, &ref); test_poly1305_internal (key, length, message, nonce, ref.b); } } void test_main(void) { /* From Bernstein's paper. */ test_poly1305 (SHEX("75deaa25c09f208e1dc4ce6b5cad3fbfa0f3080000f46400d0c7e9076c834403"), SHEX("61ee09218d29b0aaed7e154a2c5509cc"), SHEX(""), SHEX("dd3fab2251f11ac759f0887129cc2ee7")); test_poly1305 (SHEX("ec074c835580741701425b623235add6851fc40c3467ac0be05cc20404f3f700"), SHEX("fb447350c4e868c52ac3275cf9d4327e"), SHEX("f3f6"), SHEX("f4c633c3044fc145f84f335cb81953de")); test_poly1305 (SHEX("6acb5f61a7176dd320c5c1eb2edcdc74" "48443d0bb0d21109c89a100b5ce2c208"), SHEX("ae212a55399729595dea458bc621ff0e"), SHEX("663cea190ffb83d89593f3f476b6bc24" "d7e679107ea26adb8caf6652d0656136"), SHEX("0ee1c16bb73f0f4fd19881753c01cdbe")); test_poly1305 (SHEX("e1a5668a4d5b66a5f68cc5424ed5982d12976a08c4426d0ce8a82407c4f48207"), SHEX("9ae831e743978d3a23527c7128149e3a"), SHEX("ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491" "faf0990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb2109" "5c1bf9"), SHEX("5154ad0d2cb26e01274fc51148491f1b")); test_fixed(); test_random(); } nettle-4.0/testsuite/pss-mgf1-test.c0000644000000000000000000000247415141166425014421 0ustar00#include "testutils.h" #include "pss-mgf1.h" void test_main(void) { struct sha1_ctx sha1ctx; struct sha256_ctx sha256ctx; const struct tstring *seed, *expected; uint8_t mask[120]; /* From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */ seed = SHEX("df1a896f9d8bc816d97cd7a2c43bad54" "6fbe8cfe"); expected = SHEX("66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee" "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd" "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3" "183a311fc89739a96643136e8b0f465e87a4535cd4c59b10028d"); sha1_init(&sha1ctx); sha1_update(&sha1ctx, seed->length, seed->data); pss_mgf1(&sha1ctx, &nettle_sha1, expected->length, mask); ASSERT(MEMEQ (expected->length, mask, expected->data)); /* Test with our own data. */ seed = SDATA("abc"); expected = SHEX("cf2db1ac9867debdf8ce91f99f141e5544bf26ca36b3fd4f8e4035" "eec42cab0d46c386ebccef82ba0bb0b095aaa5548b03cdff695187" "1c6fb505af68af688332f885d324a47d2145a3d8392c37978d7dc9" "84c95728950c4cf3de6becc59e60ea506951bd40e6de3863095064" "3ab2edbb47dc66cb54beb2d1"); sha256_init(&sha256ctx); sha256_update(&sha256ctx, seed->length, seed->data); pss_mgf1(&sha256ctx, &nettle_sha256, expected->length, mask); ASSERT(MEMEQ (expected->length, mask, expected->data)); } nettle-4.0/testsuite/pss-test.c0000644000000000000000000000504315141166425013564 0ustar00#include "testutils.h" #include "pss.h" void test_main(void) { struct tstring *salt; struct tstring *digest; mpz_t m; mpz_t expected; /* From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */ mpz_init(m); mpz_init(expected); salt = SHEX("e3b5d5d002c1bce50c2b65ef88a188d83bce7e61"); digest = SHEX("37b66ae0445843353d47ecb0b4fd14c110e62d6a"); ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha1, salt->length, salt->data, digest->data)); mpz_set_str(expected, "66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee" "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd" "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3" "183a311fc896da1cb39311af37ea4a75e24bdbfd5c1da0de7cecdf" "1a896f9d8bc816d97cd7a2c43bad546fbe8cfebc", 16); ASSERT(mpz_cmp(m, expected) == 0); mpz_add_ui(m, m, 2); ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha1, salt->length, digest->data)); mpz_sub_ui(m, m, 2); ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha1, salt->length, digest->data)); mpz_clear(m); mpz_clear(expected); /* Test with our own data. */ mpz_init(m); mpz_init(expected); salt = SHEX("11223344556677889900"); /* From sha256-test.c */ digest = SHEX("ba7816bf8f01cfea 414140de5dae2223" "b00361a396177a9c b410ff61f20015ad"); mpz_set_str(expected, "76b9a52705c8382c5367732f993184eff340b6305c9f73e7e308c8" "004fcc15cbbaab01e976bae4b774628595379a2d448a36b3ea6fa8" "353b97eeea7bdac93b4b7807ac98cd4b3bebfb31f3718e1dd3625f" "227fbb8696606498e7070e21c3cbbd7386ea20eb81ac7927e0c6d1" "d7788826a63af767f301bcc05dd65b00da862cbc", 16); /* Try bad salt */ salt->data[6] = 0x00; ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha256, salt->length, salt->data, digest->data)); ASSERT(mpz_cmp(m, expected) != 0); /* Try the good salt */ salt->data[6] = 0x77; ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha256, salt->length, salt->data, digest->data)); ASSERT(mpz_cmp(m, expected) == 0); /* Try bad message */ mpz_add_ui(m, m, 2); ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try the good message */ mpz_sub_ui(m, m, 2); ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try bad digest */ digest->data[17] = 0x00; ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try the good digest */ digest->data[17] = 0x03; ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); mpz_clear(m); mpz_clear(expected); } nettle-4.0/testsuite/random-prime-test.c0000644000000000000000000000102015141166425015340 0ustar00#include "testutils.h" #include "knuth-lfib.h" void test_main(void) { struct knuth_lfib_ctx lfib; mpz_t p; unsigned bits; knuth_lfib_init(&lfib, 17); mpz_init(p); for (bits = 6; bits < 1000; bits = bits + 1 + bits/10) { if (verbose) fprintf(stderr, "bits = %d\n", bits); nettle_random_prime(p, bits, 0, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, NULL); ASSERT (mpz_sizeinbase (p, 2) == bits); ASSERT (mpz_probab_prime_p(p, 25)); } mpz_clear(p); } nettle-4.0/testsuite/ripemd160-test.c0000644000000000000000000000215615141166425014470 0ustar00#include "testutils.h" #include "ripemd160.h" void test_main(void) { test_hash(&nettle_ripemd160, SDATA(""), SHEX("9c1185a5c5e9fc54612808977ee8f548b2258d31")); test_hash(&nettle_ripemd160, SDATA("a"), SHEX("0bdc9d2d256b3ee9daae347be6f4dc835a467ffe")); test_hash(&nettle_ripemd160, SDATA("abc"), SHEX("8eb208f7e05d987a9b044a8e98c6b087f15a0bfc")); test_hash(&nettle_ripemd160, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("f71c27109c692c1b56bbdceb5b9d2865b3708dbc")); test_hash(&nettle_ripemd160, SDATA("message digest"), SHEX("5d0689ef49d2fae572b881b123a85ffa21595f36")); test_hash(&nettle_ripemd160, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz0123456789"), SHEX("b0e20b6e3116640286ed3a87a5713079b21f5189")); test_hash(&nettle_ripemd160, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("9b752e45573d4b39f4dbd3323cab82bf63326bfb")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_ripemd160, SDATA("38"), SHEX("6b2d075b1cd34cd1c3e43a995f110c55649dad0e")); } nettle-4.0/testsuite/rsa-compute-root-test.c0000644000000000000000000001050415141166425016175 0ustar00#include "testutils.h" #include #include "rsa.h" #define KEY_COUNT 10 #define COUNT 50 static void random_fn (void *ctx, size_t n, uint8_t *dst) { gmp_randstate_t *rands = (gmp_randstate_t *)ctx; mpz_t r; mpz_init (r); mpz_urandomb (r, *rands, n*8); nettle_mpz_get_str_256 (n, dst, r); mpz_clear (r); } static void test_one (gmp_randstate_t *rands, struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t plaintext) { mpz_t ciphertext; mpz_t decrypted; mpz_init (ciphertext); mpz_init (decrypted); mpz_powm (ciphertext, plaintext, pub->e, pub->n); rsa_compute_root_tr (pub, key, rands, random_fn, decrypted, ciphertext); if (mpz_cmp (plaintext, decrypted)) { fprintf (stderr, "rsa_compute_root_tr failed\n"); fprintf(stderr, "Public key: size=%u\n n:", (unsigned) pub->size); mpz_out_str (stderr, 10, pub->n); fprintf(stderr, "\n e:"); mpz_out_str (stderr, 10, pub->e); fprintf(stderr, "\nPrivate key: size=%u\n p:", (unsigned) key->size); mpz_out_str (stderr, 10, key->p); fprintf(stderr, "\n q:"); mpz_out_str (stderr, 10, key->q); fprintf(stderr, "\n a:"); mpz_out_str (stderr, 10, key->a); fprintf(stderr, "\n b:"); mpz_out_str (stderr, 10, key->b); fprintf(stderr, "\n c:"); mpz_out_str (stderr, 10, key->c); fprintf(stderr, "\n d:"); mpz_out_str (stderr, 10, key->d); fprintf(stderr, "\n"); fprintf (stderr, "plaintext(%u) = ", (unsigned) mpz_sizeinbase (plaintext, 2)); mpz_out_str (stderr, 10, plaintext); fprintf (stderr, "\n"); fprintf (stderr, "ciphertext(%u) = ", (unsigned) mpz_sizeinbase (ciphertext, 2)); mpz_out_str (stderr, 10, ciphertext); fprintf (stderr, "\n"); fprintf (stderr, "decrypted(%u) = ", (unsigned) mpz_sizeinbase (decrypted, 2)); mpz_out_str (stderr, 10, decrypted); fprintf (stderr, "\n"); abort(); } mpz_clear (ciphertext); mpz_clear (decrypted); } #if !NETTLE_USE_MINI_GMP /* We want to generate keypairs that are not "standard" but have more size * variance between q and p. */ static void generate_keypair (gmp_randstate_t rands, struct rsa_public_key *pub, struct rsa_private_key *key) { unsigned long int psize; unsigned long int qsize; mpz_t p1; mpz_t q1; mpz_t phi; mpz_t tmp; int res; mpz_init (p1); mpz_init (q1); mpz_init (phi); mpz_init (tmp); psize = 100 + gmp_urandomm_ui (rands, 400); qsize = 100 + gmp_urandomm_ui (rands, 400); mpz_set_ui (pub->e, 65537); for (;;) { for (;;) { mpz_rrandomb (key->p, rands, psize); mpz_nextprime (key->p, key->p); mpz_sub_ui (p1, key->p, 1); mpz_gcd (tmp, pub->e, p1); if (mpz_cmp_ui (tmp, 1) == 0) break; } for (;;) { mpz_rrandomb (key->q, rands, qsize); mpz_nextprime (key->q, key->q); mpz_sub_ui (q1, key->q, 1); mpz_gcd (tmp, pub->e, q1); if (mpz_cmp_ui (tmp, 1) == 0) break; } if (mpz_invert (key->c, key->q, key->p)) break; } mpz_mul(phi, p1, q1); res = mpz_invert(key->d, pub->e, phi); assert (res); mpz_fdiv_r (key->a, key->d, p1); mpz_fdiv_r (key->b, key->d, q1); mpz_mul (pub->n, key->p, key->q); pub->size = key->size = mpz_size(pub->n) * sizeof(mp_limb_t); mpz_clear (tmp); mpz_clear (phi); mpz_clear (q1); mpz_clear (p1); } #endif void test_main (void) { gmp_randstate_t rands; struct rsa_public_key pub; struct rsa_private_key key; mpz_t plaintext; unsigned i, j; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init (plaintext); gmp_randinit_default (rands); test_randomize(rands); for (j = 0; j < KEY_COUNT; j++) { #if !NETTLE_USE_MINI_GMP generate_keypair(rands, &pub, &key); #else rsa_generate_keypair(&pub, &key, &rands, random_fn, NULL, NULL, 512, 16); #endif /* !NETTLE_USE_MINI_GMP */ for (i = 0; i < COUNT; i++) { mpz_urandomb(plaintext, rands, mpz_sizeinbase(pub.n, 2) - 1); test_one(&rands, &pub, &key, plaintext); } for (i = 0; i < COUNT; i++) { mpz_rrandomb(plaintext, rands, mpz_sizeinbase(pub.n, 2) - 1); test_one(&rands, &pub, &key, plaintext); } } mpz_clear (plaintext); rsa_public_key_clear (&pub); rsa_private_key_clear (&key); gmp_randclear (rands); } nettle-4.0/testsuite/rsa-encrypt-test.c0000644000000000000000000001150515141166425015226 0ustar00#include "testutils.h" #include "rsa.h" #include "knuth-lfib.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; /* FIXME: How is this spelled? */ const unsigned char msg[] = "Squemish ossifrage"; size_t msg_length = LLENGTH(msg); uint8_t *decrypted; size_t decrypted_length; uint8_t after; mpz_t gibberish; mpz_t bad_input; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init(gibberish); mpz_init(bad_input); knuth_lfib_init(&lfib, 17); test_rsa_set_key_1(&pub, &key); if (verbose) fprintf(stderr, "msg: `%s', length = %d\n", msg, (int) msg_length); ASSERT(msg_length <= key.size); ASSERT(rsa_encrypt(&pub, &lfib, (nettle_random_func *) knuth_lfib_random, msg_length, msg, gibberish)); if (verbose) { fprintf(stderr, "encrypted: "); mpz_out_str(stderr, 10, gibberish); } decrypted = xalloc(key.size + 1); knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length - 1; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); decrypted_length = msg_length; ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); knuth_lfib_random (&lfib, key.size + 1, decrypted); after = decrypted[key.size]; decrypted_length = key.size; ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[key.size] == after); knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length; ASSERT(rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); /* test side channel resistant variant */ knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length; ASSERT(rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, gibberish)); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); /* test invalid length to rsa_sec_decrypt */ knuth_lfib_random (&lfib, msg_length + 1, decrypted); decrypted_length = msg_length - 1; after = decrypted[decrypted_length] = 'X'; decrypted[0] = 'A'; ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, gibberish)); ASSERT(decrypted[decrypted_length] == after); ASSERT(decrypted[0] == 'A'); /* Test zero input. */ mpz_set_ui (bad_input, 0); decrypted_length = msg_length; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, bad_input)); ASSERT(decrypted_length == msg_length); /* Test input that is slightly larger than n */ mpz_add(bad_input, gibberish, pub.n); decrypted_length = msg_length; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, bad_input)); ASSERT(decrypted_length == msg_length); /* Test input that is considerably larger than n */ mpz_mul_2exp (bad_input, pub.n, 100); mpz_add (bad_input, bad_input, gibberish); decrypted_length = msg_length; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, bad_input)); ASSERT(decrypted_length == msg_length); /* Test invalid key. */ mpz_add_ui (key.q, key.q, 2); decrypted_length = key.size; ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, gibberish)); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); mpz_clear(bad_input); free(decrypted); } nettle-4.0/testsuite/rsa-keygen-test.c0000644000000000000000000000420715141166425015025 0ustar00#include "testutils.h" #include "knuth-lfib.h" static void progress(void *ctx UNUSED, int c) { fputc(c, stderr); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); /* Generate a 1024 bit key with random e */ knuth_lfib_init(&lfib, 13); ASSERT (rsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 50)); test_rsa_key(&pub, &key); mpz_set_str(expected, "31ee088024b66f28" "e182fa07e60f7864" "636eea21cf74c804" "02a9c29ebd00933d" "8fae3ddf029d18e0" "1b5498c70a4b68fd" "d3135748424e8caf" "43ee86068f250c92" "8da001d09f68c433" "96f2c2a42eaed7e5" "8934a052faa38b2c" "f2ac04cc91bd0d15" "4f60b16dc9045b08" "2ea1372717fd7f9c" "1e9cc383b7d5b909" "72e3126df060ef79" , 16); test_rsa_md5(&pub, &key, expected); /* Generate a 2000 bit key with fixed e */ knuth_lfib_init(&lfib, 17); mpz_set_ui(pub.e, 17); ASSERT (rsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2000, 0)); test_rsa_key(&pub, &key); mpz_set_str(expected, "892ef7cda3b0b501" "85de20b93340316e" "b35ac9c193f1f5a3" "9e6c1c327b9c36b8" "d4f1d41653b48fbd" "0c49e48bbdc46ced" "13b3f6426e8a1780" "55b9077ba59ce748" "a325563c3b4bdf78" "acdcdd556f5de3cf" "70257c3b334ba360" "5625ebda869c8058" "b95b40c1e75eb91b" "776e83c0224757c6" "b61266cb1739df1a" "c7fcc09194c575b5" "af4f3eb8e3aa3900" "22b72fb6e950c355" "88743bab32c3a214" "ea5865e2f5c41d67" "12e745496890fc9d" "7944a759f39d7b57" "e365d8d3f6ac2dd4" "052b6a2e58a6af82" "b0d67e7fe09045d9" "bc965e260cf3c9a9" "3bfaa09bdd076dc2" "c0ab48ce5b67105c" "cad90dcfc11cd713" "e64478d2d7ea42dd" "fd040793c487588d" "6218" , 16); test_rsa_sha1(&pub, &key, expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-4.0/testsuite/rsa-oaep-encrypt-test.c0000644000000000000000000004303515141166425016153 0ustar00#include "testutils.h" #include "knuth-lfib.h" #include "nettle-meta.h" #include "rsa-internal.h" #include "sha1.h" #define MARK_MPZ_LIMBS_UNDEFINED(x) \ mark_bytes_undefined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) #define MARK_MPZ_LIMBS_DEFINED(x) \ mark_bytes_defined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) typedef int (*test_rsa_oaep_encrypt_func) (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext); typedef int (*test_rsa_oaep_decrypt_func) (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); static int rsa_decrypt_for_test(test_rsa_oaep_decrypt_func decrypt_func, const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { int ret; /* Makes valgrind trigger on any branches depending on the input data. Except that (i) we have to allow rsa_sec_compute_root_tr to check that p and q are odd, (ii) mpn_sec_div_r may leak information about the most significant bits of p and q, due to normalization check and table lookup in invert_limb, and (iii) mpn_sec_powm may leak information about the least significant bits of p and q, due to table lookup in binvert_limb. */ mark_bytes_undefined (*length, message); MARK_MPZ_LIMBS_UNDEFINED(key->a); MARK_MPZ_LIMBS_UNDEFINED(key->b); MARK_MPZ_LIMBS_UNDEFINED(key->c); mark_bytes_undefined ((mpz_size (key->p) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->p) + 1); mark_bytes_undefined((mpz_size (key->q) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->q) + 1); ret = decrypt_func (pub, key, random_ctx, random, label_length, label, length, message, ciphertext); mark_bytes_defined (sizeof(*length), length); mark_bytes_defined (*length, message); mark_bytes_defined (sizeof(ret), &ret); MARK_MPZ_LIMBS_DEFINED(key->a); MARK_MPZ_LIMBS_DEFINED(key->b); MARK_MPZ_LIMBS_DEFINED(key->c); MARK_MPZ_LIMBS_DEFINED(key->p); MARK_MPZ_LIMBS_DEFINED(key->q); return ret; } static void test_rsa_oaep_encrypt_decrypt (struct rsa_public_key *pub, struct rsa_private_key *key, test_rsa_oaep_encrypt_func encrypt_func, test_rsa_oaep_decrypt_func decrypt_func, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message) { uint8_t *ciphertext; uint8_t *decrypted; size_t decrypted_length; uint8_t after; struct knuth_lfib_ctx lfib; knuth_lfib_init(&lfib, 1111); ciphertext = xalloc (key->size + 1); knuth_lfib_random (&lfib, key->size + 1, ciphertext); after = ciphertext[key->size]; ASSERT (encrypt_func (pub, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, length, message, ciphertext)); ASSERT (ciphertext[key->size] == after); if (verbose) { fprintf (stderr, "encrypted: "); print_hex (key->size, ciphertext); fprintf (stderr, "\n"); } decrypted = xalloc (length + 1); knuth_lfib_random (&lfib, length + 1, decrypted); after = decrypted[length]; /* Test short buffer */ decrypted_length = length - 1; ASSERT (!rsa_decrypt_for_test (decrypt_func, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, &decrypted_length, decrypted, ciphertext)); decrypted_length = length; ASSERT (rsa_decrypt_for_test (decrypt_func, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, &decrypted_length, decrypted, ciphertext)); ASSERT (decrypted_length == length); ASSERT (MEMEQ (length, message, decrypted)); ASSERT (decrypted[length] == after); free (decrypted); free (ciphertext); } static void test_encrypt_decrypt (void) { struct rsa_public_key pub; struct rsa_private_key key; const unsigned char msg[] = "Squemish ossifrage"; size_t msg_length = LLENGTH(msg); const unsigned char label[] = "This is a magic label"; size_t label_length = LLENGTH(label); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_2(&pub, &key); /* Test without label */ test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha256_encrypt, rsa_oaep_sha256_decrypt, 0, NULL, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha384_encrypt, rsa_oaep_sha384_decrypt, 0, NULL, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha512_encrypt, rsa_oaep_sha512_decrypt, 0, NULL, msg_length, msg); /* Test with label */ test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha256_encrypt, rsa_oaep_sha256_decrypt, label_length, label, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha384_encrypt, rsa_oaep_sha384_decrypt, label_length, label, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha512_encrypt, rsa_oaep_sha512_decrypt, label_length, label, msg_length, msg); rsa_public_key_clear (&pub); rsa_private_key_clear (&key); } static int rsa_oaep_sha1_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha1_ctx ctx; sha1_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha1, label_length, label, length, message, ciphertext); } static int rsa_oaep_sha1_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha1_ctx ctx; sha1_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha1, label_length, label, length, message, ciphertext); } static void random_from_seed (struct tstring *seed, size_t n, uint8_t *dst) { ASSERT (n <= seed->length); memcpy (dst, seed->data, n); } static void test_rsa_oaep_encrypt_decrypt_kat (struct rsa_public_key *pub, struct rsa_private_key *key, test_rsa_oaep_encrypt_func encrypt_func, test_rsa_oaep_decrypt_func decrypt_func, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, const uint8_t *expected) { uint8_t *ciphertext; uint8_t *decrypted; size_t decrypted_length; uint8_t after; /* For blinding at decryption */ struct knuth_lfib_ctx lfib; knuth_lfib_init(&lfib, 1111); ciphertext = xalloc (key->size + 1); knuth_lfib_random (&lfib, key->size + 1, ciphertext); after = ciphertext[key->size]; ASSERT (encrypt_func (pub, random_ctx, random, label_length, label, length, message, ciphertext)); ASSERT (MEMEQ (key->size, ciphertext, expected)); ASSERT (ciphertext[key->size] == after); decrypted = xalloc (length + 1); knuth_lfib_random (&lfib, length + 1, decrypted); after = decrypted[length]; decrypted_length = length; ASSERT (rsa_decrypt_for_test (decrypt_func, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, &decrypted_length, decrypted, ciphertext)); ASSERT (decrypted_length == length); ASSERT (MEMEQ (length, message, decrypted)); ASSERT (decrypted[length] == after); free (decrypted); free (ciphertext); } /* The below are known answer tests constructed using the draft * version of PKCS #1 2.1 test vectors from RSA Laboratories: * * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip * * While the original zip file is no longer accessible, a copy is * kept in the python-cryptography repository, under the following license: * https://github.com/pyca/cryptography/tree/49bf4e408cd2f93276687f451dd28982e5d501e0/vectors/cryptography_vectors/asymmetric/RSA/pkcs-1v2-1d2-vec */ /* * Copyright (c) Individual contributors. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of PyCA Cryptography nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ static void test_rsa_oaep_set_key(struct rsa_public_key *pub, struct rsa_private_key *key) { mpz_set_str(pub->n, "a8b3b284af8eb50b" "387034a860f146c4" "919f318763cd6c55" "98c8ae4811a1e0ab" "c4c7e0b082d693a5" "e7fced675cf46685" "12772c0cbc64a742" "c6c630f533c8cc72" "f62ae833c40bf258" "42e984bb78bdbf97" "c0107d55bdb662f5" "c4e0fab9845cb514" "8ef7392dd3aaff93" "ae1e6b667bb3d424" "7616d4f5ba10d4cf" "d226de88d39f16fb", 16); mpz_set_str(pub->e, "010001", 16); ASSERT (rsa_public_key_prepare(pub)); /* d is not used */ #if 0 mpz_set_str(key->d, "53339cfdb79fc846" "6a655c7316aca85c" "55fd8f6dd898fdaf" "119517ef4f52e8fd" "8e258df93fee180f" "a0e4ab29693cd83b" "152a553d4ac4d181" "2b8b9fa5af0e7f55" "fe7304df41570926" "f3311f15c4d65a73" "2c483116ee3d3d2d" "0af3549ad9bf7cbf" "b78ad884f84d5beb" "04724dc7369b31de" "f37d0cf539e9cfcd" "d3de653729ead5d1" , 16); #endif mpz_set_str(key->p, "d32737e7267ffe13" "41b2d5c0d150a81b" "586fb3132bed2f8d" "5262864a9cb9f30a" "f38be448598d413a" "172efb802c21acf1" "c11c520c2f26a471" "dcad212eac7ca39d", 16); mpz_set_str(key->q, "cc8853d1d54da630" "fac004f471f281c7" "b8982d8224a490ed" "beb33d3e3d5cc93c" "4765703d1dd79164" "2f1f116a0dd852be" "2419b2af72bfe9a0" "30e860b0288b5d77", 16); mpz_set_str(key->a, "0e12bf1718e9cef5" "599ba1c3882fe804" "6a90874eefce8f2c" "cc20e4f2741fb0a3" "3a3848aec9c9305f" "becbd2d76819967d" "4671acc6431e4037" "968db37878e695c1", 16); mpz_set_str(key->b, "95297b0f95a2fa67" "d00707d609dfd4fc" "05c89dafc2ef6d6e" "a55bec771ea33373" "4d9251e79082ecda" "866efef13c459e1a" "631386b7e354c899" "f5f112ca85d71583", 16); mpz_set_str(key->c, "4f456c502493bdc0" "ed2ab756a3a6ed4d" "67352a697d4216e9" "3212b127a63d5411" "ce6fa98d5dbefd73" "263e372814274381" "8166ed7dd63687dd" "2a8ca1d2f4fbd8e1", 16); ASSERT (rsa_private_key_prepare(key)); ASSERT (pub->size == key->size); } static void test_encrypt (void) { struct rsa_public_key pub; struct rsa_private_key key; struct tstring *seed; struct tstring *msg; struct tstring *ciphertext; rsa_private_key_init(&key); rsa_public_key_init(&pub); /* Test vector from RSA labs */ test_rsa_oaep_set_key(&pub, &key); /* Example 1.1 */ msg = tstring_hex ("6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34"); seed = tstring_hex ("18b776ea21069d69776a33e96bad48e1dda0a5ef"); ciphertext = tstring_hex ("354fe67b4a126d5d" "35fe36c777791a3f" "7ba13def484e2d39" "08aff722fad468fb" "21696de95d0be911" "c2d3174f8afcc201" "035f7b6d8e69402d" "e5451618c21a535f" "a9d7bfc5b8dd9fc2" "43f8cf927db31322" "d6e881eaa91a9961" "70e657a05a266426" "d98c88003f8477c1" "227094a0d9fa1e8c" "4024309ce1ecccb5" "210035d47ac72e8a"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.2 */ msg = tstring_hex ("750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5"); seed = tstring_hex ("0cc742ce4a9b7f32f951bcb251efd925fe4fe35f"); ciphertext = tstring_hex ("640db1acc58e0568" "fe5407e5f9b701df" "f8c3c91e716c536f" "c7fcec6cb5b71c11" "65988d4a279e1577" "d730fc7a29932e3f" "00c81515236d8d8e" "31017a7a09df4352" "d904cdeb79aa583a" "dcc31ea698a4c052" "83daba9089be5491" "f67c1a4ee48dc74b" "bbe6643aef846679" "b4cb395a352d5ed1" "15912df696ffe070" "2932946d71492b44"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.3 */ msg = tstring_hex ("d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051"); seed = tstring_hex ("2514df4695755a67b288eaf4905c36eec66fd2fd"); ciphertext = tstring_hex ("423736ed035f6026" "af276c35c0b3741b" "365e5f76ca091b4e" "8c29e2f0befee603" "595aa8322d602d2e" "625e95eb81b2f1c9" "724e822eca76db86" "18cf09c5343503a4" "360835b5903bc637" "e3879fb05e0ef326" "85d5aec5067cd7cc" "96fe4b2670b6eac3" "066b1fcf5686b685" "89aafb7d629b02d8" "f8625ca3833624d4" "800fb081b1cf94eb"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.4 */ msg = tstring_hex ("52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85"); seed = tstring_hex ("c4435a3e1a18a68b6820436290a37cefb85db3fb"); ciphertext = tstring_hex ("45ead4ca551e662c" "9800f1aca8283b05" "25e6abae30be4b4a" "ba762fa40fd3d38e" "22abefc69794f6eb" "bbc05ddbb1121624" "7d2f412fd0fba87c" "6e3acd888813646f" "d0e48e785204f9c3" "f73d6d8239562722" "dddd8771fec48b83" "a31ee6f592c4cfd4" "bc88174f3b13a112" "aae3b9f7b80e0fc6" "f7255ba880dc7d80" "21e22ad6a85f0755"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.5 */ msg = tstring_hex ("8da89fd9e5f974a29feffb462b49180f6cf9e802"); seed = tstring_hex ("b318c42df3be0f83fea823f5a7b47ed5e425a3b5"); ciphertext = tstring_hex ("36f6e34d94a8d34d" "aacba33a2139d00a" "d85a9345a86051e7" "3071620056b920e2" "19005855a213a0f2" "3897cdcd731b4525" "7c777fe908202bef" "dd0b58386b1244ea" "0cf539a05d5d1032" "9da44e13030fd760" "dcd644cfef2094d1" "910d3f433e1c7c6d" "d18bc1f2df7f643d" "662fb9dd37ead905" "9190f4fa66ca39e8" "69c4eb449cbdc439"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.6 */ msg = tstring_hex ("26521050844271"); seed = tstring_hex ("e4ec0982c2336f3a677f6a356174eb0ce887abc2"); ciphertext = tstring_hex ("42cee2617b1ecea4" "db3f4829386fbd61" "dafbf038e180d837" "c96366df24c097b4" "ab0fac6bdf590d82" "1c9f10642e681ad0" "5b8d78b378c0f46c" "e2fad63f74e0ad3d" "f06b075d7eb5f563" "6f8d403b9059ca76" "1b5c62bb52aa4500" "2ea70baace08ded2" "43b9d8cbd62a68ad" "e265832b56564e43" "a6fa42ed199a0997" "69742df1539e8255"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); rsa_public_key_clear (&pub); rsa_private_key_clear (&key); } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif test_encrypt_decrypt (); test_encrypt (); } nettle-4.0/testsuite/rsa-pss-sign-tr-test.c0000644000000000000000000003024615141166425015733 0ustar00#include "testutils.h" #include "knuth-lfib.h" #include "nettle-internal.h" #define SALT "This is a magic salt" #define MSG1 "None so blind as those who will not see" #define MSG2 "Fortune knocks once at every man's door" typedef int (*test_pss_sign_tr_func) (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); typedef int (*test_pss_verify_func) (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); static void test_rsa_pss_sign_tr(struct rsa_public_key *pub, struct rsa_private_key *key, test_pss_sign_tr_func sign_tr_func, test_pss_verify_func verify_func, void *ctx, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, size_t length, const uint8_t *message, mpz_t expected) { mpz_t signature; struct knuth_lfib_ctx lfib; uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE]; uint8_t bad_digest[NETTLE_MAX_HASH_DIGEST_SIZE]; knuth_lfib_init(&lfib, 1111); hash->init(ctx); hash->update(ctx, length, message); hash->digest(ctx, digest); mpz_init(signature); mpz_set_ui (signature, 17); /* Try bad private key */ mpz_add_ui(key->p, key->p, 2); ASSERT(!sign_tr_func(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, salt_length, salt, digest, signature)); mpz_sub_ui(key->p, key->p, 2); ASSERT(!mpz_cmp_ui(signature, 17)); /* Try the good private key */ ASSERT(sign_tr_func(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, salt_length, salt, digest, signature)); if (verbose) { fprintf(stderr, "rsa-pss-tr signature: "); mpz_out_str(stderr, 16, signature); fprintf(stderr, "\nrsa-pss-tr expected: "); mpz_out_str(stderr, 16, expected); fprintf(stderr, "\n"); } ASSERT (mpz_cmp(signature, expected) == 0); /* Try bad digest */ memset(bad_digest, 0x17, sizeof(bad_digest)); ASSERT (!verify_func(pub, salt_length, bad_digest, signature)); /* Try the good digest */ ASSERT (verify_func(pub, salt_length, digest, signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!verify_func(pub, salt_length, digest, signature)); mpz_clear(signature); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct sha256_ctx sha256ctx; struct sha384_ctx sha384ctx; struct sha512_ctx sha512ctx; mpz_t p1; mpz_t q1; struct tstring *salt; struct tstring *msg; mpz_t expected; mpz_init(expected); mpz_init(p1); mpz_init(q1); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test signatures */ mpz_set_str(expected, "25e6ce0cc00e917e177a09cb4dfd843d104c179b71aded60e68ebc" "ca2cabb1e51502adf28e53fa7ede42619f21a1162755b9658edf88" "a038bb4fea2bb73306fb384d5785c1a8c98a255277c91a4f88ddd3" "52ebdc78f71f7e62b7a870dac4ab25f1004453457e831a1572f7c9" "23fcc48e3b69db582127d14471c7195dce", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG1), expected); mpz_set_str(expected, "52f4393ccc92b5672dd3cfd8624765d3a4cdb50c7a92060c33b4663" "fa545b32ce56ec8cd44fe9720df301906ae40921e844b6d80331194" "972f98e309c937c887c53da940778f29d52dd9489e6016a07e9aa16" "b1ea8fefc0860ad69068ad6f94a4b0c8fc8a0797b08c58cf4a8df90" "ee1375feedf7bf73f16ebb2d1cc7e4", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG2), expected); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test signatures */ mpz_set_str(expected, "1a4d28331341cabf7ac85bc59a58d439b7ec2c607c6a74e35b5909" "1dfa3d9de9fde93e4a431f0f768bec07c39995d253209f86e3dc84" "037ecd5d23d963fab4fa8a001e018d82cb19d743a94ba7dc7a821e" "87b72e67a0fe058f956208f7060dc104", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG1), expected); /* From FIPS 186-2 */ mpz_set_str(pub.n, "be499b5e7f06c83f" "a0293e31465c8eb6" "b58af920bae52a7b" "5b9bfeb7aa72db12" "64112eb3fd431d31" "a2a7e50941566929" "494a0e891ed56139" "18b4b51b0d1fb977" "83b26acf7d0f384c" "fb35f4d2824f5dd3" "80623a26bf180b63" "961c619dcdb20cae" "406f22f6e276c80a" "37259490cfeb72c1" "a71a84f1846d3308" "77ba3e3101ec9c7b" , 16); mpz_set_str(pub.e, "11", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "e7a80c5d211c06ac" "b900939495f26d36" "5fc2b4825b75e356" "f89003eaa5931e6b" "e5c3f7e6a633ad59" "db6289d06c354c23" "5e739a1e3f3d39fb" "40d1ffb9cb44288f", 16); mpz_set_str(key.q, "d248aa248000f720" "258742da67b71194" "0c8f76e1ecd52b67" "a6ffe1e49354d66f" "f84fa601804743f5" "838da2ed4693a5a2" "8658d6528cc1803b" "f6c8dc73c5230b55", 16); mpz_set_str(key.d, "0d0f17362bdad181" "db4e1fe03e8de1a3" "208989914e14bf26" "9558826bfa20faf4" "b68dba6bb989a01f" "03a21c44665dc5f6" "48cb5b59b954eb10" "77a80263bd22cdfb" "88d39164b7404f4f" "1106ee01cf60b776" "95748d8fdaf9fd42" "8963fe75144010b1" "934c8e26a8823967" "2cf49b3422a07c4d" "834ba208d570fe40" "8e7095c90547e68d", 16); /* a = d % (p-1) */ mpz_sub_ui(p1, key.p, 1); mpz_fdiv_r(key.a, key.d, p1); mpz_clear(p1); /* b = d % (q-1) */ mpz_sub_ui(q1, key.q, 1); mpz_fdiv_r(key.b, key.d, q1); mpz_clear(q1); /* c = q^{-1} (mod p) */ mpz_invert(key.c, key.q, key.p); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); mpz_set_str(expected, "11e169f2fd40b07641b9768a2ab19965fb6c27f10fcf0323fcc6d1" "2eb4f1c06b330ddaa1ea504407afa29de9ebe0374fe9d1e7d0ffbd" "5fc1cf3a3446e4145415d2ab24f789b3464c5c43a256bbc1d692cf" "7f04801dac5bb401a4a03ab7d5728a860c19e1a4dc797ca542c820" "3cec2e601eb0c51f567f2eda022b0b9ebddeeefa", 16); salt = SHEX("11223344555432167890"); msg = SHEX("c7f5270fca725f9bd19f519a8d7cca3cc5c079024029f3bae510f9" "b02140fe238908e4f6c18f07a89c687c8684669b1f1db2baf9251a" "3c829faccb493084e16ec9e28d58868074a5d6221667dd6e528d16" "fe2c9f3db4cfaf6c4dce8c8439af38ceaaaa9ce2ecae7bc8f4a5a5" "5e3bf96df9cd575c4f9cb327951b8cdfe4087168"); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, salt->length, salt->data, msg->length, msg->data, expected); mpz_set_str(expected, "b281ad934b2775c0cba5fb10aa574d2ed85c7f99b942b78e497024" "80069362ed394baded55e56cfcbe7b0b8d2217a05a60e1acd725cb" "09060dfac585bc2132b99b41cdbd530c69d17cdbc84bc6b9830fc7" "dc8e1b2412cfe06dcf8c1a0cc3453f93f25ebf10cb0c90334fac57" "3f449138616e1a194c67f44efac34cc07a526267", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha384_sign_digest_tr, rsa_pss_sha384_verify_digest, &sha384ctx, &nettle_sha384, salt->length, salt->data, msg->length, msg->data, expected); mpz_set_str(expected, "8ffc38f9b820ef6b080fd2ec7de5626c658d79056f3edf610a295b" "7b0546f73e01ffdf4d0070ebf79c33fd86c2d608be9438b3d420d0" "9535b97cd3d846ecaf8f6551cdf93197e9f8fb048044473ab41a80" "1e9f7fc983c62b324361dade9f71a65952bd35c59faaa4d6ff462f" "68a6c4ec0b428aa47336f2178aeb276136563b7d", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha512_sign_digest_tr, rsa_pss_sha512_verify_digest, &sha512ctx, &nettle_sha512, salt->length, salt->data, msg->length, msg->data, expected); /* The public key n for this test is of size k = 1017 bits, and the pss "em" value is limited to k - 1 = 1016 bits or 127 octets. The alleged signature below results in a 1017 bit number during the signature verification, which is too large, and used to result in an assertion failure when attempting to convert the number to a 127 octet string. */ mpz_set_str(pub.n, "1d64559685aad3490e976b48aacf442ecee847268f882341eafe78" "a0ca4ef88f66edbaf55b70e5285cc117aa9ceb322a4227c17e9e89" "27bf38e5672faecf79e2983d92766fbb6624522f072ae0e4e46d37" "052ce1e5745c2dd8fd67de3862e4711161e359b96bda85911ebf4e" "6ce1bea625970269c77004a3cb03f9c382c5f79", 16); mpz_set_str(pub.e, "10001", 16); ASSERT (rsa_public_key_prepare(&pub)); msg = SHEX("7f85e4909ff7bb29536e540a53031ef03ddcb129e553a43273fa1f" "ed28c22a8b57c7bde101ff746f335ba69b29642019"); /* Alleged signature, resulting in a too large m. */ mpz_set_str(expected, "000000000000000000000000000000000000000000000000000000" "000000000000000000000000000000000000000000000005ffff05" "000000000000000000000000000000000000000000000000000000" "000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000", 16); ASSERT(!rsa_pss_sha384_verify_digest(&pub, 48, msg->data, expected)); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-4.0/testsuite/rsa-sec-decrypt-test.c0000644000000000000000000001050015141166425015756 0ustar00#include "testutils.h" #include "rsa.h" #include "knuth-lfib.h" #define MARK_MPZ_LIMBS_UNDEFINED(x) \ mark_bytes_undefined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) #define MARK_MPZ_LIMBS_DEFINED(x) \ mark_bytes_defined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) static int rsa_decrypt_for_test(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish) { int ret; /* Makes valgrind trigger on any branches depending on the input data. Except that (i) we have to allow rsa_sec_compute_root_tr to check that p and q are odd, (ii) mpn_sec_div_r may leak information about the most significant bits of p and q, due to normalization check and table lookup in invert_limb, and (iii) mpn_sec_powm may leak information about the least significant bits of p and q, due to table lookup in binvert_limb. */ mark_bytes_undefined (length, message); MARK_MPZ_LIMBS_UNDEFINED(key->a); MARK_MPZ_LIMBS_UNDEFINED(key->b); MARK_MPZ_LIMBS_UNDEFINED(key->c); mark_bytes_undefined ((mpz_size (key->p) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->p) + 1); mark_bytes_undefined((mpz_size (key->q) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->q) + 1); ret = rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish); mark_bytes_defined (length, message); mark_bytes_defined (sizeof(ret), &ret); MARK_MPZ_LIMBS_DEFINED(key->a); MARK_MPZ_LIMBS_DEFINED(key->b); MARK_MPZ_LIMBS_DEFINED(key->c); MARK_MPZ_LIMBS_DEFINED(key->p); MARK_MPZ_LIMBS_DEFINED(key->q); return ret; } #define PAYLOAD_SIZE 50 #define DECRYPTED_SIZE 256 void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx random_ctx; uint8_t plaintext[PAYLOAD_SIZE]; uint8_t decrypted[DECRYPTED_SIZE]; uint8_t verifybad[PAYLOAD_SIZE]; unsigned n_size = 1024; mpz_t gibberish; mpz_t garbage; unsigned count; #if NETTLE_USE_MINI_GMP if (test_side_channel) SKIP(); #endif rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init(gibberish); mpz_init(garbage); knuth_lfib_init (&random_ctx, 19); memset(verifybad, 'A', PAYLOAD_SIZE); for (count = 1; count < 20; count++) { ASSERT (rsa_generate_keypair(&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, NULL, NULL, n_size, 17)); /* the next key will be 19 bits larger */ n_size += 19; knuth_lfib_random (&random_ctx, PAYLOAD_SIZE, plaintext); ASSERT(rsa_encrypt(&pub, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, plaintext, gibberish)); /* good decryption */ ASSERT (rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, decrypted, gibberish) == 1); ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted)); ASSERT (pub.size > 10); ASSERT (pub.size <= DECRYPTED_SIZE); /* Check that too large message length is rejected, largest valid size is pub.size - 11. */ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, pub.size - 10, decrypted, gibberish)); /* This case used to result in arithmetic underflow and a crash. */ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, pub.size, decrypted, gibberish)); /* bad one */ memcpy(decrypted, verifybad, PAYLOAD_SIZE); nettle_mpz_random_size(garbage, &random_ctx, (nettle_random_func *) knuth_lfib_random, mpz_sizeinbase(gibberish, 2)); ASSERT (rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, decrypted, garbage) == 0); ASSERT (MEMEQ (PAYLOAD_SIZE, verifybad, decrypted)); } rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); mpz_clear(garbage); } nettle-4.0/testsuite/rsa-sign-tr-test.c0000644000000000000000000001410215141166425015121 0ustar00#include "testutils.h" #include "knuth-lfib.h" #define MSG1 "None so blind as those who will not see" #define MSG2 "Fortune knocks once at every man's door" static void test_rsa_sign_tr(struct rsa_public_key *pub, struct rsa_private_key *key, unsigned di_length, const uint8_t *di, mpz_t expected) { mpz_t signature; struct knuth_lfib_ctx lfib; knuth_lfib_init(&lfib, 1111); mpz_init(signature); mpz_set_ui (signature, 17); /* Try bad private key */ mpz_add_ui(key->p, key->p, 2); ASSERT(!rsa_pkcs1_sign_tr(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, di_length, di, signature)); mpz_sub_ui(key->p, key->p, 2); ASSERT(!mpz_cmp_ui(signature, 17)); /* Try the good private key */ ASSERT(rsa_pkcs1_sign_tr(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, di_length, di, signature)); if (verbose) { fprintf(stderr, "rsa-pkcs1-tr signature: "); mpz_out_str(stderr, 16, signature); fprintf(stderr, "\nrsa-pkcs1-tr expected: "); mpz_out_str(stderr, 16, expected); fprintf(stderr, "\n"); } ASSERT (mpz_cmp(signature, expected) == 0); /* Try bad data */ ASSERT (!rsa_pkcs1_verify(pub, 16, (void*)"The magick words", signature)); /* Try correct data */ ASSERT (rsa_pkcs1_verify(pub, di_length, di, signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!rsa_pkcs1_verify(pub, di_length, di, signature)); mpz_clear(signature); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test signatures */ mpz_set_str(expected, "23bd361a622bc35450a30ae332d8dad050c6bad5cae0b61c5bee29" "db876d7fe098472fc7933f2cc1121c0fc8a414c71a98189c66077b" "fe3d58d08dc242bbcfdf2c905b91de0e479a8b4b159a45fe1789db" "abdaf88aa704e7558f24f5a0be382619758061cde89e9c730ac6db" "ef005bfad5a936633e3dfccc37b2214e2", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); mpz_set_str(expected, "15bd817f53501f8eb6693283004546ba14f19dd4da742b1e30a7b2" "1db309cd3f36f821f565d31c1ed2df8b6648dd8bdb218f841f5506" "a437825999aaf3ef77dff9a1fc7631ce0e99f851f4166ae67caed9" "820a764e44274a898ddd72f4c7115ba49d332f4fa929ee6dce4d61" "39fef8d8d25d4c9ff857689846e5cac26d", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test signatures */ mpz_set_str(expected, "5493d4d774d03f54de2e9bef6818b74a8e22bbe9628b6dec3f178d" "cc0090dab933a0f24bc9ac8aec949558868ea4f8e29d0248e70717" "6c113e8fbd9f1428c45a120378e32febffd4e9aca8102081bb5b90" "0f2914395a220823b700dbd7bd32646e", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); /* Test sha1 signature */ mpz_set_str(expected, "126bbd3d9e8649187069d8b6f0f43bd234a53249f765f616647049" "ca49b2c4cc8049440d5a9f1d10fcdf162b40afd9b761bcd30e2c60" "133b2c6f0504fe447038422b835d35448acb0881e894144e4ccaea" "59ce8dd16d3540fcbb84ebd1c5fb37510", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-4.0/testsuite/rsa-test.c0000644000000000000000000001464615141166425013555 0ustar00#include "testutils.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test md5 signatures */ mpz_set_str(expected, "53bf517009fa956e" "3daa6adc95e8663d" "3759002f488bbbad" "e49f62792d85dbcc" "293f68e2b68ef89a" "c5bd42d98f845325" "3e6c1b76fc337db5" "e0053f255c55faf3" "eb6cc568ad7f5013" "5b269a64acb9eaa7" "b7f09d9bd90310e6" "4c58f6dbe673ada2" "67c97a9d99e19f9d" "87960d9ce3f0d5ce" "84f401fe7e10fa24" "28b9bffcf9", 16); test_rsa_md5(&pub, &key, expected); /* Test sha1 signature */ mpz_set_str(expected, "129b405ed85db88c" "55d35344c4b52854" "496516b4d63d8211" "80a0c24d6ced9047" "33065a564bbd33d0" "a5cdfd204b9c6d15" "78337207c2f1662d" "c73906c7a0f2bf5c" "af92cef9121957b1" "dcb111ff47b92389" "888e384d0cfd1b1e" "e5d7003a8feff3fd" "dd6a71d242a79272" "25234d67ba369441" "c12ae555c697754e" "a17f93fa92", 16); test_rsa_sha1(&pub, &key, expected); mpz_set_str(expected, "13f9e43f7a401a73" "0a74985c01520d76" "bf5f2e2dff91e93b" "9267d8c388d6937b" "d4bc6f1fa31618a9" "b5e3a1a875af72f5" "0e805dbfebdf4348" "7d49763f0b365e78" "d2c0ea8fb3785897" "782289a58f998907" "248c9cdf2c643d7e" "6ba6b55026227773" "6f19caa69c4fc6d7" "7e2e5d4cd6b7a82b" "900d201ffd000448" "685e5a4f3e", 16); test_rsa_sha256(&pub, &key, expected); mpz_set_str(expected, "06327f717f43bcf3" "5994e567e8241963" "8c22e1057a7771e7" "a665bb7441a39cc8" "7762f6b1a459cae3" "281462ed3f6aec48" "15c2365797a02af6" "8a603adf276c46f6" "e6afb25d07c57f47" "c516aff84abda629" "cc83d9364eb3616d" "7d4ddf0e9a25fac5" "7d56a252b0cb7b1f" "8266b525e9b893af" "116e7845c0969a9f" "603e2543f3", 16); test_rsa_sha512(&pub, &key, expected); /* Test detection of invalid keys with even modulo */ mpz_clrbit (pub.n, 0); ASSERT (!rsa_public_key_prepare (&pub)); mpz_clrbit (key.p, 0); ASSERT (!rsa_private_key_prepare (&key)); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test md5 signatures */ mpz_set_str(expected, "011b939f6fbacf7f" "7d3217b022d07477" "e582e34d4bbddd4c" "31520647417fc8a6" "18b2e196d799cedd" "d8f5c062fd796b0f" "72ab46db2ac6ec74" "39d856be3f746cc4" "3e0a15429954736a" "60a8b3c6ea93d2cb" "c69085c307d72517" "07d43bf97a3b51eb" "9e89", 16); test_rsa_md5(&pub, &key, expected); /* Test sha1 signature */ mpz_set_str(expected, "648c49e0ed045547" "08381d0bcd03b7bd" "b0f80a0e9030525d" "234327a1c96b8660" "f1c01c6f15ae76d0" "4f53a53806b7e4db" "1f789e6e89b538f6" "88fcbd2caa6abef0" "5432d52f3de463a4" "a9e6de94f1b7bb68" "3c07edf0924fc93f" "56e1a0dba8f7491c" "5c", 16); test_rsa_sha1(&pub, &key, expected); mpz_set_str(expected, "d759bb28b4d249a2" "f8b67bdbb1ab7f50" "c88712fbcabc2956" "1ec6ca3f8fdafe7a" "38433d7da287b8f7" "87857274c1640b2b" "e652cd89c501d570" "3980a0af5c6bb60c" "f84feab25b099d06" "e2519accb73dac43" "fb8bdad28835f3bd" "84c43678fe2ef41f" "af", 16); test_rsa_sha256(&pub, &key, expected); mpz_set_str(expected, "f761aae6273d6149" "06d8c208fb2897ca" "d798a46af4985b86" "51d51e6a3e11cbe0" "84f18ba8979c0f54" "11493f7c6e770560" "03db2146b4dbcaa6" "4aae2e02aab9ff7b" "1ddf77dc72145cf1" "c26ebde7c708cdc1" "62e167a7ac33967b" "386a40ea4a988d17" "47", 16); test_rsa_sha512(&pub, &key, expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-4.0/testsuite/rsa2sexp-test.c0000644000000000000000000000573715141166425014540 0ustar00#include "testutils.h" #include "buffer.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key priv; struct nettle_buffer buffer; rsa_public_key_init(&pub); rsa_private_key_init(&priv); mpz_set_str(pub.n, "085c3408989acae4faec3cbbad91c90d34c1d259cd74121a" "36f38b0b51424a9b2be514a04377113a6cdafe79dd7d5f2e" "cc8b5e9661189b86a7b22239907c25", 16); mpz_set_str(pub.e, "36ad4b1d", 16); ASSERT(rsa_public_key_prepare(&pub)); mpz_set_str(priv.d, "06ee6d4ff3c239e408150daf8117abfa36a40ad4455d9059" "a86d52f33a2de07418a0a699594588c64810248c9412d554" "f74af947c73c32007e87c92f0937ed", 16); mpz_set_str(priv.p, "03259879b24315e9cf14254824c7935d807cdb6990f414a0" "f65e6065130a611f", 16); mpz_set_str(priv.q, "02a81ba73bad45fc73b36deffce52d1b73e0747f4d8a8264" "8cecd310448ea63b", 16); mpz_set_str(priv.a, "026cbdad5dd0046e093f060ecd5b4ac918e098b0278bb752" "b7cadd6a8944f0b9", 16); mpz_set_str(priv.b, "0148751e622d6d58e3bb094afd6edacf7370351d068e2ce9" "f565c5528c4a7473", 16); mpz_set_str(priv.c, "f8a458ea73a018dc6fa56863e3bc6de405f364f77dee6f09" "62679ea1a8282e", 16); ASSERT(rsa_private_key_prepare(&priv)); nettle_buffer_init(&buffer); ASSERT(rsa_keypair_to_sexp(&buffer, "rsa", &pub, &priv)); if (verbose) { printf("private:"); print_hex(buffer.size, buffer.contents); } ASSERT(MEMEQ(buffer.size, buffer.contents, H("2831313a707269766174652d6b657928" "333a72736128313a6e36333a085c3408" "989acae4faec3cbbad91c90d34c1d259" "cd74121a36f38b0b51424a9b2be514a0" "4377113a6cdafe79dd7d5f2ecc8b5e96" "61189b86a7b22239907c252928313a65" "343a36ad4b1d2928313a6436333a06ee" "6d4ff3c239e408150daf8117abfa36a4" "0ad4455d9059a86d52f33a2de07418a0" "a699594588c64810248c9412d554f74a" "f947c73c32007e87c92f0937ed292831" "3a7033323a03259879b24315e9cf1425" "4824c7935d807cdb6990f414a0f65e60" "65130a611f2928313a7133323a02a81b" "a73bad45fc73b36deffce52d1b73e074" "7f4d8a82648cecd310448ea63b292831" "3a6133323a026cbdad5dd0046e093f06" "0ecd5b4ac918e098b0278bb752b7cadd" "6a8944f0b92928313a6233323a014875" "1e622d6d58e3bb094afd6edacf737035" "1d068e2ce9f565c5528c4a7473292831" "3a6333323a00f8a458ea73a018dc6fa5" "6863e3bc6de405f364f77dee6f096267" "9ea1a8282e292929"))); nettle_buffer_clear(&buffer); ASSERT(rsa_keypair_to_sexp(&buffer, NULL, &pub, NULL)); if (verbose) { printf("public:"); print_hex(buffer.size, buffer.contents); } ASSERT(MEMEQ(buffer.size, buffer.contents, H("2831303a7075626c69632d6b65792839" "3a7273612d706b63733128313a6e3633" "3a085c3408989acae4faec3cbbad91c9" "0d34c1d259cd74121a36f38b0b51424a" "9b2be514a04377113a6cdafe79dd7d5f" "2ecc8b5e9661189b86a7b22239907c25" "2928313a65343a36ad4b1d292929"))); nettle_buffer_clear(&buffer); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); } nettle-4.0/testsuite/salsa20-test.c0000644000000000000000000003533015141166425014226 0ustar00#include "testutils.h" #include "salsa20.h" #include "memxor.h" static int memzero_p (const uint8_t *p, size_t n) { size_t i; for (i = 0; i < n; i++) if (p[i]) return 0; return 1; } /* The ecrypt testcases encrypt 512 zero bytes (8 blocks), then give the xor of all blocks, and the data for block 0 (0-63), 3,4 (192-319), 7 (448-511) */ #define STREAM_LENGTH 512 static void test_salsa20_stream(const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext, const struct tstring *xor_ref) { struct salsa20_ctx ctx; uint8_t data[STREAM_LENGTH + 1]; uint8_t stream[STREAM_LENGTH + 1]; uint8_t xor[SALSA20_BLOCK_SIZE]; size_t j; ASSERT (iv->length == SALSA20_NONCE_SIZE); ASSERT (ciphertext->length == 4*SALSA20_BLOCK_SIZE); ASSERT (xor_ref->length == SALSA20_BLOCK_SIZE); salsa20_set_key(&ctx, key->length, key->data); salsa20_set_nonce(&ctx, iv->data); memset(stream, 0, STREAM_LENGTH + 1); salsa20_crypt(&ctx, STREAM_LENGTH, stream, stream); if (stream[STREAM_LENGTH]) { fprintf(stderr, "Stream of %d bytes wrote too much!\n", STREAM_LENGTH); FAIL(); } if (!MEMEQ (64, stream, ciphertext->data)) { fprintf(stderr, "Error failed, offset 0:\n"); fprintf(stderr, "\nOutput: "); print_hex(64, stream); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ (128, stream + 192, ciphertext->data + 64)) { fprintf(stderr, "Error failed, offset 192:\n"); fprintf(stderr, "\nOutput: "); print_hex(128, stream + 192); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data + 64); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ (64, stream + 448, ciphertext->data + 192)) { fprintf(stderr, "Error failed, offset 448:\n"); fprintf(stderr, "\nOutput: "); print_hex(64, stream + 448); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data + 192); fprintf(stderr, "\n"); FAIL(); } memxor3 (xor, stream, stream + SALSA20_BLOCK_SIZE, SALSA20_BLOCK_SIZE); for (j = 2*SALSA20_BLOCK_SIZE; j < STREAM_LENGTH; j += SALSA20_BLOCK_SIZE) memxor (xor, stream + j, SALSA20_BLOCK_SIZE); if (!MEMEQ (SALSA20_BLOCK_SIZE, xor, xor_ref->data)) { fprintf(stderr, "Error failed, bad xor 448:\n"); fprintf(stderr, "\nOutput: "); print_hex(SALSA20_BLOCK_SIZE, xor); fprintf(stderr, "\nExpected:"); print_hex(SALSA20_BLOCK_SIZE, xor_ref->data); fprintf(stderr, "\n"); FAIL(); } for (j = 1; j <= STREAM_LENGTH; j++) { memset(data, 0, STREAM_LENGTH + 1); salsa20_set_nonce(&ctx, iv->data); salsa20_crypt(&ctx, j, data, data); if (!MEMEQ(j, data, stream)) { fprintf(stderr, "Encrypt failed for length %lu:\n", (unsigned long) j); fprintf(stderr, "\nOutput: "); print_hex(j, data); fprintf(stderr, "\nExpected:"); print_hex(j, stream); fprintf(stderr, "\n"); FAIL(); } if (!memzero_p (data + j, STREAM_LENGTH + 1 - j)) { fprintf(stderr, "Encrypt failed for length %lu, wrote too much:\n", (unsigned long) j); fprintf(stderr, "\nOutput: "); print_hex(STREAM_LENGTH + 1 - j, data + j); fprintf(stderr, "\n"); FAIL(); } } } /* Test with simple structure of the salsa20 input, to aid debugging. */ static void test_salsa20_core(void) { const uint32_t input[16] = { 0, 1, 2, 3, 4, 5, 6, 7, /* Second block will have carry from first counter word propagate to next word. */ 0xffffffff, 9, 10, 11, 12, 13, 14, 15 }; const struct tstring *expected_12 = SHEX("c456dd00835121fa 2f3f818adea91c66" "c024ec78191dbef8 4e828fde71420f4f" "2edb91cc7ae72fe6 1c6d96d1169241f5" "8d34bec538389247 1b2f71089992fd2b" "a1194b4875788ee5 731f27c32481450b" "4cc7b2a3f8ac7f43 6f42bd16a71cb721" "299f6d9481e4bc87 23b5c0a2f142e507" "34b7fe35fe292f2f 1bf9ae5296afdbeb"); const struct tstring *expected_20 = SHEX( "02e02587e69cd380 3e5f3c53f0c29173" "d3becef2da8da494 e8d1d4294270fc5e" "a2c2001a6a45dc71 a3699e6594af795f" "299814ae4f73650b e1d13040031dbfef" "46b5b8ce5dc5b255 78b2695eb61fa816" "7e22958311e2d585 826f4ebf1c7b3c98" "a2857c3e4edc6f9e ed4312d698ddad55" "57d13942292f8713 63eb7a5ab07a707e"); struct salsa20_ctx ctx; uint8_t output[128]; ASSERT (expected_12->length == 128); ASSERT (expected_20->length == 128); /* Two blocks, to exercises _salsa20_2core, if available. */ memcpy (&ctx, input, sizeof(ctx)); salsa20r12_crypt (&ctx, 128, output, expected_12->data); if (!memzero_p (output, 128)) { fprintf(stderr, "salsa20r12_crypt failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(128, output); fprintf(stderr, "\n"); FAIL(); } memcpy (&ctx, input, sizeof(ctx)); salsa20_crypt (&ctx, 128, output, expected_20->data); if (!memzero_p (output, 128)) { fprintf(stderr, "salsa20_crypt failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(128, output); fprintf(stderr, "\n"); FAIL(); } } typedef void salsa20_func(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); static void _test_salsa20(salsa20_func *crypt, const struct tstring *key, const struct tstring *nonce, const struct tstring *cleartext, const struct tstring *ciphertext) { struct salsa20_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (nonce->length == SALSA20_NONCE_SIZE); data = xalloc(length + 1); salsa20_set_key(&ctx, key->length, key->data); salsa20_set_nonce(&ctx, nonce->data); data[length] = 17; crypt(&ctx, length, data, cleartext->data); if (data[length] != 17) { fprintf(stderr, "Encrypt of %lu bytes wrote too much!\nInput:", (unsigned long) length); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } salsa20_set_key(&ctx, key->length, key->data); salsa20_set_nonce(&ctx, nonce->data); crypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } #define test_salsa20(key, nonce, cleartext, ciphertext) \ _test_salsa20 (salsa20_crypt, (key), (nonce), (cleartext), (ciphertext)) #define test_salsa20r12(key, nonce, cleartext, ciphertext) \ _test_salsa20 (salsa20r12_crypt, (key), (nonce), (cleartext), (ciphertext)) void test_main(void) { test_salsa20_core(); /* http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/reduced/12-rounds/verified.test-vectors?logsort=rev&rev=210&view=markup */ test_salsa20r12(SHEX("80000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("FC207DBF C76C5E17")); test_salsa20r12(SHEX("00400000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("6C11A3F9 5FEC7F48")); test_salsa20r12(SHEX("09090909090909090909090909090909"), SHEX("0000000000000000"), SHEX("00000000 00000000"), SHEX("78E11FC3 33DEDE88")); test_salsa20r12(SHEX("1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("A6747461 1DF551FF")); test_salsa20r12(SHEX("80000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("AFE411ED 1C4E07E4")); test_salsa20r12(SHEX("0053A6F94C9FF24598EB3E91E4378ADD" "3083D6297CCF2275C81B6EC11467BA0D"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("52E20CF8 775AE882")); /* http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/verified.test-vectors?logsort=rev&rev=210&view=markup */ test_salsa20(SHEX("80000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("4DFA5E48 1DA23EA0")); test_salsa20(SHEX("00000000 00000000 00000000 00000000"), SHEX("80000000 00000000"), SHEX("00000000 00000000"), SHEX("B66C1E44 46DD9557")); test_salsa20(SHEX("0053A6F94C9FF24598EB3E91E4378ADD"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("05E1E7BE B697D999")); test_salsa20(SHEX("80000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("E3BE8FDD 8BECA2E3")); test_salsa20(SHEX("00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("80000000 00000000"), SHEX("00000000 00000000"), SHEX("2ABA3DC45B494700")); test_salsa20(SHEX("0053A6F94C9FF24598EB3E91E4378ADD" "3083D6297CCF2275C81B6EC11467BA0D"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("F5FAD53F 79F9DF58")); test_salsa20_stream(SHEX("80000000000000000000000000000000"), SHEX("00000000 00000000"), SHEX("4DFA5E481DA23EA09A31022050859936" "DA52FCEE218005164F267CB65F5CFD7F" "2B4F97E0FF16924A52DF269515110A07" "F9E460BC65EF95DA58F740B7D1DBB0AA" "DA9C1581F429E0A00F7D67E23B730676" "783B262E8EB43A25F55FB90B3E753AEF" "8C6713EC66C51881111593CCB3E8CB8F" "8DE124080501EEEB389C4BCB6977CF95" "7D5789631EB4554400E1E025935DFA7B" "3E9039D61BDC58A8697D36815BF1985C" "EFDF7AE112E5BB81E37ECF0616CE7147" "FC08A93A367E08631F23C03B00A8DA2F" "B375703739DACED4DD4059FD71C3C47F" "C2F9939670FAD4A46066ADCC6A564578" "3308B90FFB72BE04A6B147CBE38CC0C3" "B9267C296A92A7C69873F9F263BE9703"), SHEX("F7A274D268316790A67EC058F45C0F2A" "067A99FCDE6236C0CEF8E056349FE54C" "5F13AC74D2539570FD34FEAB06C57205" "3949B59585742181A5A760223AFA22D4")); test_salsa20_stream(SHEX("48494A4B4C4D4E4F5051525354555657" "58595A5B5C5D5E5F6061626364656667"), SHEX("0000000000000000"), SHEX("53AD3698A011F779AD71030F3EFBEBA0" "A7EE3C55789681B1591EF33A7BE521ED" "68FC36E58F53FFD6E1369B00E390E973" "F656ACB097E0D603BE59A0B8F7975B98" "A04698274C6AC6EC03F66ED3F94C08B7" "9FFDBF2A1610E6F5814905E73AD6D0D2" "8164EEB8450D8ED0BB4B644761B43512" "52DD5DDF00C31E3DABA0BC17691CCFDC" "B826C7F071E796D34E3BFFB3C96E76A1" "209388392806947C7F19B86D379FA3AE" "DFCD19EBF49803DACC6E577E5B97B0F6" "D2036B6624D8196C96FCF02C865D30C1" "B505D41E2C207FA1C0A0E93413DDCFFC" "9BECA8030AFFAC2466E56482DA0EF428" "E63880B5021D3051F18679505A2B9D4F" "9B2C5A2D271D276DE3F51DBEBA934436"), SHEX("7849651A820B1CDFE36D5D6632716534" "E0635EDEFD538122D80870B60FB055DB" "637C7CA2B78B116F83AFF46E40F8F71D" "4CD6D2E1B750D5E011D1DF2E80F7210A")); } /* Intermediate values for the first salsa20 test case. 0: 61707865 80 0 0 0 3120646e 0 0 0 0 79622d36 80 0 0 0 6b206574 1: 50e6ebaf 3093463d f190e454 9032fa35 b83c32b0 7fdf3d47 eff21454 a6bf53f6 59562a33 90327718 9bc1ab3d 49c5665e 4b9c6232 a5b70d82 b1169b3c 8273a766 2: 877140ed bc61b44d 60af1c4e 8a219997 dfa36b55 9dc00f65 e245efc8 ece54d32 72a63aac c0dc93d7 a1cd6536 b3d44ccb 8ebd332b c4022fa0 5d4ff16b 65f222e 3: 26693f1 c7ef1593 549a3a3 9396e54a c899675e 1f815f3 47c648d ebbc01 67f6ac0c d03d4afa 810d422e e7fd3e5b 8cd07539 3eb6917b 54e58e29 ef2c818d 4: 1dff67e3 39538859 717137d4 b935012 f279ff60 26098b57 4cc2cc68 752f0a9c f62fef8b a3028de7 74c726e7 42bbaa73 85d7ae1b 36e9c191 791019b1 82263e6a 5: 5058d8b0 d3e44dcf 10bb47b1 7b673ef0 19f30031 111e4716 ec0295bc 6fd5bf67 12ffc7e4 d8b55c8 170d410 dd715714 dcd50b85 1f2bfff6 bde9be51 dbcb0b76 6: bc9cffbc 33ef9daa 8057f2b9 896b4878 705ae8b d14227c3 64a13629 112fc18c bfe180ad eaf359a0 68467f43 a365bb13 6b1e849 e6cc8032 70e6c3fe cb0a55bb 7: 8d90ced2 54d545b4 85be446e b1632f4f a071ac6a 90e0a919 33e1e736 ca25d574 a2b9cc17 7211ef22 c6d499c3 83fdd462 69a1c02c 4ee14ab4 33c7598 6c536d35 8: 27885144 2d2a552b f3f9bf1b 33ebeb6b 104b8b7a a96110e 9acb26ae 9dba5b23 be384f78 4cdf3afc ef04b59d f0b9a6fe ae50a69b 6c6ea81 f11fe33a 5abcb2ae 9: 3b2388b1 a820e0d9 1f008910 88c73d4e fc306490 8188ba2d d0cae010 9a65a2e4 cf53e73f acec2667 4b870ab0 6cbfe29b 27295feb 2a801ee 16f1c6fe 4f40ae38 10: 6d52785f 5d421f38 d44f5a20 a7ec3b7c c6a5c6cb f2a38eca c45beae 69415ff 93bbc87e cad09b7b c4627081 55276967 3e13c4d8 aa4e20f4 2a485bf2 bcdbfc61 11: 5136a836 dd9db9bc 50366ca5 a65edf75 75bb5d1e 6bd4e822 cb52477c 7323b939 881133b8 38079a5c 14e61ea3 632aa57 ac091b61 fc1c6ca1 7e5fcc1a 329a1938 12: 5e0ca897 175e6c47 7a1e9674 609ad5a ac25229b 49de7bae 370e70c f8bde5e7 21f81ab3 e6130800 9e2a3e8f 70eed5f1 d0fbb239 d78a8ea6 b644390a 2c582e03 13: 99fc90d3 f3e42871 78784440 a5885714 28084a8c 27900f47 e453b985 39b7ca44 81e5dbf 7860f2b0 693f4da0 74c5ce19 5f2d43d a9563322 7bd6f4da 4d2e97f5 14: 25571a99 3197dbee 50a1c7d7 91f0e753 2528837d 56153f81 287f5022 270918e4 42764fa3 fea16e5b 9ec649fe a4e5e669 8734b3d9 6fc1ae8a b79a8a04 af160a85 15: 34b906a6 3f56196a 6b690cbf 6c08907a 60cfba2b 819592a7 3c9b803a 1a3ce6d2 fdfc6af 282cd998 ad20e9ec a0c76a1 772ffdcc ebf39c76 15579a67 dada9ba0 16: 3d87b380 5f9d893a c676cd97 e6d2b4b8 7d6ca34a 1dc97a79 e3de94b bccb03cd 12e2a81b 23b00e62 74d433a6 acedb4cb 6e34fe34 f4c034e4 b3349639 f6ac0473 17: e014e81d 916efb68 d833f0c9 2a0e2be9 a334791f 71573537 d5c5cb06 c8abbb8c 6abb97da 9031d7dc 9bea8440 90030a9c 6c2bdf8a 2649fbf 3a3aeef8 ee0d66c8 18: e9fb1dd3 80e4f86d 2bf2e408 d1809e73 20872c8d d93bc116 9012e00c 1c813d8e 45aa03ae 7136cba6 a6b85fc3 9e2d048a 48013f9e 1f2853d3 854c21d b9cdfb3c 19: 3d47db86 8392cea8 2cf87621 2cff7d58 dea99415 5800a055 e3661354 86701443 cc9d23f 616a0a0b 836c1eb9 6c1e72e7 24cba2f0 54be11a6 6dcb2586 a5663106 20: e6ee81e8 a03ea19d 2002319a 36998550 eefc52da e4e51bb3 b67c264f 7ffd5c5f e0974f2b 4a9216ff 1bc4b21c 70a1095 bc60e4f9 da95ef65 b740f758 3f90765d */ nettle-4.0/testsuite/sc-cnd-memcpy-test0000755000000000000000000000013615141166425015176 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./cnd-memcpy-test nettle-4.0/testsuite/sc-curve25519-dh-test0000755000000000000000000000014115141166425015261 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./curve25519-dh-test nettle-4.0/testsuite/sc-curve448-dh-test0000755000000000000000000000013715141166425015120 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./curve448-dh-test nettle-4.0/testsuite/sc-ecdsa-sign-test0000755000000000000000000000013615141166425015157 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./ecdsa-sign-test nettle-4.0/testsuite/sc-ed25519-test0000755000000000000000000000013315141166425014135 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./ed25519-test nettle-4.0/testsuite/sc-ed448-test0000755000000000000000000000013115141166425013765 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./ed448-test nettle-4.0/testsuite/sc-gcm-test0000755000000000000000000000012715141166425013710 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./gcm-test nettle-4.0/testsuite/sc-memeql-test0000755000000000000000000000013215141166425014416 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./memeql-test nettle-4.0/testsuite/sc-pkcs1-sec-decrypt-test0000755000000000000000000000014515141166425016403 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./pkcs1-sec-decrypt-test nettle-4.0/testsuite/sc-rsa-oaep-encrypt-test0000755000000000000000000000014415141166425016332 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./rsa-oaep-encrypt-test nettle-4.0/testsuite/sc-rsa-sec-decrypt-test0000755000000000000000000000014315141166425016145 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./rsa-sec-decrypt-test nettle-4.0/testsuite/sc-slh-dsa-test0000755000000000000000000000013315141166425014472 0ustar00#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./slh-dsa-test nettle-4.0/testsuite/sc-valgrind.sh0000644000000000000000000000040715141166425014402 0ustar00# To setup a test to check for branches or memory accesses depending on secret data, # using valgrind. with_valgrind () { type valgrind >/dev/null 2>&1 || exit 77 NETTLE_TEST_SIDE_CHANNEL=1 valgrind -q --exit-on-first-error=yes --error-exitcode=1 "$@" } nettle-4.0/testsuite/serpent-test.c0000644000000000000000000002601215141166425014436 0ustar00#include "testutils.h" #include "serpent.h" static const struct tstring * tstring_hex_reverse (const char *hex) { struct tstring *s = tstring_hex (hex); uint8_t *p; size_t length, i; length = s->length; p = s->data; for (i = 0; i < (length+1)/2; i++) { uint8_t t = p[i]; p[i] = p[length - 1 - i]; p[length - 1 - i] = t; } return s; } #define RHEX(x) tstring_hex_reverse(x) /* For testing unusual key sizes. */ static void test_serpent(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct serpent_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; serpent_set_key(&ctx, key->length, key->data); serpent_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } serpent_set_key(&ctx, key->length, key->data); serpent_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* From libgcrypt */ test_cipher(&nettle_serpent128, SHEX("0000000000000000 0000000000000000"), SHEX("D29D576FCEA3A3A7 ED9099F29273D78E"), SHEX("B2288B968AE8B086 48D1CE9606FD992D")); test_cipher(&nettle_serpent192, SHEX("0000000000000000 0000000000000000 0000000000000000"), SHEX("D29D576FCEABA3A7 ED9899F2927BD78E"), SHEX("130E353E1037C224 05E8FAEFB2C3C3E9")); test_cipher(&nettle_serpent256, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("D095576FCEA3E3A7 ED98D9F29073D78E"), SHEX("B90EE5862DE69168 F2BDD5125B45472B")); test_cipher(&nettle_serpent256, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("2061A42782BD52EC 691EC383B03BA77C")); /* The first test for each key size from the ecb_vk.txt and ecb_vt.txt * files in the serpent package. */ /* NOTE: These vectors uses strange byte-reversed order of inputs and outputs. */ /* 128 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent128, RHEX("8000000000000000 0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("49AFBFAD9D5A3405 2CD8FFA5986BD2DD")); /* vt, 1 */ test_cipher(&nettle_serpent128, RHEX("0000000000000000 0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("10B5FFB720B8CB90 02A1142B0BA2E94A")); /* 192 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent192, RHEX("8000000000000000 0000000000000000" "0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("E78E5402C7195568 AC3678F7A3F60C66")); /* vt, 1 */ test_cipher(&nettle_serpent192, RHEX("0000000000000000 0000000000000000" "0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("B10B271BA25257E1 294F2B51F076D0D9")); /* 256 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent256, RHEX("8000000000000000 0000000000000000" "0000000000000000 0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("ABED96E766BF28CB C0EBD21A82EF0819")); /* vt, 1 */ test_cipher(&nettle_serpent256, RHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("DA5A7992B1B4AE6F 8C004BC8A7DE5520")); /* Test vectors from http://www.cs.technion.ac.il/~biham/Reports/Serpent/ */ /* serpent128 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent128, SHEX("000102030405060708090A0B0C0D0E0F"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("563E2CF8740A27C164804560391E9B27")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent128, SHEX("2BD6459F82C5B300952C49104881FF48"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("92D7F8EF2C36C53409F275902F06539F")); /* serpent192 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent192, SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("6AB816C82DE53B93005008AFA2246A02")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent192, SHEX("2BD6459F82C5B300952C49104881FF482BD6459F82C5B300"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("827B18C2678A239DFC5512842000E204")); /* serpent256 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent256, SHEX("000102030405060708090A0B0C0D0E0F" "101112131415161718191A1B1C1D1E1F"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("2868B7A2D28ECD5E4FDEFAC3C4330074")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent256, SHEX("2BD6459F82C5B300952C49104881FF48" "2BD6459F82C5B300952C49104881FF48"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("3E507730776B93FDEA661235E1DD99F0")); /* Test key padding. We use nettle_serpent256, which actually works also with key sizes smaller than 32 bytes. */ test_cipher(&nettle_serpent256, SHEX("00112233440100000000000000000000" "00000000000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); /* Tests with various key sizes. Currrently, key sizes smaller than SERPENT_MIN_KEY_SIZE bytes (128 bits) are not publicly supported. */ test_serpent(SHEX("0011223344"), SHEX("0000000001000000 0200000003000000"), SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00010000000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("8EB9C958EAFFDF42 009755D7B6458838")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00"), SHEX("0000000001000000 0200000003000000"), SHEX("8EB9C958EAFFDF42 009755D7B6458838")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00112201000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "001122"), SHEX("0000000001000000 0200000003000000"), SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); /* Test with multiple blocks. */ test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2"), SHEX("b3d488986c80dea7 c5ebdab4907871c9")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03")); test_cipher(&nettle_serpent128, SHEX("91c8e949e12f0e38 7b2473238a3df1b6"), SHEX("00000000 00000001 00000002 00000003" "00000004 00000005 00000006 00000007" "00000008 00000009 0000000a 0000000b" "0000000c 0000000d 0000000e 0000000f"), SHEX("2db9f0a39d4f31a4 b1a83cd1032fe1bd" "3606caa84a220b1b f6f43ff80a831203" "8c6c8d2793dc10b3 904d30e194f086a6" "b2f3e932b9b3f8d1 d4d074f7bd1ff7a3")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae" "cd1be7bbfad74819 644617f8656e9e5b"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86" "5f2c99908ee77ffe aea3d30cb78a1ce1")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae" "cd1be7bbfad74819 644617f8656e9e5b" "34d449409c1f850a 4cb6700d6ef3405f"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86" "5f2c99908ee77ffe aea3d30cb78a1ce1" "ebe855dd51532477 4d2d55969e032e6c")); } nettle-4.0/testsuite/sexp-format-test.c0000644000000000000000000001013615141166425015223 0ustar00#include "testutils.h" #include "sexp.h" #include "buffer.h" #if WITH_HOGWEED # include "bignum.h" #endif void test_main(void) { struct nettle_buffer buffer; { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "{KDM6Zm9vKDM6YmFyMTc6eHh4eHh4eHh4eHh4eHh4eHgpKQ==}"; nettle_buffer_init(&buffer); ASSERT(sexp_transport_format(&buffer, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_transport_format(NULL, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "1:\0""1:a2:bc3:def4:ghij5:\x00\xDE\xAD\xBE\xEF"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "%i%i%i%i%i%i", 0, 0x61, 0x6263, 0x646566, 0x6768696a, 0xDEADBEEF) == LLENGTH(e)); ASSERT(buffer.size == LLENGTH(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "(3:foo(4:bar))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s%l)", "foo", (size_t) 7, "(4:bar)") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "([1:t]3:foo3:bar[6:gazonk]3:baz1:q)"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0t%0s%0s%0t%0s%0t%0s)", "t", "foo", "bar", "gazonk", "baz", NULL, "q") == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } /* Try literals */ { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(bar%0s))", "foo", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(bar %0s))", "foo", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(bar xxxxxxxxxxxxxxxxx))", "foo") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(bar xxxxxxxxxxxxxxxxx))", "foo") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } /* Literal parenthesis */ { const char e[] = ")3:foo(3:bar"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "%)foo%(%s", (size_t) 3, "bar") == strlen(e)); ASSERT(sexp_format(NULL, "%)foo%(%s", (size_t) 3, "bar") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } #if WITH_HOGWEED { mpz_t x; mpz_t y; mpz_t z; const char e[] = "(3:foo(3:bar1:\xff""11:abcdefghijk13:\0\x81""abcdefghijk))"; mpz_init_set_si(x, -1); nettle_mpz_init_set_str_256_u(y, 11, US("abcdefghijk")); nettle_mpz_init_set_str_256_u(z, 12, US("\x81""abcdefghijk")); nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(%0s%b%b%b))", "foo", "bar", x, y, z) == LLENGTH(e)); ASSERT(sexp_format(NULL, "(%0s(%0s%b%b%b))", "foo", "bar", x, y, z) == LLENGTH(e)); ASSERT(buffer.size == LLENGTH(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); mpz_clear(x); mpz_clear(y); mpz_clear(z); } #endif /* WITH_HOGWEED */ } nettle-4.0/testsuite/sexp-test.c0000644000000000000000000000612115141166425013734 0ustar00#include "testutils.h" #include "sexp.h" void test_main(void) { struct sexp_iterator i; uint32_t x; ASSERT(sexp_iterator_first(&i, LDATA(""))); ASSERT(i.type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("()"))); ASSERT(i.type == SEXP_LIST && sexp_iterator_enter_list(&i) && i.type == SEXP_END && sexp_iterator_exit_list(&i) && i.type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("("))); ASSERT(i.type == SEXP_LIST && !sexp_iterator_enter_list(&i)); /* Check integers. */ ASSERT(sexp_iterator_first(&i, LDATA("1:\0" "1:\x11" "2:\x00\x11" "2:\x00\x80" "5:\x00\xaa\xbb\xcc\xdd"))); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x11); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x11); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x80); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0xaabbccdd); ASSERT(sexp_iterator_first(&i, LDATA("3:foo0:[3:bar]12:xxxxxxxxxxxx"))); ASSERT(i.type == SEXP_ATOM && !i.display_length && !i.display && i.atom_length == 3 && MEMEQ(3, "foo", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_ATOM && !i.display_length && !i.display && !i.atom_length && i.atom && sexp_iterator_next(&i) && i.type == SEXP_ATOM && i.display_length == 3 && MEMEQ(3, "bar", i.display) && i.atom_length == 12 && MEMEQ(12, "xxxxxxxxxxxx", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_END); /* Same data, transport encoded. */ { struct tstring *s = tstring_data(LDATA("{Mzpmb28=} {MDo=} {WzM6YmFyXTEyOnh4eHh4eHh4eHh4eA==}")); ASSERT(sexp_transport_iterator_first (&i, s->length, s->data)); ASSERT(i.type == SEXP_ATOM && !i.display_length && !i.display && i.atom_length == 3 && MEMEQ(3, "foo", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_ATOM && !i.display_length && !i.display && !i.atom_length && i.atom && sexp_iterator_next(&i) && i.type == SEXP_ATOM && i.display_length == 3 && MEMEQ(3, "bar", i.display) && i.atom_length == 12 && MEMEQ(12, "xxxxxxxxxxxx", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_END); } { static const char * const keys[2] = { "n", "e" }; struct sexp_iterator v[2]; ASSERT(sexp_iterator_first(&i, LDATA("((1:n2:xx3:foo)((((((1:z))))))0:(1:y)(1:e))"))); ASSERT(sexp_iterator_enter_list(&i) && sexp_iterator_assoc(&i, 2, keys, v)); ASSERT(v[0].type == SEXP_ATOM && !v[0].display_length && !v[0].display && v[0].atom_length == 2 && MEMEQ(2, "xx", v[0].atom) && sexp_iterator_next(&v[0]) && v[0].type == SEXP_ATOM && !v[0].display_length && !v[0].display && v[0].atom_length == 3 && MEMEQ(3, "foo", v[0].atom) && sexp_iterator_next(&v[0]) && v[0].type == SEXP_END); ASSERT(v[1].type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("((1:n))"))); ASSERT(sexp_iterator_enter_list(&i) && !sexp_iterator_assoc(&i, 2, keys, v)); ASSERT(sexp_iterator_first(&i, LDATA("((1:n)(1:n3:foo))"))); ASSERT(sexp_iterator_enter_list(&i) && !sexp_iterator_assoc(&i, 2, keys, v)); } } nettle-4.0/testsuite/sexp2rsa-test.c0000644000000000000000000000236015141166425014525 0ustar00#include "testutils.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key priv; const struct tstring *sexp; rsa_public_key_init(&pub); rsa_private_key_init(&priv); sexp = SHEX("2831313a707269766174652d6b657928" "333a72736128313a6e36333a085c3408" "989acae4faec3cbbad91c90d34c1d259" "cd74121a36f38b0b51424a9b2be514a0" "4377113a6cdafe79dd7d5f2ecc8b5e96" "61189b86a7b22239907c252928313a65" "343a36ad4b1d2928313a6436333a06ee" "6d4ff3c239e408150daf8117abfa36a4" "0ad4455d9059a86d52f33a2de07418a0" "a699594588c64810248c9412d554f74a" "f947c73c32007e87c92f0937ed292831" "3a7033323a03259879b24315e9cf1425" "4824c7935d807cdb6990f414a0f65e60" "65130a611f2928313a7133323a02a81b" "a73bad45fc73b36deffce52d1b73e074" "7f4d8a82648cecd310448ea63b292831" "3a6133323a026cbdad5dd0046e093f06" "0ecd5b4ac918e098b0278bb752b7cadd" "6a8944f0b92928313a6233323a014875" "1e622d6d58e3bb094afd6edacf737035" "1d068e2ce9f565c5528c4a7473292831" "3a6333323a00f8a458ea73a018dc6fa5" "6863e3bc6de405f364f77dee6f096267" "9ea1a8282e292929"); ASSERT(rsa_keypair_from_sexp (&pub, &priv, 0, sexp->length, sexp->data)); test_rsa_key(&pub, &priv); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); } nettle-4.0/testsuite/sha1-huge-test.c0000644000000000000000000000054715141166425014545 0ustar00#include "testutils.h" void test_main(void) { /* Hashes 10 000 000 x 30 000 bytes > 64 * 2^32. This overflows the low word of the block counter. This test vector is not cross checked with any other sha1 implementation. */ test_hash_large(&nettle_sha1, 10000000, 30000, 'a', SHEX("0ba79364dc64648f 2074fb4bc5c28bcf" "b7a787b0")); } nettle-4.0/testsuite/sha1-test.c0000644000000000000000000001017015141166425013610 0ustar00#include "testutils.h" #include "nettle-write.h" #include "sha1.h" /* Test compression only. */ static void test_sha1_compress(const struct tstring *input, const struct tstring *expected) { size_t split; ASSERT (input->length % SHA1_BLOCK_SIZE == 0); ASSERT (expected->length == SHA1_DIGEST_SIZE); for (split = 0; split <= input->length; split += SHA1_BLOCK_SIZE) { struct sha1_ctx ctx; uint8_t digest[SHA1_DIGEST_SIZE]; sha1_init (&ctx); sha1_update (&ctx, split, input->data); sha1_update (&ctx, input->length - split, input->data + split); _nettle_write_be32 (SHA1_DIGEST_SIZE, digest, ctx.state); if (!MEMEQ (SHA1_DIGEST_SIZE, digest, expected->data)) { fprintf (stderr, "sha1_compress failed: length %u, split %u \nInput:", (unsigned) input->length, (unsigned) split); tstring_print_hex (input); fprintf (stderr, "\nOutput: "); print_hex (SHA1_DIGEST_SIZE, digest); fprintf(stdout, "\nExpected:\n"); tstring_print_hex (expected); fprintf (stderr, "\n"); abort (); } } } void test_main(void) { /* Initial state */ test_sha1_compress (SDATA(""), SHEX("67452301efcdab89 98badcfe10325476" "c3d2e1f0")); /* Single block compressed */ test_sha1_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY"), SHEX("005cf6fb02d9a17e f77d0b8eac9da60c" "08ecaf1c")); /* Two blocks compressed */ test_sha1_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY" "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345" "6789abcdefghijklmnopqrstuvwxyzzy"), SHEX("3e0dd3db30fc4e45 c17a97f0c431f07b" "6b4a5cc5")); test_hash(&nettle_sha1, SDATA(""), SHEX("DA39A3EE5E6B4B0D 3255BFEF95601890 AFD80709")); test_hash(&nettle_sha1, SDATA("a"), SHEX("86F7E437FAA5A7FC E15D1DDCB9EAEAEA 377667B8")); test_hash(&nettle_sha1, SDATA("abc"), SHEX("A9993E364706816A BA3E25717850C26C 9CD0D89D")); test_hash(&nettle_sha1, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("32D10C7B8CF96570 CA04CE37F2A19D84 240D3A89")); test_hash(&nettle_sha1, SDATA("message digest"), SHEX("C12252CEDA8BE899 4D5FA0290A47231C 1D16AAE3")); test_hash(&nettle_sha1, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz0123456789"), SHEX("761C457BF73B14D2 7E9E9265C46F4B4D DA11F940")); test_hash(&nettle_sha1, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("50ABF5706A150990 A08B2C5EA40FA0E5 85554732")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_sha1, SDATA("38"), SHEX("5b384ce32d8cdef02bc3a139d4cac0a22bb029e8")); } /* These are intermediate values for the single sha1_compress call that results from the first testcase, SHA1(""). Each row is the values for A, B, C, D, E after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. i A B C D E -1: 67452301 efcdab89 98badcfe 10325476 c3d2e1f0 0: 67452301 7bf36ae2 98badcfe 10325476 1fb498b3 1: 59d148c0 7bf36ae2 98badcfe 5d43e370 1fb498b3 15: 40182905 4544b22e a13017ac ab703832 d8fd6547 16: 50060a41 4544b22e a13017ac 6bf9173 d8fd6547 17: 50060a41 4544b22e 28a9520e 6bf9173 f63f5951 18: 50060a41 b3088dd 28a9520e c1afe45c f63f5951 19: e758e8da b3088dd 8a2a5483 c1afe45c f63f5951 20: e758e8da 42cc2237 8a2a5483 c1afe45c 90eb9850 21: b9d63a36 42cc2237 8a2a5483 7dbb787d 90eb9850 38: e47bc31 62273351 b201788b 413c1d9a 2aeeae62 39: 9bdbdd71 62273351 ec805e22 413c1d9a 2aeeae62 40: 9bdbdd71 5889ccd4 ec805e22 413c1d9a 95aa398b 41: 66f6f75c 5889ccd4 ec805e22 5e28e858 95aa398b 58: 2164303a 982bcbca e1afab22 c5a3382e af9292fa 59: 9b9d2913 982bcbca b86beac8 c5a3382e af9292fa 60: 9b9d2913 a60af2f2 b86beac8 c5a3382e d37db937 61: e6e74a44 a60af2f2 b86beac8 85b9d227 d37db937 78: c57a6345 6e9d9f84 666b8bc6 852dc41a ec052519 79: 72f480ed 6e9d9f84 999ae2f1 852dc41a ec052519 99: da39a3ee 5e6b4b0d 3255bfef 95601890 afd80709 */ nettle-4.0/testsuite/sha224-test.c0000644000000000000000000000306715141166425013766 0ustar00#include "testutils.h" void test_main(void) { /* From FIPS180-2 addendum (http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf) */ test_hash(&nettle_sha224, SDATA("abc"), SHEX("23097d22 3405d822 8642a477 bda255b3" "2aadbce4 bda0b3f7 e36c9da7")); test_hash(&nettle_sha224, SDATA("abcdbcdecdefdefgefghfghighij" "hijkijkljklmklmnlmnomnopnopq"), SHEX("75388b16 512776cc 5dba5da1 fd890150" "b0c6455c b4f58b19 52522525")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha224, SDATA(""), SHEX("d14a028c2a3a2bc9 476102bb288234c4" "15a2b01f828ea62a c5b3e42f")); test_hash(&nettle_sha224, SDATA("a"), SHEX("abd37534c7d9a2ef b9465de931cd7055" "ffdb8879563ae980 78d6d6d5")); test_hash(&nettle_sha224, SDATA("38"), SHEX("4cfca6da32da6471 98225460722b7ea1" "284f98c4b179e8db ae3f93d5")); test_hash(&nettle_sha224, SDATA("message digest"), SHEX("2cb21c83ae2f004d e7e81c3c7019cbcb" "65b71ab656b22d6d 0c39b8eb")); test_hash(&nettle_sha224, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("45a5f72c39c5cff2 522eb3429799e49e" "5f44b356ef926bcf 390dccc2")); test_hash(&nettle_sha224, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("bff72b4fcb7d75e5 632900ac5f90d219" "e05e97a7bde72e74 0db393d9")); test_hash(&nettle_sha224, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("b50aecbe4e9bb0b5 7bc5f3ae760a8e01" "db24f203fb3cdcd1 3148046e")); } nettle-4.0/testsuite/sha256-test.c0000644000000000000000000002015215141166425013765 0ustar00#include "testutils.h" #include "nettle-write.h" #include "sha2.h" /* Test compression only. */ static void test_sha256_compress(const struct tstring *input, const struct tstring *expected) { size_t split; ASSERT (input->length % SHA256_BLOCK_SIZE == 0); ASSERT (expected->length == SHA256_DIGEST_SIZE); for (split = 0; split <= input->length; split += SHA256_BLOCK_SIZE) { struct sha256_ctx ctx; uint8_t digest[SHA256_DIGEST_SIZE]; sha256_init (&ctx); sha256_update (&ctx, split, input->data); sha256_update (&ctx, input->length - split, input->data + split); _nettle_write_be32 (SHA256_DIGEST_SIZE, digest, ctx.state); if (!MEMEQ (SHA256_DIGEST_SIZE, digest, expected->data)) { fprintf (stderr, "sha256_compress failed: length %u, split %u\nInput:", (unsigned) input->length, (unsigned) split); tstring_print_hex (input); fprintf (stderr, "\nOutput: "); print_hex (SHA256_DIGEST_SIZE, digest); fprintf(stdout, "\nExpected:\n"); tstring_print_hex (expected); fprintf (stderr, "\n"); abort (); } } } void test_main(void) { /* Initial state */ test_sha256_compress (SDATA(""), SHEX("6a09e667 bb67ae85 3c6ef372 a54ff53a" "510e527f 9b05688c 1f83d9ab 5be0cd19")); /* Single block compressed */ test_sha256_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY"), SHEX("932558b453a68273 4daf0008efb6b5e5" "32808baaf92bc749 2ac377107618ac67")); /* Two blocks compressed */ test_sha256_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY" "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345" "6789abcdefghijklmnopqrstuvwxyzzy"), SHEX("d82038b1732bbe97 94b879b41f98e9fc" "2777fd8ab76737f5 60919c4fe1366c8e")); /* From FIPS180-2 */ test_hash(&nettle_sha256, SDATA("abc"), SHEX("ba7816bf8f01cfea 414140de5dae2223" "b00361a396177a9c b410ff61f20015ad")); test_hash(&nettle_sha256, SDATA("abcdbcdecdefdefgefghfghighij" "hijkijkljklmklmnlmnomnopnopq"), SHEX("248d6a61d20638b8 e5c026930c3e6039" "a33ce45964ff2167 f6ecedd419db06c1")); test_hash(&nettle_sha256, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("cf5b16a778af8380 036ce59e7b049237" "0b249b11e8f07a51 afac45037afee9d1")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha256, SDATA(""), SHEX("e3b0c44298fc1c14 9afbf4c8996fb924" "27ae41e4649b934c a495991b7852b855")); test_hash(&nettle_sha256, SDATA("a"), SHEX("ca978112ca1bbdca fac231b39a23dc4d" "a786eff8147c4e72 b9807785afee48bb")); test_hash(&nettle_sha256, SDATA("38"), SHEX("aea92132c4cbeb26 3e6ac2bf6c183b5d" "81737f179f21efdc 5863739672f0f470")); test_hash(&nettle_sha256, SDATA("message digest"), SHEX("f7846f55cf23e14e ebeab5b4e1550cad" "5b509e3348fbc4ef a3a1413d393cb650")); test_hash(&nettle_sha256, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("71c480df93d6ae2f 1efad1447c66c952" "5e316218cf51fc8d 9ed832f2daf18b73")); test_hash(&nettle_sha256, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("db4bfcbd4da0cd85 a60c3c37d3fbd880" "5c77f15fc6b1fdfe 614ee0a7c8fdb4c0")); test_hash(&nettle_sha256, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("f371bc4a311f2b00 9eef952dd83ca80e" "2b60026c8e935592 d0f9c308453c813e")); } /* These are intermediate values for the single sha1_compress call that results from the first testcase, SHA256("abc"). Each row are the values for A, B, C, D, E, F, G, H after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. -1: 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 0: 6a09e667 bb67ae85 3c6ef372 fa2a4622 510e527f 9b05688c 1f83d9ab 5d6aebcd 1: 6a09e667 bb67ae85 78ce7989 fa2a4622 510e527f 9b05688c 5a6ad9ad 5d6aebcd 6: 24e00850 e5030380 2b4209f5 4409a6a d550f666 9b27a401 714260ad 43ada245 7: 85a07b5f e5030380 2b4209f5 4409a6a c657a79 9b27a401 714260ad 43ada245 8: 85a07b5f e5030380 2b4209f5 32ca2d8c c657a79 9b27a401 714260ad 8e04ecb9 9: 85a07b5f e5030380 1cc92596 32ca2d8c c657a79 9b27a401 8c87346b 8e04ecb9 14: 816fd6e9 c0645fde d932eb16 87912990 f71fc5a9 b92f20c 745a48de 1e578218 15: b0fa238e c0645fde d932eb16 87912990 7590dcd b92f20c 745a48de 1e578218 16: b0fa238e c0645fde d932eb16 8034229c 7590dcd b92f20c 745a48de 21da9a9b 17: b0fa238e c0645fde 846ee454 8034229c 7590dcd b92f20c c2fbd9d1 21da9a9b 18: b0fa238e cc899961 846ee454 8034229c 7590dcd fe777bbf c2fbd9d1 21da9a9b 19: b0638179 cc899961 846ee454 8034229c e1f20c33 fe777bbf c2fbd9d1 21da9a9b 20: b0638179 cc899961 846ee454 9dc68b63 e1f20c33 fe777bbf c2fbd9d1 8ada8930 21: b0638179 cc899961 c2606d6d 9dc68b63 e1f20c33 fe777bbf e1257970 8ada8930 22: b0638179 a7a3623f c2606d6d 9dc68b63 e1f20c33 49f5114a e1257970 8ada8930 23: c5d53d8d a7a3623f c2606d6d 9dc68b63 aa47c347 49f5114a e1257970 8ada8930 24: c5d53d8d a7a3623f c2606d6d 2823ef91 aa47c347 49f5114a e1257970 1c2c2838 25: c5d53d8d a7a3623f 14383d8e 2823ef91 aa47c347 49f5114a cde8037d 1c2c2838 26: c5d53d8d c74c6516 14383d8e 2823ef91 aa47c347 b62ec4bc cde8037d 1c2c2838 27: edffbff8 c74c6516 14383d8e 2823ef91 77d37528 b62ec4bc cde8037d 1c2c2838 28: edffbff8 c74c6516 14383d8e 363482c9 77d37528 b62ec4bc cde8037d 6112a3b7 29: edffbff8 c74c6516 a0060b30 363482c9 77d37528 b62ec4bc ade79437 6112a3b7 30: edffbff8 ea992a22 a0060b30 363482c9 77d37528 109ab3a ade79437 6112a3b7 31: 73b33bf5 ea992a22 a0060b30 363482c9 ba591112 109ab3a ade79437 6112a3b7 32: 73b33bf5 ea992a22 a0060b30 9cd9f5f6 ba591112 109ab3a ade79437 98e12507 33: 73b33bf5 ea992a22 59249dd3 9cd9f5f6 ba591112 109ab3a fe604df5 98e12507 34: 73b33bf5 85f3833 59249dd3 9cd9f5f6 ba591112 a9a7738c fe604df5 98e12507 35: f4b002d6 85f3833 59249dd3 9cd9f5f6 65a0cfe4 a9a7738c fe604df5 98e12507 36: f4b002d6 85f3833 59249dd3 41a65cb1 65a0cfe4 a9a7738c fe604df5 772a26b 37: f4b002d6 85f3833 34df1604 41a65cb1 65a0cfe4 a9a7738c a507a53d 772a26b 38: f4b002d6 6dc57a8a 34df1604 41a65cb1 65a0cfe4 f0781bc8 a507a53d 772a26b 39: 79ea687a 6dc57a8a 34df1604 41a65cb1 1efbc0a0 f0781bc8 a507a53d 772a26b 40: 79ea687a 6dc57a8a 34df1604 26352d63 1efbc0a0 f0781bc8 a507a53d d6670766 41: 79ea687a 6dc57a8a 838b2711 26352d63 1efbc0a0 f0781bc8 df46652f d6670766 42: 79ea687a decd4715 838b2711 26352d63 1efbc0a0 17aa0dfe df46652f d6670766 43: fda24c2e decd4715 838b2711 26352d63 9d4baf93 17aa0dfe df46652f d6670766 44: fda24c2e decd4715 838b2711 26628815 9d4baf93 17aa0dfe df46652f a80f11f0 45: fda24c2e decd4715 72ab4b91 26628815 9d4baf93 17aa0dfe b7755da1 a80f11f0 46: fda24c2e a14c14b0 72ab4b91 26628815 9d4baf93 d57b94a9 b7755da1 a80f11f0 47: 4172328d a14c14b0 72ab4b91 26628815 fecf0bc6 d57b94a9 b7755da1 a80f11f0 48: 4172328d a14c14b0 72ab4b91 bd714038 fecf0bc6 d57b94a9 b7755da1 5757ceb 49: 4172328d a14c14b0 6e5c390c bd714038 fecf0bc6 d57b94a9 f11bfaa8 5757ceb 50: 4172328d 52f1ccf7 6e5c390c bd714038 fecf0bc6 7a0508a1 f11bfaa8 5757ceb 51: 49231c1e 52f1ccf7 6e5c390c bd714038 886e7a22 7a0508a1 f11bfaa8 5757ceb 52: 49231c1e 52f1ccf7 6e5c390c 101fd28f 886e7a22 7a0508a1 f11bfaa8 529e7d00 53: 49231c1e 52f1ccf7 f5702fdb 101fd28f 886e7a22 7a0508a1 9f4787c3 529e7d00 54: 49231c1e 3ec45cdb f5702fdb 101fd28f 886e7a22 e50e1b4f 9f4787c3 529e7d00 55: 38cc9913 3ec45cdb f5702fdb 101fd28f 54cb266b e50e1b4f 9f4787c3 529e7d00 56: 38cc9913 3ec45cdb f5702fdb 9b5e906c 54cb266b e50e1b4f 9f4787c3 fcd1887b 57: 38cc9913 3ec45cdb 7e44008e 9b5e906c 54cb266b e50e1b4f c062d46f fcd1887b 58: 38cc9913 6d83bfc6 7e44008e 9b5e906c 54cb266b ffb70472 c062d46f fcd1887b 59: b21bad3d 6d83bfc6 7e44008e 9b5e906c b6ae8fff ffb70472 c062d46f fcd1887b 60: b21bad3d 6d83bfc6 7e44008e b85e2ce9 b6ae8fff ffb70472 c062d46f 961f4894 61: b21bad3d 6d83bfc6 4d24d6c b85e2ce9 b6ae8fff ffb70472 948d25b6 961f4894 62: b21bad3d d39a2165 4d24d6c b85e2ce9 b6ae8fff fb121210 948d25b6 961f4894 63: 506e3058 d39a2165 4d24d6c b85e2ce9 5ef50f24 fb121210 948d25b6 961f4894 99: ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad */ nettle-4.0/testsuite/sha3-224-test.c0000644000000000000000000030237615141166425014133 0ustar00#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_224.txt using sha3.awk. */ test_hash(&nettle_sha3_224, /* 0 octets */ SHEX(""), SHEX("6B4E03423667DBB73B6E15454F0EB1ABD4597F9A1B078E3F5B5A6BC7")); test_hash(&nettle_sha3_224, /* 1 octets */ SHEX("CC"), SHEX("DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39")); test_hash(&nettle_sha3_224, /* 2 octets */ SHEX("41FB"), SHEX("BFF295861DAEDF33E70519B1E2BCB4C2E9FE3364D789BC3B17301C15")); test_hash(&nettle_sha3_224, /* 3 octets */ SHEX("1F877C"), SHEX("14889DF49C076A9AF2F4BCB16339BCC45A24EBF9CE4DCDCE7EC17217")); test_hash(&nettle_sha3_224, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("A33C58DF8A8026F0F9591966BD6D00EED3B1E829580AB9BE268CAF39")); test_hash(&nettle_sha3_224, /* 5 octets */ SHEX("21F134AC57"), SHEX("10E580A32199596169331AD43CFCF10264F81565037040028A06B458")); test_hash(&nettle_sha3_224, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("FE52C30C95C1E5193207E97D355FDE09453482708C0876AA961508F0")); test_hash(&nettle_sha3_224, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("8B449849CB7C4776C593DE58FD5C2E322CB5316BE08A75057A01ED6A")); test_hash(&nettle_sha3_224, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("01386CDD70589B3B34941EFE16B85071E9BA948179922044F640868E")); test_hash(&nettle_sha3_224, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("86953D0864019C81FD3A805357A162FD76A13A7CBF6FF0D635015D0E")); test_hash(&nettle_sha3_224, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("E56FC2A5A58709031DF02A2E46AD95F93583E2745630540D8D97F703")); test_hash(&nettle_sha3_224, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("1D783C37C32A2B71B504BCAA05FC00B639F1FAE7E8D8E3F3BC49F041")); test_hash(&nettle_sha3_224, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("54C7E4BF3C73E192ADE223DFEA86F2D04ACF953612731958F854C7BD")); test_hash(&nettle_sha3_224, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("77E51CEADA2AA1CBBF95ACD821008B57E946F7940223B19F0C53E62E")); test_hash(&nettle_sha3_224, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("9ED59ED155E97154E067FA0F5A130839B57BDBDA6FEB82DABE006F00")); test_hash(&nettle_sha3_224, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("81B3E56CFEEE8E9138D3BFE24BB7CCDFD4B50D0B8CA11AE7D4B0C960")); test_hash(&nettle_sha3_224, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("B1571BED52E54EEF377D99DF7BE4BC6682C43387F2BF9ACC92DF608F")); test_hash(&nettle_sha3_224, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("08045CF78D238D56972F1C850414BC404FC6DCB11F8D8210D034C610")); test_hash(&nettle_sha3_224, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("9FFD840C550AD23971EB5CE89AE2FD6222ABFB7F0AAFD7EB0005716B")); test_hash(&nettle_sha3_224, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("72DECB5EA1B25A2DAAEB234A8D96E0F57211426666A2EE76B2385C62")); test_hash(&nettle_sha3_224, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("A589936370A3D20039C469D44A1C26E62823AB28CC50175A9897F98E")); test_hash(&nettle_sha3_224, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("96F43401AD49C58D887020F395BDD01F6DAD04128A85B17780408C37")); test_hash(&nettle_sha3_224, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("A3A0F0C552E7CD2723FE22E1D5719E213D9A3DA1DB99E32EFFFD0F46")); test_hash(&nettle_sha3_224, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("E991F4A14B56DC6B224EF352AE8BC8CAE8B1AF1C25C6733DFB7FFE1F")); test_hash(&nettle_sha3_224, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("718866C21CBE3F291364C07B36078A6BF0B8258B0EC155E2E2B1AF23")); test_hash(&nettle_sha3_224, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("23606D06FD8F87C2205ABB5FD04C33EBA30509955200566A0F772B49")); test_hash(&nettle_sha3_224, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("05935F0AD2264475DF34FA96F6A9118C32B217E86169EB7ADE4E2FDB")); test_hash(&nettle_sha3_224, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("FBEC83CBDB6D08C7BFDDC2E37F73B16DC92926A5C23DAB41DEEBFB1B")); test_hash(&nettle_sha3_224, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("1E693B0BCE2372550DAEF35B14F13AB43441ED6742DEE3E86FD1D8EF")); test_hash(&nettle_sha3_224, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("1781F1344DC17F678571F4E5DF3998B1D38B1D83602B53B9B6F283D6")); test_hash(&nettle_sha3_224, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("03B74B7D8FC1F23F76BAB2B6C35F292C15506DE64978FCF6D9973FCE")); test_hash(&nettle_sha3_224, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("6A6857FBA903B9DA2753690C39C548BE008E22EBB372EEAA16C85918")); test_hash(&nettle_sha3_224, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("887921848AD98458F3DB3E0ECD5AD5DB1F0BF9F2D0CA08601074D597")); test_hash(&nettle_sha3_224, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("E0573AD706B44D8C4D204F884B95AB18913E76F41CF29A16DBE34794")); test_hash(&nettle_sha3_224, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("BA31233099055483C99F7AD82D0D24AF487ED4B53FFF1A892A55DDB3")); test_hash(&nettle_sha3_224, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("BEFAA1CB47CF78DDD4E096B861BC340B776F52E351EBE378ADE305BA")); test_hash(&nettle_sha3_224, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("F1E7A1B28EA4D6FB86570F66911E3258C3F49F891654FBCE9BC79B8B")); test_hash(&nettle_sha3_224, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("C2B31746446934FE29E84CFB5C25B03BE33E9004F74E91C1AF0DB789")); test_hash(&nettle_sha3_224, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("3A80645FE4271346AAEDC3AE5011B75DF163FAD3EE6128D87F3D9DA3")); test_hash(&nettle_sha3_224, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("3C5EBE43A2571BCEF25E4EA67A4CA9838770D23599059955AF93FF83")); test_hash(&nettle_sha3_224, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("AF71DAB0F33D3B48733AD6335CA609398D894E6FA96F5510AE73E5D2")); test_hash(&nettle_sha3_224, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("DD7512DAA0C634CC1588870B84691D7DE2C182E5570D57868E7DDA5D")); test_hash(&nettle_sha3_224, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("6CB4F9292BA33CA8D293B7A7EF76619E77309BA2178CD4A130BF9218")); test_hash(&nettle_sha3_224, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("A9B8435E55FC50FE935EC96798A629C13E856C3C5CFD248126976E0D")); test_hash(&nettle_sha3_224, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("93E79850622B91F729AB056EA402E27F01B5323158111B29362A96D5")); test_hash(&nettle_sha3_224, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("7E51D5531382490670115DE13137CB3ADB6E7621B7D9ECA8170FAA96")); test_hash(&nettle_sha3_224, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("95C35037A8076926FC5C421C35160AC5FE533A2782F20F2D3F4B1B7D")); test_hash(&nettle_sha3_224, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("BF024A4FE480636118FCC85B807704D59B64D16A150AA53CDE41F030")); test_hash(&nettle_sha3_224, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("B7A51FBB084DEEB55136EFD7260E5B112E3C40D1A2D14B142DF930DF")); test_hash(&nettle_sha3_224, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("61CF830A2C4F8F48BC643F97A25F822C013F73BDF4CB4194BC8D55DF")); test_hash(&nettle_sha3_224, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("D87F62EA811A2F6BF3C5FDE13475B9C676620C0184F87149DC8686C8")); test_hash(&nettle_sha3_224, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("028A639C7EC0BA1DCEC0B689AA26E2C0167622462669A5C52031602B")); test_hash(&nettle_sha3_224, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("908EF28AB2B6CBB449B9AF7FA78B3D90E019C3916562EB4819A0C87F")); test_hash(&nettle_sha3_224, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("6AC84149F890E1352C6D7397DAC3B3773947B3757E8ED4EC059EF899")); test_hash(&nettle_sha3_224, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("45DA27715CD75F5875BEB7D914CF7488240D1B1F975D430D2F49E9BF")); test_hash(&nettle_sha3_224, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("63AFBABBEC072140DFCEFE64CF7BC9534DCA10956042E31DBE58D0A5")); test_hash(&nettle_sha3_224, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("6487193D9CBE593B3DAA50D4DFDF7DD2612300BB93CB39E3EEFA1AFA")); test_hash(&nettle_sha3_224, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("0DEC25BE3277E27D4F784AD5FF8F79D61D9A309BD693513ACBEED12F")); test_hash(&nettle_sha3_224, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("130B67C6D1A5616227ABD73ABF6FEB70FCE1D5A4BF3338C6DCCB39D5")); test_hash(&nettle_sha3_224, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("3ABB5ACB8485E20BB620D4A030B9C25D3156A9B26893AE007C79F305")); test_hash(&nettle_sha3_224, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("922E216529A95305307E908C69367EBB9AD931ECA314563AC36AAB80")); test_hash(&nettle_sha3_224, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("C72E93A2C39ABCD90AB11CD3F15D59DA3C23C0F17C4E26C9C5890887")); test_hash(&nettle_sha3_224, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("CCCC3B59F28C3FC462DC0A696150F5AEA62DA0ABA97C476BD0D866C1")); test_hash(&nettle_sha3_224, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("28CFD0C6F0208D24AAA69E6C39F5257C13303E91C2D683A9AF29B973")); test_hash(&nettle_sha3_224, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("C154607F986F9BF902D831293C8386D36B201EABA6F6FB0B678B4B81")); test_hash(&nettle_sha3_224, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("95E87AC90F541AB90CBCF7FD7E0E0C152CEF78D5EE1830E9ED8A1ED7")); test_hash(&nettle_sha3_224, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("35BD7D02541D6D4B10ACE6029A24C07A38FD563ABA227F0F776EA5E2")); test_hash(&nettle_sha3_224, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("99DECB8CF1D474970B3CFA87FA462B75E3287B98B4BE4093429E22D6")); test_hash(&nettle_sha3_224, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("8C20FD3D8E08235B01727A4DF44D86E71E824F14B0C2FE4E8DA7F1BB")); test_hash(&nettle_sha3_224, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("E29E68439AECDE56F5297FB935DC7DBE63D61CE360A19629195BD8AA")); test_hash(&nettle_sha3_224, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("5D2164DA84E7707CD1E789711A664AB2EBCF66EBA899A909A1D0CBEC")); test_hash(&nettle_sha3_224, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("FA263B093EA3F96B52DB6251EA25A5254ADA5B54D476CB0794D38889")); test_hash(&nettle_sha3_224, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("D803E320A9865EBF3555E8A3E3134768A2EE1B3E59FA15F35C2EC550")); test_hash(&nettle_sha3_224, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("102925B63B3E9395F88124C3BFA777F29A5B41C13B62ADD7C271CD6E")); test_hash(&nettle_sha3_224, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("6C4E83CD9258205F3C2BCF64149F4ACDCEE7742CB2D36038537171BD")); test_hash(&nettle_sha3_224, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("C74C9EBB2EF9A9822A6228BD1186DCC4411BC59EC938DF27E54B0815")); test_hash(&nettle_sha3_224, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("D23420F9985D66F097D43A0FB2434149D2B33F21B5BAD6CFC250E072")); test_hash(&nettle_sha3_224, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("102EDD2E946F33DD7AA553EA4CE4E659C7B240E1E28BC66200845D87")); test_hash(&nettle_sha3_224, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("7C8EB98B7338403C013D65C0B5BB4B5D2CBF539CB1109CF447FA6650")); test_hash(&nettle_sha3_224, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("C7B07DE91EFCE42DAB78199EE2EB3014A494994236A12B3DE2330C25")); test_hash(&nettle_sha3_224, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("2FCEF2594AE855DE4FC66DCCC517A659118B3A9F2E5FE638980ADBFB")); test_hash(&nettle_sha3_224, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("D45873F0453CBF38156A1384E33E5C76588B7BFB48A709B3943D9186")); test_hash(&nettle_sha3_224, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("3543ADD5B7EDFC83AFE7C1F2D55140AEDB858304628109FD077B3860")); test_hash(&nettle_sha3_224, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("36784F114958D8B5B625DD89A4E3973A113E5D1610DFA55B4FB45AEC")); test_hash(&nettle_sha3_224, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("4187FEAED4FBD3D505A96A8D60668A88172E4F7C8451A4A6802C5747")); test_hash(&nettle_sha3_224, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("6E4766DB4E9D1102CEE6DFE0AE2221321B9C0FE707F0A7825D7557EC")); test_hash(&nettle_sha3_224, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("E1FC972BFB294185F1980CA2938655FB583E812AD3D64FA5A4CF703E")); test_hash(&nettle_sha3_224, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("F6F28E3B65B684C9D9506061980046061390CCDE2458A20F9B086BE5")); test_hash(&nettle_sha3_224, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("F686D2B1386B02B08F6B02BD5D50206D5E138440CB0D93EBCC3B32A7")); test_hash(&nettle_sha3_224, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("46483375D112FC2BE7F611BE4B98DFADA38892C43CEFA586726B48BB")); test_hash(&nettle_sha3_224, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("E1E9AD568AE5B0D9731400BA4FC7DF0321A04EA41393BA6979C7179C")); test_hash(&nettle_sha3_224, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("133F31D9FBC1B2A33F1C98BFE21E129E0716A69EE27408743FFF17AC")); test_hash(&nettle_sha3_224, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("31328F04CA64E8521A36A8943C33CEB95BE1B9080F4533D6DA07606D")); test_hash(&nettle_sha3_224, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("ADD374B1D279469C08E7B27AE3FF1B04C3D0FB3EF6E59AA3AF86660B")); test_hash(&nettle_sha3_224, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("FED7FDE894D92CC3BB68FCC396B5EB00C4156F04FC9CED99D12CFA5B")); test_hash(&nettle_sha3_224, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("17FC0327DE474C78F538B4F3981674FF470AA42EF3B82C0CC34DE6DA")); test_hash(&nettle_sha3_224, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("88FEFBE8995E296A9DEE4DA2B414D5A7E134045639A6B176C2D736ED")); test_hash(&nettle_sha3_224, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("C002732F6F38AB83828921F5FCB4A8CE1FC561B0E9FA214C5FF02192")); test_hash(&nettle_sha3_224, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("44E9002F9D97D98BB439AFC361F93BB959523E73136A2C65B2E2B066")); test_hash(&nettle_sha3_224, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("2BFF16CBA9E50762D2288EB780078462C086F4CBF59479F5387A0B27")); test_hash(&nettle_sha3_224, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("5EFDC3CAA22EE2C2EB632D4C6645CE3EC63960DFD69A04BBE01156C5")); test_hash(&nettle_sha3_224, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("E8FB64A74387C9A3E1AC4ABC82D3591B6B349F2E5CDE6584D8D7C371")); test_hash(&nettle_sha3_224, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("DB224BCCF5CA86DFBA3EA372E2269750B532409EA004E82D4B5835E8")); test_hash(&nettle_sha3_224, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("4E28867DCEF3A7B759CA24D8107BEB0CBF9DB0F10A3C410A9B4BA8C8")); test_hash(&nettle_sha3_224, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("5C0C2DF13A1FD6762B6E50FB3E080E649C3A7A8DDA415C42FB637136")); test_hash(&nettle_sha3_224, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("36F5630EC2829B0FBAD84F150932E46647EDCC454E06B23166661D60")); test_hash(&nettle_sha3_224, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("DAC2594BCD357E63928A21E98348F27D0FA2C70EB07C7E8E93D6D84E")); test_hash(&nettle_sha3_224, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("24970DF3CF8C9E30DCBE661817FF74538AD43BC90B149ED7CAB7811B")); test_hash(&nettle_sha3_224, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("AD9BF420D2B570EBE7923A76B253F156F3513712955BCBB9A87394DB")); test_hash(&nettle_sha3_224, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("2F60928263FE1D5FA5136DA8DE1D2C3B60BD4B700A3E2C256E9536EF")); test_hash(&nettle_sha3_224, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("BFB40F7E7F81F2FEC7644E08FBC99C768ADC6314B8CCD833332F1BF8")); test_hash(&nettle_sha3_224, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("190E9FDA8A7D78343FF24ADE9FEE69650C7631AD6329D17D4BD575DB")); test_hash(&nettle_sha3_224, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("E26CD20B87083CB9F246D216E3DA51EF7C5519B483DB439D37256DBE")); test_hash(&nettle_sha3_224, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("6CAF807F6ABC1A7721A5F209FC09FD00474B9E2A77EF7B57E1320271")); test_hash(&nettle_sha3_224, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("64CD5291A1A0807BA7C14103A0F46C636795F8F8D3A12E59E88D9C51")); test_hash(&nettle_sha3_224, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("29491256A80BF1A9325348B5841EDC726FA8A53117268C47F74B5E49")); test_hash(&nettle_sha3_224, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("A523449B770A8DE3B39CD446046149FEAEE327D6D5B39929B9AAC915")); test_hash(&nettle_sha3_224, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("ABB2FCE213CE164C94AB7A763C21F638A3BB8D72F802DEADACC023AE")); test_hash(&nettle_sha3_224, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("C40D969F7218D71B904C4E4EACEB0473BA0A2E7339649DA5DFEB8938")); test_hash(&nettle_sha3_224, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("2EB28FDF458D4FECB5B441D910B576F630E666BBF30AAC90AB64425B")); test_hash(&nettle_sha3_224, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("A3387B2FA23A13BFAE77895F1F93935A0710EE3A027FF0D6399D8ECC")); test_hash(&nettle_sha3_224, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("75755F46C2FC86BD4AAE75919C6CA5B1A7375E466CA3170F70EEE490")); test_hash(&nettle_sha3_224, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("7184C69EE1C43FD564102CD68EF898D5D0D8264B9B0D044691BC18AF")); test_hash(&nettle_sha3_224, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("F50CF78FF46513C905399CC2510681A90CE089FCED40FBC9CF218CA4")); test_hash(&nettle_sha3_224, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("F2AABE18D7B4DD8E4DC0AC8DCF4E9019C7C9AF33D4B952DA41219FE5")); test_hash(&nettle_sha3_224, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("AC5D00D177E71D7B9A97270E6200E4D3D07851EB2E58B12BE0BEED95")); test_hash(&nettle_sha3_224, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("CB7979B4C6C2826CDEF7E1AADA85F8C4546DD59D29FC0AEA444F8077")); test_hash(&nettle_sha3_224, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("F9D8CCF6684693C40C81EBBD006C49984FBAF3A2B2E905ABE60765DD")); test_hash(&nettle_sha3_224, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("ED1F6387A7BE090277B65A5FCD7040C7BE0EEAF0FD7F14968097873B")); test_hash(&nettle_sha3_224, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("0A27CE6973CB22A8B10057A8E7A654058B71E6D8C69C653415FF0C81")); test_hash(&nettle_sha3_224, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("BE3BE49980F43FB6598BE921D7D8FDA1F397F605D9708C5D125C4E9F")); test_hash(&nettle_sha3_224, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("932137BF2CD32DDFD3BA80C525268730B6F7458601B5296AEB325183")); test_hash(&nettle_sha3_224, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("796698CE24EFCDA8214D161138F3C7DA6D7615E4CF1DAC63B69941F9")); test_hash(&nettle_sha3_224, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("B216930E158D65FB1FF424F9EAB6CD28996231EF5EE1D65DBE29D370")); test_hash(&nettle_sha3_224, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("AF6C676A62288B2D25A862F8866B262A74E3D2A0D414B966CE601E14")); test_hash(&nettle_sha3_224, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("418C83EB01881B4F38544665201DD05C939CA047D31834F637342342")); test_hash(&nettle_sha3_224, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("64D78817714FE05272D3805E6E19056B1649036CDCD5094FD1CC890A")); test_hash(&nettle_sha3_224, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("2C4E7C537D0E2AF2261A669BC24BD0DF16D2C72A7F98D7A5EF6A8150")); test_hash(&nettle_sha3_224, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("DF1FCB80AB380CA33BDB61F96ADAB334937E190F03C1B78B219E50F8")); test_hash(&nettle_sha3_224, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("0DD77ADA384CAB6A7ACED19CFC8048C2566D4303E2010C98D16A0516")); test_hash(&nettle_sha3_224, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("B256D0D6B6D6A72E113D105AD9601C91933D53B20A30D8E2CF33F96D")); test_hash(&nettle_sha3_224, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("B95F72512546E4AF685931246717BC482BFE922789A26EEF01BDE82D")); test_hash(&nettle_sha3_224, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("628238A9532727CC83F8FDCED11D138A17EEE4822C5D3549157D6D5E")); test_hash(&nettle_sha3_224, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("AB0FD308590574D6F6130232D9FAFA9FFCFEA78579A6A8F67C590420")); test_hash(&nettle_sha3_224, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("D5134200DC98F4CA480CD24D24497737252B55977AE5A869BA27089D")); test_hash(&nettle_sha3_224, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("494CBC9B649E48EC5AD7364AEB9C8EDF4A4F400789EF203F7B818A44")); test_hash(&nettle_sha3_224, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("7FF8A28AB12074102AEF3EFB8904284B617237322A2BF701C9FCFEFC")); test_hash(&nettle_sha3_224, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("50CDBEAB4BBAA0861F3E364AF520F9D8B54E79E3871ABCA7BBB2BAE5")); test_hash(&nettle_sha3_224, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("29B6B523C82F499078C73630BA38227BBD08EF1A2D67B425C058DEF5")); test_hash(&nettle_sha3_224, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("93CE0C8D4355300D4E63D6599129DEA7420E5B609DBB35BE432B12B5")); test_hash(&nettle_sha3_224, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("D02896D957B599869F2B2A4992A49EEF7AB1308F456C78C809BDAC88")); test_hash(&nettle_sha3_224, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("181E2301F629A569271BB740D32B1D3BD25ACB179E9AEBEF98009ED4")); test_hash(&nettle_sha3_224, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("5CD017B269A6366C789D9CECAEF3EE9C3575181A084266D78A028DB7")); test_hash(&nettle_sha3_224, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("AC280A211C98A07F6FCBB719F250E3E5A6BA2C93A833976C9F3147EB")); test_hash(&nettle_sha3_224, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("C284C9308A28B6D29CCAA7853F8C41BADCDDBC1AA4E99481A6EE2F4D")); test_hash(&nettle_sha3_224, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("3D9A979B34D45569E1C98D09DC62D03616C0251C41A8B90138750F1E")); test_hash(&nettle_sha3_224, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("8DDC9F1E0F94C1247A67D6119A9169762C6C7F1EC7F611D61353AB30")); test_hash(&nettle_sha3_224, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("46EDA2622D49B9148B40B6014C75A4086EB9DD4740F0DD591ACA53B2")); test_hash(&nettle_sha3_224, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("57CFA137968C39EAA12533044B8265BB903EC16C8D17B6CF1F106C57")); test_hash(&nettle_sha3_224, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("8730C219E19D9D37CB7A63A4DDD55E84DCB0236EF7C8828B2A23C9B9")); test_hash(&nettle_sha3_224, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("61C01FB4A010F319D193CB6D36063751950A1A8F93539BEA32F84EA1")); test_hash(&nettle_sha3_224, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("1459044DF9C26F5E240F6A6B9380734CAD84B6592FC9693DDD9F974E")); test_hash(&nettle_sha3_224, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("EB5CC00173239851F3960EDAC336005109189DFC04B29CA4CDDE5BC1")); test_hash(&nettle_sha3_224, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("A640D4841390F47DC47D4BFCF130FCF51C5F2D491F91C13374CE5965")); test_hash(&nettle_sha3_224, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("85BB3ED98C4808D8F67C722C9119C54E6543B29E57BD4FB5CBC878C7")); test_hash(&nettle_sha3_224, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("50B7D0ACB93211E0FC935F970BC43A00BE829D6B3C137D4A7E3B2BC1")); test_hash(&nettle_sha3_224, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("7CDC1782B39FC0EEB1F874D97C88051CF10508E0875FA173AC41CC8E")); test_hash(&nettle_sha3_224, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("EE5D508A4E75900193E99A04B8D838A18DEDFCC431E7AF3182A47DD6")); test_hash(&nettle_sha3_224, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("5942BA8B58A355F2AEF07E29F8F9971301E877FA32D7025DF552B1EB")); test_hash(&nettle_sha3_224, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("29240A9E973888B98A3A836933855D41D8ABB6C3806A626C3DF18F6C")); test_hash(&nettle_sha3_224, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("9AF178B1DD3CEFC96227A289175BB61D9F6B0B352D7804F5E07EA45D")); test_hash(&nettle_sha3_224, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("F543B4D423EAAC86338BB6D8C6181AD6DC0A25733953CED7EB8377F3")); test_hash(&nettle_sha3_224, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("77B4079EEE9D9E3FDA051EE0CA430B4DF011D056612C1AF446A187C2")); test_hash(&nettle_sha3_224, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("987D30120C9AA4964650A6A730E99C86F7FBDDB4EA8D6B4815EE4EBF")); test_hash(&nettle_sha3_224, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("46193359397BC3EACD69BFF410203583382DE93ECC4D80DCFB4FC51D")); test_hash(&nettle_sha3_224, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("0BC29107C7E25D44F8CE83A415B1DE5DF38A6719769606762B7192C2")); test_hash(&nettle_sha3_224, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("B485644C32283B280179F7C9714350F0B3ACFD7C45A247BF3B6CDB07")); test_hash(&nettle_sha3_224, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("F384542499EFD23381DEBCD9124C539C40BFA70E517280F56A0920E1")); test_hash(&nettle_sha3_224, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("D12E3884BC8CF9175D1778E8A3AAA119E4A897738F8D81B1278BC448")); test_hash(&nettle_sha3_224, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("D8A348264D48045D4482F3FE002C1A1F36D4DF0D5E47FAC5125C7947")); test_hash(&nettle_sha3_224, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("6865464C6A230B4BF64BA33BF97459D1D22DAFB19E08F4B7DACE02FF")); test_hash(&nettle_sha3_224, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("19D33CD354A13AB2A44044154BD865F117EF8A887FBD0570A8A4CA80")); test_hash(&nettle_sha3_224, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("E438AE4153463B333AE4FE57BF131505C8C04A534A39A20574155E49")); test_hash(&nettle_sha3_224, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("454796C7219C6F7E88508DFC13668B81748211BD016D84B59293B445")); test_hash(&nettle_sha3_224, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("CE158AED6ED3C9D4432E2422AF8D255AB1F3898F6F5B5C5A1478552C")); test_hash(&nettle_sha3_224, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("A0A21D95E640F13B25652484E244BE1B373E9B0609B685EFCE48107A")); test_hash(&nettle_sha3_224, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("CA8CB1359F0B05E2FF9414CCE0DE6D2CB4D05B08354C2119A87342CA")); test_hash(&nettle_sha3_224, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("0DDDD152CF063F0F505B518EB8DB755704F45C9735780EC3A898A923")); test_hash(&nettle_sha3_224, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("57397BB1F84711641E94F413F5D73556B96BA5CFE15F709528626D07")); test_hash(&nettle_sha3_224, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("68F6AC4289FD5214263130830FDA4DA601B88B1F8533EAC07A0338D9")); test_hash(&nettle_sha3_224, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("F145C45212392894E7F1C4E52728470F8A2D961514869990EFBE8232")); test_hash(&nettle_sha3_224, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("38CE7100E92EE4B65CC831915A06CFC2101990CB68E1004F7E9017D4")); test_hash(&nettle_sha3_224, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("BD63CA84DAC8BC586D0F0BE352DBBBA1F4CB430DEAA8119B8DA13C06")); test_hash(&nettle_sha3_224, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("7EE4EAEA6127C68EFCE66991B8F0851FE072DF3B1E0B5D07E3A4BE06")); test_hash(&nettle_sha3_224, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("7F3EE578B0410687EAF536F9EC7D654B75F504C104B78793C4CF90D5")); test_hash(&nettle_sha3_224, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("C9C26396E560CD1E6824D9E56E179FCC8AAC4C0D932F7632BA594D4C")); test_hash(&nettle_sha3_224, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("EF30652E3C6EA4EC214472BF96E5F30DCA1D31A78EB422734615EAF1")); test_hash(&nettle_sha3_224, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("5A964BF38EB347684220A3E83EB1EFCB641C8F911CB068A774B25B8C")); test_hash(&nettle_sha3_224, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("07413665EDCB8A35021874984910B498CF74823050640243AE7C84CD")); test_hash(&nettle_sha3_224, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("FCC9EAD160832F5F0FAFED6381AFD57FE1335FBFB05B7FB1F0075D37")); test_hash(&nettle_sha3_224, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("EC5C6DB60B0834FB2E0E7106AEEAFB9E614BE093C847018214D8A5DB")); test_hash(&nettle_sha3_224, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("0D5F6DE16B7CBBA49C28654F2AE98163257E7B6B500A3801EEF0733F")); test_hash(&nettle_sha3_224, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("7B7E1FC4D3833ED87FD166F909F5C2566DC0E95B17AC834F1E9E3DAD")); test_hash(&nettle_sha3_224, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("C6AC9D5464855E5C2F83F2A56F9A992137DA47EC05C541295F8C43E7")); test_hash(&nettle_sha3_224, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("4EE2F93C18974D978DD3A1CBF8B1DAC473807067B8807D026182B901")); test_hash(&nettle_sha3_224, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("D64AEE17ED8E2B85E6B097DB49554D356F032A34A15B7E844EC8D889")); test_hash(&nettle_sha3_224, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("1BDDC92BE89A672C1BD956B450B9D7B47B4BB0BC58AC51F15F7E054D")); test_hash(&nettle_sha3_224, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("0C8AC240170C6546DEBF4BFB5B38F8F30EA5DC6EF86C166E8E136D6B")); test_hash(&nettle_sha3_224, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("2FD9FDFD244B0A7342F886B87B3DDDCE54C8870FB26A71A8F6520231")); test_hash(&nettle_sha3_224, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("1B6BE19D72199BF75FD4075E54975AFA0433B9BF515BD300CE543D41")); test_hash(&nettle_sha3_224, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("A46B89B64B0C7930DD45F5B2582FD79C7AD90A58C94C52F9BFA55CFC")); test_hash(&nettle_sha3_224, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("21F0D8855387241D71A712E5F5682C156B9FD2AA6284294718853F0A")); test_hash(&nettle_sha3_224, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("82EE85541D7A5B2A2B290003C3EE46574D58A7DDD54FBC210F8FEA57")); test_hash(&nettle_sha3_224, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("278DD8A3F3208191CFF658B8D6DB35E133A16E47AA375EDB92C6A737")); test_hash(&nettle_sha3_224, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("B50527711C047DEF70B17CF20F970BED79C1C1B95275C2784C3903DE")); test_hash(&nettle_sha3_224, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("F77CB5275212C92FA0DAD921B65F50814822E3D6D584C89528990F02")); test_hash(&nettle_sha3_224, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("76CA9E685DFADC67576D44E8C1A82E8CF7E92FB0A81FE49E21108E09")); test_hash(&nettle_sha3_224, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("ABD313BC70B7FAB0EBC167D739B54C97389E752EE1A313B12673F51C")); test_hash(&nettle_sha3_224, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("F79F6356328C580B811FEA81C5ED90A303CAF34A09BEB143BE450D42")); test_hash(&nettle_sha3_224, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("299D62F8DF5EADE6871883B033B830A9952A74B12F3D55AF798C6997")); test_hash(&nettle_sha3_224, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("82BA2B8D65E14FDAC51F609F888881DB8070A0B70D7892C009A1AD28")); test_hash(&nettle_sha3_224, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("F8E5218DB087D38B1C773247FC22704C1FBDB20B1500E26AFA0B7572")); test_hash(&nettle_sha3_224, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("FA602F09B28F8679771E9C3966032B80FA2F0F33E84F3ED69BE7AE9C")); test_hash(&nettle_sha3_224, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("C8D7568889DD6FCBC3B8874ED79051875D3CE29102DF0C5DAC8AEB8A")); test_hash(&nettle_sha3_224, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("D83B06D509D332164087C0C3FA50B2264CB27F66D746B0470166CBC2")); test_hash(&nettle_sha3_224, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("386147B0CF2365346E9846D3F3A7DCEEB6E3665BA7D1593C08B2B582")); test_hash(&nettle_sha3_224, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("A69C0C18A712408D8FA2389ACABC3BF6F6412F69783E9F37960D0B56")); test_hash(&nettle_sha3_224, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("0699FD35416D83791DC8E656F22718B09DA9E3DF6E7F37A250E22DCD")); test_hash(&nettle_sha3_224, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("BF6A3598A15E28B776229F4D124D403FAD9D0FBC2B7668C95D8B5046")); test_hash(&nettle_sha3_224, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("56F8E9F69A399E528996C463D65F20DB41406533C7DF2BA1AFA2494A")); test_hash(&nettle_sha3_224, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("9904D57DEDB935427F235A0009612235F14E9426B218E028F87B3C0C")); test_hash(&nettle_sha3_224, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("FF7013679AB2BE65AEDD09739F56F8DD0072738B86E71A2470476C8C")); test_hash(&nettle_sha3_224, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("9DFB6A854A33914EAE1596DCD2BE363A96E7E088BE520F60E5A65C7F")); test_hash(&nettle_sha3_224, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("C27E80C373B216703D3D9E67223CFC5497C3E74455D49B049AE3F5F4")); test_hash(&nettle_sha3_224, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("3A189630F53C567B1C1825794D50DEF901A00E7F3728ECF2BBE00D90")); test_hash(&nettle_sha3_224, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("2585BD8D9158D6952BEE95B004F5FED70FAF061B68AB2D6A40469BE7")); test_hash(&nettle_sha3_224, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("7E64F3C5895D0586CC5B543B27DE1B66A935171E2E7F3CA48DD3718E")); test_hash(&nettle_sha3_224, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("0F837708E010375AF87F75415ED69988FE60EB2F2669AD051FA99727")); test_hash(&nettle_sha3_224, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("C79DE39778593810C03583D5962B36E04F343653074766D157A15993")); test_hash(&nettle_sha3_224, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("95CC811CC56521A40E3CED8D9A230E2101E8061FB01E388B9964BF29")); test_hash(&nettle_sha3_224, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("2EBE13F12EC43E3F6B0506D7AB216E1C311394F7C89D69A920CD00C0")); test_hash(&nettle_sha3_224, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("820101F5435D86E19BEC58ED0E1C7E630FE82DD92D7704E414802A16")); test_hash(&nettle_sha3_224, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("B1CF54F51F81FDB5B649BB6115126149296278BFF3D5395CF5F112D4")); test_hash(&nettle_sha3_224, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("B602722D1B9F31B9C5091E0FF720F1D1A8A51EB6F95ED3B412DE063D")); test_hash(&nettle_sha3_224, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("1368454E849F2D2299077F40826B4072E6FEE49B2062CB8E3B4523C9")); test_hash(&nettle_sha3_224, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("5765B70574F93341C1CC4ACB34F645B5D97B81D4CE8F38C3862F6C19")); test_hash(&nettle_sha3_224, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("B8FB318245B4042222B4063A053F15DA6B894F22736F3F9E26F72175")); test_hash(&nettle_sha3_224, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("353622E92C7907F5563BAF8F4E7AF0C2F872F4FB583B01AF9EB3D907")); test_hash(&nettle_sha3_224, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("87215AF73D5CDE98B355479AFB82A511180B7DC3D5342C88E133AED8")); test_hash(&nettle_sha3_224, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("25AE852DBA36B8D58A94DD5CFD8345141FF57E7DB7D7816C4F7252BB")); test_hash(&nettle_sha3_224, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("ECE0394418F066F55023797551E06F6A7D1645682AA4D9DD75AF8E76")); test_hash(&nettle_sha3_224, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("84A4BD2E3FA26C4FB01FE81953398F5B4B5704944354B51B887FD990")); test_hash(&nettle_sha3_224, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("170C413863D9F4E8C0B87A8532416B10A69C348D3A144658EAEEF0ED")); test_hash(&nettle_sha3_224, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("D8C257DB76536F7EF1DCFB24976EB716D9491CD8651E0254E7C4A5BB")); test_hash(&nettle_sha3_224, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("F81D8EE40869BB38A13A4F75588FA3308068DD1CDC27267D66FAC198")); test_hash(&nettle_sha3_224, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("94689EA9F347DDA8DD798A858605868743C6BD03A6A65C6085D52BED")); } nettle-4.0/testsuite/sha3-256-test.c0000644000000000000000000030637615141166425014144 0ustar00#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_256.txt using sha3.awk. */ test_hash(&nettle_sha3_256, /* 0 octets */ SHEX(""), SHEX("A7FFC6F8BF1ED76651C14756A061D662F580FF4DE43B49FA82D80A4B80F8434A")); test_hash(&nettle_sha3_256, /* 1 octets */ SHEX("CC"), SHEX("677035391CD3701293D385F037BA32796252BB7CE180B00B582DD9B20AAAD7F0")); test_hash(&nettle_sha3_256, /* 2 octets */ SHEX("41FB"), SHEX("39F31B6E653DFCD9CAED2602FD87F61B6254F581312FB6EEEC4D7148FA2E72AA")); test_hash(&nettle_sha3_256, /* 3 octets */ SHEX("1F877C"), SHEX("BC22345E4BD3F792A341CF18AC0789F1C9C966712A501B19D1B6632CCD408EC5")); test_hash(&nettle_sha3_256, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("C5859BE82560CC8789133F7C834A6EE628E351E504E601E8059A0667FF62C124")); test_hash(&nettle_sha3_256, /* 5 octets */ SHEX("21F134AC57"), SHEX("55BD9224AF4EED0D121149E37FF4D7DD5BE24BD9FBE56E0171E87DB7A6F4E06D")); test_hash(&nettle_sha3_256, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("AE0CBC757D4AB088E172ABFD8746289950F92D38A25295658DBF744B5635AF04")); test_hash(&nettle_sha3_256, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("E340C9A44373EFCC212F3CB66A047AC34C87FF1C58C4A14B16A2BFC34698BB1D")); test_hash(&nettle_sha3_256, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("BA4FB009D57A5CEB85FC64D54E5C55A55854B41CC47AD15294BC41F32165DFBA")); test_hash(&nettle_sha3_256, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("B9886EF905C8BDD272EDA8298865E0769869F1C964460D1AA9D7A0C687707CCD")); test_hash(&nettle_sha3_256, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("FAB8F88D3191E21A725B21C63A02CAD3FA7C450EF8584B94CFA382F393422455")); test_hash(&nettle_sha3_256, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("9363ACD3F48BB91A8998AA0E8DF75C971770A16A71E7D2334409734CD7D0A9EE")); test_hash(&nettle_sha3_256, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("16932F6F65DEAAD5780E25AB410C66B0E4198EBA9F4ED1A25EE24F7879FAEFE2")); test_hash(&nettle_sha3_256, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("1C28100E0EF50671C7EA3E024FA3BA9DA2EBDDB4DE264C3A2426C36AD3F91C61")); test_hash(&nettle_sha3_256, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("8183BE4875FAB7EC5F99ED94F5F900CF1D6B953D8F71E1E7CC008687980E613A")); test_hash(&nettle_sha3_256, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("3B1A6D21FE44691DAC4EB7C593A6D8523CB606E63CF00E94D711A574248DACA5")); test_hash(&nettle_sha3_256, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("2C7E7CB356FDC68EC8927E499D2A6BAE2B781817919C829EBBE8225BAED46967")); test_hash(&nettle_sha3_256, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("C7B12EFF692D842110CC39AC60616707ACB3F9B0F1CB361B94577EFC529CA26C")); test_hash(&nettle_sha3_256, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("493EBAEBC04776F4E067555AFA09B58C850FDF1B0E22D4BF006CE41C091DC762")); test_hash(&nettle_sha3_256, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("1D01F3120ECFBDD28DCE44317666CF864F52391B9ECA3843DB45667C2E0A98AD")); test_hash(&nettle_sha3_256, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("2C1E61E5D45203F27B86F1293A80BAB34192DAF42B8623B12005B2FB1C18ACB1")); test_hash(&nettle_sha3_256, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("AD0E3F29767067E929D1CECD95582DF8F2A9BEB92EAA27EEB315F620365A9244")); test_hash(&nettle_sha3_256, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("2B4EB5DE20E86074CABB55BFA63A5C8C6AE15679302061845B9CF233E17C906B")); test_hash(&nettle_sha3_256, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("6AE04C6C6F3651F1F64C0AD69733990B41747C93F87ACB813BB25BB1FC0EFF07")); test_hash(&nettle_sha3_256, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("40F9F55BC55DA466BC3DC1F89835A64094572DE73D64ED6646A1D3B667BE70A9")); test_hash(&nettle_sha3_256, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("C64BECF7B75FC885D5853924F2B7D37ABCEFD3DA126BB817697E1A09152B1EBE")); test_hash(&nettle_sha3_256, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("57D46A6BC8FAB33601538DAD27F98C66443032CC3912434C28EB88D0AF44C52C")); test_hash(&nettle_sha3_256, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("7C956503D5B4DBB764FF8E66FA74CE0F9132DA90EA3543F669C9DD08E413E33C")); test_hash(&nettle_sha3_256, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("6DE164A9626D5A4F54D854AC158994F35A8E362ECC753F55182790934A2E0D06")); test_hash(&nettle_sha3_256, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("B760312BD1B279FC672479D21C5ED349E5FE96F08940237B4515452721C49A16")); test_hash(&nettle_sha3_256, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("94FC255DE4EF19C0DA4B09B2E2FAC21F20048B46F17C30685ABE40D5C743F375")); test_hash(&nettle_sha3_256, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("39A4A0FFC4603698AE0A4F3D24B1BC42AC7A2D7D923E7A5D602453E82D5323C5")); test_hash(&nettle_sha3_256, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("2F1A5F7159E34EA19CDDC70EBF9B81F1A66DB40615D7EAD3CC1F1B954D82A3AF")); test_hash(&nettle_sha3_256, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("1C57FE0E38CD3A124EAA6CD87F70A079BCCC073A341E8C0EB1976FB3A3F7B774")); test_hash(&nettle_sha3_256, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("A905603B186EF4F2D5B2D1BCFDA504C68ED5EB9B0C7B7EA2A001575F5AA69E68")); test_hash(&nettle_sha3_256, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("FFFD39F7C451788EB0316F429EA0A7C0AC8091657ACA28F1560ED5775E8C4C12")); test_hash(&nettle_sha3_256, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("6F55BECD168E0939BA2FA090257B1727FC66491A44493279A5BEACB9E3435324")); test_hash(&nettle_sha3_256, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("84649BFFCD48527B9288E8DA5F52FBAB2604DC5A91C4B0B87D477DBD7B40B6AE")); test_hash(&nettle_sha3_256, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("D4055B4E3E2AEA1C67CC99FD409D574E53E1E296CF9EEF73C472AB92A6CB6609")); test_hash(&nettle_sha3_256, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("5694CA2F3B9962226A87163AB38325BCDC898A732DFEB2C36DB4EB88616B8741")); test_hash(&nettle_sha3_256, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("8CF287AD03AB4A74086620CFA4CCE74F48FA5CDB15EC02B1F721736A4F849E60")); test_hash(&nettle_sha3_256, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("C5D5AF22A4DF9ACD0C056FA30D8E240B679A20D4D2630260F779FF815CA82D7D")); test_hash(&nettle_sha3_256, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("0AC75279ADFF65660464550A283FECD4E0610D88F35574C3D7AC5D22262A2FE8")); test_hash(&nettle_sha3_256, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("81917AE290DBBA17289A8A67E5C2E8B12D3DDE0EFE9F990198A1763FF4F3DDA7")); test_hash(&nettle_sha3_256, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("138E75E72FDDD927E591315AF8D3ABA280EFA36230A3309A97BCDE5A78C31589")); test_hash(&nettle_sha3_256, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("21BCDAD3FEF3E5B859CB0912A2991EFA661BAD812747292EF0F79A8FCC6B4E98")); test_hash(&nettle_sha3_256, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("8D6FD9C559B0B4948F91337916084C0082A16A0755B0A00811096E973E48B3C8")); test_hash(&nettle_sha3_256, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("1DD23AE7AADD61E712BDD82BD60A70DD9D66C9FD79DBFD8669E3EAABF7901CDC")); test_hash(&nettle_sha3_256, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("34F8607EC10C092C1BA0B6565CE6197062C4E1A35A8E8C723E48A2D2416C3790")); test_hash(&nettle_sha3_256, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("19A8577FC90FAE5D6A6B2E0C1FF155515502CFA1757029C09BEBBFA263D9A363")); test_hash(&nettle_sha3_256, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("9D9DBB4CE7D01D009E72A66051ACC16805E49F598CBE430C5D4C22A881A64B3F")); test_hash(&nettle_sha3_256, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("13F0D951B64481135466CFCCBE52418CC1D03FB16B5B696C35D724F6F55CBB6D")); test_hash(&nettle_sha3_256, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("FB2FE7B00B75C42305CF31DE14D98F904E8C46DC57BB6F94C282CA8C13DC45DB")); test_hash(&nettle_sha3_256, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("D54CBF7D5C80AE11A0D0BAD4E95AB18B5F07C970621F3936447A48EEF818D06E")); test_hash(&nettle_sha3_256, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("FF050A45ADEEF4CFC7D964102BA877C80320A37794893E6865965EC2547CD4C9")); test_hash(&nettle_sha3_256, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("1BC1BCC70F638958DB1006AF37B02EBD8954EC59B3ACBAD12EACEDBC5B21E908")); test_hash(&nettle_sha3_256, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("F7BDE239AD087AA7DABE42CC4D3C49380A026CD239A7FAAF34A2233469A44A4D")); test_hash(&nettle_sha3_256, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("EF845AAC2AAF0A793108204FF380E0A30F2558E7ACDE4531AB22F8EC79E26A69")); test_hash(&nettle_sha3_256, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("26DB514E01E034C678B636D40BA367DA2F37F67078BB576FF2B8559B3517484D")); test_hash(&nettle_sha3_256, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("5DBD4B558463196211465C1FC32401FC2D8E41EBC5E6BADD1D8F7C4F090F728F")); test_hash(&nettle_sha3_256, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("355C79FD6E6FA88ED402B6979FDE1ED805498ABEB101F4231B5D64D1439D552D")); test_hash(&nettle_sha3_256, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("3D9C9BF09D88211C7E0056112D073EE85D00ACAA4DA7A668FA017B3273CD4D4B")); test_hash(&nettle_sha3_256, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("67980D28E2E658E7A24A2593A28167A13D907D06F47729D47CA4FE1772F8B3DF")); test_hash(&nettle_sha3_256, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("A8DF6B76DF41994F7593F1A81967E77EE180E31183D1C4A569DB854E61E99B05")); test_hash(&nettle_sha3_256, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("27A6441EE939B46E2C378D7AFEB0E891C47A28120E488EFF0AB71AF08788CEB3")); test_hash(&nettle_sha3_256, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("C4BB067383002DB44CA773918BB74104B604A583E12B06BE56C270F8B43512F2")); test_hash(&nettle_sha3_256, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("AE773915CA642D80413330C9E0EE9BD06653C0023C5C0277100F3B1526EAA51D")); test_hash(&nettle_sha3_256, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("1CF9D6CE9CB658556B76CD7EBA3E51393699AD500B1AB3F56172748DB7F59667")); test_hash(&nettle_sha3_256, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("8D60E889E2B1020DAD4B523301F5F6BBAB6C781AF276085AF6765546FCFB95AC")); test_hash(&nettle_sha3_256, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("DD4FF4B530552F48AF9A7530A6464819ED1A5B733084F709E41DAF1ACB35ECFD")); test_hash(&nettle_sha3_256, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("7AC8D4BB53FC434DD8712DAEFEB474668F541418E6F617DBA523D8392EB0766E")); test_hash(&nettle_sha3_256, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("F7B0E15A63232A2B800B23B311D357617DDFD1293E1FFE3F772692ADE3427152")); test_hash(&nettle_sha3_256, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("B3D05AF7E8C406A7C2709223791D3F5F4B3129329993220053A36293AC2B0E06")); test_hash(&nettle_sha3_256, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("6C47E2EA4BA29E17792DEFC4B707754C4664BDE15168A5100BF881EC7C02B258")); test_hash(&nettle_sha3_256, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("82A66BED668DCC14AF12C14C976CE650049E9D1D9969B83D1DD3B6F1C07D252B")); test_hash(&nettle_sha3_256, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("2F21D07D7B10683B9AC7A63E9FCC70CF9F887CB905F9BFF5332551288B288524")); test_hash(&nettle_sha3_256, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("80202F01E7140DB4FEE490DCC50AFAFDF6A48CA33D362C7875B8E8DB9C9D0655")); test_hash(&nettle_sha3_256, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("B2330A189047E3117479A2F20B3407A7D119E4AD431FE06FF1FF2A106F2AB3A2")); test_hash(&nettle_sha3_256, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("BB9B9BB685C241F8D63FDBF0DBAABCEF7075ADD7BA405A2FFFE7AD5B23E021C7")); test_hash(&nettle_sha3_256, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("F8316A367AA0316DA3562F319D522E81F4A8BD2E2108D2532126F4A903704BA3")); test_hash(&nettle_sha3_256, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("89E3EBD02B229CD759612A5521D867AB2A1594BC0B1FE6A78B7954CCC84CAF03")); test_hash(&nettle_sha3_256, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("2E7CC875305EA6BB9C2FC770B9D84FD93B96405DF9B93307F6B5DE26E135724C")); test_hash(&nettle_sha3_256, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("ECAB75F28A728429CB433EC13310D1B850CCF522C38D2FA6DFA489963D6D6CA7")); test_hash(&nettle_sha3_256, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("021C9459D1451F3DA4C07C029A8681945C87C5BEBC6C30DA1D95C5C49D8AB95C")); test_hash(&nettle_sha3_256, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("4642E21622F15B09B9413659680116BF2F96CAC2384B8C79F1328D5DD36D7A01")); test_hash(&nettle_sha3_256, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("8DAA47C3572157266AD0276D5926AFF2872F06B0CD7B974A80D7A6827D41D782")); test_hash(&nettle_sha3_256, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("345365232CE9AFC655DCE4BAC23F43C8ACBDF9016D4BC2344BE8D396A4919C34")); test_hash(&nettle_sha3_256, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("F52E102E57293878C28F29DEB47792324FE455A62FA7441AABCC16A9CFC40FFA")); test_hash(&nettle_sha3_256, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("2B89AA88B1B7F9F8EA461C4C5CAE4829125F45F5697DEADB8DB2E964524C0D91")); test_hash(&nettle_sha3_256, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("3F3092365982C0B4278055BEEE9032FF9D1060E03C3B087E1A6197DEFC707E1A")); test_hash(&nettle_sha3_256, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("3C74AAE2F340A24178CBAB51004CBA1AAC3D91133C300715EA82C177269C0556")); test_hash(&nettle_sha3_256, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("0157C4BA44618DED11E9800AFA07A0D5B6C711FC16A576C5EDB71C4CC6894F82")); test_hash(&nettle_sha3_256, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("8D53DBA107AAACB8422D6667F6778839F8965F8E4C8F4A851284CC91168A9030")); test_hash(&nettle_sha3_256, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("5163F02233E332AD9BE32C2346C9FCFE39AFA5FBE9BC1CFEB92F4920155B20EC")); test_hash(&nettle_sha3_256, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("FAAF0E95217CA4B1568751EF2E4CD341D9EC33E16600BF09B92C6F1A6DF84D2E")); test_hash(&nettle_sha3_256, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("B2C175D9D92AAA9EE72672F995B8DFD2DAAF6555A0327A508218A9B447F00BE8")); test_hash(&nettle_sha3_256, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("FB5388122306D37CEE790CAD1D3CDDBA8E9A93D5F9D78288B052482739C883FD")); test_hash(&nettle_sha3_256, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("1C2F8D418FF6718B18DD4C756DCC8ED0F4755E8C22497A6CC19F8D7AE7FD2DA7")); test_hash(&nettle_sha3_256, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("7EA8116E6434C1CAA049069DBBD9B6F0E9DC6CDFD6A889343D3B2652803078FC")); test_hash(&nettle_sha3_256, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("736D888751FAAC4D8E78B45B95ABB15D40D98D8038C7225BE0F523D5439EA5B6")); test_hash(&nettle_sha3_256, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("90E10B1CA8D352794D7DBD7BAE410BEF25F0EC7D080E053F48674237E33EA45F")); test_hash(&nettle_sha3_256, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("8A0A8D6D55CCCBE05EC74DC273B16D66C9B9006665EECB5B6023D2EA39C64554")); test_hash(&nettle_sha3_256, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("122895D63AA6030FC8F23940C528E7A5D9C7FB170A79FE7BC42360CE50E25B7A")); test_hash(&nettle_sha3_256, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("3E04EE539505C52D814CAB3C5CDD7DF2D6EEE627EA44188153EA6B8C8BE5F6C2")); test_hash(&nettle_sha3_256, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("E360B424A5C06704D148352E04F4651F8D3B385C01F24FDA09D266D4ED7FF662")); test_hash(&nettle_sha3_256, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("0D3BECB9E1B4AE1F15C9EE98732B4796E99FD799F76ED7332A68AB36C77A1EF9")); test_hash(&nettle_sha3_256, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("3AADD7E2086D383832489AA3088E903F5C6FA8E38DF2CF876E0B4DCDDCA5C923")); test_hash(&nettle_sha3_256, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("715CED5776A802EB8EE02C9D46543FF46FE7A9CD192FA7D4FFB6E81427FE1B71")); test_hash(&nettle_sha3_256, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("DDE61F8BE25B8B23E1212C1C0B8A85A0D02D8548BB17D377133E3C06DDB58CA2")); test_hash(&nettle_sha3_256, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("059F2BEDF4A6EEFB95FC5C0AE17556CE8BDDC5E1880FAB2F688A03A46BB28C5F")); test_hash(&nettle_sha3_256, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("125B0EE7870A6F7EB4FD965D9E0B90D79FFFBC54A2018F4C68224682F3603F3F")); test_hash(&nettle_sha3_256, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("9A78E0B5A34CBF1716F14CF7B67EFDC4540A75CC646538A11A8EFD9D7CD7529F")); test_hash(&nettle_sha3_256, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("42305A251A8009EDFD62C7D91910B96B9B5DD8FDA5B1326FE41EF6EEF978D1BE")); test_hash(&nettle_sha3_256, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("6B9E8F3E82EA174EBC88A53C5DED06271D38F79E9CEC571A9D195EF549102EB8")); test_hash(&nettle_sha3_256, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("358DE4C1ED30F48B084F961F653FEBC69318F93883612D5A04B9139A14EC702E")); test_hash(&nettle_sha3_256, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("4A7BD18AE10EB9458924AA5CA00D3F634AB9753628107F15FF2BF24CCD3B94F4")); test_hash(&nettle_sha3_256, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("9889E4B3B1294A01556FA9DE6A6A508A9A763D5133FDCD4937B6BB23CA3E1901")); test_hash(&nettle_sha3_256, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("3D02B41985BDD1835CB474FB364C25C2CCA9DA0ED2FBBAB75524B410903815B9")); test_hash(&nettle_sha3_256, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("1CD92039BE4580C686796D5900EED431EBAD6EA566E9244E76BA6873EFCB49AB")); test_hash(&nettle_sha3_256, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("680C70B243163BE6E58ED3B8E2D85E6894E5E89501C444C8C0A2D776ACAD8599")); test_hash(&nettle_sha3_256, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("D65E823D2CE4EFFB9B27DBBF6EFCDA738AD152FBB12D2108D2EC6D050A3FB295")); test_hash(&nettle_sha3_256, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("CE6D2DD8D5441FC15B888FED72061E129125431BEDEA32E00EE0A7655C06C358")); test_hash(&nettle_sha3_256, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("280713C0FA7160289FBFEE5AA580AD82512839153DAE47DE0D154384A4D8B3ED")); test_hash(&nettle_sha3_256, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("721FD872696F21DEAA9595C0CEE7BC07249601927C96A65826B4887CDBA1AE96")); test_hash(&nettle_sha3_256, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("B53AF8620B39CAD2D698A176A070AEAA9FB67BD0335C3485A3B6C73A71DC5C5C")); test_hash(&nettle_sha3_256, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("78A18BF0A52E6F77F15F7FFE4CA3C999E57E1C3F6BF10950581F403450EDB797")); test_hash(&nettle_sha3_256, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("A7F0151EEE6B21FE827E69256D560E1EA8D939B80962FC7FA8610AC189402AD2")); test_hash(&nettle_sha3_256, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("0A09C4B18F5117F0E45D43E235BB14E55B162E99EB3744165196D04A854229F9")); test_hash(&nettle_sha3_256, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("B7D031AA69B7B4D26A35B896D761314F1D61EB12DCC1E72AAF61B9CD48003AF9")); test_hash(&nettle_sha3_256, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("EC0858C9D017A2D3727CAADE7E4872684F17B822CAFECDA445A15CF30FAC8CF0")); test_hash(&nettle_sha3_256, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("71E1D610B576063F2B12F691220BEADF506BEC0A3A086BBE5864FB54F93DB556")); test_hash(&nettle_sha3_256, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("72A8A7493309080ACCCA2A2A21D641F2B9685B7362BE496DC7BC330659F8CFE1")); test_hash(&nettle_sha3_256, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("AF19E988D37E2577DA4F43463789B73625D354FCCCBD10CD2C61FBDC8BB01827")); test_hash(&nettle_sha3_256, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("F1E9B9CEF2B37E4EC3A0FCD5EFF5BF7E3D49100AEBF018DC92FB6A40E4297704")); test_hash(&nettle_sha3_256, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("DD3EBE0CCA0CAD3AF72AF73FB49D40DBDCC4B1F1FF465CCAEFE672F77992ACA0")); test_hash(&nettle_sha3_256, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("A19EEE92BB2097B64E823D597798AA18BE9B7C736B8059ABFD6779AC35AC81B5")); test_hash(&nettle_sha3_256, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("DF673F4105379FF6B755EEAB20CEB0DC77B5286364FE16C59CC8A907AFF07732")); test_hash(&nettle_sha3_256, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("D52432CF3B6B4B949AA848E058DCD62D735E0177279222E7AC0AF8504762FAA0")); test_hash(&nettle_sha3_256, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("07E65754D62E01B9A049D15DEC0D09C02F479CA2AEB4B18E37070B20F85A1B26")); test_hash(&nettle_sha3_256, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("17A461B8EE507ABCFED51A50EF14891309FE402C569D94394CA7A3031BEFCD50")); test_hash(&nettle_sha3_256, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("A03C6B5B51AE4AA00912AF1CFB6C7B960EF58036156497CC567B1369149A5949")); test_hash(&nettle_sha3_256, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("14C69C5EABDEFC9E3A1461A379EC92C32BC6B69071029CB3655159DB1A5251A7")); test_hash(&nettle_sha3_256, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("3CBE06887C8AE360E957EB08CA577834C457FADF418D0CB73967FA827A22A4D7")); test_hash(&nettle_sha3_256, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("E58A947E98D6DD7E932D2FE02D9992E6118C0C2C606BDCDA06E7943D2C95E0E5")); test_hash(&nettle_sha3_256, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("A936FB9AF87FB67857B3EAD5C76226AD84DA47678F3C2FFE5A39FDB5F7E63FFB")); test_hash(&nettle_sha3_256, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("3A654B88F88086C2751EDAE6D39248143CF6235C6B0B7969342C45A35194B67E")); test_hash(&nettle_sha3_256, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("19A3CB3E8551F08FBBA5DB614E268F63D1F6A0C3689BBE973D59D35BB4F455D0")); test_hash(&nettle_sha3_256, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("CA8CFB13973FF8597D6AAA806BD32E82F4EA68BAC3FB543F26687DE4B9CBE8BD")); test_hash(&nettle_sha3_256, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("9AE670FA85AB5C6B3BC76797CF24CD385110708137B6F8EFD8D1A21C39881C18")); test_hash(&nettle_sha3_256, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("E32DF6218BA75FD4788A7E5727A7D68C5829C49346683FC213E433AF3DBA5AB5")); test_hash(&nettle_sha3_256, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("028173E3C6C392E5D13AF748F3788D43449BC5DD5953124EA5EDF3930275F665")); test_hash(&nettle_sha3_256, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("97450FC46F2E5DF8F81623B1CCA43FA50F51EA735E4421D7DFF66314D8E211BC")); test_hash(&nettle_sha3_256, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("AB4E5A70390577F8AE260D53CB0E70914F8B9398ABAA841F7807F1476046C64F")); test_hash(&nettle_sha3_256, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("8118F2C157DF1250DB43B31183F442F89B322E496918838C5B668F9647AC6D6B")); test_hash(&nettle_sha3_256, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("736E30ACCC5559188412C797A1A5BE61D1F90F149401F631597944155A85FAF7")); test_hash(&nettle_sha3_256, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("9599DEECCC698A24A461A7419E91939C741613F4CE887DBA89DC7E327C51F5BF")); test_hash(&nettle_sha3_256, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("BE0D871606A4C129CEF616F438600D5CBC0E9F49D2ADC8A86571C192361C3F4F")); test_hash(&nettle_sha3_256, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("4D30600C60ED94A0D2BCC17571A19BD0170CDACAC78D0421E0BBAE2A36A48B6D")); test_hash(&nettle_sha3_256, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("3BD6FB72764F7AD4391B7B40AEA424ABD5F5561AC56F9E072C753D6090FA4BFB")); test_hash(&nettle_sha3_256, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("6689BB25BAEE0C582F8F1B0C87073BE366644DA859313BECF446435D2F6E899E")); test_hash(&nettle_sha3_256, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("2628DDC7758208AA9F1E49497224EB268C6D2BCDAAB4820DE9C16A65C6F6017A")); test_hash(&nettle_sha3_256, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("DF448936EE72D9FE6CCFB37D183AAFDDC7908E016271AFA81EC083A10A144F5D")); test_hash(&nettle_sha3_256, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("2BB4CEC22A4FECD83FBBBAD1E3835343E36C6CB66C26964A432EC4C70F3E17B4")); test_hash(&nettle_sha3_256, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("1462F2EA1C3580C0A2E8C0B30C27A608D82CD707F6D1A0AAD5CC7C3D1B8D6C30")); test_hash(&nettle_sha3_256, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("617B412ED64F56D6DB36B7E52EAD618D95A091D65052C3F376A532D8BBDAF7C7")); test_hash(&nettle_sha3_256, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("82C541EA5CB15D1A4125F536825938C2358EEC2BDDC5D1CC4042DE3AF036CA55")); test_hash(&nettle_sha3_256, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("684BB7932433218C616F0590B039CEFAC972828470647D1591CEAC889C893272")); test_hash(&nettle_sha3_256, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("508B2AF376BA6467CF982C767C848D2BDA8D068A53416F074A0C98C473D02F6B")); test_hash(&nettle_sha3_256, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("55E228BCBDA7061642D004373D4E6407B72A37381D1BEFFCBFBF9F5F6EA093EA")); test_hash(&nettle_sha3_256, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("0523C09BBCFFE418D3FCD22C6ABF95ABFB38F94CE5562B8BFCD2EEA9FB729041")); test_hash(&nettle_sha3_256, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("DCBC258241ADED3799996C2AD6ED0E3D74CFCC67749D3480B2A9A78E5F8AFF82")); test_hash(&nettle_sha3_256, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("CBE8318E7B2FE72BFCD2530CCCECEA4018B1587F483B73F50CE5E84CED65E093")); test_hash(&nettle_sha3_256, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("8CEA2960087048E6E6D47E31554F305FCC81E03E90BA8F8332DD86C6B6B38E03")); test_hash(&nettle_sha3_256, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("44E276991E5382BD7EB5ADCF1F79362804D346BEDFC6916F4DCA4B57240E9C99")); test_hash(&nettle_sha3_256, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("80891A086AF385025068799F192411C689CC4E0D9A59F3F41DBB02A343F1A759")); test_hash(&nettle_sha3_256, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("77DDF034B7DFD6B292AA3B0C1E552F47B1D8C23078042CC58BB3DD4720B9EE4D")); test_hash(&nettle_sha3_256, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("23D2688D867A18040E82F7876ACF04DC3A9C0140FEDD93EBE7ADF920B2F83DA4")); test_hash(&nettle_sha3_256, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("2DF666FC5D4EAD1C3B10B9F8D4BB81AEA4F93D3873D5CE5CFBAC4B69435E1B7C")); test_hash(&nettle_sha3_256, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("AF0C5474528032E2629B8FBB0E34405F7F251D41E73B5667BE3C07CCB2C1C953")); test_hash(&nettle_sha3_256, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("9BBEF7A75391354A388AAA7CA035DC62D3231B80091BB7748F76E52D8E9F20F0")); test_hash(&nettle_sha3_256, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("B108457A6BD331BE43C9FE1E2A02E8C744C2BCC927A9C3C486F110DCCF907F6B")); test_hash(&nettle_sha3_256, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("A61109838DFA5B146DF4E6C3BDBC7A477BE36B6228EBD91025012AF4CC0EB409")); test_hash(&nettle_sha3_256, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("4F0F30C890B0AB404961158573538FE9A2B234B94A0991F26D5EA04FDDC9C565")); test_hash(&nettle_sha3_256, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("85459CFB0289599CDD67C473A0BA6DA616C608E367F58C50A03562424DCF1D06")); test_hash(&nettle_sha3_256, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("5539D2E52A5A1BB3C246B0158356E2B2782FC13C10248937A0C4A40B091F6247")); test_hash(&nettle_sha3_256, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("6D63419207B99D4DB1ADD795D852A8DAAC11B789AF0C7D6353036CB23F6428B4")); test_hash(&nettle_sha3_256, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("D2090DAE0FC201B2B9C03DD482A8EB1FFD3CF70C55F98D6F39A41B8BDAC27A17")); test_hash(&nettle_sha3_256, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("C9E8F96BA75EAF371DCA35DC69138ECA8CB3F2823F3BE551D9DC8AA6A4ED4169")); test_hash(&nettle_sha3_256, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("233B0BC28143C32A668B0AB5D76BE5712C0387056FB0E79F2C2F7F1C31E4A86A")); test_hash(&nettle_sha3_256, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("B79B5F8182D3FB4ABAB63E7CB26A8E0865AE8D79BD4C514AD8917D5ECB7FED8F")); test_hash(&nettle_sha3_256, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("F680198DE2943D20E9D809FD8312D674C9A250DA22BA6E920E408F6F2C0E0739")); test_hash(&nettle_sha3_256, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("A190DD73556086EA70BC31022D6A4F95D89DC099E2030C19311CC8988281278F")); test_hash(&nettle_sha3_256, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("21166064C52B588C1EC7EA6DF1905A2B59BAD499B470F308A26B6E354DDFE58F")); test_hash(&nettle_sha3_256, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("051E19906464EC7FDC3D37EE3BCEF63438EC5EDBEA5AA202A24B7F7190B689E0")); test_hash(&nettle_sha3_256, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("18FE66C0CD095C9CC811F5410B5CFDC1B152AE3CAB0C3328974E7D4BBEB40053")); test_hash(&nettle_sha3_256, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("BDB42638921199D604294B5578CEBACCDF132E1D7AF7675B7768E50553FCB604")); test_hash(&nettle_sha3_256, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("CBD88209B530018A856C5C2321D7E485511CA1513661F1FDE1FA06F4603DE117")); test_hash(&nettle_sha3_256, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("F0C4C1374F33A91DC657F8A3FA51763CBD0FBA1CAFDD2C595ED302AAB1AB75A9")); test_hash(&nettle_sha3_256, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("F2157C165EEBDFD04451E9E6CF0B112BB148EB9C40E8B2427EE8EA57E60D5DD6")); test_hash(&nettle_sha3_256, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("0836ABBF77EF78E162DE8FB664B9996D5A03919B741EB4A3F02E7B97826569FA")); test_hash(&nettle_sha3_256, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("84970C79316E89B70E2B186A69DB1A4C3E33C7A376B45C1B79BD346DD33EF4CE")); test_hash(&nettle_sha3_256, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("06ED2EBC419D053949E88CC9C040B1EBCE74375AD0CE09C0CD4D562C62F8497D")); test_hash(&nettle_sha3_256, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("CF9060AF3E4ED47316ACF51E5B92123CDC4827BD4AEF991588DCD8078B9EEA40")); test_hash(&nettle_sha3_256, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("63E407300F99FF2360F02AAE0ADA35F6C1A90AED2C63282B23A7990BAE307254")); test_hash(&nettle_sha3_256, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("427741570D5E21590E5045A8450216365BA95C2E72455A3DBD694F13155DE1B7")); test_hash(&nettle_sha3_256, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("B5E60A019E8414D470AE702738BC358F1C80BB6FF7BDE4F2DBB56C299C764B16")); test_hash(&nettle_sha3_256, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("C986BDAE9B13FBC92793619E4970ABC33398F2B5A57A6CBB40A622592E2695DF")); test_hash(&nettle_sha3_256, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("224C7FC8A0EC3895E8969CE7C7F7ECAA54FE2EEC9AB3120726106F22AA297541")); test_hash(&nettle_sha3_256, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("FAF5E3B7A64629FFEEE07A67ED77A3A4F67F18C9381FE9B19F6EE601F5FB99AF")); test_hash(&nettle_sha3_256, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("A8A98E6B3A005FCB319FEE58C5457D04B69D59F53873F6FCC6065D68F880833F")); test_hash(&nettle_sha3_256, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("C89F2B346127EAB9E28095DC44918C1A1AAEAE04861C1DD0144A1EE07F823C18")); test_hash(&nettle_sha3_256, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("E7A81ACBEF35D7B24B706549B41ABD82628CCFF9ACF41F2C8ADD28743688AE01")); test_hash(&nettle_sha3_256, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("D81249143A69EA1C9DC168B55FFE06D46D0FBC007065110353D76C6CCE4FFE66")); test_hash(&nettle_sha3_256, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("AA8BBD4812142211212763BF8EE4D6E0AADAFE5E528AEA1FB1BE118806E49F66")); test_hash(&nettle_sha3_256, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("4089B181DF5ECA5F14DAB1057AAAEECABA15F200FDDA0DE49357D6196FAAB44B")); test_hash(&nettle_sha3_256, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("DEBF59BB233D05549853804FC67840821BD5802F87FC8A915B710D3E82070950")); test_hash(&nettle_sha3_256, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("0FDBA1C79F55F233A1217F522D6C81F777F330FADB565E1171F39E1788913342")); test_hash(&nettle_sha3_256, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("ED45A06E95A6539270B02290D71005F01C55BA077414C3BCDB379537E6DBEFC9")); test_hash(&nettle_sha3_256, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("37E7CF6A9A31B0982B2479432B7838657741B0EE79ADDA1B287550EB325C78CC")); test_hash(&nettle_sha3_256, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("373704F641FAF2B918E22E9142ABF6B4AC71B6883AC4D7A075F626E947837D3F")); test_hash(&nettle_sha3_256, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("EE5994B3D32BDAE58E72566FC24B886461217FDD7273E1608F0B2926B7923546")); test_hash(&nettle_sha3_256, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("6A584F9F4ACD8FC8E15DACD326291FE9311C20987225C51CF4251E52B47FA223")); test_hash(&nettle_sha3_256, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("4F92839CDDB0DF31D16A0DB53BBE07698A7C1912D5590D21155D45DB1B48CAB4")); test_hash(&nettle_sha3_256, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("EAFD661F343AE834C621E074AC6903A2E3E6324F365B3432DFFA732F477AC129")); test_hash(&nettle_sha3_256, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("3DCEC669C5D0176B1BDC002728D242C587DDA03B3ABFA6074523D3FAEF4820BE")); test_hash(&nettle_sha3_256, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("4BDF731BBB3D0E2AB0EB3D972123A7A0A085E8A98AC6AF8ADBD335B37275DDFF")); test_hash(&nettle_sha3_256, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("47F904FEEA607225CAB2E3C52748878964BFEDCFE068727DE610F63421367BCF")); test_hash(&nettle_sha3_256, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("324937607D9F16AF815701749F0377B3281AF9C5BB565D6F2B9611532B6BF044")); test_hash(&nettle_sha3_256, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("B984C2D6B6FDC28574AAD551FC16B68F85BF6CC480A15C128AE5616561D46721")); test_hash(&nettle_sha3_256, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("91A5B9FC2DCC5FAEDA57D2E7A41E922DC32D572AEBDF6D54CB8C3AE4245E8565")); test_hash(&nettle_sha3_256, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("97DCA1050A465B60E91EBE26E29ADB5A286A0582EEE2E89B8B901954293F6146")); test_hash(&nettle_sha3_256, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("6D033D85DAED3366D5F7D5E4F03B3D05B65778EEEA074B0C683CFFCD6F51D5BD")); test_hash(&nettle_sha3_256, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("01EBBB73410EEBAC665C3B40063D001F43DBE9D1722EB323FE08763D7FF0616C")); test_hash(&nettle_sha3_256, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("8D3A49CB572AB99C9BF0231366BB017C9ADF25479D35443A971E45787E738CE5")); test_hash(&nettle_sha3_256, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("FBB5A0AB1A3B4C4FA56ADB1C9531EB9979C554903053013C20FEFD3F57B5CCDB")); test_hash(&nettle_sha3_256, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("6B3DCC7AC6A5CB85B67FC71B4055D3798134DEEF26FD3EB03A042E0DAA35CC85")); test_hash(&nettle_sha3_256, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("5D1DBA8F1584AC3F36B3AC925EC13AC284013B9664965AB6265B942466B5D8EC")); test_hash(&nettle_sha3_256, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("89C6C86DB0A889AA67D8CB085F9F4312645972D977C5B952D9F6243D7D3BE4D5")); test_hash(&nettle_sha3_256, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("AC02432A5541C26238C6F99FADB2B23B5FFCAD8F04BD4C3B9A6620CAB1266E6B")); test_hash(&nettle_sha3_256, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("F55AA01DEAB12148E35759DB818F1059351165E9E6F93D342F0ABFCA102E0801")); test_hash(&nettle_sha3_256, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("7C0BDA7CB42DADBD037F50A5F27E3AB5DA258D4670F1BEA90154C87C98136BA1")); test_hash(&nettle_sha3_256, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("F60C53BA2132293B881F0513E7AB47FE9746ED4A6AC9CADE61E6D802D5872372")); test_hash(&nettle_sha3_256, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("1C66B9A7C50ED77D179A0C437D5890C9835A13F90A73A01332AB0731A41A115E")); test_hash(&nettle_sha3_256, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("48A00BA224AC5558F41A79F52137DB9182A93F1045D43789E5913D7BE40408C2")); test_hash(&nettle_sha3_256, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("240A85EAF7F3016C192AD5E17E5F93B643FE3EDBA719F423693A34DA3784827A")); test_hash(&nettle_sha3_256, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("2AA9D0A1D9B9B691B4B8641E68D454D2D9C34CE43A5B55DD57590716B8A46CF7")); test_hash(&nettle_sha3_256, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("58C469E1A76835CC1A897B885B1B2A33B0AABCE4CFBB65523D2E0D08D6D1A413")); test_hash(&nettle_sha3_256, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("6C8DF81B1E1ED70A5413368018DB9628B0E0B4563423C051A54D000AADDE0C06")); test_hash(&nettle_sha3_256, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("108FFF41D5BCF654071B4414E666FDEBBE878C309D6DDC90AFAF5C61DF8559F0")); test_hash(&nettle_sha3_256, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("751EAAAFA4AEC8ACD26606D6439C55B5C66EC7DB807579EDC68994B300F7A077")); test_hash(&nettle_sha3_256, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("90C2D5F8E26B0BDDEA719064BB02A6242F2CC5A42936B14FE17F861B47B7E186")); test_hash(&nettle_sha3_256, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("3298A95CFE59B9D6CAB99C36DC1324194C09F97F08944A02D9574BBCA3186B41")); test_hash(&nettle_sha3_256, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("1C4172928CB10E16AB3CDB33F815103B000A6C7D62376CAD29AF03F4B2B0E103")); test_hash(&nettle_sha3_256, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("F5CFB4DF3F7C5A778F38A3B43B26479A0E8A49030C59AC19FB0CFA806081CA4A")); test_hash(&nettle_sha3_256, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("06AB8FDBE4DCE935E42003C17FF60BA236F43A843995B7FEF3A29DFE0C82F1D4")); test_hash(&nettle_sha3_256, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("C11F3522A8FB7B3532D80B6D40023A92B489ADDAD93BF5D64B23F35E9663521C")); } nettle-4.0/testsuite/sha3-384-test.c0000644000000000000000000032637615141166425014150 0ustar00#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_384.txt using sha3.awk. */ test_hash(&nettle_sha3_384, /* 0 octets */ SHEX(""), SHEX("0C63A75B845E4F7D01107D852E4C2485C51A50AAAA94FC61995E71BBEE983A2AC3713831264ADB47FB6BD1E058D5F004")); test_hash(&nettle_sha3_384, /* 1 octets */ SHEX("CC"), SHEX("5EE7F374973CD4BB3DC41E3081346798497FF6E36CB9352281DFE07D07FC530CA9AD8EF7AAD56EF5D41BE83D5E543807")); test_hash(&nettle_sha3_384, /* 2 octets */ SHEX("41FB"), SHEX("1DD81609DCC290EFFD7AC0A95D4A20821580E56BD50DBD843920650BE7A80A1719577DA337CFDF86E51C764CAA2E10BD")); test_hash(&nettle_sha3_384, /* 3 octets */ SHEX("1F877C"), SHEX("14F6F486FB98ED46A4A198040DA8079E79E448DAACEBE905FB4CF0DF86EF2A7151F62FE095BF8516EB0677FE607734E2")); test_hash(&nettle_sha3_384, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("D92BBD604BDD24B9889508F8558B13E96595AC90BC8A441DAF9B51D6ABC14FFD0835FB9366E3912504264CE87E421CB8")); test_hash(&nettle_sha3_384, /* 5 octets */ SHEX("21F134AC57"), SHEX("E248D6FF342D35A30EC230BA51CDB161025D6F1C251ACA6AE3531F0682C164A1FC0725B1BEFF808A200C131557A22809")); test_hash(&nettle_sha3_384, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("D6DD2ED08C1F644857A15DAFAF80538BEE597278C9ABE047BFBABFB8B1FCB7543E80AE9F7143D00F4DAAF39B138AB3FF")); test_hash(&nettle_sha3_384, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("49CA1EB8D71D1FDC7A72DAA320C8F9CA543671C2CB8FE9B2638A8416DF50A790A50D0BB6B88741D7816D6061F46AEA89")); test_hash(&nettle_sha3_384, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("89DBF4C39B8FB46FDF0A6926CEC0355A4BDBF9C6A446E140B7C8BD08FF6F489F205DAF8EFFE160F437F67491EF897C23")); test_hash(&nettle_sha3_384, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("D6154641D7D9DF62F0CEDC2BD64EE82412B3A80F6EACE7C45F9703373379007EABF592D2D2116E093DC33DCBBA4649E9")); test_hash(&nettle_sha3_384, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("2EE5DF2591CFC4CB1E1D0BD8B28727F0FA5359A75F7819A92A3CB80DDB5708E4705177B981396B4818D11E3CA615EC93")); test_hash(&nettle_sha3_384, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("786C3F73FB092BE184FC2B19F5920F3D94F25D4523165AE82F9B39B2C724FD62DC9A3263091A239D5EF1AD562DD4FD26")); test_hash(&nettle_sha3_384, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("79188139EC2CAD8D197D308B806CF383782C29A8C27EE29C5E31425B2DD18B2F5F491FBFB38D7078F58510125C064A0A")); test_hash(&nettle_sha3_384, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("0C82B8C75C5D540E7D624928281FBA8B8D0B1583D74F3F0EA4F200F1CE5475149C282E05DB695DC67BAF42DEFFDC3F55")); test_hash(&nettle_sha3_384, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("830D2325C001623EDFEA97EA1D0E65982D4ED7ABB8E64EA61C85E9BC1882D11FC4153C30BE63FC66F5FBCE74BB394596")); test_hash(&nettle_sha3_384, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("1DBE1BC60A9C6FBE10A727E2A6D397930D547AD2C390286948C3167EE77FF6E275EC8431C5AD4B4E4E5AE67A4BC88D05")); test_hash(&nettle_sha3_384, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("FEEE2EF332515284E0BA247C62F264199044D03877C58E54B51A62E39E91C27AAAE384837EB9D479B4C0308CFC6B779B")); test_hash(&nettle_sha3_384, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("1888E953727CB837DE40C69869560C20729C50638E4561B385937BFC4C297E789EA6C03EFCF2DF3290B1FD36BE268C32")); test_hash(&nettle_sha3_384, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("30DE7B544265422CE689E667F48498F455E8BF1055653F21294EAD7D2E898B05FA75EECA46DC2575C475C480AA49CA62")); test_hash(&nettle_sha3_384, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("041B7C89BD4B582A7D20E579C6FDB18BA0C1251DABACC687AF448EB49151BBC04ADCB81D797D4BC51F03BFFF230FFCC6")); test_hash(&nettle_sha3_384, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("EAF751EE6E75AA2C56453F316C019BDA7D7AE1FDA03B79AC413BB1F2840D58AAAAC77F2DC106D22F1A71157F9F841C4B")); test_hash(&nettle_sha3_384, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("16C4A7F7E8BA7EA13C59576BE602F885E21BE7C34B3AC05CAC4262BAAD8AA3F95BD9260F13F08550CE331EC773BA758C")); test_hash(&nettle_sha3_384, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("5119A4FC11DAF2EF5DEB7AEB35549162D9AFC827392A8868E7F8594A5C194D9C8F6A430CB386B8D825CC6DAB4EDB742A")); test_hash(&nettle_sha3_384, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("A91F0170457E78B3BB15B0BDC0FF4EFE8D7313D2725D8E8DB875BCAFBC11314126559F45E86E78136EB214FF02764CAB")); test_hash(&nettle_sha3_384, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("98FE81746CCF7CFE5571D6D8B09943ECAE44F606444F9DABF1A57FE4E871F6962266D18652FD4EEBDBE492CFC5B2B21F")); test_hash(&nettle_sha3_384, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("3DD9054C105C40798DF45CFB5880F97A9536FA7BD13F1D816B8EE887FCBAFC102A7D4BDE9FE6E265538EEC2525B50D89")); test_hash(&nettle_sha3_384, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("DECD778B89B4295072DBF98689E2EB6066E406356EA4B7CAD550019F4A2ABB25163E9571D0ADB9ADC6A802B7E03C152C")); test_hash(&nettle_sha3_384, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("37F14B317D46BDB3E5DD6F68986A08A098C46B9D85D1F254A17878C008F97926C8A13C3838721CFE3A58076F3992F26C")); test_hash(&nettle_sha3_384, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("641A7AF13B889D1A0F1AA3E4E4FF8CC5903C47E1A52BDEA257D80E37E596564AB33EEAD06717CDB6B706CB6986293D4F")); test_hash(&nettle_sha3_384, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("122B8B86103FE3C18FF28178A256ACB0CAB8518338D2CBA697E3F560ECFEE09B024B97D8D1F69632AD1F2C5F5628D3EF")); test_hash(&nettle_sha3_384, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("F35A292E197007E28CE652A067173F3659C51B70438AA9E433081D3DF71B4A11E3F3BE5AF32E2C08D23A0B44E30B0BDF")); test_hash(&nettle_sha3_384, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("2EA596B446D5CCD8F0927A2E3790911E00F1F52CFBFC41F12290CBACD1C903C74DEEF840FD1398E12EE863ACD92BAEBF")); test_hash(&nettle_sha3_384, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("BAAE7AAED4FBF42F9316C7E8F722EEB06A598B509F184B22FBD5A81C93D95FFF711F5DE90847B3248B6DF76CABCE07EE")); test_hash(&nettle_sha3_384, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("32CFC8A18A7116D4B9029051941808C3B332EFDB132C515F9110E19B8354355D94616C9965BC2D1F2489F8452AF7FB2F")); test_hash(&nettle_sha3_384, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("73443EA38A8801395C044E3CBECD45DD62D6E304C5440FA9FE9651A438C010A76712759BE20681F1416661E746E5EB77")); test_hash(&nettle_sha3_384, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("6E82F460660F3D2CC33AA59A37F325EED0133FE29A9CB428A3C22572B6BF6C5DA2D0D4645C49135653A049795D4E2AD0")); test_hash(&nettle_sha3_384, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("229160A61CF2842B37EA85788BB1CE8294DED9EAD266359D61DF3D6DF98EE155ED03AB1A51D6291B41680A00553298EB")); test_hash(&nettle_sha3_384, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("F5D838DEDF07AC3A5646221ADC6CA59045976DF9C33367FDAA0BE3AFC57EEF0D434EE92CD618B3FA26C7EABD18D78772")); test_hash(&nettle_sha3_384, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("D41A324A1739BBCFC983A2B250750A1117E57BD26512CC5DCA7066D8B972AD9EB0BB3C7E36B9B84FC0E8129B69CD3847")); test_hash(&nettle_sha3_384, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("170D73BAF77EAE7A852A1BB19BA6665F9EF425A66F2649E959B5CAA82D01FDB89C8C7FA6F40702F7C3391B146F6FA33E")); test_hash(&nettle_sha3_384, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("A8F4A60A8FF5B3EBB4EADB9C46F1F403AB7FF632C7A11F80FC9153858B484291B3936713076955207D0C7E1964DC1346")); test_hash(&nettle_sha3_384, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("5815D78ACA9600632239B7CE8385D7E837F883857601EFB78F9C2DAC9A96AE0BFD107526F268D06FB4227D4774A9E727")); test_hash(&nettle_sha3_384, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("A5D91B01650D24B4753F41871FA700E997D5F1EF9C06D8F9B3A9B2D318716408E1566BB04B49B84E77F5F73D8F640541")); test_hash(&nettle_sha3_384, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("C7BA066881DB931E9C674D74CE2309B3002C6D5BC22056C454261CDBC5D93FE310EADD755E41FB1D789FDB9A73FDA28F")); test_hash(&nettle_sha3_384, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("A52CA3413BB83934B1EAD4686F639B90C5EE3CB5BE7E29A1A5293C868441D79BE2EF246B427FFCF0568D4D01BE54FF0D")); test_hash(&nettle_sha3_384, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("13E60554FA18CEF87CEABE147541886D97C2FB5F40F163D953306D2A26B013B33CB202D78AEF49FD47E7EC1C745920CD")); test_hash(&nettle_sha3_384, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("E4E03CCBA92BBD28182D005F69DE4E71C61C62CD323DECFB2ADDBEEFF7EE74933AA7A167E4E1DBB3DF7E5C91184F2D88")); test_hash(&nettle_sha3_384, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("9B26E9BF13B6FC33FD335DF976C8E1B781C800895EBD72E34F96EB875B41F04AAEE825CD8F0EB6C43D803F4E6EF688A9")); test_hash(&nettle_sha3_384, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("A127FEFCDD240F762CCE3F5F1551FC7E1CDEBC7950D1CD94C6888F490CB2285A10FD0EE797B168C5CA4761FA232AAF05")); test_hash(&nettle_sha3_384, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("FEB5A24EDB05BEF846B0A1F3F48DA212DFC2D0BAC746890D4AD72FBE3A7B4FF8E2B542B827779467122271B1E0DF2BD2")); test_hash(&nettle_sha3_384, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("8DA4F3D1A13197171B02E1CCB07BF51CDBABD833FDC3C3797A113CFA5C71795782C47CE36C389FBAD461D0D5B59CA684")); test_hash(&nettle_sha3_384, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("D19FE4A5F93BCD483DAA7AF8CB636807962D40AF9A507DC4FA4E1FD480A6E8FA3C25FA30EB6B74979EE456C1644A5C1D")); test_hash(&nettle_sha3_384, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("63FF3053ACE687FB91070CA7FC6A51C259E13DA8AC0DD741AB36D1FA930E3BB9AC6A1FAD654F7238CFC4485C5F9F8252")); test_hash(&nettle_sha3_384, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("39DDE02A319B5E869F4C51A1D30FF4D4D88EBE504C54F155AA5FAD3316404FDBD1918074D35D14BAC88D6F359108A1DC")); test_hash(&nettle_sha3_384, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("1959378F32117E58C0141160E16FACFE336590196BE805D149EB5AEEA641F9BB119B3EDDFEFD817701C82D2F528B823E")); test_hash(&nettle_sha3_384, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("7B172A9BB311B1375E15ECE1C1E8F092BECFAFEC9F3144E93F596EB7E6ABFB34FCEDB08EDA7883EBBF40038B7A754F9F")); test_hash(&nettle_sha3_384, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("6BA32ECAAA0AA9C59E72173F2A7816AC51F313C467A017190DB9832C6311EC23B8D56B7B220FA09A9081962EFED5183E")); test_hash(&nettle_sha3_384, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("55FDF2EC27D334B5B59EFB9B6D518E25BE0F5FF6379F7B97945F3E1235EC70295B39EBEABF70FCAF1E61EDB1C21A4C06")); test_hash(&nettle_sha3_384, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("D51A3F33919FE5DA0EFEA6EDAD201F01FA8416C385A89D96DF743D243A6AABA5B7690D187B95CAFFDACD1E85F56B813B")); test_hash(&nettle_sha3_384, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("F1D6E8F95C497D5BEAFB4215E07CDB59E0E3709CF561618F67E301931D204C6CE477E0F750099584B645E2F718650813")); test_hash(&nettle_sha3_384, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("B1D347D057CCD72867B12BF00BF511F87DEFCD0FA6ADADAF4BB1AD790F06ECBB1F4488A0319B05C46A7874857370CE76")); test_hash(&nettle_sha3_384, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("4F192EDFA54FECE64AC0B3EC9E120B291ADE99948805A87BBB04947E928BB5EBA87E2EE599960C436EA7C7884187E78C")); test_hash(&nettle_sha3_384, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("75E23FED3B59DB6B1D3378B7E8772642CBBFF7710D8A91B249BB6C68E384CD416F19AC1E8ED92B71D0CA303D247EE9BD")); test_hash(&nettle_sha3_384, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("C8D1E6BE5485FC13BF433F11A580ABBE89B12A66D0E5CB141E1D62CDC6A367725793FB25840B36CB7003F2E7DF3E5F2F")); test_hash(&nettle_sha3_384, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("423BA134D3BCB5E440AC83372C7EDDBA3AE3BDDF1222F505C19CDE246AD76A2B0D07239A54E1D0934C9B3D29D49E5FBD")); test_hash(&nettle_sha3_384, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("662C4851D311A786DE4CDA7E9EA1EFF0BFA462761FF6CF804E591ED9A15B0DC93A2BB6A6CFFDC8D7D23A233A52C86EAD")); test_hash(&nettle_sha3_384, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("5F54B1DAFA67ED9B498125E064F0B07F54E754E3F30720DD4A471E9BB6E307F05FB69BC81D391F503C95C3BB671E6973")); test_hash(&nettle_sha3_384, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("A21B55DED8FE41FB2B193FA490420A8B62FCAE9A185DA85E253DAEFE85270B6904BA4ECC76BB5128926FFF9D79F728AD")); test_hash(&nettle_sha3_384, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("341BE5677A05EED816A219669D680BBF185B31CF3EB0D289F90210FB1A7940D9BFF4909320AE4E3B7274E5BE479C46F1")); test_hash(&nettle_sha3_384, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("D70F78894E292B075A0FE56FB952B2CE87A94CA029347159FBB12B22103DD4DC4C265B7AE88950CCA89C40B531437AA4")); test_hash(&nettle_sha3_384, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("89BD6B7CC9ADDDFFE46BF85C56B8CE66E1B1B46969B197ADBF2E34B7059D8BB05F9F53BD1A58A7E0A66E5EF208BF5695")); test_hash(&nettle_sha3_384, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("AE651EF50A20B0F496F104F56F845206ED544B28D0374CBB779146DFF2EA5894EB29301FE33872F9B299A79C0C0F28C4")); test_hash(&nettle_sha3_384, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("A842918DFBBF3BFFCCC527B6DD2C0DF4EB3F100F0692727DA77DAF44A654876013B37031C493AC18950003EEBD107A29")); test_hash(&nettle_sha3_384, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("20D16CC6AF5B4D5AECCEAD09F300B1DC1DA93A608370EE0B2CF15C316508B5EF8C9BE27D0F7288617B1E529FC2932038")); test_hash(&nettle_sha3_384, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("69A3BB36F52EB650C6E8242DB05659573AF811A1A5DB908F773D65E74D327F5B65303DD0DD9BD07FF100D050E46FE97D")); test_hash(&nettle_sha3_384, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("D239F2FA1675A1A031E2F6E8A53D6E2F37D081CDB029727B3ACBDD7CBFC7D3581BDE8D3068AA9A300AE12B7245124508")); test_hash(&nettle_sha3_384, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("2F8D747DDF64320297B44F8547EF42FCE78A48F0A59A18DB1CFB9F43C049628F97C0BB93ADAAB9617155272424F74027")); test_hash(&nettle_sha3_384, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("714BE6F2F934E0B6FD69E392D99ACC98592B015E48A1637262F99286502B06774783BB9F371C760C3EB78AEADFBD0DF0")); test_hash(&nettle_sha3_384, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("22A41B117464F7F49682E8139A0D5BD23FE00D1190B1B419F27B490B729B56BBA9DE649DD7C988B6B308038661E1C362")); test_hash(&nettle_sha3_384, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("77780F3646D288291790F2A5F4AA9C98A64A1115306994CD65C7620DDE06D35117CE4B79DAE08B5B4E798459010941BB")); test_hash(&nettle_sha3_384, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("5CED3B7368582DD6DEBFE41D6AFFD82B72894B51FF4C4ACCBA09C595B36E23E347AB4BAAB0E5191D86E26E6596D62E23")); test_hash(&nettle_sha3_384, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("1410EF9ABB8D98B1C65E113A61915B0E6933BC59DA31C8FCC39B7165E715919184375D822A07C778F63431BE2AEECD99")); test_hash(&nettle_sha3_384, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("330ED51B045471DEA8CFF26510D68494611ECFD614D49E5A9CC8846A132519BBCF49907691AC5ACCFC0528DA0C14D49E")); test_hash(&nettle_sha3_384, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("387111A206FC6488F78D41786886A9E5EC9F73E1131D92F290F68512320A408D5F63EAA5ABA32D9853EB11B5B0887E62")); test_hash(&nettle_sha3_384, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("78573F5D075200D3823194A71E55880F4FE78489234DBF3DF3E3734CBCAE8DC1D8C1AE95F9EFA9903DC4C4581B59DDDE")); test_hash(&nettle_sha3_384, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("FDFE4F1B034733C2C94A7B36E2B52774A95C2BDE22FCDDFCEF52F7FEF7C67F08E2F7B9B8967E447F76EF91960DA76288")); test_hash(&nettle_sha3_384, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("48D66A4165AA54528ECE89BD9AA00EAB196F32DFDC4D76F236655835527AAA1642E6BF4EDF24F030F5EEEF07FA40F5D2")); test_hash(&nettle_sha3_384, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("3C2575372CE1F380A6E66BB075FBAE98FC2E6D3D267A20FF0313ABC3DE252E03FD5BDFA8BC2B79FC874CCDA4ABDBB4A6")); test_hash(&nettle_sha3_384, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("0EE6AECA8DD80B74225AC4882E2BC1E6819C9B94F0D0BC0A1E21AABF4B11CB74DB4734BC8D1179D7DCEF535BE9F3DA28")); test_hash(&nettle_sha3_384, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("8027E5044923F8EEE1DF184865CD97B635A78DA199FD80AD3D343A5AE03D1B165E58D1B0BD093EF916A16D6641BDA17C")); test_hash(&nettle_sha3_384, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("796818E047913D5AFB4AE4C5B7C5D5EF699A3A9EBEFB44462EE8FE603CA5628973369E4A9D8E10115FDD75C89707A8F9")); test_hash(&nettle_sha3_384, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("1E96EFF62E9F464B4802972FDAC77C3EA1131B2822619D2C5D863E357D0945C17F93EDE66AF05D46E63C2857A54F67F4")); test_hash(&nettle_sha3_384, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("4CC41C2FB7D71DA1AD36D18029F755DAF342E732EC31F0C06E27091307718ACB53FA113AE508DF38B8C96834DE33F9F1")); test_hash(&nettle_sha3_384, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("9A8D4B560421C82991BDFCA0898A29A59BDB09D20F8A5B279096723BAB382789F081EAD50D273ECA436C526ABA6D5CFC")); test_hash(&nettle_sha3_384, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("367CB3FE03A3CBB50FAE1FE7EA883A0AE53CBE772F709DC5505F3C907564C08FC49707CFF9639B25C746B6039FF48AE9")); test_hash(&nettle_sha3_384, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("BBBD05D69D7A082FCDA8ED535D7E4E5DE1377BD91E72D42DC95295C9DB780169E2F9620EC7A5AFF959FF2D946FD20A72")); test_hash(&nettle_sha3_384, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("BE8BEC0C2EC721E0C326037CE86A1518FB395C3A9802DE01C3E234268EBB9AC9A39A6E404F25FB7FEBDCF1F7F25DC083")); test_hash(&nettle_sha3_384, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("2AEEAF292AD625221BA79A621217FD1B3F8978BA83FE7FF13B38574FCFAFFBD207298854B6F9C27D6677494204221FDA")); test_hash(&nettle_sha3_384, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("9A1761C5759CE67C9C093EC5C831C1FF7CAB64AC7C8002066EDCAED044DEF57CEA3EF6BE98578363D2CE3D1F5BA448F8")); test_hash(&nettle_sha3_384, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("4A24A1AF68DB65C3977431EE81092C776F7CB33D6F08940100EA240A2D1F8623A41D07CE9937BCBEC8CA1072A1A78E8B")); test_hash(&nettle_sha3_384, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("928E94D19FC60065A5EF7E48018387C80F2D350F306D0F610173719D5C874D4A8ACC340FEAD4BE357E1F78124198AD77")); test_hash(&nettle_sha3_384, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("78A18D62F8A7EFF5C6DD75B8CB073FD30EE68C878C2EC58AAD1C5DD0EB0AE43698A617BB0C670FCE2AA098E0ADF425B2")); test_hash(&nettle_sha3_384, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("EEEB56C3E54FA833B985EFA5923C3F0225F419664CEDD898C79F64D72D2AD4B125A38BE0201846C442EAF0051D516DC9")); test_hash(&nettle_sha3_384, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("0A834E111B4E840E787C19748465A47D88B3F0F3DAAF15DB25536BDC6078FA9C05E6C953830274223968847DA8BFD20D")); test_hash(&nettle_sha3_384, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("D1C0FA85C8D183BEFF99AD9D752B263E286B477F79F0710B010317017397813344B99DAF3BB7B1BC5E8D722BAC85943A")); test_hash(&nettle_sha3_384, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("6AEDCF4426B2483C0D0D04695BCC052BEDD04FA4D17A1BBB2797F6272FA476BFC138E4091409FEB1AC0E8BFF350A6663")); test_hash(&nettle_sha3_384, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("ACB7013CE75124388187DC0E7430CB74A314D601B6C8D7A7DE5CF03197A84F7874FF058808575CB2F10185F561BB06B1")); test_hash(&nettle_sha3_384, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("F947469DB712EA26F25F709FF7879136EA2A79E0A2D0ED5EE4ADF0E167F106BC410C93AE1D986EC211E0FD9A40741857")); test_hash(&nettle_sha3_384, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("65989BF4EBBF4C21B3DD34551D3F6167910236671BB7F348DC552ADB8028A468FA40EF4A8C1227A1A41C28105E64AC20")); test_hash(&nettle_sha3_384, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("B77A69E373AF0F733CDAD399C9B12642A046E1A7893D3382943A8367D37740DF53916F6DAF90517B39621C14343754A2")); test_hash(&nettle_sha3_384, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("3D14B6FAE6156E7876367897A49269181EA58CC3CA9621C0F81D6A5FB6F615680D909B29F6AF7E62FAD04D70046BE997")); test_hash(&nettle_sha3_384, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("456AD01908E187CA2CE9E7A4DAED8788C909E9BC974EFD1C9A44AC36DB9B6DA985C947C7E0A47AB27BF10CD760FA48AF")); test_hash(&nettle_sha3_384, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("C26BDAC454E1ADC0D090D0C5254A29966611B6673014CBACA24D26B6F63EC7E8F993BA3DF7DF89770E902D5F6574F6A8")); test_hash(&nettle_sha3_384, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("1D85BF9AA2B6DCC3105E7D7F91069F01E4C998D6F03B77650D75839D65A7A049196FD935AFEFFDEB657BC8F96B7C17B5")); test_hash(&nettle_sha3_384, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("085CFA581CF3F4F19416BEE3ED5AC2544662AA51BDF1D2E348D9BCC27343487DF20B18D9F6FB64565868504A6805D176")); test_hash(&nettle_sha3_384, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("376088F09039CAA40BF19FF5E5F193FC9ECB6116A0ACB3237AAAB6CD807BD7AF45D804D837A18D2BD9A8C3DAA3A1D153")); test_hash(&nettle_sha3_384, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("CD40B35FBD90B04D0641F71088F7C6159D8EB16DE8AAE09F355877A0333B53150B81D36C5C2446BF5AC462EF84D4E572")); test_hash(&nettle_sha3_384, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("DB14442400597871FA56D10F53BE7BB4002C44624C44E89C99B95122676A76FF28840285239E2E4FBFB751E4179577D8")); test_hash(&nettle_sha3_384, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("4509ADB6177BC6DEBCA7E36948F07001159A57EC8CCA2B76C770735C5BCCC679DA6AB4E64D915D0E1A754C3FDA11B524")); test_hash(&nettle_sha3_384, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("193AF71BDD228AB3E8AE50E1B1CBF1984B0AF92AAC5A71CBE618AFD4187DED6B461411A39E72EA4E213FE0A5231C498D")); test_hash(&nettle_sha3_384, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("3E419569A4197BB71BAF416B38772EEDD9C1D5A3252111609F0FF8A18A749D5A56143A14925A82CD35C44400A49AFDFB")); test_hash(&nettle_sha3_384, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("6215C070D0CB388A134766035C4BA95143E608D15CAF742796304FFA1A62E55660AB9AB1F6538B4AF1F3EA89BE7D51FF")); test_hash(&nettle_sha3_384, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("0E27ABAD85255A66217722B7D4E032BF29F638BAE965B99F8EAF309071FF8C107F5B6BBB6AB1985228E697DE60595DF6")); test_hash(&nettle_sha3_384, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("AB9FD51B3AA4CD944ABB6CDB063708B2D1203D65A1A2EBB48E0C19722A18B9EF54D7A11F7684462B995B6D38CDDC0463")); test_hash(&nettle_sha3_384, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("03945325AC50E56BC8B515576529ABAA9A22BC2A7CED9142A75CE939A388AF0022A4E75A33964BBB3580564E0AF809D3")); test_hash(&nettle_sha3_384, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("59126910A3462E3B7AC22892F637D87D90686BC0A9BBD4A32E2C4C71A168BA685F2184560E125DB3DC23D90B9E820F1A")); test_hash(&nettle_sha3_384, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("D3239A33BAA55B0F21169E0FDE6114B08106BAF3F4BA0CA19D7B5CF44030057AC672CE529EB0F3BDA36819967819AAFA")); test_hash(&nettle_sha3_384, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("38A11581D874A574929C51F8DCC9E501900743864AEC3AC0889E62C1071CA5F8B6CCF9C0BDB3BB365916EB4340973DC7")); test_hash(&nettle_sha3_384, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("8FD01909381EB713803419361D8E82E92476A08EDCC225BB8A135D215CB48D07B074624FCF2E73E666DBA59334719839")); test_hash(&nettle_sha3_384, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("5D7DC5FC9DE88B1C0C46AA6D49273505FF7A76A179E31AB5D976A69D89B83DFA6DEAE9E1B93440EC055DE1CC824D6B15")); test_hash(&nettle_sha3_384, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("3D6BBA145D7E69DBBB0F099D47A1F2138D4A00F26B07C62CF38471F0FB9CA022C61F7A769013A9BD8D5D87D8E01D9B4D")); test_hash(&nettle_sha3_384, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("FBCEF80DD06E7E0B3B7A5485CA5BC2B388CB91A2890F181C857B3E0ABEFD6065499D82DD55F3FCD17E351C0A3636B859")); test_hash(&nettle_sha3_384, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("338AACBAC8AC5BCC13FAFC0EC6D2ECF4A871F9B09D7B1BC5BD6F8D7C9DD1354B8E28C68158A36551DDDAB8B684579EE1")); test_hash(&nettle_sha3_384, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("FFC98D84C268BD09CAD09CD7B4BF9D35EDE97EC55885E839E557D21ECC0E28A855000386E68FAAE3E64A19B443B2587D")); test_hash(&nettle_sha3_384, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("471465890C3B9C03EDFBF0F6883D565740BADA3B7628AD6A27F729C35C1A8666953E8B99D2C89EDE0BD2D5D70FDEF11B")); test_hash(&nettle_sha3_384, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("0F8BA7214DE0E3A9E13C282BFA09CEA782C31C052F516D0AAA403D97716E0D08B1F7F9BB4085B555740C813C4ECE1B90")); test_hash(&nettle_sha3_384, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("CAD2D28FBDCC3A5D71FB3ADCEEC52313AD41D4FF1F915CAA34EE127839DBF2E9A7B06E1C4ECD6255926C16C06E51EFD0")); test_hash(&nettle_sha3_384, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("5B192EBAB47215A8E9FB8E4D561B220B1DC36707A3F085F7BB0175335C393251E3467F945570420C743365D0F09B9E09")); test_hash(&nettle_sha3_384, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("DF6F80B6D56CFFA8545A27A245A50E6C2D117FC3598F465B6CD78560F4B3C7D2123F28F67CA9E65BFE0B7F566C57B9EF")); test_hash(&nettle_sha3_384, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("CE97E9DF08789D84151A95C8134F0DB74E5D4E076E0C15966825C371B79B3192FD7C9C6BDAE86B775804B5363D1152C7")); test_hash(&nettle_sha3_384, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("89BF889FBD7A384290D3B1D52709DBA686351E53937630B7C7F01BCDDA19B1517D317D65E799E686C71A0AB4D65B60B8")); test_hash(&nettle_sha3_384, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("5D40E392C2E5B29C80C2D760A93AA1E193472D7EE59E203DD478FE24C5A6264E2873AF31ABDE81827862901AE59571BB")); test_hash(&nettle_sha3_384, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("7C63A0DC1C39CF4FAB2D22F62C1B00757AA4B89ED0D7128DA243D9082AD0C78784AC24DF34F5AB30375F1D581E7420BD")); test_hash(&nettle_sha3_384, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("ED085D830AFD2D8F79627281C2A8163C391FEC2C58268F66F74CFF9751BB29E0D071EA8FD2FCF943020D0AD758281BFD")); test_hash(&nettle_sha3_384, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("29124752CCD4AC724A9C3D53B0B352AF2DBD76729F8C5C648B1E9D77819F32E2A7DE0E15286478A24DF9BB370F855C1C")); test_hash(&nettle_sha3_384, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("FAEAB5687F39EC9894C5CCFFB57E82A84BBB7D493CC6AFC03D07AC7B4F181E61639B9A4771C99985ED7FA1773E1CA3F4")); test_hash(&nettle_sha3_384, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("E4E352B1D2D987A37C831629FE0C6AB9EAB2C35E401D1B5F443ADC54A96EF3C91D0876CCF46ADEF819C460369136DA87")); test_hash(&nettle_sha3_384, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("6C288FE4A74F0ED1B36D12F2DB697FBC44017BB57D38C9EBD45F5A8B4FEB59148060AE4BA1FFA162E10E6916CEA1A794")); test_hash(&nettle_sha3_384, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("E1B6DAC3F138B5F336F1F75894F825FFC197836C92BF359B55BB2A78239F24F9C4AA1E063C9C2B273B9CFA766FBFBAE5")); test_hash(&nettle_sha3_384, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("6E07B59E93B22475633B5BA1AA6891119CFF690697AC679E9349E8694C654074D965F0C32FF517B10EE8F6993F6E4646")); test_hash(&nettle_sha3_384, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("19EB2E15262A839538846F7252676971207913279B9AE9B6BA3650D8F3A8E558B13C35B31F1AB7429E376255338C4AA2")); test_hash(&nettle_sha3_384, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("F4DA80B26FB5E6F7E5DFE47128EEE095D46D9ACEFBE76F74EFBC8A1AD68E8456634E9376025648EF7A3350299F366E29")); test_hash(&nettle_sha3_384, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("BDBA7838A1E7A601D559F49EC1323B7C5FABE1E109FDCAFF3F7865F9AF4196ABBF60AC123097A7B860FE438684355EB0")); test_hash(&nettle_sha3_384, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("96DFE9996BFFA5E5D83C39B11F47F12D11210F7D4300B7180D1891EAAA7FE4809F9489B1E2407FF87FB2628DDF1FC020")); test_hash(&nettle_sha3_384, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("79CF2A3017F82693C0A531A367186D055FCE63081EDF980C6A0B967B6ECCE75D635B98485E9B6B285B08336FF34E61C9")); test_hash(&nettle_sha3_384, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("0ED3CA1620CE3A923A22E9D13BBF7543ACEE05F66B67E6D6F435BC513F4698949C27528068F892F0871916FE2D0433C3")); test_hash(&nettle_sha3_384, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("69A27BBF080E015592893D3B55D1957D267784569923A466165A6FB129613D8EA6F610F3760E349D46B09277CB854546")); test_hash(&nettle_sha3_384, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("E9C8830140629669A1DC5C8EE27BE669B7122F4DC88224635CDE334AD99615F3FDC4869E56263E3C7F4420736F714E26")); test_hash(&nettle_sha3_384, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("4DF060276105BF002F8E9F3F08D5B51F7C2ADFE5AAB9A1A683C053E045C89A883028B1093461368262EA85F5239AC7B1")); test_hash(&nettle_sha3_384, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("816AA6DB9B663288E5F932F0FEAFF0EE7875C3B3E6FBAC0CDDC458BD646371969CF50D2D0942FCC7403573B01B05B455")); test_hash(&nettle_sha3_384, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("125B51C253391677C59C0332C6A13D07DE55EAB80857593F0839A56FA678C5E2F7CB2F934ABE5E5887804AAB5D8F13E1")); test_hash(&nettle_sha3_384, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("130C4B06A55F11C80C41608ADFD7B4CE8795871BCF16900F20D2751E123B41D3B2048FD05267C2F9653ECE3630BDD330")); test_hash(&nettle_sha3_384, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("3EA0FA3FC035EA40CBBE9A3C1C6F7E5A437BA20F26736F2895F81D53BEC92A186E74762910C4AA62565373D38B28D5FD")); test_hash(&nettle_sha3_384, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("7C1F1A46E409046B5A314767E8B7E7B1D9A92931443C5D02A581371B380AFA1867E554C3F7DF2E4557ACFD9F8E230C44")); test_hash(&nettle_sha3_384, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("2AD23817002C8F0089D423760F5569EB67CBEED2F0F2AA12F8EDE7856EE22AA6EB684F86AE91741A4AA3C80AC97C4A0B")); test_hash(&nettle_sha3_384, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("D34974759C6A4AA9D1A4ED3DE341A2BA022DF127BE92EB0BBC1900EB5AC7B8AFE909B52DA5714668C3C4B7DB939F2436")); test_hash(&nettle_sha3_384, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("0FB38AE233520D4F57469463E1E68D5518EA4E965755C03AD458DD285AFB2DF518C3D389BD361CBDCE46B654631A18C2")); test_hash(&nettle_sha3_384, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("CB8F1CC9EB72465176B97B6226A87E69D77C65190114CCE1F830A3DFEFA5A8A278D5CF594B173AC58C06EC74958FF8C6")); test_hash(&nettle_sha3_384, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("87776D7022DC18592B578C534E2FCF57946E0F74C47DF85612F89C6593FD50A9E445C048D6CDA9A1D1D10EA3B3C973D0")); test_hash(&nettle_sha3_384, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("83F4442147FEFC8E5BAD3E9EE4C6661A771AE8C87458AB67153DECD35DAF6756EEF28E4AE72E65EBFAE08886A6E773E0")); test_hash(&nettle_sha3_384, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("51358159074D960C0B9D73D5F12AFDAFB8F5D7905BDA62379A6E0D6727D03EFD26EEA51B434368E2E566CB4747D0BA35")); test_hash(&nettle_sha3_384, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("3ECEA8CAF0D8EFA42D54AC5EF36E624237D9F5508ED6FCB6434D67F3FB788C538C635798F52B2F073A4A7376FD31C4A3")); test_hash(&nettle_sha3_384, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("A8876FE4652ACF72DCC8FD5133E5D4CA4E3766AB987CF66EAE5E3770E252D2FD2A890525016623EE69064690828C727B")); test_hash(&nettle_sha3_384, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("6A09735736780F199D75C60903AA24D7F8AA17516690854F7522EF0BBF47D41CBDC8BDB2CB2F3C5596510539677607E9")); test_hash(&nettle_sha3_384, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("83FC2B91AB81D4B15363F15E53BF639063BAC55502B4421CF9A53BCAB9FF47FD77DE5AC6934F67A412EA1910FAD67768")); test_hash(&nettle_sha3_384, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("77C0480B91F32EF809D8C23AB236581F0BCA8B9447A4D36228052B3ABB6AB69C61D19D720486A3FF497A4673B84CB951")); test_hash(&nettle_sha3_384, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("781466E257D2FA594E39DC220A260C7478D2158BB70E426F9E9587F5A51A7C29FDC7AF23E7AB9C774E33C08AB38CEDB7")); test_hash(&nettle_sha3_384, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("51BEBFB5AAFE777F390E2851B7EB9AA3809194FE3BA1689ABEE7E43D44A5874E0C252793DFD42C1270C63C407AEF6780")); test_hash(&nettle_sha3_384, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("FCDF0032F34BA6C42D679B182D07B10F4DFF2189B0A5EF6642FBB71B16F910E3240ED9B502B1C6B395BEE74AD0FB4191")); test_hash(&nettle_sha3_384, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("92AADC02BB9795A48B031034EE6AB873DF481D232932FB5FD6C3762E50E58DA46D1F5E5E874597F15C83127F0A3042B1")); test_hash(&nettle_sha3_384, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("0D0CCDBFEB0A933F211EAA94EB452900324340505CCF8DB7AD93E976271F812FB8907805F6313D0B0931F5C9203BDBA5")); test_hash(&nettle_sha3_384, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("FEF6B1F27B0CEBC4568588E627D28DD569A58A8F9A51A1D2887B40F5547B2C67C71917BE998D1987AC78E9077CC790AB")); test_hash(&nettle_sha3_384, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("E9957732E7DAB64550F003EE6D0353AE89BDC6D69D05766024CFF189E4FC8FAA41DB72954E8E5AC0B29265C8F785E737")); test_hash(&nettle_sha3_384, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("98D73B3555F003058F7B5A145D89FAEC46C17099A354EF3834A20142DBD50A0E8054598CE7941BF5DD4DF7CCF218F02F")); test_hash(&nettle_sha3_384, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("3795DE490F43B9899947C1C305C30E26331BA0E611DCE7961172B2E4299932147BC9E241C32E61FA964D4F436ECCFD37")); test_hash(&nettle_sha3_384, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("E9F289E671541FEC4599915A0D9935BF5C20A12C203BCDE88A46EAF5CAB2D437F9FCDEF67B98768BB80C9A874B3F46C7")); test_hash(&nettle_sha3_384, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("88C23BE040BE64D23AEE8D7EE962228A6F07831B0E05FBE2F25F07729F00C2C617EB6975F57B3F17DD540E8EBCA654A9")); test_hash(&nettle_sha3_384, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("6C42DEE61CD97C50F5340CF4DC4F7E319FB5FAC7A26B41DEE66D789804BD1FEF1EF2911643C9C1E2C0485C979B36D927")); test_hash(&nettle_sha3_384, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("720150FD5A1CF94A42F922EFCBB723FF948F74CA6D0A3F399AC54DA8B3BC07F39E6E2979C16C875866CF2F584CA7F2DB")); test_hash(&nettle_sha3_384, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("FA6F90935843D4F58E77CABE4BA662B4FABC1732725FAF952EEED70FA0AAD6A98FE67F3B6736A1C8F7C5BED4D9B017E0")); test_hash(&nettle_sha3_384, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("4E2832FEE290D1917C15B31893F6578C1299445B99BC48708E13348A11EB2F27FE217A63F532583793D18CDECCAA78B9")); test_hash(&nettle_sha3_384, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("1FB97D6F42480E9F13C934C4A874877A808F1D73314C544D8570C0749F20FA35F53A0C0BDA1F10D1A10A029ABBB50BC7")); test_hash(&nettle_sha3_384, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("86B3C81AA398C8819AFC4F282DFBCE24F4192B2530C267A78373D253C35C1DCC4F40835529563FD42A33FD2CBD680515")); test_hash(&nettle_sha3_384, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("A6BF548AB19FF60D6A8729FA62FDC9B59237843739AFFF877233ED374BCF70A017126974C2D1A3222D8D906BE850A25D")); test_hash(&nettle_sha3_384, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("BA7D3B6AF5966C8C2723B1318820505D040DA810126ABC3E65088DC421E46D3E54DD31777C539AE083B7B8A4E2303836")); test_hash(&nettle_sha3_384, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("48CA5912C111DB667A77BE7C77F841E8B37130248377A19CD2FA3CD2EEC48B337CFE07C290F2690AD49E79CE3A9F9E53")); test_hash(&nettle_sha3_384, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("4B3849B0916DD445B1856E1B908C414C752D280DE2183DD1F0193E73FD1BC02198599502391E8CA48D65E610D6EDCD8E")); test_hash(&nettle_sha3_384, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("02C90820D5FA9A91072991E87BFEEC7F18315F8CA1908EDBF19886C4CA5BD54AB9EC96A6AB7B815B58538F088867030F")); test_hash(&nettle_sha3_384, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("75967501FF781EFC3C9D597179C8CCAEE4373D9BF6AA6A5BED5118303EDC8B7478A47F2CEAF0A6B5B7224E53D5F1CDB3")); test_hash(&nettle_sha3_384, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("298387BA8A3EB88EE36B4206E54193BC5857F2A303CE41DFF7C3BD53EF7EE3D34AE7E0C714311A7BD8D25502CAB414B7")); test_hash(&nettle_sha3_384, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("27CEF65D1AECB7051BAD55DA0D601BC9D7A16D938A5715374A43109DD41B5C27D26C91CB44E4B47002D9B90ABA0584D1")); test_hash(&nettle_sha3_384, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("4AC9BDFD9F717D01598908BA457627D3AF7C8123F7110DD7FDB40E91EE6CAC201A8B728A384E663890847DFD4DE7FA76")); test_hash(&nettle_sha3_384, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("F03FA03E4CF9C23443D7DBDBB66D9ABBAFEFB6500143FF0BFB5D7D6CA2BF1D7CD043A7BA7EFB48F15EBC68D1F94598E7")); test_hash(&nettle_sha3_384, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("9C779D981F9B7E491FF868BE22B37FA9DF72DE55672A0226A821B29C045DF4FF788FA7271D557EF6025EEA255809F241")); test_hash(&nettle_sha3_384, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("2C0BC54A67B00AD703FC595751074C4E447EFDE00CAAF8C8FCADF5768C330B6C7F1918F044F5C5C55810D078534A7BB3")); test_hash(&nettle_sha3_384, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("2DB19CA557723CD3C17E7D8140CA301A5A2CB77E3F1F595F5B850A78943C7F36FC37056DCF2BADB90DDA77BFA969C0AA")); test_hash(&nettle_sha3_384, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("71E5DD0755CF8B82BC79AED6FB61C9E4FF8361C9AFC5AD980808A8BC480E09D59B234074472851080714E0275CE72DC5")); test_hash(&nettle_sha3_384, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("51F951B8F1013BA9BCED90478E248CD89D4DEBC6A19CEB6EF81BA1A5D8D3339D426D50A94C7CE3D143C45DECCEF94965")); test_hash(&nettle_sha3_384, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("210EBC1556E31A27EAF60A5FE3E181135C5EA117E3FF21AF2D04BEAB9A243FFFF632E3D7778F9A6D0304C1ACF3659A3C")); test_hash(&nettle_sha3_384, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("F5F659F6999BAD8CDC77C42901A8D64C1FA827F7848985136140BF5D4B3BBB3D964D2D8156F9FD02B6D382BC8410A88E")); test_hash(&nettle_sha3_384, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("B151BF98C52F63F294A4B1E990C86CB73C4BDD476B25C138CA66B2BA08447540B0A787DFDDAA3D38AF44CA8EBBED74D8")); test_hash(&nettle_sha3_384, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("47D74FDD9A19A5389313610643FA859FF0BD7B583B099FDDB9C980DCC000AFEB639DD99071EA31976DA35B7BC949BD4E")); test_hash(&nettle_sha3_384, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("9B809198DCCE24175E33098331D3A402A821AE9326E72775AAE34D1A9BB53D2B57863905CFD60543BBC42B454007C315")); test_hash(&nettle_sha3_384, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("93C9834501FC728508A15EB9205E678983F3BDB0BA447EE739AE5082DB37F2F2D485088130E0B1CBF0039D18BDF429F7")); test_hash(&nettle_sha3_384, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("C0AD8C3E7EA595104D4BC0A08DCBC85042ED50DD8D9B01AB47C9F066F91AD3BFFEDE4107F1EB1F5B61CA7D4091D68327")); test_hash(&nettle_sha3_384, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("AA8DAA02ABCBC5A4B3003BFF5CBC2C84594C5A0F84BD449A1A56BE59566E13EC6803010D422A4C244B99812F4537C93D")); test_hash(&nettle_sha3_384, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("CAEB4F829A925679416F7CB177ED4C99721B851AB59D52979BFEC6D2AAA1E602F4310B15624F9D7BF2D351DB73BFB5EA")); test_hash(&nettle_sha3_384, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("FC1FC7F19F6C9D0AD1462B24C121C89B01B4E083EDAD02A8DBDEB990D98CAFE0AFE01E2EBA646872CD816B5203EE8A87")); test_hash(&nettle_sha3_384, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("84803E50DEC901FF930C8A76EBC1F98EC72874DEEF0D249020B1DBEB4EA7D8C7DA4761EDE077158460E054A7F71D1994")); test_hash(&nettle_sha3_384, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("05586BCB8077E19F3F43015216D623B1439C49ECDD3C53255553E9133FD1A9008891520D2EEBE5684C546028CA2CDDFE")); test_hash(&nettle_sha3_384, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("A200D8EF3D120B917561EDC8420BDE022B3ACE792925C8FABF25AD9B0FA676D2260ABD8098F383C0F93043D5D3F56C47")); test_hash(&nettle_sha3_384, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("A8905D1E9F4FC96F2D769D31C9A120DE43A0B20115C8D17BF0313206EB9CD87AE41DF2D444C9D75F9366998263D61C07")); test_hash(&nettle_sha3_384, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("88249AF84A7F1E49D144869A3D4FE8AA6E1A4874EE467BC99E9C33E2105AF2D097417D6B78537925392DB2C5CB1E0B92")); test_hash(&nettle_sha3_384, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("C46122D00B61E79DF025A4D525B8A602C7AC004304A993872E3A8AA37FC0E8EAAE5FAD9A220C5C6AFBD5A4783680013A")); test_hash(&nettle_sha3_384, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("ABA0EE3C16D3DC753F6E466C33A998A73282C0DBEAF51324979A58437636886E5521B567C9A62D405EE558FFEBAE91BC")); test_hash(&nettle_sha3_384, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("28B37125F233BA8D527E5284A16E6EFE9AE84D3EBC6EE4C88AEE0AB165C111A32FF2CDCC4213AC3267B0546DC0D74C84")); test_hash(&nettle_sha3_384, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("258988E54D66E0C53B263BA68D9E3AA47D278DF87C51219CCE6F2547281EA6581540E28C1D7E069254791F0D385EA694")); test_hash(&nettle_sha3_384, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("F6A9399B482A3A5EA6FE79A2DB7BAE7E588C9B7DA03DD85C120112FDBC234350529A1F37ABBEBEB770299E141EEA7BA3")); test_hash(&nettle_sha3_384, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("C0F957E52E40F9B8EA945D40779286F7257AD463A934B049DF40C31D3547AEF41AEA2DD981FD2579327229B54EE04E66")); test_hash(&nettle_sha3_384, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("779EECF39311318051BF73C441FB799708912049E28DF3FADDE449E4CD820CC4CA1BD0F8513927D9A64F5D34FAABA039")); test_hash(&nettle_sha3_384, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("3D6495EB3DA4E81D3470A050F416E2C8ABF657A26D4FD64AF35735B5782B611FB798A72FE7A61CE79D0496F69654CC80")); test_hash(&nettle_sha3_384, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("F8188EAFD0E2F9C7F44E70B38DB1FE3E12B1469739CA6A13ED5A8661673A318296FFAF8D37F6FCEC22A2D00EEE2ABEBA")); test_hash(&nettle_sha3_384, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("7D83C3F2265C90FEF4BC6BD0D17A218F0E196489CB2D8455BBEE80AB989FFEA46DE753346EDBD5C88448FEDB0D4AAD4D")); test_hash(&nettle_sha3_384, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("FCC5FCFEF5BA874A317B73C9B1B4CF6877373D41F0B8080A5D4F021E0D67F3B9F8CCAACFD4244FC10BA58B3A470DB48B")); test_hash(&nettle_sha3_384, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("9B336B4C2B530F65C01AF3F0A46CF1B626D5DBF1B2E50F790B9F34CCA367315FDFBF7D9619CDA4DA22E39F9315303816")); test_hash(&nettle_sha3_384, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("CAC442227F10C4935D42C2914043167890C3EE1F4556D38D20767E8402AEC4D70111F2034276E90F28102DE634E26AFD")); test_hash(&nettle_sha3_384, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("05E3FB83EE8D609874D5935283702F29E5E896BB090C48033489295989C45DD2C06F5BD558B6BC786AB1251F75664B06")); test_hash(&nettle_sha3_384, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("6E463C7FB5CF436B1444921AFE76D2FA4E7A23EDFC9D496AF1DC7E78A0173D797EFF80F2BB32CFD34DAF5633C4E6BCD6")); test_hash(&nettle_sha3_384, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("90457E3D33FCE103420056A1C712441E04856B17CF37A4E133841E6D9A944B5EBEF98CB1C1CCD575632CD3B5C177669E")); test_hash(&nettle_sha3_384, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("E5FC73C70028D1B82A9AA976D34F5FC72916839027038E79DF2E29149E861F09A41A8203CE922203F710964B4F5BEC2E")); test_hash(&nettle_sha3_384, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("B0A1BBA912DAA6D80EDC6519B501B629456394D7BDA24D46AFC9FC1D93A0B5962FA4F95214273290D32B3EAEFF6F9DFE")); test_hash(&nettle_sha3_384, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("FCE4637898BA0CBD9D7B636FEBDDC02A435901CBBEF8BF76D3E866D97D55354B71FC12E67A09E793D749316D714FE08C")); test_hash(&nettle_sha3_384, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("2B5471FAE3805852F4CF39541F8A0A3774818F79FE50476E225D89B62E43BE3255E96D19CBC334AEF04192840F075C7D")); test_hash(&nettle_sha3_384, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("D4D3B49878AEC72E2E7FAFB687DA7EFE242CB60ADF5C65C577C444CFC95A2A2EC670000C8A78898A07400E3502D73F27")); test_hash(&nettle_sha3_384, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("FE1C2143F2957819DF9C9DD05D004BE0E557EED8C5A2B7CE457D5856132B1C43EECEC36AD704A930A85485A34C3860FE")); test_hash(&nettle_sha3_384, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("4D1F626688E6899B5FCCD47FAAB45E96C61E169869CABEF40283B2418DFB2888FB80CC9F2C526497C50C5244784F195C")); test_hash(&nettle_sha3_384, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("A063D778B0A2A11D3A9CBA425EE5938FCAA6E2BF1F30A665FA811601444D5749AFA18766DB5F0426C5B8392238B7862E")); test_hash(&nettle_sha3_384, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("470EE6D35157846890A01B3809EB923CC45DFFF2FCA2826F458325466C983B1C64BEA38BCAECA921C90DD00432ECCF89")); test_hash(&nettle_sha3_384, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("A8F0A3C89CF7E56ACC18ACE1638BCF133094FD9F75F05677C3CD0ED3614A593CBCEB09C78C86E350FD07FF4429A6A165")); test_hash(&nettle_sha3_384, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("C8A9A24464F21B133EBE20BA421A81EE34DCEACD5F04DCFB66D219F7F4145633692C572B63007834A406ECFB938A14F6")); test_hash(&nettle_sha3_384, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("91BADA31B57A4BF3D2EB19A34FF921DB10BD6406191486D25D5CA4DE5E00B5E2815DAE741064E5B877AC57511B949F91")); test_hash(&nettle_sha3_384, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("F310E80951C7BB6395CA168AAE7EC42DEFF6C4CD3F5BE9C8B49B85B405F731911AE8267FFEBD543DBDF409EC20A858D2")); test_hash(&nettle_sha3_384, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("CFD05E080994FC6D7AEF2D8C6E44D8A5E90F5A231676E0FAE0D2B8CE162CA9D06712580C99997A7709A06180DD42FB91")); test_hash(&nettle_sha3_384, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("8FA26DD5A54BF94A037A165EC5CE3ED86147A08DCFE3B48818B0C0BEEEFA33B145323B598F761DE2B639D05127F1CF3E")); test_hash(&nettle_sha3_384, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("283FD61D1E50572EF403BF9C554D76D694A54F902C49795D1CF506F0EE263E7BA994F72BDC4732531FA7194257F2DFDA")); test_hash(&nettle_sha3_384, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("128DC611762BE9B135B3739484CFAADCA7481D68514F3DFD6F5D78BB1863AE68130835CDC7061A7ED964B32F1DB75EE1")); } nettle-4.0/testsuite/sha3-512-test.c0000644000000000000000000034637615141166425014143 0ustar00#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_512.txt using sha3.awk. */ test_hash(&nettle_sha3_512, /* 0 octets */ SHEX(""), SHEX("A69F73CCA23A9AC5C8B567DC185A756E97C982164FE25859E0D1DCC1475C80A615B2123AF1F5F94C11E3E9402C3AC558F500199D95B6D3E301758586281DCD26")); test_hash(&nettle_sha3_512, /* 1 octets */ SHEX("CC"), SHEX("3939FCC8B57B63612542DA31A834E5DCC36E2EE0F652AC72E02624FA2E5ADEECC7DD6BB3580224B4D6138706FC6E80597B528051230B00621CC2B22999EAA205")); test_hash(&nettle_sha3_512, /* 2 octets */ SHEX("41FB"), SHEX("AA092865A40694D91754DBC767B5202C546E226877147A95CB8B4C8F8709FE8CD6905256B089DA37896EA5CA19D2CD9AB94C7192FC39F7CD4D598975A3013C69")); test_hash(&nettle_sha3_512, /* 3 octets */ SHEX("1F877C"), SHEX("CB20DCF54955F8091111688BECCEF48C1A2F0D0608C3A575163751F002DB30F40F2F671834B22D208591CFAF1F5ECFE43C49863A53B3225BDFD7C6591BA7658B")); test_hash(&nettle_sha3_512, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("D4B4BDFEF56B821D36F4F70AB0D231B8D0C9134638FD54C46309D14FADA92A2840186EED5415AD7CF3969BDFBF2DAF8CCA76ABFE549BE6578C6F4143617A4F1A")); test_hash(&nettle_sha3_512, /* 5 octets */ SHEX("21F134AC57"), SHEX("584219A84E8796076BF1178B14B9D1E2F96A4B4EF11F10CC516FBE1A29639D6BA74FB92815F9E3C5192ED4DCA20AEA5B109D52237C9956401FD44B221F82AB37")); test_hash(&nettle_sha3_512, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("4345B92A2AB7EADB6A24EE1D175AC258CCF2F694AC09EC9D47399E4D96F61F30B322C5438C51BACD0D597D00471A41ED8E9C9F146BBC807E6BC385F850FBABFE")); test_hash(&nettle_sha3_512, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("50081C93BF73ECC54A5FFE43FC14F8BAEEDBE7DA0302AC984C9E668389886BD064BAB26DDCB616EB4E0E726042B19F3FD50BDD0D2C5B34892E00E6F399DE254F")); test_hash(&nettle_sha3_512, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("150D787D6EB49670C2A4CCD17E6CCE7A04C1FE30FCE03D1EF2501752D92AE04CB345FD42E51038C83B2B4F8FD438D1B4B55CC588C6B913132F1A658FB122CB52")); test_hash(&nettle_sha3_512, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("A13C951C6C51F236A0197A29A8994B1C7294E17BA518ED1029D6F54AD739D8765920281BBB854D16FBB60E0385AFD6E6E433E63AAA77E73B8BEE7FDE569D6875")); test_hash(&nettle_sha3_512, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("5A566FB181BE53A4109275537D80E5FD0F314D68884529CA66B8B0E9F240A673B64B28FFFE4C1EC4A5CEF0F430229C5757EBD172B4B0B68A81D8C58A9E96E164")); test_hash(&nettle_sha3_512, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("7C77E30ECE98EF88964458683C5E0287B5896E166CCCA71D2BFD8D8BBC6D6FE589A0225EB1D6AA7B220F1410C9A9EC0672CCDDAA1732C3E2877FB5D232C2A428")); test_hash(&nettle_sha3_512, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("F5DF5952924E933330BD5BD7627A62C3672F24A4991DADAF78816E023769C91D1910537F9C19FCDE60FA6DE927982DD5F5970F74E30F2B040F67348A3394C48C")); test_hash(&nettle_sha3_512, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("80A1317EC534ED48D8A813E0BCA0CEE04F705A2F86352306A932EDC548B9A8F1CF79F95027F43BDADA8213449C54F68F4DD800B15C4ABAD87AD7A3B371A7C918")); test_hash(&nettle_sha3_512, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("54C274C3DDF26D824F5FDFCB349A600890057EB2E2022245CBB8BDC0D2240CFA8348F02191FABC0E10F9287185211C9F569132EE6DDE4C396668B4BB50AEFC3F")); test_hash(&nettle_sha3_512, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("00767236A7352551B283A8ECF4C79274F8C4CEA553AB43FC71CF22FB2F6865AD02C88BF0092F213057340C85A5318F62F4991C00C63CB0558CBCF13D6D84E73D")); test_hash(&nettle_sha3_512, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("001618372E75147AF90C0CF16C3BBDAA069DDBC62483B392D028DED49F75084A5DFCC53AECD9F57DDBB73DAA041FD71089D8FB5EDF6CFAF6F1E4E25AD3DE266C")); test_hash(&nettle_sha3_512, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("9644E3C90B67E22124E96DFEDCE53D33C460F132868F0975D18B22CFD59F637DD85AA405E39808A45570A498C0B8F2CBA59F8E1437EAEF89F20B88298ADFA2DE")); test_hash(&nettle_sha3_512, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("4739994390728F4A938DF7B3201CD63771858453F0FF1DDE9A2B9C38A27A0F6C868460D00EE03DDCB0F063F5F8BB7CB0959B7A222259DA0F2C57FA400B50985B")); test_hash(&nettle_sha3_512, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("AF69A46527C17117E6DFF32CBA289EDDD1EECDA13E5313E46678EB8006E7639854C3970DFEB4D907DB1151C1C5EE25CA6F195B09CA5A5CC97A4D64AC4C75578E")); test_hash(&nettle_sha3_512, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("191CEF1C6AA009B1ABA674BE2B3F0DA418FDF9E6A7ECF2BE42AC14F7D6E07331425133A83B4E0161CC7DEBF9DCD7FE3787DCB6622A38475189EDFE1DE6B053D6")); test_hash(&nettle_sha3_512, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("A60D7587424B7242D93BCCE515F1C75AE2BE7710F72ED3F4E5EA8BC2BA8D64099FE42B88A295E12FDAFAB441D772C4A9A7D794B27788EDEA271571A04305F253")); test_hash(&nettle_sha3_512, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("09FCAD97EA3CB6B7FC61580DE0968D238006B7E71F0BD58ABA2AA9D4ADB855D7606E7632138CCC0AA065CA0B92422262E029DA17D73CD3011FF285706C7FC1AE")); test_hash(&nettle_sha3_512, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("F61FAAB080CF9A5F75407B081A03DEF4F49A601A2BB832E8C6401BE0C98B3CEB3F75C922A91BD5060B3217F737404EF4612B9A009B69CA648B1E37B2ED49229D")); test_hash(&nettle_sha3_512, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("51DE0A622FC6FC702C7C2DB5CCB05CA0DDF792986E44B4D336A7A5DAF19A20A371D9BF7DDE822ECDD0A4CE28E4A0B46FE51A2AABEFA7865807EF3D3B1887F14D")); test_hash(&nettle_sha3_512, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("6286C3DB87D3B45CFD4DE85A7ADD18E07AE22F1F0F4675E1D4E1FC77633734D7962818A9F3B96B37FE774FC26DEA787485317B9622275F63A7DD6D62D650D307")); test_hash(&nettle_sha3_512, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("8146C43A0FFE481872142F56A9CEA44332EDC76B4E99C2BDC39D7F80B2A6B554C7598F09855BF7ABC5E6C048BE76F5F369EBB2884E6E37F186E8719DF3D523E4")); test_hash(&nettle_sha3_512, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("4B86FBF9DFB6767EB660AF9C30983ED65B6FD051247AB54767DFB49530EB3C01014EB26DF63E536CF55E0BCE2F62654FB2FCE3839B4BFD301570B1AB794DF67D")); test_hash(&nettle_sha3_512, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("21132FC11F6040AD493D627027C752CE29816589DE7BE78562914B63D1A9219803DDBD9673AA749F37FF4D6E1B5AE2A12633BA8B0C9994E031EBF6C42E58A793")); test_hash(&nettle_sha3_512, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("8A5374D92FF9A58E0451E609AA5C0C5C172BB2068C80562D0324F9CB6A037436910C6593F950C44374B4E5BF6F6D3A436ECE6DAAEB56D147D8CD839CCA35EAC3")); test_hash(&nettle_sha3_512, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("71025D089A39D27327C46C27BD4E7565DDBF9C286F185A08178601C3BAB4667F368A3A8BDDACF25B2B0AA5C9E0CD6C87DC32C854027A8954B5C6AFD3A85097AC")); test_hash(&nettle_sha3_512, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("DC29EB7130812A652AF3FF9B77629684634502EA6667E7E9F80090EC2A9D690C8C9A78645FB04D9CD269E706EE2C96E74207FBBDA559DC285C9BC52F15A256CA")); test_hash(&nettle_sha3_512, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("B087C90421AEBF87911647DE9D465CBDA166B672EC47CCD4054A7135A1EF885E7903B52C3F2C3FE722B1C169297A91B82428956A02C631A2240F12162C7BC726")); test_hash(&nettle_sha3_512, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("D2A95C6FC0F39C8F7A86C4DD6261A79C940FCB313BCFBA9BF71527F5BC70EF827CD97DFA18280E5DDEE5CCBC1D63CE88CE2BCDD82DAB610F79867A7C20B11E4F")); test_hash(&nettle_sha3_512, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("AF8C0FBD72B3F807DB95C9231BC4E93153DC6608B22F4707316AAB3D69AF0E63291B569F118B5C9E693C5BAC4630C4A923A4743581246AD3446DDA4F9076FDDB")); test_hash(&nettle_sha3_512, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("BFC7D968D45342069807C5F1B96425CFFFE99ED136D47665E902E026C118701BB7C3E7FD691785115CFDB2EF235A66BCC1384A1D088B8CCA90D9D560913549DE")); test_hash(&nettle_sha3_512, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("9A348540AB669CDD8914426FBBAD192BA0DB16583E8D4E867B66CC78C6496E4D83DDBF7B972B0668DF7903B0FE9AB82B65153F947CF2AF2591121C9D1A78E515")); test_hash(&nettle_sha3_512, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("FFDB649D1AA7FF269B9BB0AE6192F7BCBC06612528DF0E68521D5C891E9BBA129271A07DC56393BB21218F5E2FB92CFFF833432066AA6380F3557A0748E65B33")); test_hash(&nettle_sha3_512, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("9665808D39B4BECFDD9AA8020A0A72CFD4F823A15D670D51278A4AE95507E16020AEDED6E6C0E2DAB0BAD890A9E7552403D2AA8D1EBC0B8EAEC9A3A8DBB2A9EF")); test_hash(&nettle_sha3_512, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("7ABA6B9F8F18D9D72B883EB988A5F4FFCC0217A3DA316AFF11B38976E90B0736CB000F522DBF2DDCBB61BA4BF44C356EC5B46FC86A5133F971A94FE2A9983260")); test_hash(&nettle_sha3_512, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("589C46625A6AC9A2C9C9A884F427C3C032887AE53A69932B72E1E3796BB9568929D163395A3AA8B2AB23C564937CD729206D9B62CC60353B68A69A739616EB35")); test_hash(&nettle_sha3_512, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("F7CD8737A1AB36B37612E57D1E5A3D4A269D18CF2CB7644A12540E3B184631794EC1A1DA118A109AEF514DB3590FE27BE0752EC0826ACAF458FB0A754BDC51F1")); test_hash(&nettle_sha3_512, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("B21BDEDE484CA18F672058667CB2F2DC922C44351E95C2CDA75AF7E45577BF50E3F203139F6262279ADFC3221B94A072641F8BDB55DCC02F21D0879EB5E7466A")); test_hash(&nettle_sha3_512, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("DB56265B9346968A390E9841D5B7878A158BAED946068E808E456735A67E49220FAB66239D5D506DD75A58F2C56E25C9C105A3827C1434C67255CFC9101A5D09")); test_hash(&nettle_sha3_512, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("4C825FD9A795CCD20A0892DA1572B9B1F70BA05FF2D2DA3A4726A74F9AB5323CCBC4290459C1BB46F0A1E1FFC357FF4766F4F4879DAA91D31ECA986AA30C7B00")); test_hash(&nettle_sha3_512, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("8445A05766A30DDD0080589F8E8CBF7EC59FB7A3CE73C0209791B19CF712CF1635D63C8356822272309C6B9F01637088878DBFFBEDB26D2A566185225C4DA56B")); test_hash(&nettle_sha3_512, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("2DC25165CF317ED7DE2B4F2FD0995D7785978CA8581EA8033E912F2E44EE613DEBFC5535C48D63838F325D1416B9180C20BDE82614504B7161F9860530ECA70C")); test_hash(&nettle_sha3_512, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("CB6110A02D7CA636463F6E3502CCF0173B000482C7E002AD9277C1D10317BDDEBC3DA7F91D0173E3E2F9552BDFDEA4DD1AFBF7508B096AAB1804921E95754E78")); test_hash(&nettle_sha3_512, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("7EF3A2894C6ECBC4201B15348F90671515ACCBA3C8166621F864A9184BF08C3F5A895F6B599D3CB41F20A8A1DF25AE84F1A6D7C8DE74FB7CEF48F7E96FDE8D43")); test_hash(&nettle_sha3_512, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("39C7AE0F80129D9D2980A6246E2B6F10A39EFAFD694DED12A6089509D95ECE506DC38C0A9DE487D9D401DB1F15193404911069533BCAE4C48C53F27BEE3CE0AC")); test_hash(&nettle_sha3_512, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("9B8A7D2F8519AD6DC3D2BC5B696B354C5A8B4796402CE1242C52638EEA6893A1269820A642BC9EFE56CD7E26DC46E97A7FC58FAF3F1A7A25F86ECDC1F2F17E64")); test_hash(&nettle_sha3_512, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("B5CEEF23F56BE807B616C7FDA4867A1D12D0A16845459FC704CE631AD3279AB222DCA7ADDAE595D289CBA8996D46655FA9B6BE58700302E655C51C825F31BB2E")); test_hash(&nettle_sha3_512, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("143D024FA75C8D46273589B8F78432D49EF14178E4AAA27DC366C9CB787F24B73F4197A722F13031181A6FA6E4F66127893DA7B23A579BB93FE7D737A4194093")); test_hash(&nettle_sha3_512, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("0F48D008DD3AA630E8261658A55B565B6773992426B08592B4C1D77A58B067F05E25974E501628A2DB632F2DDDD73673119ADA5674D0CE92C7AA908B9E9C435E")); test_hash(&nettle_sha3_512, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("297498639FC7AA4152654E468E08F29AFFD7061D44E3F532BE4BAC169C877A2EA7B4D70D6BC0F678BE08AA064258EF57111310D13B889712D06530B690841DBE")); test_hash(&nettle_sha3_512, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("1B6DA16151FCD18383372683480119A304796B2A5E54F7EDC6C7BC86817359E73F6FC5587C77BFC71B56EC67905FA7F15193F9F13CFA190BC7B05503A5782C8A")); test_hash(&nettle_sha3_512, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("B2F40935E7C9018814C4E2721D9B5AEEED3370690378E472BD29F227442CA4942B06189C346FDA498123ECE59018E42C8B7EE38191F97789B4AA93223A8D80EF")); test_hash(&nettle_sha3_512, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("C8D242FB5FF1C6CD11A040AEAF35CC09E355A975E04DED1D8341878BED5DFF8BBBD1B69F4D122CE53309AC08753B95D2A57721DFD12E70A8EF12E11E16DE0FD9")); test_hash(&nettle_sha3_512, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("D1D5D5DD7D196B87BE4A38F2D9B4A69DF9DFE0A6E8CE71B08CF22C7F670ECF273EAF395D12FC63E1741DEF113CC7104970194A7C7C807E5319D7BB702F20B568")); test_hash(&nettle_sha3_512, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("D812470B2D135B6E1BC0C85DC0652BF9F6C2F9EE707A2E667181CC9F689BC7DF9CC999B08716868AFAC78244B151B725A027D9250AB7A073A469E7F09BDB0B55")); test_hash(&nettle_sha3_512, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("203EF6BB5132A9D44EAE93C7202B1469C2C2B93706D0A31B29223C411A39550F60F39B9556FD040BFB5F9F7099313B8874C8ED677CFC5F93D9A2941A9B0139DE")); test_hash(&nettle_sha3_512, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("23BEAD09707A77B295FD22FE001282338C2D368302A05FB114BA2A012C4DEFCF06F3887D6DB7A0A1DE04BC399BDE92D6BE71904A9AA7B92BEDFA0203F1D8B06F")); test_hash(&nettle_sha3_512, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("93A8DB85774B321090801DF4DC3CC75E94AF63FF6DCF50BD210E5B65FB35E1BEAEDED55602EB32380726029834982D77B434E94179D0A3EE1059345910EE1DCC")); test_hash(&nettle_sha3_512, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("3B7D98FF3152B2024AAD4FA0B40DC642E842D453305ECEF278574E386172F3C164E4EFB9C2951A23FC73D83C16B4900FB92AEB8EFE06B58F918BC4A481E4C238")); test_hash(&nettle_sha3_512, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("EB5067BF762A291CF258AD69A816A0B089E0BD44F8E5B74CF60BCE64734E59853CCB8D091CD2E33F90AA063FB7942CF5965D459200144C1A0801ABD69A9A094A")); test_hash(&nettle_sha3_512, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("B0E23D600BA4215F79D50047BBFED50DF7D6E769514D796AFD166DEECA88BD1CBE0AFC72A41E0317A223225B4F5882F723AFCBA3AF7C457EB525946DA6C53BB0")); test_hash(&nettle_sha3_512, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("83021062117DA99327E521D7C91331208BF3F0A972A6C755ECA46760C0984871FE03724A51FB5441C3CDD3D24FA1B8127510D6A42CFE18B08E8096ED702EF33C")); test_hash(&nettle_sha3_512, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("BCA9F06B6B9AB8F76C4F3DBE677D5B4B3103423644484C77CDD8C5DD6C1A0BF717C76E83DA9B2B4EDFE4CC133C1FC86396E8C3A9E42FDD20519FCAA19969189F")); test_hash(&nettle_sha3_512, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("DCDF7617F79DA8475B3A4DB1306C9CAF87F1AE85EC97721892D8E20D0E54EC82EE7A0F2D17F21A61AECD89A6C4CF5019D7B8077447EFE03DEF5208010A8A1E84")); test_hash(&nettle_sha3_512, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("9B8C7142180F0ED85359B6D186AE05B77B2DB7C3E1F066392E733B7EEFFD7C11F7A6C0C570273A1F3FEA1A0929D017C7A4FA00175B5ABA76861BCA7EE806458B")); test_hash(&nettle_sha3_512, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("3AB73A0A75B997C0EE8329C33E6EF1389E9821711867F775AF29517EDFFBE410D037143C6431FDED3D8CE728086C3512E94F038B9243B50CB820DC2445535D91")); test_hash(&nettle_sha3_512, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("DEF4AB6CDA8839729A03E000846604B17F03C5D5D7EC23C483670A13E11573C1E9347A63EC69A5ABB21305F9382ECDAAABC6850F92840E86F88F4DABFCD93CC0")); test_hash(&nettle_sha3_512, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("A3E168B0D6C143EE9E17EAE92930B97E6600356B73AEBB5D68005DD1D07494451A37052F7B39FF030C1AE1D7EFC4E0C3667EB7A76C627EC14354C4F6A796E2C6")); test_hash(&nettle_sha3_512, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("635741B37F66CD5CE4DBD1F78ACCD907F96146E770B239046AFB9181910B612D0E65841FF866806EED83C3AE7012FC55E42C3FFC9C6E3D03CE2870442F293AB4")); test_hash(&nettle_sha3_512, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("D6299A21CB1B31F0A6EB67D82D4E738249013B75C9BCB4A4FE419036A6043A7103E9CA9B7D25759177C4B64001377093CF39F35C9B1625C6819369FA375FA49D")); test_hash(&nettle_sha3_512, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("07F0A184734BA4BB721F36D7B1B383F6BF99CD5F75941ECF1FF2B325F03AF970D1DB1F035975702093F59A7610BF054D12017ECD6109177CF061AB1496F87860")); test_hash(&nettle_sha3_512, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("89070B8B1E322CCF9D6307EDC11FC34E13874C4977DA9F6035D06FAF647D7F7D54B8250B541744298AACD4C54D9B41B4085DD35C491A461D504BDB42FC12F03C")); test_hash(&nettle_sha3_512, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("6C3FBE32556445DAD430CF15FE1243B6AB44349EEC2BE1132B0680E5EDF0B08B55F1ABE473439C5E0750132996195FD120C267B9100C47777B339132EC34CC80")); test_hash(&nettle_sha3_512, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("6AE3E656CF94DB10AE3C185362A6625CEC53E0BA4DC7D1608A3F2FCA3C4F31F89FE1B06FE9CA345E3F5E967A3EBCF6A1A16E24521D5C4690D9B642483AC7A896")); test_hash(&nettle_sha3_512, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("ADA8E78CE3E6D447BA2B7DCF98718FE7D43B38D68117E5779A41EDD8FA72198E3B3C1C0215925BC9D007FD2C355EDD668A0C27EF0FF89F76CF85363D4C9EE001")); test_hash(&nettle_sha3_512, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("3569D9A08DFB0001BE713940C464C119F5A4C1B9FF97D8297D04C7B2DCE2D684AEE16443C32E5BB2355AC8A336249D1BAAEAB4FBD04AB982D6B178DD0A5B5BC8")); test_hash(&nettle_sha3_512, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("1343E3CD162D7986431BABE66383B84029665691E36CAF97CDACA17EE9E97D74201D2A828D72E9FBBD5E07831D90F09EAF3C863BD102CDB1EDEBC8AD58A53ECE")); test_hash(&nettle_sha3_512, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("BBA01DBEA9660F9C2AD74460B67A82440701EB995143FFCF7434B5D2DE4E35C82CC757DF776D46199DD8E7355AEB1F42A88F6F0BB50FD239C73898156E4DDBBC")); test_hash(&nettle_sha3_512, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("3268BC24E29392DDA1677B7A3CE3111994482D17BAD1C150AC885F1D29C308657C69FD4F7CE5967D04FCCB920DACB00D0CE09536EE92A6664CB20E692D91D8CE")); test_hash(&nettle_sha3_512, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("EC13E390FA65FDC11054E32C9F5BF5E6E97FBC34C28089346FF22D9762BEBF6A14FA7F9C2E6643D1ED7EC6925D0FA2098F8149058E99D02AD5CB61B4CCBA6467")); test_hash(&nettle_sha3_512, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("6FD5A334D4B7F9C72A8DB1292CC8F19BF2A00F5C226C1636248024723CB876070A9657F48AB3B1D4229202B7BBC64053A48C3FF6B93AB11A2AF3237721C9CC09")); test_hash(&nettle_sha3_512, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("016C80CBABED07C50F2C1B677C43E52DE8D11751E54E596E0C04B3837A7E34A9FF5D2E98E7C58182879C15847D18DCE88EA900337BC448112E98CE1118820C58")); test_hash(&nettle_sha3_512, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("A4E85FF86482C10C6AAABC79A573CBF89A0A927110D755F22B529BD7CF3F6CC6CB9861E509657242A78B0C0AF78FF97ABCC1A8388270D6C8D302D45C9BA58404")); test_hash(&nettle_sha3_512, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("B97AFB77D39F8904AE8A5129A7DDC8EC9290AC40356E1B53DD057FA7584BA31AFAF9EF5B657097FC115EAA33E7EDE36DD00832D677EBD07C34B071E73580DD3A")); test_hash(&nettle_sha3_512, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("AB2FC59A43A2666C9206B9317479285E660B670C6F111F999556E8151E0EB8D12BC82C9A7E7B3F8D6F382A8D96775EA417F754FF552E1BAC271FBD08240F1B86")); test_hash(&nettle_sha3_512, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("0A673AF84E2D2317B80A873BFE38B252872708B38AF9B956E3554AC2DCE2F77C815593D99930E7AA666C57B59730712E5C4A9B57849EDDD712A378040EB824D8")); test_hash(&nettle_sha3_512, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("1D34645463EBBD932C730E593D9C108AA86807DB6785F05C4CE80F3E8302F87EFBCCB1AB884E25F1DCD5485D385502995E7ABE2EF11BD3469E036D7EB93B4F39")); test_hash(&nettle_sha3_512, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("3F57FA915A782E3CC69815BA219F42AA2C222CD7F309F10AF843384B3D3939AA0B92DD9571686C7961E06BFEE818127FC5B5F32C67F4AA2AF10D4FA38F65E90D")); test_hash(&nettle_sha3_512, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("151382CA35FB20B895A9DC074D687F2F335EAF57456D357A685EF752DA59174D3F239AA9E04F142138D9413B21904665EF4DF2F63E663B490383660481F78362")); test_hash(&nettle_sha3_512, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("23AA4B74C54E8F450054B6ABDBC6F6C3E44366AFCEC099B155775DE040BF3B9CDD0B875F9D490FAA694F18CCBFFEC6CAB7DE57A59EC6327240AC59D62D50B21C")); test_hash(&nettle_sha3_512, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("3605CEC16A7AA8B2525479FCC1295411B6A952DCE233C9ACC856D6D17C9812C920178500CD0028B5998D07046C6A5CF398EE1EC97DF9182C33FCA86647861878")); test_hash(&nettle_sha3_512, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("C5A526D75816D41B53BF164B0467E0B80A9984D1830EDB9D49F7EC3ECFEFB01A2C824A0F645753AA463D567CB2782AFCB2B2C2102EA664C56998F79062636FC1")); test_hash(&nettle_sha3_512, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("B239941A31100AB1B24AF2D1FEF149DBA300105A31B72A8F217E306A0602D722CCD593A23E6539D3E4195A7E12CA19AE2BAE8B8399F7A9D50DB30216E973F2BF")); test_hash(&nettle_sha3_512, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("D6AB0D0B416D1BBC85479F9850585761B91775A60307AFACF70943FEB58657740FE35DC760AB9CFA672C6B5552AA67BFA1F0D6A6F943B3912C229B8E0155C002")); test_hash(&nettle_sha3_512, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("BC0A28450368C288013E2EB1196E58933CE05869CB55FA2BDA61D9D92F83B903E59DDE0B927CA6DBC46F5AF2EB7E8831E8668888BFEA46D78F4D274818D56328")); test_hash(&nettle_sha3_512, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("7820A20056DF741E19FF4D150663488CF86F936353E99E25B93220F5230BFBC13363B458D6DB92F9D211D705362B01782EC118ACFE53BAE4C6AC2C7E5D0111FB")); test_hash(&nettle_sha3_512, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("0984A43286A3CB22FB59F7880E114E23E3AD3B0D43025F3987D0AA6FA8E53E6066F80F4769241DCD062431C7F6712C57C6E3275ED3F2BC591DB6DC20E5BE0953")); test_hash(&nettle_sha3_512, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("A6300497F650859CD744679885CD5437A64CC3961574DCCE65E1611616A9F97190F39130BA532094BD62464D0B8B52297A2C9C279B2C9860C072CD44449A9CDF")); test_hash(&nettle_sha3_512, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("E2052884D112238807C02C135247F76E0E394BD6583BA83ED2731CF68F057276272B891A761CDEC6D8AD2E3F33E86AE9D9A234682BCE7A53816235692D2CF821")); test_hash(&nettle_sha3_512, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("FF6A7D0EFEA45E5F0ABCB173FCE2BE76B52D0F3FC363AFE31D219472742D73E56CEE2AB91A94D41335C4FA25CBDD6EBD1A087637CAA25099D5A9D60693CF62B9")); test_hash(&nettle_sha3_512, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("4183F96759E7C0628F2FC81979274F42111A43BD5DBB3685BB21704CE6B0ED3D164DECF28A3A991B303E1D7B86E2B175BA89945A8524F9C9318F12B160A1E4D1")); test_hash(&nettle_sha3_512, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("940C6F0BACF11E4B045F432003F889278709F9C3D8E420C9A17155F57E776D72B4306BBA4ADF721708F6EF457444AB12238372E207AB41D5EF5A68529ED0B26C")); test_hash(&nettle_sha3_512, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("172F0C680310375156911C07B1819F0B9D124514EC2C3750CB2E39926A28A4636AB7ECDCDD9D6A960D16C864DD585645D87F145C5B315381F356656D617FE97D")); test_hash(&nettle_sha3_512, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("410DBAA5E3453F2DAFCE135DC014F28FBF693C84EB7D4BECB80A3DB32E16E89062B3FF59C1DFDFAB32D84D20284632A2AC7F8F88D4B7023F879463BA18FF6553")); test_hash(&nettle_sha3_512, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("F93A099159C39617B75B188D527FC4DB287CBB4FDDDBA5AD4DCB4CFFC4DC59762BBC41A58D3A788EAE152AEA024BC4CC4F29FC7B8AB68065A68650A04B51818A")); test_hash(&nettle_sha3_512, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("05E69984EE99AA2BC851083AA44EE56FEEF86C45888867CDCDD0C7A8049080AE7858B93C19953A881BE5C036BD8FE83628C2E3AA9939A288B4AC4BC2876C2FBC")); test_hash(&nettle_sha3_512, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("BE22F3E253C2563C3353E693D2D5A65DC6BAC2CBCDA8E43E8584F9D851E602D4374936403FD688F0135E363DE8099F249DD21C61695C109C27ED5F4F4C1808BF")); test_hash(&nettle_sha3_512, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("1D1836C4E2C3EB27A74A9CD600C064391BD9EDD45464A5795182C8794748BA51A345C6FAE2B91F5758401E4F427D50B6882B1DF0977976C2C9432C1A9B3AE03F")); test_hash(&nettle_sha3_512, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("CB0D33C173C765BBA3714D56A4CF48FD6320AB8C5317E7AB1A46472AFB756232CD27F51473DCF9BD7DAC1AA7F669353FD8F3D27D17D3FE3EB3386876ECA38A85")); test_hash(&nettle_sha3_512, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("B579AD0C750B91E0671BB7F0482A519835D155AE1A4DB92112E66FBD158835E0C29E2F122A8C54C530F92633F6EC7B222CA3CED45B4B5A24426D99C59C1B6609")); test_hash(&nettle_sha3_512, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("689C878D8A44C79EAF0579DC96C0E7FE7D33491F59A6058BEE60E14B8006BDF6A6070B2B6D3BB6D7C31CCAE09EC403DF49DD12BA72C8532A8E476B4B415D8369")); test_hash(&nettle_sha3_512, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("4E4DC49E414C794A4B6D8D2093FEAB46D91321CFD089B1FD8CB5154F3E342645F6233A9216DB04F080E5AF8B156E782AD16E0B15D814173E78FCF5E7CF8EA51F")); test_hash(&nettle_sha3_512, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("2C8F456F9091517CAFA9DF1D09EE621EDFEB2C00DAB944355D592DFDA128F837228578E3965D3767959D3CDDE4E7B67E02241F28C5417E33EA74E39032F938EA")); test_hash(&nettle_sha3_512, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("3AE18402AD4123AF1AD868450591C46F66431D422A29D932DF94AF9AB3E256F806575B3EB0D24EDC7531725E0336847B2E571AE667B619A9D79A3E168948AF5D")); test_hash(&nettle_sha3_512, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("6F3E1294B67D875165FD09DD493DD55924E9E28E53AFA2DA80916D7D54E19C1705121D617E53F56EBA4767D6435E986FEEAEB965EC4956FD3C02DE1288FBC661")); test_hash(&nettle_sha3_512, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("AA3398BC7DAEB4F22CA6D1937B0C6097A49ADB6DBC03FC0F5226A644F217296BF55747269B861FC7B22BC5956CE3D8DA28E9F25D8C9599BC653CD0EE0C852473")); test_hash(&nettle_sha3_512, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("8BCBBE36DBE305FBB558EA46721D25DE7AAB7898E583E8BDF26701224387C524C683475C242C7DE090608A4F17663D217276F94F4188B942A03039B5E38D6AE3")); test_hash(&nettle_sha3_512, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("4782DFCAB650E7A8DAE9A010CB002DD0373BFBD31247FA9860876D7FFFD2D57C355F2054CB2EFEB45C5871F284F46B025798344A3719EFAB34D15152DD0BBC6C")); test_hash(&nettle_sha3_512, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("A4D538E449E2B3EBF9AAFC88D29E514BA0D2C8DE2706F3F6FA5A2C4F95F5DB5BAB59C1A69C16E4859A19730ABB2E6BF06152445EDA80E3BE5CE652023EA57E5E")); test_hash(&nettle_sha3_512, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("8732D243F1B3349F900DF430659B9AB9ED99F626AD35CB2084B57D60E5A5B47213AD213859CD40964C5A267C236D0E38167525F778E67E37D4F623A8884128ED")); test_hash(&nettle_sha3_512, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("97DC2606E14F7BFFF1FCA497965E36CAA3A81CFD6459D0254529F64DA40FFE7442C08A151D6CEE3B46BF3414E80110A0F71EEE44D7940027DEE90E919E498D65")); test_hash(&nettle_sha3_512, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("DE5978EACE4E51F7D289F2BEFBECB3AAC8E9CAD48FA0F7310C673D52BBCAEEBDE49CB5A76D334D6DFDD51AC1AB24E9E1CDC915069DBDDB3D2E30B0B0C26B3EE1")); test_hash(&nettle_sha3_512, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("33ABCA29A8A7094CFB10BE4A80E81F8001EBB933C0D4B98A695B22AB553F94F07646ABCE6ADF491817D17B78C40747D56FAF88A613138CA0E596636C672397B4")); test_hash(&nettle_sha3_512, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("4FAB45806B4628068458B5D0A2D4BF101B8BFC9276EF86AD5D883765C43F72CE8A5F7B4C5B535A915130BB185E699AB62228014E54DF790C0E93AADBE7E39E19")); test_hash(&nettle_sha3_512, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("5F0BFB4146910CF0C320364B6AD8A02B0966229AB2676D9670F0DD241E8104DB02797EEFEA0B9CABBE90A44757B033755925B2FCCF3A00054F9AE8FBCEF752A8")); test_hash(&nettle_sha3_512, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("D38EF3B12EAA0BF62A75B6B63CFF3C9EF171DE1B75F5D02629365BCFE65BA7DDD30FCEF7FEBB82F19F9BEDCC1CC4C679B4292EA62C2A90A7562DA9A1318FE278")); test_hash(&nettle_sha3_512, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("60C95C274F99B8643A186344BC01D1279010BE55D1BE76F4E6F919F6B54D335EE0E1CA92133F3D7A2520CD82C4000E15EFED8D8A66F31B16B0977C63DE1BEB05")); test_hash(&nettle_sha3_512, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("9385D0ED9E73498E24B8C6E746A1C6BE8011EE30FCAC9BA17224EE2012378522C78F8737A224621FBA19C42040C5C7F38AC07B40E0E75EBC59D17975EE85D655")); test_hash(&nettle_sha3_512, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("7487164D408874AFDF07EBDADE8C62E756147BEAB3238B8738AEED927F54FE6D33AF3917D4E181B50CBC88A379C73585F9FBA4C1B67B4BE449004EA0F66D11AD")); test_hash(&nettle_sha3_512, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("0F41AB2D10C51E28638DAD178655F160B2F753DB44EED6CE4104693CC4A938D887617774AFECB33B890EE7FC577656CE168EEA42C604D152B952C9B772C9B530")); test_hash(&nettle_sha3_512, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("7575A1FB4FC9A8F9C0466BD5FCA496D1CB78696773A212A5F62D02D14E3259D192A87EBA4407DD83893527331407B6DADAAD920DBC46489B677493CE5F20B595")); test_hash(&nettle_sha3_512, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("2E293765022D48996CE8EFF0BE54E87EFB94A14C72DE5ACD10D0EB5ECE029CADFA3BA17A40B2FFA2163991B17786E51CABA79E5E0FFD34CF085E2A098BE8BACB")); test_hash(&nettle_sha3_512, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("BE8E14B6757FFE53C9B75F6DDE9A7B6C40474041DE83D4A60645A826D7AF1ABE1EEFCB7B74B62CA6A514E5F2697D585BFECECE12931BBE1D4ED7EBF7B0BE660E")); test_hash(&nettle_sha3_512, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("6C7E64EE0D826073D4F44BCF1586A83BACF3E2E138DFDB65B8B8B35FD7DAE300EA6E32C6245CCA27C674FEB2196755945AB7C5DCE99EAB9158A75518AC27C431")); test_hash(&nettle_sha3_512, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("5842D4DA2C309D9B2AA7CFAE702262F770A8E646620D65C17271416E9D7981FF93D228CD60DC1CC16921020D841E439E87F085E503D466C904ABF8CDD5ECCAA9")); test_hash(&nettle_sha3_512, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("F8B24527B5C84CA9A702DB2F535F78ED0323C2932A255DB24F872551CA7F5C0482B3690C62EEC8AD69308DB2D72308C4D615CDE3835B39B4F6FF115466F32763")); test_hash(&nettle_sha3_512, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("08C6E3938DE48171A99646BD090B7D53FF422AE63F99850032BD131AC7BDFBA8F83466AD31FAD3169D8A320FD9548BDFF2C40BA20E0D031A8054019C40ED2662")); test_hash(&nettle_sha3_512, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("6978AD4BC4F0FC44C35C6691CA46627D840BAA572DE9B0216673C988197191CDF812CF21920E052CC9CE1D507D1BA7DB6F151D01620ADA702DC637BF90809C19")); test_hash(&nettle_sha3_512, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("3A8E938C45F3F177991296B24565D9A6605516615D96A062C8BE53A0D6C5A6487BE35D2A8F3CF6620D0C2DBA2C560D68295F284BE7F82F3B92919033C9CE5D80")); test_hash(&nettle_sha3_512, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("FE45289874879720CE2A844AE34BB73522775DCB6019DCD22B8885994672A0889C69E8115C641DC8B83E39F7311815A164DC46E0BA2FCA344D86D4BC2EF2532C")); test_hash(&nettle_sha3_512, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("AFF61C6E11B98E55AC213B1A0BC7DE0405221AC5EFB1229842E4614F4A029C9BD14A0ED7FD99AF3681429F3F309FDB53166AA9A3CD9F1F1223D04B4A9015E94A")); test_hash(&nettle_sha3_512, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("26410E1A0D1E3659438DDDB2953EB3AA082CEB02A327FA0098574D89F9236F5DFF9C17DEF37F6CE4B5DC1EE5F23F578FE191EE8B51F1B8034BCBBBB7B6A500A5")); test_hash(&nettle_sha3_512, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("5015DA2A2E1661D3A52A65D19F02933029839F72717A77B5045198665093F944CFF85E094D418396A51C574157EED9FB6BDD4ECA53278FAB62AF699B53C82F58")); test_hash(&nettle_sha3_512, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("B27828CFEBCF4D896EABF1F84D079827B7DCC7F308A20476474DE518829A89AAC3DC50272CFA976B0B5819C45C9EEFC51B87A27D11C9E5F9579121125A887542")); test_hash(&nettle_sha3_512, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("42FC06DCF99B4E804BB349101B46D6A6A7366E47555406EA554248BAEF52E17AFA40829F5709D07FF407881DF106F156CA735622B0F051D8C372F6E811CDAE25")); test_hash(&nettle_sha3_512, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("0CA89C9B7273DE384FF33F1BACBB8505628C4D3E30350B335361563AD416ADA523122D37ACBEC57721F7BC5D9B049E1F4FE3C4CFE047E33A0E448EF5D5536CF0")); test_hash(&nettle_sha3_512, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("78C59A8CDF4D1D07A66BB2FAA7FFA2112D5C0FCABF7E3589E97623BDB922AF9AF24918C2CCFCE2B880BF64145C70DC9A4FDE78FDF0918DD2CE5FEA9CF99ACD41")); test_hash(&nettle_sha3_512, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("CF4D52D20272DE014D367310775287EE5E5CB34CF9AF78E65D1D1FE7FB1F13B62DD9B83C382BAA6AB4F6949478C8598FEF78E8D535311FC19808CB75E22DADED")); test_hash(&nettle_sha3_512, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("33D632E403C9F9A9349B28AA4821A12B1DB557D8928003D30C57D701CFF1C49BAC9472CECFF450E4D91D36C6CD78221790EFF6F0FBF498034014CBBACE5DCF09")); test_hash(&nettle_sha3_512, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("954C709ABCB0BB881592D93F5C2463CE8C060AD1DF3053302EA7B19F2B47BCF0FE359A832F9A865A8D3DBD3BE598DFD6D0FC1C574ECA0AEC78D8E3288399BE05")); test_hash(&nettle_sha3_512, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("A337062F5E5C9C35341A51224F2A59E6CF919A63BF59A6CFCE261194BBD660F28C2948D03CDCE5C7C151EC05B42AADD83051A16A62F0C7DF39AAA4EFC82CE4D3")); test_hash(&nettle_sha3_512, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("43E9D0EA8E526E83234D7B63D8244C7E7B12AE2ACC8082F986367268F10156574300172873845B207A7252624246E7D32CE0F7282E00C4552F6180F34E590E2E")); test_hash(&nettle_sha3_512, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("F7DA8D1E49D0D964400EE40F9C88E07025A8B0B00CADC624A63E2EA85B1598E22C8802BE0C1FF368519549A752E02546093D3B984E24600BA2AB7C792B9E074A")); test_hash(&nettle_sha3_512, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("D9A42761F980C78C36CF54C4207B0A62954E15A907A7CEA149B37A4E0A6376202FF8F12E16EBAD3AECC7FF3A9D6AD093B068DFE272E3B9646B1AEDC04961DC81")); test_hash(&nettle_sha3_512, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("BB65D8943413CEF89FDB05B35A55EC7503E4546A50FC3ECC825DABC1A1DAE6C771BB197F323625877E0BCCAA41253C99B6692976B99FC687B0B6B3E9AAB478C4")); test_hash(&nettle_sha3_512, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("540DF22180B69B9A83306619B2CA8CD8E07A34BBEB2219AC7CF88B468A947C4448489B303BD65506C9E1CE59348A9D863AAB5154848E95B5389783F6F5FB6AD8")); test_hash(&nettle_sha3_512, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("062E4A11A79FDB9CBC3A0E4C5F9875CAAA568BC713066E02D2A9CA4D27886CE23F70083A2BF4D0E7C55B120FE6D197203DC1C2FD3469112A08836727859E1F83")); test_hash(&nettle_sha3_512, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("9E1C6EE0C47B2D2CB77F602CAB53AC4C69C69778297894554196CB58060332C9FD8923F45C4B8EC26E16A5D04E6307FB99850A4540EA83E3F2626F3343E97225")); test_hash(&nettle_sha3_512, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("F18F0B072A6BF608A6C7420E891BE3795A6D19BA3E1276C826F1AE775CF125E428AE1A397CFD074BE0CD24F7100F51800F14471CCF4F485A6571E2B32E02611F")); test_hash(&nettle_sha3_512, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("2859A3165F38CB59DE4275658BBAE9A0AD647D972CF98FA0EEC4C07EE75D576DBF9F5DD19A881DB4E4F7DB31EC0D77165911329CBE8A46D14D3EA7FDCB8A5C80")); test_hash(&nettle_sha3_512, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("9281BD03FE95545E5321A91A0AD8FA75A005B928C83450DF657419870C4E980E32484FCF1F598702ED20404FECE48A2EE9DBCF22120654AE402951605BED197E")); test_hash(&nettle_sha3_512, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("6CA7023E20735624E83995A9E8AEBA66B9BC8D0A30DF67108EFF8AEDEB3B3CA484457BD0277C2552CBC7D63DC87EB556F2199C54EA73BAE647764DE18489B1F1")); test_hash(&nettle_sha3_512, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("A965E699C1FFAEE369B3651C3A318582AE329AE51E6CCFB5275F58F748CEDB8F6B8434FAC4A1135AD9B555AA8CC1FF99A2220CBE83BFC1C374FFC927BB00ABD3")); test_hash(&nettle_sha3_512, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("4B44EC2D1848D0EC43AB0793390D24535F3328AD23C5F8FC43F5579BD16D84BBA08B233B0B5E24E22BF6CA2DEFEACA16BB98F8CDEAF26EECF2FC94AFE4604CF4")); test_hash(&nettle_sha3_512, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("73169F0BE264565E45FB8F4665753E55F240846EB0D481CEF0274E4A3D859521767D9F675C0628DDCE155267BA686F2142805713F20C4C25E0B24398C65E3480")); test_hash(&nettle_sha3_512, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("9E1C196CB73D1EFA288D63902C64CE1A340BCDB8197F4AFECB1118DADD0D076B5FB7F6F809666CC58D2A8C1A68C65D0E91554C41D083F56D7B3DD37DF1B6C494")); test_hash(&nettle_sha3_512, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("0C429CC164253C09538668135C9436FDBC79DA8E1FBE92E7BBC6EB30627591E7347CCB43F7AEC2D37FF3DABCFC9FA0C80629937C0C177C1C7ED0FC76A15DF075")); test_hash(&nettle_sha3_512, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("700112FA90A1A2FD039A41B6485401634E757840E422AEB4A236634958192FFB2F2DDFA2253FC1ECB211C7E036098B714E62F7BF2B6975B1E95FAA9B8D02A73A")); test_hash(&nettle_sha3_512, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("901C6D85509F01A47EA2E2792A5DB728EA39E5703EEDEAE41365EDF10A866B922B1093E52E687E312DB129DA1F053EF6848CB0B314C9A3A999EB3E75E14C9CC2")); test_hash(&nettle_sha3_512, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("4CC9A61FFE08984417712B80F962365AF36ED66A8AAB2A788D22A5C6B23962D23584638E712E9183C0A271383DB0877F722D399116F9BEF79A56AB096EF21749")); test_hash(&nettle_sha3_512, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("B36EA56BB6BF80D91D5A605F8409AE6B7D879EC40815B35C664CC6B01BF6C718AD464F15C34DD1315A79A5456B6C3F8ED89E60390BC71EF747E12CDC77706245")); test_hash(&nettle_sha3_512, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("8ECB8F622DAB7087E9A95CD0341192FEA6B1C956DF9AD3DED823948B7849C4F3150C9559520953EBDE98ED76F6E43BFE4FB25FDA712525C6D3DAA80323BE8E4A")); test_hash(&nettle_sha3_512, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("519215DA34ACFCD62DD617ECD5978365417D57C2671A7B48655B89F448B23B128D3AD04910A1BBBDC00E954A1E49765176A8ACA4C37D56ABF0E0B72E331A8D7C")); test_hash(&nettle_sha3_512, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("0D1C1AD4E1CFEFEE854C4A739A0342E39D700DBAF4891978D7C839E87C680717D63AB4AA1ED7EB657CED9F8D2CF47204262E609610842FC5B219ACFF7EB188C4")); test_hash(&nettle_sha3_512, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("0A5D9EF40BA2B98EDBD7918CC6779483A1A00BD94CC1E1495495CAF6CD47C6239571C3828F4565A0D53786781D712C10EF7333227F651974628887D442A5EF9D")); test_hash(&nettle_sha3_512, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("EA83DE9AE057701F6EC68FF67E92E0334C18EBB79AF1953C2514408D58E69F105441642A1D5B7D6010F7CB15D131DD531855CA337A7B0B794FA6D6923F017AFA")); test_hash(&nettle_sha3_512, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("6651C25D33D10B72535F1DB26A1DFE2EB99CDD505448018589B5B88B7CAB63EB439C31A474C6F1191DF14EFC7D0665CC7B82A7DC54A7C6B0C2FD1F75C30D6872")); test_hash(&nettle_sha3_512, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("A754652247F7285CE2DD8A10035C69961E4F9C025E1FD087CBD3126E049A9E832C3F3A491FCDE338B8C01946CDD7DEC32A8FD7ED1CB3045BCAF3398905B1BB42")); test_hash(&nettle_sha3_512, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("FC1127F6650F32638453AB773F5CE60F9F6165BC9928EFF18C7A3281540C7A615D2D62A92E557D4A1EC1229E84819D2DBF06CED4DE0FF90040ECB961D678E181")); test_hash(&nettle_sha3_512, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("43C21BCCAC7ACEE8ED437B874ED7CDF20EA2E9DC98AB82124610DC4F8416248B51309045CDFBCE92EFA9E56C5B36D6E5D27580319CE69C22E5D6C87E551EED4A")); test_hash(&nettle_sha3_512, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("893934B8C630A9BF713C64FFD1128EAC75D1CEFDEF6642FB27F20CB56694C2FA8BA6EFCF3E0E56C7789CFAAC6B2F7B247DEA8367FFD269E74B9CDFB0537031EA")); test_hash(&nettle_sha3_512, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("B4CB58D8497978916DC362D37ADE12C7A0D8FE3B08B370659B27218291E04EF343095A91887B040984CB80B0C8611FD12C18EAD37B95320D59EDDB32113E42A4")); test_hash(&nettle_sha3_512, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("35C3F8F0DC28608EC942CB6287482219B42B2EBCBAD92B4C34E77E21B7D93B0E85EBF483DB2D4A979C48E58F746AC3DCF563CA7E1B2940371D8D83BF0795EC45")); test_hash(&nettle_sha3_512, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("B90E0CC6BC53182C4F2D17AA51391C8250C3032A12DAF2FCC641B49AA81ED9449403567B75D4121376DD8CC2D2BDBAFA456308AD7C0C13BA85619D75350727E3")); test_hash(&nettle_sha3_512, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("99497355AE1791799D11536C73605CDD1496C74E3E930B6272A103C3AA8C984D2D74B01AE72C94F2A4D3A069EAC6E00984D21EAE3DD7B32AD082B396601093BA")); test_hash(&nettle_sha3_512, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("C98265396F3278FC532125DED097A6851FC5BF37CA32EC26F43E64874241309F568A217119BA984C54099F8899AC94B7900A4DD9D3877E18371F5DAFD1921F08")); test_hash(&nettle_sha3_512, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("FC03BE193A5ED0E6B3502661C2D9E4E2A503CF3FDB231526A90C3C4C26089C787EE6CBF50D90AF61C17C5DF0B29C373B426740CD0D6FC370DE64EB2164BBAEB2")); test_hash(&nettle_sha3_512, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("FB9C3A9183B6D251BF61FAF1843455CB9C1BE35EABDC131D5BF38E98337934968291E9D6DC104374BC234FF22CC23CD6F338E7A3B019CDC9DF6E3750B6B01FDE")); test_hash(&nettle_sha3_512, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("F7965B71198636F162D5A4E08D73E8C8A9AC1ADDBDFD7C180C489CCA7360B3FEE3A4286154460BF867923B348BFE32E79D9139A0CB52C46FA20785FAEAE0A8BC")); test_hash(&nettle_sha3_512, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("5337477487A0AF43EB7B995293CA2BEF6EAB2432B1333DCAEAD7064406E22861FCEA623FD8B85B30465787352A36C943610F1458FD22E3F55DDD195A6ACAA374")); test_hash(&nettle_sha3_512, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("28AB5C6298A602AE51EEEC4080245F7CA10F9A8C304F22B5AA88D0E49226C01C2FD3CC5D8E99309767816E4F6D52719876065495DDB61DD113CFFF06B11D8604")); test_hash(&nettle_sha3_512, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("2AEEAC015D93245F6BF727CD182894097B902CD407D7E0DD06DA1A63F4451C657FF39F925E7C8A894AE593D11EBC2D5D1DE3D9A18018806719277D993F7FABED")); test_hash(&nettle_sha3_512, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("D0A119617B7E30C2A85ECBB3BBF325DDD589431C8C2E2F9FC6E324A6ED8BAF11870A80556CC0688FEE4DB70F22B9424B4F37A0F1E7EA314684DA31BF473B3F34")); test_hash(&nettle_sha3_512, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("1C88789885DCCC9AE81029ACF0B6C9D083CDB9774C345F1C755E54C45E9AF63A70DC2ABAEFEB1AD416F1BD3D9B69D4C4404D22C85E636A4703769C0112B550B8")); test_hash(&nettle_sha3_512, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("F52D7DD7FF248A1BCA7B714F14A79DF5766FD67C0031A471CC509F3516D7C348C33F7D4B1CA331B9323896B7074E10A891CEA851F9AC20245812B8CFAA556352")); test_hash(&nettle_sha3_512, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("A8AEE42A77C9B6387DC97319581959D9BD878D061487FD069ACA04D6F84D347E23587A6C7C56329B2DF88C56C7100ED51ACE5B5F778D65478F059CAFD6C098FD")); test_hash(&nettle_sha3_512, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("4B961C4BB6035E7BDDA2E1A3B6F9CD52D1789866044C4A925693BEA88F65D046238BBEB4E7D3B060E47288041407392B291AE610BA70D6B4D64E74E7A7D0256F")); test_hash(&nettle_sha3_512, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("C0515B65B640B3FFD0A1582A54F4C8FB35C109B7FB472666E043D3C00AE3E0E0FA156C4CEFB46B5B7B4C0E480623E1A26018BDAEDC3E27D9C0D44C3E1D862015")); test_hash(&nettle_sha3_512, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("45C584564D9E0B8239CC1284939BA407A8E5E981691EAB6A04D9354C9C855E400B3037151122CED237636E61A7FF2905E0213A6D07306C459E2189E3E6A9E0B8")); test_hash(&nettle_sha3_512, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("136723350857E03756F02E60451A28E711611927B8136DCFF3E567DC618FF36B3100737C9781B9C84A576745C1E6BE030DAC8803A71464AF39DB94D00253AF3E")); test_hash(&nettle_sha3_512, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("C0F7713AA021A04525F751722A9AE5C4C7934D0A286F1FB05823D86A96251C04DECD960D8D4D66E2C565E6207A49612E1EFDE386536854B6AB9A4807B0A145BE")); test_hash(&nettle_sha3_512, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("FE1CB67D77FB463F77747FED292A989A341044A8B65FA1DF1441AA41A5C795916626E0E479FD0BA7F9B1DC15FED245B99598D35359834E8FD25CF19685219BE2")); test_hash(&nettle_sha3_512, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("4043CDD3F0EA793E49A8EC382F8071F6020B529CF8C82E969429117B362129B7689D3F1EA7FF77EE50263CECDAC5A43AA2AEE97CF3E665CCF535F6DE65AD0100")); test_hash(&nettle_sha3_512, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("7392BD445F58CD5D7D3CA98579CBAA9A9437D0C95E7932B4004117F207F8AA39156BC42537B0C790150D443C2D68C2C43E362DF9D019601797162E63076936C3")); test_hash(&nettle_sha3_512, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("9FF0F0D70CA076CA44C353A3C678C2095C89F619BB53EC9CB4888E2F14E50FBC146A7B521356369F1B9D5665836E45D5400F9856CC6DA3B3AFE6F3B0471FC9C6")); test_hash(&nettle_sha3_512, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("A981FAA9D3CAC492B2FA078D1158F81248DF8DB36ACBD5BAD3A6C633BBE500EB481D2937BEEE9A76C84EDCDFA0F997EDCE708F07851422A7597E2463FC1912CD")); test_hash(&nettle_sha3_512, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("89025C13BC6B61A1BFADB1D37D676E49E6754E9DFC00D52C5EF13BA57C845D14AC75D5AE6F06714028103C3424717F4C2FBF6D88D055690987620AC5B440576A")); test_hash(&nettle_sha3_512, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("1545D8334836F7436F77F21532F5D3058E351DB8357EFC1E089583A0C40AD3A6AF5F2FEE793D3FE1B4721F6817A373499B20912A35C4609FA9D84BD274E978FC")); test_hash(&nettle_sha3_512, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("AFAF201BA353316C1A7B810F120CFF941BB658B0763EEF59433403D8313B8F00BF18177898AE71907D3B524E68BB028EA1442866856111B12089BCBED177FD46")); test_hash(&nettle_sha3_512, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("3FB4F21A231973D2247F206D47B19EE1551647FD4D4F21FBCD6F653577C1AC69EAE4DB432C0234ACBE17B2CED0238A56ACC34D7BB82FBC190903035B7C538857")); test_hash(&nettle_sha3_512, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("0B1C53E68667314B5F3F0F30E25C622B1A86D10701D4A0473FD40F22C50ACB47D63EAFA582A2FBE5453A3F73BFBCA923680F4C2C7F99C98388C07DDD7AFF2C6E")); test_hash(&nettle_sha3_512, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("D836D0CE3A28AD71C3A876796BF65AAB838D84E4802ED49AC04484AE06AA08ED31DEB5C38C1022F0ACEED49CB58E38D3AAB09EFECED9349FDC33379251259826")); test_hash(&nettle_sha3_512, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("61B8A7520DAB4D395044B1A9CCC4F5263EDAE0325767E3D2A0EF225933A81F7E3796280870DBDAB8457D585C4106315B537653DC3D77E915100F421DB39F43B3")); test_hash(&nettle_sha3_512, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("B847B292818E800BAA415C2521A8158A6AB749934DB693D0D2E4613CDAE60BD56075CF2C29F587DC3530164190BC2C02D97CA32347FA2AA431E511BB7D1C87E8")); test_hash(&nettle_sha3_512, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("95ED6D8567774E66404FC32B7A01E1C625FC8322AB9BE0CD7C936731638B04C09748973D95665A35B218D1531411F3AA5E5C47E65D857A43783E2BD3C9D29005")); test_hash(&nettle_sha3_512, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("98350793FC1540AE72757C2D1BA0FA34DF1923C987F365752788E3C65931746C36D13FD293DB8EA1B6374872CCF74E9B0CFF67C6DEBB4263390CD96E2BDD864F")); test_hash(&nettle_sha3_512, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("C2493D60E1EFA6B472933EDE64D1F49EFF773635F66C6454E57E47935A0F4C5B94548DA5C369BDAC7146E54F017C3FD674CE32F8D95151C7CBC3E3BBA3EBE0D3")); test_hash(&nettle_sha3_512, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("70D7BA6585CD2EF91BB261025F9DCC80F8359C9DC30C7C2961F0D1F6057B9C44E3AA67A4BC00F137886E3CF1316D75F8EBF651C79DF9A99CABD0383008372016")); test_hash(&nettle_sha3_512, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("B50D0DA9B3DB1545CC1D2F35465C74D07543B3564249F12C546A08797EEA73326CE624203A3D25C92CE636BCCE86DA9CB9F39BC755EC0F39C090A0E8A72DA70B")); test_hash(&nettle_sha3_512, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("83752A88C915D4193296725DECC50C9C05D25D6BBD9AF2E0EF06286ECFEE961DE959BEDBB130704D432C2BC89930208F450E0A022661724043D268CB24E7FC47")); test_hash(&nettle_sha3_512, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("7288424BA855A76C7480B606F8F32E94396799BAB8BB3FC8FD21D180966C64971071E2645622524EC7D1645EEA7B7C1FA21F7F5B6B90F3E5BEB99222F05EA905")); test_hash(&nettle_sha3_512, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("E9399376D89C4DD4464E45825F4302CDCCD4C41DB4E8951BE17BCC6451858332398B7E4E7F5EEE6830C715451E4AACDB179DD5247BA6D5728CBD4060AEB77CB9")); test_hash(&nettle_sha3_512, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("CCEA447EFE6F8B06AC42076280377635F5FD0767F4AF8B245FE63B79FE4974E9156744E60E98D12018214C39F8A826D506D0D5948645E9F883C208D37D927A41")); test_hash(&nettle_sha3_512, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("7E03FCE3B67EBB28308823F56AA93DBB4D9EFDBD93300D97B1F99EFCB82C3684C5A5A5AA64E7A34C69B89399CAB05F22E8E88607B863336E4CBF8CF6E74B98C1")); test_hash(&nettle_sha3_512, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("6A457AE74F89C42BBD2BD2EBFFFBD71F036FF7B76C4AFDDFFBD52F32E588A9543CED09DA9A3E130AC1A19EF1ACB2FA68AC41917ED6BAD37A60982B16B5EB4FF3")); test_hash(&nettle_sha3_512, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("91B8CD795D1A6828601E00DB0C91FF9A6F837444F53FCF89E990B88F5F3E34EB490E72A1795FAB84F78DA3F7AFC89896C7CDE5865D1BCD74D5639E4903C683FE")); test_hash(&nettle_sha3_512, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("7635D79C1B32E4934EB0090C6D46C0B240F626C77D84F8EABF571BA8FDE924F4A1CF456704B101F667F912DEDBBCBEFF2180A419A68C7B790BA606E6602D5115")); test_hash(&nettle_sha3_512, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("DDD0C521ED60C55F65BAE241A9072D7F6F6CCA7F64624EC92C037BF8BC16F0602E75EE46879AF41F3EFF5CE235905F3856A031C3CC90A4851F4CD8463AAE6DE8")); test_hash(&nettle_sha3_512, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("C84C03564D024F90560001CA4CEF867AF77999943E313CA17328756C43D2FE31CF98812D3A7AAB1535C28ED29D692DB4824E8D6DCE06C9994DBCBE0F82633FBE")); test_hash(&nettle_sha3_512, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("B4563191675191ED4D6107E52FA15ADC9D70642358D8C3E34DF10274E25D373FD8D19E92472B823E28BBDD1D541A95FDDD0D43C79FCB3BA18A7EC038D3EF69A6")); test_hash(&nettle_sha3_512, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("A30BD80CB3ACB3BFA7E037A3D0D2500974D71957F68135133020C32EB4D688F132D0FB045BE027F124B3D935CB889E3CBC4A4A420026BB2AC2A4B1B15C57BB64")); test_hash(&nettle_sha3_512, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("4A5809E457F54D9C7E8209F6C482D52A4EFE6D8A20C4C6FBA83687294929232D25CD7BF511D8E6FBF272E983F07D044F8723098D7A381F04E957B0787087EF02")); test_hash(&nettle_sha3_512, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("A79016C34BEE41AB5CB10278478A5B55D07C2E0831835DDE6F8FF8DAFAC37A5F88FBA07CCEFFE35849DBD123B06DF2335B002645D078FE1B08843C257A1BBE56")); test_hash(&nettle_sha3_512, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("603F7B09565634D4410B574A4DC9EA467437964517E5EFA51A362A30E8C632C55162A3351BB5532E40948AA9A1E3A8786C0422AEC3EC338C7F4B57679200452B")); test_hash(&nettle_sha3_512, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("1018692D530C55BAA580AE1E7384351100D4637CD33869C71E6076A3D4E310D964B81D593E89718845AC7A89E8AD5073506427C6C8F7FADFA0C5DC3CFAA5D924")); test_hash(&nettle_sha3_512, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("E3C0EAFFC3567BD72CC02150A75F32DDE53DE2652C5313EB3E97018ADDDF629DA01D97D0A9E2519451A7292F5DE00EE4456FE6E4F14F96D5DE7E6F174EDB28C4")); test_hash(&nettle_sha3_512, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("192AE7A0F7A816FD3D4020BDDCF2AAF52A64E6384DCA527F33AF4EE69099DCA97B890A99CFAB9D904A35F2707856696C30C6432DF70A6CEF704BB268055A6D07")); test_hash(&nettle_sha3_512, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("6BCD7E7C359FDD93A56D79F97FC2D534619F14FE443AC8C9E042C5105FBAF2777718DE07424A62333FFD43A501A8544449A7CAC3C8D821E380B0CB8172B9493B")); test_hash(&nettle_sha3_512, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("1FCD1E38AB03C750366CF86DD72EC3BF22F5BBF7FEA0149D31B6A67B68B537B59BA37917FD88CED9AA8D2941A65F552B7928B3785C66D640F3B74AF039ED18CE")); test_hash(&nettle_sha3_512, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("F39EF0626D3FBD9CD435A93E7EEE41E4A2FF5362F56C988B20870A3BEFA50470DC5FABE39895C0761289FAFD9147ABAB02561F300D0CEB9A732E14CA887CAF18")); test_hash(&nettle_sha3_512, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("81E8B59DDCD24811B405F7529DA125F0DC19AE21E8795CE9E6692DAB645B7959446ADCAA3061DC4642A51D8A562EFB03A7680AF0F52C01406D5C213EAAC6BE55")); test_hash(&nettle_sha3_512, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("63424B09069FBD2D0FAC00805AAD07FD56E30BB8116B5476AE90BF6ACEC84C3B45368A9EBB7FCEA8D65965F52514A2A59A06E6E06B07DC6AEE7F756BFC188E25")); test_hash(&nettle_sha3_512, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("1E709FB3501FA818F57E70C365DB45CCF2EB8A8FA66DE9B5F211D6F0CC9722ADE963C965AD5F6937BA62EDC2D8983843E0F3679D9C97B30CD54F2409DDA5F474")); test_hash(&nettle_sha3_512, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("5B9F0C544627FAADEA82825A569DA33A75C5DA6CC169926DE0556A737E4DAA07ABF1DC3DB0704F5D67FCBC4CB62AAC442ECEC867A2C16846F1D53D205CB872AC")); test_hash(&nettle_sha3_512, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("930AB42A9F5F5BC5F2222C748F2478A00F40C3B6D6487D6D7ED0D71100F40FCBB2C66566EA26AD0A417629F5A61DCA411CCD21F7367D308F3B1B24901824FA9B")); test_hash(&nettle_sha3_512, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("08203943C58210D3F82758272BEFBB9234FE913409A07944645959B1A6AF2F4363ABD7451232623DAA8E65C87F34939C140608950FBDBBE83D66407944F5423A")); test_hash(&nettle_sha3_512, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("A24DD6A50333F289C175CD4EC185DA9906E38C287A339DC4DEFAFD71B2EA32A6F6AEFE758E25FC8F043E806F1B2EE019E13B85536CD3EFAA2A9B5994FCAE4788")); test_hash(&nettle_sha3_512, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("CD1ED5FFF6FA3D453872510B6B2712EC9C6EBA9543734D88511ED475905E123ED6EF6624F220445FE89C257A9F9C5166A2772EF768B50E9290FB1D4761ECA6C8")); test_hash(&nettle_sha3_512, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("CFAA0EB1C9F02C0469EEFB31A1A53CA1A4765F78EC171CF15DA7D5C512817B8BF7D7CD7B1416B3DE2BBA05EDFB0B493495AC2107A4B686D5DD8D6AD41B4AA3D7")); test_hash(&nettle_sha3_512, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("2BE71EE9ACE2DBCFD43D6D020C07244554DAC8A2CF1571D0FA1D004933739E8978323056797E04C333F5BF187E64F1D881E502672567F204DE0E73CE26E7190D")); test_hash(&nettle_sha3_512, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("6E8B8BD195BDD560689AF2348BDC74AB7CD05ED8B9A57711E9BE71E9726FDA4591FEE12205EDACAF82FFBBAF16DFF9E702A708862080166C2FF6BA379BC7FFC2")); } nettle-4.0/testsuite/sha3-permute-test.c0000644000000000000000000000421515141166425015274 0ustar00#include "testutils.h" #include "sha3.h" #include "sha3-internal.h" static void display (const struct sha3_state *state) { unsigned x, y; for (x = 0; x < 5; x++) { for (y = 0; y < 5; y++) /* Is there a simple and *portable* way to print uint64_t? */ printf ("%8lx%08lx ", (unsigned long) (state->a[x +5*y] >> 32), (unsigned long) (state->a[x+5*y] & 0xffffffff)); printf("\n"); } } void test_main(void) { /* From KeccakPermutationIntermediateValues.txt */ static const struct sha3_state s1 = { { 0xF1258F7940E1DDE7ULL, 0x84D5CCF933C0478AULL, 0xD598261EA65AA9EEULL, 0xBD1547306F80494DULL, 0x8B284E056253D057ULL, 0xFF97A42D7F8E6FD4ULL, 0x90FEE5A0A44647C4ULL, 0x8C5BDA0CD6192E76ULL, 0xAD30A6F71B19059CULL, 0x30935AB7D08FFC64ULL, 0xEB5AA93F2317D635ULL, 0xA9A6E6260D712103ULL, 0x81A57C16DBCF555FULL, 0x43B831CD0347C826ULL, 0x01F22F1A11A5569FULL, 0x05E5635A21D9AE61ULL, 0x64BEFEF28CC970F2ULL, 0x613670957BC46611ULL, 0xB87C5A554FD00ECBULL, 0x8C3EE88A1CCF32C8ULL, 0x940C7922AE3A2614ULL, 0x1841F924A2C509E4ULL, 0x16F53526E70465C2ULL, 0x75F644E97F30A13BULL, 0xEAF1FF7B5CECA249ULL, } }; static const struct sha3_state s2 = { { 0x2D5C954DF96ECB3CULL, 0x6A332CD07057B56DULL, 0x093D8D1270D76B6CULL, 0x8A20D9B25569D094ULL, 0x4F9C4F99E5E7F156ULL, 0xF957B9A2DA65FB38ULL, 0x85773DAE1275AF0DULL, 0xFAF4F247C3D810F7ULL, 0x1F1B9EE6F79A8759ULL, 0xE4FECC0FEE98B425ULL, 0x68CE61B6B9CE68A1ULL, 0xDEEA66C4BA8F974FULL, 0x33C43D836EAFB1F5ULL, 0xE00654042719DBD9ULL, 0x7CF8A9F009831265ULL, 0xFD5449A6BF174743ULL, 0x97DDAD33D8994B40ULL, 0x48EAD5FC5D0BE774ULL, 0xE3B8C8EE55B7B03CULL, 0x91A0226E649E42E9ULL, 0x900E3129E7BADD7BULL, 0x202A9EC5FAA3CCE8ULL, 0x5B3402464E1C3DB6ULL, 0x609F4E62A44C1059ULL, 0x20D06CD26A8FBF5CULL, } }; struct sha3_state state; memset (&state, 0, sizeof(state)); sha3_permute (&state); if (!MEMEQ (sizeof(state), &state.a, &s1)) { printf("Got:\n"); display (&state); printf("Ref:\n"); display (&s1); FAIL(); } sha3_permute (&state); if (!MEMEQ (sizeof(state), &state.a, &s2)) { printf("Got:\n"); display (&state); printf("Ref:\n"); display (&s2); FAIL(); } } nettle-4.0/testsuite/sha3.awk0000755000000000000000000000073515141166425013206 0ustar00#! /usr/bin/awk -f # This script is used to process the Keccak testvectors, originally # we used http://keccak.noekeon.org/KeccakKAT-3.zip. # For the updated NIST version, test vectors can be found at # https://github.com/gvanas/KeccakCodePackage/tree/master/TestVectors /^Len/ { len = $3 } /^Msg/ { msg = $3 } /^MD/ { md = $3; if (len % 8 == 0) printf("test_hash(&nettle_sha3_xxx, /* %d octets */\nSHEX(\"%s\"),\nSHEX(\"%s\"));\n", len / 8, len ? msg : "", md); } nettle-4.0/testsuite/sha384-test.c0000644000000000000000000000365215141166425013775 0ustar00#include "testutils.h" void test_main(void) { test_hash(&nettle_sha384, SDATA("abc"), SHEX("cb00753f45a35e8b b5a03d699ac65007" "272c32ab0eded163 1a8b605a43ff5bed" "8086072ba1e7cc23 58baeca134c825a7")); test_hash(&nettle_sha384, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("09330c33f71147e8 3d192fc782cd1b47" "53111b173b3b05d2 2fa08086e3b0f712" "fcc7c71a557e2db9 66c3e9fa91746039")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha384, SDATA(""), SHEX("38b060a751ac9638 4cd9327eb1b1e36a" "21fdb71114be0743 4c0cc7bf63f6e1da" "274edebfe76f65fb d51ad2f14898b95b")); test_hash(&nettle_sha384, SDATA("a"), SHEX("54a59b9f22b0b808 80d8427e548b7c23" "abd873486e1f035d ce9cd697e8517503" "3caa88e6d57bc35e fae0b5afd3145f31")); test_hash(&nettle_sha384, SDATA("38"), SHEX("c071d202ad950b6a 04a5f15c24596a99" "3af8b212467958d5 70a3ffd478006063" "8e3a3d06637691d3 012bd31122071b2c")); test_hash(&nettle_sha384, SDATA("message digest"), SHEX("473ed35167ec1f5d 8e550368a3db39be" "54639f828868e945 4c239fc8b52e3c61" "dbd0d8b4de1390c2 56dcbb5d5fd99cd5")); test_hash(&nettle_sha384, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("feb67349df3db6f5 924815d6c3dc133f" "091809213731fe5c 7b5f4999e463479f" "f2877f5f2936fa63 bb43784b12f3ebb4")); test_hash(&nettle_sha384, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("1761336e3f7cbfe5 1deb137f026f89e0" "1a448e3b1fafa640 39c1464ee8732f11" "a5341a6f41e0c202 294736ed64db1a84")); test_hash(&nettle_sha384, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("b12932b0627d1c06 0942f54477641556" "55bd4da0c9afa6dd 9b9ef53129af1b8f" "b0195996d2de9ca0 df9d821ffee67026")); } nettle-4.0/testsuite/sha512-224-test.c0000644000000000000000000000103315141166425014262 0ustar00#include "testutils.h" void test_main(void) { /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ test_hash(&nettle_sha512_224, SDATA("abc"), SHEX("4634270F 707B6A54 DAAE7530 460842E2" "0E37ED26 5CEEE9A4 3E8924AA")); test_hash(&nettle_sha512_224, SDATA("abcdefghbcdefghicdefghijdefghijk" "efghijklfghijklmghijklmnhijklmno" "ijklmnopjklmnopqklmnopqrlmnopqrs" "mnopqrstnopqrstu"), SHEX("23FEC5BB 94D60B23 30819264 0B0C4533" "35D66473 4FE40E72 68674AF9")); } nettle-4.0/testsuite/sha512-256-test.c0000644000000000000000000000105515141166425014273 0ustar00#include "testutils.h" void test_main(void) { /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ test_hash(&nettle_sha512_256, SDATA("abc"), SHEX("53048E26 81941EF9 9B2E29B7 6B4C7DAB" "E4C2D0C6 34FC6D46 E0E2F131 07E7AF23")); test_hash(&nettle_sha512_256, SDATA("abcdefghbcdefghicdefghijdefghijk" "efghijklfghijklmghijklmnhijklmno" "ijklmnopjklmnopqklmnopqrlmnopqrs" "mnopqrstnopqrstu"), SHEX("3928E184 FB8690F8 40DA3988 121D31BE" "65CB9D3E F83EE614 6FEAC861 E19B563A")); } nettle-4.0/testsuite/sha512-test.c0000644000000000000000000002022315141166425013757 0ustar00#include "testutils.h" void test_main(void) { test_hash(&nettle_sha512, SDATA("abc"), SHEX("ddaf35a193617aba cc417349ae204131" "12e6fa4e89a97ea2 0a9eeee64b55d39a" "2192992a274fc1a8 36ba3c23a3feebbd" "454d4423643ce80e 2a9ac94fa54ca49f")); test_hash(&nettle_sha512, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("8e959b75dae313da 8cf4f72814fc143f" "8f7779c6eb9f7fa1 7299aeadb6889018" "501d289e4900f7e4 331b99dec4b5433a" "c7d329eeb6dd2654 5e96e55b874be909")); /* NESSIE, Set 1, vector #6 */ test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("1E07BE23C26A86EA37EA810C8EC78093" "52515A970E9253C26F536CFC7A9996C4" "5C8370583E0A78FA4A90041D71A4CEAB" "7423F19C71B9D5A3E01249F0BEBD5894")); /* NESSIE, Set 1, vector #7 */ test_hash(&nettle_sha512, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("72EC1EF1124A45B047E8B7C75A932195" "135BB61DE24EC0D1914042246E0AEC3A" "2354E093D76F3048B456764346900CB1" "30D2A4FD5DD16ABB5E30BCB850DEE843")); /* Variants longer than one block (128 bytes), to test varying alignment. */ test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("5338370f5655f4da14572d4fb471539b" "201485ecfb3d3204048dc6b83e61fab5" "05bcbbd73e644a1a5d159a32a0889cf3" "c9591b69b26d31be56c68838ce3cd63d")); test_hash(&nettle_sha512, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890") , SHEX("33f8901b053e4cc677d3cb4122d96ad9" "b96b13bf76194cf962488bb4de4998a7" "1455cb31582db527adf77a485b81cf5b" "722a5e8638eb6be487400f3aec006e7c")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha512, SDATA(""), SHEX("cf83e1357eefb8bd f1542850d66d8007" "d620e4050b5715dc 83f4a921d36ce9ce" "47d0d13c5d85f2b0 ff8318d2877eec2f" "63b931bd47417a81 a538327af927da3e")); test_hash(&nettle_sha512, SDATA("a"), SHEX("1f40fc92da241694 750979ee6cf582f2" "d5d7d28e18335de0 5abc54d0560e0f53" "02860c652bf08d56 0252aa5e74210546" "f369fbbbce8c12cf c7957b2652fe9a75")); test_hash(&nettle_sha512, SDATA("38"), SHEX("caae34a5e8103126 8bcdaf6f1d8c04d3" "7b7f2c349afb705b 575966f63e2ebf0f" "d910c3b05160ba08 7ab7af35d40b7c71" "9c53cd8b947c9611 1f64105fd45cc1b2")); test_hash(&nettle_sha512, SDATA("message digest"), SHEX("107dbf389d9e9f71 a3a95f6c055b9251" "bc5268c2be16d6c1 3492ea45b0199f33" "09e16455ab1e9611 8e8a905d5597b720" "38ddb372a8982604 6de66687bb420e7c")); test_hash(&nettle_sha512, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("4dbff86cc2ca1bae 1e16468a05cb9881" "c97f1753bce36190 34898faa1aabe429" "955a1bf8ec483d74 21fe3c1646613a59" "ed5441fb0f321389 f77f48a879c7b1f1")); test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("1e07be23c26a86ea 37ea810c8ec78093" "52515a970e9253c2 6f536cfc7a9996c4" "5c8370583e0a78fa 4a90041d71a4ceab" "7423f19c71b9d5a3 e01249f0bebd5894")); test_hash(&nettle_sha512, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("72ec1ef1124a45b0 47e8b7c75a932195" "135bb61de24ec0d1 914042246e0aec3a" "2354e093d76f3048 b456764346900cb1" "30d2a4fd5dd16abb 5e30bcb850dee843")); } /* For first test case. -1: 6a09e667f3bcc908 bb67ae8584caa73b 3c6ef372fe94f82b a54ff53a5f1d36f1 510e527fade682d1 9b05688c2b3e6c1f 1f83d9abfb41bd6b 5be0cd19137e2179 0: 6a09e667f3bcc908 bb67ae8584caa73b 3c6ef372fe94f82b 58cb02347ab51f91 510e527fade682d1 9b05688c2b3e6c1f 1f83d9abfb41bd6b f6afceb8bcfcddf5 1: 6a09e667f3bcc908 bb67ae8584caa73b c3d4ebfd48650ffa 58cb02347ab51f91 510e527fade682d1 9b05688c2b3e6c1f 1320f8c9fb872cc0 f6afceb8bcfcddf5 6: b47b4bb1928990e c4875b0c7abc076b af573b02403e89cd b680953951604860 5a83cb3e80050e82 5a6c781f54dcc00c 96f60209b6dc35ba 745aca4a342ed2e2 7: 8093d195e0054fa3 c4875b0c7abc076b af573b02403e89cd b680953951604860 86f67263a0f0ec0a 5a6c781f54dcc00c 96f60209b6dc35ba 745aca4a342ed2e2 8: 8093d195e0054fa3 c4875b0c7abc076b af573b02403e89cd d0403c398fc40002 86f67263a0f0ec0a 5a6c781f54dcc00c 96f60209b6dc35ba f1eca5544cb89225 9: 8093d195e0054fa3 c4875b0c7abc076b 91f460be46c52 d0403c398fc40002 86f67263a0f0ec0a 5a6c781f54dcc00c 81782d4a5db48f03 f1eca5544cb89225 14: 475975b91a7a462c fa967eed85a08028 44249631255d2ca0 5e41214388186c14 db0a9963f80c2eaa 874bfe5f6aae9f2f 860acf9effba6f61 cdf3bff2883fc9d9 15: ae07c86b1181c75 fa967eed85a08028 44249631255d2ca0 5e41214388186c14 a77b7c035dd4c161 874bfe5f6aae9f2f 860acf9effba6f61 cdf3bff2883fc9d9 16: ae07c86b1181c75 fa967eed85a08028 44249631255d2ca0 2deecc6b39d64d78 a77b7c035dd4c161 874bfe5f6aae9f2f 860acf9effba6f61 caf81a425d800537 17: ae07c86b1181c75 fa967eed85a08028 f47e8353f8047455 2deecc6b39d64d78 a77b7c035dd4c161 874bfe5f6aae9f2f 4725be249ad19e6b caf81a425d800537 18: ae07c86b1181c75 29695fd88d81dbd0 f47e8353f8047455 2deecc6b39d64d78 a77b7c035dd4c161 3c4b4104168e3edb 4725be249ad19e6b caf81a425d800537 30: 9068a4e255a0dac 4c4fbbb75f1873a6 74bf40f869094c63 e62349090f47d30a eab4a9e5771b8d09 73e025d91b9efea3 f0aec2fe1437f085 fcdf99710f21584 31: ff4d3f1f0d46a736 4c4fbbb75f1873a6 74bf40f869094c63 e62349090f47d30a 3cd388e119e8162e 73e025d91b9efea3 f0aec2fe1437f085 fcdf99710f21584 32: ff4d3f1f0d46a736 4c4fbbb75f1873a6 74bf40f869094c63 e1034573654a106f 3cd388e119e8162e 73e025d91b9efea3 f0aec2fe1437f085 a0509015ca08c8d4 33: ff4d3f1f0d46a736 4c4fbbb75f1873a6 efabbd8bf47c041a e1034573654a106f 3cd388e119e8162e 73e025d91b9efea3 60d4e6995ed91fe6 a0509015ca08c8d4 34: ff4d3f1f0d46a736 fbae670fa780fd3 efabbd8bf47c041a e1034573654a106f 3cd388e119e8162e 2c59ec7743632621 60d4e6995ed91fe6 a0509015ca08c8d4 46: cc5100997f5710f2 f61e672694de2d67 21fbadbabab5ac6 c47c9d5c7ea8a234 35d7e7f41defcbd5 c6bc35740d8daa9a e95c2a57572d64d9 858d832ae0e8911c 47: 6b69fc1bb482feac f61e672694de2d67 21fbadbabab5ac6 c47c9d5c7ea8a234 35264334c03ac8ad c6bc35740d8daa9a e95c2a57572d64d9 858d832ae0e8911c 48: 6b69fc1bb482feac f61e672694de2d67 21fbadbabab5ac6 271580ed6c3e5650 35264334c03ac8ad c6bc35740d8daa9a e95c2a57572d64d9 571f323d96b3a047 49: 6b69fc1bb482feac f61e672694de2d67 dfe091dab182e645 271580ed6c3e5650 35264334c03ac8ad c6bc35740d8daa9a ca9bd862c5050918 571f323d96b3a047 50: 6b69fc1bb482feac 7a0d8ef821c5e1a dfe091dab182e645 271580ed6c3e5650 35264334c03ac8ad 813a43dd2c502043 ca9bd862c5050918 571f323d96b3a047 62: 4797cde4ed370692 a81dedbb9f19e643 cfcd928c5424e2b6 3857dfd2fc37d3ba 2c074484ef1eac8c 84058865d60a05fa 9aee5bda1644de5 a6af4e9c9f807e51 63: ab44e86276478d85 a81dedbb9f19e643 cfcd928c5424e2b6 3857dfd2fc37d3ba cd881ee59ca6bc53 84058865d60a05fa 9aee5bda1644de5 a6af4e9c9f807e51 64: ab44e86276478d85 a81dedbb9f19e643 cfcd928c5424e2b6 aa84b086688a5c45 cd881ee59ca6bc53 84058865d60a05fa 9aee5bda1644de5 5a806d7e9821a501 65: ab44e86276478d85 a81dedbb9f19e643 3b5fed0d6a1f96e1 aa84b086688a5c45 cd881ee59ca6bc53 84058865d60a05fa eeb9c21bb0102598 5a806d7e9821a501 66: ab44e86276478d85 29fab5a7bff53366 3b5fed0d6a1f96e1 aa84b086688a5c45 cd881ee59ca6bc53 46c4210ab2cc155d eeb9c21bb0102598 5a806d7e9821a501 78: 995019a6ff3ba3de 10d9c4c4295599f6 d67806db8b148677 654ef9abec389ca9 c8960e6be864b916 9bb4d39778c07f9e 25c96a7768fb2aa3 ceb9fc3691ce8326 79: 73a54f399fa4b1b2 10d9c4c4295599f6 d67806db8b148677 654ef9abec389ca9 d08446aa79693ed7 9bb4d39778c07f9e 25c96a7768fb2aa3 ceb9fc3691ce8326 99: ddaf35a193617aba cc417349ae204131 12e6fa4e89a97ea2 a9eeee64b55d39a 2192992a274fc1a8 36ba3c23a3feebbd 454d4423643ce80e 2a9ac94fa54ca49f */ nettle-4.0/testsuite/shake128-test.c0000644000000000000000000126112015141166425014306 0ustar00/* shake128-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "sha3.h" const struct nettle_xof nettle_shake128 = { "shake128", sizeof(struct sha3_ctx), SHA3_128_BLOCK_SIZE, (nettle_hash_init_func *) sha3_init, (nettle_hash_update_func *) sha3_128_update, (nettle_output_func *) sha3_128_shake, (nettle_output_func *) sha3_128_shake_output, }; void test_main(void) { /* Extracted from ShortMsgKAT_SHAKE128.txt. */ test_xof (&nettle_shake128, /* 0 octets */ SHEX(""), SHEX("7F9C2BA4E88F827D616045507605853ED73B8093F6EFBC88EB1A6EACFA66EF263CB1EEA988004B93103CFB0AEEFD2A686E01FA4A58E8A3639CA8A1E3F9AE57E235B8CC873C23DC62B8D260169AFA2F75AB916A58D974918835D25E6A435085B2BADFD6DFAAC359A5EFBB7BCC4B59D538DF9A04302E10C8BC1CBF1A0B3A5120EA17CDA7CFAD765F5623474D368CCCA8AF0007CD9F5E4C849F167A580B14AABDEFAEE7EEF47CB0FCA9767BE1FDA69419DFB927E9DF07348B196691ABAEB580B32DEF58538B8D23F87732EA63B02B4FA0F4873360E2841928CD60DD4CEE8CC0D4C922A96188D032675C8AC850933C7AFF1533B94C834ADBB69C6115BAD4692D8619F90B0CDF8A7B9C264029AC185B70B83F2801F2F4B3F70C593EA3AEEB613A7F1B1DE33FD75081F592305F2E4526EDC09631B10958F464D889F31BA010250FDA7F1368EC2967FC84EF2AE9AFF268E0B1700AFFC6820B523A3D917135F2DFF2EE06BFE72B3124721D4A26C04E53A75E30E73A7A9C4A95D91C55D495E9F51DD0B5E9D83C6D5E8CE803AA62B8D654DB53D09B8DCFF273CDFEB573FAD8BCD45578BEC2E770D01EFDE86E721A3F7C6CCE275DABE6E2143F1AF18DA7EFDDC4C7B70B5E345DB93CC936BEA323491CCB38A388F546A9FF00DD4E1300B9B2153D2041D205B443E41B45A653F2A5C4492C1ADD544512DDA2529833462B71A41A45BE97290B6F")); test_xof (&nettle_shake128, /* 1 octets */ SHEX("CC"), SHEX("4DD4B0004A7D9E613A0F488B4846F804015F0F8CCDBA5F7C16810BBC5A1C6FB254EFC81969C5EB49E682BABAE02238A31FD2708E418D7B754E21E4B75B65E7D39B5B42D739066E7C63595DAF26C3A6A2F7001EE636C7CB2A6C69B1EC7314A21FF24833EAB61258327517B684928C7444380A6EACD60A6E9400DA37A61050E4CD1FBDD05DDE0901EA2F3F67567F7C9BF7AA53590F29C94CB4226E77C68E1600E4765BEA40B3644B4D1E93EDA6FB0380377C12D5BB9DF4728099E88B55D820C7F827034D809E756831A334C078FC28ACB76B5ADB3BFF6DD659CAA49CC34F726880F293BD3FC132027AE7602242064EFEC4D9D656E069D4DFAE0B40C1D6B6CDB21D89D00E168B0B74D72EBB3B672B57AF3E99C85DA2F41CE70672CD0E0521678FC56EAB6314A0B3AF8B724376C01433D84943A73AF703D293634BC24322992756EE261FFF0D71BFFB8AEBF1026A6A345F2EAED505BC7E02498A3225FC91499DD5F5E30E386557C5FE0A88BC2337C80D7EA42B60622960230577CE800CB63594F619B7DE31E026429B7648C5835AFC00559FA4C7695D6DD9F7B2537A265E9AF7A2C986F8B60E7DC6EB3C4D805A6EEFB6FBB5BFDE21ED7E41CFDBEB02B0BAB76F9998BA1E52815A246B084EFAE7960AFFC2BA5C647E7CC05EF8120568432DFDE1D7246473304808985600A1AFC20B99185AF25E89DC2EC6F4880DC79BAD50DFFCC9EA")); test_xof (&nettle_shake128, /* 2 octets */ SHEX("41FB"), SHEX("09C9652BB968996A35E4814E27587131F53FD01AB9FE83758ACEB8134FCECA24C84F592CEE43A4476E8853FCAB7DAFEF7B60ECFEBFD70DFCF587B3AF358A286FE3713BF4735A84975BB65E3586C81EA716BFB999626DC973A495A6E0024061387D628E9E59DFD2B39C68C8CEAD665AB43F6D2625A10630761DFB60276EA97B280442462246C6D74A1960A8419A76A37B68449A9E427D6A7EC1FBDF4760847AD6F6F5A08CEFB767CAEB6C2382F4F3D0E49DE4428CD4240635C9136911A82FF0B9C74569A1B7C8AF72AB1EA5F2F6F6A45E3BB08229ADDFA916B18A74F7939C5130152AC8343A10694154FDC6E1570EC7ECABBB01EDDC92EF0BB1B3DB914C74CCE399ACC9B766FD7494B2EF27AC57B80D52535942D55E2DBFAA61CDF3F48759AA612DED11421855AD15FFAB91462A56F873BBAF4FE88457A47B6C0594818D0A9189895239C1429ED8754EEE5498F4D0FB6C9D0DF0EB5316289E72C6AAEB8C61317B409156D4221CE6CFC7C5F39272D87C2D884F88F1B8B3C05CA9E235ED92C7DD7806CDADA7166CC1B9107DA5E6536D4FF111BF9199D6B72AC17D874323D68D76AEC4650F1A4B067C50215362201A7F71116BF6633AF08D712804B83F08A5DC7CCD4315963106D50453D44EFF59C9C652F4A924BE93C0B958EA286B0A4B597899A28C9BD5419C042668AA7B0CFCAC4CDF9260F2824ABF3EE79FEF53EBE3C36DF831")); test_xof (&nettle_shake128, /* 3 octets */ SHEX("1F877C"), SHEX("E2D3144669AB578347FCCA0B572783A269A8CF9ADDA4D87782053D80D5F0FDD27835CF883036E536CE76FEF689A5E7BD646A7FB7D74F090193B2390E614759B7EB7DE915A38328745890B1EF1E7AED78168E996D7AC774D47F8F118B3E00A7BD151131BA3705AE81B57FB7CBFFE114E2F4C3CA152B8874FB906E862840624E02BBF9502E46D8888433A38E82E04CAACB60019222D433E8F2E758BD41AAB395BF83611FD0C3F7FD5173306182449B9A22C4013F2263B41EAC4D0EDA16854961FBAA6AD04A89E72A602AC59659EC2A60C1D020BACC74A711D4254A2ECC5F8F0627B4F72AE130C50590F8B91C52957B795D12DA09BDD40D41E3CD48E30E37FE5FD0B86EB38AB4661085EF515E70231A5F11F9DBF7433763B17D84F36BF42FB6D57789C6DA2BE8D205EAD87BDCC3FA6AC85FCC3E70571EBB2EE4BBBFC04E71B3A88E000464608475C94C7D7EC1BBFCEC980B166096E9BDDE9192C53E350D3B92F3AB0FCEF4E49E05BBBC18B11ECA942C8A0776ED4F293B7FC9B8E7C0303A29A41DE64BFEBD2967875290D471640A914B0775CDFF140B2B66CB099A05F5357C9D5E7F9F1D78B828CCD23FC7CD58329613DE4BE9869B4F2DB18F5792795C34C43D23E2CC5525B4A363A9619AD57E42C36EC459FFAE56B61717EF36AFC9FBE5A72A7D23D435B2EF38A2B0E22AB5DFC8BB8747B6EBF17A63F6368795C6A16DEE05362422")); test_xof (&nettle_shake128, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("B5EB987E7CBFC7C9D140AFD20B500E30F2F71188BCE885951F22FBC35DE40E7411311BC8479F895A069600483751295F5C3855474D65436B347608583125A6BD41CA30DC99CB342B72A96F8A2213E98A16BBB9E38A141B4FBA68C1A723D1D578A91B4A1BAFD03B25BD3CFB6D4E1E044637889C6D7AF0209DBB5E10837D5C5991D2766012E7E86A82838B455B96D882B7E25C9072A66DA22B0ACB992FD3CCF5FBC28625B896BDF8D4B7358901D12698FD823FE09AFB4F238631EE1277752F2900E38C7FC163381A01601DBDE8CD30A9A8EE8353DEF6C610B50962D0EC1F4F3EEC2AFD7FCD5296E299C23005960C1AABF3408EDE96DE18E10FDE99774B5BD33092639D8BE9D872130C96311EB6DCA82CC28A62C01E3F9C454251D87FA890284C06187F904CF23CCC62690628C590BC8B84EEE68371D3412DCB5648A634F2359951CD011028E61C28A33EC4E31550C1C0E4123D1091E22D56BD587E73B7DD43C1B431D9547398C5E7EB6C682EA2FD758C86C1222C0D6AB236B8106DAC19338E86CB8F6EC0FB607D70C938CAC172C80079B018BB62939546505B8B6E146A3AD7A35F20D7F9A353F1E6535C23AE93CE8F78C045402E707A664F5918E6836D343240E6112EFA29DFC4D18778C91E2B8530E4FF6E4947623D31DAFAC9B0D194E36C44E10B1A846935684F89ADB44782E8FFF2E3E62B65D18140F10D36CD817F835EB0C0")); test_xof (&nettle_shake128, /* 5 octets */ SHEX("21F134AC57"), SHEX("7BFBB40DA3704A558291B39E1E56ED9F6F56AE783270AB02A202060C9173FBB0B45575B32348A6ED2C927A39A30DA0A2BBC1807497AD50F27A107754AF62762C0B9E8E62438101DECA378899C521CB76C75D299EDE19BA70E2AB91DA9E39EBDC917355B6FE28EE254C0CD48F3A28FB51766FD58154C98A5C650A4E4841D14E2C8F5BAEBF5AAF2A2120279D2D33214A51CA30C4E05209BBD60106CC343EC867EFFC826CB32A2E736C4AA561FFAECB46FFB74D1B3FD36242244312067C7CEA2EBBCF988E17742C3C80E8DEE6D509997866A308C101214F860512D38E3B6C307C1CE779FD42FDCB9D909A2D6F9DD5A3687708905390479950D55E8890D10D7057863CF006034A6D01D77FB33C0E28B093FE3337BE8416202DC866796739271C9E326199092FA27556C9F40D7E9BAC869B6D7E8018409EA92AF2464C58245E89556DA3E80B6B4200B9E53FC80C93149E3DC4921A5FBE7DF67F1D0B753CBA41B75EE5CBA78A89A2A85A46BBFAA625A40EE62616E68B07C06339717C81B4343760E97E2676C347D9625ECE383FBB8448E7837DC704E2956B18CC506E3BA1416C936BFD66E9AED3A2C7B0A8DEDADB04AB711D147F1C1C83322EC1E6F1468AD770663C7938D4032758462513652498CF124B6357B4F7C7E4DB0D0C0C1B7247875CB6685E0567A8AB8CFBE9383DAEAA27D224CA9C69C07AFA929FFC09A03E165D72153AD2")); test_xof (&nettle_shake128, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("8D876C67A5CC15A544EB81E93B6FC15713FD1C55D778204EB6AF7086AF3FE97D12B4DD22C7AAD54EB9C9E391B90A7C55ABACC3C81DD1788895F17033D561060E2B9CFFD47974F196C6907907DFDC65CDF33BAAFA7049635A70353D92A56A59ECF0CD291AB9B509D296356E8B0C91983D158DB1568681DE035E56B86EAE32AD3E0193CB816BD2D111C266632DDF907BB276E14880571506E2C328A3EEAA9744210EBFEAD123E241A8C49C92ADA79B718D970F0E8525A60FFE9074E73491E6F0EED1E047EB95CB52C47F6A1BAB77017D020F016B64798E5D7FC360D5FA213D44E5B75C918C9ECBB134CE1DBE13C419DA62326A550AD4A22E171CE75A369BB820CD75FDE01993CA131F302BE7941F7950A9969D78148FE7C45BBD22FE83AD0354194859F2F0DDA1C92F2C8EDFD3F7A9D8F618D0D02222442DF41D858CBB7A46E5B12A0923DCB53587957EE07ED3E1C4A46EB1141CEE394972726DD003239ECFE8FDDC4E58C50359AF3F89FE58F5CD5AEBC0DC6B9D600F3ED08506256F18695DDC1E3B459AD75090F0764FA89E5CCEC98EE0B387B5FB778620BDA72CB3E2AE50DE8B0D6B43F26E13A16FDF08BEA752B457BF486CE427FD17BD4C5890A89AF2C85B292C51CEC75490C1C6DE9D60DC49D3A77EEB7E19002150794234194115BC685E9981F88B0E1D9C6585F2C5F9DC805FF6C7636C1E06D9F5C018F74A2CE92EFF6B26")); test_xof (&nettle_shake128, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("E2A9537BAC3C4DFC9008C1A7ABA653883D7A1DF35685DBF49ABE5A7E93BF044BC3312A5E4D9743D72BD28ACC16F64AC5090A71761D936FB9DA7C782AF9BC1F636D0E17CB41C7E0E9DFBDB2017ECABA6DBECDCE2AECCE3ED4F59324E74D58D434096356E567B35AC85F7CA9AB80B1C987CE70F998ABE6536FE485A866A22CDCC37DB08CC742B4612121CF34C2D404B37E8EA8D90CA9CFD0C8C6ECB6B44BF73F4D048A0FD85591D8726BE6246DF406472CA05D18DFFEBEAB7ED991BE6CD2940EC9B26F9C9219DFFFCD721F5DD93CF5342A89A6C69168871B14934D4F1794E14B92EA991A78292423F5CD0A5D3454E55DEE27077D6AF78D87BB3FB9E139331ABF326FDE2FE1D3B1533AA038BF59BDC2D6333F968611A4F9BA66EFE92AE8C099ECFC1A36BE726816FAFCC0B016C58B1E42D2CC7065E71ABBD7CEC1ED547AEBF46F5DD72BD472CD764CCB3C4AFACA540BDC27F52F63151E9FD90AD5BBA7F84C9EC7E996692B842FB1A54D2860A301A9DF6F357C2E05C14154F5FB77A86E4DA9E9A039CDDEB10D6E5DE2E0A585B2701D48E8298BF71F5F72351F8EB3FBA5426286A82ABB75EA46BFC0F65A2E49567CFC970C36D63B2CC73AD7F9791179B1A0C4D84651DCE57B966410CA23CFCB9BF5BD70D56F5BF1A7C939DE74924EDBFCC614113C83803B123F3EEFCE2C809A7A9FB01C709BC09B5F7632D6B59E31A6469D90185477")); test_xof (&nettle_shake128, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("977735A853D872FF7C17C4A825AFD9DF886AC43387DF245C37A608AC7F4E0ED015811167222000AEE1968960174EE5A39369A23C5DFFB4991AD247B8801DE71BEA97069EA77202999F8E8CF3829816EE598B00C4049265DFBB2B138B13EC3194B988242BC099248BAF9997AED80E95B5F859D42B12DBD578FDEAE47CCC2F8D3E90BF6E8D98AFBE2F4813F68B6FBC4C18C9B8A557A0D87D744A4238D89260941030945538B2DF07E05FD45B50BD790A0510ED4430ADB3B7768DF8C4914E0914FB00DA09331F11371052D301031853C7F3C32528C0622A77C48463CD1CD96ECF7490F70F16E941CBFADE71DD8477ECFF1177B7193E456ECC42BEFBE070667D6F39ABEE5CBA354B33A83602C1C17280D2DBD0CE597ECF1FEC3B27810DF38C2805D8B85D60994EDD2C83F5898CC6623241F16C4C92444FB6A0714D8BF189AA5AEC9D5BF1448805764EA0CCC8B6E399961DFA7CB9D8DE8D800080EEB5D010BCACAC6728E8DE482C37270459DCBC80F496267377D97817149372A053B2D53209C2DD61216CC3AAD29C7238D6B142D71A92CEEE4710476C2A48FADB683B9423727CE772FCE2BDBCF781C119FB43526B8EAAF1D10F21E586952227E29BAE61FA2C7EDC6260F76AB543244E538180CD90C207330EF29CEA987F7ACDFA028A78D3E93F11EA159B21BF3F50FAEB7961874E816162D42735C9D3567AFA45D1D8B66CEFB58678")); test_xof (&nettle_shake128, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("1D96E0454BE037D890FBEB776CE5C922BDFB827AF1D1ABEE1BC8B3AE95453532D40C0B3F9C93E400FF70F6FBD4DD0470DF1F06E04AB4A596B6F92BBCAAD3650D60B940096260226913435C9BBF5F29DE8BCC9721748E3F1DEB7FAE88741084507E1BA72A267C2C2276D8BD8ED284578B46AE81230F383214137CD7C190524818576F77B0A53C3421E0476D91E11BAE79ACC4995A24FD1398F6F67E22033BC381ABE6DE4E0563238FDC39A1B305FA9403EE35800432999EB3421C8CC17F77F2A544957AFC2CE9496D2B739511B3CC52DB118EE874E43E95FA69D7EF024931377AF86A9448F3899DD0A87EDCFECFC1BCF7C17D470C71CC488744F2B627626112AEE465ADDE9C6719AC0F6E928C77B0BA0AE8A5CE20005C46768021438B611826675E0B94FDC7484A3854936216E2239650C794EF001EF8F9F4CB440664472445875D06C519E14C957D6FCFB73FB72B46CFAC4548BA94B95979FE5FEAC07035E0FDD21AF7E3B69228AFB2D97F2A333A5D40A84399C6D4F5A7EBEF9ACD08D66C2781EB9085A42E38C434230816B90DD838A2F10E727EE5F58D7469B47FD5324EF53A88208C44943009AE7A2803D55760A6AD4BC6E961C8BCC7F7F5BD07DA63709D85832E26772E01886B2D5B73CA488B8402C6A15D2AEC605D154F9A41EFA93601D26374D3FE8A5337E98BB7A1B5F0071D3C8BCB69CBD0B3683E7A494808C9BC4490")); test_xof (&nettle_shake128, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("0C5DB5EB4C5C83FDCEFE9EF623596F96D2078C6DCC5D9B5E4F1EB5ABBEA23ED4478895D9D9C8FDE4733933986C6CB4D03AAC65DC7BD628169785CFC5D9D4D33ECC7C6AC98312F020B117C831B2ACE85E1ADBE0A5349BBE9FECBC6E998C6DA1E2F333C105362506766D105F707D905CB616D8BD4B23ED5072E3F4D42412E3ED6C894CD37D8F9A46BE6EF9A53D60254F4E9627625A3671B234664740C24BDA608A44EDDA0CC652B843DF722AD38B9FD7F122C89D8DF0A68E03FBC0320BBA016A0F3C36FBA6278F9C2AF9BCFC9F312CE55F011255332505FCBAF0ADC512864D633CC0FB4D81BAE980E9522AEBB2A07199B238592E4379537E045CCDE8B0FC44B2781421DC657938851324F5FB6E1B7D9548A50CB6C02A71B16DACE90B84EF033594B2F0A688F6F9719A1008C1451353F8895AE1B7B16B27AC94B67F390D9586B7EE31AF7B6E7D110813A6A4E01D4C94F17A1EDB0633A1C4F69DE184BF4315DC98BD453FC22EA11F8EA5F5548C5DC09D3F186B40C4783AAA4BDE1A8F2AEED007A0BE440BE16649111921F779C7E284B8326785D87C3DF06A05B3373E88526D9E8AFDAFD8E673D1876711FF2F68ABADB7CAD4545F0DFF64BBA98C86D7422C4DFCFA8F2BF7D72FF0617BD076B4DE0B457F5FA2B881FCA5722864EBCA11602923BD0D6B21A9D7101ED1F34AD480F8F73E2ADF821B2B259D6DC535AA94D3CAD7158DF14E")); test_xof (&nettle_shake128, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("055C0A829125F20A0DBAA6106DE95579BE4188363C7D7E3F3EFC40AFF360298897968B250B8410829CDDCE5EDC80B764A5AFF16FFF1C3D29614C6BC4C80D095F0C73443E8FE596C86C83AC1D9BA69847F6E64CA643EF3D7010C5F9944A660B14559FF27D4A5AA9862CFFB67B47810D04C736BF842450A7E5239C5D2C61087888EB892B9BA495EF7031FFE2A56BC4E8FE4CA92D908666091D40F8DBADB0186DB30AF31A4BCD3FAF962B56271A4C5C4A02C75F11D13F3DEDB0F57EE554B9AA47B19109D3CC2AC58D9C55653B42BF5CC3C8143481146BB54B6284077E94A6B2DAADCCDB3E85FDEBD9003C12FC62DFD07DCD9CE747893DC611EB71580F2AFFC624958E1C78C1554706A1582359F6962ED70FCF82FCCDDF9FBFAF0023FA1FE771D358A5D69E6F8917EC3425543557ABA96D40303C5034FC7A873CA12D485998A856DB5724009B884590C284B685DE5677C76944D07DB1FF855743587374D9F0AB70136AFEE1D1EDF962D1AE9D9DB036F28499ADE8386E78D2D54F8F54A85EF0D771750A5D51511439ECFAB2A486FA1CF77E8973E977BEC186ED45F6C49845E9E19502CCB3CFBC4F2576D9D30A003F8C00DC209EE68F147CF17BEB5E5E410388A0CEC4643A3BA24B6532CD73DB049B74E4EC5DB415586095378297A60C2EFB70674C473488385B47EA9E9D39952AE9A515E139B20D76A30E65F09B7D701B3172899643")); test_xof (&nettle_shake128, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("9F8F1774FBEA8EC70D0661F8DCCA2953EBD20FD73BFD74E6BF037B4FBFEF17177F1A02E919FC2B40BEDCF640BE5F191D6572BC57C0F5EA29CDD413E8A97BC24BD490B221FA452594F78136C68B21984DAEA6B61899C386963EA6F078A9A903F05506D0C5592E341A798DC46C0198C039FA2913B7F7560CA6A703A6A86B18CD67ADB53A13295ADE0BA89522CF98263094B362C0635890CF4FD14D0CE5DEAE75049C5AF37EDBA5C0803B26EBE951996018D66390FBD37FF9F24FC5A7435513D3173E26E1850EF3AE729EFF8C38AA18A41B97E11A7AC452445D7EC617B8E0894153B067EB380D83209D05BC1B18B41272ECBEF29472EC90686256F0CBBF9F5089A78D853B50772E494BF27FC0DBD3492FB16B8AAD6D7AE027D41AEB633CFA3CA931CDACD968C1F24684267ABF45534F89A362C1195F8CB31F1026D3D554AF70DECA0C5FD3973F55F20218056FE70B74A3311AC394EFE4FC0130B5BB092B33BA3B91E2288815BAC931C5625297C2F3180DAE4B824409B435842AA12F7F01A185F699FDB2C6A9D42CB475B0493EB6759FD5809781560626FEF4A4522EE06A2D3FEE7CA2203EB84B717A1A825A2965D2C1C1CC0402658EC5D2448961F521AC318FA4A672F0F8051AE59C05394F84D25A1F9E27B21550A71EC285C8B2F86BBD8FC0DA09614BBB635F905AAE3D401E7969DDC9FE0837959A6749AA76FCD3A70920766662")); test_xof (&nettle_shake128, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("E73D11EF660C0F9B35CE16C12C58051953C229AC29229FD38E00ABEA6FC7917427D30952DC52FF435A928F34BF14EA4EDF960C78A5008F4678727BDB4C591D47C0D3A1ABC314CC475E47CF68B243A0F193B5A0FE06613C2715829E672EAE605905E6F52624F971731AED8D1CC022CF166C7391E249626FFC578F2CC48F89784D7F38DD14012151834DDFDAA245922A27FDDA1465A8056C511A72A784095496FA0258007394C193ED705588607DF19A6452F4E5C890FE648339A597418BA2E7E706C36D3DC493A3A6842F39409CE186222AFB81EB044081C6145CCF8B0E852DC602A2B7031355911A7C1B16ED74E8BD6C4EC8AC56511768C008BA25343FE5CC7AC262C4662AC803EC1082A52A0530F0C8431F68EF9F7C4C7DFC9C05228E3638B7A26DCD9FD28331F7B04BEF3956D6C49FC946DC97E935A76B3B2B4DECDA6113A9DCAB916538520B28DEFB05DB55F2D168FD6FAF678C6ED335A33C5DA6B575FCCFB64FF2EFBC5BCF2500F006E2F3DFB4C60A2BABEC8240143C779A3D9753F107BCF9981206922757E04FC93083ED10A77D5C603EFFF8592AC3902E2D07B72A5C75C71B631DFDBF3997744FD63250D2EBBEC2DD3BB10E05FBB3A993831D62A6C03F403E30EA3B80F2C8A3B80473C2D2F2C51B8B5563E46A0A57A02C4E73DA0491312865E15C4251D3DB6516A51DCFEFB1167CEF7021E570FDCBF862BB5B81B461E2")); test_xof (&nettle_shake128, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("B28D5EF1E7CB85B4406FD3349EC1D5F3727A9FC9C7132EF6593779B0D3677512D5F10A6022DF96AEFFB4252159CCE5562008E3E6BF02DC91A1DA479B5B091C88B65C80F4E8D83279DFECCAE72DA723842EDCB2BA02C4E3E9325804A04366E7FADCEE8BB2D678E31928D59F2F0A546C742D8120694F5F02810D5BCDC320855164F60226865BDCEC1437F262D6D222D1CBA8577910847B75D5C4549BDDDCA32C3768F1B789CEF62F56993CB72338274E5740062BE3EC7AFFF53215E894600B35DDEEB1AA1E9962B22329FC41A5696580DCCE450DE6C11F92332A3FD959CA5B367B9EC156FAD0318191314E98C1E2F82FCEBAFCB6523693A0C633B82251AA5AB4801B1AFB004FB28DE7B790E65F50E0CC85181FD914C76D915C1E220A53070D73BDC1C1BF2D0D9A3EA45697C3538AFAB5F577E09483195EC8B7737236491143D7AB0F81228031CDCA4EBB2442AD5AF92CAAEC92CC1F72E32E573D57BB48EB58453B0E0D680B7A3D46B4A5716B7756F8F73BC876DE181C443C082022C7A3322059F83AA16FCDFF5E078AF2F85562F0D60632F4A76B29F27BD91301B276CC414AF7C7B0A20FE0D0540DBC2B7A4F6918B37BAC345411247F2F7ED5AEDD12E72ADE756DA4962C2E19B998AE1A29E0DAF6379A45ADFEF26AECC80D9ED1714582F7D40DE0C3BFADF4A35DA62ED4357B88C45227810D63F33BE90529F426B6AF513C1B43BA")); test_xof (&nettle_shake128, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("D7DA38E9032FFCADF7CB93C9969171A0493525F8EEE3073DCC9AFC83C704843A8173EF5374C4D564BDF246D41AF6EDD0872E5EE43F5D2C5C85134166F9B2AB9203CFCA96A405F934F3B834299C954A3D30A2CC6737935DB8C094636D659D8A3192AC8925809567719FAF13AD40CCBE7FB1099BF4FCF415817B32CE923B1AD764B88E6FA24A9F0876C84D8B6FBB0346A87248A99E15C528D8EFB167F6F1F00099D67F5B879FE8B7943726F648158C0356985CC48D92424A44B906B14EB8217B5C75D88E50311007C1CE7BADBD9A48ECCD4F8936B81D0C2A76918A06E3D2B2936C5A157D9375058162259D7D0AD25DBA2490AE1BABF69176B394FE2F00DC000EDA5A0DA049153C077D51A89100DD5B8EF4EC3868F5C9D8E4C1875F292C4FD22C51ECFFE30AA40EB4FF50FA00A61F6116A337BED4D13B52E12F06BB4F8A88060B77B9F1300B5D895F7314AE728421CA951FE8DA4BE55723AE5533E59E06E0BC8D828603CEDDDFDFB9D82506141E1D90FFCD65403A94586C9259A6CB18550BD22B241112DD9D866F12ADF2B009740AD71630C35B16E062460C708831DF28918A5DAE14BAB1CA781EFFAFBD267081A7FCDB418417717756F34BD98A799B02FF2E275193B0C1B721C2696AD732AC77AF212DA45B22F27D54D1559A1CD7B39A49A6286D305DD4A257452E930D5F2C3CF16C6674ADF81BE1D8231DB6C1B8A9CCAFA6E98B")); test_xof (&nettle_shake128, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("3A0FACA70C9D2B81D1064D429EA3B05AD27366F64985379DDD75BC73D6A8381045C2AE2E9C723462EE09EFBB1C2A8ED7A0729D0D9B20F03BBCF55A86859ECBE80C8CAB60BAB4C5D063DEA224E825E38642124EA705327E075B61D08E0B49DC184C5194292BB4A797CD24D924CC64816BF911FBF4985130A59D68FF0673CC8C4A390AD593BEBF16419FF464ECB3FC78C160B6DB9F755A5FAA7A9365B58CE7F90465AF960C48B771699E0EB227F5370387E6248E17EE192007128EE7AD3D94BB9A2193BBD4618AFB3A399CB2016ECD5F9E41AF10701FF1915A6E091F44F193B0F729CC4AF5FECF683B1C7DD2644D7458C45FFD635EEB85C79E241C1F4869CDA9E77E80F7B878C24E9AF77D22D8C7C0C406C8AAF50F57BAB68FC6C3A20274B6BC353E6D60DA40E8369139B4508DAE96DBA12DCA9D80A19041A3798B252FD24BF2BE64035CDA6D95D6E570EA868EB8808193B3792897A2147396A47D27C81D40FF4BF9212AB239D7A789D8CDD545A98B447F6ABBFF4BF6FE631CF2483881E933C1E62A21BEC503A6EA60F3B179F9CA6852DAABA4CED7ADE5E35E960463FA4C3A32F4C580F03CD2E45F10E32507FB2880827F56BFC5030A4CA94635EDB134580715A23C87D755FD91B1566D1A471F310EDB2C12AA11F2D280683F43155D67E2EC04EC2CB2CEE53A4D00F77AA73DCD6CAD61D1AB7C30A627CC75F83D48BDF9A76AB456")); test_xof (&nettle_shake128, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("3D62E50DE92BF40637D481CEDBD22F2DBABAEEC0E94D1F99F3EF2E68B1F55D97ADA13D2372104D63946E3EB7C50D7E58F5AA0D5730E4366BBCB6CD332AEF45DA6C4E5EFFFDA948E4E7E6FB9C49B46AC954CBD53A925C8EBF73BC4FD53ECF34F0D67026136E8CFF3C8B8661C9D5D19420509B47A19D4C848C83B791D1F843F8DF7F69F736A414BB9075B4BB6070FA094A0095F101FE569E45E4E7FDD2B3622B5B912C21BE28208CE90C7C342E6DE485D7344DCF3E89D9C71F320001C52054EAD0EC37B4CB356CCF80088DFD2EB63823210CA3767ABB13623C9BAEA9BE5ECB8DBB8D3DC97C88F6BA9C4A9C443A00E9A476FDAD93ADA9F64D12803DC7FE1C7126D23430CF680F94F0B218A06D5FB4F7698DCB5C896070A03D5DAEAD54E3624EA55E966EA64D0714AAF9E17FEF5DA0998F6A301B20E988579FD98831649B5F71B67CE86F65003EF5F160B18CA218D446C6A18F341282CC89E585894A2CDB24E107BCEBE66D3265895A622E51B617A57020B29E236DF78271B1B87C5FFEEEFBDF3F36EB3152687209929C800B9CB4A29CFE7AFF4302C990E60CF61ACDBABC3CD7F98BFAA55BD61C7D97B3B0A935E254D1D46801FB6A02567DE9F75343B612F95DC555340BEE70E61BA8B3E1D7478D77D52C5F395301178D42FC3DDDD1322CD31ECB8E236F1748260F45AF38A57AA8DD1796BDBC99AC14D1801BE95A08C1C6C61B70AE")); test_xof (&nettle_shake128, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("D062C8F1218F1DC5F3CA5C2FF3F33847F3F74C6A40A3C2C6C15E316B6C9FB36A7C1DA9C25833D25C8DC7FCF4F852E3955B4C9246F4CCC3FB9BEC64990E5D84730D56E5E4839EA23B258BE3660014C49645A268EB03BFD932D879B2260BF4C6CC4EE97C8BDC9C02E609372D1FC24029193475992A27C52C20F1F821F285BFD1F4C6ED944EE89A96860364E44971E0B6AAECD446D868C9F7175C7C23E980ADAFA860E690EBA14B71F7EEF16DA6017BA3FAFCE89628F64662AF12BEA0DC93222FEFA733434A4778F0F2F5C0DA2439C5C577345B59771A4991A56EBCAC98961E7EF8AE3F1F8062C1268DE1E6CA5291D4D7F1C1C4652A49AEA180A5685F9E6C8BA01F8E3BE7C1E5D40A9A0CB8661FC77F624F373C90DA1876218A78BE6507C2E999A25FE87E5F334ED83689936AD06A7F031590AD13105DCDFDE7554D42F85BBA80A03D3C1459A25F07E93B77293B48E8D831EC371E268E361454CA01539357D4C10255E3DB0576CA7F9E6F4AE766822274A6669AB218474F9D0CB5B96FD0A55D4F454C6EE31E3A040568CF77F97D5B8C4FA783AA5625BD8EA951DEB4BEF186F37663AE83B2CD27276A390D730EFBDBB798049B151E4962B5B17C4739F9127B87CD5ACB00C4CF04295ACBBF53324C3C539BDED5E64FB4A3BC08076F52EB0A4BAB60138E50DCFBE48765047FF4468404820088485974F4C4FD8546538698EA3904795D")); test_xof (&nettle_shake128, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("ABC182A9D28B3E043F887C072ACEA1E0E6C26A90BF6FE9E1BF925D20100C3F8E46DD5634CE077F6768450626105210BBD36789FEB64E9E0A0EB5007EAE54D2431156A6BAA49D85B31A716B69336DBCAD7BD43F0C9AFD4D62BBE69D5EA276F01B1B39C637BA13F9D5CFD637FEFA3D80706896F47A58D602166645AA5CAFBF5C280EAF765A47F4981A9673EDB27089F31314A6367BFB333E4A937CCC3E704218696F998A3269518965BEA095A934C171F78979D6CED938F8FB3D6CC8F61EDEABFDEA038DBF7159917E3F941C2D17E351390AB77678477B11D2DFE2351180E305025403FB826255DEF38AAF0ED06BC2AF707337DCDC1E5A08FE03E9CD043D5A152EF37FD4893266ABC1875DD28E2C7160700899D5F39DF5DEAC2E91131360922F2ABB6BFC49A8FC0B638CD13B6037F99BD0D72A56346804E146E8B2889AD843813DACB56FD8D9909A989C82064E4838D4F01C19A8E8D1B189EB060F642CA5CEF14A2F361C1F34D968FDCF37D7837E3AA9B866935095966109C763C8DD1CC70DF91FBE7B5AC7FC6433F5DB4B780BC9BE4EF862B596E08AD32C201A07F04E267EE2705245C48918B71C84D78BA48AF70A4776523D37A8B90D53AD45465DABA2B48CE0C09978FAB5F4A0CFA6174D55612B7102CEDB7A591EB6A778BD41CF3C289D06E86B4D329F71DC6C3BE75D7E661E7E9B5F4CD92225FB5991F73237E2520B9AA604")); test_xof (&nettle_shake128, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("BFCBFB531C1689126C2323F9294C1BEA280013A2315A596ADA34F022BB6D3D8A699BA8E2C54AE3BB7B32C422C727B41678F781D652DCBF1A40B8627B56E004AA5F1753B1152920121B1A2D8CD5E9CA02929BE7F2EB433BAAE2FA41830F146C72A12AAA97E8F8B863749B3026E99E0BB7E0A937F003604B470C913546E73413A86EE2E9892FCA2A7839B20309AFC1FC9A0EF14478CE0CCB5CCBE37469B7DAC3A7B74B253CCF2ED085F9A0BEF3759A4002E2E67F81D953E9BD53A4D39A267CC0D262E5D80F50F8B87D816C91A2C64D798784A5677744EE02B5DA2CF07D79282BF8C791433E0B3E296C38AD9E0162BAEDC89F1B368537103EF797AE54E68AABD23DE81B760689839341155930796AD7A49702113F737D0812E20B850C38C3767421177B39FB60F3FCD0B81A50A8624E57B676203BE7C8BDC66BE9ABB5A1AB175705DBF65BDF5D119F331205AA74E6E04C766E408D0B2651511CDC513C75C6E326220DD3DA4A12C82317455D450F44F5F1E55BB7A91BAC1C34C1E405BAF53FC8BCBFF7EA119CA53F6DDFCB5E4F2892B837846CEAFD8ABF5BBACF09A3127685B8B40A2452E52EA6C006F22EC7FD9DF925B939570096E5E0AE74D67E46E5402DC94D4A47E460D718C98A4426F3E68DEAE1A4E509707A20B136FCCF3C26C8956C14312BD855F0B3FC6A97CF1C7E9ADE4A4907A7CCFE6EB5830D17451378ACFEE3884E8A")); test_xof (&nettle_shake128, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("E3A05F6157BA90878E8C394E09753A69D271C77B233799E0D68A32209F0CDFCD5E3F41DC9109F836A4C45043E7EABF41946FD05922723B0E6526E5B99B10E89B3C4CA6CE5A2C6C431FB14E6CBC7986C4CA691037B1F306F8ECAA146D3E0B5736A53A2BE74E1704E65864C3ACF042459BBFBB440EC73EC884D89AEE7525CECBA651429F2CD092E4B3BF24AA144873EB870749564A52AE62FC86674B0D9FCEE67DE8910DFD812CA75A47F8FD0B2393E616FE8250899C36C27DBC30716C9F5FA181AC6A6065B73E3DDB94447E22EB858E8D1E12C24B80D99D4E6291A0D588508319C5B54E616270FCC504D5925B0ECB12F211C3B63286383498FA1A7B4B1BD399934DC6DF4B7A6BE0F42934052AAE7624EA4B6837E07EBA9EF2D066A911CF71776A2EEA41E04122E5AFA6F91865DAC64686212A93CCE21305D925606FAAFABF7C6D27A8A91C5BD24730E2EF0F11A9467F7661736123E7B8EC29B4ACABF9AED239EBF3C79F4C37F54DB912916EBA3A91AD6362DC616D7339AB457629BDD0FB97B8AB605B9FEFB65E2E70FEE3F2A29A3D6D487682BEE87D5C615870CB615ADF197AEC1E5EE35C242149DB2D5DCDD598DB5981A5EC57D31C9644CFBDDC03FD2F5F8881D2244A094FF4140D252E2505089337B925D84E3EF632C96888E0FE5C23B1D67A64FF3269A430DB1927CECE798ED159DAAA3B69819FED596EABA5B6BF4FE3E688")); test_xof (&nettle_shake128, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("2D81F6711464AD6B3DE6F985E02D52C30DDB350BCAD92FC15DF3A67290E4D74E2EAC52EBF9479DC223770D6481B1A640784B6E4A31EA840692E625BB2D400A5C0C7966E5C4AE2A4CD0A3204D7DB266745D64122F83141FDDC676B57713E45CA04139D49BF42EDCDF443B5600668C1534953AA95FCF4BF9A8EE8B52680C9463E5CB5AAF09F18EEB2885A061DAEE4C3EE5DD6E824BDEF31A93E092236F91B8E2ADE094E718F8E203E43EF00A843A2548457D0EF2315FF91E5221011B874CD798254FB4A2E4C65405644E0DEAC6529EF59EE52F2496D9B19485E8128A76548C212D667637213B637919186AFAF827A1A0CB5F584F475723D7D2EEF4162E05F9ACD221C3416E7E88D22D4C471A05EB0DC70822E912942261E9369C0D35A672ACC5A48C86D6835ED99BC201A02CE40E86E0C096B2C34E5BCA207E5C5C90CF86BB3CCD7FB89613E53EC90245F9D8315D1102462CE10AAEE4608101AEDB37857DB22ACCD5B024ED323151D75223E6CB0EF402F12EE2905869396EF6AD09F6FCFC57310BBE46CA7817021DF43FBDCCD9D62158AFA8F20300F8FA17B202733438C1F6B0F1D1FB1FC8AD8414E864DEBBEBB5F96367135224581B9B8E54E64937F708A2CF07573A42C45444C37DDB1287D4D27CD3A9DBE476EAB7C39A37722BC4A1345A34C168DC93D48BF719E79F25FF112FD687B86C20C98533CA4B0FBC1F3D4A6CA469E4")); test_xof (&nettle_shake128, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("CFDDA60353118CB298A271246886E4C7F976465C1B65FB51E87F7E5A9BE050B38BA3EB23F52116F0A13AD802E12AF81A0626A51C17E9EDEF5CFD1937BD774B4E63B19BF1BC61A4ED23A2ACF45869E4EFE9CFCC8C89AF6861E4122515E2B5EA8DBF024F36EFEDB7E6D6DDA829A5E45E21466F4BFC55596748A9FE0A61B3B9B9AB2906008DC3B8BFB71761EEACCE68FED2F0F0B380661831E4754175AE79E9C093DB7F2219C39CC36EC72EA39C65128D835127C3808DE4F3113E9CE42BF1F86250919C8907E21B0905D960480D9786ED5BE6FEA4CA1017708E1A153846AE80F8C81DF6118DE9C25DE8B72473E5A2F40980417259CA2D3FAC3AFCC42E1D5DDEF03673CC2D9A7E6170357085A135B31B6E8334D331E222055FE01AC3DDA56472572CFCD908797BBD7B8DA672E2F9A10497E423AC9E84C17C81F81A944952C7511FC34C5626471B85D80CBC618A68DCC343575219999F28D01F732E76DCD6B056F60D0A9CEB822C1BB772F55BC85FD122A0972B0C0FE8B88D731887656036A4A4278D0F46B27B93530D3DDA7A689DBBB73D9DE39A6F96082C8D9B9AEC1FCEF64C7434C38B132A66B3E2DD51367EB83FEC5E6AF8B18A151058D092ED381AB4A86CB542F54EBF5B0824DF726B91DE3BD088CF8D1E55EB1F2C834AB5AB9E25BDD0A4445C692D568B6458BC29CEDB6CB5C5E7C29F16E1B95F22C2752FE1175FFD41F112EE")); test_xof (&nettle_shake128, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("8FDB0BFC41E23944858401D837455D17966DB41F4B9D2BAB52E208B2E32B22E1FBF3CD83F13B6B99F14BCDE767B286F7D16331FD56DB42A4ACD9C370BAFA8C99F91A5CEB24D52B52CC657686163057471F2D8C982AF779B05BA1E49114BD55BD59E1DFDC69F49EA96F771FB4F6B67D1606E6D652368A31CC3F7418427A8DF6FFF8E0B5E43EFB6D9795D766017284879AA199B6726C84623ED69288633A34D3742D20F1249E1C70370BB19320627598D208A7531EA233E772CF7F3994C06FFDA7E63B85BEF873CB89A83499174B461B36A375FAE6D5779E23EED9D6624DE2EF309721C428D8A64A2FA7ABDE1BB56F66F04225E30501AAD9B9D9078CCEFC8F721252A232B82D984DC5D1A03E9F94630B4023CCC4BA6A47FFBBCABEDD754BB403C25EBD27D445743E17DEF49EB16A75B25921E49373A4A669A3B3C6BF5ACF72FAAD2D9E0AEC3723FC07E541B72EA98DC3E7903CC89DF00F6B20F147302D6AF18FC94FBA446D37F5EA3A49A9B2942DC4926E06F6D385409753E3ED1C9E1672B783E491635B2701FCEB0F133C1CDF9364B7BD55CF1CA89DE5ACD13FD7B94B3EE849E789454EC39474636522FE41EA3504CE134610D675D5CF299F3E94686F1AD9BE58AF227928B9033823CA7195E6856F72008B31F4AD7095F98B4A5256D2A676817E02E7839B2B875B59AD020B97BCAEFD515B061F49526821043B3B1A1F29B61F5B")); test_xof (&nettle_shake128, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("64C80B3CDEBA491185A9ED7E0B5EFC031E36D4F22F9B99A30237C5459C7DA37B16296A7D2E221B314B47F524A01D94845F7B1F38D7D52DA83860E576E8910365A217EBBA342C7E26A350FFCDA54FAD792756EB1D87096F0625D6B237E77060E350B9CB9179DB967BFD8C63E15AAA24336B8314B692F027C99EDBB757E572B0DA00B45D90200BD778B396D18375D77E0CF32E7EAC5003794A010B3A1DCC5968F59A0CEDD4B2EBF4F0F151E5D8F88C297506295080C91CA11DA2CF32447245E0667D1D4FB619C514014ADFB7733D972198BA4846D57EE8D9FF73D543CB32CB6822996D04B08AF13DF3A696DF38C29B677BA6FA481A5A22D2611B8D721EF11C4361A3205F75C90B7B439B47893CD5C38462646355800EE91DD9366D8CA3C2EF754B8DDB4FA83397FAAEE9BB24EE4FDA89532CD7E1F05CC4D52754ECB59DC6BCA363D9E804B32C47664BE92A23023BDEBABC70DC45F15A708D5A0CA7E6F461C825D58784748284722DF182296103D27A2868C06DEFCE8F0669A173A9EA7C9D7BA1AD721A48A7076CA7E005D0BE0C6F5DF889747A581B54674DDD18A3002662A8D1F1373CCF9C0760B008A805E737660CE28BE2DB4FDFCA40BFDE0357615B8B09B264B9A9C3EDFB70F967BB520B09A76654ECA9FDF6AF19B298DC3348E7A5771F3C3E2ABEE576819A1C59881E6B8FB1DB1B114D746E90CE6F9F6C09ACB5C46B03653E")); test_xof (&nettle_shake128, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("50102CB39FFBD98F3499FF53914870CBE4440CA8B6D61B79B7E6481B943D8E532947D06A5E04A6EC8E595958245088FA807600B1300ED4DE47A2E800D812BADA538E351DAC64DD3043E7F655B411241C9031ED2765264E372C6F59435988963EF83098452029761D43E4D329CBBD04825719ADAB1920DBED999C1C82BC9A362AB6C0DE15A65EA6E7EAF9B75FA15543910E7CFC214F25CAFBC771D9E641FA65A6F52FA97CE428910972EFCE8C23FFB56AA5ECCA3EFE08E12125E3C88C652C89765AB1B72C9D16AE3CF4C8A413ACA5675C18439F3909BC8DA92ED71C7219A89DCDBB3E07A3A8D4145B2D65E9525D3E583C70589D79519793F463DE6799D682E24E83E91A96E866BBF0BD72C041DFD44FF345FA83C24C13AE0689DE442DD01C85179E69FD9E07FE2E2AF1F5D1B5365FE16C3D9DA5F1D83A6BD71923252371D230D20DE8A76A810EF29469A370CC552BC0FE8329CDF85905134BA4F7C4F77FC83BEF84F7560ADCBBF8D384267AE24EFCBD78B8DEDC130BA739C5CE96D8CD05299C50037B94F9B48012BF346E079C4599C2DFBBB1F3980A1800BD593ACDF5C7E355D3CC44CA412A3565FBD8B2A9E8A9E44667979C9B261AAD8EC2B201259A2D7E4D5DA6D5DE05AE61760EE8DEA70CE5F380BF3F1620B3C67D8EC5DCD47EB14C078EFF113A952B7C77B8E832DFCBB5E7492F090D8D4A9893D222AB77BEE17501B8CBBE")); test_xof (&nettle_shake128, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("EA2A6C14ACAA13B8CE15F4363206525A44AE834D82B000EFE0438A4321EC1EB6DE31390BB495EA7F067D4A3FD9BE173981076BBE4928F2E9173F4A3158DC4DE9F940BD4C8E76C2F886C5D4C07A28E6CA1B35A4C31C153323508DB12D63908ED758195CBA55B1B8C9687D219E4B053849D5134D3BDD8D8B0ADB2C02793677853D6FB496813D72DD415F9EE59B6C30AEBE1BE2CC5FC3D9B4D4456AC65BE1970E5853F87C57BEC289E995FAA9FFF16AAB0ECA5EEE8319897D24E6D68F29B9A8937A0D98717AD61370E25C0F0B68974D41ABF5DBC3C05A26C4B5BD4C60F5D2F2F0126675B785CC2A0D0BD1B2EFC2BFD14790AEB55DB281535950891BB90A6A02279852BC07D6F03F7C42B4E2B4DA0008E6CCC0A8FDDE198159F6A2BCD516EA80D48F8EE63580ABF97980530AB589FC2158705EB0B5015D6B92D41D4D985661BED07CD1E43595C1A9C902F08976F22E01825CD2C9970A2D09FA0AC68C3428FE2B4957E528DEAB2D1324DB176761ED9A3CEFD129EDAA882C848E994B45D7DF77A489569B1720C183902A5A7E8116223DC3CD0FE84826A28D2266834D0B09AFF134611203D8704FEB7F1BE1736EC9868F4F638598BD530F6D0DAA795EA85C2954DC188A27A14AACBE2EA7CDDF85B3DC9F2DF61175530127AF3594EA39186F9A18348F9D60DD2B32DB207E5398F59DBA345511D9798613D66318C7F3504A431A0CB8E9D9")); test_xof (&nettle_shake128, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("3325661A828829064E99ADEF00E99E8B9B08A53A4C6B008FAE8DB1A833CF26D83F3F8C613DEFA9885593996ADAE75995DD196893DE7A89718296F12611B3315E22218B8E26E8124BA7604B4CFE5F427DAFA90E78D0B5E14351D52F9B8EEE659B54E07F1A8AA08281B2D8672CD405359A681C74E84B1F6F6553ED9B5184D10EB608B37807E5A824C3F0E1126824ACF192C9767919F1070E77E2F81A1B5E5DDAFDCE09DE562CAA1470BC1023E0EDB8901EB9CCFB813366EF60DECF20D0BEB552E7883EA4063383B123D94C35F5D00D57827D60DFB3550485B75D2235400A696684289962C2F71227C847548961B4F3631C656ACCA90F9AB21547A99197C32FBDD410FB7DEF62D1B293BB0FA36921BEE609A6D7C2C9D6ABB287EB2920003C1E965BDDE75A90A41518855039E3EDFEF1A3DDDAA192FC6198ABA7C0631949F140291FCDFB8D387AD4C19F71B6EC4A6C3F5B22A0F8BBC0F852E03953057CEAC0183569815625F566F050AC6B14BD87D3056A8FA5D99E621632AAABE723189B0E87DCD3CC3D29A4E3ACF2EA915A8A7E0ED73AF0BB905A4E8B0599D20D699D2C971BBE338C964BB735F72540D8DFDC069F950AA13C814F46866A32C3EFD0EC5D28482298BEE0CFED7B8725E64C75ED0A35D8DB157278D169849B56AFF015603E1006C168276D96AAA91EBCFC6C6890D5382CDF1C6C5A1BB6A3C090F37ACA605E9E7459EE")); test_xof (&nettle_shake128, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("1ACB385112F369E6D00420FAF1291B1BAEB428C09017B647D7343DD2FF50870CBD47601EFE679AC0724DC63CBF543C87DF5060CB0F11C786E97844A02BDAB528D3FA5890DBCADD9EDDF2DE00A639B0FFB8FB2CDE673F66C54BD554E737B5F370F53823B135B3257AF3394408A853666BB00139F147C6EC198A5829E8A5F85279B306A428DC2579E66E1E18EB3C4971644DBEDF4F99BDDC9E4096D0BC915AD1F72D522395C6306D047C399BB1C4877BD8278FD29926C3B74AAC5414E9E0936E01DAEE1061C5CD243C380AD802459972D3C2DF479719A554CD9318A8FAA3016AA6EE057A4E57CCCB698A4B0EC411F31D11F0642053880662EB3E098F88F74C65225669A4CC8F3A04E23F6E5E40F9A3C7FC2B4993782D58B27F80040DD94475A85A14BC792C6B86525D359CAB32744E2BDB4890A392EE847C065364BFA18C85D7E328E5ACD9F04E6A6542C8B734A3E3795898D7E48FFA8686CC12497883092395239A55E56AC18C4D63A9281FB8AECA2C099BDCCC65CD239CBE597CF5D577585FDDE3F4B573A666C2D1E3C611DF94C9C519DCE3110C33EA697FC1955127C91BDD420DE5EB667933A49E15959EB3049C7D265CB638BDFE3D6425E20DCE650892E0FC346922A4277C1CB1ADE59886F8006F0D0074937E852A0542B5A111CC4ACD65F3B2580670DFD41C0C9EE3CA5FCCDD7743D131EEFBA0543646B31A9EAAC4CD30DE")); test_xof (&nettle_shake128, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("3C7002A2ECED36B19A3D71464F86A526D0F2A92CA76FE392810616E75A25C223F06BB1EC3BB5BA0D00A51958789DE67724E1D57C4806F6752E610327B4C84E9C5E815F8765E6B452376CB1EA5E3151C21E789FCBA16ED05306C53F2F089B21F2B5590CD4B48647CAAD444450A1A60E1CD0BD87465C2A3C2D25B15146767B6DCEA1A8AEB8B717410EEBAB139B041FBBA1F654A7136B7071573316B3A7E5BCF8929CC1465FFDE55DF7449C7068EB1D74C0B12418B50046FA2197A47F4CD15E7D3702E260C188CFDFBD55CF4332BE6CBB157FA8E62D003D902433719B516C59D31F8F935CED0F010EE66E8E48448FB9BF3A855BED9CC604DF713A689009223F858DE44137CFDAF2B194131B84559A98AFD4F86AB13D7A1DF01E414A10768F6D48E426EA64A0602BDACA1CA56C903940A35F28842922C114F25F7000D720EDD40AAE30F300ABCE4FA5A3B6088B27377D7767762B220DA383308D00A43E3B9EAA1899C3D4E261EB132C41029AC024D781001B56A1127226C3517A015782097D754233D83D3237A04754F3F22547C4321FC175F9E83E679B0EC7564D942D77F64EA480780242CCA0BA64A8C41C7E94E575CD9E60C229E4765C8BC993048A81EB4D9A7F1F1FE449ABCC1CC5B5CF500D922A3DD26D6ABC62085249AF7A60271177B19F2D150495FF3B4E8AA0414C58FC1A1979EB9938FCFC6AB3AF97B9A7C8C94D12C821")); test_xof (&nettle_shake128, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("E22AC7FE9DB19147B2DBD586D6C5837A5DD3DF2346EA61DAC753B0371274DC110612AE3DB350EAFEEB89BB1179EB9D84A0590B243D0DD9BAA00796030D2782F0163E85328A0AA06974A7321E66649281DB8C506400310AB3E21243F4C2CC5CD8B36AC7C35C235305E6B1585B33784897D82A2D31F664D963ADA323A9C922A61D9AA5BEF0B90C6B7183F1FD0ED4128B2FE0E12EB6B461176C52AEBFD608C00C7D79799071AB30DA33CA9AA26932AEEE0D585905BBC853E80AA746706FAF7BE50C90C1FBC18E290505277E9BB9BFA9C767E952A68C4F93A044F62E066E61A0AD301BBFB921C818690BF6D116C6CBE7DF174A7E57E22294303820494757B3254AC40404A7F4A6D1F9624E5CF3A770392B2DF9FD1FFEF01AC9AFDC74442C0EB6F11E1EABC59270B4DA6F2D6356E79607D6462C08A6F29154BCADF4FFD6E20ECB700E188E523B3930E35C8990AFAD2141FF71912ADB07DC00D5BB78D7FC5590467815BA9F46CE4F5CAD34910A574687D8F7FAC2F60B34D4C3BA6D25D3E5118B851BCB73C1B1004A623F8DDC8A0D07AD21B45F543CA8E705B3864D1C4FE024A19ED5FB0542DBA0C39FE0A82D83266D9C124E61DDB107D8E0AB57C970CFE5879DAAA7170022408F7A9A228196C5C7AC614CB98CC276D1F5ECD79347A41D97360A19E65681A5B75E78C7F79ADDCD401DA6DE7DED3B1DFF1F746806AE03F496CA701C8448")); test_xof (&nettle_shake128, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("FCDEAD82F39CDFCEF99C1BABB674A9A8E24AC594646C31D020A4CD2BC2554AFD78C4E413F7804FA1708B9F4000FD860E3070F2E1BA9EEE3805352AAD655B4B0A728F2D5FCC43243825BC0DCE33CA716626DC76E920D72575E26DDD7110D0F991A91200B513AEE23AC9BC7043A152ACE0CD0B49181D2BB6BD36E93C0B627ACA9C6AB6C85ED70CE762429C8F262708103284C0A792138F10E8568EFB2399B38A31055C1188BA59344E6A2B73D5C04AA524056649844D1DADCD07D35DF5D851EBAFFCA5703B80153EA627B1BADFB2885F70F786D34F5650FE73E3690A8A96610059253DD3ABB5FA7C54CF6E77695D24A6594077EE4D3673F9FC56C62FC7F710CF872014C0A7DE8B1CA6AE8CEFAADEAF5F4D055FF765AD418713F2DD08EAFB5E16EED9FE344EE8D4388FDC22351F63834017B539E3FF143F394B5B74D06F65E96A7A3D028FD14F6C7001EB7AD2DCFCF4B2447AA173A2AE8EDB581B5BBD89E8A468FE0A38507530B9795DA3BCEC6DDEBCE9EB3132EF18C9C2A8B936A431C8B121FA996FF9BA5CE522986B678A5EC99A103A91CF33196E08C82DC65E68AED238A9316A73E71CF5A67CE440B93BDB845B3A60539ECCDCE41BC723EC9A14EE4E082F60C0BE3D5E50DFC8BE1E86A97ECEE9D88E2BB2A3AFF47FBD6D6675D81EFE0708926B81AB314A524FC745090162D2AC723C4326E0F9E16FBDBA2B1E9914BBEEDFF96B")); test_xof (&nettle_shake128, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("F9A4D63D82C6EFA5B1FF90B26510ECF06C53BB1C3B7427B64C41DE1FA03BC0728085C972E94A7FBFE5F3150A7B9FD8477C6CC1C250DC6FE017B0D0668ADCA12E3C1C9BDC78247529DD1F69198BB0A371072F0225420AFDDFD64AC1F7A8F06FEFDE803579491D8BF61D6CA84E985B1EBC7F0B48822B8BDA9CF9AAF75B7C33C5D360547A34C68114E8A894D658E4F27E3C137E1B2A203293C015975AEB49AB315D142024767836EFE41DDCF42458C5B5238ADE07302A0EDC28A5E4F686D1F98372A179DCDD2EFF78914AEFA492C05AFF03A5CA3E188F611AC24922CC28AC8010572F406C0ED1BBA849664952AE23842454F60D7F4091D0A4BC2CA6C7B3E1C7DC72659DF6A709587BDB30FFC3BFE6391FFE3D94084D93F2186024B9AA7EB52D5CBE760E5E3A49496A2239C9C71FD2C18C199441F7509108B8E32BCE086A110507038069F99477DD9F75EFDAD8ED861C38C61E2888F7BA3E1AC237A2703BCD64F19BEFE921259F88D225B9B5461F070297A28908A35D78BD66165C8CA532EC58C64DA1988E39D1237588661933320C80B30C183126A10222D6C2DEBA60A55EB6574AF1050AB4A6253817EF90A1DA8B42633B97F792950364D1E7C490A5A2BBB8C3412289329D2B0A644F8A447C5CE8A420C402429B94F4FE11BCC71FA2314D4692DB47EC2EB58C32513B07B7CF7DB276D1AB7190232E7025F805CA2FF9F27AFEC20E")); test_xof (&nettle_shake128, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("CB65EDDD9ED9FBB19E03DDBEE2D0EB5F0C2610F0AE9F89C50A463A303C3CEBD64345F39F1CE7E04BD5AFF16B15D5DED79E717CE07ECAEE9B7BF1841B17A1266B5F92F2A92D6BF964E53C3727C50FD9418C1CDBD06F0F0510FEF3ABED7B4CC31534E885EDD00FB1316617D6433B249956E1565BE72E5483EDC6E5E90B470CB2E089150D3B3B70FFF3227131E0DFA12A2248C064DFC83702FC462FB2165CAFDBEF309EDF1BB785ADDBE17C6E6DE702BA4BE1229A7AB7BE122306E306E92D0DE7020FC1CB568F5EAB5F0A2140B010587DEBDD8404DDA2C4D6E728A4F1A55182E018789CFE03600301641D5DE2DC58FECADA9A9E1425DABF1F00EA013C05EF3D64113FF351F10916438C6B92B6B6BC5FD3D6CAB43669A1C60ECD39829C327899885EDBA19B8A9B4992805916C460E5B5F72F53242D206D2B3DA3A976784FC40B6A4F0FCDE7422453565398A040F9E5545C482EFBF9D3110100DFB04DBFB24A94FCF3FA05406EE9B7E677BA0D3A52032AEBC2CBA54DDDD8CC0900C90F48CB9AE107DE01C3218F0EF5BD9DB9D7DF8E926E60A384DCA5299610413316BCCAF2821B926174EFBB791D465F887CE3020B908B07E545A386283E17F980639E81E71B0203A3D22EF233B4B2E593FADB04503F0CFC5EAD74075767228458B1EF4C5DA77D126D6DB7EAAD6A2BF5FE9C18E562AFE5671DCCB60F8DDEF168375BE45EF2A391556F")); test_xof (&nettle_shake128, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("7A3E2CF760D677AB42125BC78324A8E42866E2C148087F92FF27E149DCB2ECC3F3209D3000583D96C60ACCBB637714C4175B0DB1F982A99A7D121774AFA37ADAC741AD9CF72BFE7175F591E18256A95A0CBEEA06B5CACE02C7903B1448DED23F3A7AD61F9C5CE0F61235520706667E94062CBA04F735CFF813A5B7501975BB7DE70747E619EFAD4D548CBA8FA818A0F4B59F8974429075DC492E014436CCEE77FF6947FE3702659A14BAF89FDEE45DEDCFE4CFB1D45D59EE5D79DDE87C187AD1E04F06217C41C35F1185E63B625E30E67C5377A11909612DAC6539F72A6BF46EFA1674D41F00FC2DF3A603A480517894B88556971B793FE3D14E7699762641913ACE9460A4791487937FC6C94B6A0A091C465A3EF24EC55ACC8BE486255848DC7BACE4A3F860C7DF0307B70FB33D8164FE3FEA9ACD2BF3484BACEEFBB4D24D77BDE756CF7614BC2F4D037E16943E08437695DAE204CA08972BE843F59D608325C7D6D64B136148887B49FC71ADE52B11E80576FACBA740D88993DC77DF9B7ADEC54A6DAF3149B21B9D0D910F2EEF2C39AB3304F2E5656DF646E551BAD1E4B2BAA3C7BA7857CA2387F516A0DE8600F14B653055DB1221A57CEAE2E4AE4D3102B60BEE67A5456E0E2C0E5A0A2EC249A3AD11B533005946BC6038A98D129FC696F48F05F0914913D45BD7626046ADDB5AE3BB4C4E1BEF5332767B49D8B576953832")); test_xof (&nettle_shake128, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("0622ECABCDD9A8C2BC20FE0B9B39CE1A6A835B5181327794DB2E1B40070FD9D89A498D242AAAA8FB5063D5E2AF45A1CD04CB28B96EDF844AA37C7CF6EFE39363AAE56E1E6C1E537CF8E58C20D5AF57AA0687978E8EA46936DEFD6A6F3486ABB9E1F04B6128710F75314DF64706190F4AACCA8FA9F4E1008385E641F40FABD228B9DD421E30184995720D49112FC429165AAB6DADB0CFB6F986E11866D138DDA8A5B4656B062D73CFCBC8B8873509FEA2820E150672AE7C01EACF5D9575EC6B1DCFF1F55E6C2DCA4ECE5FB4A6F1EC7BD089C24149F1136AF9018920977519F390FB7929FE84228D5ECBF8FCD5291791CF7FB6CA7208350CFD5D7A761CB8B6524DE5A85467DEE4202232218CE6B39E5505EF02452B4FC0A87C32C9B9C9B8BF5FBD5755313F551891C5D11E26FD57B65A42DEF3BEB07C88D117CD168335A7749B97B1FDB04C7ED3D2AA1A2DB4E70226F3D8B87ACC19A1F34F60BFC1CD0EA1864C5A991CA21C72C163D0B6BA5833D8EFC7AAADE5BC6D335E62852ADDAB38831AA04DC4247DC7E1CA5E0B2DA9ECC5358A889EAD2F2CDFB538D900FACE60AA53228145644FC4AA2BE363655ED6CCC47D23CCAA0EEA0048887E2C670AB4AC85BC71D1CAF7A1C02EB3C784FB189AE756EE9133115232A92105B033148C1C9806821BEB545035A1359CB4290B736D3D14C5F990AD2E4FB02A1780E34DB86FEE3BD2A3A9FD")); test_xof (&nettle_shake128, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("0D126808ED2AC9458F8002CF172966C8DAF02045518EDBCF87FD315F31EA781C73579DD9BE6A3000F7D6E5C400970D4B6731F90D75CA01E55EDE430D8A459A98C71D9CE16BCFC334BFA1CE8E18A70A50E3B795B810FE3273B9EB7DE8D9B7175F97C32FB057678D819B1134AC30797F6FF7B622CE48616436FF7C38453029DD7B35E648C14AC725EB49067DE2F0DFCED2CB89AC6988CA178E72D0D19ECC481748BE17E8BAAABDBADBB84D0B2F2A49C4E60C00018ECB61D2CD25D8841157D9B6ED74C70C7791F6F88CE61B5FE0F28DDD2B4EAE5E2A71DFF495907FD883CCD522EA1DD55291A5B274B4333EB62650D55B0CE61EC1761CB2D5EA39C712365309537918EBAC6EB8A0BE3D19CDD0F32FCA2C32FDA5DEB68EA99FF5F7B66EC4FDBC2F8A829A4B3512A52044A7F7C567532376D971AE504601841C8091695533266D14A14AC46A7370372195CBB4BC212EF72A18F7962EEE6738EF1A669B663B336CB324ED808C3AFFE2F39514BECD5D654715C85F3E5CDBD9029C1F589CD0D563AA98C6FA99769815922CA7A30F13F55843DD952F5724CCDBB58A269DA7D066A548540C23F4A740D82F90246D193C22A0CD0601C2030E08E5F0A9AB7B468DE0530F50B156C38DBF08217B63B726B85227A5FAD8BF9165E76B02CB00CF7DDFB03D9D38C882E81E657FE5596B66E777E672FF416A3155D4E2EBEEAC5B49A8AE3851AB13BA")); test_xof (&nettle_shake128, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("863DD45342E1AF41F682C138EE8DAF96308B1973B3740CEBE9C2999D4190B05C7630EDC87F9942F31A089712BF2B705F1F3D835E25E51E8BC6D5FFD017A5FC2F30ECFA82C6B9033AA336ACAEC58FA5E0D4F4B40BE4F60B0AB303AD007336B5D08989E635E92C7C0F22CBEB049BB4761E786FDE0E7AA378F6C492B3357916DE530E7FDFAB45D2116B3137B0BA6BBC5A04313757B26CB3467031D82A98025E628F0A3BCDB234D4E7FAAEBD7F7F4E94A2C4DDBD947A3AD2E66F7D45E66C89AA037B956AF67D7A2DD696D231D31159B5E217EF4A911A24B4C012AD67152C9A1FBF85BFFDEF6523629BAF766E22F009B6371A4C9473A42AC84E2BE89D2698E668373A01A2E8EDF60F9C7D83BA415EBF8588C0812A4409A5EE205D794EC5E3B5A3688D8520C98D516C877F5448B6CDFC1A1DF445008CEE775160096237EFC27FD32E1629835B6663601647AADE495A117C025E03C80D8DC2F31BBB7CDD4D2C50C7987E8003AC04226E5E051E8D2930F93C143F2804DDDB343591CE11FE55BED40A5DEB0728EB575694D4F62B7E7901E3A005A306961051A0219FA49E263E85E87B2880CE9C9CAD37F5DCF001DF265FB448093CF08EE592C66D2BDD37907D6492B05EF24E96B08DA4E55A289E6A2CCF65624257A754C133B54DB543FFCE3D11093576357C75D09E0E5D18D95D2FD5206A1F5750030FA789B83A81B6E81D98B1D360C179")); test_xof (&nettle_shake128, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("015BB0DE6A28737D365353E9F0052EDB5272A67F83863341A7B798CA9197A051039987E22E6FF95F31EF2BE455956F7C5704FA4108F600DB247802712ED268F35B27AB89AD0116245783DC7BE9B511EE4A0388A7EF9A234E1161F69910D3C0C76738DB4BE4480EA0E8BBABB081428410C34CB54968F7DBB8CDE3336317B6D813A9A859E4AE69BFCD855D261EC89A54C510C4DD2F68CD5D607B299204654F01DE5A8158F2E2BBFCB20857F029A579CB769B3F232A17F546A653D04FEFFBEDF3C6875DB3B1905E73A4C7BB383A6B825C240F047A2B6F6B944B3C51362DD2DCA46D23CB502A7267ACDE99A8E76E63086461EEC706612452E240F97873CA213F9FE6A72E66D91BD3F60D04F7DA7CB059258875F0D458120F0800BDFCEBDFFE2ABE784189406C9BB63F3E807BE88C72CEEA54A55244B481875DC2C736D899D9A928CF02C2B5176D8AC5B64BBA7D949C974E613F41B5CE1B687B91DBEECEB66AEBA8CE8799B3484D9255D54559ADB01D960710D198FA8C5A18EFF47E3399A8E2C386D846BDA56E5D9E7C9478DD563C50D840DC664D105EA92B62C6656E2CCD31955EE7C438256B2275036DEB2380C08D26D26C1E638F7EAE12F5E8539F74516F1340DA7B16A4EBF8ADC93F690FF39B39C612D42F8D4CBD764B2F7CECD12250527810C490B0FF8A3991E3924EAEC03F67BA99759232D00CD58130BB3BE9235E14772462")); test_xof (&nettle_shake128, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("9CE519A1F37B2C70C6F641C076F787E8AB26186EFABEB6CE18EB8E75B0A8EEDE06FD78D326EBB3B049AE484D6AF7B1DAEAD737653717796A34DE1DBCF900FC59B299756398EDCE063C5654205C5FD268AA71A639C35E35D4DEEBFB8DCA17686B58A639F0DA50E1A7938B47A466D03DE7041B5192FDAF036547B7F22D5A23F8B6AC48E7C67B7372AF0E358CF73D2FA922AB3CE823A68B95BC3A543BA236E413A3CC2B3181DF4D3649474213A0F8148836230BAB4AD722B2A3FC446C395977CB3875C06C0031E807C24BE7EA9B025248F1A99C494472CF417A803C69B3FF8880C0D364512166F7E34F9837B5C66931017A4DA3E63998D0F402D5A75212C8042712AE4AF4B4900EFE6C9E1EC5ACA07FC230E6E7834A5A865F2DA71EEC9054427945A913C5345506EE32E6AEFE4EA3E488BA07455D98C94B5078E75E2304F2E85DD9DD4BE18F023D1AC6ABE5924C8E7B8219E3248F14EB4B78B6C16FE2C3AA40B97566AD3BB89154926BAF8820D7E8E4557F8138EDAB423CC0C800DBAEC892482B6155422D2AE3C1E90DFC96AB800FD35DF97092AB0A83A40C7B925514CCA3833BC1FF6B7E25469D6744A117699C481E4EDDE082211E9D94A73A0C29FECDB271E75AD038EED0C7D5B856C1768C4B9749B25811F16B1C408C1F2E3F2BFDCFC8E5A329B675418ABC4809DCDF2A3C4F867AB9E0C0AE28924FCE90802715FD5424E783C4")); test_xof (&nettle_shake128, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("648167774B09A9FBFBFD351051D18F9112D63B066BEAF5070D3780189658FEBEA0A4581DAFC6948EC1FA96F0364EF3D1F2323EFE5294BD76C28632FDDEDA51079E9BCA5C1EFE95F76BCD4593836B9C64D82DD6ED02AD07622BF2B1F7F0B0738E0E3929F49EDAC321268C78D47D853390FDD8F1BB29C6DF469360E75E96493DD4FE5BB2D0816938D5642B87F0344FE4186DDFCCA06643A691BD9272F407D6DF7A1633550F076042277C325152C8673F3FD6C980D6BDE4EAB43018E322DD3647DA183910CF4BCD3464CDFE0D0283E79201553BF03B028FE6F4862953F865C6108BCE672C4DB5503C1D969F87BDC310F7B78D9DF08ADE46F54EF718083F90E60599E41CCE34110BEFBE315E8A0BB91D428DF35AF59CD4F0C8059B6ED68339307280B05C3AA490B7900C13C3E12F1A4A3983DB5F0A620179AF9EF900535E32146C8801C750080E363A6A67E4A9037FC4301FB28B006822598B38DC38DEE16AF9A1127518684BFD4A0920C7267AD52A447CBD6178A0329D4DA146657549CDCED7ECF9C2053541943AFCD508F677549F364D7F793A7B7BB8FF12B7594FF768FAF6DD77B3CEFE97715FE70D8CE8468AEB8266CB09F21285A001AE13D0FC8F29CF8380685034A886DDFE8D3AD57329E6FB92D2A079E5AF01F77AEFD78A29D294A6A8E37E20159408BBA4F10F6FBA5D54D4C4D93B1ACD65D84088ABA61EC29E122EFDCB6E")); test_xof (&nettle_shake128, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("BE4DDBAD9BE9ABC823F65A647910AA06265B547B0234C1AF6A12987000F710016295EA57CC5F30656C56A66F28E85C24567ADF2224011191A045C23D4491E444114392B74BFBC60858E719A67BFDEBC135725DE961EF7A81AB90CE4192107A5CA84AABBFD919BCDB8270E8079E29EDA4C22E130A1F046E5A87A4F2CDFBB4DAFAE337C1FDB5BDD9DEB321704C585D632CBB7A0438427A86CCF7575856B535B2E92A3872F2B5D3C945C16F3547B4779E5798BC82883E850585A7FAE200A47B68FFBAE54B17238D7CB3FA2C9374942523584D85F1485969BF61AF5E117275FAD27577DAAD38EA3702B5DADE3D27B4A2E2A66F88CCDA568D5D4A11E1DDA5D8BA7ED9CBDEC91487C19E1F9A57D59AFE374741D8FC9DF32B3BB60F8FABEA1EAA95289B43D1FE712A50B73BF68CAD16AA25A1DD95D80A0F174061A01D9F18509589188D186BDB991AC9A41423BAF9154210ED6CB098D6844699F07A388EEE76E8DBA801276F6D2AA7965065F3C923AB64620DA1E17A444790F9B7B326A3579B9A5EA5FEC313D294F97FC846D721945B6ADDE91B66454FF2F2A81CFA19F6B45C51D07BE8216FE7C1E052A24904B2EC2E9929314CD9DA48450BEB8FFED8C499816C078AEB2A1B52F07B5917DEC0A7BEEC2B83F778BFB15CE413C9A4307CCB7C83C879824D0CFCCC4B3AECC519326FFAB353E37C59BB99FFBEB44A95BEB1DAD25843BECC51")); test_xof (&nettle_shake128, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("2378C76E867947E94C0383861E60E659401B1177BDC1133FBDFBA3552B458DCF1BA41C825ED8F41F7F8C8986B0A47B25BFD5F0294FDC707C8389560BE932C582E2B5C63CD85754E9D96A9725C12AD234B887FD5E96CCD52507BC564F59E2E0A8FE89A444AA3542C2B302D1B9F8F3D41F1C960E1867A4FE64D5F6216E64199F3D66FE4BD22ABE7B23EF97328F5FDB5CD502A118000E0606D31560C2CBD4CB7EBF90A0AA1826CB32AC85156B678198D225F4D58D3076FFF881D9E6815DAE811E7A04191602E4287F72C95A497C2DC47C925B7B1B78BEF334B153566A8B46AC8F6CC0765300E970B12ADF8E0DFACCA6A59092891D73ED55DD624A2464509FB5610BE2AE0696097D5645CBC9E992B7F1F39005EEA0AE0A8B55ADA1F28EC2A544266462E6A3BA97A000EA722701690007EA7FD41FB3F83BF85D5E19AB140F2FFE6DD70F199B7995997EEC43B98ABCA0E7902442D0F14E7E4B288A83F8E4F5287F78F57A2DF951D62BDB9B9CFDF3D28F0374BBD3B4AB955244AE444E23988721E5B3C4F536A80FBB7114DE769D587600C92539D92C3B2621C679064693BD9893BED3C353AF5347707B6586912D6CED5903ABB41DBCD5B4BB67EF2A315F8BFD23073D76715E869F474DF6F5C98E3C1E65117B1844B03835187A6B2AE054EAE51797DE704C7D4C88A258EFB12D1FD618D9E95C4AE37EA0F54EFFE216C71A0F0514BD569B")); test_xof (&nettle_shake128, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("66C5253CB16C479B2D7B63E7DB76CA275F14319DACC1D00C08A7E170D97366638949FE0FE252448D9749EC105105E8BB483224076FA9204F9A4585F150EAADD931B5D895EDD8F2AE37E30FD991174064F7CD93B03434C22A8E5CD27CFE19B5D8F4BD405A9D182E4D7F9A2B009C68EF4798A469662E40467AD626FDD0553B0EE86320B3DB087C096B54FD9F367199AAE4490F796BFE72DF10756BB10E336DBA6305B686A291D1097FD9DCB1A629F38D2ED30B87A8F5C1EA1A2AE384BD5F316BF112F6BED8DDC50B4E17509C3D194750D02AE76FC1105753B07130861E866E89B2DF9C498C87BA2B9161753303E0DB34FA6A523A6BBCB262D3C644D1EC88F9FE1710A65290DB69FF847D850107E028EE6CF444E5AA986C98D3D5585D66B4FAFA1331FF4A6F54EACD712F39FCB234F4D4CB8C992D079471A269CD3D3F733F0806A78BFC30F8FB3AA97F2F2AD36E8AB019D7E833855299EBC91CA512FB226D797226486153133858649C31CE43308E6E0499EDE16AF5FCC5CC9593A71BEED6206063D471A79F65E640B8C20A131FB15439B9F35D6053DBA46B2F2682281E9572720BD3945CAC603E61E82BCE2144A19DC1F254179E011D096BD9FB2CAF77BDA529BF7F654118D5DB1CD2F973F55EC7B11AB616E731955752FD8347718CFDB2CF6EB6551C449CA601299166DD7E10EBA447DF8C29E96436B6834F162D7987D9F55B12")); test_xof (&nettle_shake128, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("0128B09A01815373846EB62037245B4BF522303FFF74A76B0AC17482AD79E0BB2686871B1916DF154A7506985F2A3A6D86074C988C2FA255DDC266CB8EFFDE2D0275BD3360C1E920595E185EDA95B54A0B02D6BAD88F63509C5B816CD375C0281D1FE29F11318BD35E4AFE0CDF51B9C7CCEA285787FA74A72878DD3878565606F4889D3454913B0DCB7ABC4B2F08FA3F2AAEB6856A25185A00B1BE8A8BC7A9A34670793923647AE426BB98C75E45896D4DB8A990D2712401694E202EF2E3F33DF1120EA9E821A874E67F37648A898CCD759A1DB6FA6FD5C14756538F725C468BD3C0B6973A7592C8CF0091D347174E8D954E5795D360C4DE1D0785FE45B71DA884659C98BAC3005E5BD88817450359B51510AD95F16F08ECC64CB9842F0F8EA005315F6CB17C1CF6E01BA64F6847EBD4472DB1AFFCBC0E7B7F5EE8DC5DD18B148BC542CF0987E294AFF2EDB3EE60C8AA4B8BFBD42433243D55B4B9E00CCDED77251F789AAD74681880AC765B21E01D499553ACEFA48456A7E70A9A39163C2E089F26C94733DD63EAC1D2BCA7082145402FD762665C3F72760DCFF13CA4E80F504148144054B714573381C7770C33E07D3A787ACC072F3C35B9573FCDC352CD87BE8653618D159F78BAF16ECF6F8E316A97ACDF4BCE2C65CA1BC98F257914FCE9BE62E899CA3BA40A98A57AFC3D63B0B0B92B69FD0DF0451D7F34297523A99D58")); test_xof (&nettle_shake128, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("FB206D80AA1D2AF8CE64890D3FA84600F80423AA98447792F732FCE4716E559F7FD4338BAFA60937781B68736603B7A86F1688A2EC60880F6A90781DC8BA3D9B329D662DE842961AC84D8FC876449DD8C393441767206188D561AF59BEFE6B91E365413A5F357622A670E22E730183358F9689E70F1B0D09CA9924903379394F516003E37B800602EDB84912492288A2E09B46BACFA3F4677D2B24605A584B3CE3174FCD1AE4DEBDC99C9A75EA7F4E770E2EF184F801E4D111EE5B11950B29376FF19B30A50C4DF93A82EC891A321F9A6EA1E0F96EDA2FA0C2FC176D5151A6DAE7C9536AB17BA47AE31AD69B2AF9248E5236AA58D7B864202512E5356DA226D5750CE12C062733BD73B7163812EFD452FFC4CDD8E5611996E23CC0A5824C5AE4ABB59A5DAE40563965483B66437B1E75369FF6AB31ABFB34581CCD00CA76CF72AF7ECA65824A46A48FB88C8ACA06CBC5D3785DB3AB78BB1174354C7AFFA85086444D3EC92538CAB178023E46C7E5E5EA2FEE1A970F41D374A73FA6D477D224F095A829AE8E0835D197DC66D1DEDAB9427DC085A6A95C4F065CF656AD1146ED0C45EE7BCF9F6185358702685E9539C921501E3338C2A6DF7B5F25BB248E567F2173164CDCBD8DAF0130879CA8362CC6CA28F531D81D607258B66D589EAA9CD5A22FD7490B9A01CB6C0958C2820FF832EB94F0E0CA959B93DCAE56A4FB52981F09")); test_xof (&nettle_shake128, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("EB74359AE344B26E3533947E26CEFBE809935CE7CE0D597D1C4125542FFBF1783052E0F90A402D7888CCA5F96CE9D874C600B2E026BA4E79ED427F3DA96448BEEF4701C27CA31860790156E93B12A9F42929A8F8D9771CA3BB59ACE00C4732983997DCAC1046E574EB9E5C912AD4E3813001C86C91B6385E92DFE92FF5CF90652680392A33F6A1937A77DF9B9EF2556643308029DC5B5FE23AC9B567E6C81D0E909A279E58215D22132ED83DCF743065C0CB16EB7B991F842125254BAC71D80B64F205D799F698F0FDF7EA19C9234357C5838A0BF6ADD176416DB3324CB07B543156C38C2FFB0DF104FE3884A6B8F03B0E751B3824FD097FBD3557C5B9C962E9FB29175D1F20799FF6AD9843E1A5B64B2E69FE39F77C2D1A3FD3ADB8672D1771FD6769C54775DF97B0964E14B2B326362D9792C0C4CDC37AFF30DC3D007AC62141D370F0984F4B3D16B87FEF8028792CA92CE6620952D766474566C1E96DF672F3C335BF2949228006BE2B1912C0DDFE66BA6648EB6EA8624B5DBBDEC70BD0A745434DC5404C7AC7DCC94197F8C48FA381A5E8E7FFD1C35442C04EE2378D2761B3647A7637423300CC09910B9A4EF90D4992A8FF8FAA3B6138AD01E7C3C89660E963BB2422649589DF53D5181479CD55A55B1B2807ED120FA9777ACFF785225129AB1802EC247C48DB4BBC284768BDC155D77B072D686462D831491C80752E13")); test_xof (&nettle_shake128, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("691033AB5C34D52ACBB6EAE6A669CFB53C39A8020A6EBE9600ACA2D9A2ACFC898A0DAC7796D46E6F304550A8894A9E1C516A1A127287D4EF74E9A403D326DABE1FC548D1AA1323C2AC40938708D7872960E11248235D2AA39CF3ED88A18F8A2FC2794174DBD4C1FB8C686B37641C7CDDC565683F0D173952D2C1DC26ED5F5B806C127114910892B1BA0B0EB07C20AEF016AC83A78C152B4C4EC41CCD8974D93E686F52CA8656DA6D85BEBDE10C4447005278630595379F57C529C4EE94B8E4100AB930206D9CCEE8811FAC2F1B5425B6F0740FBAF2F8470A9985B77865750326CD60F855F4427F6EBBAA27CDF0A0444FF278BC22A55BCA5F90A58B27D792EE6E8998E94819B673B725079C95F0EAE473F62C09D9BB1060EE9F6263950150461A13D758B8DA498284F8F355259B2B332AE9117D2A35E0E09BC8CA406C14E8799CCBF0592BFBFB40C1DA7B5A88609D71093B46A91FBE94C78A6C9CE9C81A2E189BD832DD746CE19CA3AC9F56572FA691CB506CAE417F405088BBC6425118BDBC0C99F97702029C177D8EC398DFC19A98AE3A3F86AE1A8122ADC5952B1891269C46821C1561B21E4B47F36904FF7C6814C0A08B6045400BE72EC1E647887E27AF46EA49C9EC4FF621E544390BF60429CDF1307C93A3A1C8FAE2EFB6062B9314A06FAAE8F84481A369B64234ECEA944EC6FB3CFA31258017DDB373C55A64C0F9E74F")); test_xof (&nettle_shake128, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("68E791106DA01933EC70EB650AC2F03EEF1685213522F2E88EA7F8DFAF92AABE75EA0D169D9BC11D13E294338A57295279B28B41D8A4B738CFFD629FD4D7D5D8AC7B4304E384DB31B0328391C19CA9D381E66D41816E647ACB66F312A418795C0D65FDAA6E25AA24811022C2BE529C83BE47274E8C01D4A2710D6AB8BDF095566F1B3DBDA7D4F1BB5BBD3EAFD4486AFE67B682066B8CECD447B9C2E9E9416F2CE5CA8CA1282B4AE9BBD7C842F776BFF7372591CB3EED785C82A27076470ECA15A33D5B38AE02FCCCE396326F1BBE28995C0F8DDE42C09182995F143A0F2D4427E8F2497F0B257CCBBA286C2FB7885B642494F933B584B0CA83B545FF1521F67EC8E5AE4D93FC82544FC20778CE197F3A2F64EF3D9CA583A0D821A5151F462CD70C83724F9976457EE49D3CAEDF9B6CF0AB72FE7DC0C9F41F9C5ECD12D5F2D8BD6EDB2CBE11F0462D36CF248A9552B0265E386DD44B9853F0AC63FECE4F860107903F8DB2E1F6F4017F05338FEE8467C0C40720663B54F556464F4E87F20192299EFC178BC73FBBF350782520900644265863223BB42A5ED2E416B9D31F3021EBDBA693CD56C4B17EAE16D1A10A381713AE39D5AD6A220CDA8A91ADFCFAC51C65D03910DF4AAB7F7BC1CA49CA6AD08EDFCC976DE0229AE9D379E067AA9B3FC3A6CD0DBD7D1FC63C4AC2116F9BD3CD70B94A53B71987C17F65D5E77AD5674CC16F")); test_xof (&nettle_shake128, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("3AD90F57FCFFBB40076CB98869510BE446F8161AE4F37F57939F8084CDCDB4E64DC7F380FEF8B68CF274780A6A5FF31B1D573942E717470742E891B084E24F9441D27F7FAE86A8278E84601B9D4830AD9FAEC738FBBF86AA299653C2ECA3B233EA2D1350DE9FEAFA76FB8986010A26EDDFCF33FE976071B3C719EA15A2298D060F5AF88E3F06FFB4C70AB13886686B8643843C65BD882C924E760B9D78D705B78B2ED14980E9E89D6E99E8945B3A92B9AC282642651D94600D8E5E583A59BAE4CF6C4A38353B90894A7AFF2881BBE06464FECD3A54B2726A55FEC0FE5BB75F403DEFAB989F75DC04123F5563999D1503413412E16D671969AD0D97A6808B1957A7481D32BCCBDEEC7809A90343EE59C84CD6AD134529CEC5E42A31843BCCA3449DD3A2E075998788811A601A3661E241A88406071B90C88799F370DC83B440C9247DFFAB2955DC5EF8BAE47C1AD9157CD0F5DB61FA245D7179A8768BB3B2DA7AE28129258FB8A22F9FD4A7906432EAE33158D4AC1550E379EFEB091C883A0102F7DAEBEC2AA4EACD277A7E45DC03CC85FE952D326C3521BFF980E16BB00426D2138A9F32593CD1355EB7CCDE7FAFA16AD8638A9C16CE34920879E753C723C494E4F8B18251D20EC437FD42FB178017E7569647720D309097C982AFF3D6C54AB23DFC665023A01B3990E6A8999E7037C0405A4CAB91876BB660FAEE8AC30FDB9B")); test_xof (&nettle_shake128, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("58B040B46002BC13D05C76E840037B3EB08DD51881CA6281595D39B8B12D1C15F9CD40D94DAD00469BF5EB73205FC649C501B57A33F4EB39A7FD76769A6EB0F84BCF985C6ACB281E4989F5EDA5E823C31E94F41E577B0069809E1C3B09F4480677D56C487CA148DD5260027BD9EF399A3F08F5F5BE869AC7A403B53532B9775DDEF6B80918BF367AF8700D6B9E75FDCC45EB405D37E9A9D7F9BFE2517FB5BA5225C72AA292AC7835A5BF4FA245E782EA67081448F31854F91F21DF99BC13C615A67ADAD644FA6336B2288F1E29C649341C6A4959E5060A99F69981A10FECC30E29CC7784153816BD228FD7859186375FD66DCC78EE4AA5E9DC0B190FB8A6CF2CE15C7F3E0B54597A559BDCE7BCFAB8FCD25EB0E0C7DF02882CA67E2F04E6266558C7F36FD0A2BED459B50FA2D883C9B86AC8E40A8E92F4099CABBEE9E7FD1282F06B3D590897BDAFD8643729B09B47544BA3F3AE28DEFC3DEE3CD6586B340835F3AD34D6E16053E2AC94B5CBD4FCBBCE2D0245421AF021E6E0C55C53584CC917D99818D4F0585AD66500AFB13C7CF90B233D01DFDDC738C325E20B63CF82A307F44C543BE58974110BDAECF43468C902429DBFB0458936F67CB59C4E4415B5D03109E88451989CCED136DBA9002752CF608423CA52483B4253D24E5B45443016DEE2D75E7EB9DE415A148C439052621AC1DF79E60CB585A4B08CA70286C77949")); test_xof (&nettle_shake128, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("D0E4650C52BD1FF64C2F5B7853E8A906D7457B67CBEA12322B5D1D5BCB8C3EBF49CC6DFE8FB41895131956661C772D2B90DF4BD6B379715278C9E72B6FD93C3968FBFD3194C2C527D15C6311F1990DC2ABEE5B6645711251B3D39202C9D3FB147B39D1D3DA108254FF8DEADDAE6599E17C301BC18DEEF2A9BA8FD035A084D5917FB9E4E56FA6EE7731332B50CA3D2BD069F793AC6867448697395CC5147481F9F6499433D6242502EA1E6226A88068032F656FC8D509D041F1D0978EBD4F2EB347E75758A29287F5BE37F9D6C14E4934E5E16806D6DE41FF8268BCAEC27E999A7BA73B2131147FE05F9EE8A491E47A3A7C8CC93E6D2DB374BD5E091810F0D7103215726A6F80D62C19D9BEB92DDAE8C459002376F58511792CFBE7A2158EBBA922656ED88163072BF6667F121747F05B84D470193ECC8BBFAB750D162CEE7139EFECF889ACCEFB6CEC328A184F5CBAECEE51119A87CD21110FC20EE85560CC979362C12F1C7665ABE62D5ADA62DA0FF3682B32C6DA7150841205BFC43735741E07363B9CB15DAEDB03352BDFF62CF00399CC429A8A25CA1CC765AED117B72917B25CD2729CF46F92D8D3F1131AF9B6BF16226140CB57BE5C96CB2E4A369D226FA82BF0DF3FE2A4EE373434C5CA68682C0C594B783A0B2FA6604EF3828510E1C360A617588AC81BA8D1C18C23A30D245DADCD1C6893D3809D6EB305E538F39DCA")); test_xof (&nettle_shake128, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("1EAE5DF54490647FF03985658785B5BC1480D5DDF3EB3A1FE649520E07C0174FDF1DDE9A8518879833D64A99F3255568223E2DD0C9A67BAABDF222C2A314936CD57578395288D40DD047D67ADF8289207C6C672023E25A5F66D2BAADBE2972EA32516AB753CA37AD5F436A94CFD62182B7D68EE0E7A016C8540840D1EADB3A158D88A9E7C90F551FE857C17265AC59BBA6947F24582319490817B99A591978CA945D4D0F23499DD3AA73216B7C28EEDB5C8F3C0851859D6BA9B04DC67FDB4BAE4D73BA540E66536BEFE2FFBB5DAAF91CEB627CF4869327C5D3C2CE79700795E7975A8C6F9C07B95265614DF45E50EA89DDF9FF5F2AB150629937B9197E543CA30086E829AFBDE5524DC1064AD96FFB4D83EA91CE7CA8843C4B1A9722872057B0AC9CE57E7C97D22CC06FF1F74658AA28BF398EDE9F186AF6E485D6408CA4A4564689183AD52EC0F38250CDD837D684A1E4FAE12306D066F2F1ACD56797F1DE2A9DE8095DD464BA58D5B2D58F9312F1779EB2B2ADF1773F82FBAC43B18EA5B0CC9FE2FFBD9D2AFDF61026363817B795A2590336EE1855384E2A26C7E15E8706AEF41C671F2D8E2A0EA2B0A558CB35A80952825C845875B2A907E84397E2A3D125F64C313C15DCF0CDC6637176A58FF6C0BE30315863C64A21A1FA147AF0ECEDC22FDBFA9CB892FB17D26C460B7ECEC9713E90A46499BC30CD2735FE98B13E5FDF")); test_xof (&nettle_shake128, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("A8A37D45AACB607C3A2DD97A43E22E226F11EAA21DAFFB8ECE97E42DF057DDC9459EAE2AD1C04ABD300833E6D63600320EE9E368CD2DEB5E38ED7726C583FC9EB411C193C42DD8A1D5577ACA20B889A5382C0F1A59256BEE99AA09A6B2CC7296A8DE514CE14173E683268746738C2F8EB29D6F51AC434BF51872BE626241E43183F6C7621479B62739B975B6F25E63D9668D3198E82E66E9E5FB871DF0AD3A06DA385C4A7FC914CB371DC1EAA929583F14DB910C8883C7B90635E5D3FB5A3652E98AB62AC884C885C4606E8F453B89BADB15F7B9DE49EFBDBD210859AFC079FD2A1FD82ED87949AF0906B5E75E561102739D4CC58AC9420694F5C043DDC463E0438E3851AB841CE31D994E1FE378EF75E7F979B7801A284AA8BE26222B2BAF06857E8ED6765C9C040798B2A6520E56877C1E4297AA43A860F734A6667C1613C0EA76EB70435BD64D34B11728113BC5CA24734A41F3203641D931CFC74E46F3D23037E3878740A6B152A77BB10791E09420B288D89E06DBD6B882913589D82DCD808918AC853ADE79B7B8104637F8C73940890AB44E31DEA7830F2BC08C26EBA38E3B1B198650A9191F366D90BFE1A4CAA7E03DB8357BD8258F13E5BE051E638689E99BFA6DBB5E2A623BA8B2107AB7A4C7551918A1C023F1FE7DD5564861FAFF0060E30C14941379117A3D1845842D935C4072B28913A3C89D1A63D4658048B8")); test_xof (&nettle_shake128, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("140DFA98962AB4D69B6063B0252DE5E4D65E4C00A9BE1F8EDE781A54011D1DB01366193A4235F6E7D684B847B2DC4A0A5239589B4C0266817DC37D850E5B23A40B50A6D9D1BAE6E64FDA20A3D27F933AE866F9C8F00D455D97BC71D5F5A7C9778CC8FE1596191C2B1882DCEBCD37A9A8C3605359E886942B04EBBCAC83FE730B84BA3B4B3022E0B1A1110EB4D23D2E2D05D77C230E36A1ACCB885C0FAAA312B7F975CF8DA5D6B118ED773C5F1C75366E16A1AC75BE309EB328DA88C9FEDD1A13C84E2F856EB0DBB249B3C166F9CFE917A93A3EF624DD4782B1F84B3E2ED70E493615D6BA9928886A59617A35AEFED5B46D773FD5B22CBA302205CCD97426B7095872BBC7D1932F6157BD3FC9D4A2182FBBCF4BEAB71A026AA212BD8CCC81EEE265E4F53390740E3E9B1E37CA3A7C3A4FA824D0AFAAAB7CC89C35756D8F80896E8686260CCD94857870490AA8AEE2FD3842C62A256107A7A06F87894EE70D218B6166EEB67B6F711D421C45FF2CCC903DD1683D12EB5EBB9464EC0B3C92CB62EA6CBF37591B61E6BE15FCEB0C1731B42D8D3587762167C3A43F62FF57D58F2A2247CDF43CB756F6A25FCE0084D74BAA73A8CE12E41953C03C2A9FF94468A69C03C2B5F6B85A2F16397326C7DD562E90F8439E720C1AC0B4273A7DDCB71581DB1D6A57BA4E028BB96462DC54CEC9EBE36C704C44E5F60D04B993454DAF405795E2")); test_xof (&nettle_shake128, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("F0FC5662D4D28B3235E49CFF708D90BCAB50764C4081E2F30F0479573ED4FCADA1A85443D1369E09CAAD970570A4CE3D8EAB46CCCE3E48DF5F26C68C7485911286DDB1B369D13079498653B21E3BA7FBA9007500BE927490336082C1D7FA5B78BB741C459177C05E6294DEE054FBE526D983B496E731B3379DE525493733305DA1E1E09612CD179EFAB1E6E67AFCCF60776E319651CE1A1FC66AC945BEC6C45A99A5BD7763ABA920314F04E67EE193484E54461C68E67A922DAF9205FAF10F4653541F2A5CAAE6D28449CC919341CE63939A0433A9DBD307020E80B65AB7B2AB39A9C29D167DCFC05624860B50B0C3FC3986B020B48F5FCF00C3A6BD8FFBEC6A34ADD7E97B106B4C1DAA9E5EF91B797C55DE36B88E9AC19B301979BEBF36FB86F4F72A6560A4125BC1F657769F89CFB1F3A29B2A0287072740E52A60C1C898EA42CD9FCFCB3987A015DEDD297F8382D639CD7118CA85255D1F98ABF1F5D94649A161082D7D5944B2B4EFE4975D5EA38138B91AB5B61A790349D5463D2DD278196364115C18B95F916EEEBD71A21DE18C9AEB22566D3AEF009A84AB5479222EF8F37DD29C7B22D0F1627C25EE467607F86DEBD8267A493CE5C361A6F6126DBC8263B6FA5D5C9B9F8AC9FDDA42FAD433BC9A76A218C1134C1CB5F03F3F7387E245089A5B18C96DF31211B5983214B64FF3E1D90BC234A2F5EF7E993C8F4E5FA9BE")); test_xof (&nettle_shake128, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("AAC37FF9FA6F64049B4D72457C87BEE3FFC23044ABE0F1D121392401B60E3FEC089D4AE3340961915BBC79DCA9337C4A02EE99AB932B346375169057E8BC731FAA49422CF5296122471580AE4263B6C01D8BF9C7F736A4CB652AA5E3521BDFCE2CE11332E53236EE4F613B2800C28E5907D2C3214F6071611496F80594193DCC09AFCE3EAB1769A5FA2DF9ABE16AB019759A07154D21C3365DC20BDD7C9ECA82045092EA5405B56861BBA693F322871BDD64E2E41985775ED7A3F1095C74EBDCA15B9EB9F2B86234967DB868A082A146A439746901EBA5DABDE0F133D99C89A4D6F769D1C6FB1758B3CB1E8986A025F5AC2A8D6F1A9AEB66DD3C41D41221706A4824CFAC6A6DB69E3D157244294B9D25B59274B1FDF992988F3F18B91FD78767ECCD352B7CCD335F96D3B3913902C885C470C2F7D2B00A92269709863E77D3FB4EA1C80CB58C9CFD996E0C6FB85F3BB5308B95E8B43555CCD4B589829DA442BBCBF0A5C7B9B24E3DE846E9E8433F1A4A326ABC7AF83A5BBCFE9B4BD848414B2560C58B3E9A3CAD48F860BA46A5111D0AB629B91369A964BF22B5C2C6DC5C3A521DE18DFCC43BB2E641AFC466B75FC3529BC4B99B843A809773DD2130452E61EC162FCCCB0A94B3AB0848EBD59C9FC25E84349CD2154E5E326CF2B97071E7C47F0F574D11729EEDADB3D0DD0FC69A7F7224891EFABE76942808D6459217F06A7D")); test_xof (&nettle_shake128, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("3930D75F8AEC436928F62AC548FD6B215C2E6FC22E918690F0CD699A0CB1AC218BE324232295546CB3C421E939222827890A8FC563F6DC455B7D0CAF24C7B1BE44256DE645EBFD281F263C9006F78A69E8939809538A74E646E75C4D23CD06EF68B617E6C5D36C85348373FCFCCF19AA3BD69E18CA670091D2B50B0C2A3AAAE21FBEFF894A189512F4EEF17258AF048D073179F450D366295F609567EEA83CB6A2E2B8170F69E739DB47874E1F249AC9595442571D100CED32C151ED4399F5AEC97875142EC1E8B748A9FA5C3EDE5548B875E60A224D9830419E233FC9A88CF0F937566EB289591916C1D159BD68B380F784BD3E6A00D4C785694F38FE3D8FBFDE5063B91FA397AFCA0731B97294269EF8157B531B08E15CC52AC8E5E768E6DD3905BB9E1B462481AFA989441CF0780CE6B1926D71940D4EC82521A4347992B37AF9970F47658B05AB54A617275F51FD723A35E72F9F965BA4330569573A58A0021E1DAB0AF22EA03E1BFE1E88EB2D2B97E5857793FE7B63371F3569C77A77E331924DCFA9FB8072F4EAF3A78FB6462A5C68F26D034BFC0B3BC8ADA4992C66B4C8B2F0489A446B26333146B4420CF2B5AEB41934B3CC05B7ACE62AF74997B797C82845F4C4D7FED571879D255EB34482B86383E924D45B4C9EF52E76FF236A0DAA1C9F6D342BFF82305FCC88F8B13FBB724A9FE732CB33A6D53D95753FB350C4")); test_xof (&nettle_shake128, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("1C8C8643B1FA6B0D217D21E542850127895DD4E455DFD136C4E221787A8F3CAF76478BDE517C7DC3EDB97C8AD824292EDF671BC4874044B96A109BB5821858E544090E892B3EEACB739AF35EB05DCE51B131394C9972247F1C0D7D335D18B9355509BBE94C4DEBB0C1B18614CF3FA8119B70FCF5B59E37673B470CAB14302D805BC32352B340FB71F7E824EFDF2732EF3D74998A5AD70898115C9CBFF3D5067EF05D859FF932304A5AC5F6AFC46C879F0BEF369ECD7B5065ACB19C655F7FC2DEA4DD7AD38A2AE841A67EC1EB4869EC285B5A517C930350D7CBB9C61CDBA188553B9D4EF140DD1A8ED312822E79EA68662BBB1AC3643AA56DE5991F5F128F036B32023CE34B7A7AF7CC43D6B67DEADA4849BFFEC361699AC7175311195822382051BBE20565552014D6A4343CD94F7F4AA705E1D5388AFE2D96BBE8010FA0E82305B94B70AD954BD5F6FBDEAF090AC510B75CC91DB450EB522183371D6B9D09D3FCA171FD10174ACF3FC47D915619DC0D06D8567C4E8875D0216DE9C7AC1E7D1758DD59573273886897382CE8E77552961D51ED0B87FFCA38BDB6734A23FE0C9A403ABB4FED73DCD504289E7E14906A10B121A57B94C2C37542EA833C55C1130AD70F753C9A368F7C7D1B51450BBBE794F2824713153F83FE6AF09545ED91F0E39FA732205025A49E1538FF7DAAED5B72EEC88862DC0213A012239DEBD24FCB07")); test_xof (&nettle_shake128, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("1DA38DF421AADB3DA692F4987E171113E15D3685DB1017EBBFD07BB68DB236903F3CD3EC679B6BC9004072E90ECBD0FE0F2FC4F5531D24FA6F25BC6EAF4B545A2149517CE19971E3AFB866DAA702DCB94982446E7AF77418164C5E92EDB14D98EA0DC32A3E0BFEA4E71E9C8F58A751578200772A1E0460083021552FEDA426AEC69346E0FD31FAE18B894B67DC38D7E54B662CE051A8453C1DB20F55095C177F5883625D40BC4B49965C48C4A1188954C50DFAE423A12315DEEE0FEB3548AA9752432CD6857AAF42BF80472178D0714D777135898F71D838058F9F31E6AC92D819C44775C2EDE28038E565DC33F1A157D8715AE67AB993179469D6C98E8574A7D8FF2A5F12353F18544E2D623AA42AF85159438F247AA947922A5AAF98BD562AE54599783853CBFA5CB67EB1FC36CFBE5AF1C18C99D867CB02966D90EA8ED648831A2228657972642A17DD34FD43C11CD7D407CAC86E20D8816E69763B60294C19497C151620A2B93B3B3E87639C233C17B9B865E920F6EAB6C72218A182DD46177A7AD18E3775FC0A5A0EC956B5E92D8B48A22A6364006BFD2843B3EA4CB63B8C0AC10970853D196918DFD513D4E1A1558EBD3D4C60BA253078417304A50851BCB6E41B5758A08BE338D62B0021851A42962313C11BAAA95E434F6329FD5D6C85D67A665A675CA527C555C77C7435786BDB8D9642050931C57CB79AEE5973AA")); test_xof (&nettle_shake128, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("660BA471FA9414C985A47B1941804295ADAE88BC1BA145DEFB407AD66F193BE41EEE4E0F71D175F6D1D65C4B227A899E0D282AC714E50E3002AAF8696B00A736A60C9CCF94D15E46DB68228BA174DAE1575138D3F9EB76CB16FB09A50A6F7024206D4A02277D2D0B53F189CD8E45E85F4C0FADFA235C963A9A63743D88FADFA6CB99BF47F32488B4E009B47F7BF59A01BD92C0B6E771E8784B67A0AEED96B29E6A1B110B868B144105B85C11CC01C589A89342DD456E154A0D2A638FEFEB03058CCB301FD551294251D32B3F03BD62AC5ECF5A249940C2401F751A9FCF036A384ED26F569D227235CB47673F7003C4EFB36676044D09CD586A54D744AB4922BB337D4436C4BC76CF4A478D1CFF7F7D97EE2DAE912C5BEC910FEF7BAFF0BC9E32DF5ACE8DAB30840A31CA192E258A4141275534361977D2FC22EB1C1BB62A21B893A65B16C45ADDD3032F2CCAE38BEB6DE32E1B5FC70214E2BE1B7BCDECAFD744F82EDCEC99F92D46AA66044EFFF26EF3BCE081A19F1B7392C68D2414D92D426D78B4BBED4AA32D05BEA547A8DCCA688CEF6B0BC754FAE7C13915B97478BFA72EBD409FBA5AE48CC89B37918F04C068AA1883F2A950675761120989A9F7821799F5EB64C07299ADE85E1DC1BB488BCA7B96BA7F04D49CAB2B41803F17BB94CBF04B641E140D8686EEDCE954ED1A712BDE789C31F02F721F467E167C3E9B035687")); test_xof (&nettle_shake128, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("9D027F5434C6F6EC15B26BF3D61F31D81D46C0FF426D4209E0FD3F9A3E01D0AF5BAFEA98F9E3FB66E8390AA2ED009C0D6DBA82B3E36CED600FE79C0F50EB1C1F7530F20D51782C13A79AB1D0BC655112D745043911B5A9524E6EC88122CDDAF702C34FA8840E8785A7046B6794E623526826B471CD9F62CF9AF02E398C077C7F8608730578AD22A44CDA39DF8F101CCF21052C52FC12967DDFC77C153D8068A2B0B783376FE56B1DACD9A0B3E87645132BEC0F3C2C9A521DEAC286750C2C42B4A29B29144FB1B0F5CC997AD57D04BEA965343843788DABA5600A7AC5403D649097EB402205CE4BB12EF836FD4B7CEFF704F8A2BACA5D6381504793F1C6B47D15DFA45F749A28C7FC16C695A0BEF69437AD3F8C8D3DA5386A6D9752529EBCD84CF92D641A4CA1755177BF7E16CA144E270E4191EA26BFB144528521D32DFA8319FE37CD026E5F707F81DEE84327CD0B74C05CF69543E94848CE616FC118F73206B132F0257925B8D93DB60FA6E034D27A65EA0B2EB18056CC4690BE78D9BDCB4DEB61FE5089C58AD8CD08DB2AC9A2C2B0811EF71309DB1831D9ED1032A1267D3152E4ADBF2042EA48069D0519FC5B03A5375EB355BCC327766B4B3559737DD4EACDBDF5B28F121E7C13EEE9A8C10E66F22CC80EC40AE72CEB0B2821BB7215CC9E645B65E766076AB78D04771DA21B501987F8BAD685C6EEE40C9F60605DA631CD")); test_xof (&nettle_shake128, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("3951B52498F3C2E30411A6D89C55340A73066B36B1AE55D9C95142FA1EE13EE8B7296074D82E44D752EE29705606D823809786DF5A2312F8922E4C50FF0D7297B864FCC3BD81311D69D2657169773C41A8F7F0E62E076F5C0055DA042DDE07D82172BFFEFBBB031FB715546CA47903895DCB4807B9C435D16F90C41AB7836A53454E089A25951545F0B39A849F329AE9568A3640F08329B0422807AB15461F6C67E1A1E5B8439F4D0613C5B4A8CE10AC1DB59DA2CFDC1F8FA78C60E88A7E6C0F2488AFEBE16BBCA680EE65BB53421E29C8238B7F0D1387C60EAC50ECB43AF4FF075520199BEE31641CA433F35D62B96FE477C304265002440018E4A4C656679189ECA635FE4090724784F56DB38563EF05A8EBDA4271ADCE14B8644BAF09B83574DDB6803997AC473BF537F0F93A2FBBD0E0C75C387F21EDB2EEBE0088CE8886E6FA9952DB209BC16E624A72DA33878538549AA8F955CABA17947FBEB6A304EB9B1B494A197814EE4281A74334F71780455A352EE1586BF298361C40140C3B6A384167632D7EFD7F3FD327E18769DD481444400B669BE07EDDFD2783962751896B703B3E196EDC111411DB17531B96D0557066DD6D2FA3EABE0E4735837D1DA7BEA7543D6B591E55B2D95D46F822CFAB994770F8F51A58BCFC10B4A7DC9C8A645937F5AFF66A59687457CA35C42DC2C9D75EE0AAFD9BEF334D12DC33BC0881A9")); test_xof (&nettle_shake128, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("B21B2ED68FA53BF4EDFB8EE5282964C8FC370A702A229D3C4BF87DFA5279B1AE2FBC85A00067F8407F586B52B5F1AAF97716025EC2E292206E18570AD50CB51E072A7A06781EB9E1B1B23C576C689DEEC4DA40513361B413F513A0EC21491F0E6EFB792688519C1E6B0760B3E1DE34890C2BBB5C3A44DAC9B0B0EF2B1B4CC4E30DA7F93F52D656712EB12DFCF30C80273FE5A8F42B909AA2C9E1E9C82199418AB858E1B8897AD632C0C030C9F56776378A86DF63A5CC284ADAFCEF50DF97847DE927F296E63933FC174EB3009C5580CFE39B77BF359A865DED988D3BB631256DE6EB736C637693DC5798429498609A6201C6E9CACD7782DEE77B3BD4728BA32A0DA88A14212BD204292B6EEFD0C7EC1814B7002D8FCB08975D4A9C62100F94404CFD32EBF49407BA4C6697CD65D7C40951CE7774234C4A793265CAE9037020E35D38C9C016B15D214550A94F6B245DC4F5B9B1C8298D683AC59ACBF177F266F1818628B4174D66129C057B1336F718F67D5CE7A3627E31D8E64CAB4BAA5E89B7B2971B4C82D23C36305B01D30F830BAEB2CACA3BAEDA18F912E4DBCB1F5CDCFA9F562E3BE2B01826EEF5CF0D80DA116765E0D467352264C8A9C1242F74D98D35F77472CA4DF8234E76F7600B6052E7516C514695BBCFC1793A9C9AF512E1D2EDD7490D8BE500710B305F9F54FFE4D87B50776A29C222B09F1913E71F63AEDB32")); test_xof (&nettle_shake128, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("0A7A5CBFC9ED4A55B8C8CFE99E9D71D4EC34AA1C4FE8A69A39DDD2C0E1923A3D4D7EEB8769709172866F0F93D96504307700D75F4922EB0CC199ACACF31E8BDBFA166342CD7294A723608528732BC85D7AC57307C37D07AC03D99009C2052DE7536B9049B0750A5186855BF41FC58560EEBB743F6572C102F21D3A92F8908434519D8F797DB47CFB93BBE9A567ABA819FA035F64E2A718497FD815968F70869066AE8DB9314F006466FBC53660BCA5CC65B6586CD75E58427DC7B3F7D1A7F0A5804775234C8D0907C5906AEB4EC4DF01E081695897B324A97485C22F694E48EEDDC010D198E5DC4C65A24F62D6FE7EE0E60B2E4F79A6BF349F9612303CB272C0F1D0A952312F151EFBDE16D17D3B2F2BB9729F444DB0B1B993A6CD2EA973D430291D276CB479D8F07B9FE022F384743EB3C1593F062994D2853AEC6267E68C724F959ED98D9DDC0919F53DBD54E28BBB28AE5F0EABBC36A81E25A02174C14387E8C1695F97DE66C74BA20CC8EC1EB5D3DAFD147A894AAAD4B20DF7A06EB9B676846133868F02EAB7102E6D7EA8BBA678B0DBBF1F6D6D6AD0FA43412A8A53C6D814BA26388BEF08F89042E573FACAC5588E4B5C4E2806542F2E68148F4B7CFF1EC3DA21F633372B567005F2CBE81DDDD450E597FAB577A1935281F758193CEF43961C380B62F0CFD084FB4FF19045CEB3422C01E5CCF9EAE9C3B300A117F1D81D")); test_xof (&nettle_shake128, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("0F001A78A98382078267D5DE881F8717B55A31C1781473BA089C72CDB201CE93B943687E3863BC24BE5D255A4C02E43EB498B9EE4D8A0CB4778A742051DE21C4FC7745525ABF188F38B7B46DB5DD7AB30906F7A31E0B030DDA800C7766EB48E0F4B12C474C3535441985F40376EDB99FC2A0BB2BAA9ADAEC49C1F5FD3A604EE8DB5D0C51AF7EDD29306686B3795653E2EBABD2E9118B789868A7F821FB5BC5E4CF732456448417F43F6027337B4E1D481D65D239DD15EB66F5C6C289EE85E065FCA3DAB1126E4522DFE9A1B428310C7DF543BED5D4439E87549AB0BE6ACA17180714D2636FBAD2F7BAFDBB1961764F48518EA1ECDBA3328DE8A6684730E747174345B77052E8CCE9765ABAD9F7B3AC4E8C2155FA5AF14FBEC002B20BD2EE417F6CA5EB8B95087C34EA52C8D1DC95453F6744272BBD1F14A1AFFEBE475EB2D20CC26C5893F71995B63E725E7B02FA02B3145944D9D8A32F898DFE1F7FD7A73ED1D67DDE341C4F95B603597F74269835762A1F348E10BF5FF15B7A325077AA6DA99A8B92885A344AF35D9FE34A5B5549D37EC1C536D7B71962E1A54E2601E0F0EF19A2F81151A477D35F36374E7F44E00B25C2F7C4FD804490BBB68BC755F19EB25F04FF370107237153E50BB1F8867917CBB70332B41441B6434458C848970BBE860A07DCCB6E6F9C076998B54AD88D500634948A73A3478AFB1CBA9FBB399D39")); test_xof (&nettle_shake128, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("D442B526EE0DE0A7977AC04F9C822EF3369CD2CEDACC05ABEBC71128F0C0A2F8D5C2566CCDFCCEE773AFDD2C0F8AAE2E59B56995F219A9B06B638DD91D0C2AC8D11ADA3CC491A5985255716C75B474FBFE4DF204B75176468511807478FF873F17225D022A78141B962E1A4EDC7F93BDE19DC7D804C11C49942A54CE606322693845C11EB0E20E60AC7A15287848C37EACEED986F98476AC62A23E366804EBD5690856D69E82CAB976A79931FD5058F0562B006E822087DD8D277338A6E555C54A536D29831D6587B4796179A6F45C89DC9E85DD3067ADF043E3CC90E96391D60145DB31BE7778DF6402D7808F46E42C8BBE987591EDF593CE50515D4DFD647AFE7A65579E894EC6951C2F03CCB4FB4F4F212F3D87E953D4BF6093E4D390260791924EBC438B56693ECB11BEB8B10B85CD56D39A95BFA7924B9F78E181337E550AFFE40CFE99C709994EB9F81BA4E14C6663733477320EE3A62955975E5F3F25EB3922DDB67F0A312D916B8FF2C14493981C7A6FAE0E14F222F194B674173C051EDB795DED1041073BFAF62B76D3623D065F797A82BA490CECEE1136C08193D46FF6BB06B414C8A861A4604A4CBC87CC652EAAE3D648E4D2CEDEA13344AC22CBD4DAC4AC9D6662D3694B38BF12169320B5249021C85A7477E2587DF9617D7D44E09BF7FDAED71E3D5818DA093E6D019243A17D9F32A5046FC6BA19EDB0AE6349")); test_xof (&nettle_shake128, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("6EC28683A74038F869A23B21669F27B746A1AC2BD41E3BBAED1CFDCF79D7D1A9499F2AD4701F64830F14C27FEC0CF645E553B3D76D8512B879D2D19E37D93B0E9357160FFC00F20CD96FC1AA520B0870F853B3241B687549DC2D1F119198CFFAE38402CE4CC77A973CF49F19A52EF7232E39B5638C680D44334762657397CEE9DC65FA37CF9FA1F902AB290F8CE4CEC82ABA455A794B576BE404ED24BD50B9A4923D04C3F19CB812E00D6D9DCA00A906EC0F3460F14D3CCE6CFEA1C78E8400C0FC1361A4A60810BF51AFA3CA21B18C7DF5FDFBBDD8FC1671D21CEB404F9DD37008419CDFEFBF1D57F7AB7665BAEFD500C38A5AB04ED47E4B3256B0B015D0511657290418D5DFECCED4AA47FA14A9A0E9766F3123C80B65FDC07CBED2C8B0753F2B20EE271D11D28FEE068BDD3C4F449973463C17F21F60A5E59BE4FB3A3490ED87AA1709A62643E65FF82F2980BF2460FABCA0719E575614A1211D256C59F86ABBCA382B36F970C489660C484CEAB850A13011FAA07C93D2FC2E8E447A997B0BFC286769017189A68D7DE05CDDF696EB93FB8792F25B2979AEDDAEA7A935589BE4825E83E9BB302C3A6E88D83BBAD06BA6BA274A672CED23276A499DAD01555D85C620B6FC64C62282C545195EEE61C8A127EA8994AD5A706A2DC17AE5C6F165B477655D067267D88374F674BE12F58A35DA878346BD48351175EA72A0CB5E40")); test_xof (&nettle_shake128, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("FF0DB45E2E8959375D3915DBB45FC32DC6CFE7D2BB227647F6877619BB6884D8BBF9668F407784739D34975576B99AB1325716C2B83212DBE9E5E33B5A6EC68FD75015124F1DA731F519F983CC783F176286228E59068AEC6241B24808406CD60F67D5A1AB7083D7854984A1F7030B7D700D5D48EEFC6BE0AEA46C8022256866CECDA897DC22D4A18B28126444D956B93190D7A060CEBC2E8BE65D90CF7837A90DFC9ACF4BE4193A892DBA8B3A068E7BD20D12C47A95E0482A2CD4252A34E1F13BCBCEB9C0A12E719A27E2759FDE1B2F6E75A0A38CB80EB44C023FB0EBC33BC8290513D95C431D72450951EC1A86A89D59D435CD3D4B4E069556A00A443F045224D46A8DBA8CD7E8BBC89A21D3CA024C4EC96BC7169E6AFFBB05DEF58A0F2535997F345C8660451E7CBCD83C622EDD0D8A8F30D8377BB31BEDEFB546C989231C53447B7817AC3F822D596B5C746D5839D6CC8F6D45C48281357E87312C33F62EC568DB4AEF7F194DE67981D67B2B6659268556EE38DF95FEC4BC340A3BB9539EB6143BFDDC12BD233BFFF5FE0743DA3DC89F57DD159A475D6D8882BADE66E4C93D6950ED026C747968F84DED68284F5F02A9F7549B88F244FDC261B34BD66CF2FF5A6925565A08BC8A5F8828775A5A35147C57CF327C49CFEA4797CC130D1E8AA278256FCBE416420FB7683E6D0A5B1466A586E98C144F4CD5FB277C1E59B190")); test_xof (&nettle_shake128, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("5C00245176070CD2F23F1C5E15B21A9161BEBA24BA71D989BED890782ED39EB857E325AFA269ADB03FF1AEF7D26EE524D6CE821D2C842C43D0FAF47B602E55B7960FB0A9638E6DA8272DAB5B8DB784DAAC730BF0394D50A59C87B422080191769C21BD08A32AF4C263B09D61A13D0EC26B6D1D63A2EFA5B4FB9CD4214EA76B2C915F20E242D104745EA9AF73251F2CCC9E78AC8FD3C5EAE80CA665A87C517EA620CE5217C215AE38CC43F2756D9331B0359FDEA9CEF8FBBFD3606AA5FBE2D5BD31411A857B3C8E79A2FF1B00E3EF56BC25D0D83958B64DCDC095241837E333E58E4DA64F3B5B57308B165924B4C5F70567779248EF4400BE3E80F699FB3B6E40C36BADC2BFB504BC777733BA9B59659F8661D57B3543BD26101FC3DFD6CCF430036776DF0F2979B03DFF7E6B2E98F161E050A38F71EE438088D953EF72D5651B5674EA6FFD3440AF8AC94D5A808EE426959131E460C858A77C4690801B5B3A28C6BF555F02B5C60DE30C4301363BD6322A289F36B30E00E152627FF7485F032B61041D4C1EB872365B8BD22F1A6308F5CC56D4707752DC3E32315C8559A3B8083D2F743779A3EAB10394F8DF71A878CCE871E0835B57DE865CF16AD2D2BD1E5E5705F68C6BAEE103C785E43F3582F591DA55077C6B9EFA8F93300822C6EAAC9B5A71FB676C0E73928ADE3102B61284C676C140F33A17FAB48002394EB36265D1")); test_xof (&nettle_shake128, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("812C14B78AEEE6820EA1CF8E0F3C61AE7CBD2AE493017ADE0756FBC57545830910DDC27F3183DF48C1E1D6D1A9F3DE220F17402830AC73F77AD2977BDEF013C739CA0E9EC11AC4FBEEF624F0FBBC534F0467F09E775BDBB8ACBCAC8B3DC6ECFA92F35EBD729A1BC90236F57AD32FFB46C055C93412D33CF612059C4D5BEDB6E45807A7CE2E5029C0594CBFAECEC3F9178EB01D60ACB5A72D5DBABD6F95691A1F949E4DA7B48AA78C1BEE810B175218C5902753B88253FEF57681E60FDA1851A18EC1F3953CDAA6B9C32D085C7EF9BEED9598354CEA388F3D8EEE372312168B590ACD0C330816949211D8CEAEA737EB87BF9E6D4929D83B87E287C887E32B66FAF1540B64C53593BCE073AAE4BBF711FDC7AF6E7CB0FE938D2F87643FC4DAB4A7D4154015E82422C14600E44E41D005DB80CBB4C297335EE0E616E32D7E9BA5BB0D88FBB05B4D5799DF5462E4544D3883CC2C4850FBE5B43613841B0D515093D246B714E96656E1F6227341E76051D5C9C52730D66D075DF0A9EDEED5D8E878A1FDE3AD2C962608CE17655AE769C484E676904A29F22A3B4524DE2894AA633DF9F65CFFA329AF056E9BE4E67E7EBB786AC3541C00A792B4217E5EA2E51FBD979CC8C6E40F59B6A665F1BE6E6F2FF4D1D48250BE44572FC5B731707B8611E8CD7679037D565BA7B066781437FADBB47F68AE752E879286A25020F8E00FD7E62AF6")); test_xof (&nettle_shake128, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("CAFA188EBD8CDF392EB8E67776D6F574F72615ABBB5DA35999507460FB1D357938F521BB18699510D353D3B42EF72E704EE769C02A1EE7E366871F28B25F798725CA3FD147F7DA2B49329FC5A00E486A19E9465B782B1176B84465A96F083957F3D55512F6CEF4AF5E891108B468326C1051EE1519C21051353F1EAA2AD39A32E5ADFD30026D4B56A2498309C27B03A195FF5A7CA27E5184E322B9B783C44C4E0842F6695BD89D5648BE09B927990DC3980E7F818392380840E1C4310EA67ABF7285CFE20C50933A92E74FEF83AFA6B6CD6A372AAFF36DC582040B34E8521285EE9A67235D016CAFC9478B80D7B9778CAF5DA4E7D1865BDFB903DEDD7FB8477F007E60AF960BC04A81E77A74AD25641FDB9D81AEC87634D692E445807C0ACE094F99DB07FFA01C2DA7517D12C830973D425839722EC0C5A2DF093F01EB9F5A6D2E075CAEA8C7AA69BC899463D0E55C81596907F1B0F81BAEAE734B24FAE3D99984D5E39EB4822C4ADEEA640228D72387656938CFE5DB953C1ED993FD9705CA9C9C70E6DF0075392F965682BC163BD85911C99511896BAFC35D9378B12E00628EEF3EA11E908F92498C90314C55698A6B9C6D8FD88AB4D7250166FE57E9C106FA674619C1D53CB3DE576806742FA538B5653BE7D0C08282A0159E7B4F3273C4CBE1735F3B07AA0004CD5C7F763983CDE554AD9926FCFF1D1AC48B9777C7266C8D")); test_xof (&nettle_shake128, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("105ADA0018016331E288A355DACA7426116C7C0AF86060A1A652AF34C6D6BA4504E5C681F493AA44BB869997CF024403FE9516112C732C26DEE54865ADF6594BF7A546B5998EA1026FEB209E30D3BAA289B81651B29916EECB48E6B4D6F8CEE317F46732B2BC865D78FF0237DCA71EEC837215D67F9B7C244232529FB1801282F77CB08DD3B4992A0B4A551175173BD50FE8798836C60BB748E6D3112D7EAB27F0AC52F48FB776F92D89C895D7B1F148F27EF57B47DFEA43AAEE0C8507654DCA384FC7C64B39227B6E750B431588D56567EAE250ED6AED8F987D5A6140F0A7C9A4D47DE2B2036038D43D9630E849431B7A3F7C853399871BA360107009905164D9707C0A81D00A276699249ACCEFCDAF118A8D28FE791FA0FC4D4A2CA862913400FD550513D0CCEC4A487521EC53B33D4FBD2D5F6713F0F1F3C1E6A2895C4E2B56D86904CADE3EF04AF4CD1F3E8AB7876DE83D133170E3918639F508858A335D4244C8DA8893D51A7D6CAD5A2411DBA3B95EE3B95F3B2EC6DB652868A8158FFAD739199C47C32D9A4917AD06CDD7149738E8568B0EB6B7A0252E151538286D122AB6A6A68A6BBABA4958C0572625E7F4837BDF970DB69A943E5C80E5F98DD0FCC590B782308650B86E0C12A0CF2FEB059A2857118507639C4B56C749F3840AD13325C5E843ED1895F6CCD47BF2FD68D708C1B2001A083777896BA92BAC91E280")); test_xof (&nettle_shake128, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("B37F11D6837064D393422AA32CA502E6FC0DE85697E9DDF15B45648D99CD2B0E35653FD071546D893ACB91EA8438E768BF446781A2BAE49C6CF7E589FE80B2C6F35628A9577CC1F902F061E425A84D224D2D8C5FD4C06F1C7CEA72BBF53F982626DD1208CE375EE4F593EEDF93F72011CAB8281049A76EC1F90528D53AA2E0589BF90440907B0F02C51A1A1D9A4C4B31FDF378A548C4D65CE4EBBE77B4F95E9AE29A3CE0172A4D80C370D6967BF27DDDB29065566B2C3205FEA1E2871F6726DFD8FB5BE9199C31E77615BF060A33F3ADF9A1C86D205C2496DFA694D343C058F7F212D9E056D6525479DF0C4C184D2D8191A9FA849FC0DBB2BC27741CD5B43C65DB771DD99872862546B5D1C313456423E649E9869A43B6ECAFB030897D049907F307C767885014F7DCB21FC4C7E52E1F6E95A017F9AAD349BFE109AD8BCCCDA1E4FA761317BD7B7036A09095164A79A7A4952FA2512A5B826009414BE0C504A27CC3AF069718DAECDBE4F43D93A1AE4E1A9B28A48F69533E6EFCEB17520D78EA41500797B18E193C98C574A5339D2879DA6340D8EBE07723549E51F71BF956BD90E74325BD912FAB8C63150BBDEDD455973C084A6E96BE7AA3B8BA503D5215B77151007A7D32ECED117503F1F509A2F6750B242AC63D2A53873D8CBD3A30F105078F0ADCA870DC906C0CF7CBE1197C13C0C65FD8471BC52ED07D8090C83CFFB4")); test_xof (&nettle_shake128, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("A0042E6235AFF4430623E540E15655139EF9FB84BF8199702EC9A68D4802E7F37328A5CD7AF4153CD203938DCD947F0C7CB7F398A4867FCB38694BC3CFF4C10971C44EC166F225CD4B0F1C264743815CF7BF37933EDC38C3A1453852E3B220C5D5263D67C82A7E62FC19D24C9B32C10A8A6B2DBFA059197C97DEC62A05456A26CB555546A4219A905BDD2A0FFEFD1D63A56258F5A9FBD535276A163745E8911D55A5E47A4C3411A128F461149B3FF20B9EB422661A67B4785F38CCC43F7B87F5844D8E4665B0F010AFC1270B14176913DD56B76BFDDECAD17374553FBC5C31A7A28E98F58036171BBFCF79CE10861CC0CF343822399546E100C532BA2E5013126976E02C7783193EC43C7E35FC2DFF6AB1483F7B5E5955C91F7F7ABCB52A132A038FCE9387C4635E1A3394BFE589D6C9561D05CB210B25D575BFC0251374E541D72DC2C43E8FC51F98DBA46BDBD7A4C6EFD775E1E5CAB94C8E03540FDF4D1EA7AEFE8298958B618A288A31BBC9FE7B2381200652D5B2EAFC6A89F806102F753824ECEF4CDCC3E7329DC8F7C93D94F98BA5CB51DB8F615D59476B32BBE20111DDEB7AC6B9AC8CF66CF7B338E225BDEDAD4A2C5F0C2941808EE7BD2D2E59DA7010CE6656F6B11FE5925508E5A266E0C6F079533C97FC0FB5559E06793AE9BFBFEC8BF4D3114783ACF6D0E709AA1144326D08D415E7AFCA80725DEC248313E982DE")); test_xof (&nettle_shake128, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("439E31ECAFD806B8E573AF44AAD0B7143D82FBC725C963633D67665A2116949EED1BD5338839CB0F41FF79E4B5A7F0B3A2FDADCADF52D7379A935AD0357E7658FF2538B99A993EA6E9AFDC9A2B1DA9B68F9C9377DDC1CAABF7334099043E0997F446DBBAEAB14A507220CE36EF110128E0ABDD3DA6F98D2413E4742E82D749433C545EABA95151695B38D1E485C49CA747A11B83CAB42896CF35B275490CBCC856B227C0BBB11EE110E37054B9D8E64E645E1BCE138EAE18118357C362AE2A729407EFEFF38AD2ACFA4D17203D17B933479946E39C4E4BBC467C7B623042C4B770C179991BF159F8A1DF1D3A13218A441C7A3F296C34B1736A62F1C09005CBF972A66BB46D7DC124BB43CEDCCD07F9C7993C9E365A13ABAF64859CD4244223D074005906558147EE618F8C68403B3733AA633DF77F4F743652EE53C26FA64D251C09C8ADC99AEE3D6CA13CAC5C6A4B95B389E2FE51E11D85E060CB76E331628D0494216FB2378917D09A7558262DE00A345D7AE026BCC7938BC3BC039E9C50A62F8FA7AAB5AE44E8B9A1FCA0B65DE335F5D72FCBEC9010BA19040C38B5B37E1F03CED896106C3254663A5AC8A547E5E94738EB86787CB237A2AE65A0D7DC3EF44711325BD1BD4DB4ABB1C17DB9FAE2C7DEFC2CE08AA1E7B68654F936355EC50ABBA8A1AC45C9D95F1C0669E8812F313D63DBC7F7DC40D2EA71DC8F9F1581F43A")); test_xof (&nettle_shake128, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("91349C4ACA2EE1A2646A6A92E4335E7C1DA9F8482C2791FB96734E3301123E4059F603BB4C42B4FF5584CCE75960B5AD5F667FAA54DA85ACA5FEBD5908FFE7A1EBD05AD9E4DFA8C8D8D92B7F94666C119DE471326E1F673EA67EDA5D66C8035E047AB08157E1228B4B09309F19A0208EFE7BE1788C2F77347C644B4394933F6AA3E10C1B9A984D12A6D0C68E280785EFA11F1731580D6C71C98D6E6FCBCDF56DD55D87865ADB395E7913DAD6E9A4EC938A1D7E2391FB11CF6007FC9C02EA70F44B67EDB1206DC86C00D1DF6906C878FFD93B034F830C05F8571A6068D87A2AC42692DEC62F4318F8FE6DF3690C480E48FE406B85C9FCDAF558AC040FF15011B6C1AC183AEDA7B00BD48E16B7977098BA9412B470B7E7F4016209A02F0F585C29C554B5CF8ABA78E7E5E71447929E598046BAE2BC32958E65A7F7AA29A29C2EC8B34E521BD3601F755BD42EDF60B0D04539D4BF63ECC09943E0C12860F0C5665797A840E85496C4E3DF04B36CE8FBA42DDA559D630BC2CEC7459020FC32F1545B520B0806BAC854E6974A28FB95B41EEAF1CF01DFB3E89B8861F205C100DFC063CD8393330F6A00FB379901D0C47EC2E4EA5D96722EF13FE456E03107AD1179625F968864FB40D7B64879535CCA63CFDD660651FAC389CE4864BC3B382073D74D5346E6499801FBBDB590C1D4D983BEA74FA6A26FAFA4E57B65BE886D55A54622")); test_xof (&nettle_shake128, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("5F8ECC71A5D264ABDDAF1B4895CB11EC9DD50F3DCCB1E1562F1840A0C196A85181BE2B69011DE4A3C75087A3A303555C074A281BEE10E66AA2F15E6A531E5133B6075F84A82BACAC7D771C3EBC74DA2A1CC1921B3C20E99E2866031BF725D08B4400F38BFEFA0F810F82FD1E4BC12DC9E20B3295745B7F132530583C44A18806F537D96B3F352E61ADF285810D32758284D29AE60FF4845893ED07EAF2720282016CF95E28C9BD49F0AD80B87A4C71179ED9D5744843E811D9C162CF57013A7FA9AA9D0A313D44C6BE7FF069506067817BFEB731EAFF820C812765614F3C1A33ABE050DCDE56FD5C6FAC1A43515E2F5CAFBB00A75DB2FA51145A994045B8F71A6998E6FE47CD467549E548EC4FB43C23E7759445BB36A444FB0C91DB3F9A81F1048E21CF32BC3E427A6109DE84FD0EA8B006CED78D08BB7C5678EE401EB2B73F0CD2638B2C7134EDF7F40166EB23D56F7E4BED122B70981F8133B594121ABEAD3E6C96E0C2D76D93B4323DC8CBD869A1811CAB6285E0CAF2C021792A759F8FB907FA45E2B276383F6A385EB299FA5C070AC7B1B713685D6454AFB9AE4850AEEBA6A042F25B1902D18CF5069EDEE770CA2B342B3D3208BDEBFD50822B1CA0C9526306C061B2B4EC6724A35D86B352504D79F44EA7B1A8926C392001EAF2018D4840500E5500472AB05593F3AEE0250C27EBDB3EEB5955DD7D73DDA812D988FF45")); test_xof (&nettle_shake128, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("FF65B09E0A806202E10997EC4F42A049E0A97654626056EBF7B92A44E06AA3D11769160A5EBF6357DD6591B373F9943110F609BA15B5893E7869B17C381B549267130047C1286ED9C56F83776A0F99124F8E8939C8EAD777DA433F8C786BEB7B16B3CA4E4F13CEF93B4236D82E870CD3C6945FD7B8F0CA527AEE5BA66B753D0E6DC84E4ACC7D51686C2D9E7E3A31BB0731FD0EF488F1CAE2A8CA588B428068E09E63696F05B71BFDBD89F4E7DCAC2BB804939868DFE7849FC68B095C8C6E7BFDDB3F35E9A8C1B353158C1F3533A0A327789CA271F6B5EE1711ADBE112166ECF76BD0BC91BF957D4B60D84440BEACCACBCE2C2775AD1A2437FFA3B7DCFE2B4A0CBDE28B09E4C306D8133ECA952810D22C132BDC680CFC7E74BF5949E7D532DA24AA71B22B4576CA48EC1FB264D157A0CEC81377ADC125F29B27CFF0640E0CDE89D3875B749E412A50A919A08586A62B8788C4ACEAACC2842C7799D125E99C6A2C1F6150CC503FD420F5900DC509B4815A54B893B8F36B1FE27052A5C66324D7EAE83957DB1FF627508B77FA072F2A01C4F406B6FEFC5F552CB38EA06FC2DBA6A9428F4980D880751E459A1D5B9B3E637917F177920314C7882AFC3298B3E21E18CC126E690A594FEFA0AB722E2B1EDD1C24C0EB118F9C16E4964D637C4BFC6865B9E290C4DB71C510A1CE623132FDC742CCB5C5BBBBAEFCFE6F95F40C861964F5")); test_xof (&nettle_shake128, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("0C3F7284A63D46A75707ECE96D5DD51409A0E601765E8760F696175433BF34A781B7DCF131E425F25C5CCE52FB457CB5745E62E7A8F9BCBCB9113FBA1299D82E403E34A6E7438660D0C7930B8A5CF3F127084885447A91D1F5D5F117E3EE8E2C529ABE188745609E9948E02D82F1F87855BBF46E8E4FD39402F749AD00FE886759956FAF77E0689485C08022343167E23180F5F1B1D33B8BEB5F73EC818B92426CE60F5016B8E644DBACDBA9900CAA61D75985B5D063A3BBDD5B95937483A970BAC40A0664E95C7C4F26A2791754D77A6FE5C8A80DC3D7321BADCEE567B7950A686B1490FB0CA411F08FDAA06753B67477F67A1CAAA38F09530FE58184CA552DECC0E54B4B0073E77FF4351FDFC5F7C6E6F153935C1E5288ECB57C3DD6022DD0854B2F986E292FCAFAD0421AAEB47A7BA53C981DEFE9CFB53C95EAA02AC7F1DD155E476B6746DD2F1692A7E2D6EDF79E795924A0B919BEB278A2E65AF71FA1CAC81C5D5EFB138B1DD374F98B98CB5A14D96D9249F0F9CD42856A275F92075330B1926DDE0BDBF123A8BECBB6B6B3797DD89BA4EAC728E6B56696A752A07EEB1A09810D450B2682F2699DC6117BFB45FE306ABB889976838DD1BF31791402CE24F2895F70434FAD1AD4DC86F0F309EE90FAFACC7E72C0B717289D695E4000FADC058A119D9C4BDE9AC0F8B45CAD48C78BD2686105D9A27680CB82800509914206")); test_xof (&nettle_shake128, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("88C391F4788DBBA363859497F71794349F3A81CC9D1746CA273208680A0CE4ACCC12021E1EFA31AE40EA75A009E95DA25F9F0CF451F658739E2453280EC6253BFC1D8DD72E91B4ABDCFCB240C6EFB4E829934BEF46069274A60B268DF86A7F265B23089DCC09D77B8BF9A02A84ECFBCA193208AED46101F48C10778619C154F880893FC0C440662AB04106B272A9FD18B8723EACDB8AD190DD58E9514BCD43A9299FB361DA76F7E079A0E83615B6CCE6E69CE3E724C36561C728010134ADE4C44B18D1FCE86289310D30195A936BB1E23C0CF98DFAD41E6007E56C905F5DB8DC13B56E16C3454146C31C9866628736B5F537268E0FFE463DBEB2F3DAF103D24F95CF5BA0A4D94C68D61B6319389761EF1A0F22B3D416E67AF916AA4772277F4E51D3A8DF919300805A0CAF8C36A43215E7307B49AA9697B6FEBEEEC4F4F5F7F664C120FF27C8DDCA2224CEA4733DB2D1A1C28F8C030A23039BD0514AD6808805FB5111F514A10EFEC4F425E1C91B0EE3DBFF70CCF6346E6F4640DB8184DA28FD8C63156B28226491C1922B862203F23C870A2D88EB5FF5A6930820A4D81A62DD8C4F381F35C18012336011DCF71D58D167F8C5BBD3E5F0F278507D085F01B0DB2EA2860490AABE253DF4694288EA862F9AB78FC60827241768DFE617E725482DF62275031474592A57FD33FFFDD837654C22C96424A09A62A5F146FCBCE1F2AD")); test_xof (&nettle_shake128, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("20F8FCA8BC4274E6CE95C558FCF5EFE7F6A43FB47BA3A4AEB4AFBCB53DBF5BF224654A242DFC1F318A4A26924E5F2759ABC96D8B9C50C7185B5A7C3ACE2BC0ADAF1E39C6EEFD79CF89D2F3A8829F180699DF802662F285960EB6676560655FACD507528D862473623AAE970E559117687F87AF4A981C7F2F1E40A1E01F2A3AC0E89D1C62ED751B9B178155F2A72F215E51E49A4E585F4422C757F891AD4004FA618DA654BA3CE4C6A7614924B9C0ABB8B2C6CDE9B8CCF22A1E30A21A33723992ADE39424252850535DA5FEF4F047CD998EC7AD87DC784DA7D755BFB9D5F6CDC9EE52BA15CFB7F1429A15F8F0C67F98D6E44CBC8BA16D0DFDA6D72FBC1A44932AEFC2D8A618814957D8B748E0CA0D3B5095BC8785B6C20053E4A204343316D74FC96E16C775AB43CC33FF2B4F4CE85086D47BCD132C0B0E196344B01CF6E8BDA3E06E2618D5604BB5040474413FB54669BB744704D89C5B06DEEA58D4E29F6DF9C926A6CEA1297967DC66583654FDD3F6449033A496199E4B6F37E0FB31BE50747376122951575095467010006D5F9EA709D0F15927A060D828AF4180393EAAFA27701B919DAF424BFDB3F59AF0B40D0A4890006C98894BDF402861C76655414AE631A50FD80F0E5C63002B604AD1AB9684C094BCDB82C0540FD6E5924AC51F3FC6DA074AC7DD7DA1A87A633C16ECDE716641975182803039231320E9FA16430B")); test_xof (&nettle_shake128, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("F0E4F184D33E8B5F8AABC173B04E61BFB420E34AD22E3E8AC318AD06D92E8B5DFDF4B0F28157FC9E7D64545F527C805D9F953626BC35923C922FC09E7D2947D342BF91E54EF34FB5987704F7D0C36C9A9347F3A99027E192907342B2531BD1DA066D34ECC1FB50C85C261DA65F4AF9C2C9E93775F39D632E3DFC1216ABBBCC8DD2680F8081A2816BBDC1646540CEFE4881FCE2ED57B4822E11461B5E6443AE2DE5CCA426258D68B01520594B9547A714B0A377AD398F42599358F7F33855E64F12F88D9E2909E6397ACF34ACF79632AFDE5711858814B84F472EBCD03EBC9671F3985C99DCAB92FED40DE97A3C425D38DBC48ED34C2023771EDFA4F988931B7BAB6FDD612D4AB6DC39D43E66D74307EA8A9359AD73E0965E885AD919F12E6C645C0DC9925CE65F5F3EB132C7090BDFF4230CB16B6C9567AA62DD92949AF10A6FE66CC50B29CF189DBB521477A99DC45C937856DE855C303A5EEC572DA0CB0F584961971A15D8B0907151A046CC1B193E55F7E8419601C1699DB52BBFF3142270F22D628F53A18E64736C1DCC09F7497CB56ABD9AF5917EC07C35BFE8D041D00B379067F2D85E05732D5270C61C592F8088DEDA0CB76BB2826492A61BE9270A8CD7F9D26F51DB2207763BF41A465ECC8B877FC53139925D45541EC090DEB2622864D9E3529F0F23B090912E04BB95F56B1BD33381611D973AE347FCC232CBFF00")); test_xof (&nettle_shake128, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("1893FF8490BAEF747390ACAC15D42CEDB909C2FF3D30B2250A3F9DE11E79943B9AAA5C5747736E29E559F93115B0C029AD6AD8779804083C3F211C8D6CEE56AE65F0B650CC45B9DF5436456879F62648EC81FBF968583582CF4063B5F007E1B04A9BCB2249833170C1968E3040C808F2D9EBA238E74931CBAFAFD94690A275D1A1C1C29F71B8DCCCACC4E9543FF05900417D7E46C64FB4454B3DDB7A0BC01B85A0AECBDF9272EEFBDA881D2ABE77ADC9F17A26C50DE64DEF1AD2A09A79EC9F9C64895540FD56E93423DD7DF3E566D168E2560D8336177937F46DF87AC29F9FBDEE919DD8D2462FC1DB70E27B992E35F1376459FC15B76FDC3C6D9C3F6D994B300423F154B6FB28F845AA3DC8537DE62D81C78326BBF8A89E39C865F395BE31B38BAD26CFD4CD866B872D427ECE798968E66658839121301BC52E07CAE272B6C373B01C4ECD42F75D3CD45B2CB1131179A9F21F8CC84C08368547DACCCD56985477B4067B865B0268C1366D35C59D7C4EBE54E0C7EB383860EECFFE308A2E71858ACE60EE4A2898FFFFC507F0011F47B16BC9D696955C8E2C7FB64F4EE9DC9F9CF9987EE2CCB0FB780BFF780C4253E398763AC6668FF7082A848BD5E1E31E6B5E1E771F7AE21918C1ADA32E788D89822ECD3029AC5604132A681AED4348B631A2C9CCF19D14CB10F570E3B7F9F301B041E6B901CC007CDB125AD9CFDF7A889AEB")); test_xof (&nettle_shake128, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("56758CE6042783CF0D18A2C44FBF953065571BCFC3D19DEEC28F0D6564B18B227B6DAEBAE658DD065F414E4FFAF756D10820FE38C61A767BF2FD0C242EA3E994CCC6516FCF68BD7514833E061A65392D175CB6EB87374DE426730E4E771C7905706BB5D7E3364F946B8A061462519D0BE6F72B0220451F2C6C6E5CE217262323E4FC81DBFF169DCA043487D88F02BB5C22434FC31043603A5140364B7C2CF179FF13241CED0911ADCE30C4D7B7EEA34E094C86B522EA88F0126943FC2E3F8C1C81753C4A10B844ADD7868457DFC91094458806B2C115A052BD616161AED4BC1690E5DAA09BADFFB3BE59318D7ABEC04E7B5B439B92E63BA3EBDE71AAE8C5BEC81C9073072EA49E85B53539C2462A446448F4D362136638EEC10F227A0A977B3460499A77A9E951124B55340E49F9D2B0A60808153D357B585F2C940398B12BB807E730DA556C3D156D84E5C0BE2C625E3FA725AC5659E07348894842711A704A15201C72F4FD2E54CAE47531C07C7D1FDBC61446E35666175B2CB7B25A5FEEDC1E5FEFD2547F408F0E91D65C7AD0E636FC7D8BAFBA355275AACD0E2BFAAE9FF7B750AE20C828D66793A7D275DE882DEB8A97002C9B7B90F5ABA4D1E7B9D5E4BAB59DCC44E487BE10854C76D2EE6EB5628F1E791B731E5B1CF339270E90B3F25AA78B28EFDB906AB2D5560D976AA8FD4A560A29DE12C47A360131BB5F1F8FD71A")); test_xof (&nettle_shake128, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("D5076FE06DC454041F41D77DF1680958CB4EB8311940D58CBA2D6CCC1B57EF7D66D0D947B068928E0284A292D6F3610BE7CCDCD2117D59EDF468F4CEF33DE2BE52ADFEA056F586047F8FBD3BDFDED58237C4CF541200488A3DE301D5F36C735C387DD852959609A9609D370F63EC8E1649119F6966887C38C99F94B2293CE52EE234AA5AF55B0EB3AFB8B5A1D283BDE8F3580F5AD1951D8BEDB834EECBAC86CA72435B52519091D94647ACBBCB1B55DFD9A531C6C966B481FEFA1396CF42FBE362ECF403FB046AFF1B080D47BC282F4D053BA30C2A00364E11EF82FEFFC4096DF1F8AB109B45331611A8AC84B8DF0B7B94952A5AC80B075BFFBF16065D8E5A47F771C0F983E045D4104B7E8E5226EBD9D7ADD387DE852DF26EE9DA3EE70C7E20B877A45797DE836548664026A380F306705232ED37F4104114D58065B1C74441EB9CBF00B8073325B40851B44033FA4E65148161B0DE0C1517B6830CF5417EA3C004B7465C48F9B2766C43CCE5738E9EEF6D9D0F296DCBDB41DB35924EC1B746225142775268908A63EBE1240CEC4F02972523C8C7DE4B44530D1821BD43694647F355FC0473D7BD4D3E6D30EA453EFDEAC396E0DC03F796F70709F118920F8A76D4D85DA2B5DC2964A8824BB96AA892E43FCAD95470CDDE85433D5CAB38424609A9682E1FEDF7776F2D77F2FFD9707FF110387DE49F9422F11933D6CCE6DDF1")); test_xof (&nettle_shake128, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("904786DCB5A8F3C4BE4DC96CF168C65EFD3DE65FBE92DFD96B1CB99F33581F561E02A9D85740FC7295726F36F966392956B2C61122481D7DA372662D0F2B42BEB4228877BB85A3AFB52C689B3DA75637B52B81B9182EA56980E2C0AFD0D27644D0CD86B770FB3F4FF2618FF000FF7846055449E1ACB3721F03A0E65FC377F189824E06B13EA6A797DC7E8A8AF064075A9424A709456CBA62C43B51F4145D6F5456159678B09FF1A97BB19F4A41A836B0E6090617A2BB9B9ABB7D4B6777489FF1CC36E6FF828BB27B26DD61245A3F583839F4EFA1C453D6D5E9B2B3947EEE25D006DE476BB37D505FC5F0AC0AB97F8B56B8587A8FF2EB61C3F83598120B469E9CBC5FC03AFE2F72EE0B117F818EB8B33CD538AFAD801CB75D4B2F51578D628A1701DF56B9B9BBF10A30DE0893B6E3CAD4E264C5829B1C5C35B3A1B859BA7E49C29C93F98E69EBEBF8909F535956DCF767C51E2AFC49103C052AAC1A39D02909383AC02AB8220E4985872916DD6DEAA9E3F57475A33B0DEC69F266F1B990DF7F9F85EAA82FA226DBDB94292B91C3F124B8BA13C3ABE0908E52B67EA7131E61AFBF20293A61CB3659415EE890C151A5628225D61DED612DAD545B62D819A4F3D1ADE9CAE43B9CFDFA4C32A8D16116A58EE3743483663E9401CF1280DA465025EFB103139E4E8850D1329F1B9BF5E1A8C05D20E963E824EAE0AF586635D19D13244D")); test_xof (&nettle_shake128, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("9FB52B8120553CA1F4B801FCB753DBB0E45AF3F160749A05FC2ADF8FF1F507DC304214D785C5E0797C2F6F767D76A3EE22CBE0D114F5F8C32BBF8DA8505090381E16064C001F1807289D0DB586C09A85EF727F393BD2EF1F95CDC1777E137B43DE60D425C5F5D685D43D5F6912458FDA3F4ACECDC2024CB7E6F4340FCF6333CB29BA1801AA80C0F8A248A21305BA62D62E689D55D905EB03368783CB32F765A55D3061774C9344E85C35F8B944420F47070B34C9E8996C281D890E591D5B5CEF03463D86E88211917E7DB7F5BD4F36565BD855EFDDB859C97C206D5F3836840FF3863B93E17AA19281202AF6EC0B1B5DCC7C00D9DC08C2DCCCAE41EE2FB8E591A4AADADF2B28FC2133067D45F98B4ECBBB234593159888F832CDF1BD4864B8B720E42219A220C7FEAF6C0D6A1C14AF2F1020218C65A475386A71788F7BFDB172B12819F2D78D6D200382992D9F39500C4F15E44E1E48FD5734D110FFD1967E098F673492630074DF33434C36EC9FE067E8E794794191F355C2D564FA4BB691702DC55F4E6C83D1C487ABB281F0246814A1EBE626F05F06D09A371AFB4E746653872F83B42509504B057DB7BF06AFDC913F679EAE1FA4D945B93C4BB07E70F48F147BD668B121B05A777A5637CFE24A2BC155C97B9330B3E3B848F689A00AB1F916F321FEC05763DDC6D6563E7AAA3CA309ACECBB0884DEC5815558D8FF72E820")); test_xof (&nettle_shake128, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("906BFC0B13DBD86ACC32B93C56C7187ACC1E5984C1A7AB8CB4EC39A00355837F70B6790360AC9C447E28E93CDFB58CFAB3DC8EE4C2378E68298ECA240869FB5652803F590245F8F40810FEBD33FF25794E39758E9984E47626EEA8AB2145CD2E260873D4524759A855B2DA0C8A80C6C365E76E8B37AB4B9A6D9882870DC22F61A341FC932152BE5C84AF645EB71E6713B1D9B582491653A8365BE531D565B27159F9C5C7FAECA04FE1E626C1C9A7E7FF3882662B084B827BA96E865B753FE73E3936E47EF9F1EA151878F671AF51722A4755041960EC2A7C2C4CD364C4914F64E90BCAFFBEF147E935A6B03166065506FA7F20A707AD4771FF026D7BB0DB7E744FECD63782DCBD9DA7573D77F82E6A5446B1595F7EF81084CAEAE91E522FA604A370612A6BF464D5872ECDDDF46285A407D7835E22438E82E62CA0F1FDF7B420E15F9DC061A3519B8F389022BD06E9B31A34F854F0F75FB9CC538ADC0AE1D981DB68C17E6F3A91D6C60EFBAA357A49FBD148AB7EE2D96EAA8909782E74A9895890D02FE8C8B09B8A9F2A8E18200825C51896C42C59AF9AD93D847F4A4FCFF008D1BB8D6BB2E7C75912A086A23646939DE69D7BC42F568FCB076EF9C37912BCBC0259FFE04CA17F799FF7ACA1D34FBEA76EBEFDCF8D22BDA634DE9B6852A5DA831EDD0B92AC09D9D8235A0AF2BD5FA6B0157722115561EFE7C14C22145137D729")); test_xof (&nettle_shake128, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("E2746CD339332913E436FDC5B21215B39D0326E95882F291849BEF33AFC6C7B9A02F438C2E6F4175DE5FF04B79256B845213B917B34A0111814AF58B06C8B5AF9D2478AD18F012373B9F030ABB79BD7BF380C2C2EF07061E75D7BA113845C80E43BB718377732064B80339E8316068BCFD37ABE6AEA6EDA3C58BBF95A77799155B30FD6776012F098EF9F29DB911E11BAA67937A52EE25C429836FA45A2ADCFBC704A404AF8421FB3B75DFEA979F65415CE0E9B6D17B2E5825929115DAFA8E9A51E16F8E2563876702E04854D48AC2159BB782AA6B1B764A8359F7EC423CB00E9915BC63B27F6E758402B56799D7C3093B1A222FFB8C0F08273A6D5115D2CC7429B9382763807FCF97BA5EE82F78F835BCFA65645AD36F56D595ED06924574B581D6C460BB0209CD69581732EF9D1DE78F0B8109A6D4C271F2AC07179A84BF36AE328B1D0862F65B4ABFFFC0E4B6A17FDE288304234CC2447ABAAA223D16DB5AAE8E026D17A9ADDBA9C51F3B63446DEFBB9CC80323E6B22DFEE9D9E438BCF5E14EDDC490D9DCEC2F5C635D32A1B6C64D1CFD07DC72E954C97DB2A6E82DB75575172F6AB0D4519158F84C836F3B7B4830CE0856C37839DD7D7FAB6A9AB00F9DBC020AE45C6450C257B7C0661CD75F515EE380C2864F0610A682D49CB4D19409A317AA0D6667E3E61FBC2D9027F4A5BF4FB1A0D142183F84FFEFEB92EAD6ECB2A9")); test_xof (&nettle_shake128, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("0B82455171770082FF4A4FAD8A5DE99DF716033D27071278E9C1256D63C34778980889FDB7661153982EEB0FF904E24D31C8D48D89F412178E527D054F822DD2DF6C4FD555E55CCF3452FEC05F9CB3BD4F0B4D2EE851EE3E22ED180F0C02E618563BA89E42C4C6A7DA1A9256029B6449A9C63625CEFCD003F936613092CF59F676AC91298C820436F58BCBB2F61F3945E67353C854CC384D607DC11B906A1C1A5143D9AAA294CBE03F946CF2703C0983727FAACAFAB85C6725E8A9CAA7AA69891799C560BF6B885255674A2940DEAE220BBDA252E636C4526449BA895DE17312EE0BD0520FA68DB28BF122219E571C081DF18C2437E4174D1D6B529E394C4090E5FA957A996564D11A3B4652522FE2999903F6095422B4AEE2D47F2CDD4301BBE42AF671F58228D76D7CBFDCE870242872EF85D0D1E18CEA60C87565E48A1463030566C9E34DF8829A58FA36770E861D6543B50AC6A439ABC062236A065BBDD866A237C09897F3CE2EA5B0B1D8B576048685A53DA7A409FC6F121DA36AC23B9419F254C76E7024FAFF9D45BEE4392CE4C968E737E8F9EECD4800F7C928E30EF664FD4D2A7150954E0599CE5C4F07B9351A408CE35166DA4240F1E751CA4A7CC4946F5451A0BD137857DC003B61424A6682D942F4DA9644672ECE7A1EEE295EEF46B5AABA3F46099E93E01BE7AD9A5E27D378701CF9514B374204D387145349F5")); test_xof (&nettle_shake128, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("4167BCE24865262ADADC78E611A960807758EC6D0D46E3CAC221B4FE9818937092BD3AC5219F0FD765B613F2EB7E36A5F48FCBE3CECC67540F9282DB1842F95CECF0648C12E52E7EA0C96FF7249A8446D0DDD7625BC55568642DA2F2CC897B14D2995DC382293CF2DBA9A63EAB9F6940AC9CA87FE5CFFA196DC930FF3353E34313894A3D2A0A86B0FCF7631735A2C663BCB71D5947C4B2E97441982B791A4F20BB86F7FB033210E4FE58DCE7256309FDBECD7D7F3FEF2D1DF7E0247FF981D417C56EB7B14B7C9453786C7B30F173C372275324E834D94DBC6D10714407EA7886D92F810F2DBAFD57484A09D70951CF85C0B7820643D0E7EF706934CEA0CCCF94B1D1F75F1E05B5D033A5CE1F804C3BC7A9CCF00C8CFEBDB62F8C654805C5ACD4FBEECB6745803721D17F2B8303A98ABB9B8618107B4493735B4001757890D772F78093AAECA244E5297CFBF0B9442370C9FE0EFEC199201E8667D61FE4B9CE20EDE827433C91F521EF2B296B15CFF658E18226F17DF114675F57E988A14B9F104F933BB685A3A9DBDA96A9B87F2EAFE028A7C656300814692C3DCF00D9F07CFF361F601BF2A1FAC9EA58D7543604382ED7CF35DE7AD7355247318796466081FBAA05FDAA65665448DE1FE67AB560250A213FE60F506E9EEE720FA762AF7D2A23492597BF37E0067997095FFD63480BFAFF67C084EDC5BE6C0BFFF969BF06E25E")); test_xof (&nettle_shake128, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("4EC44E5E1F62935ECA450494ADD6AEF7DB1C1C8353F1354C4C9366E9E56A8D5BDD02383B9A04BA4927959531B9169606CD982B6B72927D2E433D900F3B402D7F5BCA979B3742E2E2C1DF8D4E163628357AEB37C94161F8A9269832DC28A4E4983B45140A5A7C9A4313FE39BB2C117453C2E5CEC3C0D4D5C1169B042E319C77712C0171E3487C590FE9B223B7F681F6C4B46ADC912BABA3F1E190CB66DA0B38B3389ABCACA3D4EACC26046CC71C4B3EE1520EA84A1B8897A7E39B9EFD65130DE8F694A0A81F4CE994A0F4FE1CD94439D6551CA8B695A5F22EC51022ADA24C3EBF42840C42B2E345F8AC07BD5561DB40D66DA87FFF248909EAFA8D35C380133AC87303C83A8368492406B45424CD0C7143BCA5BF6DDB6B2FA45FDF45B96BD1CB33F16C1843985C5A8B1B902361D10B235F3965457CCBF2ADE247CD371B9AD808FECFD503272D4918BC3CA6EDF09BDECD56DFF372DE8E2E1D35CCF55E7E81AC5DD717C49F492BD1B242331EB66287F10E15D7BC69DEE9C3F1032C162B0845083ED653D38F270747510F82E43F0EAE6EBDFCAF296D360998A5AE8E735FCE78AEE2332F7766FA8B289B46CD1F129BEC02DD6C3D7C63D544C22687AD7E4802E0363D05B8B7965C1D9C9EE8D08B0B54A8D55D2A52E0A053D31857EF350C713CAF7D7B00FA5513CBBD6FCCCAAC97501E3964DDB3012D2E101C59CB8FD8B28AA567292E27")); test_xof (&nettle_shake128, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("4D2597545337647A12662A7A13065021A6D206EBD13459DB348C1F5361C5990DAFF469677E61DA9A4ADD24A1B4ADC67A092BDCF80D98C0A858EA96B0BE188619A82A1F5055B461660CF805AE75E4F869CB830E153E840D6F164DEABE9065695F6C8F982BBB7D2ACBFCD7DE93E8028AC978E0D78CE878D3F813ABF1E1B51806099DA8D76E16C47D0C1D6CB70E766F5F3F2336642B9BDC2958DEEA3D6EFC30FC4E54A90FDCA6BFA5E8D4410D38CECE522B3A32F11D4599D464E9CF16949385110D71D86A2943C03E67B19DA04ECDF7D30A3B9E16D256D5CB1545B1312B6E62AE028D61317E689CC3EAC351B034E83CBE91140E20E292A3AF44C27A026DCA5674B9497A10876CA0F21D79184922CE71FC11AC98072C2368F70D113A413E2B9FAF616E3729E515FE22146A35CB93D0178C1C07FF9F403BA947759CA0FBB09FD66C7EB562307F46C074501EA7418FC64911AC940C28E75E2146231E0B94893EFDB0DED97478796E87DD906FFFE9232368CD0673F9966E7B312C44F26649355448FE2FAEEA198A5F6EB45040D56068E5B98C02DD948277E1FE5061EFFCB028B61748E2D10128E0E0F7B70EC8CC6FFD071C65B5C1B9CED47C9B0DF76D3B0A5255E27391409B07B0C112CA444E2E926BFCFFB1AE7B00252F6831FFF4992D63BA2114502DF0A3489AC58F463C8F9A1B3CBD3C8836F4CAA301B7336D8DCD255C0762C15E24")); test_xof (&nettle_shake128, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("05A819096B5B6835090CAD5109CD34F40A234F1569B226C42F0207AE06E6EB37A50AD688C81A98C9E747BEB1BB2AD741454430C0E36A8B4DE03A1DE7C3D1FBD836F90DDBF10B10AD9DC427F0039DE7C0A8336B10A5F2A24EF2A0DE7D5765ABE3ECCAE743AD3339521D78006F5859339F15B5A4C82FE758294CDCAD306D30E57EBFCA0C22042FD0CA678BF2E5D59CC39CF1174B1629243115B9247B620BB14217C7EDEA7CBFACD209FE77206275CA39D15F6995E27108C9740A27E98BC205606D68F4D5592756390DCF9C3B5C58585142BB6E31928AB39843538001D792DB744145E5E148F15336C1D6F334608D514C8A0D28515C17CD88C47AAFC95A7D42785D8425AAE5D2D8D74A90914AA30BD428F0282E51445DEEF80B7C1A4429E4E810C753DE4AB21D2E6E895FA4797F3B4C267CFB123C337CBE0ED977A9C3D4147780DD20B2E0C1781E3A8EC690F3D32F38D55D8AE641F61537E0649FD681857156837DD46D1E6005F5747882F895684A6817D40EA1DF7B6B049DB621CA257A3705896DA9B5E38A6D5EFD1D2FB4906285B1AF522D34A5F141C1B72E74FBF02C9BFC38D744C4D6B77C32317774F4F3743B7E684A72AB54BEAE64994F20DC8AB350FACAB35726B55667ABCDC7CDC18576076B5FCAAB6264687D497D32EC0D0A5C42FEF8899441F36F7B72925326885E1B67D59D7BC7DE352F8844F44C3B634753812844E5")); test_xof (&nettle_shake128, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("B83D4F95FEAFC7E5AA60BB1035F69C8074B1A25FF516AD6A18DE1808AE64AE212B63FD05F983A65BAF28B228EA3AB587B163E334A70ECEA2691A77AC940259827355C5459D074532A3EFD811F419E29FD67D8CE82BB4F79451F6AB0A8EAC6BC48713A04F318AA45DA6246FB8CD9C866FAFC9A48C5E6C6D05D501D00E08F7D4320E5E294FCA2B6439DD7EA3BEF65CFCF256E9C4E6F902BD9F6AEFA2AF303E0028D0DD0B7E266F31E21A23F546FC4CEB9BEA5A4034D3DDF7BF63B546F8A1D73F9F56E1C70B6B5E1ECBC244651322025086A933D94D1F21C9BA03493E38D28CDDF351F4DEC99C734589CC45684DEE9AAC79F367B940D6E1AB57AFDAFF422F9D60E83FD6A080D60267D19DE6626FCCDE0759697DC7CCEC6384B7AC7E936A7F12E134C053B80CFDC38609149B277B9F6881495562EB466B99D4D4A1B80C3751F51B3D53261DD5BBDAF1B5401373140C35D31907EA197397DFEA7C420A80C2151E73E0EE8E27495B0C9EDA13B93E8DDF9426C26995317CD273960301973FAA9AAFEBDEC14D92466B059D3FA7CDD533075F5861C538D69DE08F490616B650AB5A0FD177B500F05E011AE3AC06C2480816770D0EEF7908761AF08302DFCAC984BE0B3E60AFFCF5281FC6E28AEE30421E1DBEF6775CA9BCB2803954C0BE501D55D5D0A1CC7882AB5F1287B5A3EF564B91735B9CA85D5E7103D0175B2CA00EAC7B627BAE5E")); test_xof (&nettle_shake128, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("5A81FB81F8CB6473C04930BDC5C0A9CA96D4A500A7BA5A9167491573AA7178101D64F46A93486406614AB9F397E78B0198FC988CCA849EF70C39B0B3A844493439CECA2B7CFF8A32D18285BBD32B1E5EE26AB0F82626F4130C1B40CD6E2C9DBD6677E6644A1ED6A016DBDA139B868FC2F7C9263BF4535E8ECC24DC626B1F3ABF4B08E229CCD076DFCCD89C8EDDC77E9FF0252BDEC35DBF712CF0A5BBBA7B4C7B702CB9353EA4BA3D0E0DF48D6C56D0B51CA269C9E428B22951555C8CE65B5704CC3F4ED38649474C4C049A63894405186E116E616D686C7C033CFDB75B8202FC6B6EEAEF697A4F5277DA6C5E7EB9814A6798262535292AB6791633CD687E68EF223464493AE8D1E27F8B2F483F5B137E48F4390CC27D96A694971B28C9CDB1A24648A0E0573141DA6A1AB54789199E8E909F6FDB0766DEA735E2D87CCBF975FE8CDD6C728DF888FED6F049008D349A476EB63A87E0CDA622F9B611278868E8396BF4E878BFB58AA847F04C2E3A90DBF386954874BB7B1E8CEC42F1AC16C1824F328AF9CB154CAFD4C9E2348A02B0F9638C8562655CD5E3FC2BDED644DB61EA0C4DD27E8B79C7BE52F55C321619B5C8BEDA60D00DD3DA3C19D4C226ADF2D5C4A66518940F2441BCAFFA704C80900512516BE2710301579F023393892FB27EE9DBC71AD34EF26651E133B3C21D8914BB6E9446F11288E1A76431C3999686881D62")); test_xof (&nettle_shake128, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("E41027E76A055F0A826481C650FC24F7816460ED519AF8802AB191E411ECA719CA1696EA14CD62306071D4E1DD65333619D0193D9830B6E8796234F892010681923BF30A1A0AB89D82E36DCEF3ACC00DD286B84240D0282F5AE182FFB84BDA59531C519374ED5A2E80DB2137BEE790CF49B9FAA524F75ABCDC5AC3C3027F6DCA443B2CB5976B9B8D66E9EAA1F9F62A23D5C9A9D5FEC16A5925ECCF1021D3253BD67F471BA1530C0601DD96A4D7ED6E37DEA3EFB24284B61002158AF78E35F8BD617C9E7D33FA4128C31980A6D8631A009FEB0039B635D1030C200AB651C3701CEBE8F2CAABA57E452C0E8FE41FACFB398A2769AABCCB21AD2AA39DDB53EC706E796E7327E30FB4A631E6F2A35A8DCA86769BF6697F8490EC5980F3143EA2FB79FAA9A5F2AC7B5030170A4548AF817CD80C26E1B013BDECE9CBFC553464F1597077E3ED435804DCFF5FE05BD39E87B9B35D9F2810C32EEF8E30459566EA3CF380A7F9E1E2BD3E4843D06B018B55006FDB22EE1CCC0AE615917E8D17FB019F7419FEDB242F0676FF4815989821135073E5CF91DF42CC6C6F532D3BD8BE9118EA6E583D360F1F8C20600A740D9310A984AF3C82A48FBA84A84AFF42F2F1EC8C4115B5704704AC2073F2014BBEF1913FEF7862F514B198983BA63F4D38E81D822CFB548AF76F561EBAB987B208B11824481309B7AEDF0EF44376847162326193DCAA")); test_xof (&nettle_shake128, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("28E204A3450796BA182A339CEF54A3B224626681C51297A71C2BC0ADD56BF57C7653BADCC1438E3CF7156EF7ED4EA9A084F3041A8157E1FD2AEAD827A5E79257C1BF7E37D4FBC089422ACFBE116A2E3889614B8B01BDDCF63B66589061A690790357BC31C68014CE422060CAB07F2A254C83E1A7A9AC1A0807462E6DE48B194AE5FA0D6BBF39AD1835C86BB25F5C273CB266DD5167350904EA22F912343E261E38B298495B38019724A1EEC356ED016BDE8A81B3764A39D153A5691C196557E6FD50DC5E42B6E6376E388D9C14970B67E9910499D94F5839ED933246DAFB712A122043D7D5047F1B53923C14979244DFED3CB742C1BD30176985AE2F76B912A6A3AB059F2BDC49DA4EB6A9D3FC9CBA1DFB1ED0A4ACF46829D51FDA861B8DCD62424A6E4272A1BCF28AB878FA9709DB43D800E9E6E33F6D644B62EA30BF758E496BD152E41715E6AADD766F1FC6BB95DBF19F497729BB30B29FDC4BC4F5502396969CF6957BE8FA7F17A4F04A6FDE71264B0F1B40EFFDFD560868056DAA10A6CCE695AA8A815E43121C971E4C4A3FC5E6EB27170D4539F3A37A4665F179CC6C804DBFB199814FB2D5121FBF93A472DE6F4D1DB176CED29F254F228538B065F8494ADCDC3D1117B33A1A51EB1AC3F6D7C8315E5A674703827C0C506977D1CD68873B4F18D9A03CA54F74D7F82900A27E8863CE13E92E0EAA86C2CD5BC99121F1D0")); test_xof (&nettle_shake128, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("FE3145A2E9E54B8888C1FB87A70402EB4600B0A2D636DFB23F869583900544F602B9DC325B6A9E8C0A9192602EB5EE581E3B0BE65E918DBBB49EF017F174C3AEB12C20D13D20C3370E1CFC19634899833A91375631713DB2954A8E33CA839EE5F12703C814A63496BB438195D89AF5CDE1F22ED8AF340B72B6FD95660BB304568AF54F162D47CC3783806274F967835038858719A4E3115E76690B4E848FD6ACEC695B3174C7BBED140DB8FCC2187FC0585F4E975FA5EF3907588E415638F1487E6244F3A773F8E2B3D9C23B4154509F87564BC76FD437C718BFDEDBDAD24E3393A851EB30A82A641D3B144E3D9D223B1E92813DE477DAA28BC9CB621F8B3D06B4A3E3F9A52EFD9095365976144325269160F7B859EC570A14DD43057BF4AB3CD2ECF13E921FB8212F4379C59B332FA1817360747F58A63E0F635FA52C59E31962951AAA64264DD3F26ECA0AF7C423C0D3DCA624A4D33C383BA0F4E04630D74A40F760349116D6CC1A8BA17F228D7BF24AF707D130D13AC825DB8E6ED4B97B4AA589230CE9A471DECBB2DBAC9F68269030ADD24C712F1C2CE7E6DBD330DEB3249F7AF42E31E717666236DE7299283063D3DD6CC88D0096359A1E83795844714BCC9D88DA6FBA06D1156114C62FFB5D9A58274AE471D544D7E9701ECDAB9B63B2EC4FEEB07126F8C1CF8BCAE823E7BB18A9566627CF95E6D8AF7BE94275932629")); test_xof (&nettle_shake128, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("4A021C69D45ECF926FE7592AC05951D86FACB97509B459D0459CDA7DCF2B084B91C8550A9F2A92C490C270CA90C41018C4F205E5A33B1584FB54BB1F163A3BE83DF0C721235E24D4410F73B2680C0835B840DB4C4244C1F85598C2B3A50A896F40C8FD249E99588A8AE1FD6D706A394541B942EC543343FB377854141A35BD35F10983543B17FC5C30B31F86C48F601506C21EA462420C5992F5B5DD12AE33CDD99BDD92667D4BC87410B1456929350D06C91A558A2A17964C3EAF7BDF67F743AF6ADAAA92766F36655A9496263B38F26A7F1DADB95B6A5B63F3FF9E0081F61D0351EE557199851596E5D221EE891CBA27349B4BA671EAE59473FF0C30F0DAA2F9706977C79746C8C1B70AA1397DF9F692DC4D1182EB479C98343DE7BC11D940DBB778AE8A75FF09D3BA328A032122318C021BF07AC179BEF0EE42FDE3D8A64FA0453057B1B2FF6804AC6719F6823270647E142BE5D338B1458F8CC7AD7637942AD4F0FCAB36EA6FF768273362B8EF001D50C4E5BDBE74F48DD91854A92FF02872C0963A2C2C52D0156E58BA1DF0B7FD9A178DE79CBCDEDC20CA2A226551C86835AE9ECAE09FFF19AEB6B114F7CC602065CBF6A6A740874FBD6662A3EE1D407337B935C4975D269DB7C54C453AC4674B9CFF128DC20C62CC86B9D14259E06315EAC81923D415E1F35BCCF48F48BF655E6B87F8A0B55A21AC760BDB828BA351DF")); test_xof (&nettle_shake128, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("2D008F8ED51C6A86910C30ECAF2B6441262D7CC66E54B39B9AABCEECAF2E96A0B5F1CBA234F45242BD8F96A57BAA98CAD302814C95E067CF8F47B2A4E6FB6BCC5C70A7A750F754824E9F970E4C54D43CF8F4E0D433B931DF2B6BEB10FE5B28F2A6B5CCE24D0C6B414DC8E3C064BD3B26BA82E4464B34C3735E935EC3B7AA36E6AF002A0AAADE986B0A15AF0E9F1AC5B8CDF3E9022CB6D2BE9CF5B30AC8E2BB5E766F528802FCAB3C3C3405F25367FEEFC12F1C7D99717F2EA62D7001B4845793B288DD9E777270608FE40586605AF8C9FF52D0FE4111E8DA8C315958694ABE386C85A86AAF2038DF6281D8CD73E201973704D314DFF7A5C3B4D6543A34C6FFC561195CB3B782C1ACC2793BA6A75974126BD3E4188FAA0E69B255336366DED52D809D6F70DAF11BA57B604DDC8359C1E5D9E8F2863EDFE71935BA18A4D373E4ACB73CCA7887B0F3A84B2BFBB5340AFB87BEAB7E3708484BB4EA2E17CFF49DAB7236BD83DD11B2761AF3E7E58452E9BAFE5C665ABC543F41D98C6478465BB67C6D9ADFFDEFECB1ADC2E22B97504590D07FC112E03D1E221CD860928D13995FF1DB025927B2B7EDB434DF01F1692AB329D07A1C6947E64258E53A8082EA6945E1FE21ACBCC1475054A0A9493ACF37E5B607C79A54C985E70A99041F3EB3D5511390A1F81FC845C9E29FC39F12D019A0DE262FA9426C123EC8C2C733ADB2217DEAAB")); test_xof (&nettle_shake128, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("7A46B367BAA023EE1922A3408B145DABC97A55EBC78CFFF95FD8D6206E5C10EFC9CBE3644A49C200097BA79F68B08193C6914E016DAB98361705D27B8B046F087DF7DD998C02BC80BB173772843645C4F93080B0EA657EB0902AFDDB28963BFC845ADAFF3A431705C74D92346BD678EE699FC12E9B06E0C0E08785A419CBC944E770CCBF89203FAF5D3B629D541BD51EAFA5857F585537CA60ECE26E09D6B9D05166360417B5259DFCBDDC5B6FA5B653423FE052E98387C97AED7DFAC41274D9BD912BDD661A02CB80CAAE1BD1704320BA54ACCA5EC6854D4F83E938F8535EF287AD26F9D47D047C74FF6E4EC338222BC7A1E346ECB50A72572D3F7A9621DD0574A9A109979992F18690750D035A65B29F0387FE78E91948B8EA8EA31A074FA405AC30D44FA3CF16BEC6D44B5C5791DC2376BD1C192175058C4CA5B1E0D989D866D9E076E8252AA53C5B89D7AAFE5B753705020DD7F79C93D31F768ADE1F54496B62F6D7B126A2558E4B2A3B7DFF1F046F9FDC7BB2902389E1C0FA49E00F4E892D75FBB5A18B22F863B7D57A8F1895B13AC99042B8BE114308B730ADCC2B8E5C2E6DB1C7DF35CC9E8160DF55BED2C9083A2BF79C8F141E44D48AB49DA6A77D7AB22F4E8A6401C9A600657C4E3D66700F452219BE1B5008344FD3B6E76D10445853C2814D7EAF753F57A70E0644C94A2E3D21478ED44D6C5D568E68231AA180BB")); test_xof (&nettle_shake128, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("224E3495D98A8729F88069BC2578F98F76EE3D73B1309F75357EF595D217E4D851BEEF015DC7BB03F9B8C80AD1B132AF1B99F42459527FB67ABE4B5EB3DBECB90E679454903BFB51E9ACE93A4784722B2D0453F3400632A86870A427DF2AAF93081AF99CFB012807766C440A010E6EA068C2BFE388F26D95BDB1947BDF1E364D252C81835AB7083AE5CDFC12EEE193016E5BC5A90C2529419DF2C0E14F8FD900D4B9519705221C70DB7178B81817B0BECACCEE975B396E63383F03FC8097CE6EE9A612D53EBC572738B17442C8C5F2D8E7C67073B6FE241E6DD00D356641552EED0D1C32A09A34223F1D3E0305A38675EE066B63155BC2B7851E0F51967DF90AAC3ED7F88B1EDBDF123D02C2F4BA23FD2F1DA2CFC2410CAD5188975BB5465F502B33A4F41D7B2DBF63B71085DDEEEEB6B9BD0C9F89F4424F55DDA4804E86E2B983130B46403FDE7B70C5006FEA04CF3350FD6124C735613DCEC7696FC3F75CEB8238D09D1B440E759AFA129788A91C43FF7423F05C6E9132F644458CE8369DD714CA9E4841DFBB29B942475058837FFBF1F59706915EBC473868A718F2887AAC888D2C7FECFC1F8E5CFDB5D3B2C71CF1CE400A0CAB18982BAA41B84415A0A49A25E18A8F4575B46A544F1079431E5F07915B92D8BA512340F2E43B689DEE6118786A2410D58CE5EF6E8446EE49CCD2A50557D32FD1E9E0954A4373545DA250CC")); test_xof (&nettle_shake128, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("CB85425A1CC6A4FA6D8593BD03206867737F8D749D2BD7135ADE0D7A1F216FB92AC5C4897CE355835490699A0F715A2357100CB8932BEFADAD55C0B5D90C909F0272F16BEEE79CA7F7F1002F711BFA3BDE142FA6D5C908E8F5923291E0D48495E50DE065CFF609A24AAF17491D228E5AB226E21E790C13F8917C1284BE0434C8B2B2A3CC672D484A25A47820390FC50F2736FAF26E65E09DB68F52A9A65280789017F1336250D41C0DF4C93AF9E94036E598E6F06494068F4A59813D1396B00E65E179572FBEC6D30DDAFB3A898CC244E1B0E82043C1470B7602D0A65E455D297770265F72D82D584657316E52CAF4C8BA8CB4E3ECD82433DBDCE526EBC60217529CF03548CB114D7208B93726B5556E4DCBF2764712144024510AF30265FD4FB13E38BA677B34D69409F91F6F44DF602C9F84362767D1E1B587054FF7CAB98A3CD4BCD2319278F0144DA884306660DADE52096A10928C5AF800819E3D890DBCDBA7CDF1BFA4D992074D60CD6BA33C98CE2D9D849D60EDA8307B0F509AE78215BA900D5A571B3EAB6DF1575D7D2B8CAC2F03C4B552E5247AAFE2349F5EEB0AAA56627EB4D5C33C92D8B1FE5D591FD25828A5114C0F8B3B6E799BB69ADCFD03566C7959D1DB21B6FEB79E02006D1920CA35CEADA75B22A0B8235E9C6182872377B56A762AC54A719D8AED8DBA18AD925FD21C77E84D92A75F3FEB8692144F7D28")); test_xof (&nettle_shake128, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("93BF13DCDDEF177EECFAC1D8731237CBF8CE4459ADFFC34289016A689E88E5B000553F08989EF2B007ACB4AC69EDEB6CE2E5A7F85C9D75F7656858A7B824472BB89C2D25701CCEF18E8707D2C3444A28AE245D337CB3DBD4E2000D7C44D474CCB34033AB203D9B1CA69816ACE4569771E1F7F66C7E482F81A332D8D16D0A4AB5142DF5742570ACD048C52E8BB777D68041A67E870946AEC83DB5464AE2863020A4126EC32E1D64B5B1A21425C66471C7FB6C5CACA4091A96ACE9BB25DFE5627562892149EF463ED60D03549CB9643E9BC7403B244A0E9A5A8A38FD785984661C926FD959117C229EBD357847F853768F632A0A2A0F1703AB5E130524A33F825731740AD0B08DF92F8FF6EE73C1E60A35DED2882675C6A7941DEFF0D934BC2BCE9005DFD49A9CEB0F08A27CC972A66232A068A93C2B4A143C57387C257218E850CDAEB93C474C8B5AEC355BBA3A4D0B09FA9F7F32534CAAA727120C2D937CEE1039DE63AA5AF5803F7A1BB2F203C87DAB85ACA2E68A88C9C7584C1444024109F9E02CB994CD7C89E87B976A6BF7D75E570D4A11D15640A4235667669BAFAD64CF940158BBA56184ABA70E6097EE4F2379727F7BFC5FF67595B3DBBB7EFBC13EA4AA9C1093EE2174B5F0304B10A089AD1980C8A64A9B4E29F68F2BCE9AB7D31AC30B9ECB5E009169413B64D661E7BC6D909396C25EE3E64DE744FF937F2498A361")); test_xof (&nettle_shake128, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("0DA9BF94215FDA7F85A36B7D31080F48FE09C92514A844E7F8E5A54E422997BE17E0EAD0C8CAF75A27B4D721F63DE3F4A9326E74081EC77A71DE52AA4E7DF346C7206C8ACECE21F739352B2EFD6446878075B585735471A189B32F41CF0C48C0E92BF492752792D05E324FDDBEAA786DECD3C0E24BE3CBFDF160F45CD87CF73E61C643E46772EF8C62DAAE119E0010FD84530025ECCE198B2B86FB6E8EE88F6C47F6B4710E5764F405E7856688EF030E5FB84B24B48292DF29260B918DD4FC54C325708B83A9E44AB92F67217B9EA0A488C9B45920B76A7644C38D36F9AE1A48F56284CC354BF35CB53F0E7A5745955E0E9A77400ECF97B0DEE9F4B32E8E7DBB100A1749762821AC0746CCAFEB49162B0115B4E3D26EB3B9FBF662CDCA1CEDAF5AD8933C7EC1CE6EBF154474FDECACE144F8B86E24B85C4FF0EC29736BB0B778AC071D2286EA20302C98B6883520D5B4BA22AFBEC4B6188FEFEEFBC487D147622B3E97DAB9319DCF6C7EFD3374FEC69D575BDAC70D400923234CC41435A803DDA6F1C1E91802F56D048B5147A1B9778FDCE25AFA4B0846D7D5FBD04614EA62263370B4CAA6E87E0B6D2BEFCA78E6A0B7E5A6B5E891F7BF4ACCB221359C98B3091C75FFD25805EC452F7251D8720AE51AC49620C6AD376F13A16A269942842FACD25C2F68A4B93A5A7CE9ED38C7285B2777AF32307D84A84CC5F937B7950689CF")); test_xof (&nettle_shake128, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("5BC15E410825D711C7219161491C5F068DC27D0B66B5A7F0AF4F86DBA7392037E886D236FFC9EA19511AA43FA27DD2C4B8026D074B3033D7184C95858DB5F237A84E93065F9AA4B40123AAF318356CABA01C20C97DF8ECF528F56B22A927C705F6DB6C2E64B60D36FADB2D867C0F5A515A2DC7DF26B151D700E43540B82A0CC2E105269EB6CABD3148871CCD3B2F36B101D051D60E28FA838C67E8F655B1532976E512DB752A2941DBF6FFBCFC0AFED99D379D4E86B8C32327F6105BB75D7669A2D69BD7A2C40DF3B13899377A29AD7D724574F545CD91A67659B3781B788B4E9EFB137BE1B3B8D93C491BC70581C241B184C915B651737A0B2A99B50E8786DF067CFE443879D4BF2EFA9970A2C214E538C2086AC7BC47DA706513BFCC4CBC6D5F387A9E3BAC080138F2D713C6C9AAD2E0CE7A938ADF4BFA3CF688CBE7E22FD5707EEF2D707E5004CF90DC880E3AF23A435A2682F9C117BEAEB8F5A57F521708EF7233BC6AD5750DF2272EC379142283BF5EF492240335740F43DD5042124C9B37E726438357472013ABE81ABE2C32E8E859E4D064C3C4220E5F0B5DC984EB1A8BBFD6DB41470174BFB8A1ED5DF559A65B1FF02CCFEF42DD546CFF79D34FEE13317BE00EABE8C6FF6D722D048EB757E7A38C65CA1A7B2418994D53CE8090122C94A934554D0BC3856E041D0A29F8539246924F7634B5265708208B4C59DCC084")); test_xof (&nettle_shake128, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("D289FC6490F9DFE3335FE9F43131ADE538280B78DC2E16822D5FCE70E0BB307FC497E1390E04108C66C682FD6EDC0B47450AC2FCA43C151982F2EDE9F82196CAB4381F873AC6E21085B2B64C21A1A5DC59C440ADF566159798D6773A09FC737B6CF1BFE0CD0C9B90346F1290DE5E6AECC1F464E1B3E522DF1A986D8AD7C2A42B1A6067A3448FCF9E4BBB2335A3E4276B330C421894BACC448DB09F72751D2EA50873A9DF900C775D5E36579DC26830C37851BF456085925185B91CCF9A35B36E5358C4CC4F1C807D285421192BE028CB7D5D3DB67AA11AB666382641ABDE3F1690490DE0D556B0A25016D5B7171AE26592B5C460E41296C01222D074B8C53A9F73AEC29C63E54EF0D68FA1E57C604A2F4302B7AF05B20D28E5722B0229EAB76FDCDB1D2F7E58EEBE4BFCC82B4E4B6D5E6FAEF0AC442B78B483622EBCD98EFA538527D4C0E72526D9CFD1F13E24613BE03A79CE2612B19D7C9B639D3C2BAD28E968E7859D224958C017637458526521C770DCAB61A84181CD0E92AA485AC2D3883070E8DB9FB5F06EB5E71D10C175E0D7EC69947D1FBFF8A857362383368F52C193EFC3DF83F5A9B6DDD53D736A3543D46388B2845632C00F0676715CE8C1AA3329515495EEAF860A9AFDC9630B06E9B5CEDCC7CB571179F35735D02D185D7B03EDA48D30FC86C239AA3580816F3AF360FE78E84364872C2CD9AC5EBA876AF94F")); test_xof (&nettle_shake128, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("B8C21DE1F120C5744352EB71EAEE81E9DE8A8CF6EE3E2394438013D9B1D7780803C28186E334A34B4CF17550AEFB58DE785E358D2AA6A61BD59BEB1B2F494CC9976D67085210D64FD1C8FFB0FE69814C2048D0937B17E79AC9CE6303562065D4C79438E87C7687B8B10AD1E8F9364EB9EF997B09B963C7A57FA9EAFED8571F5FF9B7981418AA8904FCC2267F3723FD67A427E7CD3D5EE6620BE53367ABA1BF9D2EE74C33BE1049356CD8A3B4AE481748872717394D6793A25CF02F95B6EE62EFD8E269841234F07041D5C3940C7BDFF37686B8E72C23342578FA0DB4DC21F4DC03D3539B851F5441B54BCD991322EF0FCC85C14DEF9BE72B8B4294EF34A6620854C291F91CA67152B48560683DF13F4DE00216180391AEA39BDD22D563E48CC622BDC72C990F795CC6CDC280BF917743A04854BBCAA2CF64128DE9C42E38B40107A97F71CD1B89DFEAF194674CDB35E036B45CAC35C45EB2ED6BD9F8ACB9402BE9E57ACC00E0AB6C5B32EEBB9867878C23F4275DC2A8754328DED15E206AE31B60BEEAF27F7E2A571C42994414355C28715621D39566FCAEBE6251EB5955FB8A9B1BF4D897A4931C5E7C29F27F28AB4D2B9950A81DABBA7EE63B679DF6E5C1DA4E23BB9529946E4F467A73EF02D1FF59D7141E6D59E14450B7A35BB4795EAEEE51545563BDF99BDB5DC0B17CC60FA04DFB3070930EE46577250FFA863528A498")); test_xof (&nettle_shake128, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("F1E1E702011F4A39197D769A6AF63160BED980DB70888266AFCB744A8FE41F1BD9A1B668B4A96A6C3C2FEA3EC1564592134854B26E31102D1B95F112118C959475AA6F2DFC300E389FD061FD6667DB36C32055901609EF59B3A8DE4F9BC05D52745C78E8D155738F30EB3A8E3B61B36AD34A6BF7C59B59C1F973B9F94C9ED61A746F85610B060E8BD04CC9691E7979EBDE5E9833AEEF21F9DCE96F61A21D2B8864F07FDCD6D3F2BB3DB29CECB6670E859A4962A5FE0179236BE7426E9C9B2A0B97D11B6C9E049ABAAB494513128471F88914E506C6A5006ED295F436410CD24B4CD1EC5AA0CA7A66E29DF6C362389C7A9B731E0720400C0923BD8C4A98A651B62AA8AADAA5FAD481E08A17A2B3F86AD23FF6303463DA6300B47483F7696962D33AF1DE2739C30346665F60C90FA35B74CC240D3831C01ED8CB91FA34A584DEA37846CF4A0B43B5D1C26597B2AA1C973A070F120F08C78A9FC8D524FEC1F10274F03A4A7E8E8C4C1FDB415A1AB18B4C1F07E1936F81FFE7F2A0A1A815E2F29334F1B1E8029E7E12A798187CCB20F6C1EAF91B14B61B2FE4C3852BC670295BCDAD418CA7FCF39C69FA9F9CE54AF17E695F1D614BCBD49FEE3935238CE59D9E378F3E596B34149149E14D9B81F0BB09C2DF8E6E632436EBD525BBDB657822940D25713B737A2DFDCDF0B4F6DD7920A8D1E69EAF7B764D0A469CC1CE6DEB70DDD69E")); test_xof (&nettle_shake128, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("98326BE2F713456EC96C941FA0B58E311C226474487F78734C8D0514AFDE43293116D6C33FA3EC687D1E9087572C68479AE1080FF8B2238C11AEA13D9A020A7B3FEEE56FC2FA69914489EE11B17CB9D3AF448525C3992232B58F2182AD27D93AB88B22DC94368D10B112AAAC096DCD8AB76250984EE4E4D3CCAB7FA3124F7B02D05111D97EF0CC52C5B8221383A6256C42762E546ACD6691DE9810FC2271D92834DA1992CF4031B98CD0919E01D35DDDC738D6A305C6E400049A97E14AFBF40822558832D23165CACAF16A514EFD6D207A95F97C330CA333C810C19AEFAE12F3AA267CC9FCAB0B73D2B7E5F3B007CD8055D0C4665C9C53FC818A53ECD9C0DA776EEB3904409ED63B337F755CC7783DA8CB713B51C720C2826711FF36D98723C8B00C4853EED1B3E2F8B8D74ECFAD079A49F37665DE5031F2FBF54DA6F1FB796913B9DCE2BA1206E4255F39C314A34AEEA01F1965C36CAF89A2F7FB9EAF7E9C97E2B70636ABF0ED00F59D1DDAD409AC33055E6F7517E962BC535EEDFCBAEC203F91FBD2B13C26A20F9C2236C55F4B506C7AEA579ED3A0204BC67002D158D80139379DC23DA06B0DEFEA079E8FC1D51976757E9A455719C45B8965959A2958E75B7E6DA966B86029D22FA50841494303AB6B16600324EF918AFF9DF161224F1A7F26B7DF364772724D4B1AFBA11B5C114563F9DA2604A2D1B60BCC3C116A5E9C58")); test_xof (&nettle_shake128, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("D539B406312A6A14A2CB8C2B2BCCB28B7C164DCA4BC34564E65B807F59809E0844FC897BBDA2FD7A0082BE317B8CD94C2B2DC8A625691D56AB21A2C854CC6952A4374CC34374AAAD9090326D493EAECC945848FC4653A15E2566A960CDEFF139508882B766A1ED60CD292C696CC75136A6DBC0BDA628ED1E16129A9025D715B7F83CE3A35F4EFC7178BDAD06FE6030E086D416775BE9DF9DB66A365F56129F7B25A8701502BD36CD439A4CC122DA4D78B1D832F5033123D9A9D72EDE2ED7D7815EB7A3EABBD21E2E507DE4EC4AEA0B40792337953DCD9D7BB952F710F8BBCD7E8CC1ACF3B7AB4EEA9C066D9D0D27AAD600405AB5DAAB1FE4551CDDEA659307B7ED1913BD8635AA409754A1860377E0453A63EE7C2C6CD1A33099A81240B92382572CAF3698C809237548002EAFCEA5BD042DB3A7506189E3FBB4DDA6DFB1C95BE136011FA127B0FA3A4A386DA3C327B072417BBC5346A5060D770933142B6CEEEE1021BC0DE076C2FC8ECF7A16A6CB752F39B8FA1EAD88A7D4364204BF613F5B108E2FB60854F801210180B9DC4757D145E715D4E2D79A7D4E8AA891977DFE08A92AA423A05D22B06C6A3D1EA5953214855BE7CBE9C2E62F2A7171BF014F3F077AD244FABF9C1584EE12DFCBEA4E4816C470AED4FCB900A5175C35189380829E92805E47969FF5A1C3B52FD850FB404BFE189866844E7B586DCDCBB236910011")); test_xof (&nettle_shake128, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("60565A24B70C76463CDC5397BD0C077B77CC70CF33128A0366A7C30161E21C32F2F024511A9605040D699E1410311EC3E8952938C91D73AD71803BE3F7AB60E2AAC7A91D62FC0729294BCBB031DDD5926F775FA85D25C85E1CBC349237F9D1E400E64C15A797C1651FBE5B8079D586BB751E1B765C36A40008C9C612A8A67C49A2D4C15001562D7F7197CE107AA7601E490FD3CEE738D397A5D9E1A9568385A243975B9AEF5E24C4235CB3612527B7ABB7DCFD22A124F9BF5E1E169F2F58512B8AB04F4953D40E6B1D4FFB920186E4C0751F5D8516F142C426F3893B6B4F45567461059968369B3D333B74F9A596E7585C6646AF458173500B052213EC6074890AF149A6554A92106868A64C3957F43C8730DFB3136040EC688ADFD0E79EA74E07F6A6418656343D24E446013ADD76058241F19F5CD42F256F8E98C7A5F7B9C4CE3F5D19CFAE69AF8DE868FFB5807DDE0C4A5DAC1409297C5B8AD27C1E1B8FFD570BC41F71F21AF7C9639BC6502511FF9D6CF63BFE2E8AE791B50527D79334CB87D9BCA919833D7123B8D77F96D07106BDB50A3C4B9860E5E1CDBFE4B49CD4063D0C4796BFF2FE1507F43CEE6CA6BD19038CD6B7118120C25EA0DD1BAD05018DF08DB67AF168880C284DAF7DD33A7BF18248BA7E79BF18B68C3E14664D0E1349D458CE7E128999CDA5EE706FD48FAD8D0489CA8C5718CF3D2C16563178AE3309")); test_xof (&nettle_shake128, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("7FD57AC85310E74667C025609A2CD37D12EB3FA49F9D9B9AA4568C1300C4B5FA69B6591F82D4C7C5B25EE6F4A6E2521090ACA1588D75B4F6BC1D58B106E825BA2409F84BE64AB520CF4513A7BFF52FA7A67A761B86E9D749FFC71532F202A2B619FF772EC25C00C269E7FF10EC38B93999DD8BC7B3DB40CBE870CBCEE6C0A6842A72F978BA9AF677CF4F055762ABB1C8DA60CF57E9352C48B0BDC0031FDE8A146B8D881DD4D0D05BD5D14B52C89ADB6A27CFDA2B3D7650EA650BB75D86748A722D7E3003E10E43D89AE21E9155231556B7335F576A922248EA2040DE648A0D49D8EB88DA240E586DEAAF9895CB2F35CDFE60E61D6643E5B38FBE40E82BCC8462FAC98F078DFEF5D42E1D562997EBBEAEF637FA8F65510E604E99933D92798CA05DFEE0E935910BE5086DBC8BA9493CE52CC49B85B062164F6BE8EBFB4F0C27641B65C397B92182A47D4E926C6D6947AAB598EA0D012EFC47556EC7F6407A2DFB3CBAE71237D968EFCF9192379384FD2DDA510BAD5B30F01852064938A17C38B6166170FE15F09F645CC740383715DC35C98F6E2738473D324C7C6F63E76124824554B0EA34120FACD2826C7F2A717D2817D871BABACF1F061CAC045EA61BED8D4AAAA1D41A277E50C09606B1786BE65E1ABEF10F6DC6D28EB8206D3E3B8A56FC83728291420ACBF606C34B2B3E852381EF31556FDAA341E05BEE90DC9AB7173D")); test_xof (&nettle_shake128, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("CC03A5BACC26E1580F37813E60005111261AE521159086C7A6C3087E238D2731A02BE233200FA54BDED93D6959DD03B71A1A4C7CCA20E9685406F70D722DFA1718B3A169BE6A8C5FA275EAC81667046A605AE8514BAC24F216358A27F036BB618951A1FF5AECA2F64FE1571CD01EC7139F86D370BCBA6A721520BC115330398F55691D7A212BE824F27AA10305523F7C11262D2EA2520D72AF1E34A887BBB4A8DF9966FDEA757351EB67DF1DF9F9DFD7D7892D3CFD1F0B8A3A16AD5055D5904DDD900E4A5F94941FA796E8F32A04E807EDE1958191D58551378A57087A62F48E3AE2852EC03654CB142D2B851C5995324D15927F3DAAAAB188DDB6665E08596B71D9C2B740A15F8E78F02C6A820C79C3223A98D79D225375F6375EC21A5216A9D01D0238FB456857E7D6611CADC2DF844D99C6380CF59E7BDC268CE91D733FE00EE99A50ACFBED98E6AC17DD8A377EE4AF9F318BAF14143AD4873422DC56AA6E4DFB6B0C312AB14F16105D8CBEB7F57DA85644005CA4294FC8667C1CC1FC78256562CD7AEA9779899F431FB581AD6CE91A46F003248A42BD286E9F4A0909DDE99E2FF674D4D5E71EDA126995DA15F9C00F11BA6691E3614CE6FFF05AAD6B7C63A72DA235E900698D09BA3787742EF61701EB25C3D70927272441709D2625B23FC97FBFEB1FC06D3693509424FF5DBF005023CE06D80D7956D1DC0030BAE8D0BC")); test_xof (&nettle_shake128, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("FDAED26927DC53F12F002A9C47467A4EB53D941B08106D6CD0BDFF6021B6AE116562D2255562F70BE884427A8B6D593E0CB7040ADDB87663E5F03981992435C2BAACE87C49CDABDA178D0663CF81E96C2EDFCB6D50D48ED128128F6F3B56E33BF33187BCCB5C2BCEB418DACD4C820EAF880B80E32F00B7105615CE305065716316221019A84CA2D29FA57565CEA5239484B8E9740AE07048BD0F75B50827C138979FC9671B4E684952DF9A681E0C7ED8101DF50620DEFD82132EC81F5073991E65E1DD72A52B596CDAFE6C5B6D9205533EF15D137A1FEEA7564C03E3A19E2B9F40600FF1A66A241737EF7FAA29EB83793BC40D1E48CDACF3936C499B572AEBF2DEF5086354DF7DFE682B9C281F4CF68405D0268168F5495913F930B6009357867398ACC5F951D55D854B0C42D2E2127CAC73AD0B75139111414F6D6A68E01CDB794EA6E524E45A62A82970D22168F37ED72575A513751368718AF490E28ACC47D2BB7D59F567DAAED80093929FAFC0EBA01F66D67DAC97A99886D0B11EC0C4C23A593BBF05F3F80A047A07C883063A9FB967CB9A796D18168D0A7F731132AADB3D105B1475C583BCD4B939015F460FEE9B6F23B0D3BB3E2E7B7C5615AC8EF7305567397EC4C1DE8EF5A05C2A14196AD00660DD0FD11838A707C0FAD38D343AD9D65056A4C3701490B3CA235063D7D21BF02FFB2E0DA3D9B9092E20DA716BF450")); test_xof (&nettle_shake128, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("F375FB504784706DCD5BC3A500BAE8DE6630009D865739A0B30C81C74E0379A59996410854FDFF996B46F9F30BEDD7DBA1C5801A68D1D3792119D7FEB29A648E08502CA04637AFB9427027D59E9DA235BAA4D602AB2FF257BB5FBA4AA79C9D285E99FC4314685181020C2E9C1CFB22D1E7B1ADD9C037A7F81B7E0135F9628CD67B8591271BC12D025322BC21E7BF4E91B049E291DA2828DE012384AA65E3CE26F98186828A3C144A095D82BBF5A325E41DC28A33828D9717BAED4BB8BC50116CF39C8EB6DF037E29ED6A32FC5039EC1704E199AFF83768E58F1858ED741DDDCF75E8B2621BBBE14420217CDAE7561C24213F76530204141EF5C7CE0A76C587C2223181F5F2DF58BA5D89EBD209C004F5A2155CBD896A17701B19D5CD5D555F2A964BFBEF27D22FB428DB161C0AB99D040AF196EFB7640EFC55B7CA8E1BAC86F4368F612EDB120E2A7CA084B9F5EF8DA0A11136C760DCF4426CA98F20514049BEE2F9E6F66AAFC4225CFBD4397BBBFBA872A47BE903EE0DBEBC7EF85A1395B14504C18A8B5BC5416739DAA543DFAD6B4B8A88BB87B388A6974AB90756E836DE528869EA2734E75D8AAD84EF1A60BD371190808436D5C7632A2F027C3CCFE8F3D94B0C262FB7AC99103B0688238BE68F26B8CF35876B6E214ED1973FB44B9C3F3DC7D7296BE8E150F82E80594E34A3E008EF40D9647EE26E1E4CFDD8DC673F2AC5")); test_xof (&nettle_shake128, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("98D27AC62145261BF2CDF99F8F77AC04697D2FE6F1531D3B1E113A7BEA4B9BE780394CDE5EC43EF820B0D39E20A287B29390A68091A8938EF5640437A0F09F5262BFB4C55F703D44E7E21EB69C27566B66BDC95A525B988BE281243DAC0CEF5E04195B318CDC96035205CCC556AD42B220FCB0E01516E66D8CA2D045AE0AF7FFF91119CD4C92E664FB339203E8C0B3766C78874DC85D48FE668BACE760A96F5D562FE4ACE97FB33C93F160057C0475EC440111C46777B0E2C95DF666EC753057596713FF452EE59DD7E1D4DC278238518E23C78E8882393B86427E8F6188D7A08D770B2D19E08CA672C89582431F30CF4A0CE89E87A635EC2E05765DA600115B704E35B787FA90AC545877EBC8A5616EB998380D4EA1C6B127844A422789B9B3A41DAEE940F75CF975B464736616D80D89387C171D919874F38453AF44ED16888212AC279D4890CBB5672254D76D5FB922412A2EEDA598087558B1E89528FB1EA285303ECF4843B18EDAF6130D1374273DEDE9EAAFD6E6F448547E96AA385235919600E4BFD04CC2BDD89E6860ADAC61E73E37C563709F3187439A305B9EA8DE8EB552A615712451D1DA495A8E02B9733AA1F7B78DE6C0F0CF6A379959EFBFA8A78CB6E93A758889D826D7E3DC741A10BFB55544993683B2383419D3F5BFBAB13EB1EA0575E528FCDD10FEDB0C0133C8E78FA0DDE413FD951262E0CC958D2850")); test_xof (&nettle_shake128, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("6095C8CAF02D995DAAC5F6CD94A33FE0CFC2743574B352FC35A056135D20BE12FA7826DD41BACCA18C90060C08C5BAC8B3E706622A2BC8AAD1FB6EF93259A5B8092540F68497F09E47476F9D94111B2FAFE27CB04DEEAFF43A435E2A5C0E44AAC6DC3104453896C9C702E8F59BB61A62ACF889174955BEAC0319FC897BF989C97307A997F4570F3544E5A003F22A7C5295705201F025EE7D6B5B278DEBA559FFB82F22AFF5DB6D534E6C50FC4E55FDAA0DCDF977178DB7AC2D98416A6E0F5AB5A49C29E414BC0AC0122D608A592C605E418EDCD083B26429BA0A1A53584EBFEB4FC005F144F04CEACC971C9EDD23950A1B7E6A4A9308C517FF80EBB1610F8E78D963E222BF148659BEF6B0C8BE1F466FE786128431A9950D3C70493D1CD72731D0A3C956E34F35339AEA578F614806DBAD3C02389643340DB162661003D2CF42F1C913A7FAB77EC3B9E8E3177DC0394305C21D6E9713F34516CEE321992E4BFCA4DB5DD03E240A7FDBC83826EFFF82E2B36BDA326D8FD0C858B00E02A83D0DF7216A475CDF0A37B0389095F501CF47C497E23F199D711991FE71DFB56D789F30C86D3BD17C8BDEF8A797BCFD3EBCD5E62CF99BA0403B79BBC8A0FCF4FA7C4E65B674A796AF85E7D09134FE214CE8355EE337FAF6F04660753C1A96D95964E587F72F0FA5BFF435778084EADB1807DC66772850152AEA381866202C8A38723121")); test_xof (&nettle_shake128, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("765A48E25EE43AC1630C65BF5138F5F792095E182483DE8887F0F56ABDFC0526A5B9EE792A2533409F3FCAD2B9CD43D7CFB5454194344169DEA3FC67CCB5B9969449454E18869E7CFD821ED0F3D655F5B33C528BED1778BD504B2C84BD38DBCBFBF5CAD7E46F37394622C4B065686773AC0171EF70717E8C6A887AD952343D02EE96B4129B3F189C631A719910F543540DE4AD65993B634AFCF313100771468C81B0E270769ABE2BD6603E525682AAF172CEDEADD12D9389B86DD6459DC490CB89A637F6E24C5819DFB51C817A3AC9837092D408C6816B57A4B0DCD0FD1C7AC49FC012BC9C22D16C779066A670252515938764F4E05FC57908FB67A3C6927B4639014AEA06EF91F8D43E507C48A567F36B94591EA1319D7F266722BC9AD6F5CB8196994F7DDEA570720EDD94E6C56D215D8290CF0227DE007B71E80B65301D53363D51C73303FDFE76A064BB1169862A02F541D782FC64C3DA45FDFE2FEFBEF8A9383690F1D6C695855387CC206B9E7266D6E6C9A2160074A962DE01FEBFABACC6E88CF7F724CB4B2F09862D63CFCCF1D880D956E7E5381F44568DE6BADA3923F2F09CAE80D25661B9431201C1918DF1E442F26710314D8B3F88E94502E6E9514C2EFEEC7A816E82517767BF7972D6329BB54AD1BF67842C449F54C8CFE2FFA312129995F17059F59E7AE05D21EA17F8E93C1FF4D9E2E71C9ECC9DD5512FD374")); test_xof (&nettle_shake128, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("270EE64E434D9CFA8A81B256AA86959D6D9E92B10325A1816776A309002E7C9346F21BFCBEFFB2FB31BF7214572A7F437E3450AF26743B418CDEA45AE28557078D8275E406864BCA916F178181CAA3396B8582B04148249102D761111507C48722506D0314A05767E89B3D9D5125A43A2B13EA8827CCECAECA6CBC864B8B7591B15BBE0BF1093CD15C5C14B4B3705E37CD97752CFCCA1C1A4340C02298B028A633CAB0E218525E94C3E150EEB8BA36C3AC4E8EAFA5ED05D9A79519CEE2A8B8EEA9D8EBAF54624ACB2BD593CBB353BD2F577CAB60508DAB081BD29200E9A9E9357978CC15F4B98A383C4A46594303143AD019D5BCB052504EFD2ECDABD1731DB02D6FA4AC9E1D3037B75B7A5CFF8702F8EDA7F2CE848A0B96EC2F7C62BDB1E23DEC39AF110A4E6C0597D61C8AEE900276FC7B1AB2F63BC9874A00C79705D87DE2135218EF233C8939671399A32C02DB4A6D779F7F933E7F7A467D236178E2137F1E5FF53A3E8FBBDD8D01B737EA95C762B4D4D65BDDF50C527E01DA1A322151757E0F10525196D3293E1443BC7282496F3DA971869DED47DDFB7BD99E799EE60FD3CC31BD4B3956DAF6D70F79D4A5E4348004F526D90CA47D7C3A9EB09074EEB00D799F14DE7AE5A4615D87496FAF2C60D1074C194E7CDDDC0765C7FE7C6FD419335189C2D584438D3879C50D43E6CB25D5776B4802819C5DEC7CB2197B334615")); test_xof (&nettle_shake128, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("652A6B87D0E770909BBAA2172F47CD05B7A07B57D9EC47396E9CCA40EDB76B99BAE0A8FAFA517D12ED62B5E95AD89560F3EACD241A2AF24BB1F02BDA6F0A5ACFA85F4F86CFF75BE9E7A57E0F182890C39ACB6DE889D24EA360DD5A4C59E54DCA7306AAE46768205C3440AD777A853DC8FE2D2EF2E6A5FDEF23BF514472B89405FE1B7342AA4FB448E0EED8A46B6F259073057571B03A4DF2EAF696838A51449A5F7DBE9644A9D092AC68B9A30034460C1891A389D06A2AC3165ECA91F203DED47B5192C8F6AA2E5FABDE178A012D94A8A35A1D446D08EDF55F4E4163C2BB9C46025D8253B3F062926D17F853728EFEFB10D69E6846BCE7E7A037996654E1C36C3A55404A1FA579A1D55FB95B30EB61EB14A29BFB54878C0D59A4209E1C746F7B2A2F2A28BB19A5F0342026BD807BB366363623BD68D4C9D9BB42D2AC67DF49DD3727F4D2AAB52A678F6F98816FC86BA0073F4AFA336A32CD55DAAFFF5D993926522D770AA44D62F6AFF7E758AD33DAE3C642318894C2DA99F43ADF2F97E53BA48657604259A8BAC4268933F1B97BD47FB30F95AD284F8345D6E013AEB9DC2478CE49CEB054555D25E36B13B322E51BF1C1E7C062E328AA440F87EE883C7760FE2F86B487BBA73163A13755E6CBA804F0EA6399E875BDB2966D427933D66D82C4D17FAF6CDFBCDA36F09621A3923B4EB93A27E44796CD1C1770835B83E89D28ED")); test_xof (&nettle_shake128, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("2716A3A219BD690B9B0450CC0BF4F0713C46C4C02744F8F71DE261B94159278566583D4DD04CD573E79C576C1F25834C91D3AF69F3A301AEFA516082869F3CEB0F916A903D902175EF29A0B29AEE92CAD8555A26E7CD0395BB937750246A8D5A722DCADE4F44459A15ECC29B207FD8FFB8510722D925627372D86528B9B513967B5BCBBB233B459AFB5AEACE48E5355C3E7A387F9DCC9A55773276D14C85B8EEBE3D211FA08CBDD8AAC4656F028FC16A6D6083A969BD6EB5247695D8F6DE51C036A743D2DB7480DEA41C228FFDFAF129BCF0D0D5F7644405FF8AF778AD9A63EB54F62E1517EA4CFAA92F2F25E5F001A562B6B4D28BFB398C26DF8E88C288AED5B7AFE8686AA4AAC77C032D21203FB7BA79707A7E00371F56FDFEB0E607252448CDA319C39447ECB7C69F36424D74E33D723AE53996B35E5554182015493AE03DAEC5C31B00D481CD430F4723677C7B33F6E325A855300E66DB559DDBCCD550DE02D797D6B28A1EE01FA13A62F721BCC577A6C3363A03ED976391E969379BA3BB6BBF99271F3E5DFADDDBF0BB32DB9ECD658F0DA2863FE8F48CE2A13539D8E8276C083C4CAB1AA9D92914ACB238C3EF0A5952E5686E39D2804DED740E0457F69FEE9489B7E548514FEB18FCE21F265DCD56F0081528A24FCA7595E96D31CAEF0969F56B122749C74FA108C41D34902828B22F814BF352A1B5B52E9C65F75F232E")); test_xof (&nettle_shake128, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("6995A90158EA5FD54F6D4DA0C129B92EA3E716E196DE4AC014CAF106EF4CABDFB9ED799545A0E53E32ABA2EA78A6C7CB936947F79817D200F32053E81D10131278CBCB903980E13125C99B1696F26D355882A107FA65FA43766C929485696D56D49D371643E9D360E25668B5B7BC7CDE13B678723FDC4598B60B6B19B47791BA99F4258ACD94604F26D5587EE8DFF613DD53E083CB2B0A202930D61435601A1D3CA8D97C198CC278967BA493B675D2F42CF4F41072B7A9403DF36E0E15B8811E37CE1119542C5168C95396653F72FC9E59727DE36B693CA58FE374AEE8DEFC657035FC874B7851EC0DEDE274BE064D258C0B39A238D2863BF8B7EBD0F7E2C3FB2A7EDA6800DAB2DEF61FA8F5E6891652796C2E9CF586BB0549F6F73B3374A4D7C6345FF73FBF99FB25CA47823A4B0470738AA67CD26D2EB954EF40A4121DFED58A1741EF335E8ADB32A588452774FF26B04EAE29EC1AC3BD83D2F3A27AF2A464D29589AA837890D7711CC0AF76ECD6142EEEF1C904C0CFBB287BABF951B8A10281A7CD1B49D766704350C7612A74606D2BB80DE11A37CA9AAA1CCB91F4AAC8D382A5A16E0CC7B426065F3AF566592C51B52BBBF007F4F4B7910DD0C7042406F61E5EFB6E04EAAC76E07A7E86C6E3A5706B833C52BDDF814E1261724F97DA9B7887399B7FDCFB14321D8A16683C1DC615EA8C738F0BF6076E05855F80D8DA43F0")); test_xof (&nettle_shake128, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("791C8B8021BEE5393FFAF003B9C429A5ABD2E35C5C7F556E843D735265C5B7807343EE946BFF31F45B5626555CFD792F55465AD9FF95647A41D9759DE484A0564492236FD770ED3F78C92514B90636CEEC76D3FC44A6CCA482BCF45D3B5BBCDBB1EEF6D5D6EABFD0FD10B0B4AEA88C5FA68182A8A9805B5E90B1767C9E79500237D07BE59C0F09A9AF2236AA954F9DDAADE492D691E36F3F4043F28BF0BA6349591700C4211185D99CB25553E2F6F405F9D8E00FB658BDF4A091CBC7092934A6DC6D65E42CC9042F90D169662F80D66386489D2E7F750251130E1529CD8BA70929252551B0617C960203EDE536CCA5EB0C5217E9E4756D7B57CCBE5087A4FB9710EE89FF62355203DF415975AD106D84DD5526B3EF3432770B163856B4D46F7315F1ED70055CBCC4C78C5C0CD4B19FCED545EA00F0E2E9752A227445DEC6D50B3D73ABD2D81C9AAC6B53E108DA04C42D491254AF39584068E34CE2F4026FB63C29A52B913E5D2FA42FF7ADF413227B784711A3513BEA6AAA97DC019A25A0F09EE27A46FEAC4EC13B43E341C505C308ADA1DB5D72E0609A0A68698C809067F2EF17434F3205E03BE67433C1D67072E8CAD0E2276723AE7D9F552DF19C142A68A7B875CD7A73FB586E128856A9259F7373242C498E621E7F16E7AF57F36953001925115806972ED2795B9A2F398676BF37F2EF8FD4325863D599E10FD84D8D77D1")); test_xof (&nettle_shake128, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("42AEF4301642ED54CB1FF9B446BFAB73CDFAC0320167CA3460A9AF1995B5DD50C1ADB402A55A3E5C4F7BE66BB2041F3E4C9EDDF7F08826F8B9C1163B0CE8B31769AA72AB4C598B3BB1CD5791A6BC30D11F0591D0EAAB34D80F134734D792BCC6EA61AA535F4F28331AA6E9A572D43F776341C971829C67C0E7D9321B09807965E1E9C70E611A4BBC3C42743A2D04F50804730C857F02E631C1B81DBD33D3EA2539F9AEECA9842B3C95FA1B8B1C330926FE5C6A396214537BD06B49B7951AF0F9AE04D158F364757A52AB1F21B4155895929480D87AB365A7950B321D5FD0C18FE3FF63B10D3CFD74AF45774500AD3FAD98DA5D240D613B386E677D57211B8781AEA7EF4052A25E122064BAE6DD59B00D533E6B041130B89778DB87F88DD37DEB78136B55A958744B9769612A0DC6D29B6C0EF863934302029C800B50AB385DE742D436809C7665B868C83DC450E438E94EA3124DC080355AE5931797E75DFACD09A7C97345608E021BD2034F7660ECD194F628A9868BC0DEF0231DA66AB89E2DF1EDA2C403203F971C1E61E4098FD306202B9F96C78CCC37EFAA7983C5D7712034328D1E65FBE96DB94B3BD88732E60ACE5EF946E896ABD4E1F6978700C12C4A8A372CA54B6F8EFB3402B898838A26D8900F69393E56D2ADDD2A0EA26E7F630BA6D19C46DE493C516277FC491F1FE273D013F4A32BDE43994B031EA51C2CC8F5")); test_xof (&nettle_shake128, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("5E0693E64DBE678055A31D80DA85A81A1BA5EB1CB6394B7B1AA2ADC2B8C1FEE4F41DFF3623502FCC349D4B2BEBBC1311EF291EF47F490C6FC1323075B519C87DBD77CB94C213EB548278A6C11B0C321C941FBEB9742B690A9777875D8A1FD0627B5CE3679A6DBCC8B53D775E73AC9F951749FC353EEE7220CAB40F4F7C2EEA311CD0B50974AF188EA9742509C4121FC07A70FC28F0633B56BABB451554BDF86396594B57B1F88DFA07DD4F8C47AB5FFBAD03DA1DA642EF4A6E75A952E8ACB3989136B8A792E6F33B24DA2CC4E422192EEBAF121561BD33A6D79DF6517B3F001E674F39BB98D9AA0E15226389B17655E7B2796D75EDE0430A0E7D07039B8E35642570F6457F8344A59DBDD5128F74F9AB83CD152DB17987019AA0B27B6E7951CEF67B574D05535CEB5EB023A39B5731B6AFE6CBB8BFEE0F71819D791C288BFE9EBE6706778FE62A80AEF22CB9C0920938502F30A20FB4A4822D0C0D42D50D67FA6A76EF919C985C6306FEA73A3BF41006F0FE60C0D92B80106D8C715B97E35E39FA8ECA59220B86C2C46B9C61EEBCE07DA4B64CAD247A67112F6548AA693BFC4BFC9AE78144571CBE7B81B83C8832938A71FD3AC6B8E4AECF17FD2848FD9558DC5DDB261CCAAF083AFFA341EA295C7264F35734F5179038AB70C90E03BF53E3FF438A9C0655EC38F5B9DAB7A4C3BA852A2A0593C80999818B460015C79093B1D6")); test_xof (&nettle_shake128, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("B620CEAA437E16A85BE761A8563AC80D9C49608DD0EBF9A4F049B9541623F4A3783C9E67B85820BA44A80F1AFE3FD835791D9F3C785BD8A77C9623EAF11F695675E3A2FB951D54050D0500688860BD270D3B723BE51579B81CF4ED94CEBC294A97BEEBB5A851160012514D3BAFEE6E275ADC7BCC64EB7879C32D8E0605241786DC3CC1BD44DB64BBB2E9C6E1FC581A5124A734625CD811B6BBE00B203319A736EEA07AF977190D777C12465E1614FCA56DB7154F9C456F59989062D60899D7CD7925DF1E1AC2EECD9B070F7E380B0775089F303B864D5CE049C55177E3421443B508EDEEDAC6307967A4321121EE2227C47E357FA92B741FAB390957CCD9337B42BC18E6981FD9EFC9241FDD24BAD0C6772216BCCCB92C2EACAB3A312CE020216DDC9175F3F86343E204E1A76573294DE6EC6BB75679379645FB973C37354323E15202415172D7F3D6A1060FCD35DC011B3B2FB4FAE21C69AD0119191BA4277ED6F71045FCD69F267E667DC4D219FA256BF35ABFA06A05738D212C42EAB91C2C993A5B6ADF9ADC0F276E79EC9EED6F115AF4BCAFBA9CEC43B0532038E863B2686996E997807ED67DE7F48C14B17D40CFCCEFD9A943CFD7C96FC665EABC70E606213DA37CD7EB6F942A6A5608305B8CD8B9BD4D625DE5D7DCCB554D3CE466D6EA8C1D9F111FA4E96B253EA11B4DEE3BE218C880844006D6401659C35C2A293DA2")); test_xof (&nettle_shake128, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("224D0DE7B21690B72A375907A10A4284E9E730A20CB3B4FE396CC6078D9DDA5D1A8E81934745361D8EED0B31B6276DB8F280104CC0E0FF4B36723CB302381A9BE703B0DE4C624A27996155599204DD2E219FF77008463BEB4461DE2DE3010A002FDB300C24B1A80C8DF311C80D174590043EC365FAC147A671DAAE41F38914E1E6614CB62C4DB154735363D7C7B7135096D7EDC6DBFF1DB407C0061C3135BA4577D5682E57007AD6E5B9ADC87DC27EAC3D03B3FECE4D9B4C2B2667E6D9311E342D037D58BF67CF38A4AB448AA4DB2C847E678F66AB45F0BD1B581AF6E881E63FC170F44FD0F8D87D6FB160A78097A4896BE055D0167007D9CBA610DA08C8C342E4BCDACEC6F0BBB30108F29A21947A9D842510E68FB175078B9064364046E544023CCAE9448C0727E8FD26330F26FA60EF891489B8CFAA623086372C09C0373C9FFD7E3648EA0F8DA7FA99D9F2D6617C0467F2F069F85ADEE5535100C519A528C690EE9192A888ACBC11BEFEA2B81E8FD380CB8679B6D80E37CBE3271AD1EF633204A8B97DA2E05565F8500DB9B1FD8032C69F57409251932CBDF046E0AB99896109F2EB1217351B242EAF3236139F20EEAC594750231186628453970F3C8452E454BE3D4D80E99503F350BE1EFF8778ED13F3D8828768E2F66E03C246B4FB59CC2CED5CDD266D320195A601C4E4928D84C62CDD8AE2EA357E4A8F34223FB18A")); test_xof (&nettle_shake128, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("78023C45DC98541F14C21DF4148A80ECD01F52EBEAECF7C28E9FE2B2C69B4B882805515064800089E6F18223A624155DE37EC8EC07E68E282204F3AC9BC33F8ED6DD98ED2FFD9EBBD0627B0EFC88F7BBCB7815795928766698DD530BD0AA461AD9499971FE935BFE38B6A84ED2D842572EEB97D7290ACE13C41899656BC30317A95EFAFE163494EB7E358FC31A39A20012A82F564813234D598EFDBA11EDD2B0F3A2554BF4FB216084772DF94E3D43E55F188BD8B8B5B297E406F2B8407FFDEDE7EDE9227ED6AD78E098147A658269C26CCC0F2988F06DE00651A7156407CAD75884EDDF56A755EDDD45030A4C43A82D55600D8FDAD155D13014CD27F827A30F6031E0173A2E8DA9A8FD9F7590ECA5F37747E5ABCC9C0A0EA589422BF9647F3FA9893BA3616C38C15ED6CF1F9EC2A64B616A3C5E6C5862FDEF36E2A44A911269F4ADE8F7B90272EAB51FDA36D9CD0B88DC8951088EB0D7D68BEBB332D22C4240F5DD354CC67650CFE4659D354742ADA6828A7CDFA82F77F1C846361087D14173775F44C8601A56774280D941F256A89EEB850056B38480972A6BC0D893A2105C584BCC3E963DF2DCA0B39B82823F5A4261FB9D4412ABABA7785FCA635A84BB757E1380531F5EF986F3A771E4948653178B240A32F8672B8B655F0BC832F853C206D2F6E73DBBDC2669DA67666947EE50CA82CCA023B5A3C485A9D21623D8A3D8")); test_xof (&nettle_shake128, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("31EDB63FA182A6DAADAE56C08BC794E74677457C69CB23EC82D2B8F74B8649F79754A8D9BD42BA3BDABE0C4A161F7464D2CD80972824E6A04BD9CECCA798C2E26937AFA93194246468D66BC8769A26088513962435D3DAD9B1DB5544E6A2050238A242397FF6E7419569AB3CE2EC14C54481D634F56D1F32D453AAEB23B2078502190C8D1CF54E467CFD51DCBC6E82F95197AD1F6CD301849B76CCDE540CFF8403D19ECB88DB81A45FC13629800D000FC5CFDF508014D4324FF6D2414535E5EF3418555B81AA3CCC74FFC80C6F4F170A3DDD304D1D5EFACF554164E0EA798572DBB3393F63A7B9C066AD68CF25AF0D36400E427A5DB9B3CE639BE2DB8EDAC6AB1EB2E362682D6B0ED0D2B84CB28B56F1AF4F4A9DF0FAF3447DE9A2841B49CB2AFF2423A2CF58930D0BE6331349511C26D6F07A0ABD32A54F70BFF5F43C599AAD00931EA7F28A85010ABE8C93F941B4B4931813796419FB41F3BD0A6203B14BBB288116736B3A31CB53FF26EBA377624C1A0A280B768DADAAC7AC69835D8C324234EB907B64053678F629784C6CF34E0AB5522D6E9326998AAF24D1C1C62B93652896CC6A9BD7DE4F4CE7F6D309AC957C2BB446E6BEB8B026537F7FCB7E45BA1083F1D690BCDA15B1487DEFBF59DCC1A5A6EDB3DFC783B4224702A7F6E466B4E48DA6C1ABDD918512783B6A7FB6446D32FB580FD292F2EBF8E3D0302545B8C163")); test_xof (&nettle_shake128, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("2611992C1226B5B402F19662FDF3D9C44D118B949C8AA1073B8BF8A5DAF30D9802DF7B1ECFE6A9A1E9DB9AADE3B308867397BD48B89EEAF36C3EBDC97B35EECC2C241941CE702A0AE96F02E881F82AE2842E1A7BA19D3390B2D4B5E2BF3883ECADC81AFEB6543DCE3857FAB5F926B1621D32AAA0B1BE10452A4E4D2229B0E50B478E28595E564122318ECA4DE680E354A745501A8A11AD263E22B5A69E2F70A3F53594540B2B9160C3057A32E633C616F6DBDF8D6EE19936CE8EBE8BB7BBC118D720EC88F3536FAD10FB623801C720D07365148672384BDC9039F0118C356CE20EEB8CE68E7C85A0E4BA3AC5BC7B21E6B567F13FA1D5A4DB953589913CF2424B7B3DEF3B234388B7327A4E737B590B9AB1EE126D949C630420A04C32EDCE22DA326236980734249CFAE18AC0FC2A253CE77D2813694FFC66B0E60D3AD245AB4ADD0BDB1CCA7E4228B73C18335558959A06BBDF24DA8095184B31CDE2F4DEAD983C9E29DB2D4A3C5C40C7775EA30A80CDCA44B4DB2783379074017FFB6F27E45B86F26CA42742DB1B11E11BC5B99D5642E482409AAFAB2BC833B31774A8AC578BFF32131D714B2F8DFE91F4DB4448C34E341D26FB64AE00E5E985F16A35857E44B9A846402858A192EDC0CEB7A6FBFA90F0EB6D743BDA4BB9C9E621D7433AE693CFCC991B71EEC3B03DF1FB03BDBA05A63B9BF17C3CAABD40808CBEA2DF0697C8")); test_xof (&nettle_shake128, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("6E722A099B2B47E38C69A0B967420FC5C1CA2926568BCE435E5F97D945B261C61483B45F517827DCA03FF3AE670883077D5625112ACA377E731364932767E5B3AE406ADC06283549D64FBF3EEAFBD79064420EDD544914FA479355F6BC6CD0A88269EB1B4C5E6E2F43F380BA5C1D343338FE73DA047E9AA9A06C4A14AA7096B5AE025759244A99A8FBE61B7E326841EDD3779A84591E9E44E810CC24870B42BCE705F06039FE93627B51DBB8163CF8D4AC0AD3983ECCD3A90A85C58AB222463323D5F786292DFFE07E607C100D2C830436AA1E4741ADC7A7439053045EE3538822CADFE37413EF7948B67F858951DF901A7E3D39EBAC040EAAF4C6277656EFF711034EE862DCC247672DD0BFF9B577286750083FEF332F630348119461CADC2089C332F9A0078D074CEBEE2E8B5B8A1A5B4818A53E9C99C330DA1682073A7631ACF1BF621C59AA45935FB82E634D2549FF405D36B23327C66F9B4C7E092B409228F8B0C95539C3A9D89FD7FF92D2F811055F6ED23CFD984445F7BE0B906F6A920EE0AF326F4F60D8B5987C736710796B33E58D2661AF11F8DDDDB12A12B196308F6493567904D49124DA69D291D73B104B5C99C002A6606718EAC2CA92F8A6BE6328A5DF6968DB53CA0DF2990B68F0A15A7F8B006BAFF2483A0F6D93281C62FE689F5856909CF3C56C5B16169482CD779A3137B6C702C7641B2EF2E9987F5497")); test_xof (&nettle_shake128, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("7B35855B74D677AB6DBDBBBEED8F8BED3B08DF15055606A7E7FE9F5E319BC70BD9DF00A8571ABB6E6C202461EA00A2D701DA5C3942975C48D78CE565689E36379EA603FB1C6C53B508E0952B892A5ABA6660980A38FBF7C91D43BDAD1F3EB20910BEB91502404B21D3C5283A0A88403C6AA47D9DD0A04A23DCEFCD3527E4E961782A0E585AAE6BC9B7E6ACDBBBFF9CC76F757887174CEE9CFA531C380467388FD2153BA8ACC2AF706F35667253216D3A1E623A747748FAD46AD65265E4530AB84D39D9988EB876853E976156900D9DE464CC2C57385F55242608C9E9C26B67683293B1F83181C60BD77549C576F2BEB8E54B3EC5BE2FEAC8CD340CF104B0A49D9FB484B538296B31E30E55F7A8421E5E16B91869214D2F7F4DC68736E09FF2981518FF83F24D51E5F9D9300938600EA6C007C9C98A392B2E63216DC1F07EF4D602F47C1F234B857D8650D23EDD344152EBB5DAA47BFF8E394931397AB2231DF1E22C566384112E8560E69EE422758E8A76E03D16770E5D417B6FB5C68D9CC93E16759987FE02BB8C99B8D368248A6893ADBEA888315D4AD251FC57FB1EABB2AB314B24ECD374F4566989038134788F344453714F05A81CCAEBE92C75200FD8A019E33A362722F222708C4F3894307D09A4B4D3666002A8EAF2D6CD19DB119A957D2B66B0C788241CB7702DDECB63142AA7CA5B028327CB51D72904F2D819B707")); test_xof (&nettle_shake128, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("5B31C72A95D9EA4AB6EBFB2B2501F14EC41223A010E123B68865DFB7061F8CC00F69BE86E56A376A377E9544860F44B543B48C8A56C6A25546AA7573C29DABA9B746A94EE82A33825047C019EEAD9E7A79D50362F649ACD1EF27DF8BDEAB02965AA0C0CE67312433E0511B19A5D213EF9720E688A80CBDC7BA1C50032701676BD4AAB79675F85F76B7458F3E6D723C62802B1892F0C2B45138142AD9EF329D771E6873BE098CB8C501C3732836EED9165B69AD40AE5A642D980C7BC843FA76B605FB68872DE523C591CE09F21976AB47FF64F773B5D7EB54366BC003FD6F75745C4B14EFBD1ACDFEC8439550681208543E469274A1FDDB16D4125A01E9107855149AEDDB7E21298DD8C309AB1C1BD506F2D377042F27FC275017B642456C93FC882E3CF44C1978307E7B9BBA16F612E28E99D2E18D2D85DDAA235FE65EE40D905A845768372DD621E6394AFA4C59378DB5FEEADEE6E342D004598779F08EB9A231BA0CCDA0A1C7D19AC741505F0D931C73F241D1999EEDE40AA53A8A47F629937D29D1A6D2AEF1807BE7C333DAA332B4C5551A7F37177F484740BE772EB03D04E82B2487AA65A2E4AD00F553060C6A9577D21A6C3B731D9D1659E54BF14CE4E4B7932250A8F3711FEB7D9997A5C554DBA364DD1F16AB4F34B37FCF5AFBA5B06BED58E6ACD232D69963AAED993F51A1C4A2347D8119D381686AB0942190680CCA")); test_xof (&nettle_shake128, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("D4D8F990ACBC762BF3BF4382EE78466D36AEE8E7D3597C8ACDAE9A6245020BA5D936E82C2C8D7F861186D428F3ABAC5E1F5F4FA25EA3FEB4FCB850ABB7F654167118574A730CEB1EA5D4A3EF579AC58169CD02DEFB896FB0E8C0797D9A326C1AA696EB1AE150EB2ECE9B49725FC6C285AF8DA2908EED93B6B01512B80E03BDC74E9A528843ACD2B9FDEB352230BC1BD9F0F94EB5C9356259530E8E0060E0EB0751EE2F5CFCC2890E0FB8E5512530EA0D6A7475AFD535C34BFD14EBC48A0268F3FA671E87EFFE404D63A03EE92759C6490ADDA245BC924D582209E7406905678CDDE5529F68DB56602D546D2E36F5417DB7D3ACBFDAAC622A65560611FF98A262558B304728CBD7BA748174C0EB2FAA8907E1056B4AF0F820B849BD9411129F4FCF0CCBAA3400C2B7B16A2126C53EF6CA35122F8A8B92549E6AB330C4436268080898AC9C03C27CEE9164EBB9C4B1E54D211B65284047F2C535D3F871FF50B81C437DAEBC09507A318C296F1FF48572E4BABEAF96082B177B4B80BDFC2F99FC5B5BD6983E0DEFB28C98F5EB2ED1D4B36641D3DDDED2D8268C10900284B8146359694F4D09F176EEB550B7629E6A936E0BCE2877C8525CF4983327227E13B119791D465F9FEBAAD25943ADE5631F1DAB35AEEB7312EA7B908D19F257015C1CF6BFAA29728437F7620CC9C0B00E79F684E4F4313375845B9B524B3842FA0DD1560B")); test_xof (&nettle_shake128, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("77A1157DFD30A79C34D64CC29B9712C9E1CA76CA5565D0861D337627C20A25D85AA061B876A850B43C5EA74946D03E35B6669336AA47C5859EBFF82333C03741BDB0930375C34275F2B2CAEB83CFD28965DA12F60A646EE52372773DE04613A3DDEE266E20E0AC047B09260E0B69F4F134B5AB8EEEE481F887087C0F8639CD32C19FA514A3114E938EC70E8E7E6CF40D11342775C0AEAAFD8F8B2DCC884CAA603BC8FFB7A282FA6291BB3AA37F37CF9707632879532CC93C6F5C46FA6D6235D7FAC64DD9104FAF484275CC635C3F732C30B155E22552D2BEC2967AF002683DF1286F98F25D916EA9972DC6D2C5AF1A1572BC5363023621A33C0FE41285148CA9BFEC731ACF75743C9C64B48BF98FA32B6D92BEFC777F6B29996319BDD632D56F1BCEA5C52DB9E72BC71D6CC4D1CE7876B02FD48E4EB1110D727AFBA35AFBF8C43E3445B650F06C91B90B12C3036EBBDAEB3D2193129B22E188469A3C2D469F24B530200A08E931B2E95891D966C7A50C2365A73D169D010FDCCB7F3A739D4A589A84780ECDD84BB34D54EE5CED2C729A04B27F9C82DEB329E491C7B462308C397BEEC649E4D76239A75BC8BF28B1A8CBB81F25F73E53E19B882F0855AB1E93D45F9293508C66C2211E978267686F5F54AE987D59D73DB8144834FDB2DF2D52631C7671ACA994A99B8009C98A4F847B71A29B3A0636670721AA58BAA5A11B6FE8")); test_xof (&nettle_shake128, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("4031B77C2A88AB9A31A357652B5EC18239EA42FEF5B390156D7A50A1C1D826A52297B169BC808725B00A671F83F856FC37AB8C48E5D12E277558896F19FDE5038C03A95A3762FF48DFAE4D644B904845DCBA1145084E6B7316FCB5742F31325308942FC31D7F465F6C4D686BE9788DE37FB57A6CBC67CCC39F09831ACB1B1D8010254E131FF7A05031F031E6375CFBED440BF0D66F7021A927AD249BD3C78E2596DCC4E4FFC58D0F7331BED5BCF249C8092832C17C701C65BDA1DC9C50894726B04661F5FB4FEB570D5D3773E33D2DCD957C171ED631E4AC5A8F42B3828F78BA032630596DD8B8462A2F25E502B25DA1747D80F96DAFFF366E787A340A0AF43AEB8D95D565B1BD8D7F8DB4FA4C76F5F8422E6C240339C3DFE8D4D13E1DB745D8212BCFE232AA5C519BECCF64B38085109753E2FE5014F9EAE6761D6D600EA05CF0AE6D4300C7670FA1849333BB739B43A7CE58998E4F834309E9505856ED020EB8205571D3FCBF3A9D316A4A8B6E3A397C0200977CA95E854AAE35A5581C88448966112FFC0128F6A7B5DE197019D830C619D70803B72D318D78FA067DBCAD646857FD8CA5B6FFBCD7E0E3D02B6D13EA02B9C346E0000C2488FCA6E8E868FDEE7891FA12B095860B11B7C5459465D09B6A7B388D9BF6EDB0B99486A8C949DCB2431CC8EF13870BB15956B17405DD1047B6D54CC74D0D4EDC3DF689E09D7381C2")); test_xof (&nettle_shake128, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("31B51A74B7392B14E2FD94E248E7FB7740536FB6E88CA508D019066C6CDF83BAF2162F4DD175BD7E78326F1A5D6BD3A9D9B5874C474C08612EDC3935EE24BD643A0A3ABEE5626C43E99BFC73EA434872AA22BEA87311AB71880096CE23085DCD489FBB2CEFA4CFBB06D12CEABD4B1D28611606CAE04EF71E7B37E881C2C1089E08268CE45E0D25AAF6843B45AA50F2BFCBF8FE291FB2745B770CBD758CB0A86C8FA439893D93B5667011A8EBF345FA5059F062DA72D0E5C3417BBD3C6ABFF924EB6BC74F6DD0B30BF48848117E7820AC9892EC18DFB1B567612627F9C2585342D165418D211CA7FA4A1AD6511D3B68539CF2DB2F6C3A4C1055785517E0528A6CFB006B54808D7F897B0386F7514897874C5A4A3A30D8D8A277A6A59710D0BA870DF52F2A0916AEDB0870963C205BF49C6A2251EA92E2F9B4A9B9DF98BBE752A5DC258E55A8B3854BF19873F1908E95B537DE470319CE3648BBA5A038D11C87B4FB9DFC9ECCA1BED391C0D48825B022132DB26FA3D17D60985D5D0611353F96B03C4B5831FB9BC0C411D1909393B54734B59B15EE26A1952438C886D61C5FAAD119EBE8576AA904F18FBE19C549ABD70F02B1BE98D343CE0082CB6005DB51A6A10AB5E50A89EE44F3502AB19D62C04637ACD5C49DE78F5A509674AE8EAE906693FD8110E0D750F61562D088E0B87DDAF96FC775CEB0F13800669BF2A00424E6ED")); test_xof (&nettle_shake128, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("3CC7FD2AA14A9DBA70ADA029992842231C54ECD7D14FA4687424FE1B54A58C7DF8A1E9C87569B695CDA9B2A27548398440C77A5A66BA94217DC24854462FAAC1CAA8D171E610B6D280668BFBC87C8EE2160E148A6EEA29DC04A57FFC139089AD5EA85F89EED89212EC7439530767563137A4C028A5FB28C1AC53B3696282560E15C1585E51B799273709CC5A1C1A93C774BDB19C4E336CDFDB696A39EF6A8ED8EEAE92C5660718A7E90C691C84A56BFFF85DA418C9DF7A913352FA53D8635F9FF4644B8EF03892FFFFC937BCEE4B9D66154964623DB90BAB15EB783EB14888411CFE2EA417A373BEB4BE6CA5771F6FC0EA8266D56275F139EB3A90C3915AD6355287E06FFCE64D84FD8B0E06BAD9DFAF7F7EBC17CD7ED316977AB481AC47253E2508D349993FED324FBF97067AD19C255275D7EE2E119FC0F4490C62EDDA700C27B5088D57A7223729A64AC1A418071F4365C61F898A350CB9B82F59562847016A40E72F862E10398FDCCA0B86FA1F92D17F35A07C46B3ED570738D231DF3B80B0C2261ED932822D811970509D7C664D20BFD597543B3FF61D6CE3B6CCF924ECAB5FDD9D0B0DEB0444E62D950CB6A688BF470C53930B44FF4FC9B4DC7903E97BF29C5373582DDD79C115F66D31F839D7BBD34808539025AE3DA3FFD56778160E18F8FCDBF6744431D42CAF155028E96CE1096F856E805D7435AB1DA522708411")); test_xof (&nettle_shake128, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("4144315DAE1FA8FA09E41ED69B72FB8FC64A62F8133EB9C4BD53D6CA7C3475048AFE1D0BC778672D715ED01C5532B393888BDDBDC4D43DFD82FBDE560A80329D03AB5F4D62358E65D36EAE4094880E810D022529A8945AC9BE8255CAC708FC435310A7741825257BABD70E84BE8A0099CA66754C135476340F1438237D7C227C31353D3878E67A1856868C665CF049E16FAB2FA6A2316053712C3EE808762920FC814B3F336FF8C9846CB43422458F743ACC398F922EEA476823CCE9AABA48D159C55BDCE636D231F18F49C9B70794FBF1DBC4F71D87B917EC9D1AD5545A4471592883D63F91CFAF7E64805F82411E715BB61CD96EAF2AAF6A22C14790FC76310FACF3C2FB78B34D3CFF50BB3F3A19227A18A91E7A6D3CD38D5281CDA2CEBE333C7EFF4D357C55889109D5E0B762471C565E1AAD50839D0298EAB2723EB4E9D1BE73FBFE507189E5F20C54F256084E5EBC04CC622B080EF52C38329F301F8F97FFF2A7D8249E2EFCA30BF77A8A3B9630CB5AF5E9A34318B94E17BD8248EDABDEBFDC37E3476155434D32B7A7905786487BA232786C290BDD790AC255BD100EFAE4BE59FA6B1674C651E8EB9FD2ADC4BF5BE6A763408DC558825B3A22BF141FA45E6DF862959F9F47A91BDE715AFA65099573F1062333FFED43870CECFAA423FD2211F82389BD80F0F033B4FA12964448846E55AE2BA46AC9E7422C228D75A1BD")); test_xof (&nettle_shake128, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("95597492CD331A89C013D6179031DDAA08A90FA825C5A77BB5E27E32EE7EB1F02EA0D348B5372EEF60A45A84B84D45C18695270FCFC07F3EC95E00A2FFE901E5C9EE3DAD600273AF0D73FFECFAF141C3B63F3FAEA90633917E260857CD1C4ED198FBD4753E82A42128F2525764B5A40A66E1623B81804BD3F17622598BF39FCA57D8C8D0E2E2EC45A4EF13A2B6B0ACD6E6878BA5BAEED796E3B3498385AD7E88576EA08E148698BE845B3D7483371B43FA9B35D785A0028BA84B0C8FD81122935DC09869E065D47D95287D3CB4346D8BCA8BF5D4DCA3BEDB1AAD70EA3B5ACD48C5C02FED30B4706C104DC159EA96971E8F44248501BB782DDC201569622C1F98E893F820D149164F9C465C41A998FFB561CFCD7B3E327F78961636192D6158DA80A7987533C01C2DD380912C1ACF14330B85E93CE05F2238AD0C1A05995B631ABC9CFBE70ACA565E9A1CDD424D3F8DDFEDDC0D3D3360CA917B30D7216A85A14BB13E8DA29228E57AECF1906B084C72236B91D669A312F01A4B7787C4DECEE4F63CA276F63766EDD2E46555C328D538581E86F2E3D74F5592C1016396082ED06ADF8DF9EA53B5E0C020AC75B636A828CCAFFC064657A657F24E62107D772AFB24A5EDDFDAA4EAF2B99341AFFAA1651010E15F6F4E41A67C1EA2101BF5A61C491D5A88577C1FA3BE0A0E0781C53BA9F9BB85DA59C5D0F3B2AAC31F45C9CA283928")); test_xof (&nettle_shake128, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("E7814E78CF280CD8D0B27B311476F21D6185ABF37FDFE2851143EC3425F12DCCCC0FAA95B2E6F8ECE8C4156124C9DFBFFA77624E5A4A9553F11675844C3AF0E816CEFCC3EEA430D7C730CF135FF6A34E542E50F25FCBDBF3A051F39CB028F20B8D6F85221B7DCDE00D7E45B78529638508AB2E6BB8D885752CA6C97455E61564C2FFAC68E5892BDEDFBADFCC88018A92B599807583E9B8BAD62306948FE52B397CF88D20D440898075E3674FD09469D1FDBBB2350751F21E48BE74F2B04E7A148286FD25A90995B5A95716D67AB566B78394746DA84326B83CFF482F82DF9B8CBDF3D92992D0F05275D37AF3FCD4CE211A9480DAD745B6CBC4789C9015AE23D1C3A25D067C9A9F7E611AD05B8D44940AD622C48730282789A839AF93D0735725CBEE9DC4231E8773B6DAD31178053014F11421AD0ABCBF32B1E6386691759D58EF7E2A6E2BBCC11B5E62CED89C4BE975FDA74ABE9395DFFD9E8C102A5142933252D94B0266FF776E9224985F3F2C96F7BEED03BA881B99479862F8B7DFA96AE0B2D2A97F773164E1B473A0C671ECCCEA64DC67F3A53A21E51B794AFC4531AE4F41898E250C80622E123B27FA28EB7F07D4B4FE63D75866FBDD730B54A9297697F541FB429084AD43DC69CCE73C6C17253C481A002AD7EE11FE077554A4BB45ACA4E9D8B8C8E8407866C011B749C3DBA372C2966AA0C20F43C86C01EA74BE5BFF")); test_xof (&nettle_shake128, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("50F678CE2970C84EA11DBDAF399535A692DF95267340A394616760BA82BAD865F920932DCE65D0F10B5AF1B378F76BBE05CD8C8E16E5720E527326FBF375A5F08AFF54C4554282058636C69B6010330C1DEFBA22F175BBFE434B6430C24C06F034F6BAC59D1063A4DB1FB4243162F368385C5083A93A7E693009BAB0F3D8F24AB45F3D20E9582D1E9D0AF578BFC8C9A0F09A92E4D76643EBA46E71AB177307EDBB2DC46139DED52FAD1459A41114EE88F439DDD064600402E237835797B4BE67EFCECFAC28D9F3F8B8CC773147400526202984C0CC2CC6616AD2EF5E0FC16509372F9EFE63D66CD41C61AE88928411054953BD95813E520E02ABBB52BC49CEF99CF09BC3C83DCFECF2F6F4768ECCCC8639752A28531C0A4038284C174B34978850B02E45D7810C4FEB224E3DE0C89CE69B06DFEE9CE2ABE8AFB209E29194ACB6C526EAC490D5A9518D5A7E1C1A7CF734C92579D162F2862EBE0722E2DCE53DFFE84A52A459B9C1D0A677A41B0F1A945AB597EBD8544AFDB1AF97CC1E3027EC287DF62EA1E81E91CF4325D202DDAB62E09E6094FAB327CDCFE2BA6F760C2FF7D7992A3FB675C07F77DB5BAD69056BBD3A50A0A24DF64A73ABC3CE3C1F131E7E6C76F0FB207F6D6DB54C8D128F2C8B670350602D7B0A52153452CC92EE4F185F4570405E54CB95647758A31B8434EBCEFDCBF00A43857A58F6506CF8B7AAFF3B4B")); test_xof (&nettle_shake128, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("C860CD3E9223E1CB941E130F9F71C376EE3A9B89DA339C61D90FF2B48D1F285FC48A4B6D87C199989D3CFFCE4FD84699FE385C7CA018D4F31F00E41216412932A833794AF207132EA430B07201EED784C2FBAF9506957FB9F7E18EB9FDB06F051419BCC7D67ACDB93A9F78529D9B5344AE3C4FCCFFC406350847E228BE20C93B22760BA43977451B3740BE9E3B283C86959CF062B69D5BCCA35BA5362EF0B2ECFDAE225CFEEAC473E420EA1AB7CA03D4F4A82F6C32FFF843712B78476ACC46E4B88F280E3612D5AE2FDB94FC26D5C40812B0E9577DD995FD4F5282E180C37A02D6140FC88EBF5972739D591F13AEAB894F240ED4BE309DAA4F3B0E2D536F3DEF87BA53A881794B80EFEEF855BD35026EE9D8492C90208C313288CDE719A111BBBDC3BB56AA218ED1B466E6E01728DA23950F821016F313A69665D43BF2C619884D20E83D6202ACBF85BF86D271A1633F32372B067BE55570CCC2C7600B0CEA6133FFC787B743F3D2346564A2D598049D92F9C4160873AC7E03143BC3AC5366EE6C4621C25AAC1E0AE4EFF6A35ADD223A61DD044593629C082603847BF2B7F07A4115DC1C87AF0F7854563EB18FFA8E24EE09E299738FFD4F1E79019FCE4E4582B063EC1F36442B085F82FFB99D409B4F692A8EBE9AACF2589306204FE0F168373476393783874525FB808C2B90F1FC5D7A368C90AAB7AE46E21FEAB48D667A5A")); test_xof (&nettle_shake128, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("97AFED51EA7CE6D0082A0EF242C37FD626DB617DAEC0C967076D8E63E4861DB3AE1308F19EF4B9F0B7246AA0E255E7535B5C70B341BE15EA4537CD1F0235C0F9E60C2168C2B04FDB3DD871460E0BBF1E3193D04E171E0A24BECE6517CB04A0B020AD042F28680ED42EE01D4A05C3892B0654C961743591722054CCB0756341B54643817802B3E05D70D71E339E487206EC34765F5C0D2346135070F50D28B8AFD91EA2E88FB9DBC1A932FEEB781F13FE5E047F7F43F51464B9D28CEB8B19BF34F03C1C9D1DC77A8FE475B349251E7AE0AD171C1FC81B862F7F73302F7B48337EDC72D39C59785C5572929A6E4F947632B41ECB4EE9BC5E69CBB746E2512986D3A23C7F455FBE5F1891C7101BFD3AA738C5C84BC194753D9671B8F3EEE5A35399615537121713DC85D23E0A7B47B55DE82C8109DB1E0CA96C471F366318E5FD9671D6468A36BE694635F65249D65B9AB9A6E6A5361E35350CD258B8DD145A3B68DCC900673BD1A13369163E5B5D3BC524849F73C68F01C7C8B88C9643341D225E13DACA45C62D9B5693E2E04163F96454A52B4BAF64DFE2293E438E511854A99682059BAD034712FA3E99384244F83AEF74B96848D338CCF439BB073552137E903767117959A2D841A157F468E597522515BC43B121B257B698234D19280C4F41EB865882E4ABFB4571DFCB2DEC5A30CF7D6E867F8B5E0880DADFF8DA337230EB")); test_xof (&nettle_shake128, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("1A895365874A70F2304878B1334BAA09EF898A0607F3243410EF04B14A8490C193A18FC2FC0AF0655E219956A8DD3C7055DA00345CB411AF9167CB9BDAB8939D1565647EB251B7459045184BB050F3700CEB6285114509C8167DFC122B33CD3DF761F37A3573A75F5C16AA2376B3270A26522869157A3BF26C4D30A9C1D7B4E7490FC9FC5A4EEAC331996B16574A27C32659D0AF52E0E50F0C221342BBFE2AC04455B659B814CB888DBBC90DC3A899FDC538AE8E8FEE2FB085FBDB79830392084FA1761A49619018F5EBFEC31BE185F0945F4CF9F5A21AAC1DD3F1F3C7B9FA05069264F6368EE4D3BE24ADD6CE5B70E328DFFE08043587C39213DD66A6890FFAD586F9B13CF08DE44834278E04DA2F91DE05257E0AFC44B5BA9BFF15CC6F7EE306482704DE0FB80B93ADE6537358B252D050BEF48B9A246CA75D62CEE920272B9C4B06FD39FDA8DAD4D1C3B01ACC5D507299D44DDD034D21802E1FAC9E02A7C7CDB00F64FC7794A253B1BDC042C35416EC64A3392FDB954D63BDE0C1BD7E08CFC655BCD02E27537EE61FAE64C0187CCADC045F91F3BFB1758F224AA8768981617F20C889A390B59588E366648BB3A8680B3431A4D0596FC5B5F95C4184BF361B7A2CBEEB424FD08A98B322C37F703A73FA874946CF430A4F068BB1D16898DA8F9BB04C03AB3F068A36EACE3E2227E7E92BB189B1A4A14C9430EF5833214A62EA")); test_xof (&nettle_shake128, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("97FC612935AA839179BD26673524AEABC59FA66AD4F719106826D62D56EE0201965D4659877928087D079948D4B3FFE6CB55BB212E802807A0B9DCE7C6CA2CA07C357943891A5ABE2DDA248B8F703236FCE8EDE40EC6609DAF6E012791C53E10B0000EF3B8DF19082A3EAF5C0C0B524816B66BB7B08CB6B65207D0D7C84432AF10A552DF425FCB2FA965728EF2B974FB59065EEBB105719D2534A58435651D743C91FA1953255F777CF6F92D3345AB9AF11BEF3ABC00FC46DC4EEA0557DF7B683FE58CA3887311224567880C7FB5FFDD5B24B3B8EE66E63FA09202D3133768AC2A4933C923159D651D616791A1A2BDE91EA53736EA6B4A097BEE70F0EF943DD246184EFAEA018B9DEE2C4FADB93E7A93E40273B5938647A6A10D31A0354DEC08A03937C9E5AC71F52DB0F50F6D066169C03E883476EF512ECBE2D109D5015A1BF660EA842436060ACCA32E846612E8FD799EEF914E1EE2093BB2E30257BF432D5DAA8AF87625B07C3C6327768F0867AF0B80DCE96888FE27203BA076E5B8B90ACB51D2AE442B424D6651E8BB7B36BD770C3059CAF189AA6CC8575F16B58241FB0B7454E089949FD3AA8B347E0A76D2C5BE54A60D9DA4BE789656FCD7BD5ABB9851EC7B72AD4BE53D9D2D771EA11644A9AEB6061D74293866CB112D89E93BA0CDB02390AA66F5CEC4F9651E306876FB5100F8EAE6ADCBFB87BCE433983768D2CB")); test_xof (&nettle_shake128, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("531D6B06BEFF0AF847CBF3484D1DC52B2E7799D3C5C384B25858603BE71B0C57AC073A330B816BBEE8164116424AC5AF8E5B44E875E9A6FF54C54E4030CF51215552D53FDF24FA63E95590D4B11A86E305AAB52A62F7F8B62FE3365D239B53B540ADC34303D5FFDE35B702844D05B3CC804365BC38C76F92F1EF81660FC8E8BA535EC58D2CBC4B0EFA6D840F537740675A1EC1619A8956BA91D3B91D2417C4D151AFF2CF54880B0F7B8CE36A432FC44B30312FE9817BE795F07C8E521A183930EC5422079B915FE6ACE193B7F59928A2F85605D257FFC3FAB1762CBAACE675FE130CD4FC90138AE5303332DB73C0649459C4F8E0C44291AA61EB3D5982E77E1DD1EA3646C2557E62DC13938E805DA7AE0CD2B3EFCFF6E6E61A8F2793E94665AA13456453282C7DB7ECCF7C52BD5BCD1A7A8D0FEC0A5D69DC71FB78E8FF08C7AD7420C0CA52C80E274D9BC623531E375FE41436B4062EFC72154657536391B91D43CEC7EF9B19B901183B70866EA2C4416021A339B827D23626380D72AA8A3D66BD4E119B2D254EA426F1B40CC564DB0605E015773907DD964471710E7EB3435C6CC7951BE6AD4207F40485693F57ECB41D6774A840E495CA1DCDBE1F112F61F8E135F1245FB09059DDAE40250862C79BEFC5432B50B8B8A4CE0804A3127697BDF3331D3CADEA1D459F565E0F2AC133234160F8111766D31A89C64351817AE4A3")); test_xof (&nettle_shake128, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("4F56F2BAADD2B624F6643C1DBB5ED95F05FBD0550C3E5829472734BE3B4064529CC3DCB3F886C65F074539D3F1B13215256AF4952784FADDF00E184211DB2EC238A5EBDE55DAFA606B0AF6D108791F63121865B6D064CE12E446C0B719A856B1647DC4BA13614505D9B3A91417537E0B110D086750325AC8A1964B8A36BAB91BAA1141DCE862167A1EE4DAA01DA6B3EC875AF9636268CD995DD980DFB6476C0BCBDD8430462AA56BFBEA69130DD43640E23DDC4D9B469A521A533DCA9E8A197130C3A9503393E958A77CDBF9F93FCA6921283C96EE38C7EE92C7F0781AE962C68A07014D6C623A3338A1A19216925A432A9971E7F6366ADB701EFC4D4404E02DF452F9A6B9AECE18AA61C56CAB2582409E4E741B0CE17C6FF881E3F509F536F8F681268E71AEA6376767F5D49DF3239C65775199B68C84389D1D4A426AC10D42046FD6AEE02D4E0F48BA2EFCECF83130792996801E64B81797214A2EDA5B2296550A13E38E7DAF36F9F2A7B89C1DD0A95590E2B77415C3A35B9EEB89BE993333551D52835FE36D91D2F205F626FC03CC4F9386E4D815F6B8B128A9C13AF40386538AFD481650EF886D3DDB7B0772252B73E9F44D7822CC99455FE118C6D1003FE24F304B83E6C76419527F1CEC5E5CA57F7911554D1515A026E573D9D4BF5FF7536475AD14BDB8490CE353E1EDFCB038DBC2819D4EDF325D6C3479F2C3B02E67")); test_xof (&nettle_shake128, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("F153AFF7498C363D04FF8BEB191E394852B79F54681E8D03F04B31BC037102BFCD4E7D709A387A89C7DD124FC0192B586F7AD7755C36A8D5DFCB6DD855671298006EF379D2CBBD12CC5C05186717A3985594F19FB4AC62C673CEC6D374114270EC32E8C0946C3034AEACCFC38B745D758791842995BEDB09A4778BCD504A961CFDE3208728B57D246ABBC99DC632A2396AA5B3497D4F1F94FB2C90A5A1F51DFCFFAABA610C747CE10E5EF2ACC9AB03383C8B8DC73517E4D32FA7118BFF599A83F937358F7407B4EA4771D5C504311DCCEBC1262B464415ECA2E3662CA7DFCCFE38157F15B36682221F65B6F65877726072B9A30C0028DBDFD14C7842D99657778C339A5248AEDA1DFA8B9ED56B79F107CB3E690D56A3DCD5DB03C47E46D29C433BEA894D1386133A78E8EB83C2E6BC2E7593CC3AE4D2C0BDA573BCB16E7C44732A370FDE3AF4DC452D029F44DBE0F539811DDEE2CAFA9DAF752169FEC82EEC4F35093237F0ED1CA6CE62A1221AFC870020B0CA219D03E5ACFEF2592DF5916FEA97154E62485A38EFA4DF203EE808B12692064C609F29EA0C6960569E102122AC74E99A992F37C1A090A9927DEAB998303E47487E2910760A6D604A73C78D66213A5D2C28C91528340B2D6371A391C3330FDFAA70C5D109A209152D21B63CF616C9C78621EFBCF52064DA08D90510EBFBD957E28053EFD0B78F28DAD025A72127")); test_xof (&nettle_shake128, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("D44138D25419FDCEBB743314D267D3AB2839CD302EDB06DE0EFEB5B837F19D7CCBE8A1F22922437FC4EB591BB23EE25AF00BC1BB3FC6F43D524D5B8447AFA47D966440F620D45C3CE7B482FCCD768E436AEEE5C25E9CF4C3FD814949B61B40A54CA867825BA2A55E6C3E778FF5CDED4346530BBB8D1685A3300E995291B06AE05AEBAE336C37ABDE854E57180A79BF5BE46F6C879B11FFA6573717AC168AC16CBFBBF5C46F81A4EBE14F0A0FAEE8D09D8664D26C327721D25E551676A00492442E3F73E4B748943B188ED3E10A22C54C16BDC78AB1FA8A50D6D46EB057DC0FB048EA4FBEE4E5A1A653131855A03DB2FCC39F698D14D28FD9C361818267E222ABCA88EB0326F4672DC1305AF072E0B75674596A616401DF9A53D44D53FA529A7C28CE7D5A71C97880725D51A58A065136034DC3D706F13648A68AB4665AF00D5D0FA0FF44D1D1A4EBC44B3A13D273848A3BB558BBCB599300728B7FCC6FE16C5A6948BB09FD1B8185BC6863C1D9F5FFF7F0A82EDFF0CE04ECF004587AD52AFDED64E4E094B3BC15A3F7511620958FCFAA69E869E85DAF7DDCFF6CEA52C1631ED6418C822380FEFDBEC1255911829E780F99DAA9C6F4D729A91F28EF1D3DFC505971593663710F82BB95FCFD1BFD5C3CBF916AFDBD7CB89FBFE586982D0BB7E78D031EBE310606557F83A87FB1070B6839499E4D360E2D36607450C720AB8A72F5")); test_xof (&nettle_shake128, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("D03ED7399E6FC424AF6C4F08715B409BA54237CFBCC4B27A2D97811F1CFAF8FE8A1E72B72C9C0C04587D89D9D3B46487EDA3AC473DC325E2477FFD14F37DA4AE638A2B14E103E2AC9E2F94A8BE49B28DB4144E2EF8A673412B214EE502FB517C480123289DE425543A51910BCB3B52E9B0A5F25BAA700A3DE0782D4BB409938E7BDA9B9A31D1ADE69571E4F1835E7A89C41F35606B9FD7DD513200C3CDAAA0B25B6B2BAEA99B79380D33A21678BF7FD80B2B714E894E61321E559645047F68597244AB611FBA697A079634412B64E2AC53EC230859EC86300B4544239BBF88558CDD48BF183FF1026636A1A28B512704C60E805CAB7E1F8534BCEBB1D40EABB8B98877BCA3A98375F2C305803637B75E77EFFDDA79991F059F697910453D2E986C9E6450A6115BA82506376222FE56DA466FA8740707116F50F27911BA028A633E30A4F83558EF664B63B6890B766E46875A6AB2FEAF64C3587A3F3872D179E826D2E8C6079F159C8A54F36CB770025E7628E936B2BCED01B339E13EEDF21CF01B783731875BBF199227B9A87E5DD4EFA361B86BEE1198B54626D105FF05B293308A7DA89398F50B736D04113F38E3EB803BAF06F049D207E1B6E3C919139BA6A94EF97649151327B2649F7AE1CE88D42CCEE07D826B34943CC5D240C20D084391EA0F3AC7DFA5772BFC3DD37443C14682ACB0B127C66C284F341D5BADCFC381")); test_xof (&nettle_shake128, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("5C28103BE52C28589EC6B8EA53EB4769AA91CFB8A8F5875A6201BE4F03FC9A1CAA8E582A11FFC6C9FD4CBA3F5E3F21549514CBF8470568DFA2ECE224181B865E224F8F07CAA4A0891DCA60EEED7CCFD23A62731892A1EF32D515165BCC4885997ADD88F59D0124B53E14677F8C4FFF979E9998A76E7A3041D3FB0EE9FE528D08C80481B8E3EB77189AA29E64497269F88894DBF7141F21175132ECCC4E56BFE70CD2AAC208A6A0898A474470A5961324E16821A78AFC25FDB7CF1684295C5036C95DD52478BD2FDA24A733FC7E08BFFCA82387327E69BB63F8E769B423CDAFA965734B666C489044C23617594B309AFB2F262BEBF447A87F41E3824972FFFD9F4A0D06B4BDCE742123C6FC7B85939DD8F837ABF2990C6DEF398DF2B44E40E3C25A6D9E4987B1BD636FC276CB0000095CF441BA3FA274F1F95AB321DE9A5A9BCF219449EAB4E91EDFD058674A4E8CC5F8C0831969DE0C17D0EEC98DF883619FA1DF794F2D09372A7EF20BB06427125B6C0849EB80238855CDD3CAC4C4968601D053D7E972785AFF96D5483ABA9D55E3695655FFE879D27FF6CFEF0328764D87F786F6BC74CD40B48C50BD1428BCE5AA96A477EA02B70D17333FF176F2E70B6EB7BDEBDBD0750414E5F32BC521F381F1827214F4D5746A40558064D49E5484D54442F7414BF25DD469181D524462AB73B9D31A729DBFB06DA0615FBFE49869D98D")); test_xof (&nettle_shake128, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("0AA13616E9EE0C4C35FE2B921118C67145B8458E6179431E8145DA829A2EFD5B8831B067409487FF6C865B8CD69695FBB2B1C4AE1FCB014540B842F5FB3EA40DCF7C16FF295B2271215F5367FDEA93C17B530C472B6200362ABF8D81F3840738EEA11961F7262C163F5BAE5FED2ED42A936CE1A1917DF2360DDF4DECDAE45E1522400F37D55687CD334B47FB8B55464AB7CFF75E9DC0CE51D60B43BC2D468F1DD5BF489B690C7DCFCF6E75301C24BA534047739FE592E8637107CCCE1B3D2E4BC037AAB54B3F8DFE57B9580CAB38A983EC5DE9184AF589D939FB7F6EDC886790D1CA4C780F82437EEFE261EE4737545EB7379FF09B644936F8EC9775E9F118A1958E7E4687C205424E4A31C08BA819F6827654EED2451F6A2242F81AAB3A9AEDFA71437E5AC288BBAC9505B07E302BCDB109FDC9E2B753432AC6502A3FAF9EC54BFDA1CE399561410B62C4FF8FD922A1BFBA071348ED9F1B242DF772BBA66A76C0C1CB209CCF7828051F0A85BA54D10B4DB0D71E37A77ABDD510EA1FF02EC72BA6BEB54523DE49167BF01594D0C49020CEA7809BCC89A6BECF9A6C655D9D1F06C2CB1D2D15128FBEC2FC388DC39AEDE65029954735285463E2684226A10770358156C98300FA70FBE2C200DBC0D60F3194BCE21BCA23AA6554D56503C56E8D4A4B246348A8DAE6FD1150CB6663C113B3F15FE8DF8066C9BF3979CBB3DBCA43A4")); test_xof (&nettle_shake128, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("E27B1C3BA27DC48F20B9605C4FFFE0F610FF909B482D213C34B49F0FCB04A927F0B1C4D2C6AB6C9BBC6E7DB696F7E41FA1875D08A65E21D0459170E4BC955E7E596AA01C8F52127E858687E53F17691AD1B1AEF7BBE75D09613281CF96E86EF93850AB4277A54B45DE3663A906B55BCEB2528A55CA6E17094E5D0D63F3294D8BF4DF2DA524296CFCEAEC6F1063A7BFA92B300A1C4BA7E2CEA76EC4C7FE9531E7D9205BEB4E2B5FEE32CC0881401C573A88BA9D29B5F5A5CAF044B0A7931BD605073B19D50F82D822ACDF1A6674CBBA6C88362BAF769F4220D731F3E8DBE707B12D44208E646A441FE742290E9FF783744B0F5627CEE1B91DE431DFDCD7AEDCCDBE04EEAD6DC6EF9E9C50131FE37B6707EDF8A021B3D9BCB0F62AB331F43C80B49F3DD5AD47CD3956A2B45A510FEC358BD211B2FBF06B6DCEB82A3190BD0AB28C7CAFCFBA4432102CA3067201533D64D44DCE8A632C204CCAC68B248F0FDCD54BEB300E32CA76F03413B4401BA4721863577860C892252DB31774EBED6BF8418EF0A12508BBB15B41DC0F2EE5A890915ADB2D0F6E28ED207EE8B6536015B763A60A1A96C9945AEB4616613A0EBA3B87C02FB1DA1F9AA169EF4A5CCD967E811BF83D2728B88BB5CF2A5FEC6020137C668EE4F21EAE6D2759F054AB1559F9241EE2B65CF36A907720A7DCCE655FAFB5E534EAD32A4745A947BA6C4B20240DD1FC40")); test_xof (&nettle_shake128, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("B0FC5EAC13AD8A3CC49B96E1D9FA96CE4658EFACC7394DE19AA7A28CCBDE37CF1201DEA78B4C2F127D397AB5EDB08A505F72C70B61678AE081E139F761DBD5741DF0CDD04D5A9015C0A65975E7DB09D9999FB77324366EF22BB63F2776F9A783A263CE31583D0860F3B91A6620312ACA03EAC2C38BA62C9C9FA0B060A4F8CC0FCDCAE1D414323F2D649A8E9F808FB02DBF926DA2FD36C64ECCC04909E2308D2C0367A069DD64E2DFDFED7A5A941D2B84C5B6A69956D43843C9B7F14A0636036444870B1B9329B38285A1054A1019B6E01DB1C66A39EF9B20EC4E51580EF546E885B99C0E3EA1CD724F8BCF56D1D00D1AA3B8D9B487964E773330B3F84577DA7CE9385D37A8F503456897F8BE8DFA9A60D129E538AE0CA2F6BBF851F1E56CD3F14864EE0B119A1BAC4181C667EBB6C464AB76A6B72681758C70422207E6F62EE438ED6FA467408CA04E48C53350FB11282E89D41A35EFB31C80B18BBF4E28CEE577798B9726A270245F35FAA53DA25DCB9E445A842D843DA21F197F36D6B43E83C3617B2AC92AA937697D5589564D0FB4C225857B6CEF6EAD6F193AAD457A5F5F7EFD7FD88B1AC34B00F4788C4A549474A852403EFCFB151D941C949BE41151A7130D54730F615E638DAE243EAAB7648A028CCD05A542054E66B3D5507D78117734180D7656D77677A2C61040DC7AE56819489C0D106B798B9C549046251163A4")); test_xof (&nettle_shake128, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("7B6BFD2981CC29669A120D28930CC39BA577D26BE4A822499FD5D36C7BE1528DBA41F2A60C0F1832AAE0EDCC384B5552013BE17E1C81C326CCE1FFF5E32B24985A2E2121B072902BD2FC6CE05476ACBF2D2719128AB1C35F93EF82290A56542A044B295A26C85E4BAF8B8544816F0BAC4753D405C9CE02AFEE0B312B5EC8AD12A07BD3D177F4BC7AFEF6E092D23C7D445F8B21DB59C9A6E819AF9AFDE919AB550E1A6640967D296D3DF3D987B6E62CF781A65BA41177ADB60B7CA83F57C5FFEA1D1D96BF9EB2914CCD73162A8B61B85211D010AFB8AFEDE8EA96473B080E98EB7A2F000485BFE6E1E7E6E2DDC1901E77C60DB3A65C2F5E57AE72B0CA4BAB6E2EC40F62F33E865F04598F66FE14039FE03C5DF379319413440A31782C2FE4092B0B701E4B792EE449FA452C023FA79EAC7A11A458B497213E7FACAD5D5ED475E71FABB4D9F6A2C2613A8D4DF3F574B5C2A884645B6D5FEFCB355FF18DB8ABD8A85F2BC531EFBEB96F24E204733E9EE3F0ED2ACDAF99713ADF32DCA518D5D86659F25EFB8EC5E5D82E64460094B88DB621962F76C9F12E739A5061ADB812043B9BD01FE9B4E549BEE9E304940DC7F05D45ACEDD417B9B37F214411F75B427E2E9CE14B6DCA4FAB0BC893001CB7A0529C1421E5B721A9BF9031D164C6C6192FB38C229C852474CBADD6924CC8A401662DB173D7FC9FC0028C905574802EA77820CD")); test_xof (&nettle_shake128, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("6D3173F315362F961F2728C60EFFD5EC721D68EB7D2E11C1973A84A19060EB5E64DD8FAC20C76A89D811CE260D7020EA9F7ECC78EB3DC91171CBBD0818B31C4D717274DC164EC5AF48BD1916B0440B4BEA6E4D482329C17AA557DCB4DBAD69AD74BE1560EFB043B78301B3B1D42E9C2B096CF5D8138811DEE6FF3753055C77FB2C490BF79E2F7C48D492E59B5D74798A1095D9BD03EF74CD171E615DD3845499A546BF69AD263C1B845B05B5B3CB32351CE01EB10B918D192D1605802A6607EC5DE09824790B5750685A8C679B54789BEC0D6FABF80E5438F9BED0DA8DC5773FB21C4CF231E1163B30D676A68BA04F7C6BFE5AAA2807A52A84E1D12855EBFB2BDF44C34AD846293D71E3B05D17C1D4102D5C7775F30D13F8290C89DFF886B1D126834516FD3ACC848B988ED4C4F046B39CA0BF2F17A0876B5EA782160DEBF5A2709BD38FC0F6BF3D1E286B7A34A59AFDF4B7559AEB2330D94576BC10BF5D1247EEB12B45516C2287D6738080569FE9179B83A27F007073428C7316AC974DBD98E137E771FC7F4ED1B779C3C6774A2A36A5CABAF10CCC742D9190A3278A33D6AF490278796EA76D8706B99561390E06E90396C4CAF101AF1D86748171D07B5794FA831ACC94A2452769C83203B2F845AF987C81BBD02AA91A1CA481ABB0B25991C0E61836ADE076F25DD1852A032A223B3D8D12CD544ED0A2F97D735A0E1AA9AC")); test_xof (&nettle_shake128, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("07CD8E0F1916D265A748A8EACBC81B045D004FA104FAA1E3752B9AF131367FF0CA7F63DB46480B67C405EC16EB2922E60667018B9ABD91FCE022AE9B0FAA249444B12223CB43750A42B1F9166F54836C7866BEE31ACC681B521D61EEA57C2E84A8F8CB9826E20AD2B14377B313225B50A1B49AFF085F89AAE22D3BEAED142C585316615281D88C5482E9F7E23770DA82F27D2511E30DD1958C903EF7AF6B2077252C7701D474F8DA4149AB45D80B6CE9EC1CF08877B6AB13CED7FDE405A1DED59F856068D3619AEA92789E8E31BE67DBC2F402FDDEC3E3E505FBAA396BCB6DFC5861E497EF576FE4015EF743BC4D5936F8A5247B7667A321614539BD4DFBFD79F3BC90E6CCE084E8AA6C9ADC17C2E1704E4E2EB879DB4D6A7A6621C972EE54CE582F3403C76BF3FE60ADF14D21D6438146EC92673B4D277825F1BA515C86345CC280FD66A006A387488BCD537C5B0325B21BB69E629763259884E9C3202A16ACB5234CAF9882ABC9B0935466F0C7104A04981F75488EEDCACA9EF55F03E3323FD4086E19043DB1F7ED7F9AFAFC968B7313FE6705673CC31387935F92C26AF140D2AABC7BB76F976ECB2A6F6DD1D0E65DD997F8648B7BB9F1C9ACEBFE1988E9514F8770DA4DF0B5EF397E58470C656898667A2E0218C70CEABCCE94025C3914C91BC1BC76E82B1C17A7B938E92A57E953CB80AB15726776382C74DBDB5FAEEA56")); test_xof (&nettle_shake128, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("16CAA902C04424D5FBA44B3ADDA34326EEFF62D6354E3EF5200DC07A0325B2004CFBC3C972A453FA32BBD68AF381F78FD768158194ADAF9B10A2A95D9EA9E8D0266C5D3271BB7B59226C8EAA9F15F9ED324AC91FD88B9A23F50EAF0F17D8582E8476E8806F31B58ACC36EBAB6B856CE1738704753A7ED31F822BE83E4E08F2A3F3DD52D4BDF8090DAD90A015E9184A3202974897D525F23A4EAFD1A565B76411D8B78DF548AD2BEE3830FAAA3E8ADD2DBDE479236AD2DF12841622877EB4EE895A0AF9799DD727ED96ACEAD478C8F4B9AEDDFE7FA3879529C60026BA0A7966799B372B922B4CFF3F6213C5D73C0D778CC4B9CE67013D905870B12CB3E2326223F57FDDA8DA32F3700E855FDF3DA47BCA440B219A925258D6B38625AD1408AB303855E3734067ED188FE122C5C279710E8EDF954CE4F43F692DA7EDDD3B84164C567B2852EFA262AFB09F49E50B8DB278ED215EFE1F0F43EB8BED5C3F1ECAB591E191CD36B6EA75260285F667C204E159E72072E165457A170F32A7FE29664051396BA1BC202663F1CA8F17A99598DF58A512B6685798E5E93FAF9B49C9AF0CA8FE4B6544492027CB5599448643E1EFC642C7C71821BC06D5C600A80CF43FA64342CFACE0C57071627903DEF82A0AB3A3089C06F89F99A5B3E11524ED2FAD86B73F3F48BC5B912CF31286C498305B77CC8F7D54F343993888CED370DC93E0CAC9")); test_xof (&nettle_shake128, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("1E8FD76A766A100A4434AD568DA7E753C08E76E515DC7A4D42A9CBE5369E3CFAAB7A09799B9CB66940DE779266051581E6B039E76F446327188A6B34565D738F1A926DA3BE16CF6EBD6FF7F788FDBABC0961158321E34C26207ECE1A122E73D5F9675A2FCB2E4871FC04875FBDB9B6411BEBBFDBE71DD643BA6BB2E2CCF46D1C1DF9DC6C0777E7A19823C1D55A648B847E398F52D02D5632A69323E588ACB113289260752BE85A42746E62087B5A32DF812817D0A2409C36F6C80912D4AB80D47C7DE7FFE26E10B1C850B7339274DFCA594D418C3C4948BB3528F4EA463CFB54F7944B32C050C1C3651168BDDCC873ED8057372743A6CC8365763B523FB3D9752A4FDB167A768E96C7D4F277BEA031B941BB7002DB130B76123A0EDC4544DA03D9255BDCD896789123D9999AA6BDECCA01E4FBFE33860C74ED2FDB54412DB927DF2D896D289A87591377923EDBCF2D2AE204AE6EA85B1A9AD2C2A2729DBA3D6E6FAB6269288416D569532793E49F61E7002871B8F4A68DE84DDC42D081D1C4CBE332AC58C3D81896A438D1861E594DB79390AC2BC9398DC21B27E6F7677A94F91EBED0103B2E8CA4068D6489BD0AE5D6B77053616335ECC7D7218B1B2DF70A279123268A06EA959965CA1AA26E1DC273142CFCAD570330AADAA62E04C383A938CE349C997BDC41E9BC38C29767B964FE2D8F6DF96EF1A5BD0A38F06734327315")); test_xof (&nettle_shake128, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("58407675270C110F4E998D9EB9F9BCAB175E4D17F2C3A88896F31CC97A389728B3A93729ACA3AAA426E2CAF11AC9D121B3239915C857FD377FA2871F76E533A954E6790847FF03531111A89B35192BD624A5FE0823992F9A7C25721E10897FE397C2DE7828C258EF6083544AAB1C7FA5AFCB7B27FC37E64DDFE827883FA0389B8E785676C92396C3E1C1E161E2776538CFE4B6E20653F5706F034929EA002926C0BFB6D9C31857BBBEF51CA094FAA6A7C9C6B34DD92182E21AA47923C908FA00617F9E910EEBFF2BE3696B6BBD489D72510840F075E24C81F63A52772B8B5F3296C7F7095B4ED732F5DCCEF632A37F0419378EDF651DF2870119A4F1EB0C961AE792D7DB1FEC88BA12BE14520648AC3C78D7304305B75D3B1AA631591C1B8128DBAE0EBEA7AE1DD44ED1950A87BBA1BB72FD0BCF158F7CFA4881DEF36B30A36425C429E3D4BAE81EC821B58B6EE1C5FB9C9D93993CC1C341921797797D39CC523D32987EB0D75C0E502F52EF1FFB3DC10A19766C2117122010AA729326AC5273BED622CD04B924C60CD405A14ED06ADFCAF35B1AD5EA469CDEA963D7E97B2058D2588BD866A17D701761439C491A0AF937F7B8B5E8FC781737986505CDCC593DC0627C0FFABC0A1737AFAE194E24888377AF99AD33AA8A0455CBA1411A40D1D66ABD03F2DA49C34C74C65C830BC68C36F87F9E578072AE67A60C23A6AB0F02E0")); test_xof (&nettle_shake128, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("D102BF50A47C12EA4C8D5169BFD14CC92EFBDC10B042631B1E0CFEDB32DE59947EB35402FBEAB157062BC6E89E0CBAE88BC68190B51FF1F45EE278A486E8535CD9D272A4439EC3F7E65F1C11209B77028B78EAE7A19CAC0BE054FE0811ED8A1F230954FD78130D27D909555EC58DAD0A7494BAC5323FC56E616795DE5D16C1E6427A02E7C33FA8C74459A24AC3A377A7D5D9036AFE7F23830FA3ED8F4762E86B3ABE0F3159377CEBB1E6844835374534F86C04B5215345947ED2062872F3C8FCC82826B0AB63A9A5EF699687C44602F61BF1E9AF303F977BFC3232235D95B5B6AEB5241010F01DCA2807FBD43D84675C5839A6E2D73B60C037A9E2D98F3AF199CB28E4EA6B3BEB9DE80A702C8B70C039B32B7D63C892A6DB1B6FE5A9E2638E8344E4EC2E77394FA03735C7201A656FF0A95E19A6F8D5A8C41605A2731235BA721A4A74F7BCE9CC2B1FED1B92F42C2EB665A41EF09B83E75D1B3A438DEFB704BB360404BA7D67BC00DDB8541949633A106A2BA75930F30F6079BDB01568E46435CA6BF80CEAF3F0D878A560C969263202A8EA9500B71369C958737D85BC3BFB4C3452A47CC9ABA4D69570AE9A2449C1CB84CA47F226471423F0AB54516458C23E31DF0F80F9A3EB37B0E74DABD4B27BD1DDB50650C92FD01ADADE439445A054D463F3B068E0F890C33D9F9BB4C31A15945080717CCC0CDB71199B7CF607AFDF5E")); test_xof (&nettle_shake128, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("29F1559D1AC3E5F5D6F36852E6FA06AE720B939F3EE14FF2B354C9B941A4F608313FD16527486E4DC5C032D0278297797CB591B80F3190EC0F1FA08F87A529EB22A2247E71F05FB4B1ED4127BE219E73B8572F9AE21356D8C245FB3AD4DE33A743536DD852F2772595D2CAD5E85928B6199830EA78D6D0226E7D2CFC35AF41EBB590215E416201A58D990A848125247A1A8319630DB6FD7F5FF4CF2499F94F1C0041AFC9764C2BDF2B0FACA97B3A9F8F508162077FB21549AFD5095AC0F2D744065B90B9CCA781640213B3920B284C6AE6E9877366AC4695B19BC7DE88F3E6113FE6491E7830B4CDF74D3E170D7390D9B0403923C8B6471EB5D639E2704D3C360F4E38F6774C6A440D68C2898D11F17601F33EA893C5E4B42D2A7BE5D07492D20D1550BA335E3D105B4898A2707E5C97B61011707375D5AF0FEF1477FEA62D383C227E2DB4CD59B85E45A81A4562E7541DC2814F20C969028CA8A0E9C14386A648346898DBDE372ED9C09A40A2AF6E0AC541BE0ABBAB84B2DD6A2FDAC9EABBB8C87F58DD95BBA7DB96403B9BD2274367439775119DA7EBB8BC46FBA2A50C75454E386C3749D03691F6705E70AD716095CB30326B1E628B0E29D7AF932F554A6FC0D0769C4D0A56779A1878DE7C3671B68A4964C5A9FCD86DAA7BC5B95C6044AC825BAEB4F073AFA2502CF3388290F5658094DFF31F9C68EFA7AC1D74881CE092")); test_xof (&nettle_shake128, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("C73D8FAAB5D0B4D660BD5082E44C3CAC97E61648BE0A04B116724E6F6B657684674B4B0E90D0AE96C0853EBD837BD8249ADBD3B60A1AD1FCF8A6AB8E2F5AA7FF197A3D7DBEDEFB433B613536AEC4D655B7BCD778526BE667847ACD2E0564D96CE5140C91357FADE000EFCB40457E1B6CED41FA102E36E799792DB03E9A40C799BCA91262948E17605065FBF638FB40A157B45CF7911A753D0D205DF84716A57112BEAB44F6201FF75AADE0BAFBA504745CFE23E4E60E67E3993622AED73A1DD6A465BD453DD3C5BA7D2CDF3F1D39376A67C23E555F5ACF25BCE1E55F307252B9AAC2C0A39C885C7E44F204CB821C0D37A22DE3A71F3A1909B11B7181C42BE9B78AA0D0A15444F330007554BCFCC0D8FD87D6431FB93C7CC38767A55D30D3545560BD380DB8C4C0EDA9399F68F854644266C1B7958B270E75B79134AA01E7DCF1E6FDB6D9AE5D02CCE8CE8E480475E9617CC42A91C08D9AF6E5101B8AC5834ADB2C66987F42A580BB503A4B34A9F15ADCD0E23D0D4029479764831D06B5CAF3F14B91449F15A291F4AC250B270B6CB3C304725C99E32645E1FC02A0CDDD9E717911F2342D9482F8E0979985A0170D725DAB4EA66D44F626BA475925FA39FC9DEE929C06D009416C0ADC1D987CD625A20ACBA4CC87F72F610867C3A7A928A3A0379676E8FE257107AB2F5C030BD2480E3D1863562E1FD0790280333ED9D5DD5A5C")); test_xof (&nettle_shake128, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("4A05F2EF1AAD5FF4306429EC0F19044077FB64BFE1DCC50F74C3F045E9A9C3DE4A3B5963AEF771B049111B7B4640E20B1BA84ED7AFEE325571ACF347E311F33C1D421F21D663065C4DADDBD1785C5DAC0D554CEDB1A45A32E28145E98F49DEE285B33DE14C336D10950ECC30966B79E8613FFEBB702FCC00A1C4250DD385ABB537A284E9108D16B6F08F4E103F2C5E9E5C879CB5095534151E3C9A316D06DCE53B7F01B424D375B564FE6839D1D1F00A2E62604060A9748BCDC8143737959FABBCAE1851213E6DC28BEFDA48149DE6AAF4A60D4615BED67D11796F6173C3DCF139037B31EEC9A8404DF07597BC266D3C7D9EB9A7CABF749FB44E40D746D0E9DFB5C8BBEB25E3F1612D03D3EB0C154DE4B2708C4F8A89762E171F744518AEC134A02EEAF49DB2E2C6C9914711288D6B0CE877861D9B10ACFCC19643738287DA005282F3FC82F9F50AA681F2F55FE1809C9E23A3A59E51C2E894F718372F9FA1564B47AB3F43F0747A17839E933369B6778053E1764F52C5F319E33C8B25678F72332E33CCA97C68F19E058E70C31410DF4DE7E08169D6096B7B4EA48271EB684FEE9FC8B561C3FEE2DCE83D092B142BEC1478D26B48C3C6E597A7B2E44027E1ECA23178D3AFCC67BB530A529C7E1336E1ADAE74EF0BE9CD61E91C6AEA57F7CCB23B64B2F84861CE159209FEF7A897A16A871AA99E63A5126DF2B03387E42C3D18")); test_xof (&nettle_shake128, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("D99E2166E72399F4B775C8C446CB809F149095DF22378DDAB711B867E3CAD17830EFC3B9F7D90FBA1327E103D3191595AD415EF71604C7A95DFC417F14F5B5AC1B6905396ED94D56ED993E240586E95D98F3D34630C32FC1719E7754BF4F12A321691EFDCD42DCA695BDA56F975EBB08D59F76911ECEC5B503E7030D1E626EC89CFDE51042F1B75063AFB50FF7B43563A09E209B7842507B67E85E87A99FFFA72DA7229CE5C9F5303EDA061A209F46C76BE4114BBF5EBC5AEDE7E22F5921DA87265C19F87F1E37CCC218ACB903BFB4D617CB95DF94255F980924A045B959AAE9C58DBFDDAFB47C9AD78324D27495EADFE665E8B7154EE52AD0219421014FE945AA8C2F3B6223F99E170D2D169C13C0D1CD481B6901A1770DFCB39ECCBB40FC6790E69C61C9EC6E99AF6E557EEA2AAD2E73D8A82FFDD2FD32C63DBE4858D97A5955C6B3420FA12AF5CDD10DD8C9D6D3C230272187E855B9F405853E6B8E199F071F0EC781BE8DFC29E93288F22F600302475CE1651D3CB671A0635BAA3DAEFB73487A813A0448EA5F2EFC915C847795BB0F4F5879DF7B5C95A2DD3A5CE79DF85BCFC1D99AE98748052A27B775B690FF9B0240E0BC0B79935AF998BBCDFD37A2829482A9F51FFB253152ECCD35588D2CD96BB19441A14D7CB3B7EB2F47CFFF6BD8FF73BDF9D9C2A613EBFC5D69A3D7912C4CF2B41DB244267AF889D47A037EB961")); test_xof (&nettle_shake128, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("CB7A1F8F3B4A92508EEDA0287EF3407C5F1A51F2600D3F13C214A36F54F5FA63878DBF6E76E570B72ED63159E01BB948D0ED7602E9D649AFEA2BDD4C97C7B22AC32485816D9F0BD8FE1443C7709884334E4AEB5104FAD05B6C62FBBA4F5C5BD2CC9CF576991DA24AE01827F3EA70509E45E1BB0742F3F21D673A34E9AE992ABFF4A33EFFE61C2C7ACDD0B653757C987DC1F575B7181E79702C82A389B0DDE618DDE5EE97A1A515365D04F3413BFF31C3F9F222BFBA2061993C7562AA7761175FD51D48BEAFE94E16AC34179CFE68791FFAD63358885C289C0D1D5C99DC42B7DEE58D9ED595CF5158D4D5055CB249025F3FA9690A18C9459D7E8111B88AA37D26B384A7BD02E923C2ACEDDBE31A6F3237CCAA778D5F7C71CA96E72E11920377C785AEE9DA9D8F11A4D4CAAC6CB66AE4F251422104E5330BF06C004791ADA67D687A0462070B51C0860F1AF7AF4968FEAEB157A4A4448B69AE1166578804D384720A2BAA55F06AB17FE0B4A5E4EF058A14D17F99BCA359CD1E95DE00B5F309052FF4231ACE9E1BCB6684355EDF7924BCE95264C3FFC641588FECC3775AF5E5361B5EE995F85F9A612A0055B22F2D440DFD80E91329A2FA02E20476CF84120634F9C320E6803992817947EFD9BCF620F4B038CDFDA1CD559801CE76FFCF4AF63A4AF6284293789B548314B2B88C2DDD31A6C92E4E62B705E196CFB2D978D6F32F3F")); test_xof (&nettle_shake128, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("908FC63FEE9E11D44E7BCEACBC161269A96993D101265F825B86C107C61CFD11EBA3CFDB0983BC9BA3A81DDBD8517D2E313997ACBE48A47AEF48B3BC1A56EEC2FAC280C96D9ADB557B14334C6C555F374AAF9F9560815EB7278DBC81A78E3DC4144B879119C310A2283862574D055D2B0D8D53219C479E8C2F6DAC3186C1EA36A6517D26E14F2230F00A1B30B44BF987B3A3F47240498734E6858444A82ED1098442688034D38C578E995424E1FC2386FB10E682EBA287F3757B8A4CEF19544CDA032C3592E13E07241AE38F0BFB77B030273B28D09637B4AD359C7798CF6A76980A3EA331597DAB4E18ADD97B8404D4AE4E5EC874D0F31A60636B2BDE4FCFCAB9569205E7261FC728A701F19E3791B538BB1AE8E1435A85F7E8F7B95AA45D275AF770FD9FF856F6666C8598626CB54404FBA35B523F55EC971F70E10E09FAB0A88E39CA1E7180B482985E82EACD81CBD2C8675F8BD41691CFBA39228D4FE2561C2E8BA1DA3124AE3204517F09CB4ABD54698F1010E1836E141C706B9FF0916BACF70010A0F75110E79E95A48FCF4724BC0674C9AFCF12DE59D31C64E532572DA4586BC73A6BEBED22752A05BD1ADD51464180DE96CDB44D11611FA661D0EAC1080DBD25DF51A2C7519489E05E1BE5B05C60070EB8075A9F0B3FDF6C14D6C07076578ED3A16D8E048350CE9B2956ED00AB61B024AEA9E07C87665B7F33E2F5BA")); test_xof (&nettle_shake128, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("080C392EE04A0D4EFE020FA6C20236E7C1290088BF6FFC2CFCF72D1B16A21ED000FC7A064491899BDA1AD4856449D89AC7BC54E3896534837EC4BF950A18A3ECD5FF286D1D0A02E90531298F2430484A667DE0121E0D0B392679AD9168BFB4F0D020E7EC1AEC006BD0E8A551BB7EF0B751D0075F615C02775C983F45212E4F394E7680D9F81254431BFB9E772EF2CA54600D2F1F4DB12D6DB49BB9ADF03BA6C912E0A8BFAB20C0F4D3DA675A908277522C8964ACE05F138D192B7A2EFD8FE663FB4B2486339555AA1C35DA18D8899149339F1AC47555080627C3AEF75DA932BB063FD3DACB6E0019C7DDC5627776250033E6F47EB5930907FCC1F1B627B520AA18B22B12103F3E361801C6EB8B72E18CA9C43EFD1E8A04948A9A7AE1B92E177AC6D3CFFA217E13CCE790EFC636153FE24821A7FB500E61F3098711F60FEFD6EA90F6F63D6822331D8CEACE7C192E3482192B0A408E5C5A36A7C7A5490756FE4022C7D16EB28232A70EC1BD675DEFE9F87A52CB633DC5BD99CA49D2BEE54870FB0919217810AC08312AA2DD16556089FC8706D0293EBFEBBDF11204793901190BFC7AFF9C87C9B4FE9116DD1E1789E08776EFEB71F619827A89287E183DD77C42D791E7CB4ED2E051F2CEC42D2AD83B50EF3C0FB6ADFCBAED484886A4DCFF41844ABBFA46016A0FBFDF2D891B982356B315DC17D9FB62517E3163A93AAF05A12A")); test_xof (&nettle_shake128, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("85F82CAF1A3D6DB8E7C6CD49C697DC314AEAA79309FECAAC21FF46639EE5CDCB719A6379D871138041F2908D4DD605AC31FDE9F89A0136018682FF1CC0E36A3019A260FDA0FE430B082445B7F10F56A50E69A8260954F72B356B710A35A5A2A22FAFAA5B3E4E3F0919A1FD44C24D33EFE5790F9FA707DF0E06CB4F195F1AF7B2578EEC38B8565D34DE9665987F3710D8388176AAB6F3D7CCAB61713B175D5343958419F7C2D65775B7BECADC1AB8DFE486EFB98D336AA17EC4083DEE1253A7E2B32437D75FCBD338F77BB1548C704090C3417DB225534F85C92AE1E9B16F66A624F5309297F2FA3DF12FAC8AF36A1F2A11093D4544E0A67C826D7CDA89730031D4A35C64BFF9CB9512C09FE45F0D628C075737819252B38724BB5A341D3045B4FA4B8BA742B947EB66A9A9121A48B8CFB83B41C90A7A672A4B9BCF2D1A32266C8F13EC46DF4D80384C117A56180398D2268C8009CF586ABBB7452911FD73C9C3449004A11AED41B557A33D7825C42575C75C0641393346C753B1415D4D4AC224C831F185C2B635C4B6B1C388358C232DC629A090FC0D472A4CCEED43FD9657EB33850171F9D6D2DEA433874B47F77DCA16CDCD782EC1A335D2DA3C235914315A243EAC2AB81E06D97DBAA25EC029A62F58A1DC78D586C226046886C23A3D9681D68503893F8A9ED9A5B53A22A1345DB167BE59A6AB8295B41FC464329A6CB739")); test_xof (&nettle_shake128, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("E07CAEB114B9180ED922574BADB071B5962ECAB18474D1A82216B152DD0DAE5CCE14001FBE59E25F55604CC3C26E5D88A25393303FF47C1F14C87EA4D16B0A435A43A3DDD22AABC7ADB4680C8FFA05BAF28F45F95ABF93F8453E267B5E584C7AAB8E2CF2723ECF211B958DD8277B89D3FF2470CDE45077DE7535840B0BFEF8D2AF5FCA3CD91FA6EA83C5F7B58C75DA302A67154474B563AE9B59B1A3BE93BA2BC2A5484BA24CC409896109CD57AB6357376FC0B65A46506D34DCCA170DA71CC52DFF4FA34BC4B979A130EF5663CCC28FBD3E36B6CD103212A96B8710B49EBDACF4A8C41A5860175B694F75F077718C93170A98EE9757237EE90E8692E4AD6C1AF6979D567C104FB3F30EBB5BC52B99A934D527FD44704DE65431D8063DF25E4B31A89629E1F7B7AED0E49C2AB6D3055675C7C63AA4E7686C880F3AF3F6CAF7251BD8B9EBC0A3C46C72B05AC4DB44E85068811EF050F042BE1E7EC841DC8F7EB2A7D9D2C10EB3603F952E307289C1634C7D9E648C36B75F31EA91C7125DEBC5BD3F70F7CCA9330484ABB5A73523013DC507E1FC5689848D6985F73866ED146506DF21BC98D35BC24256C4F911C3D4CE437798431F68E7EA9F608E7BD98D7DF892581B2756106A5C7590F6C33116B7C269D4A3010F121AEB0B10666AFDDEBD18AF9FF571241EE39E4F2E7802CC75DEC1ED6E7F19985774F0733C833CCB9D82CA1A")); test_xof (&nettle_shake128, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("1BA3E5682B5210C2503367CF92FC02BA6FEFA6C43CF725D9E0A5A796F949BF605C9401D6235C09265C000AFCCA9FACF32B1C6CDE831D051DBC604B72B90689CFF3E9179BB0A8D151C2FCA7DB9147A8A95AE8831C475B16B2478FD794087D0D979FA66DA5240AC77BE4CECB3DBDE50FE372C5045BE23FDE7CC0B6B86A0007D47DE80D59A2DBC7883BBB2F76B74E7EB53E8C929AB73819BB09CD61010689DACEF17BEEADA0311F2F6594922EE835DD09A61B41AAF5792C63CEC79C40EC126A68DEB00EECA6AAEAD43072AC65E7101B4C7A3FB42101BFA922E43329E736D1DBC90EF45032C82E26CD102176CF8490B554AC9C6FFFE81D281CBF29BF5056C06CE2CDA918BB3C9F8F49A045DD2CC4D680BA8A22562F1DC53838665720EC60E4E3BCB76014B619EE24FF41B2860B3BA4438527D975A1302E8FF1923211F36673B0BE8B58BF0C7FEFB0CD50A28A386CE6DAD7C30B8F6A3A437E864143143E638FC6474A2A8A6640862FF4C4491FDD52ECE0834128137011D46EE7B0CF611B237AD515BCC11FB7B0A4650FD6E60BA8B6BC601DE5CF75A66C3F16AEAD1EF19C47420A9840CA4B1352AF4C5C217350840AD035621EABF2EADA2A517250D3A6AD834CAF2A472B2D5DCA3829C372EDC64703226EBBCCAFD316E4EA3A9BC9AA8DD42A9715B29702BBA9AE232C7806E5C0C02AEA68602F4B580396B27B94385A3DCEBECE345828")); test_xof (&nettle_shake128, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("7F8D0AB3060B5A6ACF3522A83AC1A432DD9EBDD62BEE5CA14CC54FEC0D3AB6D1EACC33603F214C35E8C256BBE7F0A1C110A65A6E7F5EBD6733350DCBBA851271A0EA684A0AFA032EF530511B5FD923399DF93567D9BB1EEC74D6FA4AC5451D81FEEFCE00A7074A1F32498AE68380E2D9800AD3DA75E0BFACDF66B9F34CE4C60615AB46A8310F85C2A7F9A737E8E19E0BCB540FA9F621378C44E2DBBF57C059D52F79FDA1DB8A3D5B44C558C8CC70901219AE76CF5F6DB962ADBB6515B25B5FC81CDCA21B7A51911C5F5C52E8F2A863E9F09E927D8F66B063AFC73CFA8592B710063544143A8B5D06CC78A604E9B72771DE91F48EE55C9FDD831BF91171532AE5EDCACA1BDE2B96362D4E30115E12ADA76ACA05DD128FCB524CA8831CF2459A53D97EBC3AC5A25517F254A14316A402A509FF5868CD290C88F43229BE54A3443BC547A093687B3C3D97A4D1A09004CBAA6939E86CD75F5135D9FBFDDE568E651806AF401095C3602BA958FB7A0F4276791B28A6BB75A6944EEC6EB8CB9A7A9E288916A15A496DF80777FEEA0F42695AC62E29F137E355A13B630F30E5D4E4435C3180EE86173F59BC19B79065CF3F33F8BBEFEFDE35A8AB09C13DD9D326E98C9730BD033CB2DAE20BF076EE9CE764D48BF8A0F7BB9181E60889293866E1C601AB38122220A2CCAAC996FB1770CFDBC4E628BBA2B3122E0CA351FADA84F8183FF4")); test_xof (&nettle_shake128, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("C625EC73E6D951EB899E865B5012ED72229958F2850A79CB8221AD2248A8D670A8072519AE6DFF8CFBF7A20863FD01183D55093C80CCD14106426579ED2FD99578532F9B4D8E11BE19A0F0A8336FCBF1BB1D6D91247DC87B563C1399F50144F563F8583DBC208165C106567EC51FFD321D9F2ABA7AD2E7F2C1950D04E9027D7364ED831C2155E17C0B083B2EE2C4E720A2638CBBB971CCCBA1DAC6860917D28D341A49CDE2B8727179C8B596C045382E6E7C23A35D47880B4A47D3DC79687919194397C3EC00D9AA232E666BA24A1A39CBE847B2E864478AF2F59F73B2ABF2A98481430943980BA197DB6E67A87F3782B7BD99A6E27F82F133DBC6D722B5CDE09277F2407671FF44C1117E1265F5EC9FABA0A946B67DD268C3B97BE198BD2B5185EB07378FBDACE2B4B97C8DE2C05176CD186B0AD3F7D54DA7701654EB1D1FA200191CEA96D0F02C86CAA277FEC59E1C93097FB5D0D43600E3403C53798A33EF5CCAB3D5405E5DB570A26C3A0BDB304328FCD36E327B5D957913AACDC4D938BD00577963D5FA343109F4719D8192B12272DDFA338612AAACDBB4CB91E129E4401E16A673D6FEB16294345FCD0E9BAC8BDC30EBECC3BC6DCFDF25ADBCB42777A6FF4C05B5981571AF8A33D9E7D34534F8F89F555A1A55761FBE2DD66B93330820D3EB032D7A56DB79AA7CC372340B953097453509F240BF9AC6DCD0DF08D21E10")); test_xof (&nettle_shake128, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("5FCBA2303DA2ED78B7A3B3DBD3D7D57BBF37B25B75BF8330D39576EE26D830002F5FD36102BD09A6025532371A6246417F94A527220194F287BAB34A936836AE84D87C251674F1BD361FAF5ED3C023A96AC1E089050C7975D4FB6DDA11305D73F2D9BF03FCDB4ADC31C5356E231580AF9E23B8AC79B28409DC4EDE2CDC5D98C67508ED4D688377583E06FAE8F195B10C60FA61BA10A7A57A8A52029371CA12C9FBA5EDD2378FE78E5CC119695FA5F6ECB4F7C27B0552B1231D4A1BA31196CFC7D30E92603CF2BF14E2D4CF8860A3B4B543E48401D9FDC6B8D0E1AAA559E91ED8FE3D6DDE2F8A16A59AACA1FEFD304D0C42B78441D4AFE148B1ABF86C92706C5C1528D54566EBF0F4F7F6BA0ADAF6ABAF5BF8DEA607B6C86C789E7EA3229031BB69E60BA745F561208101DBE4774AAE3CCD7DA3E6C4625B0744B33E6697C31650FF94095C5CFB87024FAC512D81CD395D8A30FC562E8E817D5DE70E991E4B3ABF091591769EA3B42197A4F4DEC475F3CFFB47700E832FB072B4783DCF44014642D9930F09A2E3C4984A20BED71E4D2ED1C5FE750B0F803D4891A128731F48DF37D7E30EA34F7ED816C51F3DED629C7F430CB3F1ED74610E4D6535DE05EB6E7520B1CF6653DA236DC9E4F8CCA8BEB696AF2A3C15C42E6F87C2EE1E9013E7FE31E891F6F9658F2E270A423154824CCD6BE7498A6FFB8EA6C4E5B8A6CF1C33314C03")); test_xof (&nettle_shake128, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("07F4933F2A7C2988B9D753240C1EBBEA38E95AA1029508296BB49BBDF3BC164839C76D905596EA153C4746B4FEA069D2A784D9CACB598A24BAAD6D215F83F72D4B52604EEC0066344FD062B1835570028C1FD61D5B4785FF5B904F5DB03C4EFB61B424226578392B9E6259FD86DC979526C560057B9395E32116371B3737825A9579B92E1AB5FF9006AFDE8A618687205438D99B7E1BA038922B140BE0DAFB7423092F362F537CAC8272AA5DF14B2DFC2B73F5F4104BA1FE603E00AF8E47898C0E955D57DED792C3C93518CD84FAB72A2022F189773FAE574D5342EEBB23F7D7497F301023C1143CB3481ECB0EE732D1477E6BF872EA0D0DC0623A5C0AE526D8885DB1D3C1CA0A513D2E4D53E13BFD82129DBAA7A2BF6004D2091E627928203D05B11D9F6335DFC73CB9A7F5C3CF43990E8DF0269FA9BBB1FCE7646C6BA85BEFD3F9ECE88A93CBECC3F8F68CA4D0AE8197CA479EFE0327463AB5B78685BA4000482558CEC55D8B934726B820EA4FA9471AEF2962A7E1CB4B2891C0B545547A146CA28AD3E9CC6ABF69D7DFB87B298CA252387888E20CCABC9E9ED484262A3B6A1F857E6900330ABE74454A62E2DEDFEC3AFF7BE28E4351C4AC0738032B81C0FF12AFB4CB1B94F7119A6F2AB4157CB7C2FAB41879943A075233CEF8A64523F70E3C6F66C5EE3D5FDB99222B2A3EB09FFABCAC867E0B2D06955CB80E7EAE176788")); test_xof (&nettle_shake128, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("7E3FBAD2449B2F16426651EA24F642FB8CBB40B1969FBF10C5A6C3E7B1AD2D413C1F8A78CCD5F4AB0BA0A04529EEB3F72B656EA1030CD94DA5CE6B6D7C44728C0CEFEBD7FA597073F8BEFD6BAA5325918C1BAAC3B8DE7D1E4B723C0518936CFDE3F039941FFEC3979AED13C16E5F24A8C01F4D87E07F797E2DB4D5CE17E4AC40565D32896E3B6DBDB50FC2BBC4D13C2E375F171D8EC62C423A126B45D3C13B6E3EF9CFB9B8FD25BFA74A1793EBBE1168705B7A26EF12C2424E9689D993BA8C02790E83CE166DDB7C838DE164744BAB16743231569645B144A34BDE3A40712F01DC02E476140D07BA3DC4F51DA894727443892E7B12555932AAA5755FD9887A9EAC8C949E71EE35414150B63B00247CADCDDA9C2FB245748DC519C39EC8877C860729D90BBEFB89C5D914F99AF63725E91401ECAE6F69C67CAE0C94BACF3D6B13C273019CC3B5D416D6A24D314EF01C6348F2E539578F9368C234EFB559352E5ACEDD53C14A35F680428BBA25A252F056C4E452A921E4F83D648838ECB076F4764256912D41D504044BA68F2734D7236FCCD924D22735F6CFADA2349421BFD51341EABA98DA57B3F1A1B9B7B4588CF3A0D1A7E116700FB90C3DE339DFB9EA3662364807B91F7D2105D59034A6F5816070B5C4B24ADAE525C1BF2D267EA4B03079405A436DA4264CC50B2B30A0881E4D22A1904DC7311CA397AF7399734A0CDB79")); test_xof (&nettle_shake128, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("B6869F1189F52EAFCC0353F7AFDB8076C5CE063E2DF404F3D1314A4DE573541927E9F4C67A554BC82E97C3A2F6C679C812C9DA6542681461BAF009F3ED10D7D2C571288A41EFF6FC73DFF8AA3CB40288C84C9ED5CFA70F59395E09CF3CDD58B4D2A65187CF38828B981EB5BA8F7E591070F97B3A567188AD4C455FEC91ECC2C9829E00639BF6CE1DDAEE45CE19D9A183F0E93630886F511125A69218D86C5008760E8EE0CD299062CD1A06D0D2A5E07A0A30DA7DE30531136B4BAE8546290469FA1B18557E3B1316ED8FF1BC94131E9797EFC0A2D997F8DA22CE6DE0358128AFAFF496DB6466210A8682F9D286AB66304E79CE92174ABCDD0C4DB508F03C2BEE0C87F6C39D0FA2EF7F3DBD4201B4A46F418CA1DE312A2FC9F82E6008BF06042050CA302C9A386AAB9A3A8FB558EABEA6771C6FC301F7DEA5C13DA704E4F41DFC2EA508F1EFAF743FD4A3EBD9370CC3C872A41C4BD40EDDF311C2F5B7C208BBDC7BC4A93804D10B32769A333E8BC2507143912CE4D918D0DCB4D6462F0790F10BFDDCD7FD711E14F411A6CE58D50E70E1EA23645E97B6C154E3BBA3AB35411537BC8830ECBF953BB8214DF95E6FB5AABBCE08F8D017958848916FE04B3D2D5F69DB9234220DA3388E3385CCB90194959027093A93F7048F35E3A5B0AEF90A792820B242C34700FBE7F7E00C00D6ABDFAE26DDC95CA47A72133F97924D67291C6F")); test_xof (&nettle_shake128, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("EEDF8414ACBA3931CCB5C41B045E708926CC68C513372B2A5C9F8BEB76C060461CDBDE486F81952169B465061541E397192CAB92B64CD5AE0072811017140D53861F56A96A66211FB30BD1E911D31FDD29CE66882529874724A64216C13AEE8110B963ECC99CF46D2C1384CB39B27F2EB85B517893AC45A126F57E93DEDEC78CD2708E2C718D783D847E2FBC8B3FDC67260B33852576910D2E43923BCB8882D318AC5421B99BE5E532101833585E744B65EEA3104337FFAFFF4266B6ADD5F081E42A46C5365CC2F03DF43C3AA3D0F9A9C477D65E5EBE634C806246544B97EAC179C932E37948BB5E5C84DB32450F3B9FA54C89FD03FE58861B8E8A6C8C3D7205B7A65A02B90E0412C493ACBC3385E1A197DF785B02EF42B0BEBBD5431EE59DF31520B88E30BD376BC4E720D71F1C0C9AE4C2FBE126DADE6F667E2CE825CA1118F5B82F2A86FD5BD80621FA6FEA14768EFD08D75E4C416FD1245B0C07568DF42244DBF76614E0F3010684210E49D0868C3ABF1C89084510662BDCCF932176DAF9393B00A4FDF911EC8BA14E81B0648E5126B7B6CC1DFC902A53D0BA7204C256DE67FBB525F6C2D4C4DB08484A14431B350B76B0DDEE9924A8E0DDC4E6B9DFA90FD9BE0BE70BFFBF6F9ABFE0EC489822B94DFEDA911FAA7626271264100E2A40A2AB932CBE92BF2DBF57D273B0B056A6DDF29BA36A7F8138390865AD9ECC76BBC6")); test_xof (&nettle_shake128, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("61B6E091F3A8BEF3886484730629A32553B1EF7EFA8689AE6C01062F505ECF48E8460B66448D355046FA728AF5778FEB8B827BA30211E5B1BB82F6BEB7F2ED7450E9EE0A19A47AF63BB687A0A4E611B3762B97BFDC6E212EDE1F874C33636AB4EA613BA991E8B9558F24D1C02C5731B155DC1EDD6E984C5CF51BC59BE5E084AE89C87AC2AF5792C6DE0B76448AEF8C5F248CA6FD1525770C8B4434A76552834CF1481843A9E3A2051108D3DB6B8265F736395848DA2C5755B504F4B958755BA1820DEEE9EAD314C9515B996AB96C8F349BC12618FA4E8A026EFC5508707F642F5CAFE1EF135764515F4CE2DE357D93A0F3BDFE8E3A7E01140212A735FAECB49659039AA05F0C5EA0690E304C155A64804954E24039D001A1F7C2F1691E81120FD275A6FB292F3FC1BB16763887E3BF327FD36FF14D8B89D02990AE9D4B2B4F5492934079D17945613AA03771605B259446664FADE2292036ECA5894C4EC3D6673FB95617770AF54CA581BDC6B52097938A98BEDE6CA627A9322D4FF7390DF9A3E46FC5C0663A88A16A7D4EE708D92EB5EA6DE0527FA5BC3454455B678791E07586123CEC8864396B4B972BA29C935E6D3BA2F7B2FD315131C0F008D047E6CC234535D947F068548287140D4303365990E62B4845A3E7CD90667039C205BD1B836C4240B2120B54DF12C462D2B10FFE2D61B456F090EFA26C53E1F51D2292D31F")); test_xof (&nettle_shake128, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("E4E5622998509E275AED8D103E2581877B09D570EFE558CF03626FDF3A2C04044C1531D3F92A025CA693FCAB59D90ED2A2DD33F4768F56B972B2E87D34E8F293862C22602DE928714C34FFE22C118C474467005C250F77971D59BD93581E5EDC4F2BE3C61F5414DA40DDFD3053595E616AFEB18D3CCE87691AF4C228DA5595E2C4498FDFDE8360DBCF014B368A88C5ED7A71EEEB003E8839A371B8D86F7B58DA353EDFB2891BF5A5CCBEAC1E5F2EDEC1442FD79B6A31B85E4702DF68ED3A0504E26489B15C0C1A52B443581BD671FD207302B4BADBA9F41B974BA6179EA1671E4660CC8F5A35F71A8B9BAAEDC457FF13263B062DB6059FB4275D2831218B04B2E24F1E3B3DC4CEE9261A1919343D5274D64CE11E0C27866ECA3C91BE98762834142C730F4C3354F0866D9F0CBDE0E54BF747E0D8E50C8654A1C87FDF7EB6D13C06A8D0A02FC6EA72C77D1D957B960D6726EB5F1D4B3C056B2B67D9C23DD393A25D03129FB4D894DCEE892D4D7CBBEAF404FDDEF8707C5850B319E04DF5D64BB9F256A6B2A7BFABE6487B16DBA0CF415F8DE98AC8D63498DF68DD9E209B23297C79D108BEE3756989D751D91FD0954A7F5B166109FA11C7AF4BB18B695FF6110659E37683F92BA03C24DB9276D88E6FA587543E785A4D49F37240CBD826162E0C2AB12DEEB71552FB1AD45E7E5780F832D831D2AAC556A3A0005C37C148C41AE1")); test_xof (&nettle_shake128, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("F3ADDAA4382A61CF38C2963346547922642B064CE36B4D424F41ACB02AFE7AEBBCA83DF589208FC828EF58300E96A4D20592BFD58640CDA4C970E1AD58BA410ACCC75CF6D2566B6A10D7FDF02D169E6BBE8953E5812CEBF84E6E79B952680B4CB59373D8A6741C3483389E611A290D1CA14178556D0CFE750C787C4DB1558A1F39A2F39F9021F1E420F57CA91CD1EFD2D61D0D8CD34AD1FF7E607096B9787A51CB7684D8040FC66710C63D85A510DDFDD3F60056051406E7F217F12867312197690EE8EA33E6935306B76AD816043FCD52255976F9691C31AFB361612886758BE8AE9112412456B4395017AE96A3D118E351EE2D17FBA96B3AF726AB1B2EFF01FC3B8B4DCE461A452F0E6885EE4937B34BBDD357A83A68A95D12BF9CDE1C5ABAD70CE7A30B76BDB601B8EB533D57E4DAB508956440FFA0EA3EF2773A446E2CB11F08226385A71D93CA67CF6CCC8EB8E48444D508EA035AB59AFF79E076FFF850CD497798F49BC633EF41B0A4239681DA28A3BCFB2FFA3A992909E0A0148781A1BC03FE3FDF9B7B9971213F9BA331E5B1235314B3F173D48BC3249E946627F84070AC2D8B57E184B0E8EAF0321B38857383BC1C27CF9390E79A2E09A3B5552A7AA9CC55AAB534BF7D7571D3ED97C258EFC9E2D3C1D34DC84EAAF55D1725AB388C0A5FA4DF270630E468980FEF3A79A67CBB2289BB03CD239C14F15A50403787A3")); test_xof (&nettle_shake128, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("EB6CCAAD9EF05B657B6835655748051E33250C4FA600B3431E96053B0AD6ADEF7D8E5CCEDA256D96CBCF713E1998B19F8033BF032C9B2A56309B31755DB88A5CB11669A49AF4999C551ECE42E69DBC4D53B0AB2705295A649364E8AE495C793B73AC4F5AAA01A7A66F4542A4A5B29AA266158D3379ABB4C26596CC3E7195EA9112507ABA0C1BBD8EFA5785254681E11ACBF65A977199D0D489CD4357CDF61F0DA3B640958FF3EC7CAB5ED0C3E725EC64D18CBC8BDB097967FCE3AF9A717F591DD49AFC38FBB4437915D7B161E6800C3D8C0EAAB61C5ED05D8711B00E75892AAC5169E42B95AC207A27981684A7A26B9C7E00F7AB9A2DD84437940A7169BC998A56E0A31693345AC53F45B9A7D0532ACC80E093624C5341312E7F2E7FFF5B0712E2B119F4C6F5CA1E55899F394C850EB038BEF7EB1DF1303B7C97292732F96F4F6B8CDFBAD6C8D6FB5721A5441B4897FCFCB2959026DEACF17A99A27EBDC108EB1D77518C342B8E9892CE44241F94B88803D7EF72E26E8209BC251FAF58B8E0E2CDACA5B4509174B07C98AEDBB2C3871FE972A4C31DFAFCA4109985904DAACAB1C124E659562B77287B6D9DB73A38A26AD0E746B71FA086F6AA4E39207093A04CDBC69993C2205CFEDC4D321694D3FAB832CD729EC2501EF2D386EB170A011BAAE3E83A7EFD110FD36C9A7FBDDB835FA033891FF21C4B634368FBE8AD991649A0")); test_xof (&nettle_shake128, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("28721A5CA8A0B2F0EA39D1E51F18FF57F838B0F7F95106E13950D717E3BE00F9CDE1FB3EAA37E3B0DFB080B1A08EB6D07B4C36FBE73C248FB86E993A7A44A42501593B8721082AF6836EFB165084AB5DD13C26413AA4303D19183CBF09526E9D6F590990C7A61103F82C3E3E58A673F8EA1D00C85EFD867D4D7F9A0E295636933238C39A721ED301D4168B2346B115998279BA080D3D63A7F8A5BEE1DB83F415F9FA26CB0C6511A3AB2CA7CEE4B30188570FEDCA952B91A299DB985E0EA5D884646DE594F5A3ACD3CF975CB8987018EF6D5CB6C7044D946111D250B0EE5F40329D6EC2423D085DC8A8F8BEEA38EE4F3E4D7E206B6D1B988AABE52B074673C1D74C6DB329CC978B88B0C88A41BB91D541BA4D3ABF38F892E90639ECB37C79172352FA2273ADDF88BD6CD6A76B305E001F78E9D6C29C46477DE5ED69FD0D398C8008C839C87FD95C51D35AF3AC874F9E33E60813A984FFEE299547BDF305756A9F7560411B7BB475870D8ACE7671C093E210D3BDB10D31F48E0A78D1D9E3E44199CC49B7D2A9E2CA0EA8EBED0D265FBE461A12883EE515FD738BAC8299309C86B77ADBEA857C4C92ED8E0F380733B47853CE530091A6D700B4D1EBC9830C2443C7D82C3E0E446CC72D4FE75A5C3AB4E38971EA41FE993BF270C477FE90E2E207DF59D011E23777FBA3B454138B31F1E055818CE61649F0D4D06765247A9B8FEB8D")); test_xof (&nettle_shake128, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("1E98D0535E8D9201A8E74F5D60FE3151AB5C246993D2C39AE2C906720F898DA70500D14E94ADD0842DDD949FF614C1DF73D57879B3649CCFA780D22131DCB51E14CAF79948D497D0A4B8C3BE023551C68D88DC3E36AB8D73820FD880F3964964FABF60BF9009927F25D3EBCEE347C54B3E7B9A957F0CD10AD15D0A9A2DAACE6715633A9400DA882337E8505A431251BFA1B31096004E6E0F40F00F6C389A9FD5DDBBF7E7F26F1259D25F2C176B4B71F0C00DEB9185FF0E4508FDD0E057AF4F4D2DF3A15DFA5416ABCAF086D0118BE1AA70C7A14DA41B9612814C39B6E7DBEB9A415FD4E7AC8F3E046F0BE25BC0D05A183A4FFFC498100C21D013D712D7FB48667454A4A54BC6CE355107267E245675002AC83E00A26A76EE6081F8C621620C37A03FBFBDC6F7BD88A5D996BEA811F9F753A2486262E6452F896AB8F40B2BD97F95038DB68FED4A52194B9E85815E67DACA1EEE6B0788343999453E8758AFD73DC3E1B9088561305E929A0128C6D229743567C7885EAABFD9BEA8644FE8DB4D19187FF46388DB5C1583DFFE70DA6349ECA26E839DB999F75C1C72455643A902466C24717069EFADED38C138D6A499FCA999AB653F5B5DEF624EE990F46177FEC751F55833E721DF57F6B813A55C2D0C463D25E96A53DB14E6CB4340F6059C924CB7C4EDF94812959251282B5F46ADD9A97DC8951B6AE72F7FAF6EFE2BD11D9B34")); test_xof (&nettle_shake128, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("518802FDC9FA52A2A70FDBF2AF1B43EDE346E59B2709319CB57FE6480C46C7513868686CD374AA43D656C6BA98A2A879A1A3D973C46A10E95BD0FE28029E5BC8AF03029D744F4B2D9BC9D83CE895618B9E21E6C4C2D295A285F251C26D22CB1662A2AA4E8609C8503CA9C908EF853BA212A87411059118596C88795C972F8FF55607BF82B8C128AB5D041E86D5784B35EDEE160FFCD06314510DC4AF9B9FC51999D70C9A10449C5B62B584614742032BE710E50B42ACA942C7C73776EAB51B0FEF37F5447E8CE2198266E7FD1E378D5CB2F296AFB77600B64677FA13BBB19DA426288F423EC6617BD19A77833F01CA5B684BDC5BAE939A79B6203B22F4FB27F4BE92EBF337F9153CD3D78DA095C0E76C9877A1A80D2AE4DF7CE56A8F876F32E1134E0C51E52798389C35646D3165DC164C5F77ED519345D21D055A332F87CCBA7D3EF19BE950977710E9706AD07E30928639148B1250026FF23B04A06E62C2799072A319E8346EE80F9A0A2389C4B80B9A397C45BC1F0E92620455A1A04B6BED80B1BB1B78370992C5E41FB56E984421FB1E8465132A33D6D227C85970DF92D7159E6F59EB766C3511B84C85865DE1FB3FB3405D2102F1CA0AA4C1EB6A0EC90F6B89D783423D848BD70C8220C7F024A43888B9947D1E9E52A6204CA17B04765F503A887EA929AC4866890110FED0713A0479C6FB619C08BF2CB24E026EBC6151")); test_xof (&nettle_shake128, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("DDBB83438554C66AA9D9569AF53EB13DA65440E0B1AFD88B80DF59E767E069AE4C70741F68ADC2A674D66E1829AB7DF21BAD9665E5ECD655F756A78EB9F78D838461A03C1A6D1836B27DDA6D269ED65B7E352030401ACC8266F41FBA4E234D225EE32BFF12406F7F620CB3484D6757EF3AB69ECD675A9250200735826B630B72E64F21E3D84B135A35E1F4AE48AB2E80424C10BE6BB7AA78F8DF9C91537FABB91DB4D58428F6DE62364292141E9A7FFED93F16D1D36C3CEB4960E7CB8FCD8B91EFF75B027159586DC304051556E1401A6C555A804616AB2757D699BFB1E37426983C39F34DF6C1FA6C084FDC9C633B6AA331C5E5028BD185A4EBF3EB0CA4CC397D481F404440F4AB2AB7DFE0FFC935D91D417D94D9858F89D28B4900E634A5CAAADE9F149C6CA1E011EC684CFA3B3042F9A320501522B6211DA5F5555C87102DF37F17E4AD3BA55A37381D204FBA5711ABED49EE51F3985ECEA7E239FBA0E8A060A4990590795EDD1A936C185BF37AF9B95FA3E6294A780DC9FFFAD7D9319002D18794FF0DA59CC6AD9E3AD9D74BDBCA343EF694CFD333F87278E59CC445FBE0E622857F3745FFD8C90A161F7F49EA875BB1CB234C63AA0C55E530A72B19CB770FE91872A91420FD1CAB520EE922C2B6FB59CB8E516C303F4C74852769EF1787FBD7429D33B2FC0ADC18B23034736FAC59F926E88DF27D811591F03E7009193D")); test_xof (&nettle_shake128, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("3A0476C8E248067F0F96F01561CD0F6E55BB31FED70D2AD5F282F030044A331C6A20F14F254D1CA11EEE4226323874A1035C0F522284627B51F29EE43B291D24001C4A44C638AAE5A89045C141E16B562FC1893F39CF49BBA6D17EFBCFA4919A1C60D60CDB132CEF068A05A81FA5C374273FE366F4CAA16887C5AD1288BD066B741D234FF63AAE976E742F5DCFF610CAA33826A7856E5E5265FDBFA04007FF3F0F701850DE3E911FD71E00012DE9823D78E381CCBAF09976FD686811255423A7CDCADBD854BED848EE0ED2977FC192573F2F36C62A5539CE807C2B01AE7220C6139D1ACCEC6CA37F2C964BE922547BC692274D557ABC1E7D521D1215CC56260D0C7EF4C3EEFA6D54182FE1928D8179FD4508B8A4C7A3F78D2D0CDF76ABF581F0689D1BBAE1F7ED3A8AF23D687C369398C715F71377DA92A518EAE81C7587876691AF81B982340D71F3FF3836AE9E87EEF7DB14AFECE5F57E45746173E7834132F922AB5AFDE73076B67E446A0F096ED2BC87E12216BACCEAF1E912CBE89483B5E0BC35DF7C38F79F31C1567D16A321920B2D0E6F3637B2C65AC762239522433AA51EB34A2A174C93A693C187E97B3BFA4C8C9C7DD512A74F26EF74EEE24D3F425F0CC05F0A3A630806FB960437F6EDB2C31B0103B3933986BA9E0B2D26B554FB9AF7DB5454A18A8D52EA8445F6844BA7371511CD14FBE171BB4045C7377553E7")); test_xof (&nettle_shake128, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("868C7566EDF719D04D7457BCA5CA9B4B62F309FBE1046A7351F24DCBE2E2224E34CC23E2C859E83B8B09E15FD575FE5225A03D1869CD1879728825A67008CBD1C7F0535086DE803A3E55DBAD1BD9998EBEACE9CBE63C4500B5ED3380153A41C33948E82E2D375E70E2A8C3F1C1AEAE72D000EFCBD7F9DA3FE0422AEB9A10B81B07ECCEE0C227947E7DD5E2B277A80718015BF5CA4C9B3EA5EC7CAC5CBDC79642CC0B547729A0956C739C956D09FAF013F402D764EF87A5027049C4FA0BD8EE8D77D99F3124710DB8B274B1F8878AD74CF88F21ABC520153B2668B79F824D74C4F113A66A275FF882B64794E307182C5EA6C96A719FEC5FCDDB619579246EFACF142F976DE21ACEB21136E9AAABF231706C767A664602C676EA46C70F0BE2A7F9907A484BD6064E1BF132FEE115362DC13566F763F4CB29A3CCB68594D9E7427F2D29B1A3D02520A81AF9D41990E04C9766260841E86965DB59B764E1867F9F2B4BFC6C13BBC08C4DB843982E262F75CE6F0E034B58DE6ECDB71A5E32E9F91CA8398EC286277B0DD6A518031C16AB864971C243CEBCF3755A72AFCC186C5D200873EB27B070603A6FE494ADCAC893162CFFB544C2B69083693A407DD92CB4F6B1B341EBE491738258EC5D109856BF106B56E6B96481B933093DC4DBE2CD075C5E3B760D36F3B92A286F91AF57604B70206C8922ED21006E05A271F1415F84F6BA")); test_xof (&nettle_shake128, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("49D7FA3A63EE1611E9ECEFA88F80DFCAD8D7AD69E6A899AD04D102885AE1419F8E9E6897F1D6937177E1BD8CA104A7C227B8DCDAD473D0A2BC12C1A2287B5DC66A0F808D02C452BDFBF5AC4F43B38105B5A9F2E67A4C6C81FE5DDCC1AD3EAD625B29031FD5F1EF18F4AAE15EECC2B6F5A4336E5BE3FD7D3970D50261FF6F992E5A0F818BE342B910B267C8740B7F331E0623B5793D4146DBD8BA3636D12914DF35CCFBEEE62BF3E0033DDD26114EE709A641ED54C21A130C8B3E1F9A49965E48B8AB914AA2B2A377DB1873A1882625EBCFDD1C366360B8DBC631DB94BFF615BCAB90D8BAB3C14F2CF4A6E4C4130AF4255ACF14B2B3699EDF8753C745F9D8DC23AFBF449A05FE05FCC83FB609856A5BE79B06E57D3E42531EDCC13B1AEB76BE54CEDF8665439731CEE4144CEDC0E8ACF9EE2AF245769D24DA6261E368CF0D599225C397C61A87EA8C0EF648A74CB1E3C5ED2C6CDB766E83BC68299B1AD882CEF5B436608847548141FE1DB303BDB13771EF19674F196EFE3502B14A7A47283EE6BBBA86354B88A8FB15187E0AC84CE0E9CDF737F62C15ED3A4A6FA0708F91DA2190268C0923D1E696B5E98251A6783479E6BA28336C39E27680BB86BEC2991D82EFB40CFE6985944ED3B18E2ACC7E51BB24D0F2C19BDE84CB271FDA6BBB5DE6B40203AB54CEEAAB0D84A339DD84108929663A50EF23BCF1E79909E2275FDDBE57")); test_xof (&nettle_shake128, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("815BB24A227FF0B94478EC10D6B4FAC313D56FD9DED13E94A57869D8BC5E542E47CD97D42F1387757539A452C5C40492DA8A4D65190AE36BF2E169446BBE5CE0742A1A9865126EA07AD3875D47C5ED5F85C1A7A57CC350E05A4DCB1F052D9FF4AED38C5E1D65C05C3C7DB8A9A6C00AE2B3B45FEDCA8C309B2C369A7B9608AA365015AF193F33092D084B2A7AC5CFCC018A045A1D89989FAA5FB16F854453D9A6336B900ECC4D9EAEF9DE4C6A287C44D0E4866CC8E4F8CDE5317EEE01113DA6A64B88A1469835BBA057760EC1D03D63D9CA40AACD7CFD8619E92739CDD72C9A11B0705A4E50DC386D4D378E624818B2D36B4FFB6DD1AD2C9F9D2A8BC4A7FB73827930E98CFA03C221B7C9D648463B8C2AF1DD195A817C0E986E8DE6C11371AB830EF74CC5E734B56C6C013350C1212901322BFCB0CDDDF13344473E3950C393466DFDB59FFF9E582E9B79F5938B0476DE125FC36FF74C03CFB685CB09BFF4C234F272D9B1BA6A2560308464CE36DDC0EB6863AD42B7D0490091C05A745CA5F288B303A0FD08BFF7BA2265B6C12B25840357DAC735CEAD9E6087D38A97421CD4E54518D7C0CF0968860B6348D1531C56C1B4F6B5C7771377194EF24E91F9D9DF96253B80009341E10122C14D919A037C820822A23E47620B35D0DA729A1AE329F99EBCC26FCD8CB9C67334F8B04714D2B76D5D0EA6156187C9017E764AEA66E88B")); test_xof (&nettle_shake128, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("47A1ACF4036C3A62A24F7A2E1147F5729DB886339C7CE7A9A6E7613BB60C475724D573E64E4027F296023E762CA20F880AB6C73142D3D1D36C19905BBA147317880DD9210A75FD7C552076F2419432E46C858E69B7F7C72372BE510F07F21977DEA627514F6ECBB34DDCD6CF5D86B01BE3DA48481B25D56071CEEE2142A9956AAB4760666DE359A36B8808D1DF3F3C15F22163CEC7C1181445DF7D06E79BDA799A6C4F278968B677FB78C8157CDA2FB7447ACC2D485E6922D82E1AF596C760FCC2D7D83A6A4B52400E3FDF64A2A7E4D9D9C59930579D4516618FE9979B10562B35F26CEED8D53DE5B322B3BB4F1B989EAF31517AD896CE3E57F879D6DE9D4A847E4F7C9EE093D7AD482D84D947CAB0B6619D8895FACC2DA8BAC086E054B3ECEB72689DF5730FA6E51F98205B1FA5AC9DAF82A78867B655B39792C686518BE3024A5F975E97A021F64FC75014635371C9DCC8952F2B5404582855FFB049561F3E20013E74C8A05FD434516218CC6E463F62515B454B358C611F2902B9D11BAD43862497532DF84DE73A02054459B79CB956E6DFF229E8FBC8CC558D666E10660B87B9B0831DF729CD87A22FA33891D9CEB2CC7CEEB1F316600B9432346D1FC211CE1946946F33BA59D6B53F9208F8F1FA8362524448CF87A851CAE07D0CCE86E594B5EACCF0B4F10F8C4D414AC194909CFE526CC87FCCE1386C7F5537D10352F5")); test_xof (&nettle_shake128, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("2F06C83D5CBC776C9E2E490482D92BBD8D32B07B1028E046582DD17951C13CDFA27C065A2821D997F37CED1D3F69ED8A8EEC35A55C1419B28770800A66A8CCC05332C64B0A310A1F4A99EE9A18ED342CC03A89193BB63849A6F0288B29B0801000EC0E3961FD85E6CF488031F028232B8FEDE6827C7C24FBC33A26A87A9B6210004038C67EECF0EF9D19C3DC8FE2C7DB8A449F168A98CFC190043FD6E2FF366CC35556192E39D1664194D6943F9EA5B4675D5051100E1497C1970C2927506B5B717D2DBFFCC9F62A0AC338340C8C473B397B98812BC77202A67426ACB83F4A103687425D9F793312570FF6CBD897733CE7399A3853887918A9EF8D0BFAC5A303B9E66CEB5BA52B826EADA8E5E158422A6D42F89E986C30F9D8E14C8B3FC7DAA5B012452666612ACEE1884C069F98E476F89E74B35EF94002744108A0EEFB9A9992104973E1176F2AE0F560791B9486E7A27C75BAD42054047E87FB95F43AE211FED7E3948745624F8EAE4A81CFFCB4BA389E169C9B55FDE64DBC31E6287144D0803EC3F0E5A86DE5FCD0CBEBAAC40D7103B3C0BCC8AFDE491B25AA472BEEF91D2AFA59D980EF1A833002838A2159C0F9FDAE39489B6E865ADDA3EA6DC8E675E45A45857111A2EB49FE3ADCD52EFAE414B6EE423440419B310E3CF751F497ADED9BD3CEC9172A23FFC878DD9FF6033EAC9C4CE7697BA9EEF60B67665CEBABC43B")); test_xof (&nettle_shake128, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("ACB6638C5302BFD244F9C4F1ADEA0461562CDBC92670F2C0C9135BA8754BFFEDF6621FB48B702792F71AC3B800BACD3A18791642865247B75D086AE816CE17F6D0CDD63D0A2FDBA9C743FC9E3273E6834D21F12554B977A146906682B5DFD85F41BEBD1ED03CA3B67DE188A0547493753465D76145F5F860EDD2F8F3C09ADEA139C3E057AC64487962E3EE38E1FB9F29BB5FCF2D70993AEF47E56A26C70D200D357758A4B34BD9327DBACF987754D805CCB5D2F4CAB0E238DE726E6FF78239C0F2E020A1FE4D4F6CC27C0747ECA37B4F72A110B3B8715E3DB07DBAABB0E580C4F20DDCB7ECE60B295211AB7CEF858153DBF3F8D0E27F621551B317534E9680576D629C5928F1A03C9928A93B67B4FFA019DBADF9AA71D37E79D40051F6BC6DA2D567E3E48706346275DAA4506A0CE668C2D4768FFF917A11E4C1726842D315DB4D189FCF686C8BC1061A63FB05A73720088C9FDCA783EAD1FB390ABBBF0B6BDCC775CA9AC32A1CBBD66BD80DA59152C97E295AB35DDEB7048B975C9E2A794993852F31A18840528D2F297454598A3F31BF9973B9CE54D5E2A8012EB2CEE9D49FD8299DAD5BB566629F6EE4EDDD71E6D08C223D0A1F48BB804096B24BC6DA27B80AC2EADF7B7B39C29F3DBE556AF66463785707A23495E2FFAA815640BC925230DDE6E5E545A7C414543D55CFA23330BE5CC1720A816E4064FDC0BB45C0D9A426")); test_xof (&nettle_shake128, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("2856032A7399BC2D4A4D43D7DC024AA3040ED171982042E0D1A4063B6603526EB4DEA45FDB007AC0E61043A11A502D4C49440C174BB183979A5D3A35C593E1A01886C60472D40D161A0512E3372BD5F8D35A217391D5AD14DB17EB23BCB74D7701286A158B03A927CFD03C4062EC0461F8C9C3D4B8DE0D70CEC5EB018375E138278ED9ED366D546D896DD885DA0C3513C5AB7EFE2ECA848B270CDAC3D2FE7E14F3DE6848FE01D64D841F198C85CE57E16B06FF41FFD454B6C61569B71D538CE5729DC5A5AA1D4DFD5F1D3F4CCA0F424701E8857EC66C8DC3D44DAACAB9D05626751240E1E8F1ADC1E064AAF47C66D9EDB0EE114A6155E28BF4769F88C053313792CD9BB2D9687E595D321E152CFB42F67EC9DA6E373E7621E4379A3C22B4828412223AED28946784CF67B6CE99918E0C1217501624599E4E79E90016ABD265E21E91205824B7FBB95E9ED999C50F90C5748F83E71EABB66DC2C16CAB63C064BB88C865FD30EAB8FAFE0529312BE74B55BADC4C944C69B89D98E7E07054A0AAC8AAD91F53582B91CB22A56741C41998EC878B11671AFC9DF26B5261BE5EEAD565BE962E87A40A5200A0856123ED7D248431EFEC79D7932407A7D762137EEFABBBE0C6C482CBCE115FA9CB7254614DE54E361C5CBC4EAC03757B83F4E4A96BD47D8347ED5E2C9E96DF3F03A9762988D671AA75EC9F3B5E833570F13CEA7C323522")); test_xof (&nettle_shake128, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("6AB8F0F45B860126332E32AD1819FD5A23DFEEE2C7FE47081AC855901D2DA3F590FB64F989EA616FAA0533E49A3B08589FF2DF8B8A27BAE25A23FA93710032F2DDEC4E3F905CA8AC37CBA1D9D225B2F62343DD5418283DB7D6E427EF537650944723DDD7DFED6394BA1540B2FE72944C330CFAEF76A9CC3998C1B6C38A83EA71B075F1E65C9209BEDD565149137A4BE1C640F4EC86A556B196BDF14F5C336418DCA1330CBE1781DFCBDFC26B562025C9DB90461658C4F1947A1B1374D8120168A1AB8D0CEA7527F0503F19C4605463CE134CABE1C72866F37EA2F105D44A3F2080DD42DA509ECDB1EA8C0AD439820D4BCFFCC5C34BF78CD8BEED8E394567A78864517CD183EC4366249FA9340FE4A112DBB418B32AEF24426CC95E12BD243F3BD4E744407F3B461B7E8C7FF096F2279962D60E778E1C362A5F47E4ACAE0561944BE126C8ED384BA5E71F8C23FD914D525D3AFFA915CEBA52CB3B6265E003D6B2483C7C331DB0F56EB5F4D0B4A7DB558A154E34F539136C6869126FE3A7FBBC07A92CA251A6ED301CB1A8415FF16CC28D1482FBB7A70DF1EF2D5AA55A084116577301EAACD88BFF5139D091D0BBAE55E31E50FBF28952E7071594FD81B626FA4194D97572058F217ED070B97ED42D8C7D9DCE730D270A01BF847929FF0E2190446D82F93D9C2BF309F836811DE1E4700D9BA736672B407E539219634F32956ECC")); test_xof (&nettle_shake128, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("6E9D7E55E8B258208FE6C1C50CE490BF81748DEB2B4401800C2423E9479AF3BC1B4C37249A2DC00F120DC5E2114ADE14C830437D6B0190FEC5AAAF57D4E9C5078B867B2905D48E6748E85CDBB3F1995389AB373014E6237948B8343AB418716F0E9971DB6A179B11277ACB2DF6B6B5903EBF311F2D94B10C3AD0BEDF2ADC7486929C8C43CF0ED6673C6468CF69B493C9EAC2ADE0AB3987179570886A28C08D0DCC83B0162A8D459680FDD2422C2C40A44E3FE55D0AB24CEADE4063C995915794B0C842573E2E7C4BFF8E201D3F9B3E8F49D90186AABC9DDC6110E98E3410617DA24FFBA5A7E5C3193C16B70CD6CF919DD6F15DA3627F42B6225EAF4BF1851A570E099FE3B8E7D746C34573A74744D42135332DAAC9A9341E598C714FAFBE052F7E745BA1D424CBE0CB1932A9E497D2111AC597F7E5010A86567C51218451EC3D1461D1D2D54F5E8754C854CD4D60972BC09482084AB865DFDA01D1C7AE4C749BFBDDD19BBCD95E8A53009529468BC4C47D9015A119B9C37DD2C149C65E6C99699C69C3CFA405C65E0E51A3585D35EAD701FEB58F1AC72D74E87D2C65FB072C11B235FFCDE39559A45F881DCB292CAED95B3AB6E0E468F86A235E2D83708044D75E768A2F3EB13523338761DBC38A8E014052DBD46A0064AE0255BAFBA6A0C8FBFB40CB41DCDACBC5466787638B901AD452D7D50A0C610001FBB6F126902D2FD5")); test_xof (&nettle_shake128, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("BF52ACA76D241CB569D39EB2D8669D1B2642C0CDB8B141E87C3B1BDB1F202641A1600AD388806BA9F5DB50A7CFFF97CB23EE977C0D3899F414FF5C47D689840F59E7E7DB2EDD92AFF3FB36FD198E7BF5D81FA279F743FDB6B9C00E974065802903DC40CC3E216FF727A72F267624894F114C62E7B101D9DA391E3A205C7B492B7EA28D836AC6657960CBBE4C38A73F87EA1F8A155A62C0A5D5BA821D9ADFD42BCF42CB3150267AEAAE507A4009BA8DCF70A13AFEDCB2121503CFFE786304E3AA980D0FCD7C908406FD2CD9CAE45DE97414647DE04D03C1214C967A14756830AFA6F83AD91CA66D9DE50B8F0483F99572A284BF9468A6ABEB45F335EAF0782C04563DFBF231956BA4575DD9BDFA10E2F6DF8878415B357867E5C22B9CF349B480DD0CA1F7CD432FCDA057A5F9AE580814A7CFE843FA831A5CDB87646BCBE70229A3EE7CBB3094E591FACC8680F298E10E1383D3A6387A503FD537A6ED924903CC9149879A95A164A8B3BDD385A69A93C58AACC066FBE4E59C7F6E16C00E45BDC19EC267F7684705CEF34D830ACCC03822EFE9C1B3903C47FCFA91FC7A7B58240765EEF217341FF96F0D0CDF5062D8B1939185C47FABE5498A784622D1B2DA0DBF06DAE6F661206F98EBDB257BB2FC4C86EF6E7C6E31E7756C8CFE7C4842CDA9878D6257EDD7F204A009A9E1A492F5ABFD42B48593231324728F8A510C47F516E2")); test_xof (&nettle_shake128, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("08E74B227985F88B7C1884A179D0B9C9F58BD2078F8938519F460511B00003E51A8EF4C93F69B716DF11DF2839688108ADF72476D1675E4DF3399C05257B1DB542D92F0E27FC59A927F00C4758ADA0FD95DB9D3251C01CB9167B2D6310E051407A2EAF415A2E478BE53C3945A702F04E25713EC2E2E1D51D636870642F6023A43FD0859A3B468A9502A8EFECF19BF97906E199C095464600B0B7A1B180B841158C6C98D13C371F7AB56496EA14CFF3110AA9D33869069A1F9215A6FD99CE9226EEF5A272B004827DDE0E1B1BF4B0C0CBB670CAF16B1840C6E88E577ACC2ED4493C598B938AECE1824717964048786D9CAB9ED14DAD9F87DF1E9C374010D89D4A8616CCDBF687E12D7CDFB388CBBB88B56FEE3AEDBC5360088A49FC1B2E1DD5518E0E00F50E3C922C8CA600A41F72B985F02E32A1F9A1FEE1E1929F5746FFEB87EC41F08861EA3463ABB9803CCE8C8257853FDC0B0C077D4255DAD1FA9E5D865C981BA15236828E7E425F5DACC4B738DE18E6C68A6C925B72C14E3042916117E91CB69311081E4E845B09679CA0607BBAFCC1341B283BAD5465633073E5DAEED6541B1FD09537EDA2F0D2A51CFD8715D3064FB074B52D48D4E7175B4AD0A0A6084128424958275068BAD56B5AD2769918B6AABA7AB1E8C9F88859B3DAB310FBA2FF67BDD3FC9E0B2EDDE0B716897220AB75611975E137DB525DE4465ECBB2D9D1")); test_xof (&nettle_shake128, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("3B3E210E0FB73556801A2250F1E76C45DAD31E12F9EE3448640B73D5AFD6D2D6FACDC1B0CFA53F46A56923CF16B6BDCAB566F3A0105E442ED7E88C09D705249BE34463D435C14D5118A7E028DC35FAA98112F80D816ABE04F7345EA55E7F7652995FC047AFF6B8E4D05C24A0C78FD9FD40835E523BE7867312630993FC9E5CBFB47048453C205880EEEEA2ED9A198AC145537BEA2C216A60774C400444C07CF6546159EAE47FD6CC79CA43D0D26C79DD13F39748A696F181984B5B8EAED82976C9B0C63C915BC2A2DF91139618AC82E4478EA26F9731D422C692AD1BCF483936D99F65CC8E5CE20CD94ABC2C4176B668D1813AA3ED84CBE68B8C982A8F884671CCD29B70EFBA765CB4BE7D0D139798FBF344D7D1829F3AFA946C3558B4C958A9235E4E96B28BE25641120E00EFE178304804D90946CDD1DB6229C0147339A1F75FBEC606A3B3FDCDDD9235EA6BD3F166AD132F8C222E45A805D166F8FEC56D488A2AB66737E3238E67419E194665DDAD4D8214394A4DA1AE09E0EC4EC5B209C18004F4008ABFE997E456BBF99F1FD9B31E69B934BA694ACADDD534E4BB4472179403BF9014A9EC311B16CA2900C669A8981BE3B5A8A9D3BF4D05028FE6D3D97D54B9BE443F9B0F73E59780D09AFC937D1F36C4CD8CAA1EB2A8522AAA175FF2E4A3285849C059991174BEC1BA6E42E399C4AB0A566BFBC09CF1B836BF42138026")); test_xof (&nettle_shake128, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("615FBF41D7184EF0EDF7AB0B079B76A4A7BF2B10A79A2FFE8D22E2F0A8B6280559BFD74E4F68E7691264A5B4651AE0EDC504F6AC0677E14389D92913660E75626615622DD458B7CAE4EBF1DA4F7ADB0771A809BDB44E918F7D681711EAE7ED84745A1E7F3AFF0931162BBFBE975C394AE6843CEAD454A00EA54DB5A55AA845413EC88BDF9119E238E6C84BCB76342FA8BA1A448AF7CBA6D0F1C964EE981AEF20C5268BC1C3AE3F723E48D1932CDB14B95629DCC5269F2EA77F277354BF910B05BDED92D6B8BAF9601080156EF0D1600E80D8050B99243C64221E9B8AE82773C6BE95829203FBEE6CAEDF299509D6A2DA570320CA6410E9853575A342F9E9AE76E27E1B0C892B2C932D80AD2B91A8D62D805FFDE196DC1F169D2B9D51F28FAE6546887182B91298B7B2FDE472BFFD86384EE1B78B4B5654F3DC38FE4400CEF50338F1D79B478C6781ECA2130CF3A86D9124C31754989A22F022658CFA62833CD5F25A021B03A84A7AA3F8890922AD179D589E46B535B0E6033C8383CD6B80324EF8EFB3BC6CB9CF5BA0BF5F6B185B83EDBE3F0BF27A9942FA87D172A5C9294BD63396EC8E1A5C7EE0BD7DA1109A69E2ED928025B8383C55C6EDED0BB9E23E15F50388209B3508FBACB7DAC520E0327F2148FE27450D0C5C06712A45011C95D7B02C0E0F15BF8C222527451C1DA4AB70CF649A025F8C95CD919E937B079F364C97")); test_xof (&nettle_shake128, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("8043574AA03D7C6409677E5E579FCBCE191118E2161C214640D725D384A3D941857498CC75480574F9BF4F7613241183B7B1354D4D08A9AD1AF03230636A14D40A30A1CE8D1DD9CBFFE41011E40D3FC3DC1ECCB83374F14209EB83BD16861E161882CFC86A5332BF0357DE84D38CB6FE65FF8EC3C8A01EBADAC09FBE960E5D55F752878A608B3E67EA840503D59B6625B42570F74671B4267246995B5575294D20B6E693D02395AC5329451F905B14D7FFF86A4401F78E6CC7B83806C19F30AF6C75787F56222B9FF673F5631165ED8F20DA13167F4DFA4C53476D7E2D7F76F4EA6DD77072FEF26AC3AC7F65EA2C4F113897D4F00ED38CBA8AB162B1BC3151D769D24A42DDF88F9515A04E3FE57FB4ECAAE26F608FA6A0E30166F5A12223C10ADB56803343E938EB88C839EF9F91FC7A0B9DF899AD3DC328166C8AF33DE8560EDE98EC371A22938252432FA57716C4058B7CDFB1DD7F5087CD45EAE5BF1A4C3AE03C19CCB580EC122DFD54DD2106A4E5A647558B24D15D30CE2FCA05673F8991003EC61270F279B7C2DE67D1930A5C948C9259D4E9DBDAB2D94DC1E1403697499544A1FA1109956AA22DA488B61A97E933FECAC59711E1BD5967DF18130CA394FDA025BA334B2857A1EDECB002BA56DCCECF9044E579143DC47BE03072D935607DE1E674C955A63508CB5D42AF7FDB80459F4A239DC78C31097E71C06924092A")); test_xof (&nettle_shake128, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("2ABA810B7512B1B3B179995F76F843BF39FEDB5B969267D5F545A605ABBB3F627B59550678B4E3C3B8E0959D5907F88B814413A5D94B0011FC8BC445096CF1B49D11FB2A4EA1EF1F219F7DDEC03B3678F2D95DD8FBDB7A1604AF0D8A5F3DC33E257A54CA3EB50C49C03BC55545A36F807ACE5A69F2D7069D3530F304F419B8D5DCB80890036299465C3C9C45FC49A73F9BE6C869113AC03DC5DAA116BC60F687DF7DB354201DAD9CD841467C27E6F0ABDF5EDA1F8B7646365A93BA71E1FF6C28D83AB5EA309E2C902A6A1A6396525A97EABF4F69C56B3527811046674F99EDD2779AE353654982A10C22BAF7FDDE401CE67E8044539995F528B398DDDE5132FC156E5587A9A3B3D5329F8DF4C55E86F3FEC30788D8E00DF696CCC46A564F2371932E21A45541315D8C31DED3A161E0F595EF47F8FB1DD7F1B57537FA36D105F1AD0E60C917F01D9C88FA0020349CCA8B01D77AFFE23CA4B575ABF1E42726B271FE77FF0FE81A8A20C06AC8DB699AA2E11F05CC5E9BB794B7E1F847F411FC4621281D257219709D38BA231E7060F745FEFF6B4BEF5DF477A24ED763E2BD49929E6C8C83EC776BE988A8528B1FB360BF5D7BCD654FF9A1CFE1EBD5F6F21954F155B1F6ECFAA7E6CD4E52D9B08C68943B29B54C5628F3EF3A966A94FA964A5874BD2FDAF65A663743F07EB0D6B3B3427DD419C8EF627675593728885A3DDB1E3C4D")); test_xof (&nettle_shake128, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("3582DEF5C0EC3C751727CBDFF5D9561E3A0F9EFFEF28C063461605140A2126265FA88C15B9EA3AD5CFD82378F78AC98BAA5ED67969473ED9177EF14F44BA210BAFEBFCA9C8DDA7E1AB5C6881AAE8EE0C824B47493C38EA7B5180323C7E962ABA1DE928A0ACBA596B2F8B7AF188265EB92C5BEBC9EF0A41F692E4B762990A40866AEC96CEECB20EF9F7CCBFB83A85485163789811FED7B8E0A43FD15CFA4BB13099F3CAB95791F8B05F5027672EAC2D397FDE1CD7E06FAD506CA1EFC22AD9CBB354D98BE5790B4021C7AFE6EF25D223510664DEC63D35158999C9CDCC513C8C7E93175A677A30259CB280ACA38FC7A8997B663A29EBD98D1C35F7DC1DAABD6770BFD3B84F1C0314E67F14E7FA9A881C21BC0E5C2AFD5F1B14EF4EDF9AD382F7D7E008934EF762B41782DCAE9B64448ABAE73D5A3CC80094B4F9983CB92D61C3555E58C0D24726E8073C39C3480FB2BA9F8679B9E8618CFA04921741B3EE72A276568068334E61089CEA277CF0D34EA33E02095BE33202EC69D2314128DDAD63F001DF3809BAA75E3A5720B34E8C7A63E06DA419A4818E48B30D8B0AE2E2405053C9CE76AC45C52EDEAF6237260F18940F0300125CE674BE744DC2A07262A146CB3BF595B59EB499439D94F8135DE7E58C0FD09744EBBB97BD4C10C178904F52C7481B4D808E663DDDBBF3235844CEA3DB323BBCEC1756BC4480C4FED0C14E14D3")); test_xof (&nettle_shake128, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("8C05C9635942C0661C29CDA0375395B595A82E4B1EF87D767E5A820CC6975F2B1AF87B76F69DE5BB9B77E14753C2EFEFCB735601DF5CB4DDAF5810BB89AC8863379192C578A3F2FEA30994EDF58F5A995857AF481FC4FBAA552E6564AE091C3EC2C5FB5144798405972C6947D45696F7E918D6820274BAC4ED1E721E85EE688E7EF7E6B4C87CA94CB6AD3221B5B0189D2F39A5482FFAB8A928A8FE4C117827E33E9C8B024BC35E30A9475D54293F196C83EED3B458D7E676A48D2BC2E09AD96167E556F00799E63C8C0668AA3710769C6533AF4F04816355BF4E88A2EBBA1B442BEF0BC9F7DD85A1FA42745893CD1F87614356E42E897821BBDE09CBA135ACE56612AD79A99A3397D2BBB6FCBDC505A0372DF7ACE31B53231887A618E4E846E3E458078B4AB9FA4D6D4D118F16EC8AA376B40CDD1594C0C41FEE2DFCC866FFB1F9B8AEFA04435F895B6D73E2FAA89BFF85FF14C133729B3789251E2A2CB38B8D5F9E6F8F0EEF26FA1A17A8255AE9EF58FA4BA9BD8A8FDE46ED5B0CFE9BFCBC20BDDAB37812FA44B0A1A99A6F10CF0E6BD931B6AFE22AF298483FB4D45BCCE9FD79C5A9CE2EB3359CBBB4673E0FEB2D1677F06A15F0938086DAA9CDF2B08FEF130BC793134369D4344D474F93C3C9EB877D0DE0CFEF351FB2589436DE6247B51352CA913C3E774B70655AD48BEFB6E4D494A6E610CD968E8CC613339D789C16DF")); test_xof (&nettle_shake128, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("84E7658F462F68915CCCC917B3F7A01F18E9E883CDA1FA6C856E2D3B77C53B9E9C3841EF72295CE3418319E1DAFF2F58AA0CCF89C1107C459B505A46DF314E670B51753CCE3701822C4FAE1F08EA93789FAE1A8A61755FCC17F57C8C8E344208A299995A3C3ED6266756D17DFB70E67F27621A6AF9EF926ED36F3CB169C9BFBB84DF0B2C51602902C12F519EA23C3B4B8BB2B1241798F72A748C6AE4E439CF4FCF0FBA17407D1366047B4A8DED133DA17A5CC2BCD4E9803DF6E5FC76A732EC64CD4C556DC97C8E8BE5BAD0FE5FE440E462DA16FB1C7B18A97F58DA4B5EA9AE8700A3E2D1325EBDE9DBAD97FAAD13DB86D8F438588AD1E966E4A7DABD0BA4A3907DBEBD2B2599718B885730BC1D7491A0E2FA468F29843EBE5E551E0CEFD21F85568D6A77B8515EF42908360B57CAD79B0004724DD117028BBCEAADB514D45D76FCE77FABFA64C11B9AC2BCB830F77C79FCB67A71D669BF7DF2F3B7F5F9FAFAA9571C1F2A03892E6BC576699806539AF01C1A840D6B168686C5F0874BBA3EDE49B161719927B5E32E4F19982D6D32A0453877F08C592EBCF7AA323F78A66EE81CE5297E3B81A01EF64FC9454FBEDC15C13A39F6AC8BB9A0CEB14E879181F72719F325B8EE60B3CF56CCFB42FFF90CF1FC987F4ACD7F052F137572809BDDFC6D6D0A7F082F9868F3492924F8B9BA5D924C961A4B9282F312916100AED0966523C6")); test_xof (&nettle_shake128, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("83E17CB699843EAA6308F12943513AB4E4912203026F4653EF6711E5968CFD2CC135DA5B4E87707CD732F538B904148B0A50BFDD3F72155D85A22936C2BD38BDBD2B13145ED531E85F2E0319B6022E8F2115E6FA99E8D92E8AB418A84AED36D574B82A282099DB5FBBCA069589A3EC308E76B03C8F6C3C5CE11DF0D5635740384A22F9047C52F8C561A9848F0104167D8BE0A4BC47BB8A6474180BBCE3EE691147B74DC57FDF56420848DECDF3FC5A06648C1C42A0172FA02DF905F8318482F8189D5351751DE1ED5A63512AE6A4C456FB7D55F83142CAC479452879E71FC774C9BD9FEA4560ACB7786CF56FABBBD3881BEA980061623645BCF1D20448ACBF69FAD1030008BFA7298FDE63963386AF5C2B230E9E367B78C4B172B142C7EF43022C866E975F71128719DCBC2663D892C6C4D888E66C67D9E767AF52231B93DA9ED7895B4B015D9D84623C3008871B95382EC788FB58222C4DD8834054C694722248F4A7D0A77E4BD2A5C418BB5229C0E2EC9ED3E03E79E3F824C2C6E1EECC72A13E341F46F3E30085B3A3FA0C55F59C56CE150537E305C37263AED88D8EF9BF0CDF9978636E03E7DEB701345D9442725664FCB38EDEF923CC11CFB94AE152D0BAE72E09A813A3C25002FABA1DBCC0BF5102BC466D348E6027F5AD72FF9DC35D9C27C4C1E5DD39A647CF24269E6437FA114C74B6C1604B906C8F5ABA1AE06B1BD9")); test_xof (&nettle_shake128, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("2BEF02AAAB7478A7F4B6E3C22AA5A979BDBA90CE91A42782E785AD6D06F82EF0017B54C408CD7027FB3057BEAB1DA1B150E54194BDEEB87F65EAEF6754AD8E00EC4B3F98ED2E64B85A3907B353D68614515A2A2D110A1E3249286377446C5339284B3C3EBBF8D841D49A34F7C79C935A69CE342569E173D87DF08B332F45C42C9B318C6B02F4550058E2E0697F1E1E76DC0DC78F1DEAF7A44BBB58152964DA263F633F09FEFE2C62F4A482209FC9715B0C424221F7BC81C67F438D920E7D9CEF3D98BAB3A27AB5E136439DA3C5B8774C01E6906416F0D48675751174F09DCD2185AD246CDD351414B9B5591E500B29AABC046F048BBD5776DA155B13A5970F26B393EACB372BD28B4934A6F252BC45F7217B29FD77A1DECCB20B060C9858A98485671E02ABC45DCF956255E52B5D21A59902A33425BD6853D56C18000F5D637CDE2F109EC6D9FD3C5427E6BC2468A71CFF6C57476FB1A850DF304645C0E64F969A541611298E1B19F95EA628937C2ADFD563FA309838EE470FA4810317177D61ED849B9FEA54410C877B1C5C59625AE5314E823CBC1D3DD79BC1B6498E22F7D15328EB55D0823AA19F0922BE4D6F545B8A2256EE141EEBD18FD1644368AE4DDE10482E8758E4865FC1845CB50155F574E177A3B0A446361801C2847FEDB035EBDBC0C7A67D216A4EAA7E04862D6C09D3D04693DF25BD2E3FE0A43AD80A9212DA")); test_xof (&nettle_shake128, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("824271A836FE959710453742E9D957981C2CFA672894C8A886F57F79608DD62FA4310FC0582528E15CA09C7A92D1084D45ED2A3020A9A2A10C2355FDF052EBAA1007B0C01E1CA19D95B1B05C03167923927AC26E33ED6A823C72D105A2B35085926BDED8E59A49CBD7C606116BF560FAC1364C7E5860A919167E844086D648BCBDB5F148CADEEBE2CA2D2C34E9BDE155DCC9CF99DB22785D8F5327AF41BA93AA1DD59A25F26615FD6EB6D57FF6475FE10BEDDECBD16CE84096CDC6AE5A6B7FAD0BFDF6E8CFC974B082A3F0C6D8C5B25295A81BD2650446E7447951F7002FD2F417F4F553F2733D294FF90C629EEF9FAF0B39DC9CC4EA6B50D438369FEC506BBC185D37DDA2EF1C6E7079B09BE893E6C1C62C24E6296C8CAD9921DC182F23C027CB753212E3EE41C401396322A43F4800C48ACDA4A6198E40B76F0F6CE78354BCBCC33017FB30C33D7A90AF566F4BD3BC2CBB08E800BBC7F309D749F9D2A352D9B284C358FF2109BD2C2CEEC6E85BC16B83A7D666E582C3E3D39A6A92C196A11A397203F9C5613E2ECC8B2B91C229FE785040A17485B3DBAD2B155C270AB2A510CDA80E99E1A79BE01C7262C217DDE69D068753F9E44A3B035E10BB7AA53F397D7A1EC95342DDC973CDDE9583B8348D832B976B255362240C5927D24A00050F970334AA404C531D93621516DAB81E0FD89611C238D85454C6D77F1AB5D7B2C5BB")); test_xof (&nettle_shake128, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("3768C48BF02D0DB9AADAFFFBD228A4119AC6B7A815D9C74C714EAC4B4BA4A062F7E9962B98C361A6B596838C671C95892FA4E82A95C60B9E8BA787158808C2C00BEA3BED0AB4846FD57E638DD29B2ED47DF5CD19699329626F6BDDD14BB709417A972AE8020D05AADFE12034A98F9121A191926566C499C536B2505AEBB97C9C49780E5E0007EE5596717E7BE42D40DB322BDE5B7FD227B15987B599C71F1F20EB8BE722DDBF3C76F9EA58B490EB11395BEFA02C259505F038B40E312B5AF1519BB6DA9E99E0214C2249A1E8C534D768A7DB9EF46970A64C6E5F746B7C50670CC8E7765C4B55B26F3A53E4C3178F9599435AAC9B96A203CD04988D1D95E1B5C29F632ECD66204B7BB2B7F776F2DE67DCBF7F0A81FFA1CD18506B8FD9DBBBD354E3CD388F21EDEC9A4EB319C766EBA3E1E8565B0CCEF3698592E19081472004AFE38FD8B17E6D1A5AFED52EE44990598CE17E09DED65965A380E3452CCE6D053F22F1E8CD24A76C74F6A69550C36B43890C7E239658B7DA6DA768869D3D96333BE7422AB7C2B5D90B2C3973D666B4E399A2C5F014566E3BA919AD1964A148DA2D35476B17799B82EA54AB6CA0BAA098D0734081C7D52B7DA8150AB3C1B8DD1174418700C46036E3918E5A21E70679D72952025FB52E9348509B4F10F412A8C8C11EF59D57A3A77C5462253C87475F38911AD2B08732DBDDCC6D6A1B438896327D")); test_xof (&nettle_shake128, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("EA94DA7FEDF4B2296823EB57F0FD81468F4476E6F9035043F84BA952015AF88E68233219E4D31D809A9B13A703EE6E99C230E1E037D777FDC6B4BCE3F81FF2E7A15B9DAD86F4816D1ADF0F5C34E6EE2FEC26353444EFC417BABE16C45BDE0CB3B06ABD19F354F5BA5298CD486DDA4C6216D4826C3EB1B221C24A63BE7DC751F8AB5458000C28937809359A4C49200949048156D48D537466EFFD085610F221454ADDD95519071C8A671EAAFBA7B6F894A3274599C76BF0964801FA38B601869D4C04EE9FC6AC7E54B4A6D8522912F5F3F2A7C6CBEC20FAF1E164388D932C5260763457D27525288BE09ECDFAA1A892B99AD0DA9FC1CB3D60B1B85DC953CE9B37711AE6BB82A1F96CF2479155BC3B328803D1EAF56EE0F02223BF167FB33E6E7190F41A121DE59B9FE9790C8FBBC2B1B77ADD9C316D75A7F4DBDB52DA2EDD9D2356C6AA77A1CECB5330ABC382A748C8972FBD78315DD2A4ADDF335D18D5C97547641F6B5ABC4C5F166265D6934C77879A5B4CADD27A8A7F9F817ACB1307A88970D29DD929D5B03A71D5B863A997C84D01B58DBA539CCF6693B6004812727B254D22480BD50C5E07F162DB59EC112E1DCFF813BC266F704357202AD0723B373BDF49B1EE3D4E24D942D2E8F95E41FF496B9F4F535601980366FA79B662507CAF88AACE17ED6498E6DDB65C799EA698C7B8A49BF48021CF3B41E96225C43481B7C1")); test_xof (&nettle_shake128, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("73E672E46B274D309899FF2C8186AF4A9F42872135309C85621347C55EDF8D3B5A7DB51B0242618AB6D750EF75CF816C23A0DDFA21ADC9976CF47A6957E914BAAB02E4C2DC809C0D2F67FE759E92D7755CE965EA4B4045D6172E1A0C749B4498795FC375AA6894118A1BE2821A7878D25F597633CEE5576B3D15E23CA7D664709ADA20E3CC182D3004B102BDCF5566AF522C5511049FECCF80D4A6C21D7CCAD1B24DDDDDDA0DAB0C2FF40E056D0A715A31DD35679FD4A4CA8BDD17293F7FD63319BB5B4ABD3698D574BA5D36445E7FBDA9EAB049F6A8B277C0593949DA84805036B776368566F622DF37FD3D42EFD06EB1D5C1C2847717F51D236D4317498514D95E1F4587669CE819DE249EBC8D05D55E2C35DBBFF3C017C7A8D55B1B184ECF72F288948027E2AC2CBE6589B351437E185A888EA5AE7219B9121E438EC3CB397133B75330B1418AF085E7B42FB4C3B0F41A95BC6583CA7DED8A470E2CEC237013DF9CBB866454F276648B1DC0BFDC6BC5346348735764F19F08905F1D17FDDD454BE1B0E8DF34879B4E7709BCA044AD49A14F9EE971283F2A20CF6377C648E9D85599FCE482697B8FEB218418B1EF0979935E0F88EA5A2D38506955532A0B9DA8AC1E7641622DCA9F2E31642AA41DB7FC73328590B69459741998AB90D796293999BA8A2111DF20256D2FE50AC6B0BCFD5EDD61C260512EC357E844596EFF10")); test_xof (&nettle_shake128, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("BDF536D8B28E91F00B710DECD109897B4E96882AEF06337FE83B053EAC20CC54523D246C41C9DE3115870B82A1BB2EB2B1E02CCF7A4E607BCEA3DCAFCA38F237DFC72D447CF8C544F541C1B53E7769B0CD6F2EC6D756891DFC818323CC1E1AD565F9130F59889798E418FE5FEB176E77F5FF8F10C6ACDDBC59C8D084AB19DA2EE5B737E537609BFA6F81DF1846B033663D586CED1F4E86D99131D37EA5807881D2DE749803E333AF2C360F8EE9FD99A166F3FB8F0C50BEF02DF50EE615C08E88299A1F3CDDF290A3BC9E4357F3D93D76EC5DF462175EDC5DE421A6BA456EA7C42ECEA24EEC74011132C27FC63F1E969B474438222C7DE33762F5377C197DDE9AFA9912900FF25373EFC3A3D023E091350D0D269BCBFF64EF35E2E1E1C300214C3671932CCCAD7C871FEF4C969B34CF6E8B0881C2F7704B455F118E3BD37A74BE89354D8C8DFCF649FA03701AE17B705A865C7CE9ED81E4FB374EB643294356EED48B3579315BCB32CE6C7F302ED5BCD68F2183110EF7FF60AEFAC6BFB8252BC66C0F4026DC37EBE4D9783CA7459394E929B8A83FD8378D9E097AFCB0A7163F16E5579E8F5546898C4B521264CAA006B3FCCDF46FFADC1925752EF47DA30F354D66F763AAE46A0BFB385FFBE153641569E5E222F374F8E21EE3EF8D42663A4C424803E7966F2F0A1EA723A06C92AF2393C8FA6711D89514C20B6170DCA448FD27")); test_xof (&nettle_shake128, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("B5BECCA38D903F2D87CFBA9A80C51D4A0733674C78EF85BB236E8FA64BDED9BDD01DB1905E46F4210BB65BFD26965AA3ADDDC893087AFB56089083C72F7649CD5987F449F9668CE66ED21514C05E7F09F52D84FDE30E96353D48DF0208415DB51EA5D120A7182DC9458C471127253ACA05D52FCC18B73CA1C3A5BCFF4D3B6A41C450826397D9B38AC5C8E301C7A4077EDCDB6A46B3979128F20B1080F7768EDC1F651D1D122F97620BF2B4E9FD20189BB331FF9026EA58D7203FFC49E901FDB9233255F349A19AAEDA9EA1E4F3C45EA9C54F41CE1625C0EF02DB370909949BBDFBAEA49FEE3E3CBB74E1807F553A2000A3C753BC5D529B4E25154E2C86F755645304F2D18ED0E62B62C87931DBDAD5D1CC9CBB64430D56AFBE7D4C708EC992EAA8E13C5B3CE0343C30AE3F09EA3ED5C0C933A0C76F0FC18FFD4BAF93BF95B2C1023DC87D4D641EBC6E1CEA6E756F45FD2E58E0562F43389A1048A8BC12C8B3B19E05180597B5CA79B7531C6B8FCAB88AC1AEA686494B98E211C975B48B7157F985F25B168B93FEA82218A227D0B89BEF905A5F13EB37438831C2CD871FD8A36A4EA22879570B22C63B67BB60EC1E415F4654F6A3EA5ACF74DF41FE09DE398351FDEEE499CD98DB89B320A58EE62F8569E10DA4C68B9B61620E9D51A343D06CEB484CA532AFA8FF141A4ED8EAC22870D72F5E1085107781D2E422B3EECABF88FC")); test_xof (&nettle_shake128, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("EC7A09A04EC20DE5EE683681D42177715F85562DF50177CBE122DDFB9C5E81EE349D3E2A18726BE2E46287759D6D28398851ED22AFA78BB4B3A41C76F7006F785887D2D030428ED6ECF7DECBE20BF09B1A321B96616F9D1F4ECC90BC2FED1C30C18BAA23455303074F10ABA5BDB596F3BB5BC1FAA89589A92AA95DB198915C1FEC3420D6A4A5E79808012DE71B41CC7A77AB96821B5BD1E822A06E698101E7E4DE1E5E7CCF9093992C0B62419A660E1AC4FEE0B1D0C4735416C18570697220ADBBCA56289C2475E17AC6FA89E96AAAA8D5F174D6D9A3EDB4A6BEE4B606D0B789F942A1F8D5BAA758AF6F6DFBBE59686FF6A8D625302931C34C8D908BBB0C5269ADC95715F90259384A0F88B6BAA1FDAA5BD57F5FEB2FE0B968120AA0206F911D211C2D77CC465BB6E1839C0271CF55F12658A1FD1F2F4538BF7E9FD784E4C12AE95A5A2967D2847EABE150F2E113D8542B9A7CAD092B3D86AD4219632C5F3740EEE45AACA529D83F0BF3CD656384848AD577CE603D31B70C40A55DB571868C1F5B7ABA3CF853CB0ED682BDE964C3051E7E81D4454906DE1966491E1CAF7073035268311BC1CD3590656B1321D8D6885D15C0BF840BB40C0FA4D127878E422DFCA7C3BBE8CA4447D5228F83E453C94002C43F5D87E989627F89CF5B6057DE6D86D2A82ED982035519F47807CE6C61DDCD9160FF0DDB3BFE08ED966C08317E4EB5")); test_xof (&nettle_shake128, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("E65D36FD64B13DB62CDF8640E6A217CD4952BE909BE1119B04CEB6C8A71550E953BE0ACE373231964D61B89A575AF582A66D7BB1441EA399D59A7C585D762433D64F44C53DD9B8FE8F357A26DC66E04B15B9FFD0FC7C1B4ED07DB3E4C80A3527602DD16BAB1F8ED85A821056F97FE2912411F7CF6BDB9070997CA4D5BC16B0B26159F7F3CFAC7252241C079633CD8287CC41FB3F7CB6185FCCEE1E3467E90788B9E943C936C1C82115EB5B5A1AF3FC6B0104959E98E0EBB0F72FA02FA5745380952A6C2EB0AB84CEE35661F34CF0DE4E6985BAEFFAF545D48ADF065F13B9272098D5906DA5C8B688A3C922AA74D840DD9C1EE31BECABC417EA07E2C45A90E1AFE588E65109C8DA674533D506E17EBA1ABBC25DD84CC79A4CA0E15013D9D014DACC5F696A7BECAC187F0A7B233D59A7BA6821B3EDC71C8073F2EE0CAA8C9F96032AEE6D9FBC15BED15E879D0F497BB8DE468B4050FDDD15C97AF4413C4CF60859EA04103A13704CC9B7076359E28A1B90949166F5B11055B415EC8B9A552AC94E4D1F45403AF5EBAC0762D1ED0967AE032DB30DFFC8132942F45626C7E50BBF80DDFAB80103E423BF00AC575194489BE02624BED16C4D1FDCD0011D0C64FAF6BB6FEB21E0F0653F05D8FB69CF891347DFF0A39136BB5D4D20101CB3EE900B508A136185FDD0FF54FEFBCC6C069E1A433742D51129A1B556CBCDB8A7E76DC43B5A")); test_xof (&nettle_shake128, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("2B6D5B37DA462A050946D447375EA4DEC9309EC30FB6C7FA68F67AEB7B6E1921A74FF35ED31560E695499F2A5AFCE3E900E1C6F199373951A406A8F57DEDDA8C9B9D2038E787CC54B62CBD97CD4247ED933DE1BD68FA670158701F088C6E785E8DDE870306B80DECAD2DBC40A8C2F02630499292A19339E4D63351EE5A44E36FEA062D2253674F5531B1C51FAF694A0E963859B26A11CE890A3E5C03815BAC2CCC43AAC806941BEFA00CC6BCE72FF59F60C85B5096BD7E9D4B60D23A050D3B4333A26B0CB6B69E62F33E87E65FC1562E5D1384F439D717A940E2A291897A4EB3F941397EAFFCF4EC738DC643E72721B5662F698BDD502ED1A82D924BC0D780A049F7D965BB585D0F674A06FE03F0B18AE56B7AEA705328072E4A374B7B9715882BD73C34E99656EC073B653C2608A04D84ADFB4607B62B4B504E43F07F9D4555935E3D432DDFF23D9AAFC87C743C1BF8A91EA4671A03E5461CF13E76E3C1779CD97DA4055EAB8E705556EB7538539FC6FFC1638E702CA2A60F0506693D54A35F7AF6FE0773A67767865B3F1397674EFF365B3849D261E29B160CDC91368899867689E599A85572464FD895CBA2BFB4ABA496F395E7950E064CA509AB8D8491BB193661E250F35D5E2AF12E1F981970390F456953A8FFDF72BF998D0FD7393C33FCBACE063C0D63F91E741F95FD542C6C509036824B2784F394E27F6BCE88B1FC")); test_xof (&nettle_shake128, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("E8B51670E0D27D9F7989447A97C07D8D142804F876E701A49E6C4A0EE149938881900637AC7329EEAB1F1E032DDC2194B2417856401060EAF019AD4D9DA3BC702BD70BE5FD9D9C9B86F4044AC441560E887AE21E3C3EF3F05E38C7F8B078D3A66C6FC8B98E33EA8AD1D029433626CEAE2468E3034CB44326C89D7A7188A5272C116D3783FA16AF98BA3070AC96C07E459F1127304483A2394837EE1A10020A79F8519795895F4786F5A15134DD44FCBD9BD1EFD0EBEE9CD991001FCCB6A92E490793B6F16471670E1D69F9CE49020C1E8E3B453CDC1A8498D8C510B8D21FA00239088E065B742C51257766F19E17B397362DEC9453F50328C5E14BF800396A0A3A1A957B29CB1C8FA059BDE39B995D45900B56E2C8CD2F4E8BAC756350DE38293D1FE4436489D9B23860E1AD35E2411D0210DDD1C3D8994635F29674A64AA5F92B2088F3E7B4FEC26485D93483AF96FC4C5FC9F34254E014DDBAB361DC55E0F5019BA9FF8ED7B104E09122A80BE3BD29A3E4C4C26A7D2B08F8915087D9A6A2E7888710A5B2B87448B81F889830E26E6813385B761FE97E3729AD04BCF08F536A152039F04C283DD36B9544C4D6CBA97E26B61E034259CAAAADCE508343DAFBD4DBCBCE25957406B22E13DBBBB186C18DCBD5B8AA18C86D8660698AF26997726FB7AF26C397DF8608708AD5D6524001634575A2F1070A5EF72D327E91C7184B4A")); test_xof (&nettle_shake128, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("120CA7E361A65A0985563012CB908028105ABDBCB51CD8EACA141662B0C184E9B2D6DFCDADED7D7CBD42455B3F5A9F15596D2BACE19510256275209CC9899A87C6224DF8E919458EA46A35CBC8D66A488069703CBBDEEA6D767CC315FBF518F7B0A0154448F8D7C56DA1B116730A76954C288B4891B56FED41B2EFDE6C27DD4B3DE9BCC25A2A901D4C87975E82372AF173982601B605D845DEE7BAC94EB410B369BBBDE500D458F9F8A3933D3BCADBCC85EA05ACEFC9A7A77E26E28E82DB157EC1CB2C99C272F33B1B2685533CD988DBDB6E850BD3C71E0589A165FC236A65B1F1DB750A3FDC1392A76E7714469B47E20D8946AF7D68EF9B16109178F662320D60A0D843EFCC5B1E56CF6D8FA8B649DDC28E58983ABAC7B2CE019AA0E07B387D8BA46CD3FAF47B522D766971BA603C84684BB094E38D82EBCB108CE0353E38FA0A4D7294F7B7BAF745F3E036EC0231F6A194585FF7CE1C792E4879BB44E4AD65717952B080BEAAE1FD0CB8AE87E6F130F91BB06F95E54FA924E2D0C42921D7CA9965AE70A3587F12017CF1E4CB70D1704A51EFE27DFDD919C7FE70F967CF7044C62D6FF232B6680278E9498F247AD92D5E9491DB0F00D583C019142A8EB63678231E1273F0A263C57B98E0AF650FA207D4B21650417DDDB40830F89E15C85E934FC745AAD87BA35DC16B7A82CC97926494BCC1FEB4ED43D75F518ACC22D208D3")); test_xof (&nettle_shake128, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("F0715DE35692FD70123DC68368D0FEEC06A0C74CF8ADB05DDC255487B1A8D4D1213E9EABAF41F1161719D065D794B750F84BE32A3234B4D536460D5520688A5A79A17A4BA8987FCB61BF7DAA8B547BF5C1CE36B56A73257DBBF1BABB64F249BDCEB67BA1C888370A963DFD6B6A2ADE2CEFD14C3252CB3758520F0C65F4524682772499463AE1A341800183AA60EFA05118A28201744F7BA0B0A3928DD7C0263FD264B7CD7B2E2E09B322BFCEA8EED04275795BE7C0F00E113827370D051D50269580300005AC1288FEA6CD9AE9F4F37CE0F8ACE8BF3EBE1D7056255954C761931D3C42ED62F7F1CE1B945CDECC0A74322D7F64D6004FF21684149307288B448E45433475B1EA1314B00F1FC450089A9D1F7710C6D7652ECF654F3B487D0283D4D8A28EFB5066C4250D5AD698E15DBA88E925E4DE99B69BC383AC8045B7F1022ADD39D443546AE0924F13F4896096DFDF37CA72207987C4A7705A7ABE724B7FA10C909F3925449F010D61E207ADD95219071ACEEDB9B9DCED32A9E123561D6082D46AEFAE07EE1BD132765E3E513C66501B387AB2EE09A04AE63E25808517AFEA3E051169CFD2FFF8C5858E2D9623897C9E85175AC5A86394CD0A32A0A62A8F5D6CCCBF493DAA43F78362BBCA40ADF733F871E0C00998D9BFD6880656666CD7BE4FE9892C61DCD5CD23A5E4277EEE8B4AFD29B69BBA55660A217112FF6E3456B1")); test_xof (&nettle_shake128, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("2E27811D2E132C58A1D053CCFAAA2813B620554C49C31CF208964CFA18A3EB5724D4EBB37E37398CE9201CA33C5F6A9409F262AFC5EBF0970BE0618EC7E56C15C13B2F0270AB5A9536FADEB84EB2D934B989354D47FCD1DBFB40FD96485FAD8DF7C6E62A60866F154901E4427C2B5E6059C76224589A6BE352673430740903E4225C1379561AE5D361B67F3ACACA9C7633CCCD2601ED278B5C7D6A378D713BC549E2797CA34FCB0A00E649AC3A4B59001E5D8E1E2785433ED65C76F4FEC4B0579059DD4DA49BBE678279F534B84A280F89DFBDA09E09C073EA11AFCAFD5685A714EC31E8F86B49D2C97E6A2A66B4F2AA76D9DF2D27CFACC2423AA18492E2F4EF6A9F8971627839375307F45A8B26133FF1D02F100EF05DF168A2BE02F0C17CCB90F23A0FBC5F536C410923B154E81A6557935E2572165A7E39F64F57E2B8CED8D2CD1025EDD5DEA6DBDACC8860BD6A0C598EEF14619D4BC11B6AEAEB5D10BFF3F9D5B20B7F2AB8254DB0C1765A10A125E98D762851F05261DAE06B224E2076112A62B4C3F3A56074E01CB3DD264CB1F4B58EFF2A1C9ACC4764A68680A40FCACC719286684FE0A742F13B5BDAC8AABFAC68174C7E153796C240279B0ACC719158D1FE4F78EC3D47EA8B8D3A1B3A6842970FD439C09096E8B032E551DBDFD0EF86DA0537F4E72F78368B319B6DB735AFFEA80633F2F8EB9D26C8CFC321C7C346F7")); test_xof (&nettle_shake128, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("76A498F8112B364E0DB20CB4E7AEAA1C96400A3E1EB1A24ED865203C4A583CE5CA10B47E725C362696F0ADE5FD75058D6882B435849030868486318E566BE51B6D985A76B36D98D893A04CC715CD26C412BB4CCDC0DB6D1B13CC071FBFC83F114C72D3B54CBCFE57243189251A7C0608BCAA1409B243F2652CF5CC4386CF4551D2955F371591C0A04CBFDA2736A514E773B5EE8C5CFD820A7542CBA65245F729E650D085B3F60EBCE2CEC0D8C952ADD51A664788B3197952E7D0D9FDCCA35EE118BC0144688621DFB373C2BC1DE7CA7BC751D539276A119ECAE8AE2987E018E9FD70C632F2A54701302C12B971E0EE5308378669EA10D0E9A7B955BE1C1BB9E7FF6857C39EB6B074C061F28D1979B33AB8D2F81078325C9F7966806D2CB62903FBAF4C12AC4AA15F010034080571BEE9E863C1CB89CB01B86643DB1D1A6C224934A79D969616CC3F9C1382B81EB83A8CFA2CDF20BB03CB67DDAFCF9CD827D76A0661B85E82664BDCED0EF34D2F807AD956724EA2CBC511632D2C9E9F8E4FD71E127D581CBBB39782BE58902927B0C0D922493255F805C5CC78A96AEE84ED086AA93F8FBF7282D78DAA0B9C126216BD929EA4A4E53F78088CA154E9A63B3227A25705532F699606EE73A5FCE6E6C94DEF1324FF2E0EDF6807700DED2F088E2D77B7F690E646E7A73CA05FEBB2634D862D7B21AE2ACFE3A5B3DC6ED1071B0F3E5E")); test_xof (&nettle_shake128, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("760DD76E50C13B411D04ED9D81078F0E5B9FC5DF9523F7C2AEEB418CA328E047071852FC5EC2F96C2133C4AA7C68306FFD70A782490F92812E04A3343B9502C14B781A4800A8928956EA457A3CFB94A63BB4407524DCCDB6136C5228FC1CD426F75E1701F0AB7D7ADA8079E4761FCC4DCC72155B4B27370A7EB6A5E3995A729AD8D8B5356A084B0678B114078B0D43C657A23F09D0862D606A8A485FED68EBBBC63A126FBABDF36151D5A39BF17632B3D967983FD62E19C944400F7A68393603243CE499947F3EDCE7F30206BCBFF83615DBAB7642C5D82DE050D67C93B836B554949B96947B7D1534E0755859ADB7BA5AC9F519B18C3AA66300ACF9A26849665810250004529334169211624C6A63350B392F6DC6753D59A03997180980EE0E742388A2BDFCA619524DD16250800918E95CAB914EBBFB12232F1687BE0B46426E126787E394A91F775FA91EE1C5D57AB1FFA151D554B79DE8EE9A937AAF5C98497AAA726CF01A9DBCE6E57A07F8D098B2844ECEC9856D3D8B189D016B34C4AB61AA3191B3E4C2B44F6BCC9444E6093A56545230FCFAD19A2CB124ABF524689F4F665F2E84D10A2C93B8CA412B6D280C2680E946A6C9225DB6F97A86FA3415A84D52FF3A0A15DC7CE97738B0B2DC1430BD56BB71AB89EE108B5BDB706C7919D5EC67C487D9C8DFA6D2333C59248104F33F4C162A5156A3A666948E3A6DA13D0D")); test_xof (&nettle_shake128, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("76BBAC5E72BFA9B5952D4FA8313C2C8995F1B762B0855EA28417A04CDF1BC9A72038014F4D1AF37D6338E217DAAB8993CFC222510A869403DC46B5D798646BB76ABF4006F31BE334DF8C6DA07AB8C6E6523DCAB9367E6B747600E785EA0BD3480A07D7AD1304019C0F00F90B2A650599B0B416655AE1B1D8FACBCE38D0DAB5A6375144790B0F7E8C61B4A98297C78EE6FCA19051DCF60B4EB1F6FC59DFBC5BD1B2ED6B9C72D7B5DC33E8D13566BC67013CC7114EAD63D25ECCAD196A5C258DE23D82E8CB2BA6753C9BC598A54F921CA924750A45353BD44593415AADD251B604457A3CAF3DA681C0FBF43E4F3814AEAD086A72A4787914FD08BC727A69CA5646AC709B9E0DF5B56C8FF82EDBE3C23218A1D5382AED38B3BF54EBFA6015C388C8E92D57CCB97FE8171E1D24360311D5ED53545B541E7F24CCCA9C5B520FECA2547ED6E1889A05EBA1C0831D8BA9162B38491287B46BBCDE9BD2198EEDA5FD0869A83543713BD294D84371F1932E3EB370E30210FDBC2853F27372DF095F71A34FA4BB0E1FDDA682170A29F9E29C2BCF946CD2865865A70DAC22A81BC387B6A06840230FF8790B6BF1953DB882DACB6A9208709C121AF24A6436B1A5312B3E6D77892FFF968138DEC8B933E3022B4141A4B4605524C95468CD89AA56BF577E16A365531434FB98FD8399DDDB58C0E5CE66C8A8955AE1ED8EAE5251026861C825A6")); test_xof (&nettle_shake128, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("1E7CDE630A92BD14100AE80073CCE0301AA6566DFEC50400147A9DFBE921BF35B110BC9C0B7AD6CFB50785C63881BE1569495092866BCE9AE303B3719B14A47DEA8FA19CAD3015D320C678CBD2B7488E71180D967BBACFCA686EFF014B7EED274F678CC43825E79C81269F99D1B824D913F8ACBA4DABF5441A29C2E769B44BBE9954A7444BFA438EF1BA2B6A3DB11E11151A1736BB8CA22494D4A3D126F100A41D49E6114CD66CB44B80C2E3308A0B551B692BC5B693BA9634E219E0EE8E7F28DF196D8C517F9D71A58F1D945E03FC25426E13612EF4158C17590922CD6A8DE677398690A8A1816C6A01B162FE6E5F0F502314C542FB568F12CA86F5CA6DA7B36255451360CA352C05D10C293A8A35417991EFE965BA6F5BB845BE9E8C021B2B4AF2AE50200C60B7BA42FB5D3147615339FD71343662090F2E7FAD4CD0AC0ED49C3FC8685116A8D51D4183CCC9F39B401D47CDE7EF7EEA63FC218C96EDEF7190A2529126633A7F3EEE421478D66CE367FDFDA6A9A60ACA3B288C6462BDFF20DBF78A3DD29E73D1A3E8F3FD824A3616722EE0B87A9E393CA89159EA8169DCA108F8E2FEB35C9372EC3B9112E534EDF733397B7585051257A564B844C07DB5DCF56403E59EAB6F56759D50C47779DD900849C94DCDAAC1AF51048098BF95A0B9EDA23DF0520A3DBD86A0B59CEE20822EFDB9DBA6D272A7CD5CC95498E340062539")); test_xof (&nettle_shake128, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("9576636B4F4D13A576B2DD4FBB3092F358E7CCE04CDDA4F83A10A8B5D35B5EE034543098D9A063FAC9CD26CA46837C5CB6E96F7596D4F07EA6FDD8AF8B59F9E86611F1514D5DC0B7A4216C69B9C85366059BED3EA5CED38A16E4D6945C7C9539E062DE51FA2DEE1C666DB1916369FA6BC0D7A2811ED1BEEAB61397B8A9FAF224FB4ACD7F8D9C7A8513C8A93D924FB4EE027821AB6DE0415AF9BAC5CF3D5CB7075BE5A6D410F12A9BBC96BF3FF254812C48423F383E4D74FFB5EDD7AD34C6E0D64BBE7F45288A49F5DE9AC14F317BD4862E1F25E338A0309739C8DDD27839B8AB3B04B9FBCE65CEAAB460DAB0B969222250FCAAD072C445D472BF251C4911C7D5D2B7D41C9D2840826E0BA6786309DB6E8EC0FD94031E2DDFBB0D880CB780772A93C0B4C32377C3C8CE97C73412F5C3E1CC72AEBC050737495C703459B9231C05477CD9A5DF1662F5FC883A91B42ED7ADABE6CB1EE654FE9E616B40CE9035CD3B91A05E050CB2558645A0939C536A2EF3B5C8353729C3EE238C5C88DB75C05DB6B2FEBE0A598F937CA7AD4FAF495A10CB3C3B9E754A570BFA5E723B8C0CC107F0EDFF76CE07A2CF3ACEC4BB44E11C633BDBF89E5501D6001206D457962AA2F57C9C2F3FCDD1B76ACE292728F21A6ADDAD4551970B1532BD3E46D9A5160B1A55CF4BE18FA15ADF0DB055BBB21ABD9A5B0FBC474CED2B8787732FCBBB231475F29F")); test_xof (&nettle_shake128, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("68618F4B2868634D8FFD3483FA4AA9C200B43FE87D59107BAC648665613805242B1CBB4DB2761D4CBEA5337E5E07005B5B4E8C80038019DDEC76395BA981D36823522698C98B80D313A7B6110A0BDE7ED5E9268FA655B8DCC2C762510FF03506DC1CA8769B372F07D0E325786FB1C58206578E600E9093AA84468F01A2DF258E670959966B419BA5D4B6063C997822E073717565C6F9B4777E186A0BD6D72F65BB3CCA7E82601F25667FA0186208F7988611A76BC4D116AB3944D6797828FC5FCF17ADFA99D959F5013FB2516A2D3DC05508E9C28AB5F9E0770D0DB2FBF9CD3C8AB90F255B465A9B724D90C25E1EEF81B839A971DD84C4D610E00ED858C78B2FC6147CB6B1266ADFAC5FECDA9A6F78B31AE35BE6369C3E8290E6F297B7FDB35BBD59F0BFE16146CF3A5A75297FFD5D02685C39ED9394ADFD3C7C814AE86EB652D152B7AE980B328F3E16F883C7C6DF6672EA1EA6E08C61505E65852A1BE11DECB86D8386079E17E72EF8FA38B69EC192C0B90622150A5C43584C3159CF61189138089653AE6453D24F464D96A9BD0CFDEF7C1C9D92D46E854D644982BDBF0E5BE7C38EDF469AD3C0EBAE549322BF271590E38AE16A1FABDA49AD6BF8B1218FD9072C25027AB31787B9F38529156113A82A8DD27BD22CFA719B3AB0D31297A0DE9AF901A443057D34CDC11747D6576B7602D7D6DF58C292A69B4549ECB1518A02")); test_xof (&nettle_shake128, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("9A3CDA57019548E6A68D89CDEBDF96557DAACAC29C5EF8532DCA123231D0226D0D7F62042D70BC225CBB1ED8902D8E6BE75B2B37504990471FD01F4C656E6F6B77961C753A780D91FE03598FA2D5F60B772B34918DB836D2CD278FB41B223A6D1F25C91A4B98B64BA3EB32DFA5DC5E1CC5BA1467F287D56CE98478BEEE91087DACA1E2FE0ADCA38883C9A73699AC98AADB5C4B087719EBA775B0ABB1B0E5ACB4F79F0F75DCB2E7E25CA22C06B1629EC1CA989AD1F1F12C4580E43DA76B2B58345B61085553A827BA0D3954B0BEFCA8394B9D19022D33DF6978148234CD16C7491075517081261E9AF8FE42C66A7580132EA3307AF3372489D8EFE01C5AE579A92399B844266D13804B887538D70D2A4EAE3C65E09F6BF877113992C42D490456CEC22FF8C60B0C7D2517A49D2822CB2B2AB6BEF74F87CE134F78141157D0498F267C94123E1606D4CE1AE8D7847CF9FB23D8A11901292CF36FB975FDF34AA0CE10B851E116EE7129B06D3EF10CC1ABA6F761EE2F1E4B497DA11FCA3E844A8DD1A6129DB5B3F863378D3488CE7E208241946BAC2E4AAFC912CC46E5A6451832A2A43176E06DBD49E9D379A69E6F08081F609B7207C5CD391445E10D10FF2B99E0D672C19CBD9F5FFC6CA46AD9536973368A747A7A2F23AADE81A43E49D2E9CCED3F64CA24C012CF3A306C40ECF36843317BE8D29803A40F6F71E7E9229154B0C4")); test_xof (&nettle_shake128, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("2DEC1B61A2977A54FF13CEFC08F9EC6F11BE80E7F5B77C4CCF2692450CE86C9D57EA58CB34AB2995A6193935DDE84BFD62283A881CEDBF685CA26A8A727252223CD6E7BB8A3C7751B8721ED16D1209611803778DF77C6A005E1A05AAB97F6205E0C1C6B339F8D8346A84C6A6D86EFEB17B6F8C8E30960DADBA3DDDB860F46D2718C7307C55B65AEF1082B98E407F56B633A16578528B8211254FA6AF384AF0EE36BA49638386494E347E961D6D65CCDF2D5D221AC54F6A2F6C4EAB62B7B55E26192A2E223BB053558A6C3646355F3686DD1D3712406677F183E94CF822D0AFA9416815C14BAB7F5C5B4E44F364446E08464370E60A436653B2DD29E60562712136940DF4AE19617774776F0784F7E8AC600BCF8359E02B070C0480F372DFD69DF9C33ECD3484678087087C7DAD64E160B32A0372318AFF1668F5A0B03C940C384239994F546FEE94E3ED0FB8AC259002D09C3110806FFB56419CBDC76F28C8F828DB0AEC39A573A903A49C0C9F77F0504B9C8CBECA83B6D3A7AF24631F7E4B99E9B42EE201CDA0AC1FFB79AC24F3516D766B0F71E1EFEF8E6CBE38C24D86B83388D6D3C2F9BD6AF94B8A56B6B5CD53AF40837FECC5481F9AF1FE216852C281E068F0891908B583845B58A4CB4169A0F2AAB2C36FD184B15C3E4008E38E00C0B6DB256B89C4C373E8328D13E840D65605C44AE017B0876CB5ABE1AC4D9CA14A3B")); test_xof (&nettle_shake128, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("DC2038C613A5F836BD3D7A4881B5B3BFF3023DA72D253E1B520BCAD5162E181685662D40252BEE982EB3214AA70DDF0A95C5D1031DE9781266B1E0972FC9777D4A74164DA68A5D4585F7A8E7438FE28D8AF577306B8E2CBF6863C83431CC4C898DDA50C94EFD4925432FCA36A6304790FBF4FEFAEEE279C01B8B6A8D1C275E3CB4E8BF17D880903FBAF27BFA65A2E3DB8E285878A94955F6FC14F05A0FA2556994B8612BB7A494B4DD8B3CF1BC9E4BF833D4BFBF878C4D3BDC8FC70D26D7B7EDAF0AFE2F963DC6884C871C1475F4B92378B9824970E40DA0A59780E84AC5138AA1EFA46C1B50C3B045BE59037C6A0C89E1D3CF246F1362794E8107B7CBA74888F0BF4B905CFB9C33517F472BAC16259809797F2FC883FFBDD7CEDE9518F891B9117DE5DDC6D3E29FA56EB617F25E9EB1B66F7E46ED54C1D43AC07471D35C57B8C73BC68F5612ED042BFF5E68634A4FB81E2EF0D92FFF1E11E43FD6D9A935678D2FDD04E06061DA3BA7DE415B93C5A8DB1653CF08DE1866F5C3D33BE32A3B8D2B7BB39E9745C6E88C782F220C367F945828B9B9250DE71E8A14EC847BBEEC2B1A486CE61731CEF21B4A3A6353C2C705759FAFA50AD33FB6ABC23B45F28EE7736DF6F59AAF38D59881547274CF9AF2CFC8FC1ECADF81AB72E38ABCCD281DF956F279BACC1796AD1F90D6930A5829BB95E94A8682A51A6743AE91B6C12C08E1465A")); test_xof (&nettle_shake128, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("91ECB5133525E291736CF8F4793BDB00A4EA32F48C3F24CBD3238E6408FEDFA6E7A750409F197041001C1A090659F8879CB26912B46A0E7E4E791FBF5692FD36EC84A55462B7876724EA944CE7246261F26038B166668E6B7EAB0B5119B44E4581F3A3280508CD8B3789AC37F992EB9777B9E11C0F19A3DA5F4B8D304AC4DE68B3C2CD6659F33FBE20B47E1F6B0CE06EC0963F8E7412FCD84E3DA3867CFF08F82AA17C43C19BDF3BC0D242FDA4874DDEC389564345AD11A267D7A466925D1E9BEEC667B029DA0982B37B51413B4601CAC17A02CBC681F927DEFAEDDB0F6A69FDFC39AB735470E86A00F82EADC94018A6E2A29E7F393F30D954C82936E158A364FB139FF29E42F30C0B95BD5714EB7A535A5B1D1B3B36A862E35D10D1F8A5AFBEEDECC51A855724271DA9FFB8EFC6615C42B03A57A2D762B46D5D94E097DAFE5D7A2EF522DDF2DDADC1F83EADB72510E770735463495B0217B8BC91DB597683254F6E0AC0E9B1E56ED0216EC9618173B163CB3F393152469268C056B1A204567EBE7367F863BA145C3BB367FA3C01E556D62FBC8381CB3C8A9BED907D481C093F14B70D1BD31AAA41FA753CE31FC59740A47BF5980F8A0E32EACA8A488572A3A91DB07A25C34330CB7DA7E0FB7D1541C3F3C377963DE4560A8D584E11E9C6A1B917F907C34F211CD78904471199FCF30D4180F88E7BDDC0392197444ADB1968D2")); test_xof (&nettle_shake128, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("54A3C3F41FFA1A12309CCC1D6B7915E126CB13371A2953F33D6512241A5B835005A7FC8844E4E5BC097B9C5D8E388DDB5A55F43905E11C380B8EF1DC661B77593DBFAFB6B2A4A28039ABF57706ED1193E860CEC1F5D9C522839607A02F3AE0D057100CDDFE48BD84F60DB063AA3011EF8A6AAD3947D8F86E2A6A28E258A99D72E998E4148DC877945844094125DB2BE06B98508704E3901AD2D8D2CADB19291AF8436DC4CD89D97060DF9F7CE0738ED5C1456CFEF18862DABE84A08A22BF310FE273496401619F156EDE9311697566B11C38BB10D4AC5787D4D6491CB43B4D79C5F062645FACDD48EDF609737C7FFC226E36587B39759F23DA6CF94349CFA50B9E18F1C6CD42DD22EA04A4A7A73ACCE723E4E5948FCCC9857EEBF22C9761AB8AFF73386D470A34254750BCE7EDC88A46F54AB64F562BEA863488F846671503E5E305F3CC61212E95D055851A4D4A9A145DF52DFBA84D27D084952F7E12AF3C4E20860A479156B48CD65AB2BEE5407AA200CE205E3E46C35DC4B50205C11187EC81ECA5BE3B2E90A170D53E6637947470220B2A6EDBA8C0D0E3525BE456417E6EA0FD98BF54A5804AAB6BFB728B22A5D01BAF0CEC173821F5E075A0E4B7649E303D17296981EFB88327D5B1A3A8CA72129B979DFBCFDC45EC3D1BFD01D10814F225C6BF09962F0491756CF9607D3974C24FDA6DDF6E87013EC5CB2B883BD0A50D")); test_xof (&nettle_shake128, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("264A7D71BA8E67773AC5AB0CE3616F1147341EDEEBA1A177E8529B0DEF09C3A99D91029D77C3F9F85508AE74DE172F358CDD2BC4EFC8B27BF280E162B03A08272D0165D9012099B8EC0274801AF9A0D672FDA4510C09347ADD664505BE434469CE78DF597A7890381FBEEBCEE79FDE94EE240A2B3DFD60B23F4126A5FC397B4B4E5E21893CAFBABEC64BF53F603434F168FCB667828E79F44B1526E9875F9EC9982648B9C6FC1AD6527D7FD2AAD064227D9A85EF9733B2B484202E00F8929E18899BFA6B92C3AA8B05F9EAD25DF02E02C7E8C264B67EC07AB47A7D95905F660CC6722ACA28215AEE543FB7950F0204784AFF77374B803E5EA679F22A0F5659A363EE122AA76BDC881EB28D5E347842B2CC81FF0447B68989E744E187808D7AF0011A32B66F9050161168D6F246A5C7B212838B831E71D71606F21A40D8A9AEF42B21465689B7CE967DC2E53F869F0584E19DDC629068C1ACD7E6B986C3D1F1E24B1A907F7ED4E5B83EB7B0A5C6A4508E0DC21BE2C1BB5506BB2B97D9721B57DEB9D4D39D58B77DFE6C869F5FBFD74559082B5EFC3692E72A9B961B6A669ED700CC41FFEAF370F88373D5BDA8DB6DD2C3BCBF1D833F4B9CBD3B4134502931178C58FCFFA80CB496FD850352634F73D002FC4A6725848CE2541862B3C5566A915878E60B3B4C1EF7F014F0F32446298891A383F63568C849DF2A208E75EAE37ED8")); test_xof (&nettle_shake128, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("C87CC74FE777B2DC9A33473F88383DFECE2244A807FF92BABEB7BF08F37EABD9305BE93213A63A4851BCDC648C2EB31BD509844A56B7B890772E040E67D32A4098EFBCCD0ED6D25B2AB9EEFD0B65EBB76D540D0FECEC277AC98139AE8F67025DEC7AE76850E047098557D2EF7D9319BC153641B1D2A376F23E4A1F2FDF1168EB5901B3E11A0410C8563DC4BF1FB0F616CFEAB2B086384207CF1A10D51634874493DB0533787C0564C1400BC56CDB7C32A6FA4800F0E685156F2BB63A63B67F6D40AB574CE0EC54A4A533958B3A48266EE038E5D85E67F3BA429EA1671D89A083B406A568A0795C56EF042881AB67665258EDEDB97AD04B5A30388D7EF0DEA494BA645F8FE47E81A2CC4A9C6885ED80C6F6D37BB0E81A60575201C0EC3E9FF30F70AE746B86AA3EFB309F13FAD5CA2C824C2FCD34AF1DEA5E60E4A8CD92E7B653301721937E03ECC2AD5642A3922D4D666448759961C6D830CCB45D666B675C920AC2486B100B5A51A7659F24735C173F9FDF02B1401A03ED5BC45EF098E799E7A3C29EB262D408CA9A6D2C18C5636F3B378E63F8C71C70058976E880D8A0F23E0F2F1CAE00F4E06FD60673CF0968A2E3C5D97A79659BC81F6639FE69B18C6E4D1F3BF535814A4D6187F3F9BD7F7509B2EB899A6ED48526C665B706A526F0E5EE433DCB3B5C7BFC99078342B78EDCA9502D6F73566BAB6AFEAF63EC9A020A7EF5")); test_xof (&nettle_shake128, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("61390F3D091CFA220147B1C85C59F1D6B7D9F87DB3A8910884AEDD2DB4EF65BD77F1D091D8375002713322F3AC618126D47DC4EA0404402FFFE139C8163CF8746030B2E57BB2A74965159F4484E3A4C41E7F849BFE872DB3B47EB91E4C9E67DC09AB0FB88FDE8A9815BAADCA11238B97DF04A0F5E5570DDC87D18E6E33339DD481D20CB746478162CD1464929DCE1FB906B6545D846D891CE91358B9EA029F281ECDC557CB769EC8C1FAAAD10FFE13B8076072455BDE3A3276CA458E8FFC4E377ACA54833C31E906866E9DEC7EAEAF74AE07339D70AD34278B076CA541CEF4DD10F68FB29C17F030052702B7B87D857F462414BFCB9FBA427BEEF0B930DF09C7A6BB35620EF843C9866E242EB2B30E30C4427C1E5671F2390F6F9F42B77305CB9969224355FB7A751E2066FB8C492D6070049C768B5263642802D21632DCF50EDC2C9357A4A3CA20C8446CD322CB5D8EDF82D31871424575F022D8B7A6B7BAA4F6326CE757AD523B8BD1B4A77C5D96E7EEF9E2963B02B107F7F74C9341D964D70DAA7C9E1ECBCC354935EE07192F22C15D693E5E10DF094FA8B74CB2CC87B967F11237B3AB5D3F53EEE9BB9E4CA16B7DF02E46EA9F141DCDA939B2D7C964574A0E11E3505706C0E9FE33BE262A7E6589D7BD42276CC3146F0A728131E9D346B91DA1EEB6B3E34EA5AE180396E219B5FFB6F87148ED8D4BAC21E760861B49F248")); test_xof (&nettle_shake128, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("39EC35D31923584FBD73A715015CEF05B945A5AFD2D109E72E356BDBE0F73CDF666AA7B01E77BD3BC0C409991F1129961F6BDD772ADE7EA97AF0B88A8875190B453664FFB64FC4FAC3C1108A3C222F23B12B7613941B137449471BA4847EAA4A16BEB50960FFF5DFBB2E756938B38A93509BCE5F900A59E69FB0305A19E460FFAE88D74A727C82FC7138B88DB07EDB172B39566DD22F0E852F715AF9D3C3F0089E9EBA72FF6063357DE9A744F20E1DA367F27C6AB6FC9D231A606A79A621F8150773D1DFD52868820EE5BC28D286ED746BEAF8F13213548DF0A56BB0E01E5BF6BDD1C901EA8C791E7916E5679C88D4D85CB1ACCA63C211E7218FE6EB2ABFD2BADBB31147177F123FD111BAC4880F1224ED01F3259E4EB91DEB7562CB9C3009B3676998AFAB8D5D24BFE7D27BE7F3A57A932C895B60A9FA74504472808479F332FD9915B8ED0C11604E80457C0DE5F7015C19A607AAFDE448FC08BB185517E6AD7DD330A465F9043A0478E1CB4BE9185187604F30A1680C67D3A0DB1BACCC05D401AAA8FC66D9189089EB7DDBABA05FAA8DD83FA544FDE68A793A36D854752F22FA13333C6152F7F18ED789848A13327071D85D5E36C4FC291CF5B4B9391F8E2513D4B660B1290790AB50D12B73FCA21A93F8998D5706C037C387D662FC20BE35228D85E5BD007A7173BD06E5CBB7E41063AE4843BF3F5A77C44E1A36FD2E1C31")); test_xof (&nettle_shake128, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("9BCBAF72085F4EE5B2B237F520977C7CFE8780BD62B0ABA13C161D0E7EB036AB27E9B08407BD501B2482C280997EAE9C4B571ED6E39A13D74D7A1E2258CBF3583B28E738FB14AB2B60E6F1E188953D96A9361D282B85DDC243FE6C7CC644BA203B328FBC4E0088E40283B6A62122065A11A164DD1EA05F421B4ED60F44EC982636F0253AE4E6EA320EDA2351DFDE0285D1ED860A51699E702A0519B0C3119462BC9CB3DECD66647823EE139DBFE3EE125A6F74AEDF5044238389E0B0388698FD8D7D882D010C194F4478D6DA8FC195529A475932E4FB178CF318AD8F24427BBB90C0B08ADAB27BE5A48C9804ACD9E56E1CB2BFEB236388917458408C446C6B5F1D3BD55AC0F6F1AD06AB419460F525B564DC67BC6BB2CFD08CDB510161F71A29AEC95C67323259C214CC39401E483E982EE6576A7F1068B088348916A5C47D1378236DDF475733F394E14216D2AC112457295100EB70381E632876E700D355973944ED80AB91AC39F2D9DF4E338C02082505C028EDDF867E60ACEFFBA59480E6953BAEA105652BAC6D29DEF70962B6BB93E3D9424A77D31D3020FBB3BE37E7905A6360C1B624327FD68ED02639A2B54FBAFDD9804FCFD60AEC2B044C921A77B25B7032CF685475F503D00D9A8DB733CB6115C1BAD1C847C1BBBD342E62470D6DF7C21119A35179AD3C7F68CD246B8F3F51E2635DAC460DB83FCC5C0DD049A2B7")); test_xof (&nettle_shake128, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("8536A6C25934A44FF97C0A09E026EB12B9C81CC8357859BA736B29BB329B182B5DA8FFD7B855200CB9D64FE463317C213997EBDF1810BF37E00D56F75791375C5FA84DCFA37EC196BB2DD3C66C1D33034AC48BC7FEAF15F9702D7D11E4712AC87934E2064283D04B56BDDBFB3B56C3CDE69B7D736196B9DC5623A3132BE33AF12A386A3004EEF98D4487B614547BA59EDABB0B83B6CA39A5955F925F35A5209C0CD567369751312A6A63D0F4821D442C14CC26FC147E63A4656745663CD96B01064F60FAA4BA98258B09C09833046412221A59E23D5266FAD8C068CC949D172862EC30EBDDEA21E1CFDD6B5FE4AF566A19D0D41FC9328EA915D8B97CB1D903BC40A4083F6997439055B44A695450039CC00931CF3BC9FC67BC417A8AA270B2B4A410BCE4A2131523749A957D293C1438A993432941A9FF4210B33A5CF8B4434553B17CFE869B940669CA9F18B128BA354855F08A692FC6D23BF0FA12D9F4DF0A571E44D4221E8018C4282559E6FF2EB02CCAC7A7B83E34ACA7D554C33F05CBAEEC49D0516B10DE06BCDEDC09D0C4A9810B0797B62CFFA75FC0D3BDD796327BB1FA5DCB546630E9BB0457D024E982D6D7930391066C58286BEAC627D6ECA09B4F6DFCCC71CE589B1DA1E890AE0C5A0CF531D9C1D2330BC8397F09F248F9919995326FB92147959C3E6C569ED662F6968F4E9EF42B6C2FB954D79DA22117373E27")); test_xof (&nettle_shake128, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("7201FC2AF67D095A5E317269E750F965B8BEC311EDAD18DA2435D2872C0056617F0FCCC80552010F996E5B34084B09F31F35870486A8C53D220D7D009FFC2C58F26AC41BAE05EB486ED4A18E74FD1C31CEA640E8D47D88C5D506C5719A3EAA4716AD4FB906A5085AFD46570F2B048264D4BD3554F5AB0A8271D6529B9E2F1634B5C78ABAB6BBACF4F01A4E33377F9E1FB12FC20435DE0AFD62F90E2CA73BD5260285BF5CB9B4302A312BBE48C3B68A4DA6E842B7D87B3BE0BA82C9B7953CB63B7E7E86296B88557BEE2EC9576A468D556B77F872BF728FE3051E4932988029D88320088B70C8B19B59FC03F2F32BF34F42746A6E9672C21EA85087A46D5BAE484F460AF64F8F62BC615E79ADF67EFA9941DEB5B358A5833CCE4A92DA0F237A506D530D64435689E1DB79F7AFDA051CFC065397C9393B3A87D6DE9C08522BEBAEF1B33D2EAA746A5AE7FAD267F168ECE1DB4BDF453A100FA3743D9DCA3BD0C00DD7033AE1EB573BB79C6CF53BB38130AF279C0A0F8198C5145A5DFA32B322716EF6115BB5466CE54EEF73E68C4C2B1D0C321A03B6C7BD1BE98DFCB50C08DF2005DAD35C430004DE8E6C531368B5F37E53DF3D376CAAF854298657573BE7038052C2169BC907341CEB02925385A9FC03400F53CCCD6D3BC039BC49F7E5CADBB68FD5E1589CF1B97C9C6360A4DDE6474FF39B96CC2F4C698300DB2AD5668BC19F45")); test_xof (&nettle_shake128, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("C7B0EA1011BBE2D11DF8353D06A6AD5176DAC3E33039C621A635E1124EDF2425AD88BA552D6B6034AE3A5FBDC735E4381064925BFD6CB5E3E753D27C7A77F4BFD3D33652461F5409CA29C060AC991F3CA90A29B9F67502A524795F1306430FE7961430B431E9CB7C21EABE1EC3D1D6440EEA64496F30A3A44172B2C5670DA2F4DEA42F783F5138C966A642488231DCA509C144B59E0F4A40C191C035E4A464ABB6F4B9E0F9ACD86B7BDA0485238A56B2934C7AACB484287EE013C46E48FB648E73ADD7E8ECA6B2A8FC34EA0CEB46B0C360A6004B34403AE5FD345A78B55634B242CBE07A6FB13FAB721EF976B3E1F82FF4DB06F86DCA50348398F1DC831C70618FB387F0B13D84BC8A606E72D6B85991A4D7151E2D9B4B5E07D303E2D639D2A243E316B6C328EB01F52C524FA7D76763EDE5F0FEC6824D73EFE546547798D9C78B22765E69EE0F72B538C816B230481214099ACF758193AAE0688CB5A9E11B323704AB7724E5F1C4355C11EEB595312A25277794B996C6BC19C77F0A048CD31FC8AB70C7B6B6B0DFEF5F632879DCCFCF462908F04AFC8B440E9C4FBEB428B70A56511EB7B16053BE225B72CEE491366742A77152A9BB0FAC5D261C01ABEA1B632289F26FCD628598C1F9B6AB1A5C36F926A2B96BAF71644C0723A6A773DD14C66A770F11BD82EA85C6608C821139601F9B98232BFC21C7A3B54E0F7A2A6E4CE5")); test_xof (&nettle_shake128, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("FD6ABC78D5FF667AEE2029F1683E1EC57E82E69E6F3963E38486590650A18EB3A6B611D5ECDD6F8E556D2F8BED3726DC51B2086275923E2BAC576625FCA0A10CE1CAB318AE80806929EC5EF10F3262F460DB6D39D6DB17FE364792AC2CF5B067F260366FDA234EE09761858A3C5EDFA7D8C8BB7E968BF78922CAD2A276096E06164D15782B74E75ABCB32D1D87CC5BA1B188AE777B5FA570DAFC393C7FA0CA76623543BA75FF214A0F01AE3455A9C454BB6773721DF3376BF92B4C6DB9FD4EDCD802E30CDD698A865C29912517E0D195B1D05C391BE04710121C764DF515FD0ECDEF0D91603BC2A3B9F905B5D7C25133657FB6798ABA7119FFBBB836028764298EC082FD36CBD7D32A81C549B32E6E82C8C897318EEED0C3720AE2B620A40ABC87C28613AA2322EDD83414B8A532D48FA5769E4E8A46E159D5BF9926C6647836527BF5AB23846EA38F321EE7303A1DAFAF61C97D6059B10314F09F3D5DFF337802EDF70F27E0224D1B110453902D3F4D5A074F2FA532856EAE37307507C2E9BE3952EBCCDE1599A3A9B331FE760D29720AFD9134B6F5C33CDFA60E9B700E0FF15E13D197830BD93E785482BBA5DCECBE0977433AD8625280F0DAC5C6A4963F23844C7EE7AC6C88D098B8189B274D49194727118D6E73898584BA8FEAC1947E0B0ACB81DC7B580F06F52A5743F8E7E8066F6C76B5013DA694072434508C2802E0")); test_xof (&nettle_shake128, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("AEDA7E54B44C4EC1DC28A305AB30CDC9FBB1BD923F41DA60558ACC8C3FB34D85EF153DECD3090860E383151EBD008044B20B20B0C6216D16EA221ADDF00B99DFA692CE79E69AC853FD70C6D077860C54FF77AC55962CF0D06888CE0A95DEC7CE760E8E0364AE935CC8CE962BAFB617DBE45A4669F0F5C6A7767FB0C9BDC853C84CDEF5F722DA5C31D15181725158F946C8D810AF7296EC91F3EC782D38B00563E454AC9299B8DA2C4D2FE89C0C2C6E094A14DC3CDE4B4B5A868CBE8C6032812CCF17A1E511E7E59C0239E6696C2CE093CBF79F641CF1B59D97B88A16359DAE8366E23E13C7B8F9CCCC099F9B6CC0A228223FBDD5242139F3BE2C19C06A15563E404428052E32ED5F6EBC61AFE642340625C29174ED962D6EA5D8D6B06DAA63CDBE674CA6ABF8AACDF727BCF6279D4AB7B2511D782C21DB7BA2543C2273970CC18C136D74D6583782FD44422A2DD01BAB97AF2A420F8F1DE60AC0F4727B91972289943B5DCB3D22030D93A6ED0863E1920DC8A6688DFCFABFC3ECEE59AFC7B349F5B6B061E599145E2242C05D63566906A40B98F8D280F31D25880D0DB0A90AF20108715EC9FEE5FFE151BBA41E594254B7EAF61C5B444094B307511A1799D2E983500FE9643DDC2652B7B77FA27DB41B50F788224BE4B4F7DED43B56A3BD7EB52620689B4D22859ED3E0771431168D12404B5C56347FAFFB9E133FC5730EE76A")); test_xof (&nettle_shake128, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("9FEF3F4FEFEF93B5124DC0C0D3FCD29FC5D6F680F511C682BD41E397EEA9147441E698E4B420CF2A165B15AA36895BE8AE914ED53FC9950F16D540FF5054C0D731789D126091A75FC5C7DE3C28478E86E05C7A604CE904DA8F7EF031DC9D957401B155D110745F3145C34754A45B7FEF94D0253DE536BFA0ED5E655243E689FF909DED44948A339CD55B897D015BF49E890192D051A13C26BFD5E8E71AE287A6E2C18017FC997BBC41A7D39A18DE8B30F5F313D449C5095314E740501E2101807EAF33F596D0AD639C83BF7037E27C1D8597B4BC9F335433137EF4081E381B831F17AB09BC704BF1C581F4EDAF9502290A92501CD7A0E5F0AA10674BFC9B2C9C2C812F4C3725D6E7975A1F181BA63349D18EFB824DBC4D7D6267E7C4855AFB5F4DA4B26BF74785AC1E97D3E78DE97179739481A47686545A7B81F9D6BCA18CC3008BE300C34134EDCB9C87870D8BB4DA18CAD8C29CA349392FD82E0BBCA5A06A043826194A52AD80E1C3BAFA28751338BDAC266D8245E055546611CBF929CC8CE6DA35667A66AB87EC22CF3B54D8EC1D7CDEC5C75E0EC3B53ED0C030AE30913C12AAAA71567C731AC8C9CA1279C7A8FACCA20554A506661630F2B6B9792DBF5C8FD545C283DFC65E9D758B4B86079F569AF818138304E617D74081D80CCFF0179542F6FFF41151B85F84B2DD18FCD8C2B7790B645552C94C0348315BD91E1BEA")); test_xof (&nettle_shake128, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("E62CFE44B169A061FAEDFE6CE667056BC0255D1F22A56D3DF255FFBB145433FBAC3DBC0B998A40001B805927BDC1EA47762980586CA088D64BABC0ACBD488C5F08B8C220FD5A15EC679448532BB992360C8B166BD8EFB59F2B5E091F06CB1DF8D79FF9B69C4A49A9ECECFD6403D6F984A987C0FCE8E6ED4C0E9CAEDE1C522E4F71495F8599F2864C42809C931771A32FCA62B0CCEB02E5D7FFA15754E6AFA27E568D84FB041CD35140A48F4B23204CAB939B5C48217711A5426F194CCBF07491C0DC2F885156B40C9F782F4A17BB7108E465D9AE1F52B494C74611A1D9D379EA8835E0F98AC6880C339D70B65436A07F056E9C118A89AA41A0E4463482B5B037E96736D265CAECF4764E6F206AB47EB83689E3380DB572BF815F7E2ACC67BBA3F4D074DF16D3B95AED1C4718EA77D1E38608400EA88C6F5FFA084EAEE206EEC8D2560A601587DDC5804D86912E4B844D87F2CBF10634CC32F492BBFC32B4E746EE3FE9E9C9B03DA7DE441A53C0E3B648366A4A997A28DF2A10628406C530175191F230A97E2248226ECF6293D39809B0DC0493CEEC48337468831A5EEF0038AFFC160732C097CF96BBB90F5A302406FFE8C0F1FBD7554C1C0679D2AF199E565D96AC5697F2FF748CF0BDD87A0DA1A9DE71020DA59BF69ADC9E7FB7D6B8A38113C3370A120815DDAAC8CE49ED4738C3A2805100DE7C6B2279AAAC367A930CADCC")); test_xof (&nettle_shake128, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("E55556489CFF55AE9DF1AB48F860E81C3EB95D979929BED9C747FD1467D201FCF041D0B3D72EF227C82C93E6346CB02A5C78AFCF0B9CB6AF551E9645C09244EA67E02E17BF1941F3910B069C04DCD5FF7B4B9C69BB973EFA516B4AFF0F8947DA042E21BF838A94BC8D98E6A30FA830FB9774D14CED360125DA945F44528B99DF2095C5186776D434A4AB2202A8CD5443FF2636F6111228BF1F5C5BDFBCF6278598733776BB589230D74314083B983CBBC476E4C9F0996A01DDE09C8341DA4C2382923FBF32A1AB8E37E9A18DA38F54154C44FAB88AD8857EC5FF82CBE1C9D24D6AA676978FE7F18F1C2503AF6981551710690DB902F46AA5AB3856EBBA8EBC644C7339D6E28EEB2AEB6D5F168E0447CBEA439ECC89743BFDFA88F963A6B57F28157F55CF46B57C2396A357A8E44EC964CA32C51FA5DC17C1E0F6F80FA2C8D26E04F03C32CD763F6CCF0F16F915D72F6E9159174B69535D2229C8A543E992AB0E86BB51DA378EB378A0F28ED49A8F57F224E03C9C1248F0133D70AF45AC7F0D27C5804CC99E982A2A583AE566262F3CFBDB91BB0C2F2561651A812CBE22F1380929F85A94FA721AFE6BA1EE27430F2CFE89966A9919AB21036E81962AFDA1026B3B4A95FDF0BA51940053F01EEFCAC57CD11C4C60D66DE753F41A178CC56A938A72A0791874EAB6DAD49AF265CFC6A03016F0A1A490ECECD045B9F7509F1193F9")); test_xof (&nettle_shake128, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("5C3CD7AEFDDD08E09F343A8226155BC3BA959998299AED4CE4E85C6758833685A58E5CB8002FA4788ECB673E810C98BDF71A18F7A2DDFC351056D0639BC600FA42BD03B1315CC4C9640A8D61D481BC7F9077C9EFDEA6FC3993993CEC88481FCBA0E4C519CFBB57B465FD1E3D33557D8DA77321CB21E584E677F3A66D38C9E49D9A9545D6B84AFA37547F1CEB22C2ED9D8D97693A69EAA2D15F376E6DE77B0EE6C7DC28FB1C1BCB42BF8751400EA2470B87F19830A6EA33DA0912DC894892C6C242E90D24238439C6794243A5A6512E3486680F4F9166150502A1BC049F48EC80D2694FF8334515EB4A97D483E7E401BF6E446035FDDB8B600CA7478B8C40AEC176B79CC671E90CAAE5D1EC05E51D5E7EF9D8B4FF3B3B319D80C093A83A3D21F22EB4DD3B88FAB1345B29AB527F8D69CABE8FECE7E26D40A63B3FA08340501A40D433D77DD212FFB48265901D9A05E17E8F24786C7C23E50CFA11D5AD497D98579B02B642D48FD74CA608DC32E76C3961E07064168B898FDA5B4FEC10554F32426DD818B7E207F3FACAD3525577B5FBC19F1CFD39FE6453B274362C456B8FDB3AA26306E306EF1BFF87056AE99FD0CC9BBE36EC508532E8239B3C33B1705D6DA65813621E8D319460CB6BBE94C9CC0A5AB5C9CF538775D42068D9665239E1FAD0EE8FCA7EA4829C8BE493AC2DE44B340028DB1F27F9E4470D3EE6AB48B416CE36")); test_xof (&nettle_shake128, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("83D754C973E2F1CEA0A8EEF4CB2340F2BF78CB88CB3AA458E7C915B5C8412CEE403CB18E062D2D896D5BFFE7DD1C3CA2E5E37E193554A176BEB2C636ABB687E867AF6B9EB5FBA57F371C167CF210956C5855F27FBE890708A28321BBF2D1D44DC7A911906CC4054D6310CDDC4573EBFC9F7227031EE0EAED3A810AA18367D2F6F56B478881F628897E2678FAC39F76A745460DA7913374C9AF81415592891035F93286BFF02DC737EB087DB8FE7E77A188C206CAEC84832A120547D967107A49AF42D422EE7364DB5B6592185C07DC7FBC2D0ABC2A02C3CCE0070C23F2DAFF0C8FC61563CB7CE0E930B75C706AB8180BCECD4E2C47859217B42719EF341765FF7C59C239C1752A3CA73E04DA7918B61A4D98DF5481F3B2A23A4797D66786CCF940ED96D6817D6172F748262448A69844E59CE9673CD9AA3F5AEE057608D4DF64042D78A03920FA23DE7BC65881465B31C4204F68D69CDDCFAEB9A5A6F4AEAC6572DF206802403D169EB5B2B69CFE3FDFCDE19B198385605C864B5F02BDCABBF646C5945899F52830C3CDA909443C96DF6DC1417677BD80675621755D47D076DF56DAEDA124A3D6B1C7B6E050F6D3024C5627A62C57C94438A8A3C14C5F572210893BAFF4B7E4E84C99C6CA09EB3629087F1C700513F2447525EE23622099E8D8B5D2CA8918CC5775FEB5F34FE5141CCC93EC172168638A736CEB0541A1B18369")); test_xof (&nettle_shake128, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("C6D3296ECCE00F96E8E0224FC094279AFDC51F4D65790B7DE6612A536D16DCA57EDF5AF53B7DCFF98910F8C41AF597692C5B9590B7EBD712076A74BA9923C364E042286F754143B2F1E00C47D4D01ED6A08FC3B62918D4C7FC8A5AFEADF7B83A02ACBFDAD3032D72C60E5FF342AE9376C60CAC094780D9F0A6FCFE63496A1FC660A33E1111FF441BDB600B37A33256A35E86CB245CE8DD2951E6B4C7C96C8561207D402D143902F085191084EE39E8FB472965F51C6E556CF4EAE55C540ADCEDEB9E77699C161A88DD07093251DBF403E7A26EA6FF93B2E5C61E5C0538CC29D69DE806D995C9BB59B52915A61B9DAAA3B21FC325AE7E1D5923D7E2CDB4F71E9C1E9DEB331916F09B22A34CA70FD20410EEDB22118D606870188BBB9800445B136FFEF3D7539B7104EED36E3E663B5167A5649B0FD2013424153B92BF520845972C146F8E15670BE40CF2EF1E73E23E404F1753833ABEB111327E862904C7CA969F5820B41C6484AFCE6374C72620C1B0DF72C043C1BEF6B33EB17A64B0FBE48D68E60F90CFA669214F96709777B9A278B65F197956345395008272E6CC3DDF43DF36B39E491897323CEA03B88D2FB8FB9F9F1219E951F4CD652AA28C1CD03A369D85C7ECEE4C3016C89885373ACABC20E40DEA4BCFA7B499941D8BD06738A71F3B40ED89FFE85C7C84ECF5F644CF1F3A434D2B12EA3339303353890B3C4C5534")); test_xof (&nettle_shake128, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("E7B210D8AC4395B2DE4A9066A345B1592A5C0649D47EC8392816A65C03B5717FFED2427F513EC34D3DB5AD59AF61E0EC5DF9664A1F24E50A31C6C146799745465E3A130C84B52EDC04140AAD1A8AFDBC22D816339D5AD126C616B55302CEA748E744C6F2F538E2285538697ED1B2E169D9B335B6194B59775CB19B14E2A5BB0754705E1342E25EE1824C75479D317CE844D477599CC6A637604DFDEAAA02A3CD2C1B707661DBD2B1FDD77D2187C1E2295D92D98D4E5AD4208DB1771713BBAF33E63F16163F63EC956C7DB48D265E53058363A923BD51BC3602B184EAF2B8855DFB15AB9015D5FA72999CECFDDE888F95252885988052C9F1666D4E90F82C1BA1C27E4B0FF07F99BC4A54B9FDE4BE5C3882C395F69AE3754576F65CA8CB03EB2890447CCFB37A475748742AC932B615537B7FFDBD9E73FEB1BD29A8039B1321F8B7F6BD80BCE4522174DDBC4D6E95F18DA7EA0D4DAE4D14AFDE65F8BA726662563C225DE20A218927E2CEEF7573AF8313DB530D5FEB42BB2FB7B4DD616D25DBCC6F443A9BC91BA616B858AD827B049A65916CFD0A823A2726243D8393E248A8E1A66A057350107D01B65F4BFA03E6F22A4C26645B7C2CC63767E89F2A8860632226CD6FA6A68DB79949AFFD3EF91758168A295A5342E10C402F2B2076ADC203BA107A177D6FA79F12DE20D084CB463BF0C74B9D3FF6ED9455301A850008499CEE")); test_xof (&nettle_shake128, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("8DD1F85C100C7F05B59A9A0A78581B5541ECE6A40672D9AF23E9F80A9D3FC96346E1B0F3DC309BB110E3F9F465E08371D93616258FC5CF5F3264B6F20CD795FACECABAD03BF361324E242F098FE715E14D0D207B5122B01E47238E8AD8CD9C2E874E816C970F8CABA5C148B9D2638ADC5D13384DD5867679B5821A37B77B5C8AE773F982D07F037E319B0C2A88B8716D8642EDB7C51AFDB44297AA2AD22ED1DEFFEBBB8A89A601B3C8ED2BC1894AD8EE27D85E4B88547D64394709532582EB95A682ACEB7C205F4A3CC9693E443D7CBB1E1DEF42905622AC0E12D0543BE1786C13A913D45C63CD7F06E058440B34DD44007CD2B7BA489D89358276A3D597E19A0B973F558B4BEE867712543C1BDC817495D3222D4472B00784D7CFD83BBCBCE7E2FCD0F9C1EC0FD003B3D8EC74233A3BF7E95430189EAAB5CE341739C8F198052A783B9EC0331CDC1E2BD8B25FBE9B471A768CC6B8F2C90298196BC65861678C7632B7914D365DE4BB2CF9DBC4A0A06034711086A0D09A9C139132556EFD7CEDA2933EB9B86AD5BA22196DF404684993A8E7FECFE6E582E5A3A4717753E5F3BEF462DD8820BF3857881D54AF1D0F2ACE27AB1C208C3D5087DB201F155164C398F2ADE81CE38CE0D741920364C57580522FE1F0299A6263C3F4A78E03300372D379A4A9A550FFAEEDA27B30B329435A8B2E3C127568B48B1A75462F576DAFDDF6")); test_xof (&nettle_shake128, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("16322D3005BEF6A6CD077C13F13A0DBA11CAC621605D78E2CA3EBB07386C0ACC23D0B21573123E1BD43ACCC1F12DBCC34874B5C18B6D037B339E958972902BA3174A9831EAAB3543B901B6CF4EF5CBD1CE1B60AC90E94F6E15C7DAD13AC4B8AFFAB3141326AE057852DAB28FB1564A7375204805747A45C0E96E2E046611FFB1BDDB6E6EF5C0BD75E4D654701BCD7F903DAA5B2D32E017C5A81A907FA908C8523D821A9947E647767F04FE6A8D0A9297F65610B1ECB332D3DD37EC4501400C3C1E0035A48652DE4F0BC038C90C5B4FC2D969B1951DE5400184E6C761C7129711ECF3F4146C2B8D662C96A30491771DAD21E0D9667F7312147D53B1377999F0274D239ADA0E2E2843676ECEC0D528C89A5E6C4EA111ACCFDEA9D10BD3F79326283A609F1E2C9FDD4120367DC5403D53A6D0B0DFC3A3726096EC7F6CE189A29F23053F79E179F275E32DB13567E108A63C7033286C4F6636AFA91C37E32A5B2BF01995133FAD11A96BA922CE4BF5192A0536F4F238F9CF0AEAD2265AE73FF3923682644CB414B8E92E9C5EB8D46E39E46A5A394D75BA2D01A18B2309DEC99931FD9C29DD61073B23A19EDCBACCA8D9227E8FE23D313947AB6D9C807C8C3BC8E189158A1815410A94CAC21D931560BAE3AFE409D4904C32D4AA5C7FF6463EC8C432F97EFFD812DDBBDE53EA65956C9C2AF72ADB2C7B5BC1EFCFC8EF4FF8A152AEB8")); test_xof (&nettle_shake128, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("14236E75B9784DF4F57935F945356CBE383FE513ED30286F91060759BCB0EF4BAAC858ECAE7C6E7EDD498F01A082B63FA57D22540231E2E25C83EFB3B3F2953A5F674502AB635226446B84937643DCD5789EE73F1D734BC8FE5F7F0883AB10961B9A31FF60DEE16159BC6982EFB08545984BF71FED1C4CD81C0914B4C19FCFEEF54AF4BBE372F18CFCD3A18657F5B9450F99A78F0FA2C3CDCA7461C4ED7569536883B66CD87E9C200962902EAA16A54DB6A0A5CC26D889038C0760810B5BB4F33F1E5D639B6F9BC7CA62BA6F8C9F8DE770260AFE47F4E0F82F102198EBA27F543252AC8DDD83E1B8DB0A91AC65633FD12A550EBE96F93AA6704ED5905C234FA6D9203910CBD02DE166C4C3348FB81EF7B84AE1455FE318B5FD170883F49BA2F24289C479A2C7531406BA989BEAEF3A79F659028642E9B033F7DEB9ECEC3A7A9F1DBD2451FCB47C81E21E91D20B924C6BD04C1F0B2710D2E570CD24BAD5B5DE4E49AA80B6ADD5507B4D2E510370C7AFA814D7E1A7E278E53D7CCF49A0A866CA3A7B5BB71EF3425E460FEEB29149F217066613695F85506A0946CF68979F04AE073AF8028976BF0C5BDC2212E8C364583DE9FBD03B34DDEE5EC4CFA8ED8CE592971D0108FAF76C8940E25E6C5F865584C34A233C14F00532673FDBE388CC7E98A5B867B1C591307A9015112B567FF6B4F318114111FC95E5BD7C9C60B74C1F8725")); } nettle-4.0/testsuite/shake256-test.c0000644000000000000000000136017415141166425014321 0ustar00/* shake256-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "sha3.h" #define MIN(a,b) (((a) < (b)) ? (a) : (b)) const struct nettle_xof nettle_shake256 = { "shake256", sizeof(struct sha3_ctx), SHA3_256_BLOCK_SIZE, (nettle_hash_init_func *) sha3_init, (nettle_hash_update_func *) sha3_256_update, (nettle_output_func *) sha3_256_shake, (nettle_output_func *) sha3_256_shake_output, }; void test_main(void) { /* Extracted from ShortMsgKAT_SHAKE256.txt. */ test_xof (&nettle_shake256, /* 0 octets */ SHEX(""), SHEX("46B9DD2B0BA88D13233B3FEB743EEB243FCD52EA62B81B82B50" "C27646ED5762FD75DC4DDD8C0F200CB05019D67B592F6FC821C" "49479AB48640292EACB3B7C4BE141E96616FB13957692CC7EDD" "0B45AE3DC07223C8E92937BEF84BC0EAB862853349EC75546F5" "8FB7C2775C38462C5010D846C185C15111E595522A6BCD16CF8" "6F3D122109E3B1FDD943B6AEC468A2D621A7C06C6A957C62B54" "DAFC3BE87567D677231395F6147293B68CEAB7A9E0C58D864E8" "EFDE4E1B9A46CBE854713672F5CAAAE314ED9083DAB4B099F8E" "300F01B8650F1F4B1D8FCF3F3CB53FB8E9EB2EA203BDC970F50" "AE55428A91F7F53AC266B28419C3778A15FD248D339EDE785FB" "7F5A1AAA96D313EACC890936C173CDCD0FAB882C45755FEB3AE" "D96D477FF96390BF9A66D1368B208E21F7C10D04A3DBD4E3606" "33E5DB4B602601C14CEA737DB3DCF722632CC77851CBDDE2AAF" "0A33A07B373445DF490CC8FC1E4160FF118378F11F0477DE055" "A81A9EDA57A4A2CFB0C83929D310912F729EC6CFA36C6AC6A75" "837143045D791CC85EFF5B21932F23861BCF23A52B5DA67EAF7" "BAAE0F5FB1369DB78F3AC45F8C4AC5671D85735CDDDB09D2B1E" "34A1FC066FF4A162CB263D6541274AE2FCC865F618ABE27C124" "CD8B074CCD516301B91875824D09958F341EF274BDAB0BAE316" "339894304E35877B0C28A9B1FD166C796B9CC258A064A8F57E2" "7F2A")); test_xof (&nettle_shake256, /* 1 octets */ SHEX("CC"), SHEX("DDBF55DBF65977E3E2A3674D33E479F78163D592666BC576FEB" "5E4C404EA5E5329C3A416BE758687DE1A55E23D9E48A7D3F3CE" "6D8F0B2006A935800ECA9C9FC903D86F065367221067658B4D7" "473ED54800D196FBE1089811DD9B47F21E3698B1573653ADAD2" "31C39F145B586D6C0133378416138E4423F7AF7DACFFE965706" "A3C49024002B53BA05871E3F066694B163630B0053BE41FA45D" "4317EAA84214254038A37A9C83D62EB9EA6E6ACAFA6BBFE5AF9" "F389690D5A9E27BF97C1B93D93ECF36DF6DA212E12B24481541" "56E94687336B6DA91E368512B9F34C616166542923F3618640D" "930F922A3DDDD2F87920378541446F2223F593931BD1BA02E29" "07CE3404621F26B900D05A1119A9E4934A7CD818DD9237445BF" "50475A011EA0078788801D21DFECB7A2BB294E4956DFA71D8CC" "472405342BF80120FE18A551D88D6ABC24D83F077BFB25EBDE5" "F4B03678D677EE646DCE3496D5138BE108782CA5A00AAFF3CB4" "BB873EC0F2E932DD74847033EC5F07254E3027B0AC12DB7D6D3" "F90B53D8A5BD63B99C3BF5CD38B453D7CB12D0AE2BF1CFD3EE8" "8AF71BB6606B0B791DEFC2D762C8641BB8319FE17321EBA407E" "B744699D92B35ABD79F5B9A85408C93D61233FECE638023875A" "A02B9EDBACC84003A28CCA2D55A0742D635FDA888905986CA01" "C1E6420D49EC25224D84E915DFD1638A492282F1FD053770168" "953C")); test_xof (&nettle_shake256, /* 2 octets */ SHEX("41FB"), SHEX("B64ECACD5F7499ACC085C908D35DCC1FC0131816F28D360592E" "1265079F92A5F844C4BF6AA50D98D52720797E8C992F43C76A7" "3FD95F9BC4CD272157842ADA2518190FCA342DC20D0C57CDDF0" "1B3DDF77977EDED63445E40BE82DF8D26DB629A2D307EE9FE28" "D2FE557E3971858C6D67C42BE2CF44DD7570521CE0647446742" "5B7AAAE39DB90945BAD388009ED5715C684BB4E4981EEA324EC" "F66584AD08D9F27C6A4DCF615591857BC7364E8A7C136661AE5" "FFE828C734DD5EA5A071276E8477B8525E02B7B445D91CC6E37" "D58740DC2B069BE6D92E7DF95C1AB52B76F7761AE34328962EA" "C7156E460B3C04FFECAEC8722A56E7373285E42D4CAC5498F8D" "7DD5ECDA9F9973A32F8D425171E1390BFC812C9EE4D4AB8FA9A" "0D93AA90A4C258FC64D77BBCF49977E87C3810C80C458516899" "6A31F446F9391A193B888CD321E22E9368F4F11495FE124141C" "04015532345D7CB0A13A4DD9007D737B3A176A88E5FC153D4AC" "2E8CD641C40C4261BBA70E1B87114030FF67CB22ACEC90AC288" "D6B59D25B00038468B4780254FAC4EF158EC2CD52C0AB9217EE" "D1ED0A5E7B4C4B3A64B1824E2B27AA53398765D5352BD1ED0E9" "C7B3FB264D141741659F7D8FD0EEEC9F9163C42AFDB540D5F2C" "87833880A0C942AE4CCEA7FFF2F4C798B8AAF24C33BE8054A09" "459A3AF7200D555334241709A18ECF88CE93C99234D6AB02859" "16AE")); test_xof (&nettle_shake256, /* 3 octets */ SHEX("1F877C"), SHEX("F6BF0397DBFBB20E4AE30F0A47FE976CD109B3AA09B0E3F29F5" "60E4ED333C0D083326B03F6EAEB57E277BBFE1CCE36C499434D" "838CB4C8CD8B02A87790F4A6717B22D46F9220391C420A1A1BF" "AA9ED5B85116BA1D9E17FF16F6BCE6704C80A49FD9AC42689DB" "0996C6BD3266694077C6DE120043A827D44979CE8CCC6AA7E53" "08EBA64ACF9FFFF51D36BC4401F8117D4B96340C62D106B0A64" "45F01987F9C4C0A420E1A9BAEB594BCB1BDBFE59B6065EB91CB" "EB252473C7858ECA475E1C81E8425C7E2C1706C4C4ABB3AEAE3" "9332479ECDEFDFA93C60EC4007A51C5DD093B527264155F2202" "E01D2083D27D71A6F6C92D839E6EA7D24AFDB5C43630F1BD06E" "2B45B2C0D0AD70BDA111363298AB9754F26DB00A3FD93D72981" "DD463DEFD286320A274F5422E9400DC6E7C78D75534C75AF6B0" "398596EEE5048919B8FE33467C2B7C227BC88994B28819815D8" "21DC27BAD0458D57F40B12A8A933729A0F6BAE74DBD150325D1" "4C302835AB95DABDE87A2ACEE9347609A6175DBB538FDFB278B" "E0B3D5F062768F9E0EB1AC9C36B4E05E3ADFCA73981CEBAF6E0" "47A18196EA78846D9A782B6E1CEE2036866DBCA749644E74EF5" "A4538D4AFB1706B360F734814313D20A1AC626BEE7AC0FE9F27" "7D48BC50816AC9743A61E32F8B26CA6F4DC81FE7F3558AA2F18" "586D89A8E3070868C76B4CA4727F541072DCDAB3D547D52ABB6" "F356")); test_xof (&nettle_shake256, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("CE7FBC15503986E3B84530D84A16EF64332A6EA57E354E9F205" "4BFC2AA8891F94B4FDD42FD227C94B33F9AD45CF3982239F81F" "BC2CBAC7809F01E1C294073AD6D2821C1283C5C427F41FD4645" "5EF7B4EA0D6D5E249AF95FAC80A8678C1A5318443E63122DDFE" "D2591FC690527F97A09920941B02439AF3BA36B17FD588E187F" "CBC1FF109AB4A9ECFC671926EF0CC9C82EE06EC6759E2758A88" "59B8FA9DDF46D6C049621FF589F3FF56C9419D6F48A68B68FEF" "D068ABEC24824D7FC150277C2439BF78D15D59DBAA2CB17E528" "2E6E9ED744841F4A4BBB778CFEAB0471CE850B2A2F948DB3926" "F733EF7B3AA9AB8EA84278DCA62B0691F5DD13EA11660A8E2FB" "5CD8BA74A352C044E7219E750F29B62F94ED268A68029B94B64" "F3D4F2193A7FC69ED34A59657471F04C4961084EBB581ABCC9D" "50E3674A7DEBB285FC7215BF6606DB1392A7F1619B347A4D07D" "230DA07811FDE2AEBE45A70178CF841C619F712EF26BEEECC41" "83A1040076E73FCF6FABE5C25A4B71D564A97CF3C88F1856D9C" "8B42E94F746CE4605D2AAEB56D1DA5527598E17E5680D309788" "E09910BEB74DF7D3C3CD4EC680083F5845F4A1C15070E57979C" "01B89DF7BE64435EA4817BC0AD23ACCA6CB878F7131F02F9215" "E2D5C12CF3B4D24B29620C891A54AC8BE6E3DEC08397887DE0E" "A86B81A5459B968FBAE18B4B0324DE7E7C1AEEFC7598644CE1F" "F8F9")); test_xof (&nettle_shake256, /* 5 octets */ SHEX("21F134AC57"), SHEX("BB8A8447517BA9CA7FA34EC99A80004F228AB282472841EB3D3" "A76225C9DBE77F7E40A066776D32C74941202F9F4AA43D12C62" "64AFA59639C44E11F5E14F1E5695208DB78F37CF3AC172469DE" "67B80014D1A4B968A56F855BAF35A275B8EC77B9CA591257AA2" "EF048663CD05D76B72CF3A9D2BB44B154B16E95EB8B61BD8415" "A867367F0031BFF5D49237157C197473309FDAAFC8146AB9FCD" "4254477B052AB306BB575ECA6872863B5F43F026C2BE3289E85" "7D50441330EC02F6AB4C6329B18D3AF0A1ED9DB70F34016EA0C" "AFF1F0EF08BA6D26566DF6CCE9A457E1900FBA3338A771E40CF" "B39581F16019D521E4F398539C4A6F2CA22ECF9158B96064C0F" "26B8A076E58B5F0BA3187342A5C9A5569E6D08A2AC27258CF04" "26D995724579C723A0FA8269B4239026A08D88738156943F1DF" "F6E0FFF5E4696149436CD97732424366626CE7B67A3BBE480E4" "25B51872AAE7CE59E70995C194E00FEE82119A4320A4B91158D" "B65B83195C9B799D3EAF3CBF8593D11DC67EE8C0CD7CA4FAE69" "D9F46A7E70186A33DFAAD510D8DEF82AA5710B0ABB70DFC396E" "CFD33F56F66957B82A220D1ECA09166F72358A71054A179C196" "1B64F26A3D7AAFB030C28A73337862E8364D3F562B324CA2EBE" "F58B7A8F089213178C8D0ADDB5A18022154CF010C722C279AE6" "0AA984597EC6542EE1ABDCAAE8D5545FF45E781ABC7145AE2A3" "1249")); test_xof (&nettle_shake256, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("69401EBF1D4C7EA500BE60EF06783DCB009A13B4FCD8B341E5F" "2E40F39E732237E86716F26873C1820BC36D20F6D5E64A9C5E6" "36855305CBC3F4BE4A9905B5F79FB769A794299EAFA8E81FFA5" "1BB4D602480B1C40F9EE9BEE017D5D7F6DE68C8A79EE92A20B9" "DA5BD3D01BC565CDD3E5786FC4D48F719C01CD6D3CAFCD500F4" "F768600E6891102FFC10F1394E3A40A1BD54381775BB400EE6E" "20B95420FCB2C86BBFCF380BC95EEFCA33BC8DE823E13B4B04A" "7AE1FDEB8279F3EF3E4FD50B2FDE530B0D4C8DABDA6F225A412" "1A79FED79D8A013C9DF1103ABF081294FCBBC5ABF20BA38E007" "5169A9C13CFFF94AEB271A46875710A60CD78915C33892D7FCD" "6C97A1C74846ADDA847F58ADCE8EF762D11C4F15FF8B97F9BED" "C97E1A8AE554C0B9E66BA1D48BCFAD0D56F91B65E25B03A5E48" "CF4DB0DBC467BBBC1E037743991AC72B4B259D65013A2708EB8" "25DFDC65093A4F4F5E98427DE7C60138467D8900ADFCE1F2740" "8638DC66957D27CB774BBAFF0BEDEE0F6553BCBAC9724A20E8E" "D0CE6B2F764E4F0D80E4521788A5CC88C3D36F19925AC2F205C" "F6EB7E6D6888EEFD0BE49BC8BFD8A80B9E05DC7513BEBA7BE52" "D39BF9BD2B2DCD03FDC8F8E7F90A83DAB2AD85F51D040BA0F1C" "0A9DC38E929A50DB7F99A26836612E601C6E4346E5E895EF4CC" "FCD6A5CC3777FC11FA64A9AC27D2CDA67E29CB18A7E99E2CA07" "30C6")); test_xof (&nettle_shake256, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("C02561C12CCDD167CA959D9756CC70946F7FED8BA705E3EDC43" "3D3C45D9299D0AEFE9E8E25D602C4DB0D14ECAEFDFDFED2DE13" "4AC5D0C4DFC02ABEFFFDD7667A434936151D529A93CB266100B" "94AD0449597B1590398A1A63C42649385B4CFAA828C89037E0F" "97BEDA8450A68520143889A92C258645664EB57CBA01C3B1134" "318E11A1848D912D0D2CBAEBD59A71B52495671C548522F4013" "94FE48DB49956C03044CAFBD40371EF657F1AA86E4969459BBB" "D21DEA563A51482A47147EF85487A5CCDBC532BC2AEBC3265E7" "1BD8D56F4521CD93354A73D175FCCF5AABEF2768DE2D8E851D4" "FC21FF032829411DB2668300853BA5F8BB1FFDCE3FF59197BD1" "833D2ABFB8C3027B36B21969F7E36C3B6F3FABA9454ADDECDAF" "C213D347A44B0D364997A9E608BCFF3D2004139CD05005B9BD8" "FEC09E5976EAB977B5DE8E39373C10D9EE2D2EC196B33689783" "EF3ABC3DBCECA9BF33E8DEE9A1AFDEAA71A2FE42A3B0C60781C" "9A2D5714278CC7CB349A3B6E7251B96E4E2FAC606B459C28AE8" "1B551168D28ACD01D4A08416B6714D8F82485A1C6D5348F7DC4" "981AA38E7F39EDABC981022C4CD3345383D8C25C929FBF66026" "F91664998BC34F9689375D06FF95D208D4ACC7791633B222ACF" "D3EA26F8B5C4858997A1FF77050F280AC7B7E5325ABE9E55FC2" "7EA8ED1D9D32194B0C5D8807F94AE6F737276065CA08C323E9E" "D421")); test_xof (&nettle_shake256, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("8A804FC3A4FEE6CEF6808C756A17BCDF6B235808493FC78E797" "01E59A9E9A67D60F0F256AA69DC0258A2510F9936AEE2BCBD0F" "679696F439F37BF9AFB170D44A58DBCF71EFF14CEC1E624D3D8" "F1DDDDD3E33421B1E305C794C2C88FCADF9D7C51F52E4352BF9" "C9C895AA457F5449E82FB36E2A64D1AA69771EF3D675F09030A" "95653837AB2237DAA7FCEC36651355B2507713CC6A2186E950D" "E82DC699122644193F8F231C607BA7F3BDD0A214B4EC0155D30" "517F681FDC2A89D3143040BE0E0B6DC7E5185C723464CCAA2FE" "321AF3B4174283355FE3D1CED518E00B6063DDD607B166BA388" "978294244EA8EC773A528003A04914B76E9BE3337D806CA20C5" "84B2BB66AFCD144417E3D93243F185D26DBA90EA39259C7F23B" "8A6427AA8A7622F277605F4A463F78A0C189C8DE2C553AE2077" "3D7CB4F7E26A13F4204B3752D9CEDDF29849798479A4BD0D7CE" "4D22CC51F88127435BD161F026B1811A723E786DB1DC01F921F" "E076C3532FA969EF1F8993E0A4FB6C17597D8DB38DD7AF259E3" "22751CC0A1CCA2EE4940F4EA56CE9179941CF4696256CD04AB8" "53266D12E7E679377D54E2C2F24832974C573192DD2FDD4DA5E" "FD72114109248B03F0AE03123252FFFF977BDE87AF8D8022C4C" "51DA68EFB87ABEEDA7A72EB4D0D1A2EB65EA4CEBC7CCABF3787" "B9BE98E14E4A273635F69E3E4BA557A1A42D1BF69EBD359B895" "320A")); test_xof (&nettle_shake256, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("7B5562ABA86E6329693CE1CAAB2506AF93AD28BE4DE045E66A7" "B277C4DC3C2C9E698AD5F6D8826230A38FCE87142DD83B28F05" "5FA7A9212F5017374A7EAC5BB7824C1540597DE34BE9EC894EA" "BCF751BFD5DE029A1CADA7E599D433BAC0499AAD9782579D282" "23A5D16264EFBF55EB1370748E7DAC4B56255468FA9694A93C4" "B3759F691D9A4A08B53A15F61FAA1268E38AAEB43B3FCDBF0BA" "003E2037EB52C8E9931DB9C60FFC1D1FCEE7663D1017AB6DCC1" "B92472A88A3D568AF5AFF930AEADBAE751753CBF2F987338DEB" "1AA822FE28788866073319662438B6CAF6BD8D79DE14FDB6D30" "F7983F5711177765D7D5E1EFB610FAFC9DE733C9DB3FD2F1C35" "421D29CB96F87A0DD1E83AD19ACDC7C2BF7A6F047994A96E6D9" "1BEC34AAAF18AAB7B32A0B379A60F12AFC697770CC6039031C1" "3B5DD66E0D368609D3018ACCFB02FA4973BDA707CDA096D712F" "AF59B43BE3EF5EB7C227530C987DC4991955796B2F588359112" "B9E7566CA785CC5706AC333D12E2DA37A97A13B69540084D1A5" "908ED3BAF73A0E1C55A6BD036F1342F8EC671593B9B555DEFBA" "BB3364914E4396D6E2B2ADFA951A6A263AADA6D879B4FF330F8" "48D2598CB418E530BC63BB11E7A247C5A2C21D5C2A34D237219" "55567E4452DF9F5E2108C1FEA8FBF672422BB3B85C7C5664B91" "8D3F3644339367CEFBE609A9B00C250111801C3F365BA752709" "B76E")); test_xof (&nettle_shake256, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("C92FDFEA927EEEE73162C436C6A3FB97291C33787BF7C2CD80D" "ECF6004C043BC4509A2CFAC1FBEEB0BCBC7C2974B168AF3291D" "EE1AF2D0826935DA79C5BF7CF3A211F347C2A44630DCC20E964" "E3BE24A20766A2EC50310F4B1990A3987FD8D144D3A6F091C6F" "8ECB7B2069905A7A1BCE8A49A9779E9132BAE521FC44689F786" "1B7C735815448984D6809C2138ED64A45C4320E09BF459A985A" "41D024DC4CE0D95681DC9379FC4DEE3C024436E7A949589A74B" "434F6B5D5742501D1E4761E0DF89F4F1943614C5682086D31F6" "EB2B65A005FCA29B48777748132A15BCE74228E5CDCB95C05F5" "1730E8E27E9DE71D582A95AD3E78E64B978D872B91A88C6175E" "C3F92D5AAC14BCEFD0F6D8D5E2E19DE467C530FDE86AAF6FA5A" "E0254EA01D70860278C24BE7F7C52669AEEEC52C606FE664D7A" "8E857EB64948D663DC11E9DE33A410DCB3EB61FDF6E9622B66B" "9B9F4A39C4B578A8D346906D14AA713D2B266DB5B85AED05186" "CCB2809B38BBB3C9F99C2861793FC70D972B51F2199674E734D" "46FE0E8EB675777AC9E4B578A7DE4DCFB5AC1E7A2EB0067237B" "985050D66885F85CE3410467B5CA374A9F420D8CE5DA4A4934F" "E78065541C53D071C88F0FF132EEADEFBDAC5E98251C597930C" "DB32D79656EB44F95C78BBDAFAA59B7E36DA08A58AF3DAEE995" "36EFB56319643FF422CFB53D152EA302A6458F58B5EB9F2C81C" "31C4")); test_xof (&nettle_shake256, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("F772DECEFF020D1BE280E7F93DF5056577E78D104CB1E2AFD42" "2B021C6206D94AF56EB9404F8294403173E4A6932A1576BCC47" "580B6CE2CC80B20FFB274FAC017FA05B3D804A6CD8E874CF258" "E5D46CCFE06D76DCC18C9874CD3B7543973EBE3367AD38E51F0" "A46B92D47A68018A819F2D90724EA9F5FC51F444003757B028F" "BF96F5413296AA9BB8532773EB8CB7CFC803578FAF52082D4BB" "8AF606301FA927A94FB62A73E2E9FE367E782351185516C181A" "A674E19301A38D1375E1658A181DBF927973C02207BAC3A0B65" "C0C6904E8195A3C6550D13CFD46C1885987263E82CE56485759" "BFFB2647F420625F2B483C2750FB0B4707A2014FF57B1A42375" "B37B444B0811CED4CB93D5C45551D5E1C8DF20BCCD9437B7E43" "9156DD9AD4D905393AFAC1347AB2979811CD1BEAC7C454C4B71" "66B85BFE52FF6C4905C55D83C15C3A9A7760BDA9FC4B90EC4AA" "BF9CB3660A883BE7137733A1477971D479049268ADD74E0C821" "0B1A9FABA84FB940F62B1193CCAAC3F020D10CE14DD8C058C46" "BC35846C07A10DAE9C03C3EDC323CBCC83987DF1FB2ABD141C7" "C0694624AA68DF9C306D2E179FB4D603F42C99EA369C90C1764" "95104FA7DE772EA71A9FB014B467CA220F9C004F287F8F0786B" "3D47C9DAF3FEEE80B2CE4A92AEB0FF8E8C09448DAD76F5FB01D" "6997EBB139D7FA5DF8C0BF12BBE0AF2B6E354C4089F32B8C529" "4634")); test_xof (&nettle_shake256, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("00F3525289B33FB3C179398EC76F2E31B824A532B2AA6B2DA6F" "FAD5287E07F9F9A2FDD2F2032AC202119CA0A01B7C9C6DE7248" "77FFC874D5E578066A4BE43757BC2D9B09AA7B483749E0F8858" "2CF9CC3D47B8A0A98D70AC793326FC5EB6533F00EEC34BFAB35" "18FF4E98B79582621C2BC7BB7AC8AFAA8D60DF3F072FCAAF514" "FA7FD9EFE2B1FCD3CB96A7F70A87436922584B93EF74BB03254" "16EEFEC14EFD150432366C1C1E5F7949C2573CDE16A24C42918" "C919ABD988F8951207149F873F78D2793FD642F3B3E93041B88" "55B8CCF62A2F6A2B8ECE4DC704CF693069BC789D470FC4938AD" "23D5B5DD20D13E31345B2169F750E69C4913E3DFA1F1E54A301" "9A8333B6648659A6A2E93882FC4F8AE0234FD149123D831F148" "213F578E8961DD07CEDF94907ABADF7EFD84500E501BF2588E3" "B155E7D24815DA9584595EFD2FC6F1768F651C1EB10E0029553" "4F89A8DDE9D37C05F7E4EF9EA236B615F82BFD07E7F6FEB1C62" "DFCDD4F598BDFB3CBB0FC3259ED96D52AE156B20F0F6EBB0891" "27CF98F045BDCB12DB84C2EE47800CE36AB10F982231FE746D3" "2FC5002700E264AAA6432E7BC6BF4F4AF41E82E256C3DD6DDED" "B24B3607015CDDF78BC1AC56F835D03D8297BDEE57F87EFFBD0" "66C3DE372F285EB2E7D7359684BD2072B090BB78C3EE71A45A0" "CB7C22EB4081CEB3CDB89CBAF3D124AD86A9A830457E273C8AB" "8B33")); test_xof (&nettle_shake256, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("1CF1698F0702653368463A9EEF102E8588FD5E711F4BA16E379" "8D7C7730ACDCE6C65EA3849CDCA9D08437BEE09F78D52397C92" "D0F00ACC9D5E9450213F337B9A75697E8FBBDDCA67CCBB7F8B2" "CAB1209397A4EDA1BA9AB1B44366E4F7A0D2DB47D5480247194" "D486D63D72FCFECEAC8CFBDB7F8784D4CC9214B3893FC7EEBC9" "7A33B9DDEC9605484C96BB77CAE4D212F16229DD507622A01C8" "61043320D9C06373E1E0D9649D95B42A990B0B447ADFBD307DA" "D1394C30D12E010AD5F6C8ACC729904CCDFCA2162C32C5EE565" "4316E10A97A192EC23BAAF594B711277A301FE6EEB4B54903D1" "BB736D4788F65DBEFECB4761685C683DB56C05D0F26F179010C" "B323C2FC8B9A44DD4A172BE2228C6B0A0779B0637E6B5DE0477" "76597A17FE94D86AAED911A1DDD27F8F61710CCA8C5F38504A5" "0F01304B559419F06B5F043DFE984B4DEA2DB6090C1A836F26C" "0728048C0D89401722B9576577F11700BBC5A6BBF1C23C687BB" "478112DA0DDA52C1ED622D0227382F76EDAE51DB2FF14C098BA" "E8D25A2A53D98508DA98C99AECDDB7EAD8DA98AE41BF21A59B3" "FE4B3DD68F0FB15242EF3056FBF77462D4FF67E0B344BE02CCF" "03FB98F6DD5F6D306A4C2B2451EC8AA2933172689BD11A7E391" "1B236905D6D8CE1C030E754A0B493CFBAA39123B0DC4B7085F9" "FE5988B0447B706CF226EDD34B644BCB591A002A08CBA030F6B" "1927")); test_xof (&nettle_shake256, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("413131ADD0DBA2B0A48443D3399896AD65BF5F4426D234AE20C" "9D2DB3D9DFAB81401D7722842A58312F837E7DE13069802F58C" "7CE9A3AD1703E9C7170D1AE751023147464CF8694515AB5E268" "36B935ED493B9D66D9229BB0B66F1C5AC721D8AEC1F883DEC33" "D0380BA79BE198A6AA1F2CF555818D54CD28C0682EB44FA0F18" "10DF50A8F005557C9BA52F02D70EF769EE7724B852A94E1710C" "6758307FFEE309C8F884DD0597012679F7C97CF59F8A41B06A8" "45CCDEFD5CBDA268885A2781FEE48FE4ECF4D0559868607F352" "4AA25D1A5CBE5C33FE0E8E8E47B6705203D49CAE7F1749DA49C" "BC469B8870C1CD7D029F6398CF7AA0D3114F56F78885093A59C" "0C188ADAA40976827AE1000BD6AB4C7A2154D80AC6786CC23AD" "EF333A2C538152584045A87E942B8033C565506BD319AD99C85" "A4655F6E47979F55B5F9F9822F9A338CFBAA50D580E27953BA9" "D13BDB3FDB480226EDD2A8F8F56C75015714A51EA63C73FFFAC" "63DC3FC6FB8D509BC40B87B9332FA37DAAA441D05984BA56781" "AE25D324E508B300E6B07629EE5BD2DE33D3BBE6FDDB699E35C" "324FDB521CDEFCE30D01570AE82803B0B54A7C1AF4B45121461" "A848477C11F535B700633D88A68AD2ABD9AFD09A4DDC1BE5511" "B574CA6E525EAC7A6CD7C26EED3E5656142AB8B24D97A76FAB9" "4EDD8AF21CA7170A98660A5CBDA15925E67C5C579363DC4F697" "0C95")); test_xof (&nettle_shake256, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("2FEAF391D45B2B8632EA10806E35D465F2F767DCCEA9304502A" "4CF9CFD85F7CD46BF0E5CDF2C31A43C6AADEB0C4683B3FE54E0" "42C014457D0542A8AC09529C1931FD1CEEB0EEF6C5A1D28F7FD" "1E7998537D78B9DCEAD530B0AB257E273432D3D7205E451CEFC" "6906451DDDC6B3B0DA1D1F2DF3F043396858E7619B8A420D0CB" "2CDFBBE43E19BD2BC670E2F5DA51A1B8141F7FA0FA79538FC90" "9D31847C46653C8184114505C51C49C844EC18AE5C6EF782040" "0D0859B3820FED6B023D1A3455C2BD6E1A7D25169B58BB71A82" "107893F27E994BA04C79D209ED97E359D02B991E402CF0D14EB" "61D4C1ED931B4526D63E9E9517FAA5BC83A23521620FB5B9E9A" "C1CDF45536AF54E567F5D9BC31196D23C58C0C70939497A3E11" "FA544A37991B5C06B8D7F57D3057E83C3EAF1758EBD0F569E5A" "8979D340740A9FA1ADE5A9D956F171D9A0D0EFA871E98AE8D5F" "3D5733FDF0388FD8D9564E6C267C6438F0F78D7A224DBADF7E6" "E645EC6952B96A9D6FB441CDD640B576B2C92BC7C5FB11CE767" "B0105DE7907DC00DD4F8F25DC85B6A84083500F3127708ECC12" "50AA15D350437664D0D6ED61E83DBEB951260C1746C0F06423C" "4B84FE75A752E7F034B2584920288EE697926B9BC87FD086299" "2C3D9934876A978744043D8949273A3583A7C5DDBC25DDC0C7B" "EFBDA1F306C9EF7A2F21E15543EBD5EF87C39814C91E1B60B07" "9700")); test_xof (&nettle_shake256, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("57119C4507F975AD0E9EA4F1166E5F9B590BF2671AAEB41D130" "D2C570BAFC579B0B9EC485CC736A0A848BBC886CBAA79FFCD06" "7CE64B3B410741AB011C54422568089405BF1E8DDD9E3BCEFE1" "A713DDA18CC2B73FDE0EB323FA7518DE2808C875A6C55111BE3" "E0CD20663B794048F5FF44638EF871FBA0F4C2ED41A96D36216" "06740935E9EA1ABEFE15A1A3BD55C8AE6B2C021CC772B34DA21" "9115C8F6072A09F2B718E26ECD2538E5F12068F577ED7D03A2B" "BCC7CA7DB81D2CBAEF2AC8F33B1355798576CD3545B9DC792FD" "BB9C8D1C123EE0407C6328E09103FA6CE1B4DC9FFB0BE7236DA" "B3ABD29E704D0C352C524FAC14E12FB61929D98DED973D7E878" "5A8ACF52AF56C01CE62AD93660C93B683FC22088D7302F72D0D" "AE54553B0C3E6DA7C498BEB3AA46E7459779A1B0E1FB19556A7" "1635B404C0BBBF3F34536F2776FA12206513FBB1F2A11CE9683" "460D22778867ABA7335210D817B720B3D8A8C48243D128EA2A4" "BA8996D160351194C0AD3988ED0AC5ED61C1F576A33C914C2BE" "BEE0EEBE55878E2B43A51E510251068E3C0F7C7292189573EB6" "AF979CDAEBA8B8E359E6B632BABAFE3528773CDD4A1861B7AB2" "532113F2B259D45598A76D54C739DC2F4AF2700F3B5CF22431E" "D9F73D53CAF41D134F5CC67ECF8F99549C091CA6697FF20E08B" "F6AE9B6BE74BC77F26DB50D25F48E67A94DD705521F02D3CBD5" "FD56")); test_xof (&nettle_shake256, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("87F2A509E9D42B0F595662CC93094F26F06A86D79D98398B7F8" "7EE2BB5FB25384F9FE3F7A72AB5DE21CB3B7836F73618307242" "D53937C67CC5F36A7552F917DB12A4364736B08671314EBCD3F" "34C670E0BB066D3E8792ACE223608F5A152ECBF9FCB4242FEDC" "1E27143835F0C06320174E7EEEEB60F6B5A8DC9AAE97ECA494D" "79B3DDFDDBE91D3294AB4C3B3CBD1341EA4917733FB13A15BA3" "4B46F0D5981C9DC457A123C4152776E15B37870C24EDC0BD9CB" "73CFA5D290739C17289C2DE3A71ABA0DFACE3B76DF71CDB6769" "7321772357587E3C2319C15D867A76F5C7BF5CA2F523265D411" "8EAD7F96BB30349F5C4373D5E4FAB4076CEB6AB8C11CCDA6B72" "72121A11F00F67D7D5AE31E86EDAB458BCDE042C58E3D3368DC" "485BDABD40A3F6B7294C038B8ED3026E70ECC9EC7D6060504F9" "31AABA816D5AA5EC9FA7CEFEC123E71C5135178F252885A7153" "A4714E0D9C95AF171A6AAB936F0B464AB07E32AAF29CD4D9315" "62F700CA1419BCA2ED1243F8EE1B442CDB1F5252225954136E2" "E80A7FBAF9095108647AFF7F31D4C4CAA050EB1A90AB1D1AC0F" "67B9F411006A4B76D5CB4B48D2154DA87303ED37C9F911064E4" "D2F0531474E98F3F96B1A0A008DDD0AF4B86435F8B26BFC7693" "C338C6AF5823FF7A9BEFA57D72E2F1BB2982DA356A8B3D08D4C" "19355FD6EFB35D68B3A41144B49713A470BF61D0CA05E520447" "68CD")); test_xof (&nettle_shake256, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("20561970BF01E4108BC498DA4B8F900A0FA378770DAAE9703E1" "66898874A1821AB0432D7CB1D0A7006E5461DD3049387C41163" "27D1D3E0755CDE00A3C40BB5FCFBDE5AD0A7E46650AE7CB37DC" "2F0E4F506DBA47437EEEC9F823ACD89F3EAEF767AEB39D38F88" "00DA54790F362A3C183CB9BC420047EE86B3EC22E2B2F4C029E" "F64A5270C21255D39363894AEE6478788436C758E4101F2096C" "D7F13FE76E54CC5CD85C9183E6E1A1A3A218379997AEF9DA643" "D8012F402FBBF88E6D0AE991EC4645F3118FEF0F66D7C8EE745" "28D622E1E9EF1A69E39CA7EA0E045BB568980D4659ED20F0CE6" "8503620A94ED7D5C9337DC20805D2DA7D0F14B5AB3B93637F77" "1C9E63D0B57AAEE353AFF672596C4660CB39381A9010600CE93" "197CC6A06219A3778B89B0F6AE003B5F9BEF76CCF6D551B852E" "076A678A74E75E408E1D4D6B1960488FF21B6F6B7C308205F93" "BD9DA1C6DA1DE9707307410BD7AE22FF24E24BBFDAE849FFE26" "66B1BDBCA2E08CF9D0F3F7698C4F983D4B92EE28B5B4B8BD98C" "317AEFCB41E56DD5534F59DA6C84B3D21587D2EE740F54A0C7F" "AD62A63B98AF747237B68F78A39CBA4596F81A223367D345576" "88B324B5335CFAA67E78A8095C92D70802A2AA76129DEE69B91" "D175BDC0A485A58C91CB8EF326B2C8D1D82325C4ABE4A0F764F" "C01A9F0A743E7F107CE384DC223D7AD7481AC8AB7BB273237CD" "735E")); test_xof (&nettle_shake256, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("F29097E10DE56C3A4A24746EE4E7A6507050D18E40F1CB8C701" "B5E589FB645A4E400A3FD2C9C4D48E57BB9E146ABB1EF98D0BB" "C6375C266754C7F1CF62682F0C6A6D6B11E2E0AEA41533DCDC8" "51319A34FB197D56F4A35D3B82C3D314ECA59E03774E84391E8" "846D236D0CC51E7A5591205C6C1738B746E616B2A8267709103" "F51D0ACF3156BA42CB226BE3E94F2293E9E0FBC19BDF5717633" "E17B5944A02505CC53B01325D1D77965295EA6B6B50E1294176" "7F7288B9F4E6CCF3F567A1EA3D17379BD1DDC357039FB356D94" "57956A8E149E30AA5092A4F85DBEE2083A62610F04FD28A5A18" "80183366211287E9CDBE8B261E93557A38F6EC2D13FCDDB5DD9" "05599B5469257F3F2E83125DAE5F30E8E7514D55241121D9685" "08D1FB55C8F339530A437BDBBE04C42B6B229666763400F5493" "E31CAAB061A67ACCF41954C2AA0A7FA0087A4B828A1AFBC62BA" "09E91A3AA44FA4A74652882B7FF38C9C1692BF83FBAAA17F32D" "EE6D25518FA0721463334FADFC6D050E0CB195E477150CA1198" "EBE4D19ECAE1B1321003823BF04D8F9D4866BA3013C9A47FF0B" "53FA6C70F57D220D86E8BFE71A61354F099245004487B65E7C4" "5E090630E6F73FDC56B2EFE6B3469BD31D23384CD4A830A716D" "50C7A91DD09A45A79F47D73BB32D14BBE85CFB56BBAAC47D973" "A6F3F9FC23EDD774A31B533FCF7E78A2A75872C5954788097E0" "4845")); test_xof (&nettle_shake256, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("BF4EEE53BAECA39E2884780A1F007B5069E7A90F1ABBD12EF77" "C77A4038CA56609D52B9BEE113536D8FEC7D264F2951072FADB" "F2D3A0B21690ED5478A540C02D903B3675787929AC44A2BDC65" "97B2EF2956B3640B3771EDB189E98FBE8FB4CDDC8C641ADC707" "D47EA2DBE17616AA0ACB4AF8D7197626577A5AB5A71AF722332" "7FE96C4472B3F21FBA242416A266BD863BE3598D57DD910A265" "335D17A7B51F59DEBF9F4049ABEA37CAD33B8F2032A4FD5FC6F" "124044FBF2A9E47421FD6C1488DF87B942CF01F9FC7F13F7824" "C7C09AAF6D739F4E3876B383546EC682DEAA6F633E630101646" "BD1456CC22A7BAC50190548EE56C5FB0115809BE6B1D7CF5488" "A26660E0A80DCA89EF655A963E8013A61CE27DA232430183D41" "C9C9AF96C14E846ADDF3684782E207916820F57E04C60E99934" "0F9630E8505C98F467E2A122FEFD1031D67789F890BE96D7B62" "9828CDA153F9CC19BF8B6D0B0716F931F17014D9AC4B6D983DD" "41EDFFABCF33693F7558DAB690F669C53C21A4D8DE7BC32ACA6" "CC45225A2C980AEF2307A7097995D97EE060005CB965512CC85" "CC81A75D3F2F0975183D9CEE293BC69A06C896634962369E01F" "475098C62D574A0D6A57A5FDAB004DDD8C3D96AEFACB39B3E4E" "1523447BC8FE397B488D8A5DA6E4978AED897AD0A2FB88C5ECF" "86CCA7A67438B988C04F3C14A754A74ED3D03D478CE9EFD752C" "0531")); test_xof (&nettle_shake256, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("A697F36886208CFBD55C3CC1C407C3F978A31574E4B9A790716" "E601C6EE0ABC421AA5E5488B57E293CAD8AF40065C161407D0D" "CDFCBD172FFE700B60D7EFA289C4755733FA535365DB90082EE" "E0B812442E367BCD4451F152FCD54687DE4AE20F7FC60FCB3DC" "D1C419EDF74251EC84471D35E4EA43E684995101ACAACDC0D8E" "CF5F39840850557C70BE1477A2F168CBE97FEA85EA188594A4B" "DB583EF9DD2C5B682774E7E7E0CC85C1723CF91603793C711E2" "DA65869BE3A24D481C032A8674C1E0CD91A267302CC084B53C8" "4AF3D0A7D350BB62A2F3B9027E1F253C24D481A34AB8D8B164A" "78B0A60C95C13454BC4AE87C5E4E101B7D04C6C3F00E6BC4B4B" "B922F39C87A4AD843704E125F5CFCFD8A1E8E894230CDD7DBD7" "BD40A9CABABEB5BAE9CC49DB656AC90EBEE4AFBE3897B0F7A64" "059BB331A4767983403DF36C919759AD6BFA379920594D0F775" "BA2390A522C3FA7B0348781155EDD29BE53891B41F44E16BC5C" "290C1CF31EC33E66E588ADDD70E79FB26EEE21DFDF40A3C54D8" "E1CD79F2848B4238F7B803891EC01623AD92E53D3EA22197DF2" "9BB6554AEA8CF2D29EC4B673FAA0A0C64675F3BDCE07288EED0" "3D980C36E4D10689DD5E525F34DF78B1E76CD87F8FAC22DA1DB" "1FD9533F58577D136FE161A688F3FB9CFB42D909EFB98085FEF" "BD8D26498A847C9493E02E5364290CBFE45570BA39BCE1415DD" "5BCC")); test_xof (&nettle_shake256, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("DA7660020D2EFF07955C3724CF85B1B9533278FFD2EC05522B8" "A876DB92C7F9998F0F029B2156D630DF390B3F8F5A31A8E74B9" "43D6B36E1C97BC4F059408DE495462A8E039F590D5FCBC3965A" "663F33BE332F9E56BF37D9108554DC9FCDEA2E771A5E22EDE61" "AD5476153969D1ECF5ABB108BBAAF6323D7E570B2747EC04C35" "E7DE5EA2AC0306042CAECF38B0060984460D000DDD3DCABCDCA" "CC83414E56EE2C44F6D6DCF4875EEDCC4EED761B62E1A338697" "0571EE127D84563034F1BA93D2A84310956C532F0EC4414BB01" "AD19BEDA20C714125176EC202A9F8F9917359794239DDF0376F" "AB51A5160F0FC5CD16E7B7DFB0943CD524064104BD1CCE97A34" "2035FA47138C27DD9FB00F6528409E10BEC016503B17687C66F" "2A00072B6245EC061598DA570F36B9FE8F4C35E3E8FCB3CA1A8" "D913FEAB1890C8AEDE727E63C6085B5C196E82BBF872906C814" "40EC8B0A65B2271285616C7111C702964E3232AC34E7CD4AD5F" "5568C9E30B813941C02466B817CB1523D6717E58B4ECCBCD74A" "923E806D82AF352395F22526E06A71585B71569E87C3D1AAFE8" "C06098204042CB2E41E92117E4264ECD229A7F2BF2A9188A532" "64195766707430B432FC332E160D786A9415A0260DFD91482B6" "83AEC0E62B0D1A480650041EB7CDCFFDC9601AB353D9197CA15" "604351FC226BD574C3B66B1C6227B7CF6577DF01520214A961D" "0403")); test_xof (&nettle_shake256, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("F887A018985C64AB3D5609BE2121E73F7AB70D4A90BF47660E5" "35B72DFC0A1DF20EC0C372862BBDD1C74DB76A0ED12BBC03228" "3AA5FA615AF320E1C15315EA171EB224184691D13D38EF39DEB" "FA2629DF136FEE74C49D61282DB8DBFD0CAC30B135330DD4F25" "644B73FE8276C66325BA588C7178D39EAD3C8DB5BFB6A5F30F5" "90181C84C6B88C421A4ADE52B6DFB74D1F1D82EB206FBF8678D" "95442DB8292189EA349D3335C8A4B57E88C4F91B12CD0A3FB10" "830783869ACC88BA943ACD63ACDDFA8634FED8339626233614E" "FCE39D60DD2D8B1F6BC87799C4B7EBBB7D407C5621E56CB2E8D" "3952E07D5560544F810B2BBC56054DCFA0731A9B67067CD1C8C" "4951FB2AD6466098DA17C9547BC5831646AC73BBD06E596AEDC" "C57804B01EB817EDAF9D46E3728F003D286B95664317361EF0B" "5ADC00DCB1F6368295656DF2A41C950367BDD25BA8DB2B6B7AE" "EB1161FD089D02E35BB9188E7A91415DBA172F906264905BE8E" "E1E9DA5AF53B3ACFFB44437157DC275D26323402C07C77070D4" "79CC89AFBA181029FB97F9F0C9DF1B4BE0F0B000A218E380CB8" "4A40ABDD79E267578EE379C3B674A25A30E902400B0BFA6A69C" "B7AB96661781E7CF05A6F225F301065B59C033C5D873A5BE330" "7B6E59708599595FAB5D2A91C601FC75E97DAF27B9453BFE950" "29ED5B7F2B95C35377E5153DE2FE9AFC847A82888E9469E8DDC" "F4E7")); test_xof (&nettle_shake256, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("2DBE1B6F378F1C56AACB5F9A71A12EB3516942F2D45CD4628E2" "D6DBAAA4CA282D640806C927C93B3DC6D1C96D528FC2FBDC91D" "7773BDBC26B2E5429063889F0842640D4EB0A69F2C705A11FD4" "0484F16A0248077897C8039C575C1A1C7BCCA09952EBB491457" "6C9A9D35B2043C7A5ADE1EC97B6D46CD647815941164BCD8D11" "7E5C4892B6A5A5155B066BCA61A9293E705EDD00DED6402F12D" "0DAFCCF608391F24657283102C30E71777B7B9F39F069B90B44" "A6E84D87660D1BCF9587A25EB59F814CFFA8CBCE7D7EAC35B27" "E8707F65F5B78FB16BE7C17812857B8CB6A447BAFC1CDF793F8" "3B6D29824B3C355ECD204631EF1E176B53A6B82FDAF3D224851" "FC7BC0F6B83A6D05D0432FB34567A48BE56368272D2012C0F29" "6324BA45B7438F13759A4A1AF293C244C5B326D6C68D28A5A3F" "CEF1AE25CEEC38D866D747D62CB9B5F8CB38B047151192FF44F" "FE1B35B5D08E95344E09BD7194CAC4D66722C9E365F3C0B7B48" "FE0A2293E478B4E6C8E6B7C93F41637BB0FD15FDC24E6443595" "FAAC6C342E8DEF79F01DFD96E624A8954B0AE93591375B8FA6D" "7EDA21578A51AE0EB69D97DE7AFC1F4FA797FA6D11D5C2663A8" "B09665463770000249DB5A23233BF83D36C7A15D3E8673F52DC" "C06270B246086E5AD0648236C68EFBF04A311A9A090C72A6A79" "116EBBA4BACFE7F46B5630F27C99F257A3C563B864933B8FC36" "72A3")); test_xof (&nettle_shake256, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("59425FE5B259EAD7E04232543C65EB5ABD0C4DB6F9E03C18492" "8E877805B9E7EC156D8C1BD0EE27E4FA931832B41781DAD3C7D" "23BEA681C74251B1EC51A90077356D3C5CA2A2779BDE6F45BE6" "ADC20FE6DD0BC489B3D6E43DEC4FF6E33A24C62421A20B8740B" "A1E13BD6447E2D6CCEDACB692A4468C898F815DF88B8A3E0240" "BCD64D2277D8456642CB129F8627EBA5380A9329932977021DF" "D641498B40F8D75DB5A4F9F62ED2EFE831EBA92EA600BC95152" "B3E2FDA2873F54800C15C2256768099BA5ACAD759734533E8F4" "B5C729B42FCACCFEA0D6C7B5DEAD8A5A1D0D115836D63476EB3" "C90325F3FFC48C964F69B2957E121D9501405ECF5CDF5C78270" "19BF4A92417B1E44C444D8B714EE85154BAD6462317515CF1B6" "80AADCCAD3F3B69D70875020FA770A0F7A969E4B1672DCA70CC" "DB8D7122A7E8AE77CA7E0819D6CEE706D71F0732DD1AEF5106C" "65AD8C66FD350C13F2D02237D2B4B9AC3DDA52E3771FE5473C4" "7C77BF84DD90EF38104D8571AE25F6B7AE6B292708F0B967A99" "8A6D8F66429C1C81CE5C03843877AE4C56F14FE4F5A24C8F930" "72CE79E3A3BE409D902881B73D9BDD3AA0C8EDA88F0511E98EB" "93B271FF5F244B956B1DA8C7A8F377F39C803355F1D70D55775" "C7FBA96CC98C02999A47EEFD94E52811FAF30C099078C7C1C50" "772057FE65E954FBF28CC414CBD5C2EB12AE86A0912D3812A04" "ADFD")); test_xof (&nettle_shake256, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("48612B3A4374024BF509409FBC6B12E049F2F5065A0CC31C49E" "EDD57FFD19F1C1AF6263ADE73B4C29AA77E5C05BC0AAD40C904" "106A19A8FD55DB489AC77904569ACD0D62F18BAC28A287299EF" "6CACD0B342760ABAE5A35A2E67F85E854DF55C5BFE831408C14" "EA2B0A3C0FFDF29D8B9FEA747EDB856DF6591B3CC76D3F4BC77" "70E38FCF603F4455C9B5019B7D8A2C939340BEC5247E597CFCE" "386A458BDD4BA5007D03BC82BF310B4A8CD328A62E2FA1E8FAE" "543736C10633B3C70B21B98C769ADF07567C3F6D89A006BE4B2" "AD21643BEC00DE1EC9F7CA7CA733ECDBCE3C58B45119E5F593D" "CDC5C95BD07082CF5D9B9A1AA11530E302E1FC8D6D2FC3B0FA8" "34AE3B2E98B428853C8A1B9266AEB7B8436543BFFAF69467D7E" "ECE47F2DBC790FCF2EFE2791213482B641388D58B5045774308" "78EF15485E437A4A1F2FEBCD994C088283D92C90975C976331D" "051EA2C2EA887A20DF5C90E4FC77A9370306152FD2CA6C6410F" "BD529BF9CA22B4C8FFD4444EEF136EF0B61276E42B0D0424F26" "82F291C7A704ACA96B355AEDA4D382C16B3AD879BC6B6881972" "94203661F21E3E881BBF4265C6B71431B5DC29F614E090D723B" "A086B23051B00B7E81AE8D2315C41A90E1205CE8A1C5A744F82" "B7582A099D61FC5FA6B2E9A28920E503B32A84F4831201DAF2B" "AEA8CB98E034F7AB63655E670952EEA74E3DDBED01EA9DCA953" "3184")); test_xof (&nettle_shake256, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("775025E1E1E0A1C865E2B57B7B43ED67FF002DF27DE0A62AC17" "76F894E1DBDB2921029AFE631201298CD5D51B9A2A6E49717E6" "8A180EB27B9954A807667E4D24024DC3A60A60A819EDF287026" "0AEA535698F9B5D83B820013547E570847EF9F4563931138791" "B44AD298217000F039A9933FF02B99AB66A571D2D5E16507DCA" "9EEF54B1910E26EF361887512D646CBAD74F99DEB082F7AD971" "E2E9EE37AF77B80B2A763DE07D91229E8B5A0E9BF220B0C15DC" "939253BDF45CAF4A8172AFDA5D096B47793461654341D08599B" "FAEE496369D5D6E37562F9AAC399A413FF892F9DC07E624DDBA" "B1C72FA0F2D1AA98EC442BB1BBF7609074E61ED16D25367869A" "5F54E33B52DEE5020B9ACE4DFE5115ED049A6CE62227661BDDE" "DDBF77AC1D45114CB734D9CABC634908FF540C2AC162CBAAB65" "5CB35138CBDF81CF5318E92516EC9C4CF05E14547CADD180937" "55458621C0903FE6ABC29AD174187F0D5D6B314CAE5A4F95860" "12D396BBC69D81A66927352A9F4B926E1CAE962A73401587FFB" "C6D9FAFA35ECC1B678D0D050F790BD8CF4B6EA3C3B663CD77FC" "6004C257328256F26205EA41EF7A423CC757E81BD7BC408988D" "AB45E8D632B669DCAD4585DCF6348C8C5D2DC651A4AC1806F3A" "55DBE5FAE59D50E2B9F25F89200DD88BAAC59C14EA0798194B9" "0641642B425317BDE993AD1467200432B1EBF23440D0F789EA5" "A83D")); test_xof (&nettle_shake256, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("36DA0700FD13A62A128D5C87F69863A9EE8DFC65E5E1F97C495" "A675ED8253CADE4F79D45D9E34C8FCD3D5AF760344FA76B271A" "916A539D467F9FEA26DF0CB98DCA0409602910D7F298D6E9360" "0EAE6447CD2EDE4A76526014FB58ABD4A48ABB38DA5ACCA349F" "140CBB391A6705E4E153C87A80C93E912C912B9C97CB89B101E" "6BCD0B739CF89D18B522A1FFB858B837C643240DCC8F8553508" "596EDBA0282847EA724B5D25CE6704CD3DF3EF40E5410D0C674" "6F97F390DCD77F69E6C41CB009FFCC9EF3C6F9B2DAA646DD07F" "CE398A9603BC223AA22AF0676931D4FDD5D2C06C6F2F4D31D48" "54F72E44EA149ED172BF152CDD08D33AF58878B8E268CE44E82" "46360AD41076FC4E9BD9F460CF5AD24EA05F4E32EE2AF4B1F56" "B8813599F23DDDA7FBD9195A40C5683988D1A84FBFC951D3613" "AB6FF84D372AA4A0EB2B68FFF9B37AD1ABF88725A5479E77E55" "F320BD8BF69A2E174F715B10D8FF4E8CA72F2E29AB501F9A74C" "D4DDFFA99522D1C48C619B1669ACF555F5E5221D34C7B36C56C" "53C3EA3AC302C197D74735A1FB295A39AE38D87F451F86C327B" "67C16A1D1BE50C453F3CA5C9BBC5F78D7C46F5FBE1B44C36615" "9AF8797FBD29C6B025894B66266332078860D083A58873B8EDD" "E27300B4177F4B1A70EF2557610F19B2FD8DF4692FA548A018A" "014F55B90D77ED357987A033ED8E83E07A5D5D3648612854EB1" "0430")); test_xof (&nettle_shake256, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("4D2453D01B5B3FBF0FBC4E6F7D2F28914EFDE730877568F3DA9" "CA256C3252560DC9F9AC94AC203AB2A3829A3202E6F4D385D21" "5B843D64B52B3CC28B11E3876248B4CC692D4F7DDD46C36FB72" "92794875D8353D945438BFF037737E3E9133FB6559CF65E7129" "B98644141A1E5870B22751076F4AF9A14F2B0D198FF4772B91F" "4F5329B5BF9326FE39D5BEA9B6D4CD19BEEE8A6B8FE1CF3EA3E" "256C7E1A6A95C5B9336AC8CD2AF6D35C776B5563563CC59906A" "BF1ACFA707AE71E6E52D6A77CBA9E960BCE2D3C11E7A6AD2378" "74F6316D982207CD5CDEAAB3C5EAE28A3E5364626891555721F" "81068F60301B1DB9CC8D8FE00D9949EF2998273BCEDF012A982" "4B5942831AFD4922908624F4C2D3D218FD440652F59F536F8B3" "3EC88CC3E9DB8A4513EB8880B95F29876C4747A8F83D089879B" "29350DCB6CAB4497A8EB14AFA848432310C213D7439968D4942" "CDA32B5E6DF26D29F42BCD98FE7C67020804380D0D9E4A931EF" "9AA117F872C7C0AFF2E5F11451AF753C383144E60E661D6DB11" "FA78E542FD2C9DF493DA608CDEAD669E0AE4ACD76744CFA6808" "8420FA24A43B6E2C1706A10DB468D8A7B6E18CE68C4EAF1CB1B" "9D794AF9457292C2999DC18337531ADCA5BE1225BE1825B3142" "7EFA14BE2B500C0174333CBD3553E05AD1E4E27858BCA6F2BF2" "A966A8EAA6012F4ECF1F3387F3E3409D3986F2E2BF7DD239832" "C9FB")); test_xof (&nettle_shake256, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("2D46D78B2BD91664CF875974D2CFDB0AE27E00FAEDEC3370C5C" "B83129EBE05EC438A0A02232601C33AD623162B8BB160F5D8F5" "C892BBA4606D1937A1E4F90782205CF7EDEF07C0EDACEDD95F4" "86157A0C64E0303D30029CEF36894100E79693F3E794596CE99" "ADBAF2E3D4B4ADA5D43B9735DE4B24520EA9C8041CACEA8AC65" "9699DF823C7BE9AE82D52BCB294A43A751A71F6E0B939BF9F08" "31443026A292058B62817FC9EB139DD0637B7EFA73344858078" "AED6FE93A6F22E1E14B92E87CC3CB5C4FD7170413C4949E5D06" "DDD44FE90AC4EBEAE413A7BAAB1FD2B99BAFF442E155E94EB49" "D75EFDDD9C0BBB6C1EC6AC6496145C755788DFEB766CA0256DF" "9C658B7BC660808F875E9E38B3E297543D2C9032B454161F9CE" "E80B0A7F9F49039728D2F12142EA22C4708307B6593CFD0EF5F" "38A1E29FE43058A735BA02D4EDC010C02F4B625AAF832030949" "E81264B213AA8A16BFB10D35C5A369B86CBBF4EEE8DF699B302" "B052315AB495B9B287E9883B05C6273B4C32FCA1D186D2DF481" "F54355DA3AF3E7EAB49C1406857CB9F590E7B1B8EA5B7A0C5DB" "B7FD778A4FB570BE2CB735F21CA599AF8903596E80F8379B517" "D6A0F7F7D5125A7D4375BD90175EFCF5316F13C8B09219BC840" "52B7FD2BC1D55656FDB9CF1918997717C6E2AA0FDB46530C271" "14263E017FE5D91153FDDA221DD63F14C25E3439E05F5DDDB3A" "C966")); test_xof (&nettle_shake256, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("B3DC434BAD278ECE68C6DFBAC1416BF47FB37645AC6E6B7E4DF" "D79E4605EE32B9795ED18683FCB56F910E223704FF1200F015E" "AFB2EE06181E9EAB1BA17BC5D84BC22A2D5C134991C906A71D8" "B20F6ECD6BBC27FE715EDABDCF1C4E1A374B15AB4D76EA6AC58" "0904BC66010CD8352CAF365DA80094F461070CFFA34A86DF705" "B87CC277D80196C86C602326E8E3AACE1BE7F0136C0988FAA11" "A2FF91AE941799EC4DE96E9F167E4088C822BBACC46DFA327DF" "7210C9B31A9F7306AE753152A86F9E0ECB03FDEB7415C9ADBA6" "D61FCA7F4D3C776EE6FBE6901860292FCC6CB89FB45A68F6165" "E36885DD40671EE372283591BC90C2B4A542282B13BEE71EBBA" "4E12797DF59FE47649A27AF116DA9F41E0F0B6B962F7260DFA2" "F569A97BF47405A4EC4A6463680E3903CC7C3CA2F39E9366FCE" "CA8031DA89E447B37F3B80769FDC0449291FAF1BB8F9CECED3C" "175062DAE783F51637581E913104C7042BC328E1F2571CAA557" "2E75EE3F5A0F559B50191F3ECBC1FFC039BD3DBA90F7007AADE" "D690FF35D8D84FD0A9D427B2171072F1ED51A8EA9AA8A066FEF" "6B88915265D80CA283EAB1056B6BCA093D60BFE288E3B9029E5" "AA395C9F3E3913D4B22BADA270A282FF83C963E97F1F7543AA9" "2B5F419973671EE03A79D1392C40EE57265FDAF75977C9F0E98" "C2CEDDD7F7C52B4122A4E517280C9547DF99FFB30692ED39929" "FA16")); test_xof (&nettle_shake256, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("BF7A4FFF6C7B53893BFBA9505594DFFF317A09278C3A59221B8" "DFBDBAFD08EE237FCC272ECB1C7672B41B8DEC7D54B988B4CCA" "65CF297E1D54DA65A176350AC489947359E11E34AB3E4D6744E" "AD1775DF90BD5BE0712BD54EF46DC279587527976461D6B8F9D" "0C0FE14B10372550ECF74B3CB30C463F25090ABF7DB84D32F51" "E8AEE7298C49607E4D3DD79B9348E33F2E58A7D0D76394C0B1C" "79642CF2C3077CA0764F291FF48A8CD723C953276A829CC1E7B" "798BECA33E8B0FC0BD44224CAB89BA334E52D6943A1ECAC72CA" "3BC825BD61DC4CAEE1A12E053EF31115456DA434747AA8D6DEF" "E56E35FE67D5E761881D681AD8EFD3AD5C69430FF75794FAEA5" "553FD91A4ECF7730EE8205AAAA0DB99AEDE2C52591696514AED" "17F7B8942026AE16D67588A943E5D13BF47F15F1A458F06ED83" "A48641941DAB491594DD02C681950B84718CAEF0E6187F23C89" "FE46A40D5C22AE297A05E8B613B264D204334BE5922A6DEDFF5" "B978767233AC58925C672F4F4B0B77326A5B283CB1DF217BDDF" "DFBF12E4FEBA42E23C18675E0FBF0269E2D53A024B4286FA906" "85C2D8E67E3A60BE0D7072C3AD8BE9F4A389FBBAFE191CF06EF" "F95605A89C3C668BAAB7657A90F23B6B791421D214767736CB6" "17BF1481CE103768E5A8A3384978EAA8F56A6F2E729D6307973" "ED19B270247867E5861172467821A22872E52657BA2FFDDF605" "2025")); test_xof (&nettle_shake256, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("2EA40CA6662A79D253A43DB2845535098F8F4D791E45EF610B4" "7F90D0F28309EC047BF1C565F799253E32A3C538EC6AD842406" "D9BF127CC56AEBC442B4B8FBB5DA5C759E1BE0C201246B96032" "4A087B3A3093EF07CDF45D915C2A4B0FF70D64C1611C17C629B" "E9852CC408AFE212FC303C196F422A085A72684C10460E294FB" "60CE9F2D5E2A599E4F1E3FAB86740F61EE2DCDAF7E1C8D8BC29" "8F40B993CBD0A8EDBBE0EB8715B6A58D2CECD21FC637B02E05B" "AD75E3B8EF0C2BDB157288F763F0B190468016C186A94503257" "2E71952325D30D2DCDE2A915169C51D0C448644D785AC658B0F" "0132B3CC96884C41DDEAD9B57425FDC013D067697C0FDE6A2DD" "31AFE31CCCF9D85B46325D6CEDD80B70EC717278D70C4344757" "088906A577C2EB030F8AD2B18A1A196DE26648915560D228F70" "2956B27046ED63EA6BB863F797CDE111A02B19A6F49BDC7EAB2" "0E040938B9977D534BDD01D19B15781235C249A24EC832770A7" "6520F5C0E5F5ACC6E6DF757FDE79DE7AD8C43028515B82614D0" "DA808400C574E5A982D0CF9461BD25EB6521064152DC7BF3295" "595B7A16410012FB01AEF4ED6ECF22C209FCE011888E29B8C3F" "84CB29F42AE0EC1C4C6D4C02619F90BAAAF7219BE0F2129723E" "AD133ECA7E0D50478DE346F90089BAED5D1D04563F64E3A3D5E" "228988D71DA3DF85D906C9AFC972CA6314482BA62C557CE7CE8" "986E")); test_xof (&nettle_shake256, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("489A2DA0386AD9F87188CEF4BC2B22186F74B1561D79D8ADE98" "EC2190003B99795DAFEFE1851276ECF233EC9ACC0142DBAA3FF" "1D94692430F67C2B1D809A88A683B73E00BBD678D3728EA98DC" "1A751FD5839B8EFAD1F4CB45009411B8F9B9442AC797B55E182" "7B0B6FD2A4B1E9F078FD43D9553399B9A52E7567CDCE4A27647" "820D8483F16360104A7AC8F3594CD786F51A9ED172443BCAC49" "E1F4B32E4E915A3CBD7AC18FE691E4B9BF35F31D1E8FA401EA3" "7458EBBB1CB6C4E99C6B031C6C6981D95422EC1A9AF5E74C021" "8F403AB62D54E28AA116FF96CE0D6E8076420846DCCF95C9AAC" "FAB3A4864F93B5D3869A7DADA5BBF8197411966166B2F4F52E3" "150FE802C96C47AFD6A9F64F7554FE3D52B79BDACD6C95401C9" "A78F11594347E77F727ACD5E0131CF898C4F36DBB067EE05E43" "8B6FAA70D8B7720EB94728440147B159577CB5CFCCFE9A9EC32" "1081D429FF88C4ABE02C7BEA2B10B61E521889E5CCC29470DC1" "6132489FB43092B6C9EFC9517CCDC0B0824A95501D74B445606" "62141114F0EB6C7A0B469CCABD358546CF1DF37DEA67E3946AC" "D70A504A787ACF86B07298938882D0B67EE67D69A8CABD0B835" "152633BCA5A76C2E6DB958FDA265756669D1105A67889F83C01" "918398BD296ED801A0B5F0FC8AEFDD5205793ADB85A8D6EA15C" "FBB6A82153EE69C10C2C92CB38C90CE0E73E32489522994096F" "08D4")); test_xof (&nettle_shake256, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("578B2D3B14B19C349DCE30CAD612BC2FD7CE8D6F034FBF4D328" "E7A570EADEF3F9624B65251F992132D25E5363BD653122D5257" "002F806DCE93D0B15919FF9EF2C303C748D9782588C90E3B236" "D51B69B1EAA1301A703B8B6EAFB6C200745D5B08A07A69B6204" "BE3DB36CF6127E5F8399E5901318F9F0C18CEF9201CBD31324D" "87CE630A64518AA7042AB3E2C64F39231AC3DE7BBE859CD3A4D" "90109B2955FBE75A38F45C4B841C7E1E32F22EB69DB97F6AA4D" "45D12EC5180AFF7863C17FE1CB7DFF337DA46F7F5B0DBEF813B" "40DD67F985C978B9ECCC5685E059F55E503B5BE924769A11FE1" "873EA406AC79242FFD6D45334D7C51FD4D1D5EAA28E1388E3BC" "EB4D67320D9723D060EFF815766587FC11C13675DCC53F30EA1" "660DC8C20332A3FF05E2E70AC821E0CD250132A59DCC4F40ABB" "C8783690FAB8BD7693BF106E8F8C7A6D59495FB7301390819C8" "7C86BD94442185DE8B4CC784A690D742A439F73AE7E8252A3D5" "C0E4C0410FE919CD7A53F85F522C138A3D654D9B947963BCF29" "3BEC3D253DBAB8FD39A48A340F8AFD75C97519BFF4506550BE8" "F1C1C7C345C89EDAA8A56F128AF2DA8E86A19A6494BC33DAD41" "2E6DDDE813E3338D16C4C34D40C2E6E1CA61FAECB934D4ED0BB" "0A19D3AB88EA32F7E277BF8521AA733D7240394733A3A1FD762" "3463857E1633F0FACE8BB83437DCC308E4F6791D8790A54FF8E" "06F8")); test_xof (&nettle_shake256, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("ABED83F7273F3C7A73A700565F16AECBB0E03D278594A29FAC8" "3B38689AE49A72411CB6FCA5D636EBA8C560CC038B47DA87442" "9BE7C50A9215B5098F94110EF4E38F88D8DB1C483D3EA4728F4" "3B25D94E0C89BB50C66CFA25A62FBF536EBE3D8E7E71529EC53" "33A2823DE42C50F02414C99CFC61B1E7B4C767828748216BF6B" "14658C114C52B7A53C52A3F8BB35048343B19C5B19FA11FCF5D" "78769F1712E6F8FB5B31C017D3E23091B1E8184752ED0669AB3" "8E890D3D7880A71B0B22149038E81AF04C4CC7CCBA848702790" "8CF2F50EF3D6563141DBB9B898D06B7253B4057E9A69D026A27" "F5DF48BBF2FEE2B603240D44B9453FF485B2212828061CEB54C" "DDC17C8DE430D2E86045C790B23C84499C6BB04151BEA457C8A" "18DCF0094F969365AE1F25032AE0524C2A09B69F71BD3EF46E8" "871AAD3B58C92BC4B694BD5D47A8A80CA8DAEBA6584E5D5B4D6" "B5671C823E6F78D8B67A6745236BF675E28A17C2F8CACB4B5D1" "67991D27813C5500951A5E78086EB87C18D0E26863260F69199" "89F5EB180EA48DE6A3750B9E2C1F780230E0070E216D373D3E0" "ED3DAA0F668A8810DA759CFF1494E3BD17B369EA71DE73CF0E7" "EB3912515E454544BE78178DB41F9FBC4BE73D1EAC8C015496B" "08839344D963F070E5AEFDBF29BD056B77C2B98826AE397ECE0" "701DCA8AA45245F26D718D9F46C90F34AD8EF70972ACC600BF5" "EEA9")); test_xof (&nettle_shake256, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("A9D48CDDE90093FF80DC7846BAECF4C7D6F876703AA4404BE05" "0345BF7D2F9FF3F93CE132E38EBEA01AB691BAC9F8943CB33AA" "E7887E9783E0A11EBA2D139A615DF8A62EE4AB9E57BCE1F7FA1" "9C3B3F6AA88B547F0BD5AC0E2237B514145173AE8DEEB6F606C" "AF1545C9F442D84D36080BA514759E3C0D1D3688A3D8B7C28DD" "8404AA5E09AAC0AF3C14792D78434762169CAA935E2AED3264A" "1C0A005C359B3B58BB5F9B9A6E5ECE5186F9DC26C952A298B76" "C49138D20798BFCB843D06CF20AA1D540111BCD50C6D39DFC23" "EF7A8AA8E93526690C8608623A109B1554C840F15E670DC4C33" "E3BD81784287C3FE98FFCDE6AEF5DA5C0038E31D111C333F48A" "D6634ECB47C45213F23AC0C5787CB9665D3B31EC2A0FF9C597A" "4372DF2CE34D443A86B8091729049C4EE58E4ED17EC95033607" "39C966B1B3A005237C668A6258E67CF9B5B3611A91AB5779D62" "82ADCB74958B7D45C06819E78E904B4C557BEC431704FFC563F" "40321E64A7CC456211B5C981C6C987469FCE101A81076DDABE2" "2408E949E86457658E07F61F5BE6BFC68B968FFFE044BFD278B" "D91180A05A40FE65F26D907D205411B880D3EB4945652FC0C11" "2525E06C4795C01F4B67BE8868594E617BDA761465D7BEEBB2C" "564AB66FBF976D38521F83B8DF85A203197F0B6AEA473D3CF39" "46E4DC87739A418101AEF50D1A4355B1E8E5E1D638191DD815A" "5445")); test_xof (&nettle_shake256, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("41CD43AF243BE7F0580A9B406AA597E72958D24E45F52A2E1A5" "9BC535C207EFCBC9D8B65A567CA05DA450458C2FFD58CA8CA3B" "01617AB6DF19A4C384294AA174D728CB93D6D82BC135EC92F13" "870DCD556DB4421C1C6563803EEE5EBDBCF14B3AD79EDB4E062" "970BAFB3E801D5DE4ACAF052A6E07B0235B0CFA4CDDE1E54C3A" "0CEC7E8401A4D38E12193E7CBD66213B7C7B0B8046220FFAFE8" "68E31CE93FE8BB7EAD861D96CC5A3EDD4820BC2C62DD8A4D449" "FE9B938F1A55262E7CC25BDE92315E329D8F612DF71649EE0AA" "A3983FB4984B6E1127188EA9F3D40590D854F5BE570543ADDD8" "E330BBA204919D7911E56702EFBA881793087ECF5CEA975A88D" "B706FB08AA8A10BA5F72D2302DB1A01BF15FCC3B05C96937005" "0CAC51F54990D57D9A37790B5E26D08B56DE0AAFA61EB238687" "D4396B2899FF6D250F92B1DD2ACBEDBCC1C0A194BA00DA478D0" "BB659D901009FF593F6A4F66092F67238909056E1A0EE1C8D51" "CD39BA3794CA92786AAB18D03C13CFC41F08373D1275D75FC58" "A9314133E62C14E05467EC5829967856817E7AF85DC0A83AF3E" "87097210E71D7325748022E25194512E54B9B18697C3B70B96C" "A8D572861D25178CBA90E503B84930BF714AAFCE91CECC995B2" "623C63F15A1F0F50849F57F5037BEEC1056D4163D728C59BDE6" "F526F331DF17B5A34177D7B05103735461CD325EEC332FE02A8" "5B15")); test_xof (&nettle_shake256, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("A0B529DD351C0F7C539BFAC5A3302F5E88906A29E665DAF3057" "1447C3DCE7BCDEA802E364B65B3037903C5EDBDA2412E084CBC" "D4F51A4024CA6E154DA70C4781DCFC7836F06E5E4606D16D2E1" "BED0D60FB36B84F582EAFB152191CF804D121F0F69324156B73" "3DBC79E1355B9B4D1726E393C22C82BF1EE85372CF04A594018" "C63A02EDFBB2892221875F20DC73330EDCEE0E62CB57D2BA43F" "A1E8AF7ADF157A79861FB48ED49C97104C6D89D290061229D51" "BDFABA62CB77C498A8D71F627372244452549D4F7469ACE1E29" "EC39E60E8563D3FFBACA5804D6660C7C1559879FF1804CF864A" "E8D1C8EF258B41B21B48400ADF439A76C0BDD62FBBC2607D85F" "4295AA0875601FCC1C3BE531B526ED081188DA38B0E40F7FF4D" "7A41C4CBDBF8DB3F46C00D2DA9D7F8FA3459F60C7419AC6F691" "473136ECED7C342D3EB5A39F611EEDBB0DDB3EB12AD67F1BE69" "6795B951A7308DF5FDB83BE7BF1B650C1C9222C22677A4B37EF" "E0CCE03D7237699FCA345A31238067F83547C5442946FAB4E12" "9BDDD409F8A0176CE87A341BBC353CF8A3EB72E5C7AA696B12B" "16E12C13FCD597D864771C43777E8433899F157A0DD21117839" "D2BA21E85FF2E09FA0ED73C9AF26173B9C3B8AC5B1FC4BF7C87" "F06B5AF7626CA15EEF79D529454ACD23A7643F91811365146FB" "18CD0DDC3D46C72C7D1E97E4414225A76B55A19B226D5A77FB1" "B5D4")); test_xof (&nettle_shake256, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("5EB982A2754FE46D19D8CBF86B4D594D14B421C8AB3AE447624" "47E9F789271F5A1175CA9B6C604FE8046A9A8C11A9FF9354BDC" "91BDF051AB6FA1F6A44D0E42977897F5342958ADBCC1E612A49" "B46EE66420E34F2233E8AD857359EA92E3FBE3F84191127833D" "6BDFF88019BA5B6982F446326877B3D3662767C6E91B0A6F9D2" "888BEA239B25F1B6A248A6CDAC1775976958FA9624EDFA7DE30" "50CB73602D24D13763C2D67A016308BF4C53D9C7B4A95AB5425" "49944B74A2EB30F688B1FC9138B57FB76AB320AC7BD48727CF4" "CE4BD34FC3B0C2EC0E95BDDD0EF0F5F70FD34C6C89098297861" "3D2132FCCF37541042415FDDE4AF368A207D59251F50E14D7A5" "310BBBD378781DF611B425495FC69A2A6644FC6B29ACCFA9918" "EBE05436EE9E191946AF9CBF15011BB53CCED508C4CEC0BC4E1" "56D0884347AA46A902F216ED6577E56129B441EFE731CF6C0EE" "AF378F5A29586F5A62D10BAB2778F106FC6C3EFBF2452C75045" "D578C38222E14247DB42FA60FA6D909E0AEC09EDFFF90CC41B3" "2A9725714E41FFA9F350FF3C1008511534337DECE84A0F3D5DF" "085993BD3D5C755B95E6ED4B36FCEE70B68AF427C3C80386983" "920307878C1A01C5D782AF85C89C8BCBB0EDB2274BF7172DBF1" "6AE9BA1CDD7A97D6B2BC2D06F20BD0431618115097621A36C41" "C9788DC68B95955EA5E097177D66B0897C7BFDAED8487A79E14" "DCDA")); test_xof (&nettle_shake256, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("78C7D0D0FDB5FFBCFE55AC06F0E6E58C805FBF76FC2D13911B6" "B63888088CBED5F7E2071F7BBC12063DE085394A691DEE09DD1" "DAE2EEE0DD9491C23B0949C870102EAEE2F39E20A62D9AE95B0" "426C0FA05545C0F128FB53E0B8BE090C1C82F0B66DF4D7CD0F6" "3C9A85E17844988523296849AF7105F845E0F26200A26091212" "8FE7F2265C9E41D7FE587BECD50B8B729EC445C7CE9135C9591" "4C6C9686F43A56CF652A6DD275CA6A883651F78E8FCB8168E8D" "D8FD780735F087203EE1A30B5A13D5F6B7CEA34CCCA3BD336B2" "08DAC5878E85BF147B0B4E70D87F73DE0487BCAFB6ED9C3002E" "2DF56F215B78C7020A1BC9F433161BA7FC94B4CE3679EE955D8" "0363420768C9C7E3C6696E94ECCB0A748FC1F1F402EBEC06807" "8862F1E2DFC8CD6FC23FE1051E51DFE3D65B3779CDE8824BFBA" "8AB63FEF474D648FE4A8F9C083EE0E6CF8FF6768D1F54F31370" "5F4A3D7568192D91E9F0408E8EBB101CBE97AD9FF76A1F347FF" "152F45D9B20AEB7DE7CC2047E47635032953FC5CC5CE45D66AC" "D2E11C77FAD0DA8DCF15FF123365DC9F35DE92838173EBCBDA9" "DA15FA35D10B64E7BB71539708D8806145A1892FBD4176B2E99" "31514BEC17FDA5CDD82C8EF9F6EB4E2900D039115D5B1E940E8" "796FA8FD74127FA53990639F130732EB48CF50620A9DDCFB01F" "D69490A8B5105CFC7A3EA274006F51221C2356212581FB16963" "E7EA")); test_xof (&nettle_shake256, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("832BEFAECA90FEF41577649B6348182753EBEE32EA688306DBE" "EF8665D6FFC6C5A26EC69EC8C90A0FEA854893C0C4885A2DCA4" "AE77243F735048FF31B80D1A4C84F055DEB1C11F76BF45DAD95" "16899555AAFEA86A129C4EED1D4CFC7604045D22120C8E06F67" "793644533202A69B683B2ECB19AED3DB158397C922DC3A90B64" "A8825541BA5DD9AFD7F82DBC603F156B9F619A83C7132A0D8AD" "71205C83AA4A52B6223507493E0F9FAB9530762A190C9FC5968" "0C961B08CF36DEB67A9A472FF93698FDB84DCF3CFF84C6E9D48" "804ABEB6AA47AD62DC9463C131BFFDB127F9F63F8FF88D9EADE" "CC6B0E00C657CE54E7BF800B9A35173DFC6669BB54A069D9EE6" "2BAFE9B3C791DD51A21994CEE03FA37FAA5D56518A6B65572C1" "B3A17EF52F642C7B2CEE065282FE742E5F9C9BA5003BF1676AB" "07439CCCFFF7D7B76DF84E3D99FAA269F0475CB5EA7DB25D3BE" "BEE36B96634B58596AC788C5F31B8DABA35211D4708EB1F778C" "A38ADB4C15A831D8769AA16110DDFC406B05BCF25B456113196" "03C17A40A24CB2C38079E5684B473DBDFB98877FFE06298C333" "37326CC2AD1BAEEF678BDBFFD89BB1E35827CE296E20B0084EE" "AA0AB1FC647EFCC0231DF9B9B5ADED6DAB34C75E6CBE206DEE3" "E794AA42500FBD837B6F6AA015BB4C923F8F1F769B049888933" "773CD24B688B0F787A2B74AD15275AD6C4C336CDFB1BD929ACE" "58CE")); test_xof (&nettle_shake256, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("0CB8AB1E6149F41D29171DBB444B0F3C07FEFDE56D9CBD1150F" "C43E29009E0F5EDC50F89EA7CC0EA6C9E23236C6AAC72BB3321" "A51AFCB32F9AB5D1051ED244E2A8D417431863649699077079E" "1687B36F75C995D6A78B87A9E949A56A2CFBCC15CEFCAA6C2CB" "51F054072A05C12FBA86B10D303B3EFEAC18F8515BFCDDB1172" "D56B8C92C1AFD4AD5DE2476CF073B7FB4B7DDB8FB2C4BA8AB0C" "53474857F1FF47CD3B1060612F7C564988D2881189248CD13D5" "EA347F10E1F21E299294651342EBDBA1657862306844E274D7B" "2DC9DC6D92F395AF2F5BD01B13FC7C7AFF630E854DB63EC517F" "D3251D12C10B5F6C17DCB8990FB39CF1AD3B65F2F019B24591B" "813D56D661A904405DD814AAE4334A8EEF7CFA455C994C3E31B" "9507FC0E2DE00A1A0AF4DBCCBCDBF393391C5AEC9E3B4D3C8E5" "F879D8E75F63078E686A1BDD5E6358C5807A669F89F90D4EBB3" "1B7396C0152D5DBF665D28BC59327BBFEB466F1E7570462ED89" "8A31E386DE5538DB505FBD1B9020C984A49BC39968A69D5B3E2" "B9A9B61D6776D5349D4334C3042C0317A2A34234E8CB64B89D2" "9E3A8B6E8799822F57C3C6C739B3C263CB4B283EF0F859305C8" "4D11A9DD0DEE36CC8976E6EA1BCD04451B0E0EFE343634DFEC7" "868AD52EBC551D5CFC0277B15B854614FAD548337F20467D175" "EF3DBB135FC37367B916CA35E714B998C3553D5F494903A8B9A" "4B7E")); test_xof (&nettle_shake256, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("9FA49C101D9901053C789B01A505853C8370FDD00F7FEC13ABF" "FC91C7B06E1211DC293FC0D52911CC12AA9CED634B398284F38" "70E82B7F5AF9C3298D53BCFC3A3DE488985CD1047318C2319B9" "E2AC85752B3B0BA2C151FCD08C99E1176CA599557D3A63F4F1E" "BF2FA31CCF9AFB729713387A7CEFFB6F61FF8162B1CD943D915" "4ECB362E6ECC6E2669F746B1422904A3DCD93313E4031238B6E" "B117166B374FA8AE8440A358C1EA7B11B88FDDBDE5737083664" "4B72C0219747A0FE793A1D77F42E66D2D695BC1D9567CF1A1B7" "43C33EE309CB4956BFC426B06FE20FFCE98A72FCDAD31EC5DED" "9EA45D494C89AE577BCB79967CB532B97CCC1708EB2AE8E830C" "AC0953C34ED28BE988E89992C9F0C8FC58FD5E7346DB2F24BBB" "57606302B0520D7AAE54F3492DF6040916AF04B30F7F2480B22" "B93AC47FC5DE2CCDEB27A47C25045695AE9F3E54FB27052CB58" "141918105E0621156FF4BAD6A35DF5BCAA0FBA8D67A18130F11" "7A09FF90B8760A7027614BE569FB67659BF0DCD1F3B7D13222A" "338F9E5736D5DAD6032189E149D22D56861B72A561A9DA575D7" "20F56C365C5C8BD0455C18B7B73DFA4652C1D570A338A5B1D2A" "2D00A4387613D11BAA57160A513F4B64D91739E032ED72BB2DC" "FAFE6BA6136FB381857071250CF63051059F9BA3719305D33EF" "9DC8D33FD6D427402EE348324C78920278D6E5B2678C1C4FD40" "8760")); test_xof (&nettle_shake256, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("7818EC8E1A13963C319BD2199294E1459323556D3E1CA05EA11" "081FD706655C1CAD1A9270495E550DD34A71D6D6B2554C2CCE9" "776B30BF0CB151ED0A87CD09735CEBBB03A188EB8A1D62EC0FB" "614BB8D1D67418F91DF9E7FEF2EA9971CD46A1E6AD52D2433DF" "FE98DD59E0C9F32A4A493ACCE9E6B2D946A56DA432A43E45A79" "14959AF23F1D08F5CC55B3C06669308021C004F0AFB3DF5BC10" "A7F19A7ED2DCA14297281D49952D067B094A4068493E7DF9940" "3063AD007CE8CE76E2A7ED02F7023543E43E9CFECE94601379A" "048A73663A9B06B04704D59FDB6DEBA49799D3E8052C1AB3430" "2A2A2392B53A5FB9547628ED4F8F157DB8D795CDEA73F992122" "97512A04269B0D5F418E2795BFE76E939F8BC9F2137141DA25C" "F095F2B754F6D0CFD84B3901A903445B7A71612539F4F736DFC" "1D4DA1B9A8CFA87F15E34D4A813808CCFE2C9A9A710A1B97521" "66996EDE550E14B55DAD529C8A99BB9FE2688CF2CF294245707" "15C49EAF94C0EA0BFF227ED445435E3626F31CD5E887CF1490A" "9A2B7951AD42EBA5B24B02EE726F95E1E6862DC30636983C88D" "C915361F209DD5603672C9B4D4ADA1703F56955015B9128FF7C" "0547DFEDF772E63AD7EC847B946A66B6E4D3DC8A8EC3B50745F" "F7841318BD115BA649B662C99B973F4E7C26CB1604D407AE95C" "E967406E70396558CA27ABD91FA7190A5D0F4AC89A070F45B85" "8B86")); test_xof (&nettle_shake256, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("5F6539A11001926EF3E0DFFB0142588D4E48ED4A212753128C4" "C944CC6503E5FD4111583D67FBFD4B2ED2D82447E985DD03CB4" "DA9CCD8ECF25069E84B4741A4C5756D6295E55075601098D996" "A375DFC3156D5F56E28FD8F3BD4793601603BC999BF93659D63" "F3B95AD0AF1F5E1749DF5197C95AEB05C683DCF37E9F362DB1D" "D64578E8ED9C1CCF0A3AD93E69B82FAC004ABB2489B0734C4CA" "C5B1A9316CC30F44AC42914AE696698862938DD0DBB3D8FA6A5" "3D1F70D25A175CF810AD901D29DC3BE40E4F19A5308CCB795F4" "4F2EC364946D99F59D2DC1DC21C5DD162B7C8CD5BBE8F4CA8F6" "06A0EF5B4619EA93B278DCDC2E943455F178ED62FA747193215" "D76C8F76077F9209A9311F1F848009483C82A82BE1A9FA17EE6" "9D1DE59AA305DA992F709F2C9A1EFB33DBC8108A7D22AD38934" "D2995A3A5D58DCDB8E435D18099D9B3A5F9CAB18B940F9E1B2D" "B9BC9768B6D29C2098273BE3EB77D07DC6E48868CEED85484A4" "6D94A3807CED72C292FD699ACFB6B1DA030EABFF5456FCDFAAE" "70E851BA49142CA528D91D00CE148758B54F0293E6C53C7540B" "55288322B015B6067DD16C0CB711C63970CC16BAFA980A8C3D8" "DA5FF2236D8DAB951A2FAFE29FC72257AD99409F418E405858F" "BD1A9EAB6930977C034B3D020A86C25586F8524D6577557D732" "68D225CB8E38892D3E7F0095F68A98C1B7355B5E331D69BD487" "FE4F")); test_xof (&nettle_shake256, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("B3120C516E7A7039B7F8D2A886B4774FA9E14B80A7F7B1F33D1" "B4FAAAD74D549E2195E5B6345B19AFCDEBA3ACD5ADE7200500B" "CB9C94D6848357D6FA88CF9125E59D0CBCE876D681A68B6AE4E" "25DD5994D496B7C64F0B9124BEAC30348EA6B80803FF17C0846" "E19F9ACEE413E07E6FF849801C131DAF7A36F2EDE51CF9D21CC" "0ED6300EC5D6B64E6FB9F2A9B909DEB4069738D60D6F9F6CC50" "D749AA7EF264E2BBD6DC680823C45AA8D3A349255823EFBE4CA" "C62C0D38A4388B1FED31EFDC5BD3D6227106FE03B4A40F21F3F" "0411405A4A80E92F3CC045C7967CB7AF2F33879DCF9DA5E7ADF" "813091EB357EC9C0DD097B868FE2D715C124AD0A44E2B6DADF5" "B360FAF6A727448D5D7B76AB2C716543A09E2F75D570103A8E9" "589AE58D01904ACFA0DF54E6FFF01ED725266F7E52B992FB341" "44568173065E406A1E98D8DDE1889D0B7274011CA00357BCD07" "D4CF8323F103D682B272A98395A60A95237482F00DDD5220433" "2947D4708D9B8697F9CE529ADF3599C440E2B435F4F6D039B35" "1FBB198BF360D3A184616B86573E7E32113B1A5E1EB52A1D15B" "EBB3C49407AD6282EE2551859F9CF87D0D8F0AB362A439EC535" "40B4B024EB49B525ED29626DB292D1333F579B1896A6357F9D0" "B51BD283718D2A7ABD8F3786A7DF2B512070A2C9A1B53457F27" "C6B859A2C6956BFF50AA7906D546C67786B68EC1DF3E93CC60C" "6968")); test_xof (&nettle_shake256, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("F59933F9E9FC474342B7BCB8B4DD6BA7B02AF5EDD2C1824B227" "BBD2A56287267804534E943EA69B571990EAD3AD5DAD06CA9C0" "BF97FEA1F3878824782E244D77407E3E83D5F527A1F5BFD8C74" "7FC08C5170E4F6CB114A9CC34E96AC2758782344451BFDCB090" "2EC52A9FC82087195CD1019A8E5B03E496A42762FDCCBA6EC57" "3D5C0740391697D95934F983231ED9642A0C6A2F92198B49670" "AA7F76C1715F3C80648E606B97CF708596AB9D8DDC7D039DEA1" "F4DE4D22E6ED297790AD73D9EBC2B1BC55315BB60E90EC7A2FA" "9A7922FA5A4E824BE742EDF41693F595571CA33EEAFF4EFDF58" "FBC0B9B1CB610AB2E658CAF31FE6E0AE74064DB62CE339C1F43" "9A55FDA0F594635573C511D040CB59F2BEF552F38D87F31AF2E" "98B59E9F0E67BC57D59F51204663511865BFFE1CFC42B00AC0D" "69487AABCC648BDD8201362A43AE19A9570DEF75BCFFA6D0009" "62E931AD32E36A9118D74C777F9A6D853496E9638332C3E6D7B" "0A5F030B2B4198C9B31A82CE117412C144914E784D9B0DBCB8A" "3320FF22C4F4F4810D5885C7DF3D0FEF30B4F2272230278C600" "834133C4E11AE65BCAE2069FDC1C863CDD701DB750DAE4CDF37" "A2314E39DBA691ED7D4A0087B8057EE27B3F6AF14AC0A742826" "FEADA8C5B5D52557952DA2FFE45E7C328E04C3CD61A5D8F5E11" "B3ACB6667A08498AE0582FE0E06105101CCEC61C63FF3CDE8BD" "1798")); test_xof (&nettle_shake256, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("5DB567B895164625131B8049728A0A66BCDD2B27D37828AF413" "53DF5AFA10DF9FCCCCC110DDA3071A35319EF50821CF1796B5C" "319D4FAE433E8A2599325C511C3C03E6EBB7C10E3BE35451756" "75F7AB719E906640DFECCDADF77C345DD798AC7E2B7EE83C98D" "D194CA19BC1131200494A4B67428C23061CDC4000762C12565F" "A1C731A574530D282C2502356A75F03685A4FD08D1E938BCC2D" "6E7EEE748DD1391950A44AFD63B73ED549895F0CB38F7D29269" "7994520DE110F782B0CF47BFB07CFFBCCA6D476D468B227B340" "6F44CBF3C6EF6920B293FAC69927DCB2D153350C7C8BA2D84D4" "11E3CA70EDD9321CC0387A6DFB84221915094EEE0A272F267DC" "111F18E46C6D82CD6B98933261B5A880FEDFD23AB2F7B6CE349" "789EDE97CC034D0E0408E3E3B75D951D7DF039700629CE147BF" "B2E2772EA80C8681D6DB87667A63E3FF358E74AB45712F0BC1C" "747551DD96F72A6290C5E9679A45F37934E7E22378A2BB4A031" "52DFD450B98D76C233E107C57142B72389350072027BCDF9BD1" "82A304E8B255F28459D96687083765E46F9B4BB14DBC374BB40" "1EA0DA7557ACB2684A96F2791E1B8DB0919365820CD315B730E" "F8BB83124577E55A139DE4C9236182B885ADFF4CA2298F157FC" "460972D6BD67D538CBA7E32F9051AFCC00FCDF797FC8231360B" "A6B7ECD5C4D647338F23E1F578469E1558F49F87FEFE28CD761" "BDE6")); test_xof (&nettle_shake256, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("B3D7178BC88BD577C5D95A67B110545C8ACF8F6FB56B5DA15F5" "738785E6C950347905B928DCA2E70CD2A5E574811DDBC894EF7" "FA8EC3446C7897B2BB2D68A61763A892632A3C5C6A3764AA0F5" "76717ADA5CCDA30BACCDAF71740316910CC08E8272B67521292" "FE1749026FADDEA743358421EAB011087D10D4208FAE8D5D607" "EE0D89976BCD79A12F4ED8B1C5D0189B0E2ED5B0B396C85B277" "63BDBF52D56B92E015CF080DF4F2EC80398DFBD733519F3915D" "3F102D0066D425EF9FE1AA3AFC8584C8F4D594ABA86AD52E71F" "A77893266C4C606A63891C41A679964A5E3AEF1C277D6D35D41" "0ECA6156F8CFED13DADF8022AC9159F913C4838AE1AF73EC268" "F9D3BF085639D69F2CC51C39EA594948FCD238D093A799F266F" "BD90B07F4619E342E38AFD178864760AB109CB4949E518305B8" "2ADCD68FE6E922D1ABAB2D132D10E0AABDAF78F0CFB74DEEF78" "CBCB422BBDE5083E57F016F4C5679E9D5010D4091B3FE615458" "86A65AFA49716EF8CB5A6C0EBBA4A2386A6591BCEDB3563BDA7" "F0E792CF28D257BD066D44E3AEAE8478D093FA9482FC26C77D7" "3DD3150D53D9F1A030063122916FDA66BAC51C69CEAE533F7A1" "569A3B9536CD35067EB190D2812EB2CD089D3E1DB98F2DFE5A6" "839F5B04B6EDCA6732837D23F985E1CC9444AC04DF0B2BBDBB4" "4E24D39DF2F447D72FFB90B7E9C68A46329ED630CDAE9470770" "4428")); test_xof (&nettle_shake256, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("341AA5C875EB43F10E8DE28505858865870E62A9A4FF45BF977" "B947D0BE17B2DCB74D5880FB5316C5C0B5E1C7DA24D8C8C72E5" "CDA4A9405912D12EC5316611EB40AE84A903703F67D3817BB73" "AC7C2C449D4D6D737CBE06C144A20F99DFFC12A8F104DF9E448" "A96DE38DC6D7F83324FB3A2626BC91405EE5917F3765D9F2288" "7777226BE829584D6E0F6544B5E1C25F939FC9136BA2E0C0D6F" "6EE5F4EA97DE937352D9428222667D974F4840FEE0770657DAE" "58BBADB5F47EB9C88232FB7BCC6F1FEDA76600FA2659F7E8311" "29B3E3856ACA6D78E0D7C582852503A67876877DC6599C10D42" "DBB81E6AFD2919A18E4EC01EC7A032ACF2A8320C5AE348D28CA" "B36C85CD256DB5C30BA1F8891005E68F91D7B0CB0AC4476937D" "1748F2ACE0A1C512AD07514E31CB0CFD743E5C29633C2646AD1" "882176BA15E7CC8427FA20B2295100621A6E01F7FF4F27A6AC0" "766F9C25934E64546F16F61B5CEC865028BD0D7DCAFDB3D6912" "C5786372E1E4ADC6CC8DD3E0A0F299B65BEAC5FAE69E8219787" "A8EFFEFCB50E40C8BC1C3D033742D98FF30D64D72D089AEEE28" "489791F6099CE354385DB83256150A1F9B6CC7444665BB95614" "AE6E6F511CEE0C49288B3EB31F9C7D04B3D126A1535531505F0" "C2710CF6CE7A6DB31F043C7C535F89467CE1F6E85A10AAF5486" "A3A6953CD351D865F818FE959E6E74F2DE42C1FD6E219DEB606" "6C86")); test_xof (&nettle_shake256, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("BA270D4DAD10865DF673F0DBB9D72EF788689673116CDC469A8" "CB9C89E6D8D511DBFFF6FA38E29257C9A5820781094300C088C" "DDA2A17AFBF164D13E360EC04FA44AE98CBFB972A68D35E6FEE" "E3AE61CC217487D7461F7315449E201D707F8CD0E9FBC64D920" "12B22175E677A304D903E556A5D1FEFAF8177A8EC3E50635449" "6CD693531ADB22BE09BA71B4710549BCDD6D5EE1ED3975258C7" "7760725D1C4416EF3F3B45DD8210433BB44882667A2154D4179" "2A37F2B7C5C85DFF707BC2A89AFD652D83904EC084D1E03496A" "7F402FEBA9F77254772904580CFFB1E7A0A8D489B6CAD6D97C9" "A5824545FDA36FCFA2E0A6F7E11710A8BEC33767303FE884319" "5E9F17B1B75A4625C67E39FDADECADA6A7E7755DA7742548B79" "7662B6A24194E07CE2E0302FEFF4671E6CD972324173F14F5A6" "0D443F6162CF2D6A3E2E0A7F2A6BBADACEC5F4B43D4AAD80900" "3722982FC7AF821AE4143D123AEA6B7D8550541DA9D704D81D9" "E12820EC03E8443866EAA80A534A5983581F1DAFC7F124915D4" "2F9A24887207C2232B5EF9D8DED3A3ADCB4D493FA2FDD6061F3" "9F28CA3B489676CCE7E0600DFAE247A62E96BE8A63ABB977A4F" "35F8361B71C8578BDD63F35D17CEA1463AE0709353F4667367F" "0FA0B6B6B6EEBFA049BE6133350F71E9CC1B157ED18C9D90A1A" "4D134E553165549C18004279ABA0C4EAD5F342CC05039DAE1C9" "CFAF")); test_xof (&nettle_shake256, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("C2911768C4579E3876B6ABF0A4A30646D8271FCBF3DC682C48C" "10E41A878609301F10073F3EA87BFD934854147D129DEBA9124" "FC69B6E29C271062CC8B3A5785367FDEC382D365D4D60E7E63E" "946154F948B55E7E31A0CAB5D25BEA7CDCC82D8B6E200C28C7B" "4946B4CA30B46970EBB415FC18D9BB60C4F81A308BECFB2E40F" "796B8D6F914FA7F134664B8EEF9FFCA684B296D26BBA051BF45" "F3EDB68ACC5D0C79C08724BC7EACF702633C99C47DBF4E08AF4" "3A48A51A25620C1F16BBFE4CE1A52A60B4DD603524DE38ACC2B" "E65240F51E36C6533D85A7B0FB06FDAE420A7E84C4644B943E5" "CC4AC48505CF042ECE8FBB4AB90B16B7AF3ADE3E24F871DA2D8" "6813A100C82E62F949C3570FB117407AB71A660BB4284A114B1" "F6817621EEFE246CC0169CA7C09FE6684A9709BB5E7C5C09A35" "B4D5E109E133D23CEFFF9E438BE621577A98D9B49B0F30740E7" "E3038C8BCF07E88ACB767F9A43B60DA387B617D6FFF8A8D8784" "513D649EF3A142ABAC0BCD8159F4FB65DB24616225FB4FC636D" "6C1D94DB757E647934BA77C946BB7D010AE5C78E05157466590" "CBDA903630809649BEF7F0D27000A9156B2D05DB89AC90A91F4" "D1F295D296D7783E6872FACCB70CBCCD244BF620D5499382421" "C8CB3829E756E6B415AF3C26F952539D14BBBE56C034B58124A" "D973A726676B7F278E7D4111701D69681412BDF08731C4CB14E" "ABFB")); test_xof (&nettle_shake256, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("C2AFC53CC5DBE46697F64D5B6B37BF1DB7DDD06D54EE9DA7873" "C77D91DE47377DBC5D525BA8C14D5F24A2BDD473DE53FB1BCBA" "E0ADF93B4525C0A77D1952A21BA5E575AB9AA889A19D85A02A1" "AE4D420613BBEB7BD2A7032137F196E0566C284CD11822EF938" "C191763BEB392EAE3FD6FAD77EA7252EE72798E5B4318961EF6" "7E595BFE0BE036C478C88B80C50C3F7BD047066F4CBE031A867" "644529AFBBE607C6FA77602ACEF9A635DE3B1FBD6C967B61330" "40D1A6649F1FF5598CE0E76AF8ACE89406FC02F2818EF8C29FA" "FF1F46A551B534BCE2C30E6FCA6F62DF3BDDDE56FFD8550466F" "48C0D14BEBB386F5BADCA240D848EFB66AC2D339A54AA1ACCB5" "C753B081F0B6F782388E7B82C77304F30E03B5D3BFCE0F1B515" "8AEDECAB4749C17305DCF231A04EA2436F423F5A818C461E90D" "65EDA69DDC5D977B19F26E4C9DB874F2602A3F5BE5AB8C5C70C" "DBC57E5BF757037768E1962D0AC697645B598C46D639C7A0DD3" "1B7CCFB88E4745BF2776505308C28FDDB084F67618B84D0451A" "B2AA45437202474ABAA0780935EE78D47EBB4E07C6466D3F8E8" "3C1B27EFFC1064FE01880D2A7D571A955DCD4F55D631DFBB3CB" "550E3541254C0D4041479FBB331EC591F8AFE5B644F6DF9F430" "0375805BED126EB96893BCAB7FC5AC5CCAD3596D8C011258F3E" "D269A6B0A6C4736D467BEE9D495D414B475D9354174B36E9756" "55C8")); test_xof (&nettle_shake256, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("B9E75F5D4B74FFBD244CD9566DF861526B5DE9584D3280BA5A6" "84EAC9D44C91C0DCEC5827DA4EC0FA7F60D29286D348F576F4E" "2FA03AC5BE8F27E9F9912BF500D0CD549F5E5799697C61F0403" "C264C4B2D986DDBFFE72FD8CA6439FC01D1F7138A92947364D5" "86D67C300F27EC2E3E75F9088A5B787490494EBE0C42D00401A" "2ABA6374CB3E33BBD737ECFBF80EE24D4985F6D11FE24FEDBEF" "B387D4EDBF4AE1F409E67F10719F47397968E406A51B0DABB4E" "9391FEF03F9F7BC47193215205386914FADE37017EDFB0DFE8C" "51B4C35C0AEB6F8A8E6D4D69FB538ECDBF65CF92325A7F280E8" "069CF9FCFCDE610BD024CBA87827E92CAF22482413C694F9F1A" "DE65B67F8E1D32E4B5D51F038C2FA9D89FDB2BC1848E3E7B54C" "4CD4D021F4C8BAFF61875899B79EF4A1468B0443691981FABC9" "5D076070BBD5890EFAEE194A6484E584364BAC001FCB37C2285" "8F74E1A01EA8EEBD49D9A55A19F5967B898C5B71D5F2CE93F4E" "52CE4B4D00D7C42E58D71C174E9326C5AE1E40BFBD8BD37DBCE" "9369062124CB47D683DB245A4F289F052F89812440BE2ED28B4" "0049A9DBC75B3FB1003BE8A1B996BE44270A83DC20A38D62C59" "71D09D06FFDC3F89379A99923F2BE2FB6651407EE37F4BC8073" "E396887166AD4F0A4E156C72463A524EDBF462F62AAB251E321" "59CB3D79A2CB3A8FCBC196721642682646A83EE60425DD7207F" "7360")); test_xof (&nettle_shake256, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("EB24ECB6C9CCCDA1E8AB1CA26683B63A43CA864E23AA7681A49" "27AFFBD8ADEE82704B24B321D6C909A1CBFCB453AC084557FE8" "4AB25E044885ED8051A0EBBB457D9821E9C132230FF27C4F279" "51432DA415D90D59CF7148569CBA02AF32A8F4B774D5E4667AE" "594C2CC4776AEBA2CA7D5F678C522A03B426AB2325127E56A40" "57837CFEE2607207DEA5F913CD64BED09E7FA723148ACA13F52" "2B584AF9A36E74E86415F7C064C7575176488895F0EE6A6795B" "51729AC947BF09668A9ADEEC199592B77227D62205857B75E01" "E62E3D2757F02C4892A9E9C2A9187F7F3DDB16B7ADC28C33F58" "89F87F949EB0A61E5FE431A3C11191DA6D127BFC899CDA0787E" "B269D0296F31F3580D9F630E0693F292D2B9954444E56A82D6C" "81319CD99D5DDB2F042E9242244455D5D9F59CE9DADF0BE7804" "94FDCABC72AEE397F13CBD656D246B6240A1C21BAD6E0126CAE" "A1C93096A41CF648BC0ED7A051E03DCB51E2C48AE32C8818863" "4021A4B64ADC4B2CA9A5118D4B6698E87C1E3D4C2666996F875" "4242214F3B07806C8EAC8CB63AFCE0A03B64D63D46AD53F0345" "DC3A9FE550D43E9E569F8C2BABB2C025D843F7D568DEE6BC762" "D3B4DB80B8A3119DCB19A17CF5FE1639CA313FC74EACEAB5F9B" "AC2E546C36DD7C292B959A2C9CA98CD143C5822BC94179DEF33" "D146A16091688CE192BF03A7E334BD033DB66A3D544A8FE17D2" "F5CB")); test_xof (&nettle_shake256, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("75102A95654D885655B910E6778F8A72B263B0854442230F8D8" "923AFCC92C5BC98EE5F2E8D53EE1EB7F7A85A7562FB96535AF6" "C78F0491EB11B4BE2CC71CCAD0442DBA422B84FB16ED529278C" "57A543A3B8910D17232B2B7FC4B81BEA56A6E99F64A50DD73AC" "D26E506EDD60A788548DBA27AA66BF6D41C8CA0CC603D8CA515" "F3BC948AFEE2E7EC3F8CEBC56A01682E66A082846E8EDD0CED8" "5A6D5ADA77A9567424C73F049DBB2CDC180E6DD85AD73D624BF" "E10BA0CE3609771E50B51004BD62029259300E333D18697A3DD" "0408D37C5E275CC8A4C6C5AD85040365B3A427F21BFF9F1660D" "AD79D439C5DAD6855E75840577B6AA822F614B42CF57561A70E" "E8216F9CCDD8B10F36455A2677CF93756A3E30E2E177029C4E0" "A3860CC01619549AAB73B52E7E5340B42EBAE37478CD899B71F" "9FBAF7DDE36C57450CB5793E371C903EDE8143F9CA3C8EA2231" "BF5F3191A49681EE8F45374D81A774E9F8C6EE5465B567BCCE1" "C77E8289C72411A1C8F5402906046F42CAFE88B54A5E8C7FBC5" "311B1A7C43A1094047935A27B2D89E9470EA28569211F1E6D99" "E9FCD1AEA301A6271F90F51DDAB660E90A50D10003BF425858C" "FB0D67ED630F74D6FF46E57FFB7236D55703A55531F89D92EEA" "C17C6A050F56B46BD0466A0A918EC972E0947A991B024AF21D9" "F92B6147155A1EF08EBF620FBB65C309863A25F3BD1D9ECD818" "E354")); test_xof (&nettle_shake256, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("603CFB5E53D83CCDECB22C5C75E67F5DFA0DB7D874E6D280DE0" "14555B1300192D9B769482878950ACDB484E87C26F366D2DB04" "9FFE8C92799954FE31DDE56A061E2F80A5DA15B65A0C9382C77" "90EBEE8E676373405BC1BCFBE974797CBAA998A0315CD9051BF" "669E00611880AEDD88DC690192D8D485726B47879861A85349C" "2017D9892692DE8DF315EC3EB4E6C508B85002FC7E6D7812FC7" "E025FCA92F14EE57EC9F507EC05FB8D143DB2EF6B83B8785289" "C2FABA51E962B77754C0081CC1253DE4CF8C36D2150B263FA01" "E19E5157EAC5521E29414407FBCB604A442FDCE7DE9C99D46D7" "1F78D1B9931033AF38940D70651884B766762605EAE11457A60" "F44BF5CEED9C0E9A9C600DA70B87B57E4B5C280E3AA568BC6E3" "988B5481006298BCF9239583F39C5EF439E551B6166DAF31970" "DDF7BB6B7E068DAE50C15D7A1B3D4F3587A91BDEAA59DC66622" "0C2DFD238BEF11F99DD47B87DBA8C60598B531013468EA5F15E" "DB0E2F43D4F4EFA673E88AADF4572A50C25B3B7953C4FF0CA8F" "32D374FDC3C130CCF67E95ABDD315FE7390D5160F6B307F3A20" "497C76F69CCF18151E5995452F01ADF1D55BF3A678D0ACFF44C" "50852F940DA91AA3FA8A5BC8CC72DF7AF11AF0E19C167F6031D" "C780DF8583F290059F5ABEC6917F7EF54339538424234454004" "BE4398CD0CA6CD1E71D0372F2229591F7647142C13C5B089780" "6F30")); test_xof (&nettle_shake256, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("724E26AD36068E3825E1F997CFED8AD10194B96E76EF425BD34" "7254BF19BB862DD449E0182E9B8E20C8CB5440E34CB7391935B" "6F5D49F3319A984E313A9F4ED7107C43D737F016BD20D7F454A" "670199566CAB98C4D05F0D31B2811A48EBA4DF019936B0C6E98" "3C3557DCFFD42238885A7CBA1376CDAD15BC2FEF1E75013CD3A" "CA86FDE4B616F2BFE310131AA5EE826F5B0451D4DFC0F0EBDEA" "CB36A8B6AB96D7D81B2A21F7E09C5E908FCACFA763DED4361E2" "D9EC86559DF71A827662EF692D503C72987CC9F5A9FD69F9AAC" "4231BF27E8C64ADE3F9B51FF7DF4775B966A6C2FA6F913FD191" "F9B79DDDFC077363E1E62810F9D82C82A0CA9FD45B9267B1799" "8C2FB7E812195CAFB0A08831CA47857E00E329072037B3A96DC" "9780FDB52379E7180ED0E84866D42779D89F56F94A8D86C0600" "302A09255F838EFABBD08FA7B342EBCE887CBDE92743A36C14F" "61386BC9FA5662F7A2E39E0CD165E0E0F635478EB28217C1E97" "EE7DF96D6E6143918C7CFE29236E9911D10C756871E749E2CA7" "21DC4F1D0DAFB1715591F3708971409A54712588AF7CEA3FD2D" "0D06C036CAE4F76B885F50B3FE11A39F304C9702BF5F24DD5A2" "006E9FE6AD23AEC9598E34B4B043B092CAED032C3FA42306064" "805E73FE03560ACE3BD87D974C8FB95DA0C68E0EC4B245C849B" "BD06B94A319209514707BF5447113EE3B14AFCA06A6BF308DBE" "03A8")); test_xof (&nettle_shake256, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("D0F92C3953C2696FC132FA48BA36EB7576D34C5BACFA4E9D9F6" "DEA8F7B0B6B746F6F7914EE8B9C25EBCA91D601E781B29C99D0" "DA92A1C8670918927A45B2AF16E9BF00CE9A877E361E797F951" "1B9A116AB72209D7E8DBF0E299991B173E4C654021517A94F9F" "4CBFE6FC4BB3C3EB5171435219EC0D80BE57E3900BCE9327D10" "DFDCE70BCD32C129FD5D5BCC54C4BC972F67562796466F9BCC7" "399DB8444C2EE896ECDA88E0F9ED729985992F0BD707ED3ECE9" "7064480AA1D10D4BB176F65DB3327A0F34D3CC32140A95594DA" "7707F565849D1258435285C1B9828723EF42C475D30040AAFB3" "237A759141EDE73070E8995D2FF72C727B1F8A215AF3E511385" "2FEBC029413C2D2F21849CCFF5269B8D188C147D4FE3843D195" "0FC09409BA0E5FD2C5567F11F0DD098810924E56463CE5B6C74" "37163C6201A9252DC484800303FACF0D6B004CC856BC68AEDEC" "5496021B37A667B02F5F7E7234484B531F07ED78B6EB747CF59" "5367EC3EF33DF41D25424A858F50A63D5D503EFEB895334466F" "C3B01DA6246A5801B9D06071D765A65E64F2214F93B6F072115" "343D711697EF2E1463E021CF3ED9CFCBE5A81E54DAB729D52F2" "F309BECF754E3D420CF0CA060C7BE4589D748B84028517AF792" "3767833858A35B26B0AB5C5E3B14E68BBF50AC28A3129F6AE08" "6BF783612749DAF4CFE87E75A4C89DEF988064E32D616F1CCC1" "7D46")); test_xof (&nettle_shake256, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("F31DE8CAD77A334C3480D93E3B30844DF1EC344A8D44CDD277B" "0099F28001239EB0DA5B566FDC383F0E1577F67EDD2BC0F11DE" "67F3E7A4D97C56C9F3BB0FCB4D3E4D08F7F3D5C30FBD2D964CD" "45F36826F614668193554A33BF0170AC3E64C10E4E3570EEF84" "DF387944A6436A814DCC53645D01968C4EBD1BD0BDD76354580" "805BFADAC96470FD354BA2630F7FF8F7AB29282ABA946B1A9E0" "63C316A6D337A7CEC2FB4B562B899F626418BB61EB4F9E9BD7B" "294C7ECA75AB522D642CE495640E4BB1E2B14A10775704DCE5A" "DC7D7E3C091520B48DD18A291841CECE5EF56E1969915FB4979" "60D011A8F46A5B08EB39232283EF332F7AB0D8FDBD900BC2001" "83186BE31A6EFF7F5F4CD27C12BBEEDB0715A0E6E1F6E35753F" "E7F3996C75AE34D2E8E76E43F49EBDD505DEE66536E5F2332DA" "F4EE462B7B524F3BED1293BC45DF9511FC03D2734DA036EB3F8" "C62BB0E623031939E83745744F7DBE93E57ED65EAC1016E4147" "15B54AE83A15FAC6E76057D77C3811491F390C0B4EA0BCE2923" "72A8633E26C10C11E301E57983109903DBBF4D08434A6287B8D" "F665BDBFB03957CEA7AE4EEF506AB1F7AF1358EB48E7FFFC960" "6C266E6CD903C75772E2E88E954585DE90111A250EE62FC12D7" "5C5C58CB7C03C9C06C2AAC9EDBFEB02A1207AE5F9A92D32DCE6" "528A13725EDBE757F309449A40E93286388D8C09F9BFBF49E5F" "B826")); test_xof (&nettle_shake256, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("A3D9ECECA03A1016A8546AD75C7B35102D5ABB0021FB5F2B1F5" "3B591624EF0F6C199F64DBCF325E37F4A361368CF60F3BDA9F1" "1BCF5FF2EB1A4C0B0546B5E898204EA5E4117F519F72F2F5DE1" "017B2BAE0723D91A430B2B3C1987FDD24FF0D0F1CDE2483A22F" "C37F296CE16998C12994603CFAB4B496D3333B25ED48ADB1EC9" "26A44CD5DB14C2072588F15EA752A31A8A3AA559A35EBC900FC" "E948111AF7522AFBDF7C56065B196CDD00FDBAADE3A80D2DB10" "271BDF6418F0F817FE991EC055CCA474B61E1AF6BE6FF6396AB" "04716809433BC8AF75369049E605C1C0028A0D370E7CD0C1EB5" "71FB379B757E8BD21AA61C2E2F2B0D0DBD2D73ACB2DD0887923" "B840079BC74F6C69682118B2B3DFD3FE94D3A76EB8BD68CFA94" "034DF0B5419104675B9F5E56F8C6E0EFF12D9B20E27535A09E9" "FA103803B62C66D7AE09F8E39A5F505F3BF93D27EEE1B16546F" "97AF0616BD4923425A1F0FEA1655334A528C5DA469850A02574" "96C820A351D826EEDAB469A3871182B8435615E8CB1C8C81D34" "F8904DF7F81D48FFDE990B69F0608E6B05AC130709D3DFA9E8D" "9F343622991BC686E80B4F0877C03D9B1E0A190D4C33C11246A" "20CFB297E127FC359AFD037B1A90C040D9E10F77A3F6D9FC45A" "2877711559C8B09348B203FC49A1770730D1206DD03B9E64C39" "0A308BC27896309BE2EBCED1A7ADE8D7187E8F6F9A76523FC82" "0E30")); test_xof (&nettle_shake256, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("46F35DCE4FF3A34E944AC51B64AB60D314E30C2CA9C5B4675D7" "59E1E852835977B6E247C025A8FF0248C622C492A04B87C5A2C" "906B2C1CC8F9CF2E03DBBE046644ED26F37B2C4EB2D16B558D8" "2E2A3400EA2BEE9B4D0A3641B7065FCBC34ABD67EABDF5AB7B3" "F278C47D24EE127515A2C94BA955A01A098BEFB59261082F233" "83210FE82208574B95763FCA6132AFB3E644461B1D78F3C8E04" "D860FB0952F9A33A7E56C1AEC1CD3CA913CA62FD35FBCFF62B0" "032484ED07AB9C510C589F62965D676382EC7E55E359F5BFA71" "24A54B83C245725AD796987EF4E9186C74E8B1B53CF02753334" "1278B0A6B621D7FC68B556F0B3E1A95312F4FD3471EF1BF3C3C" "5ECE8269B29A51470ADE59A3F15F2600B858EAF8B6B109339CF" "1B15B0EDF36E0004992BED6E1B187BA60ED3E92A542A83753E1" "4E0CA85A0DF441E5B03A9709EB1AE714615C7C5F2F54C373BC5" "ABE342124BCA909BD4F6696950E0483BC798059A94CD8D852D6" "C5E596A6CE12FF053874F459E68062C5650ECC934EEDE1E7206" "BDE104CF33C95FE103D279108B60B4078DB9522F2CEB28B77DE" "F8E4E59C93552B8C09C0D74E8AECB3B6C50BE0C123E2EB39470" "908BB7288E451C51F6F7154143DC78D5F5C4ED402217A3B6146" "6CE80CCA2257D77DBB99B6069FDC6CDCA949BCF279B3E4DE579" "68DD0EF83C19C5E1A07B19B85FC60E593600470C3F4603178BA" "08CA")); test_xof (&nettle_shake256, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("77B7496ED08C3933BD75983C0C0494BDD8262493A4B55DDCCC6" "4167E67EAC0F6E6307ACC15C33F3963744E26CA6C504D393B3E" "E8165E4D49EB3B6E649207653048F8B822FF884DC74937443B1" "C4A888C7A768C63D5B5D29E7446873923B9D7A56FA5D9E90760" "AB86D5718E3464821B79EB46D169141FF16120BFB650C76D4B3" "E5B3F6CE61FEBDBE09AED7F4C91066D903AF6E56531E8FF7154" "9508B6E420CAC6BEDFE0CBEAE6BC228476BC8C00EAE43D40C82" "CBDF6B460C376D7C11648EB2815B6506ABD4339B25D58D45CDD" "0A0B9E35A88E251FDC34D4810D659D179F59EBD03717FD31A63" "94CE12CD5569066E138885CB2BDEBBA06367557CE849EB869F3" "CAC38800D51C22B666AE2701E580796394DFA02F4910BF5F86A" "AB53951233364EA20CDA35AFBAB445BE7F686643856F825394B" "E7B4B6D2C918D0151F46FB9AEE8A7BA2D706E48CB0BC429B064" "262C1A0EB3524FF14632F5184575C15F6F4A3446E93CB4E86B6" "A931BA268409CE30B4595FD2059A27183B3BA8D0ACE8E482866" "D5C7D5B03DB8DBD24B99D59EB6EEFFD209E124535D154B98F99" "91D84FE1AA763C5133D41ECC233930957DCEB7896AF70F735A2" "F5C1E79480AFD50943BC5014BCF0A7354AA7F713163B55A1E41" "BDD05FBBA9C1DB2C69043ED9EEA4FA45C990CCB4A8DC41AFAB1" "8164018E54C47AC5BD6980FD796ACF0DDB42C7042A4877E8BE3" "DE29")); test_xof (&nettle_shake256, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("8229BFC635A769D86656396B7723FB46BBA9868712F27C37792" "5CA6B358B8391E0AD8C30DA71FC8F0716BB95ACB0DA00C61F3A" "7BC8DF1315715E925F1EBFBFB5D72CB3E098F0C014A80E88A44" "231DDA194DFA8E35E359F60EA5D7A5E0D1E64A8FDE294F4ED2E" "3E98294DAB838B2C6B3FAFCB2995AC17AF67669A24FB7131823" "3A82DC8B934C8693B3DF784A5BB34CE9CB3FDE79AFCBFA66C07" "D1202C954E849DADC0C1D5BA79BFA74919C1C6FFFDBB834287C" "852522A65AE3D32E337C2BF16C3B5E22D4577F5B05F1B872185" "32041B9692B0EC561881479C924BA92E154B57A1AFBA6214F68" "FD067D109A92A9B0E127A0A6B78E85808268567CBD1A2653201" "233B4E80BE103EB951748A1D1F8A205856A650C58DF15E8E1C7" "6644E52614AB4DABF51A2320A98D259F8295412291464E1D918" "C9BB8F5282301BE5F91DCC507F140D8642B7A6FD37327CF38F5" "10679845853CFA039FF4CBF749D48032D6650BC7AC2BECAEFC5" "672CA7C61A8F6A1BD69D321D2AC1E6095B3AF7111F509BE0062" "707617C62DA3336C3086C39B2DCB9DA7F23BE732EF32F906243" "250CE4D38668ACC8CEEBEE87C43F077DF2DF1EA4F6345477490" "FE37725ECCB8D4F47B14A85B0D36FEEADD4A020DA3DDA4A4889" "5DDAA45B5EF8499E937D06BFE6DF88897A828DC19D9AD93C622" "E0263E74F818F921C4200856C9EC9D36CC99A6B0BD59FCCCE72" "CE3D")); test_xof (&nettle_shake256, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("66126E27DA8C1600B68D0ED65E9F47C4165FAA43DC4EB1B99FF" "EDDC33E61E20B01B160C84740B0F9FE29FDA1FB5EFF2819D98C" "047CDD0CF8A0D396864E54A34657BD0C0355C75C77E5C3D9AD2" "03E71FC2785A83D254B953277B262EE0A5BB7D0C24ED57FAED4" "FDB96D5FD7820E6EFEEB5A9E9DF48C619C4872CF3B2516DBB28" "073273E2693544E271D6F0F64BE8DC236ECD021C00039FD362A" "843DC3681B166CBC2407495E18903E469403807FE623F3648F7" "99F18FBD60FFF7705D07464E801E0AED4F2F0642B9A2C5CDD0C" "902B59B1DA19A09375C1C13175B618091B8882A0E7205EE63A9" "219ECBCFA943A10D2D9A50C8C0B5D43B003F67EF0D52ADBF9F6" "59BB62FA6E00678BB8D4449648872A99EECDBB3DC381B5199FD" "500912AFA93C63A6B23D00D0A416468FDAB93AEDD9115265BE3" "A4440DD4029FF7F88D9755623E77F9430B934DAE529BE9A6B30" "7B1B292AB5918EB24B14598554B4CC6269419C701494B7CBA5B" "3D69F6CDCD5181FD03E0748D08E1E0AA5C4EC62C47877C10858" "73C016EF24E7E45DA71D3DB9DB23B153CCEDA9A9AB5CCD8C546" "6CEF29810098E976E4867075601F83A2D2CDA1A476A1E990CE0" "4C4567FFB99AAC428922D9D8B25AF68C36463D3AA4F689CD778" "F79E743E0BB5F935E6D45F978DCB2AED12DFCDCA469556556E1" "9F25D4C959C98785FB471D4BD1675D3B84742766D5BA4BFF2A3" "F912")); test_xof (&nettle_shake256, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("EFAEE039C0412FCE8F55F6E7772889EC18D0604FB18040DC1E5" "783596CD820B421A0DCAA528C8A62B17A22164430672DA6D818" "E2E555AA8E79665A6F8F5721A4E17FE8FEDA551ACC9116F1F50" "E95839FFF2427DC1D988B0269838102547D4D46C11D2548BE3F" "885111D53F3061A74972C56579C681C20BD5D47A4C2A9523BCE" "154068FDF3813F5D45A8D446758C212614E3A6E80EBCFEF81E4" "4034E0F2D02FCD0AE5E6B10DC24EA09B94DBC47873768C0DC6C" "F2991B9477448540924CB57D3582D7B8E453E946C57129285B5" "48FCC831B3E311CFFFA3161941689E3CD649C3F47D96037804D" "0C6A4FA8C09B11A7D5A35F6C4AB89B64C735153422A3E529E19" "B9AD7F7CC346F904912E1A6C098CCED3BE9755137A26907CFD7" "F7AEB1A573A971C4A5760CA5399CBE642F0106497AA1D364DDC" "DABF375C547BDDB6011F26B564D0CCF4E055DC0869BC280391E" "5C0203005D92246E377DC560D16F3A9588068473B14FE7E39F9" "C25108EA279D98DF21902E60DD4EB03266E873D3B0C24DD3306" "6991386C4311E58197F24AF80FA150068407821C2327E900340" "550E7826B2F510AC65D4B21E9336610945A0E5A0EC8D132D694" "316F2B8A21CC24520C6204EF036116B2FE66A79CBB202F65E1D" "1782AE10CC71BE51DD44718E2FE9D229C705B94B9BA6B27A392" "5E55DA290875588C8EDB8A1866FAC9EFB7FB292F69A89ED772C" "C68D")); test_xof (&nettle_shake256, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("F64CB396701785B64767D4F17A768EE198297A74E5D1617FF74" "A3323C096579C0279E351C2407BB889CD4AE718B09ABA711FE3" "AC14AE7D7DE0072E8BB0B6A1F92A1C93DDB46DE891CFB1F3681" "4E585F672BA871601E817BCD6327F3A7FA7DE35AF6A0948DCF3" "DEDBC8A7154CE8529033F67FC656F95FD47B60E49681895EBE0" "824DF50F8EA0480B50EB3264243A88BEF29F5F4FBA012B86A5D" "FC98054AF4D15248CDADCB160193DE7068CE71EB76E32ACDD0D" "D94F6B27B5158D9E63EB25831219768454C8A951E9678F41EF6" "F654CAACB0F2AB5DD614BF0BBD932DE06FC31D7259309B23DF8" "B5864322EB2D8F39A07E5A3F324B64876612BE4A1C47B06F7C5" "BB814169D94B78CE22AEB7249C96A29C52BDB5550C7B292C96E" "A9ED6700F5D3032D2A81CD68ED3A6DE8FCAF9379ED0D95C94BC" "B0082915FF7DB5EA1BC25645EF3B546A728AFF4CA20C6F8288F" "F0FF4B7DBF838E1A3EC5463AB88CC827D03A748FBB924797A98" "D309BAC09E73215BF8BE798C151D322D6110C280D85B45785D8" "54DA39A80F64897918C169BD7E1FC52D003999C084BF69B696E" "6D747E859DD2D6EC6FA1339A395858477BC49241B302FC74E01" "88A2A8138507331923C357AB4EED3F64FFA908CDAD9116039A4" "69229F9A62070799026097EC7F5A71A7FB01B5473E8035D383B" "9F236F2FAA0E06DBB135A939EF9CB31AF1E312F47C6C9BE1F50" "DA36")); test_xof (&nettle_shake256, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("CD85DEB9DA581AF66C0B3125B697371F16EE34606A577AD6D8A" "C7E4E4A948B36C844EC9EA85EB168D7A5A1EB4B72A685AEB80A" "75075B420C9B53B963D960F7BC88DCED631C734114C28B2E20F" "0657D9256AB01B1AFEDDA9B9F85FD30D0DE3B98DB38AB90DE60" "045836CFB12C41E5BDAE57B937B637C11ED47F7DE242EB9F72D" "3253C5D883B22333F181FFAD60A541DA08601791FC0F8D9F44A" "94B551B1A879B76FC2B7931A2F4301D121A4E6861F5C84FFCB0" "139FC37268B5F8A4C3FD490809CF44F68BC1E665B369D4D74DD" "0BDEA71ED0514C37A47124CE146927274D95067C80036ED9F1A" "5B0A10AE71E837A09DBE4DC358DF4687392D99B2ACE8BEADA96" "56677518B1607C8E13B7F45100BFCEFA1D4E38B9BB29EB23D17" "B9CC66F70635A6C531BE9CB890AE833CD7CE35498CC9F81C576" "493913BAD87532B711F3F88873E9ED48A83B6B2C503E096A33F" "824FEB4CCC702E82CEF00FBD938FF9BEF6E3F80E149EB343381" "6A1D3FE7F005734192CCB5A8B0D7D43327B535547A9CC7F5FA2" "86F9EAC26E9E6A1CFB86DB35831F75A9902A3E78F6BF9B47288" "36C81B3C614923C3EA88D6C5F55449A83EBA0F5FF7B4F070842" "06D4590BF817C1FEB43595462037AFB6969A91EEB963BD244AD" "B1B654FC98A0B0BE99029B3D5BDD69D2158939D677B054CE55D" "ECF0F332851E0A74EAF2BF3EB672D4CB1F467D0E5391F98501F" "EC2E")); test_xof (&nettle_shake256, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("A90053A8F738A68C18CB87FBAA8370BD14270412D0014C5DE80" "08FBB74E619182A0442C121F7E2449A5B019DC0CE597BF1D7D3" "E64D1184946D45208A864723A73CC1E242F7187811C522F880A" "CF53056D835BD150FCB7DB61363D22074349FF54A3E5FF25712" "72910A7333959D8CC29F69B540E5ECCA50DF7799236338E2925" "5656930E22679A3A585E32B88C27452BE75BDE73789B45623E6" "95FB7408DC51891D50A3BF84C5088C5F6FBB1B740DEB7FE38BC" "A05F1A3BBB516E9AFED0A41F8FCE94411CB84D8BFD51EF91718" "4A66C56B31A190AE02B86F62CDA2FD7471EC030E94EDB56C144" "025A1BA9B792A515DBBF402D33BB6451825E52A87B7B82C44CE" "E32669F96F3D8DAAC5923127B51AB5C5ED43E5A9344B32C5A37" "05345EE98CCC5259C9D3342CC10D660274DD628F1C2C031FE9E" "D282500D5C3982C7976620FB46190C57856E519C6FC1760A306" "C3497F2E001C7113248F53EA1A4BF9DB370285EE441E4B43459" "B6F8690CF10BC1785138F8855DF859BCF1AA581DB4A6EFB576D" "938FC273E7D126CAAB7FBCBAD62DBED1FE2C33F24640AFA899D" "EF2825AC2C0FE928DF223B1043117C061F1C7EEC723C5CBFA83" "14E1B18EA6CB63C02B9D6FA3B27929B4D42F1D785813FEFE124" "9F65B725D4DE59AE071A4F6A40AAA26935F4DEFDFA3760C98CB" "E805A50DEBB3011E006015FBE8400CFB1B6B3D2162014D675DF" "4246")); test_xof (&nettle_shake256, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("27BF218A01125514BB1B78E582AAD16720267373BB27FF96A59" "4B7F10CC1D0A393FA753F50437C89301542D27C12C03F53FF77" "1CD0DF4B38F40B607B67CF419020D34C18F5BD3BD424D39F47D" "118C84A53A635E17365F84FA0340BE3212056C155FD227D3B52" "F9BE75538FC23287B5DEEC0E5737C8484ABBA0BE6CC43D956F1" "7A41CF81DCE5E78326633CF09326E0004B172763089A593DFBB" "C1A0960A16F207F464F9EA2AFFE732208E970E00AA0BF122863" "4E98031155B61F6EE509648D4B0BF58FC9CDDD0B470B95A0AED" "8A3A96DEB2F7FCF65CE08A826300D4E48A681019C5A8EED66E7" "FD5FF098308138B4E11886528AA9ED32617392B0F6E133A9968" "3DADDAC328838008BEFE9DC680720BF4231E88848660C8EF4A2" "973046D8E70D8EE8D8497AED8A748B3185A77B238B5650C9909" "5D8702209C0C31FE1770042FE3BDC2582F5FB841EB5A234CB4C" "9B637FB4C5DD9F90225DB4C62DA420F3D1895FB2EB05E3A3D67" "67F73FDBC8B94D48A555CE4CDE5045BF5325B782E0C242FB3CD" "27D963A9EF014DDBA4B0608F2627FCABB2EDF570A49AD5377B1" "BC7193D9CCCC23F5D35C2DB59D05DF8D4A8E5146298B6EBE1DE" "25BA1089DC746EFEF6BCE22B43FB99EEABDDAA76566452F544E" "AA85CE4559BA683A122CE76927242050FB236BDA091480AB1B9" "ADCA148B639F986A3E936BBA565B54F727A0D45F369DF25B9AE" "8528")); test_xof (&nettle_shake256, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("2FCE215362A523D7B76FB836EB458667099C58BC51D7EE6F6DE" "B9894B6A337576B0DAF9A806488C3D238762B7A2E7B12AACD1D" "696517EED142AA5DC5A0747F08E5E39A2486D75F497CBD6C489" "9D6F5BF2AAAC9189A6ABC6E787B0D9C5283C840E518C6AB0393" "CF60337369251DF935A02DE0463DBFA4DCDC1DE9034FC9C21FF" "B9DBD7C48384DFF31012BD5F5A9CDFDB7139C3C35F560913D64" "3DDB728910413F1267BF1BF1586C5EE69DAD26B53154934762D" "4C80C34D511BDD8A391F83D224F9F8F83B61DAA046C542BC78F" "153A3AED27E1268058F6952258D274F11C8D9634A5BDD4E69C6" "0DCF1F89DF2238EADFE783CBA652A554186D9E8307C7773722D" "1049C3815526F583612BBD8F6C587D058B80FBD38113957E602" "12777A9F67B612312583FEFB67533C065286CF371001440B1A7" "A43DE2405E5E92D633F12A63EE2EBC408164545DF22803FF239" "DEE66EAA20780D103D940880E8BF68B9D815EFCF16F59E0D858" "AF33FE4D287A2B8E61C6EBF26E16E354B3EF63774EE01A14691" "B149D81F010A655F308E966C990E1BEFCB6E4253FF43BF473AF" "A78AA88C36EBBE735B6B2F92BA9D07A738E000C9B42BF8A3A4D" "8FB6C38AA36B3329F909676183FBB520196D0DEDC80DC6BA0DB" "4D72AC6544551CC38B23AFE000A91F10A89956D2120494543E3" "FF5D7D1B2791207860A0B921DEBBAE769E55713A1D611F6B117" "5BD0")); test_xof (&nettle_shake256, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("992E831E9BF5FD994A73F17699CA0ACAEF65E8212E5C4A49556" "9654B5DB523BB04431B7910A343FF254F4432485B4A6A88701A" "FA889B11C45C53B4A1C4A1872FC685D644DEB5DE2340511F29D" "062F6CF0F39803BC333044CDE83103155A49F77FF8946A77FB0" "92D1CF1715F02297ED4F6B0A43254863641C4C244DB87FE486A" "3EB78DD3B57CCE06722CCBBF53ECCC862A8256625AB03563FE4" "730F74C8F78037BDE37D538DA822AE9141B8098A8B57D74FCEA" "A072746DBED8C4B23F91B3DE8B9B733D06CCFA2FC18747590C9" "AC01A9FA675D8CB51505098F8993C494592C2561F8F2FEE3B26" "7D8FB77A1AB853432850F90B8C52D08E23A19226A61E0589842" "ECEB48059F8F1B749D563E2C652B70C426B91B8B0E19EF2B319" "F2D7DFC25F0D712A76CA9332F92BB38CF89DED9802BB7AD5654" "B2357325CB1CF6F1C9FB364EF41EE8B0A8BAF5FF9E8878E56BA" "4BEEAE384BDF029E4911DF8E84F5B570704D53B67D6BB1AEF37" "976B38F405D9AEA67C6A6D77370E37BD78034645A9B64056723" "66DC061BF384EB0E9E73466FF5D018C9BA52DD262DC97970CB4" "B8AB467847C23DA0FB101F5A7B9EBA51ACE6C0119ED03C7A14A" "FCA676BED44922EDCBACBC79B6DB231C60DCD4ABBBFA0C13C0A" "B3D680AECA78EB9BF0F71CE6886AFF6C309594A9DF2D01692C5" "6265A6E9256C366C4C53B6C0FC38B6EF18ED8C571D94EE27E85" "0D4C")); test_xof (&nettle_shake256, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("47CB72FC64AEB3F76085626534EA346A2B4797B5D61839BD7A1" "5DF05D5E3552C2751C697BC2C532E2B3A8934B9ACD898567145" "0DB65D6F44D9B6E27972FBE050E6A76537EED3E9FB15849ED61" "C3B2F6E30A8523DF8E95BFAE3A93BB306343212F1C288113594" "42759C85C3E6829A179C03F86A442DBABF49940297DE3F29CA9" "F6EE25EEF49B9C7B37DC4499A9D16D3B32DA2AB391AC1E6BA6F" "3967532FA18E50B1E52D6D3EB2447EE20CE459ED970D71E33D8" "0A20E933F09E494A753D15590A29B15733FBC93217B47B36851" "00AA31D5029DB16FD7E293C51C55E54E15457F99009590EF8C7" "B7BE110453B73B4652B2F9C048BD7F2EA2590D33ECC5508BD62" "BE3A0918C174D99C5939FEE9C48592CFC220F59F28F57777DDD" "43AAACBD23A61A8473D4CCF01389E982877282E8694F03683EB" "B44406C798104B9F3223B0DF50EC964665492EEE586CBDED57A" "75F17762A2903604F8120FD1D981AFED7D6AEA59FE70DDCE738" "A41F53F611B927EC3DD3AB7E89A0B0B3943EAA2A74FA2C02098" "4DCEB577F6B3E7AE98CBB81F3CD9780E52D44BDEFFAF466FDAC" "7A4429BC89295204B0FBB9C8A22A5F202E8536542C244CBF300" "0C0CC1CBB0C4E18A29CC92697B0E58AB1AE77AE10B1D3EC92EB" "697364CA69279C4EEEF39D27C06E63DAC76028DF7A5A974F8C9" "7AF5C7AA31B5BB5F1F4DB2E63B3D4C9F6849129084C77ADE975" "62B6")); test_xof (&nettle_shake256, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("458FF16E716EE4C47F3B60B3E473D91157767621E9E3A200EA0" "BA18B511B00C9BA311C7D542289D03F07ADFA6110675DCB43D5" "D8EC69C0EEF6AAF4664F917E01FF8DC5F203E89540EB96640FF" "807ED60D761C4D3D92F55604EFA648C5CABA130731FC2BB5351" "46EF6EA4FF3A7CF388647EC25C3879671874BA259C6ABB31B4A" "8090BEA5AA7D6B05F5647CAEADA7BA35B45FEEEE744BC0E76D8" "EA6B84CC4103D358192BACB126800CB5A6E114709E7DA7766B7" "61B6FD0A83203B82B74E87D426E71AC1AFAE590F4F06008537E" "79E2025007CF2F5ECD0BC1A0E14C5CB8384B9DAEC501CD985C9" "858212CE2B9AB2422F6F7EE0E081FDA987AA90A6D51DDC1173C" "CBEE0592E970CD3DDA52431C57FA323758AC0A4E47D049EF3C5" "1211A4F9312614312B6DC119336D7BEBBF325C2C4D24727E290" "9058543BE4065C58F4E9E3F3F0ED88B8C392CBF610680123210" "D5214650EF8DE411B7F6EBBCF2DD95F7FEACD074A29516E42EF" "BE37C239E9AAAE6E0E1E1C61B418BFF50F0D7D56347579A75AC" "A891D51CB5299987734EE208F0D85512C846AED6DB2A2F453B1" "10FE2475852C92FF1BB3439D9D6F3EB76B49E239F72883D067B" "F9D1BFFBB1B668D677F940940B9D042C06EDFA9256B6AFAA37F" "918A99309E4E40CD3D374DB5A37BB43DA60682FFD1D01CD1EBF" "9E90971FE16176DFFDA5867150FB83F271E4402ED52C1DF78F2" "BF52")); test_xof (&nettle_shake256, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("021F06C7138F663522BCD444E597C2B78F4C8369C88747A1550" "80005E09A68C6A73C4F8D1C7C088D3CDA2B48F310D5371F336B" "C261697542028D48FF92523DD78C100CD858FC5FD1F49181424" "47E11281881D9C22680800DAC76D690444458D53E35D263B2E0" "81F470C9E8577565EF7F8C530F78AEF2039A0B253A28E29E6C3" "0FD26FFF9677E65121B5175822D0942D0DBBA9F764514FB9363" "69F74324E8F950BFCC192A30921F04552245EE79CBFA319063E" "4DEC133E10EC6B02002FA61EBC288B8404DE81D9A513FA7FE6D" "B2C61BC4ADA6DFDDB4B49B5CAEE1D7CCF5BA6F40A39AF92EA26" "222850D4F4FA9079F79365806440B89663C705A247629C8E28E" "77FD17D39ACB37BDA2DEF7847C12D7F180A67BC788795D6AE91" "87E6AEDF164E282C1E76322A8F38856C6D95460977FE8F6A760" "F49111400467E7E0EAA5AD7E9C5F9A17B462CC8B45F308CBA67" "71CAB434F407CA6CCA371A6C7313CAC055A13D5C79195DBD949" "A4FC9C176C26E6D5ECF343B199E478A25DDA55FEC4FD416E270" "8AF001BB8AC3773E7824BBAC1C0656953984B1109F1F95DB0AA" "DE0CB53BE77E88CA83A86563E1E87011E718FB3616BA3E54A2B" "F9DFF761A42EE1E809DD1A431C7A832442461DA90E7AD5FCD58" "1827BFB2C8FDB0A046F09D30773FBC1481DA0FBB92A6AFD073B" "A96811ACDEEEDAADAFCE7C70E4CE75421C85E9C1AFB270D120E" "186A")); test_xof (&nettle_shake256, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("DBC0350CCAAEE7F6E18576E435CAFC7CC65EBC81B27DA2F18A8" "88ADEE19418BF6F4D1B3088E5824BF663028A690354F4A953AE" "73CDCE6B095A835CD45ED5752D72E699ACF031529D73348218E" "AB5DD6F98D675E33880F6E79D0FB3A78E843F26E018F543872A" "313560F8024A6756013DB3AB13FB23661D33EF9520EA60A0467" "5454B5F3069230447000ED2A879A1B342F560A8AD2F37AFAA80" "668E90001D315BA266D03152E714434FB0F52E287A235EF5DC4" "252AABC8722B6920A069C98F69C64BFC31B1E13D01DD0052440" "1D4F8494111137EE283EFE82C2215FEA54304C3297E6A1A88E4" "6F000084AD090551A994308165AA2D0D96585DD4C826554CE80" "D3C00344140D4387322650F857350812C6C4E660D2E3EE5DEC7" "3D27A6455D6170569FB0F56313A561BC6FD1BB6FC11BC6A830F" "32847050EAC3451E153C00BDAB83D8CEF319894DB18DD80F111" "2E560E2353DE9C2DB6BFD428327AABA644C218FABF3D75CC42B" "3773DB2113D037588AF31F1B1F21D076F285F1F5CAFE5312E7C" "2FCA07AF2E6FE3651AEFA91BEA2740AFD1C2AC77EF03BBCCEA3" "6940AA9A7D733289F9575E9E14617AAE7402DD7847114C75EB4" "432FFC2D3D0BD56117F9286609DC91E9CA63E1E064F09F2653B" "A905CB12C8AB6D7772203B0AFE6332C4E9F73BA4B652FF16E97" "59FB70AD5F548540C7ECF6C6DD7D17C5D2A9B45C548B7EC8819" "E8A5")); test_xof (&nettle_shake256, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("7AC057C0DDA89D3A001AB997F2E405B4C1D1906191C3A50399A" "9A49B2E01CB2C3D20DB6618A7AEC42F8143C580505145E60D6E" "1D4559FE3F46F5AA1373502EB0661A608C31839BC4D7FA44AD6" "586FBB53FBAD598C05B9443D6CAD708C8664079FB276947C4EF" "022C1BC7267B41C1764B249C8E7B347BF006DF1498E31CC9EF2" "558F96F7F7AE323D6A633E1BF23312C1E9E2146676730954648" "727B61A5DB507F1959250D49A52F9804668AB3A56ECB6C49EA7" "819D093E85A0A1335CCD4F54360466F7C37DF0F65CE52F7B396" "B49D39A3AAAA0FE33F053EA711351BFEC78A1E05F55954D7056" "B7380430B45275E2CF57AC13F7FE332B760D8BD793CE4F88613" "0C3E4581A5995F865DF2C68CB2FC01B558997A54AB8A684F5BD" "67855972CB3BD54A9620F71CFD3C9F0FF260B80CB14CFE4FA9D" "61583CFABB12BE42C4C64C85D1F26D3B0645AC60065F9E85C70" "883BE7F06B9376737F83313DEBECAAC3F1146B050F8B360A614" "B6C72EC91A3E44B196713F5754F1249F6DCEEBAEA8049FF32F3" "08513F9C0C2353C9814C0E67CAD64A1F332624490A39DF8F9BC" "FA61C315CF2563031429567334038F1D086BE0B9A4BADCD9C4A" "0840348BD476C00A7CDFD8862E80EB9A833BD2BB56D88CB55D3" "D064326B8FA084F92F3DC2D8CDFBA3E3A0E3EB9E44B1EFE0563" "BC7A75F9A736A87A89A15A6812110FE92ABF5B8F77EA88C2207" "517F")); test_xof (&nettle_shake256, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("F0C453711D0CE1B3A120BFAF25570E3E949207F575782FFBEB8" "A6600D7CAA9938D28EC6872D1FC914BF8BB02331C40728D3BE5" "31197694CE644DDD148D0EF54C077D56B6506A4A941B087A61D" "3D57B8AE53824DA8D8CF069D1CF5DF46E309108D74F318D38FE" "1968F1550AD7921D976ED5ABC60953E4FD073A3AE7FA378A105" "E0FC3BCCB3CE3469A536EFA3F9E5C8590F19EC7E8708AF92A9C" "A35CAEC1743F2284DA30E613AFB371507EC61C5574771BD7436" "583415D8E4406EF39150E50CBE233A781E8867639DD491B1F53" "217FDE1FC5B93671C1B6931E07966DE705D162F14EF3C95E67C" "40AB1C0841380F9A9165C5222477FEB97E9A3C88104D7CEE9B3" "EC6876A0ECF0198D258B9E308083B826F32FEE17E2A59FC2004" "6CA815FE0955CA88A81FB56A7C90BC922136AB0B3F3E034B626" "34FC830837F2DFD86798A11B335D5FBA27398E5023CDE6F1340" "241509E92C6A4B298B3BD330ECB2012B8F95DEDF67B68D5309F" "A1AC9DB856561D6E81666A49AADE4DE719E1A4B519AECE0BD49" "41A36492E0B79CB7EFEFADF4EDC6A344C4B0640A17F0E7F70E9" "0E77DDE40A82457DCD58658316B4B9378BF058B05AE39D0C750" "692B92BB2D16B5F43200DEF81CCC61B2A26CCE991BF939534D6" "1592328BFBA68AA8C9F51F3A04466759D7D1B966789FCBA85EE" "120C66A8F3C308E6A1533220E4A38C21DDAA4B2FC51FB49F59C" "84B3")); test_xof (&nettle_shake256, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("23F75EDBCD5D5F329F01E45502B66995CFB9A5F0748E9E1BCB3" "44B639873BBA79D21EF36B8CC1BD8A2357D8DFBF3C32BA6C0C2" "E8936FB968389D8D1388C20B9F572BF9CEF93891C643D672C86" "55BD67ECC3D0EC9452C6D1A0789AD3C734B926188E4A1B3D684" "F14C0A5D9E72CD2A10C5CFA8BEDC0BA5F3AC6B5150A256F2B94" "5586981F8092E0827294FB846986D3885F38BC6F945B900EBB5" "46094E29FACDEAB1BDC1D7FE1C6C83E562D09E08319E2BCA1F3" "EBD4A82B9ECBD8E6B38906D861E2E0704EE4F55DED4E7A74F18" "8210EE439183E80DFA8795A1F75F0EFD49A4FCEFEB97F187360" "69BCA02273FF542ADBB6EEC13128F1D74C87D6C6B45726F62EA" "57ED49321BE6FA516B1AA2349B3C85A5F971C4E15715BADEAFD" "2E8A217D1188129CF49A54FD85803EBB361D73F0D8D0A7D557D" "0E17C8D83C27DDCE473908A1CF9ECF0F8085E77FDA3DC89C826" "09A647E25FFA8D2FC86194B2A793C7B32B4C893115EAB9A7040" "85047F9225A29236C6188F017AD4972661C796A3258ED494935" "33BEF9A59A27DCBCF614AEAAF20BEF156AD261BFA23FBEE2D84" "D76AF0E721739AF02DF710D020CB80E895BF20685D3AE61DECA" "82D34206351870AABBCE23CDA3567DC1AFFEF9319BB1A212D52" "BAAD92D069A332BD020420FD34E6FB6F97102C9AF3C877ABD9A" "790BDAB7E7940B1CC01702D2E4CEEA1A3A2F20E3B4027BDDC6E" "2FE0")); test_xof (&nettle_shake256, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("0AF273F2384078BF8BECF3731049A763753EDB89CA1AE2BA03B" "82EF5DDE8C5E23E692982C524035D406DBAD8FB897AF5D7DB96" "1652A0D6F5C18D71EF1F1A541D0A29085AAA1D26D2C4366DA7E" "41781C34FA40A3FC7E9132C3F0CFFFF267E2BC771DD29266E2C" "649A94F3F15FBC71A561968E0A755D4D0AC7540B9E674539AA4" "D15D2FE81AE969EE492CE89104F994C6201EAB2F6A726D9AB88" "479E324789BFD003EABC2944C43BC061C1E24B7DDFE1C980F65" "DD598C33942482475F4D717DEAE78BA3D8A7A887120D9A814D5" "81BE9D593422AB033A1776C3C7A6DA30D4D83E8E120AC733303" "C401B68D1CA76B2A20AF4FF0FE49780E25B43850D495BA91AA7" "27DBE6E28B677C8C7DDABFEBCFAAF67B8ECD8BE1B459BDD68B4" "29E7B25B6B0A02DD2BF0ACEFC5CBCFE5CD07C814E3266027EAE" "612C39077C810E766A872A79D68BC8FE8EDFA04CE2C80325C2F" "EB03B5C838425860B24A6BB2D91BFA5F67102A3F6ACD3DD6C93" "37BDE3E94699F3B3431D8293F793886238228BDDF4B38F229FE" "244ABE471B16A1BCC73BB7BAE6A93788DE0D349CB75729D422A" "FB32CAECCEFFC42B7BD0694B154286F4CDA4517534D0C2FA7B9" "8E72AEF0E2B8D8E0BB6A5FA82EB802C27511256C1352B20D2E5" "9D0D3D63FF5EC33670FA27CA69D2F586826D3A1EA098CD9CCA9" "231E74B91E999EFDA12F63FA8076A44894B40840FDBC4D25DFE" "1CF7")); test_xof (&nettle_shake256, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("7FC1F7FC27223766C8F4310087A3C54A5A8AA061EB20D367194" "243BB62C7D90099684BBF368CB6BB71802C62C9F3258992C0C9" "79557622A5FB15CA0E50A26891E73790EA3DF4859829B4F683C" "7F5C2DB0FE08ECF76B9D4E897AB80530D9F1D1242B42170C198" "C7852566DFADAC5740D61A52C4882F46E29AFE2C7335C5A1157" "E5B93610D0A8E4529D8473330547EFE22DD9757503C7A67ADA4" "E9B2CEAB8AC5B383F2D6170D6D6A17C03EA9F9B9399FD6C1CBA" "624E7911DEE9892B31D463B3A44946FBF246D773629EA484CD2" "0B03D8AC428BC8AE87CC8182D96F8D220A7312DDBF191F45849" "3769691E7585CCD740C30FE7D63101023867C9A3F02D999BC0A" "D653B71DC9A611BE56A44D4DF2DBDE402A0B7B6D7644B5754D5" "0DC81F59FB17F7C38E62427A844DB406846BC74DAE737E24FF8" "06505C5C4351A54AA920CAD01DDD8A5960AE143F476608A6DB6" "168FD5D72453EA010B1139417277E6C5116D1D32008A40CB300" "6FB65EE9D4F5F9AAB1648B3990F5B9DD338836460075B8BC504" "B4DD2FC04EC57DBC63D32CA39C07EC7C2348A459FDE1533B30F" "496F84502367BE809D0AB0C6E86474EB2D7A3A4CE29CC8D0ECF" "B87B4662FDD789A99034A64C5B40F763D098888FB32346EB644" "C28FD6BD6BB62E0D5AADAFFEF0BF0BDB801A809F76D79B84606" "183067B5056528CFFF3ABA4F0EC0DC926FFCFC2377035C8B5F1" "0D57")); test_xof (&nettle_shake256, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("1BDC443B8F1E6A47C575A1158C00EC9E69048BE22AC067CDC12" "33171A69E773B6319B0BFE0281F0CABB4DA1F75C583320A96A6" "2FE8DDF10D0C3F7871023562177E827FE0B58A02D38C5A4903B" "7CD8B0CA80012238372DC5DDA701A4287D071FA2B29771F7054" "8CE43ACB0F2E5A49313FC76EBAFE8B75E121F0294E417323EC9" "BCA9FAFFA81FED2AA775AA2D2C641D7BE624EA861BD5C24CCFD" "AC1FFDFAC4627C3985A41EE5EB57E229E1A1B9312C6FDA42916" "05D26BA4401EF106DFB5BEFA7DEB27500F11A09617E8CFFBD39" "AE95D9EEE736EBA41AE469988947A863FF6BFEEA212EEA29297" "025F96453DC3AD935E75F12C5A7F0E6C12213BD7BE910D70EB9" "78624843CA772959B5918E29AA377A7B4413946A97E546A9A05" "BF107C881C9499B9E907A667CCD1B3C64D674E3A5796EC33F6D" "6E4A2AE7D114D744BEE7729773A627C063133AEEEC4757F999E" "A7F01298A783C32934D29FEE45E2048322AA3FBAF20F9D70C1D" "8A0183A630E3E73CB2EB1C934DB4DC9101C949C46C1954D95A1" "7B7D362B87FC51BE9FE98FB76B19B7FE9D1D76104D3D49FA7F1" "CAFC252F2E4FF32C3CA43A23947EEDD4B88EA640E58DE625CB0" "A9E11212EC1FBB24BCCB39B06AC90973BBDD279578666E4D169" "290B0321C5B2197B6A5759FCCFD8CFA820ABA055F81F1030840" "F3BEF889E8ECFF87D0EE1C53DB99F67827710DD0CF59346F2CD" "53DB")); test_xof (&nettle_shake256, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("78FA82E4172CD8CF41CAD3D431E39EA0C6A88544402B5CAD9FF" "3D8CD6DC8890260D989AEE087DAB49C092A94975EE3D5B8706D" "0F1F522E5AC350306B01B4B19A81377667B20C201241315C3C0" "5A9F7484EBB70E79588EEAD5D9BEBE5ACC3E226B807B46192D6" "4A2CB886E4B811817CF7F219934C57D5DC2D00E3EE234B579B6" "B6E2D5346D3876CDB3752624E65434E88D55E1284297CAE6249" "95B1B37671B89C57E876FB361ED8AC6345693D82BDEBE00AC37" "DE6617239205AEF566C1619F406F4CB1C9777AF2C07F693E35E" "4289ACBD91C59F067C502446F21CA1602D10CB1D78D18DCB043" "C4B4E06972178BAB4C90062342FF3646CEC8120A5CD14E19715" "F66EC6F619DA0EDBF1C9D9BADA80F0BB210F09476085CDF3832" "06FCDEB987623CD69D591F301D8DB94018EA3F90B8F067C3E14" "7771F148A60B440CA6BE7A1943F544375D50D45DB2BAF339441" "90F19446F7A1F04F7E45D59B9548E01EAF6E4D6D525B37A6576" "9D280DB6DB391F27A9D84E4D97C7CE0AFCA3BCCA7A97636FF37" "56C6CBA855DD5C625574277ECA6A2195027705827C0E4FF945A" "A57E25EFBB65F5128D312145C5A8DA0A4D46D805C3F6ACFFB15" "1B0484EF811770BDD87935CDDE0444276CC8B64E84B877A31D8" "17E95963F3621AFE6FCE57D94D50771F91CD0AB1BC61DD97BCF" "03EBCBC2C2EC687B705A2BCC5D0DEB20CBE6459644D14633C65" "B256")); test_xof (&nettle_shake256, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("414EADC6832F91A04B7700E668AA487E63DB05151E29EF1718C" "7D9F4C6EDD1C88B05910F23D8A854B94C7156C421126272EDB7" "3A6E158350EC7A39980DA19316346D1F330C3FB987D7B4C46B6" "469B7A59EB6B1649BBB7BC0E074C00A152517624F22A4A58800" "447E7505D55F687F08FB939D1AA6DF8E73BAC6CE88467B30976" "150636146526031BAC9F6667AA71516F9C5F70E502D7D18868F" "6DD359D8D026A040AF3CAB533EA5A95DD7CB2006552796C5E1E" "B2C3B46DBD9F2481F1B428CFDD1287299E7C7129B377E3954AE" "0EE96F955B7F0354610B84652705A0594C045C3CDBD1B564BEC" "43FDB5928B905023B1BA41B448E39E649C0B65CABE745C1DABE" "9352D05F165BBED160DC2C52794C5D0F07D1E18F47CB94F2F97" "190944BE08C4BAE53755B30D062B3D697575AD56FD4C75ED40C" "F7C239941F7B052500EE5CA7CEDAA9190988F47A21216E907A6" "3C795D2292CE926D541F331CBFFA9F16516D54999DFC9911310" "CF564D8F1F00B92BD9FAC0AAC99A951EAE3175AD20558E8B934" "E05FF58351056466A61EC5CF4F11A01E3FE0CD6EA280E278388" "99BCAF7FBD8CD4308098E2EE71A4E9EC258D03118F0BC4619C6" "6E52F35F1AAD2378D82BDA8ADB750313705D41263CF2FDEBA1A" "D5E025FC76DC620CDC3B684ECDE0283F9A7D69A8463B58F4AC7" "F5B1E2F3F580CA7F4188F32706D722BE4543E8E0942B3169603" "49B3")); test_xof (&nettle_shake256, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("0CF9AA0F0478443DF90BEDFC2457009F3E58B06EFB22D1F282D" "A4A2320623A250D584F27E2D45F708DA667A9BCC26E35C19C55" "B16A993AE9D98948FF2366D8A0AA06915EE5712D137D46D48C5" "36DB9A25BDF88F99A941683E342B5541AE481B1BA6A889B7ACB" "E9A6593C53349C1B7D6FC8FC66627A2FAF7811C0F0A49D90424" "6B95E9B668E8BB25D521F0905841B7B2AC64B2E359FB48FF29D" "7A314B1D2E7E01B0D210986664C249DC711346449FC77BAEE4D" "F54344CC18A816AD9C980BD0D9D01C4AD4EF0C702CFD8780510" "3910E81CD3F6CF4D13D1398E755E5470E23ACCA6B510CA59FFA" "0B523A9D7FF7A5D85FBAEB3E5A9C11D947AC5FDAC04B0B77E4A" "E7943F696849DF0FF931E2300CB099F0DEF86D835A8AF4B53FC" "6C3D38BA33158A1F95690E8C5560C060B0E48783AF1E2001BB0" "4CB4399CD27280715AA0EDA7AE754B8A13F84916B003F87DCEE" "BAB5938FC4342167EFAA2A889C48CF92F6892BD9BA41B61CD1B" "3BF94D612C2ED603687DE8644613605FE9F066E4FCD8FF75DA8" "FBC9C63C37D1828C173BC4AC668AACD20AB1E3F449A7BC4F4EF" "0A6AB8D5B0A70CC2D706B6C6821771DEAD7CB29F2332F4292DF" "7E397BDEE393D57B06A1AAD3DA51CB8F1D11E43D2FDBE72F69F" "951D0FD9217F4462CBE5C701FFF1025515829CEBBAED488FC26" "798BEE9AD6CE88F33029061A588E177BC1CBB24EB393481F3B6" "1616")); test_xof (&nettle_shake256, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("2B8F5423A417D9B827D98AC1D21EB7C1CDF4348F28FF08B6F06" "389E4CC2311C5721509A5888DF03F7F4B94D42CB66F3B885EA8" "B130934A1025220769D1C352F72D378F3A63CEA1E762ACEA574" "66C3AF188772872C16D889F06BF0AA321170FC1AA842B413BFF" "9FA32FC1E060F868A370434C99FE586E8DF4C6DF1D167912F35" "E7BB983D668225DFE5A00241A1050702A5CEF8CB5EC957B779D" "6CA1C9F6858ACEB4E927E104A1DC59C5E90B31F4A6E27623B46" "D40D472D6D4B6EA6CE8BA4721A5A765DE104C4ED808B4EBD73D" "60A56363727CE0273710E63FB8A2D565C49823823F7B001E44C" "8571B885AAC4E14F8651CC95C11EDB3599BD85989C931F866B7" "C63F80EFF135DB2FE1B17D5DFF147959606FACA0FE22E5BFC88" "D43F6057DB91EB0AD0C5491B66B2EC9B20EA01E215F40922F41" "ED4ED64616960272617F32D62F28897BA03C5A8657B1DD4ADBF" "0F8E53492998922A47BB2D7897502F8687C465C8A7615089062" "108D70164677E11E1F63917A4F230E8C577346F880B7B8ECD06" "40D10622131731CF447662AFEBBB230C902B28D8445C5F3EA03" "1AE7AF04F5B22D3AE7CE58C6CB4EC4158DCA5266AF0C50F609B" "12C5F4527F836F8804777BD6C80F5D7D9B0F317CB5A663D3B7F" "3225361EA81415CD5AF56BF24629D511A80ECD169AAF9558AF4" "87D46A569495A70C76CFE83462733BF58B2A7C78A7EA1FD0561" "1DDF")); test_xof (&nettle_shake256, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("C52001EE31F26ADB120EAD7699EE35AC178D71FB5B073129955" "2B57DF2A4F521A021CC56D54F2B43D18D7726FA977FEC221F68" "19B5B7F933BEE2EC643B67E16BCC26A7DC1BB1DA3B40F2FE026" "45CF5BDF3140E89ABACE926E710ABF0F07205291A336187AAEC" "AD9371DA35867EE8D8845E09FB47269ED94D04B47A3B6C460BF" "419F13AD2F65D63824805ED264AFFCA9E7EC9774C4E36695806" "86C0A02ECCD98277365940F4CBEA5DD5B0BC84F981C16FA6CF2" "D6F1A292EC956C7D0714C6895E96A7C884173E662CE5DB1018F" "B512CE773ED4752CFABF9045269922D11718C572A94ACCA1EDC" "04CE16D533B064B416684D921D46A8F2859E7D09660F620DAFC" "C232029A20886A552D29CCC30509A3941847244609911CA6C59" "6E2FD915FA8BE37D7EB41D403043683AE9C74DC7D6F4770086C" "F8C6E101E989FD6A5C60E34183C4EF08EA869FE2AF0FE5EF701" "A6A64EE0D0F813A14E574D504E219292C103469F9A11DE75083" "2C2BDE0261475856D5C9FB4727CA49EA81908A1F7FAA20248C7" "39179CC09D93E4901ED63F14A57B20EF9190176A27BC07F912C" "C62DD1328B032B893642118EF3426B1A8B95A0E36FCB8A77570" "25606E9E485B56E84D0E691234E072AD64FB8E836118634074F" "D8362405DBEC4D8AA12E9E84068EE3B29B7F573CE1B52649CA0" "DC1F758C1D4F5E2B72A861D6326F01084B6B49E478FB4CD8EE9" "2750")); test_xof (&nettle_shake256, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("386C3B1A524F2EC39C33FB31CDD3981FDD57F1E33D04FAC5482" "8C54F42EF763856B72202799D4CDF4AECF073B8B9EAC39F0F69" "54545BF60DD55CE2FAB4558DECD7E1A5A40B87A293D35394DA6" "4A4F606956213326FF4D8849A3F19781AFA9DBC0AD0E0BED551" "164275D4FC11638AF3ACF95C86994C27AB72F0E5EE366CA8EF3" "9C000661BDDF23551AA368F347B4526474496CE14C30503C251" "3501404987446A193DAE20C4B384D0D9926814BAAA863320946" "B9759C7BF1BC890F88826DA59E028F641CFDF7223DB20B34B63" "89B048CBB85C4A0E4E84DC5C5241D2DAEAA82E9092ED266971F" "D185D3B661971160C05C4B42BA8E1E8E31FE588C0BAA81A2BF2" "017B1E0B99BC360FAF13315CE88CE653C20BBCFAAA8ED013EB8" "9FA5DA39FC49D99E3C050E622122B7E393BD933B72C5392B165" "E60538BB6E29DE30A5947053D4A23038AAEFB13DB8BA4FB3B1A" "65B474D94E4CF985B2402BF22CA7FB723DCDD83BA875DF3C603" "50886CAB6A1BD02FAB32F1DCA0CCD879B351196E1F8BCC3531A" "C653604932B69E7365B8B61E557585B7A836379D0229844F6B5" "D2C4F31A6BA2CF4A2585B7153C6005D10526DBC144189B0747C" "BE58EDF2F4FFCA80FF99A4BD7C8CCE3BCAC36AA5D0D7DC2B231" "A5B888198AD71042CDA93C5AEF246CF3FBE7A663FE60BC04CEC" "70480CC2D83C847371FF5347A93D54059926B6B8F52CE6AFD2E" "5630")); test_xof (&nettle_shake256, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("6BB18C45BE71508441EE815061ED782F4BB5ACF5393BC9BB825" "FC79CAD025C6D970D615F4285185696CE226969D5E06E1643F8" "BA93F5617AFB096ABF46DE2EE7D32BBAA335628C41F1FF30841" "8556C51E6DA30639BA5DA36A14976DFDC013551F632133723AA" "9555B8B11BF0594457A6B288B01185927A48412019E58621806" "FAA968CA26366B884C428607D2D6FE9E8924E6D8D769A7D2DE9" "0195AB6DEE4896ABAC3119FD15EE61251FCAB1D3858527E2E6E" "1B8EC05BF8659EA345E519CADEDD779E40D2508BC6EAC6FB531" "DE15CF7F3478A4288DF556D4B6C9DDC5F1B6071FEDF3C4F9A96" "0B18F8301064B4F83620F2402614C600EA80FB2B24BB9B8B777" "BBA3010AC1FBE61AE18BFFF9502F66111B8CA1E0DF671C311A6" "F11697DD8C245C4B946B8DB03D6C07EF14C45CFFC328E6C1294" "8D4137D6803469E996C1D84C3C1DBB8CFCE592217155DC8F9E1" "E558CB58693620F57F5F81578F060B23A1A75ABE8010FC53852" "4DC1B5543D84F5F28CDE4AA509B8A034522F2F61F8E3A683EAD" "34ECE04EE84663475D65D6DB75CD6FBE011D6F1994D76BE3566" "04D93311CD0410D3B022FC328CC850D7BCC1BB96AE45E8B4C9E" "53904FD8BB8B0FA1D8AAB9BBEBBA0724DBA6A2C71F28AD705FB" "E6BFD958FE493AC47D70A1C4B3BD738C519558DF9F66130C688" "31A7D748B7B382023810865CD9989735E25186690FA187E8E24" "B77B")); test_xof (&nettle_shake256, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("51F3DE30531335B02C0A8CDA5285FBEF9AF618E433142E9E971" "3388602B0486A99707BE420AEAB53DCFACA68CC6CC6A3133075" "A518D2EB1C500F0AC2E0B8A91D3303594BB38FFC45B80AFB8E2" "5C4304A85280E6124891E739FC9DF8E34ABD9262DCB4330C2C0" "F22E78447B3FA67677ACC1F3D8E836EEA94AEA4D616132650C9" "288804C3CCA5F1C0139624E198643D52C42960052FBBCF89AF0" "0D58600A9597BD12A39A33AECEEB161EE527398BD915ABF6427" "46E4C965A77E916E700CA905CB70222A3A8B8C5DE3ACF75A9A0" "065681497F27AEE6B1F4402EA711CE6B24592BC637F83BAF912" "D3E10E0A7E03CE9314FB264E5FFDC3564307362837C28AFBE2C" "94BD89AD3CD4A48C1A2EC38090C38E6CB4174149CF0D5841049" "C1D7DDA1E51DF8F3216CAA119A9E3229CAA062039EB165F4D5D" "E68FCB76ED32F1E191166BE83CB6384FEC4528588D8A3188A9D" "A7BC1F5DE68C42D9E2934CC1010DC535EC87804810C009982BE" "6646B3C50DCAB7EAF4DC7786503F29EB3F1558A7341E49348F7" "3479A2D3EE6B8AC076BF5AD17375D81F9E4DBB365B2489F17C4" "0B9A4CC10F6DE034B4B81A3D4F81475BABB9581C4BFEE62C562" "6FC436983570D5C6144FDD5A55E1898919A8BE4CE3780FB2548" "32CCA90F988004D12039A947502216651775160D987DF82F432" "75FC7B8A308C63DB7C28959AD9D8E6D27A5A551E685B6639744" "65D9")); test_xof (&nettle_shake256, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("41143CE195B170FC23ED53D7AE8CA61F397CDBB72F261750A7B" "D26CFF56212AC7BB1B18D002493F418185ACC703DF4417F44B9" "3F4A7684D3D68F8F042A73C3841B6B5FA0079163D4881C39BCE" "CAA548A50237E3F8DF20F986552978ADA9C4EB2E57062DB8D91" "564BA4EB96503B932B5FBE3D88EFABF452A03EECE5B3E78492D" "C555ECC95714A1C5C1B201CB42E10852C9A5FE101ECD53FC6AC" "D7E1D0D6EFECF81BA76582E6E9CF80E70E52C0384EE05978A31" "234DDD1C2D501DEC0BF1F26706F1C6AF4A6DCFE1E7245D7BFBB" "96DA619EF27B4CD67527BD6B5117E4E55297B9474A5BCD251F0" "F17B10F196CFA95ED3CE61458ACC55CC2BA83904796AADD71E9" "78D4615E6588954F7D48B1BC705B497E073DFE2ABD5224792EC" "A6C09D611C311C544BB332B2C9D144D24950F3A27857B9F9AD1" "DB4DFB9AEF65BCE2C224EE9FE9785593CC9CC74D076BB5DC575" "B4EA65FA59A6DFCE634EF83072CBBABC5AAA53AEF5CB4D2C19A" "613D0054EDA3954BE7E649C2C38CFA9F7746941E2B77DEB63E6" "2A9FFEC59D15329CD7D02FCE7006406F3119CF579E1F6F0A1F4" "FC74C7031894D240B5BCC9A7306754AF9B43DF80005C7B62F88" "5574AE9C44B90D5CFB93990CAB41FC3E9962CD0F8047CA1AEB1" "399FAAFC6D6FCCF66B2F02CFB9532899CCE1AA8E822EE9498A6" "7C3972407DFE98969F9DF9CE328A4B9A1DAE1651BAFB32AE29B" "F666")); test_xof (&nettle_shake256, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("1B0D344DE5A414960E67D684D301901D8E89C25EBDF7494DB9A" "1FFED44E5D688207F4533CADD09FC8BD428FDC3592959E90956" "13BD808797BFEF5130FBFCC1FC72B58D93BC4A291284115D5EB" "47911FBC0A4AA5875AA2B6EE1E1BCB296507183AA5399AE8192" "EC6AE579D9AD172F72F5A1957BA10B0FA4E9666FEE9611B0487" "30275A0F4D6D48F98D860939936C9B41D1AF5D729B11C930853" "46D8769C141B81FED9F17FD85C0197380482483C5F45B3D8BEA" "2C2E90EEF2EB489B6986A891BC0F29EE7E2943355E4223C2414" "27C49D7A897C956323ED10B074132449FB6371A9BFFDAB8D113" "282016AF1F7E8E26807A0B0B4809BC035BAE86F476F7FFE002B" "BE7E30B4C06B00E712F1D54E954D59AF083DA123034E73B9854" "B45E9BC2EFBBB7282743DC5942BF372D94432379EBEA4A65699" "7088004A5C2AEFD6A4CE6FE94C2A06C8A0446495DF224269E31" "0F1DC184DD37ECE4EE46038369C031FF90AD3787331AB6BB1CB" "AAB7A0194FBA947FC6485B371A684E7E1CCF4E9F4D272158A36" "B559451E48095B3C09328DBB52C7659C7E163504587962D87A5" "E60BB3C4868CEBC204238FA08B97AF71DE9ABE7F409AD0D2945" "5E1CE59433685EFEAAECCBE01462B1760FE25BACE44CFA6E1B5" "C28DCA00790D96D2B6FAE377CE4BAC7CE64A97AF68EE913C331" "07E4A62EFD4CC752DADB23877B54795A43A7AF8593E085480F9" "B43C")); test_xof (&nettle_shake256, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("69271E30637CE53639A9A80582F8E9D91E0A19AF1C25A4E316A" "4ACBFC4534D7B6DB55BBDEA37F2526E5CA0407D0A39D06E2AFB" "6538C125B3390A860E033378440419FF91634BCA42EEC9AD80E" "55E65D43147358146038C9BAEBAB808C1A9B2D796BF22BAAA54" "D92298212E7101E56D1A0A229CBCF9E08791C6BD464EB997164" "502445C2993B1D2A6AC4242D1F4108C2AE4DBF48FC403FB8F35" "3C5CA3EDC09C5D4993048962D1DDB474928BFEE27DF6AF8BEAE" "B264EDD09DB4950AC5E12561751BD3ABC41C9A81F6C5C339AA9" "F7266CB4A28EE26F29571A7F4C9B350974BEB0AAAD642D9934E" "9EFF77ED136BF825A845041B9C01F0559BB1987FD6FC951322E" "4A4B4EE50C7A7CC43324391603D689BD19ADA54982E03A2BD12" "610A09BD076C0C3F6D6E0CA348110D8DC5DAA5C842198AC5EC9" "2A79099ADEA1FDA0DF0B35E8871373B312D61554391DBC9E1C5" "F9007C9D3799C24DC4A0894E175706DF7D04EB2D69D90BAB571" "17E04B681FB24945F3BA3DD7F1912171556464500D4FBB90840" "08A79EAC50D8BF59163AFBA8E0F1E5F82E15255398F62890C95" "21A0571813210FCCB582818A6D1747A31822DB55C4B6BF15A19" "076B7D6349873C88E86BD87D08E0058A212780C86915CA559E5" "81EC3DC7D5BFAB9C5403661F09484F908DFB2D98B65F8543FB3" "F102C2C5D0B89B15E565E9B04E07F7141E35102BDB056801100" "B160")); test_xof (&nettle_shake256, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("2730675F5F4DB76D342EAE88CF856B370982277E24A1F95E071" "EB0C28D6655D9517CBA67DDE32BA6A4A322D37AD4A4EEF90A60" "E2FE3A568417BE75432F57964BB1DD7A5A165C24F38F4085CC4" "551C35BD0E2663198DF04EE86803D75EE5ECBB14D7BA6166934" "32B0FFC83F27E82016D7E3436C2384D1A7AB87E4CE758A5A83A" "4FD63831D6F88E4E80D1CD257ED4B418FE1BB498004D1CE8CDA" "CEDE429A53F06EB77D0A6AB47BEEAEE12FEBEB07D434E26A719" "57E55F4F3284BA0F8157DE3F1C8E0E4874DB4E65E5243982BFD" "57A9E70D18BE390834A9C3791E6AB6341739A963A946E1DA81A" "4D9B3722BAC231191EAA013E424C2B965967AE986D50426D983" "0E92499E0808FD6EA92A8A1054F93A0F84C11BF417DE01A7B0B" "A5890172BCAABB3D2CC23853822960E666558B2B4695F38A22B" "576757C0A1A84437E7B627989A4053B14954ECA09DF2221D6C6" "E88654EEA2A741DF3BBD6EF2A8C463D797222E72DE8E44C8C6F" "2FEB44E3D2310ECBB139AAF3FE2C4B2BC9D7142C0291BF9FC97" "71178A484417202DC721876800E010E53F1972E3630B5DCE021" "6351E687552AF2FABA699A4E3E0C5385D80DC367FD0D07258DD" "59A6BA5D2E0FFAE60A5E0C48243794913CACDFC14D20001CD9A" "097A9CC57D313006E0B8945ADE9791812B63E98A291CB009E89" "9DFCC7BDF9F58F3866F6C33AE77718081A517720C34DAEEFA52" "7641")); test_xof (&nettle_shake256, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("DF6FD8F4E768031B0CE25C199F02EC29053EA8200B7EB306E80" "2C8DF23CB213CFA06C37630A3B14570968948C5269A67706225" "27C87D432098F0CBCCB733A5D28B035CADA562BD0FCC032D2F4" "5DB8D2C948FB341AC2B0C5C699C62BAB551553099E8A21518AF" "F800C8ED42B44DE7C30F29E691C1435CE72CB67060307D1B1C3" "8192FE198AD3D20E9E12A8C9529F8A134A0CCAC8DE552AF3FC0" "5D48FE2E3ED1DE5ADFA0B7C324320E262232A14D3A7163A0498" "0CFBF087BEC24E356DFD8AE4DE9B0620BFFD1FF904E58B39085" "22AC13D1D541F662D95008B1F8C52DA67829B7CD208BC9B8A3B" "6927E575BFBF7E29F1CAD832D9D01ED41E5512ACE419B92F71F" "A0CF5F79E33016D5E19EEFF561C94827584623118EA367D768B" "C24927C92FC19999FEFF28E3A09D2F266B28433CDCD51589571" "1FC081F8B1D143323B680E8B7469EB0FDD467143C292C8D822C" "C16111E9AB2A0C9EAD40B2867303686FF4B9BB4DEC4C8B552E3" "796CD91443AF8C4542897769EADEAEA39A366E91D65E92F06CD" "6554A1F6CA905996F5F62CFD559D1B300D912E6FF9166853488" "0E6A8C414FAD3C107A180BE3E0BBF4F33CDA343032D01C98C63" "20F6DE582DAB7B15FDD6E75AC3AC7FD079B191233D872AB351A" "E1A56F0A4CCA8D0215CA1FD5F9C45EE171F4BC72D18E78ED6D9" "D651E40AA77522F6E3451995FBC3207FC0F30D1B39EE836F937" "1A36")); test_xof (&nettle_shake256, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("3C891240ED9F62F45658B5C1D3E4D77975E45CFB10C45513927" "EA9D911B3E41414DC0EEA38C8A6868A9E0AF20F96BAC833C1DA" "F71D0BFEABF41B8C26C011495F8DEC94D72ACB5C5C9ABB1C372" "F8B779BE741C860E722A0F85CAAC3D21C6C9EBE61C6489FF558" "1ADF5650B6416E0E88A889CA60CC641052D601D491057BEF36B" "4DC3B5B76BAF0DE4E7248A40D9BE6D55A7E8C26663828D08495" "DB33F94ACC7E7E49A7A61F352816D8C4C0E23F36540418AE6DC" "009FAB33C945C6E48ED60BC466478788002220DA9A5560425A6" "162AA03AFD5700CEBFAE439D20A85F2CB826CC8814940F2CF25" "E34754D8DF03DE448FD1D1AB38BBC2B1577BB1BC39DA7B91B7E" "63F78C5F43A875C427BB110E0D5FF07E004AC9D810D333300A2" "778A06369B7CD684AC86AEBC97D7B9C09442C35E66925BB0E4C" "04C5B3D11267F0F3812A5BEE8E18653D98B6B586D5735D4D3C9" "2E3B76DB5BE509AB32060E954D97FC8B6A428509EA98E4F8210" "F42DB3229E07E1EEDA684B47911556A8C34FB0DCC0998A781FB" "CA574FA891C24B35251C9D0D8429763468CBF0214B2D1EC94AB" "3FAE82E57C748122531C615BDBD4CDA56ABF319D6EAFF738BDA" "7683BA4CDD78737941DCAC4FC45E379BD6512EAB6D14C4F3D57" "48A3CF45713792D314F81F1D1F5ACED67A0A9AA026433F32053" "0632E5F72122B63ACF01F2BCCDA9BD4FC579E6DDC1371DFCBF7" "347B")); test_xof (&nettle_shake256, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("201561B1D68F1AFB93098777B7D95E56B790194F45057B3B50F" "08EA89436E54BAC9A5E945BD1CBB51ACFBB0D61E539D1B3E896" "A1BC1426C1FA408B5D16D706457C35E3D67377AB2817127A852" "DA463FE06D2EFDD25016521F19B8D5E54014A54E297014230C8" "1C917A983FE4429B47F6A460FCC4AA5A4E1E322CF74A9DAFD30" "D313D2C0F9EBD1A8468A300F12E6CDC0E971BB7BFF172593C7D" "B286F467899B9A23ED3E222BD6124CB9C4FE2AFAC157CF81FF0" "98F021B95F1069D7609963621C368AFD3EEAF84A17F1469AEED" "DAEC2DB5BFFFBCC39A73AA2A62578775100A92AD74DDCE3A0DC" "B27A740A6E7C0F4C3E36E4AE55B04F04CB7D9527176BCD94DF3" "B884FD4CC2EAD608CAA016EDA2E2232D0AF888A3ADD12CDE0D8" "488650EC6047199842056744B77FA806BBBB96A47ED253192D4" "6B47D828EEDB9DC0CB38D576735E870826F829D76F58CA7F3A8" "0FCAEA1CAC1BC38A6339C307F23DC25E3231094211FC867B0F0" "BD9D1584FBFF5A52EC3B5624DC814208E484B5D069B78A577EC" "CC017FEDBBD139C13B50B395AD16CC551430229B56B4D75A145" "88A765728774CC234D1DC46F0E64E7845CF237330C3D2422CDE" "F5CB1D741741DA30F39D99035D7F7C49D6A3149D02DD061F853" "23D6E0054DB7395AB8FC496418B7770355B854FD36FC1DE72CE" "F330976C2FA6FC73469B71B80F5D9B5CAD008C38746A54578C3" "D195")); test_xof (&nettle_shake256, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("42A5915CC1DBAC56FF74825DB482AFB8752991EDD5B8F5D040F" "E45B30161C75178D5D56F8A6FE9B11A71E19D0EE241A656171E" "BD9501AA4B5F2CF0344FBD23EA5035D9A2C42FCFACB5F13D921" "2805F353932169A0628D015644ED450E8F8717A1901D5A21FD9" "F8360054946A29CA31DEBE683956FCC9F862BB5AB04F07AB11F" "751FC8D7CDB0FA9C616DF691794C6D26CC1A18A45847FEA7601" "7D57D9BD6BFD1E5CEA4C92604ACC860252DD0F53886C48D0187" "054BDFE1939A2E6D5C570A82C300A6553BEE5E107EE319435F0" "AD18B92552ED9B4FFFD472CC482DF76B6DAAE5432D17C247544" "4BB76CD79313CD14620C1D2B3487D91C25A47ADE446E1DEFA7C" "6D2C2ECA3163106F10EDA5779EA6C21F8D778C29CA3601FE5F4" "56B74DD08C7ECDE8FF599B26540624BAB26314453247A945612" "4F680E68CB91B8247E0E5A06CD366E46055F31712DCBA81B590" "FBA34C8E619C8F3EFD39D2B69CCC6C3D184FD058A9BED65148C" "E65680F31715373526C509EFF8DDF378A0127E1482809CA13A8" "34FB3A1B00231F6B69A8523F72EF580150A4805981F9B1A7488" "AC880BC4018105545707B85F24569E4F864C30E66E750AE2065" "BFCEAA2DB440250568C6909590AFAC5C1DF88D3E6F02D2B4D60" "9460A6BF76FF7994EB5F64B00831C849F7851A3E743DAED3866" "8FD1548B333A01568140B1DCAA00E180429EC6BFEF620B06C98" "DDAD")); test_xof (&nettle_shake256, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("BDA93EAFDEDDE22B029F4618B2135E9F7AFA583C8BAFC3B62CC" "667C4704CBCDD4AC6620361A0690AB8E857335C150C2D70FAC2" "C2F2D60D6472AE760C082775D54C8EEC450421D536B1A94A5DA" "5D803D951709A7F5BFFE63454306D7B229CCD3A89DBF9436C9C" "91C01A1D0964D86DE868B4FEAE6E3B88592A85E2BDC82CD5C52" "968C85F429B08A2E61E1FAAC0945606EC462EA7B2AF859609EA" "AE3025E43B4489F7B1274922FA72619B9EADE2F6C04D5863B03" "EF76189A81B9BED9A47BCC53501E96C2367067012036D07B95A" "C0604FB0E6A793881CD81D9577BF495FF769B72DC8B0D554CE7" "0FED81FD3AED5426525241924423A4B11391D3AB16C02577ADE" "31301960A579833C3FF5F9DC0EC068C3C92234B9DE3051B5833" "0AD87D0BB6F704B210E1C5A167684025AF9791757CB0DA0517E" "4A271C89AEEEEBE529609529B69E9A53C1631AB89AFA3D0FDC5" "82E923E5F2293903B75A4C321117BBECF2E114BE505DE8CAC60" "8C1DEAC6FA33C658D72454FC5C3784989803A839D565DA08436" "E700F3BC8DF99BD3465CB4C1E8886FB20354E132A629FC964B1" "0714F006978121E9737D70A77DC73FF77830E2DFB3ADBAABC83" "657D8700206AF318714867A1BA3BDCB8354B91F4F1A8B09BF54" "805BA01BC303E5F9887210584913C5130B643F15AB603ADCA3D" "918C3D5F15E97EC27FDA51E4E6CB73402AFAD08678217E46B0E" "2283")); test_xof (&nettle_shake256, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("E4D90A392BAB78DD363C8747C586035358F051EE8909762C3D9" "AB4B2F1B7EB50B4738423C4A5087A5B12A9DEEFE186D0086F4D" "D0F9131ACCE891E43D131627316AE63C4E7D1250D809E78F94D" "276EF45C3C8EF4A37AC5910F1DD5F95989C938C98C55771B6DE" "1AE68F3A9015C1FBF2447F3F72C15847EB55E0296B711881E0C" "8518995BD7F75C3AA9C1193F3F7B47B9C133AF09CF53E1F55C1" "7CD96318C821DB4A6C7E79DD718684CD83D43E3EAAD165FE26F" "A204B797C59F33589E92C43E7E799E5A857ACEE310E66F1C99A" "2406CF4D2690DAEC060CC7E3019CC4A842881657E58818BA193" "E4C8B8113EA7B3BA930ABD58A7965F4A176CD5EA1447B417476" "94FB36775FA90999D1898949F8CB5943013A9CBE7654FC5D7BD" "7C915C1D251A22D6D8F7671D77417459366581C5587065C55AA" "EAEAC19488876ED0D5E5F2F3F0A07006500D03EF8CC151AB6B4" "6D587DFF8930AC8EDC3845BD2596387A56825A0036E1FEFE70E" "2A53A4C19B5E45AF6AD1C463042EEE139B244A7751DAACD4CA7" "C5CA075D2B639FB6AEE355DDD4FEC35F13C74E822E5F2C23A52" "EB2C2E209B62106195BDB80F19EF1636CA813E2FDD96425C971" "B6D0ED6B468A5E8F462D521E41586D7C848FE3103559D65B388" "A0D0F84FF6C4A48318BA3860CE5F2C419696931CD89F41733BA" "B732FCF8551B4ED28A3FD2F1DD14D2BD570048FABD6026C984E" "CBC8")); test_xof (&nettle_shake256, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("AB362A6667C3143E58DB5D5E18294445643F1FB212FAAFCEA65" "6B4C9C9DA509609E7B99AB0BC1C7F782CC8BDD2C2C49A029910" "9F842442A6433D9515BADCB9E961C0EAA0CD90906C2970171EF" "25193CD49FFBE6609BC0F5702CC3FF1CAA859B50E59ED6407D9" "DA7AD2D44EA36BCF8B3F48AAB75C1EAF0C2A8A41E33135358EA" "ED3C5005CDF6114D35E4EA2B14E2F8EE6B995CA73FD75E281C3" "A145309C620B66718E058E171740649DBF4786E8B83C19A5CD0" "FE67B68E3FE2509662D968F4212224B466D04E4878C70B47409" "E5FB56FF2A5F324A96E799CCFC6613B28DF7787A6D967056968" "7D8345FF1F187DEB2A909C66F5B890CBCDFE18594DD52328F5E" "1D3B15F6398F9C3B880AF4D314B1924CF2FC30F96B45869E40E" "4A147D94A4BD92E3CBF64CCCA69B3476477B79B571FC5F91152" "9E151C3DD2FAEA561E9FDDF7DE4C93E5CE3BF3B90D25642EF62" "740EEAFA53CB4356CD598E9CF40339CD8166FE3CBEFC35B5990" "E642D5E2578D893C0A46505AF49280D544CE6865733C1AB75BB" "F194A4B6AB0447EE0F33FDBE80A41E860D80026A2D0C3FC2274" "C9A1BE2C07C57482B3E3982CE5495BFA0F9B5A10D2BC46F5DC7" "8E78168B552CE4D6FC9EFFC0FAA5CBA0CFB66AE078E6DC8DB24" "59C127F970B379E87A267C3A0A5E1672B5A16C93E8E239C9C3E" "51A96EC777361D0583010D4A0773921DC48B63BA3155DA483C0" "3D5C")); test_xof (&nettle_shake256, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("D5D2074E7D45403D43D0FCE78C3AB81E2BD601A0337B163AB2E" "2E11CC4F0E73BC0E41ADEAECB5CE2B0422EE97DDD18869BCFDF" "9B4CFA9CDFF5DDFDE53B05D65B5ED250911B83BE8B9E5865568" "5A8D33C72826A1EBC1F244A433A9440B24DCFC691D9A78F3237" "9BD8BBDF4F8E2F8EDA7CA1CF74FC4E8C3C07349DE823980D9EC" "8229A3C43BEA5FEB0BB8F25610127ED1FA1741F90CF25DFE733" "15D440088C3523D9D5BE12431EB81E23EF5F5E9CB1571F08DD2" "4A7EB421CAA74C374F7CCDCDDEB4ED57297222210FA4930888C" "9AAEF06E36C78C43BF9196848CB07E1D941C719CBFB6AF8A501" "4EDA9DF9B205DC905B28EF6F29E2C29CF457317E01BB34ACD8E" "34C67F468CF41729BEE3532833D147CE4E5618855F28936D3A4" "EB6E0382049614A5DE0B05B317240A6E091CEF8A26C7E13280E" "02D19A6635033633EFB03FCD57AE2678C639B262F016647C61C" "E5DED0151951C7EB1FA1E3BBD1808210A3D22ABA98835A686DF" "3612AE6536D2180DE2DB5103E4BE1B2D74A8482450BF1B9F4FA" "91861505F5739F64D7C8CB8C5A3A2F864161F9B495445A1F668" "EB9A86E0C25D1BD0C50FA6431C4D4BEED9F53B6E918008B3DCE" "F98B484161A8DAC12C642DF9278601CCD80F789B770F05E8359" "495DDEF5D6FE54086827FFA8E7B2BDF03A33397CA2898214DE5" "A36D18AC33EE1CC0EE0FC4416A86815C7B98EA08C63D23CEEA1" "977D")); test_xof (&nettle_shake256, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("8A80E00C325A49D17ACBB96FD41E874EAF00A0D141CB59DD136" "3365DB060F20C1015929E88E0BA0589FB35CA348B3F02CB256C" "D5FAFC7B1D1A7445C238167F325A2611F7C5E2B7ED44395938A" "5CE501D6CF78C9B9560D8F84210ECA3AC12ED40954EA0C8EF36" "2DE08CF11FCF47C34A3D56F271453BD62F74578F06B1C3958BE" "6D87331D8128070C244900B6DDE1423B2561504156FBC045755" "E1B591234960E1A44FA54CACB1795AD8EEAAD38FAAAC0A4EB84" "6A18B42A526018EAC0A5041DD1200C4169124590ACF93F2F26D" "B5D173608FB0B6C3C83F5C0B01349C558ED0E5851C9DE615CEB" "684A3C9C663119444008DA4A12E9386C98E15CF23CFEEB2F863" "2EBF15381D17268A5F92FD15D464D9E1F6EF896828420C9367B" "14C2B7E886F42C439801E0F119D1086F2A99B5E402E786B8C5A" "3B7902D2274FF1B5CB706AE0B5DA9CE63EA943B8AD8743C0AF4" "CACFA6EC9A2BFB45EF680385568AACC518755B7A2C4ED40F276" "E25BE1447F1131D064A5C54F3BDB80D4E6E1338108251B8294C" "BE4D3F182F3F462B3983ABB7F25B4D9AC8A3E2F3CCA397148EB" "CC154DE7DBA5A4820C677FADDCB502B6A67AF0DC0602CDE5BA9" "83C7BE0235C8BEDF1916F51433D80AD87B4815C6C397A9906B2" "D075BFC0F72431DA10F04AAE61545A62364F336754248606AB0" "62799988E6B0D71C2DBF907E211C963A3823332D6ABF4450D31" "1080")); test_xof (&nettle_shake256, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("B645903F62E2A0394B7D98A526CE6C1725A03F4B35CAB927AD4" "FC2831F460CA6EB0959BDC5D90BB37E1D0E3DDC6CBDBB8F61D9" "21B7CC496D903A92166BAB4A436BBE6E9230DD0F91A6ED79188" "9B67727338EA636F54AFFE59D52CAD1B0D26ABA8A29C92874B5" "D6276369FC45769A3323C9788A7AB268081689614622BED3DFA" "207A0382680219D24B2854EEF3024A34DE3FD4ACC827D52FF2F" "1A4B40F1E957729609F8D3AFEF23A94D9E3EFBFA3E66BC1ED44" "C426D27ED4FDA0B4BBBAC6050DC71D064DE236DD800D0E24188" "EA0B1899AB6D0AC16986034BB1C8A21C7AD7F069E706730450F" "046D5F9B3C066C6CBF98C5151E5B45D6B0F3ECEF0377AEE19D8" "3941CAD4484AD07338E7DA24439EE38875498207CFD01349A3C" "B8BCAB058C70B48827C22278667026ACCE65A8F643BDA30A3A6" "FEBB5EB7B981963CF07F6FDF20AED8769C8EC35425C4366EEEA" "26AB28BF43E7FDC8B4F762A2CAC06D10E1A8C6EE35BDA64C6F7" "1CC02675EA4CD20B112B6E12D45DF6D37D83F04CE55DADB9F54" "C8A68E2C76AC55AAFB1A3231C277AE27BF2742D08FFEDF08DF3" "F098C5C60B59D2A89D2AF150B3FC73E399EF94B5002DC0AD109" "7767F47BA07F442D4DF4A4D72E5AECA7B2A37899F50FA3CDED9" "1474DA106FCC96B28D8418EA340BC983344BB58F244ED6755AC" "342B9E6B00CB19F9AFEEB3135E0374CE803CDA44E316EAA0B6E" "1E93")); test_xof (&nettle_shake256, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("B15D1DCC49B25B2ECD567E1D0F46732CAD3F9559EFCFBBD1793" "DA46A5D9BCFAD723E504B12B7C1B65EAFB9647DC35A48448534" "4B9DEC5C378DDE04227F7224CFE6F06A962F380AE104146DBC2" "425FEE1D7AE7305E2D2C4E2F91D9188BC88799B730ABF3647A4" "365562ACDA20CBCC7DFDC5C6DEA8DDDB20443B9253466E4E215" "360F4066D918D938FDD204CA826E4A3358D169FB34410D45F8E" "783E7FCBF97A9CF0168E8EE6402C8B627DE5BC4DFFD8AE2C880" "7F863D10EDD57503A99A46035173A20DC10DF3E6BDA62B518E5" "8E94E5624659890F1174B3B7D798206691D3FFA692494829382" "1616184E160F237C1241F11779CDEB4FDD858B73F3DF45F05F4" "3BC81E0EAD584999DA04F71EA4914F8D8AE17DE086CDF69C31F" "CCB48B528781FBF8DCFC710AC421D28E93EA95DB4A6D38C1D47" "C800FCB3F816E36C86D6B3E5D6BB31C325C7A0DCA4D395867F4" "36F077C6711BB96DCBA9A6DEC6318FB9BAB829AE40BF70C5514" "6B87D9FAD9A839CEF462249BDC49B8022926E3C664D66595231" "23A6EE980B69BEA87437322DA1DD6235A74163968C0994AC0C2" "1156476D83F2B8697A1B510795D936DBFC2CFE67ED401CE708C" "7531F1B4DE75E8506DB082FD9B3B24673938242FFF4F30BE97C" "AD8ECD2F88BB5F497A8F154465921C9469B70FBA1F45D76C9A4" "0228A93D67836CB7CFE2F25A5F56C216084521484A7224A7A97" "6323")); test_xof (&nettle_shake256, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("7AF1CD3572930B440F871CC3388678A1C612D6A590CD2B8692E" "0B96010AB4E122CF856925DC84AA0A87C7FB1661C5C74B08114" "88D3D486014E81B0D29B73450A0670A6F8223DF95B542590B3F" "6506CC18949FB6593F1A552E064B4E1576AD7A7CF202E0B8F90" "EAF90147D44EF16031D390940DA5D74C35A269B4ADF4A663584" "292007DA777B04C15C03F7635BEF56C1CA807D1CB3A8DAE8218" "821C44C7E6275CBF64D82453F764B458ACEB881816234494F71" "7F5240CFADDB3F11C1AF02B269F0F76B9DBC8ED643FB3B7C9F8" "A540A453C1EC85ABF9E8417B1E4DE9DC65181EE32802ABD6170" "A581AA2DD01188752C73D406461892D0D0909C5D3FE0ECBCA3D" "28F65B905A2DFF142E61CB088F9086D3C492E73C0EFF3AFBC37" "216EE98533B236406D80797933E54D3C21AE6B1B81F459FFD7B" "8BD1EB872FD62CC0B95F5384668A1BF91A474BFB97335DBD8C4" "761F3BB936E2032365256B534F98E9F4B3C50B4034478EFA268" "E9ED9EB9864044E90DCEDF4A2ECB9E8617C4E4ABE7CB4990511" "43C30BF73D397836E422A2CCD222A299603A3E4EAEA9BD2C3D6" "4A0ECB3CC7C0BC3D867C79231BBBC8C2ED4212EDC8B25C04C57" "E9A3EE8C103AEE4AD6AF025016C1A177288F4A17FE20A2E210B" "24A7AAB63D3FB4E687ED3BA2BC163F17C9067D07C18204D0AF9" "6A41CDF5BE9C6B89502D7CF1283E82410B11537CC931443076D" "60CD")); test_xof (&nettle_shake256, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("6B1B8AAC47F782208F50AF3F977EAF8F2D69FC02390EE17BF17" "61ECB73D1088D236A5345380B6297AD1FDCD5117D16A3C410AE" "EA092D9892AE95C7B977930655C75CF7834C101F69D2E33A1A1" "7A489E040C5DB3F83A5216ED5778D391630D17405EE0A96FD7B" "834448FE0BC61CEC5014A6AF9B0F85827832E7469869B087249" "7033822D3419D43379AEB6C31406AFD1199ABAECF3AC8E2546B" "9736F8C4E399C8698B674DF5CF6BE81C73E52DCA979D3281200" "B9DF8D99BB6C65A7B6F620E1E4E6538A918C99CDE6CB33150F0" "896BB75421B8265AABC241C02D93E63476C351396E5B86DC66A" "05C74AE2EC87EA1D175D15A12ADF18F9792970DE3B9E30890D8" "896309815D57AE238895AA7E76DD6A46019F005F193C737B452" "D32649A8F39B1ED00AB8961A6EB04F699EA62357B7A38C423BA" "9D421529266459EF292B324A16062538E8C6550F822C2C14081" "6340F907D5D10B563198BB1539B82E5BEDE700F7FAB66EB8DA0" "45B23035DECD3F8DF11DF98A297A49F5B896A3536BB5A3E17A9" "DA1B266EE18FF6D4A6E59AF619306BF30316FDCCB7FBF580091" "6C18832F4CD21659774411F105DED35DE8B0D4B0B54755440E2" "6230E519B66319696E6ABD180FF5314EE184D3B2781F338FDD3" "E3935855F4C8B4021154EAFE67497599D0AE393A516673A970C" "FB9B7058826D7F0FC29F3ED34ED31F45790A63E5AC7918A4C3C" "B494")); test_xof (&nettle_shake256, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("F76B436C25E0BF2D75A0DF0152D04117ED8DC0AE55B13A2CF83" "9E41A90C6070415EB8EF70A90BF205B0BB330435ABB41BB3329" "D015E9E56E86418BD671D0375E3AF8056EB882AE4191F82E062" "339D5505526AB42BF6CD54F0D36251A78EF274CBC797B89672C" "A224CB9B94E36648B362338D4981821B0B388E08CE97253B5E8" "C776E9B3AEA33DFC3815B5929A3800BB83543D42E0F331C264B" "1855AD3C002BD80D035932268DFE4CD6600F2B1F215F1670D7A" "4512E89C3D1509271ABB42E2608D7B4A900E00593E0509F7C88" "2AB0008AA83F5879F30D95A319A4058987804E5014212D415BA" "0E1C2407B9AA7B80945CF460E60609AC885BD7D639C9BCC961D" "6C32A96F041528B64747B5AB9557971EADA1EBEAC47F78B3992" "EEF2BF2806213952489934E7F5410602ED0987D8470AF3728A7" "F5BA326B77835694E32675E463C604C18DB4E4F5E1ABD056689" "66B8D102172E232B4EAEDB3C73E7A406C36DDC641469350D593" "336E9E5C8BA3C246154BD3CAC8E14CD60C9EA724FF059C931B7" "78B00A3C6E1016C1C41B3002F01D937499518A969D02AD08B5A" "B385A60CF5D018EF405DF9CAA63BC49015407B04AEBBE02F206" "DAB67E72388022D99D5BA4F6D57695186873276770452D60263" "5AEBBC988B7718F6EE99F9F05A6028E074BCE86FC134ABA4CB8" "2E1529ACC2E50E53F466B9B38FD3FC7181163D9A3B58F143AAB" "6297")); test_xof (&nettle_shake256, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("C870CCF74F9A979827E1D0FF8E1DAC93A2E0F10A0BA7A4DE041" "853915DB7D86C65010DB41421201025D3465FF1267EA5DFC8E9" "0CDB4D933FA58F5A5E830C646A74E5BF807495D973929CD2D47" "63A0615902B8DF2D04A9D2553BCA94696DB2A332EC56B5612DE" "10CBD2E117AB226769A0F5E12E380E890489C4CEE3156B4CF1D" "4FA2FE55E20DB06D84DBB0F9833A3364F64481567C74049517D" "B8D75F6607467EFED0D8976ADC7C7F265371A552767BF6DDF87" "F88DD1BD326C46CC7C9A895D1D88D4452A1D72E7ADBFF6C02C5" "114ED5799C4E75944294BFF16DC782D529341BD289DA6136E0A" "4223F27E886D8AD057446E6BD41AB8EFD676B5084084A313E0B" "BA30C1DBC3C461AFD8B5C0EE02AA0D1BFD0A1ACE35369F78D55" "31286FB268F94D4EF50BA6A502C2EB2B744651B71B59974202A" "8088780CDEBCAF18AB8CA8E5AE928309EFDB5D5A639D7C83BEF" "87E5AAB4D403F7A9D22EDD1CBCD409B822F33225F05AE21C2BB" "E9E7A0B116B502DA93D6547E3931763F4FBE1507DC031CBAFDB" "08F4492396D4D32FDF8936D0BD082D45E70B3CDF8B807D974A7" "0BF17FC54A4A034BCD7F5DDA8C1002B92A641DA7E717D8C742B" "7F22FAB4918B1B3929C2CF7533666121184383746FC5FBB06E2" "796EEE83E6387DC610717FE4C7FF316D87367F6236E36524CF5" "25691D656F77732B4989D87FBADCC67886E151F7A61FC9141AF" "81B4")); test_xof (&nettle_shake256, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("7AA373D1AD451F79A4B17BC9D3E2EC4D43457C6251E958E44F8" "D5EF360EB256CE5ED5082B938095DF2EC30DEAC299EEA526894" "6CC240AE0CFC0B8565235A77BED4B58560F111FA5630996AD51" "065A6A957979344C26C0FBC9843251B64C899ABA1DBE5124A21" "A604E706A50478DB8E93F239CD11D53B2F168A946E979AEF98D" "6A3CEAE032713C241B8176F1F32A7F132ECECE3FC57309F6F0D" "C9876B9327C4C03C42A74EC216E0DBE026DD167EE94FE8B0032" "F9BA033ED3E6BEF8DCDDCB288CE5F8D1B4DBC01A5BF51FD7252" "06283C7028D8013A170F0DC4AB107A442C95B0214A71D3BD7A2" "7CC48CABE6BDE4A5AA4698F56258E175BA1C6F7BE6D7EE60CB5" "BC4926CEC0D94A422554FECD2D7666462E125FA3C2FB84E98F2" "095B119AC492EF8EB3666A3BBE51A6E4CE3CFD1375A21D1570B" "E8A1CD22009E8261B3CD6F2E2085443A6AA76C91A349A7C49CF" "5F477FC017AD18439C580DBAFC94E96739732DDADF4829F9DA5" "FCFB6851AFA968E208D4090AD99F61F9657EE958698FDD1DD5E" "F21543D238D05C4C604E26D21DCCC8C878344EA888F12737221" "8A4511B803E3E6EA03CDDB2574E636EB40CA242FB31698290EB" "9C017D326A35D884A88C98B89C33E8656B717DD734223EE76B5" "EB147AF7521BF1F827827B37A6563E601AFDC3796D8DA4D1084" "FA462CD4AF969A800F522375E2C754BF20104F13A95FF2DADA5" "674F")); test_xof (&nettle_shake256, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("A1D00913CC206BE2D1C38C22B6C732A05368C8AAB30865BE534" "3BE3C73AA6B7E8AFF69A544257DB1E6B6677E6CCDB6EB358A0E" "D096BC9FFF0DBF89B1E5345037864132FA7B820DDDDD5A88B95" "3CE834F1AA89BF56FBB02670DFC9FA29892FFFE61DABA419585" "0CA669F6E4AE00687AE4AF3A15B27A4E489A4AA01AE62E23FA0" "12CFE38BB601B343095B5DA20CC2B48352CB245C5306A2FA9F6" "CFB324B6DEBDA6513221197B24EB1EC2564E2527491B539289E" "AF593912458D835E3F8F46E058CD6B3B85D0833DE691A1E08CD" "6742E7B2957DDCD0E04858FD64987C66B6BAFA7A082F32D5158" "52E931A382792AB4FFE17B39D8918CFF002CB01C0CB1E1FD32B" "B8B02DF964752523E64DF6C74B8442719C3D7DC75CE9DCE5474" "AD6F235280CBD1F0268F19E695549016E948A7141FF4602330A" "096C67699B29DDBBB8F6600770CBD0E398B013932B04526A055" "B51D92F0AE8535A7E91936BF21AE70368E09005B14F3FD9E363" "5F35960D89E134E9B1447971B0D1CACF554845AE74CD93F73FA" "FE94189BC22D1DB9815A65B414DDE694FD053AECCE3BBC3CE73" "62F353A9434A49FABCDFD7E3CBE73ECE064DECA30E4BE01B113" "5FF6303E45E8065EF415BEFEFA948ADF42DCEF4520C2772C8E8" "438B60113919975CA0DCD2798BB026D4B59D3904FBCA4998533" "ADED822B15CCC86457E8507AAADC7E3EE221543472A87B730F4" "E5C2")); test_xof (&nettle_shake256, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("E28D36BD926B9E8C105FE0099CFF1957ED7ACCB9618027421FE" "BF9DDD3129F4E6713376B3B7EE710430EF381CB12B831C80C7B" "1B93765F7693506733A75AC0E8FB5D3C30C6F4DC735C4C35991" "61ED02F4ABB5CDB174E53D93D91E1321EDFD79C0F63C92C7E5A" "253C1B8C4842F053CED0033405FAE5F16E2DC30024A6B1663A8" "6829ABFF72DE6F2A91C1CFE5955CFB584F8C65B9334590C9C46" "8A9B0FAC172792AA152F7DEDEAA4FA22FA7BA44131A1143F790" "53C7E2CB5AAF8ADCCB6AC72300892F792590BF5A1A9745FE593" "4C712CED382A316C487EFE0E6F146C8A562E6B40834FE20C362" "E495FE9E5CC871EDD2D61361492EE60CEF26ED38B4DA0480B4D" "FA66F5E71D44F10159016093841E02C34001800C5CDAAD0F9CD" "2A3144911031139CD6C54443A1D82405921B86DEB03E8F0C1EC" "D58F63B88944182F034BD07B0D021EBB7447F660E66BBC0A821" "C7852D183B806F0855AE194D80073280F3D07C2DC03571D5C6D" "0F0675AFD58ECFB211EA27733E870A6E86AE5108D8C1C3524B9" "9648541B61935746310FC6E99935E7C9A5D144E0735F2CC32B6" "DC42B34679052203A777AECF26D9461946699F834940BD34F8F" "CAC7C22E29B2B0CECC60183C44A5A63078127C10C1C14112226" "520CEBF9D47A7FBD4002AD482CDE289E7DAD3AA891BBA0B6B2B" "2FA378D26D629B4CE428F375BAE3FEA5E5C6B048928EC92099F" "3C3E")); test_xof (&nettle_shake256, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("E3E693B2585C32926882C97BEA160D46ACE5ABF0FA47A9084FC" "FDB22DE3C65F43717358C2C2CE680D6D132443D478478A30471" "1BE3C5795F3EB0A7BF043CAE06E84443EB599DC259B3CE1F418" "4ABF1E6794556E9F2ABA99E5363DBC7E9C2C802976C87FDD7E0" "E3884B971AB33DA6CAFB65CCABD6CE492A59D359BC17D221638" "1AD838989DE9FE82245CE07CCB1239FA5A3D664D5B8F2E3410C" "023066AA47E030FC73BE5EBA27D83D656106401BEA73E36CC09" "F8A78BC0F4FD7C4B2B4E7D36F4E3CC31867D1EE207A7936FB3D" "5FCF512669AF63B9F01E4188ED39B1142CAF6578F788B53C3D6" "303C25C545DCE3F0B037456E3E7870392F43051FB2E8FDE663C" "80350F94F7A52D511A56CC268335D1ED24C9948C6E0426AEDBE" "1E082C0F075863E3DC0269BE5C83ACE9A98AF1EE45C79BA263A" "A81902E11F880205B7BBCDBA54F766150E744BD1E2C97E64B4A" "50A179B940C01A7AEFEA23E22DC3443D655E31FFAFA67FC5557" "27C8D02C3FB3DE7D6C13438F6323B89B7C975FC5B90D80BE8EF" "D41BBCE90F636CA01FFBE3AB39AA0F43460F33DFA492718A411" "711E9E7D38EAB956655314F35D36120237BEA48EEEDC5492560" "90DDEE8AB4BF2669131CFB590C65BBCE018CEEA3CE349A8CB83" "E3518CE8F353EB07F9007600C206C7F6B6B1DA24F1A263F0397" "73EF5F99FAE6D9B2B3160199F17D49AD69D51BF66915451F43E" "CDF4")); test_xof (&nettle_shake256, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("A178F3B574A841C88EF21B6A20A100625334F4FEE5966AB2164" "686151AB9FED082CA4A9115A0B5F099C5DD4BE4EF1082D53321" "2BB862F084225655D8856E29F279418DE6FB723ED15C341CE31" "0B53E695C08689F776E4474FB6DBDB7DA46A9A2DFB7BC374AF8" "6984E1E10AD9D48B744A5FA98A0B161738468E06EE4E836BB71" "8BEFA381CABE18E9973FF07DCE1920B19DD797F84CDDC52DBD4" "9B4A462FD1A12ACD364804A290BEAB30AF0376CA098D44E5D14" "1D1636F6073569F2CE7213F6407EE376680E8D676942211A9EF" "B756EF9DCA40574AAD2084FAE0B617D727D7951C1321616F265" "69D96DE5ADA8EE101BCFD2C43C338F8957DEC234E23F5A1A0F6" "63EBECB98C35102DE1C101B99E8F42BD8EE7C528B1651099545" "F7BC9BC315C8861FD7EBF26B97A519931A63E0B06A73B14CD23" "65383B44A2107FE1AF0998F1574D9FA8818DC51D642240DBD0C" "104E89393B2C381944308D828720564763D3BFEE221BFA99D97" "6701717D4214CCE2FC25763C1B25EF67286BB7E497593B1A077" "912E3AF76993A4E20D4E8ADD7AEF4F715E5F1C8BD68E8913D9D" "8057447F273FC41F70A0290A5EBFDCE46209090032801F2CEF4" "4C8015E865D75759C7B2117C6E8EB6B57398B992B0E073C1FAC" "374C819B7AE16C464AB5019A45E7A6AD57B75380FF42D35339F" "23436A0D58497F7A12E4C3EB34816C4AAB9A2D3655079C12E05" "EA36")); test_xof (&nettle_shake256, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("11C57A7AF45809863E024835F2A86BCB81763412DBCEB53F311" "53730FDFDC32A8ADBE3A8BD6D4778EA33AFC063D9767BC9E3AF" "EEA3C78FFAF5FA3023093C798F39111A182516218F0BC78C030" "7C75EB212B0EDAD184500261E00823F423D84BC2DAD3FFC6C2A" "B675A24CCFDF0DE5F669D1EAF91973071D50EC7D2C0CC4B6E42" "552199CAC4B65938F7E704248CBFF272C647E953FB9719FA8AA" "9C319FCC45E4FAD0752E7416F9DF0063F1A8BF43E316533C046" "C4F2E7254A02FEEAEBDCD4DF19B01C18B8DFEC1D291FD670BA6" "D434B41EB6068A365973082107ABD6DFB62FD428B9B183E1FCF" "CB654A6C7A55B91E0615658529FA4F6178FA4F5CEF329376169" "AF143B137B9B81B273796CD26CFD8372AC3184600EBCB2DCE06" "AA7F22C055A7B622717DB8E15571ACC61D94D8DA250FB8E6354" "9528CB53050322520925FE7FCD065BDEF0EC79AA38F1F105348" "614A57605C94BCD50DF80E692D1117C13BA3563AFB44E91117C" "9F6E4E7FA35397DFC58FE7F2DAADCDFC756EDAF5BDA38D6E1EB" "819A1080CF354F2AB779F63E2BCC763C8AC73C6D811AE2B5252" "E6FDEC79E2E97D8971D1EF39E2A144E84EE8087C673AADF3C46" "C4E6C1D9832E68BCAFF8C1E4DF1A5454D3A677040413BA32BED" "431B2F7D3F356CB060431A7F5B1B6CFBD5709736A408EF6CEF1" "B455EA74191F09FEEF230A1A0296807E8AB33403A9E3EA1650C" "D2AF")); test_xof (&nettle_shake256, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("8E03C6B48B4E91BF5364CF9311172442253B6ED58B95D147A46" "74BCA639D75820FFE93509AB08FBE7EBA70544A9331C3BA3347" "B0B44E0FE36F9B799963212514AB2E673133EA5D9CF3181FFAC" "7F79475971369F7A0188F1A3687792258617C7521CF2EC97924" "1D8E9345B9205243A1CDA692418F8855BA61B57C75CE8A7B2D0" "19880D2C56C61DC0E3CACA0CD632E8819DCAFF9336498E1D573" "C16269D2D56509BECED579C80C3F09E4165081EA7910BB8D13F" "0373FA802F498AF190EBF8D7565A93A771AFCC8C417EA460E67" "F4AEA898C73ECCE5B17EBCF6EEF8A6E31D160038604499B3996" "5212588826D1F896915500497BF4F949E2CCC4C3439315E7AAC" "C2904A77AC0113A2AEFE64F6D625A7EF547E99FDCF9374300A1" "CC15373494BC1210B8DD5B5CE04B190A824566A9AE4A02DFC70" "FF8DF3191528A91E97DAD97057AAFB0357AE7F509FF7E464675" "124D0D23399AB6DB37B80397BCAAE48B8520860B79EFD72D955" "F53611E8D782A28C729F51D3174850E4FD61A4328709DE8170D" "1BB7B5A811BC3E0FD06F20F03CE1567CCDC5891673CD8E65947" "2015EE6A557D89B104E22E70315B40701B49C76BA0196F68A92" "55EEF2623E531D73D151A7F321409BDD8183CAAFFC18C6DD63C" "1EBA47F07B5B3D404C2203373EF356CD26D89DFD8F5BA2F7006" "46507AF3CF63DB907F9F70DDCB125259F28275CE8F41B63D140" "58C3")); test_xof (&nettle_shake256, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("845E0DD7FCEA5E19E5DBC6CD03D58C2BAC4B81CE809BA7D0C75" "CB867DA6ECDC9CEBCA177AB9C3273C8EAD7B8C9F571D6D1D14E" "D0CAF6FFAAE4F1B7EBE653443E9BF099DD54CE3A021E0944BB1" "F8B34CB8CF199ED9B23FFC94E2FCB6FBA03D50D0C84C2C943F1" "7C1BD9EEC662420EE42ACD5C5F18223B92AC269B320BC190355" "0C1D55B7AE5804EAEB6F67C57537161EF8460E45E34FAB823AC" "0EEFA232404C7907DB88E4B1D74AF7DA5A2E38F82F96A86A506" "DF1E717E636AF1FA85BCA3259C78FE7CDE8FF56CD2461997FF8" "D3B31BE985B73E4EB0DBF36D39923CBA9982870DDEB52ACC02A" "97CAE8688E230364D5637170C328175208F8D225E2B19289A29" "205A9568F426FDBDA7BB04224808B2F21E4E80E2F18F4E79065" "4E0D6E486340464B6FA48C95F99A4106E95A6A378458B863655" "6C700D79FC45697C09A84D2EC41BCFD560F0A147ECE64006071" "3A86516ECC642396E16A63203CCE11809E7DADB5BDE418348E9" "1E30DC65E66242E29B69B9CEC5548D4BEF3E15A6CD4937C492B" "2F0FF83DD3ACEF224EF66AA27726161A418820196738EBD9569" "B49D51D1583129AFAEE4F9128C55813151895A046E4D5B4E7D1" "695B0D47BC657EF7795107148B165D0484F346C9C49A8DEE187" "E3C1F28A6D57FC3B7DA49042B37250DD02BC9807FE1AF57D5A3" "1664C90D5371542B28965E805224651F96836147E0300C2A938" "639E")); test_xof (&nettle_shake256, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("EF1A40B1819AC20C49EE1F31E36B853619C8E960DA1A5BC8667" "4C5720C0F255E8099CD4572D09FA5B8F035ABEE5FCA1725F988" "954513E2E7FDCA92A55A757145B0E1A223A7CD4E0D18D3EC7C8" "BB33221B24AEDEA4A08F01B2130D58E19570272456697DF883A" "B29F4D4F86DDBFD1D97F1018277F84FFB615451190762B9B725" "56677591E6EBA3FE45F8769072E234602E222C77DFD8CC095B7" "3D1B231F3F09B89C2ECDCB741FED58085CD763E2B016623BF23" "92631984B6E4D2FE558B7F17973A8F58BE66D73AFAE5DE5C5B4" "6A6205E15F8A7F5B3ECCE65985EDBFE4C86D3830E642C99E44E" "F35AA55B834696DC519635240D6A693AC09CB3D567105420449" "664EB7B6BC367C482CB2682B1A34A9A051470EE3DAF8045B0DE" "FAE0EF10581830A1C21F75045D1297C9EF4B874E9004D4BF86F" "D770B820A9AA1FE967388215AAF00DDAC57F9B3B9CF0A67FC81" "E27565F1F3378A620C9A99B50AF301359E98D31EAD034DCB033" "4BF45D3CECAE0A95E4F0F0D60B0725F97AAF0EC1C4EA1D7D062" "D5B13A69B68CE5FB382FF7E25A219C7FE8CD1D78B47660319F6" "EA04418970EB3B5FA6778D84EBD4377C8B3DB2632CB616631DB" "82CF68CC4A03A44768B082F8A5FB606FBEDE8AC366B9D0813BB" "58017098A9B2D5BAF9C5313451F7FC5144F8A89EC34DA3CDDAC" "B079A963BAD7E08A4D68DE34612B116A0587731F4DF81355999" "40B3")); test_xof (&nettle_shake256, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("B9A11246D631A7C9F33911215F36281030AA4959E598F2E3660" "2AD66E236F4EADC9E87A662FBB5E30555F7F2048571DB711D9B" "28389525DC1BFF502C1766BF7EC7A26688CF30EAA16A23D00BD" "408E11756BF0E9DC3265ABED5B83643260DA0F7B58919078EDC" "C9F62B2D14029657426407CFE5B514E17410F3351C401EE163D" "1897525441D6738ECCB5976C16EBF309ABE15FC5B15B3623385" "16BB8FC50DC69EBFD5E3CFC7B79571C7DCA79D57970AE090454" "7677B30CDD7D09A0973AE65D6E00F3F9205BA0D806CF3DDB5AC" "BFB5AC1DEF3AA8766E4921B42DF7B9E3AD5299747300C9D2640" "6CF195DCA47A673E232454DC80031FDAA0E3DA4B66DA9DF72B0" "40893378AEDD6911D35D3E007828EB749BED4E16657E9D33867" "E0319E6D4BADA0F16C466F3B1B8502BDC2584BCBD7128A976C6" "C8BF2D553D38AB28B982802D1E626C47B5EE08530FF22A9852A" "C113C560DDEF6931F6E6145C3E525F5E6269E7DFCD4C0517C16" "884C681B1BD78D4A415039439BC5947C65CC35BD52E7E2D0FE0" "C88B2C92C903A0DB75D5BAC3D3D6A5A323CAEE0E55C61E8BBC1" "113A7D8AED0B031020CD7C50346B2C9EEFE61C20C14AB947CDB" "7B3D153172D5F32BD267B4D77A7606CFB5080058F56E51CE9F7" "3E7D75C94A46A4E917BF575827D37773F2F9EB5A552420AEAD9" "8DF822A7EED212538E2B27DF5EE2188561775BD862902F3DD19" "A9C6")); test_xof (&nettle_shake256, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("EA756978CE1BC77F9C84A151604F37CED854B00328DF4A486E9" "626C7DA6098F1A6380EFD8434FA59B037AB18C3488B404C03A4" "838A9E6C60B37C9348AA2CC3E09F016B1F07FED8D4A0B93BFD9" "121B4200A706887297A91AE12E1B385830536A88AFADDA80D4B" "14FC5CC9C49916CCCBB47F970378AEB5EA6F6F583D131E53AA7" "08196F749644DD153A3177F424921254A7FC92CA5CA241D54C6" "A1E565298D2BAFFCB173D22160241A535D34358FD0B54640CFF" "9E04890BDF23BDA5DC770240FEBB778D1D0B4B3C98CA7AFD251" "2596EBDF02F8E1EE5C74BA26A35E1482784F6284D0D5FA17CBC" "695508026CD49F30D82FE5819378DE13150805555406B8EBB6B" "BB8DEBF55A28B5F1350EF5AF18DAC71C9A02E76054EAF28E2D1" "259EE670492E75E1B3BE45492D6E3BC5096BA2952E7B1E97DBF" "5E18618EE7B197E6FC3B0A31B2F071376F6C55CEA08BBDFA37C" "F676A24DE82F23878566B48269141C17C7304D6252952158078" "B481FA4270C2DD631AFEE7D7518D1F1DF43B9841F10871D3B80" "E4680DBB89CE8C4CDAF4E16A4892A83F927AC7E4EA692C6EF1F" "E6A6B2FED3C8393A5100DDEF4B56FD158E45A95844E2195160C" "3D3E02FBF51A715C0117627C783D503CB241C636DDE3443ADFD" "AD82F5D9226D49921FF60788295A47B0D76AF43977FCAFEA4D6" "1DAD09E2318EA16E32C44B14AAAB6224193C3B9EEF105057A2B" "AE72")); test_xof (&nettle_shake256, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("609D7E2F634D0457E311972039E1645E66392CDBD1414D5A8C8" "39F8B22618AC73BE81A745B9E2B83814A527F78D588119F7464" "CFB235E56D9E2F794A5BD510008689ECE3EE818707BE101A3B8" "A5E1211E3116AC0E9746F79A01AB9DCD01783E961C316EF4EE9" "08CD69C7C2B0E3560FB6DD5649896403D07F021539F8ADF22CA" "4E3535A81EF643AC230A0C94913E9584FD8AF77926360D280FE" "CA2283F8097DD843D509C5E34A9FA8B02BBA9015753D3F728AE" "F7053407A90DC48F15EA272DF1F478B967DA4C02C8D4F2903F9" "A98F90CA1589BEE5590195E0F6B24913641C2FFB42DA043B454" "8D82F8F0F580356E9946022B06DDB0BDE4947D4A25767C65D1C" "A02148954D1F33F07ED0886552C23286696067FACDF37B5D468" "B1A5F29126A2805BCBA687F61D920C53B8346579EE0D312691D" "FDA9E53B3A0EBDA1CE213C78DE4CDAA3C5D9C6D5A4C66A5B532" "37A7E5D80E8C1DB49656E28B2DF50C02E9BC580A62EE5E6F72D" "9681435BAA70C0B51AFD2CCC109D0D45634072BD404964FB44D" "2107A68E1A9CD60E63B847EA9C75EF14D19101E391D8F80D05F" "6BF0966C949DA6D9C8E2C865C0468C825E29BFB9CA2070518AD" "838A6B1530723F6261277EC7D1291104049503198B6C3B95D1D" "0EFCE786D5982F6D0120D9AB2D1C0DD9EA89644103442A76E68" "04A57B54FCA199E6D714576D631422BDA28C2A7F8838CEFF879" "E0D3")); test_xof (&nettle_shake256, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("F5D0630D6BD21787A4101E2287550ADED2C2BAEB0CA91D24CB6" "1EACCF83B0D15700C6A95E643D8EA2383929D23DE5A1819EB75" "71F38CE173F378AB7275776A771380443B0CC1CFE1B9EFBAA85" "79FE6E002FE75B80FDC73AD20C727B003B6281A8BEFB7F7CB25" "45F42586AB879C9FF523D6ACF70F24994342EBADBDA27D3168A" "755C2DFC3C99360FE377C8A19F1465F6157CFF76A1D7C8A6FB9" "91058D582D5F2E19ED583136320C4DA569D9EBA4692E0BB19E6" "20C600260BFB0C95F7A8FA4560B1B715727CB04A8D37410DABE" "2ADC5CAB24465BBFB41AEC1E946BE1C50ECA676F47EA99D217D" "68F6B8F3536E879FDE16A355E71857143F7D07C9A207F4D61B8" "9B82354F0A0273AECA1361C3F949EFC2A45BEC3933E8A6E7A86" "E90E0EFE5D11F6A20ED9811A1CCA507E33CF47FEA26D7E67FA8" "8D374245B1A24D8F5C584DAE932BE1EE25ECC5EE61D31111A3D" "1EEBF220665EC401E28BB85B93D615B64EAD0FEF0E6AF725CA5" "EA8454B571A784EF95A020251FE236952D130692D81702B16F8" "DCF03CD82A809877B08774635A4859E1A516E9C4135FB415100" "359CA6DA69426D4139E90F00EFCADD155F85A4AB1CE154F8CBC" "84EFDFA7603FF48D5D1EE94A4D27DC9A450E35C60D9CF43594C" "9182B69FE9DF540F498C5C92DB68065F2ECDC52EE7D22736561" "FA617970375F6EA3D01FF39E2E22C979AB58DF80FFDB75B4258" "F49A")); test_xof (&nettle_shake256, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("F3B73032FBC450B21DB7C6C263ABA819ACCB297B724CD95C552" "80FB7F4E6A5100181FDD6E010964C62FC51C0FB540794CD3BAC" "D695A082B20016E1BE1F8FD89E77AADA0747AFAD6ACB2F963BB" "476F1B515CC0604CE5A7B18506BFEB875BF483189D268255146" "FAB7B7820A26DFFE97C737A7D5BEE677524C4B64539CE760CB4" "AB6D03FBA155D05130A50D5C1EA81873C8A45F1FB83C2EBC11A" "2A1BDDD45AABBCC572D9E93611C4A1429B802EAF44EE19A4172" "43C069C99825959093A9E0E5BFF186C757A7270E33D02B81768" "D94014F17EFFAA3B2D92FEF370E552C8A8EF2B3557C2F930B7C" "79E9F6C0573BFFD8585000954D9264611E3D6BB305B08973D05" "83C7C2C5B2B0B5AA1B0ED46877FB02646472672121A60424194" "81D4A0A5EE001E1E067F6A7EE1EA4B880D00F7815FA9658AD9D" "D643139A37B3FEBB46585A2A74BE0EC2B8BCEBFD8F63672F2C1" "F213511E611C677CD92B2D6C4E43792CE3709AE1CACA3103F7D" "267940A0CA5868AFE6296458811BA67205A5BD4B27F96573F8B" "88F8DF2733B83C420CB2015DBECC6E0146657CDAE3C7A2D2DE5" "EAF8BC9EBD0A7FAB0FA37B24206B6118CC56087B0F573FBEE9B" "D0C4B70512EA4784D85D8A89E75E08F86D204A4A03D4C247CBF" "9AF7C20FD532A65D0C89311246CB572C77A35CBC9C65BE40FD7" "EA2D41A3F5A4AEF0BE01C4DF6AEF0190171932B03EB960172A3" "8101")); test_xof (&nettle_shake256, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("FBBA34F9B8B88C9851E1B6A8613641A26E5E6944788449E7F78" "C66F32AAB088229599E67B048058A2BB6713C84033A2177B563" "407BF832D136FBA8A506B3E0C3AC8632F8C6DD058E1D242A247" "54D64D8A0E8DB424000561EA5298EDF2E5620237F4297CD4B2E" "48C87AF4ABB28167662B032F617D89C4CBBF064EF09AC2A1227" "85D55C411970A610ADE46475CC0E371ACE344B3BEE172D73E9F" "A4CFFD1806070E7CF48B722DCEC0756EB1EA059E8481DEF23BD" "F94A0050CE2848AF21B49B59320D5F4EDFBF2C1A653306BE31F" "3634E5871156C44D15F8C39C7F50FCEBB93C61DF9258F81941A" "EE98C0AAE76D92560FC4987C0CA8CBF07CDD9B96E1F24E83F59" "77A2C561870D6FD4752796900CC41AA4F2B256988403065A9C5" "06FA78C50E0B5B9592A4116FDE380EE9E6C7FC67FFCB5123FCE" "3B27A6D71EB875E88E0A8F20ACB50B3F2D46963913FCE830FB5" "E01BAF0F2FEDFA8E9717576B96F788FF8F8734C33C3CD9595EC" "2F6270BE920AA2A4FD56F83442141C1C1834820C1A41A51DA30" "8F5CB8457E6C835C4F075706051A7CDB3901413FB9B42DD9E0A" "2B8664BE7490CB4043ACAD67CC806886EA5C41BC8D81E00EA1C" "C7AFB5BC34E150EC26E4D6D8D5F0C5A362A28C98ED6B3915A09" "35D7A237BB24AA18D41DB5271BE154F4F51DC25AF823A978B8D" "41F46AE142470ADC4D008B260928F7382BB08C320F4802705AF" "6EED")); test_xof (&nettle_shake256, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("DD4FC79F3B1D5201767CE9A0F89D3AD0A3949BD75668744B955" "23562A5107CF45ADFB39B5999D79CD3CBDB1F622B2B250C8664" "7A45419A243ADF4E7FBCFE227FFA2995BA39FDBC5BAE183B786" "704D8631EFF1F88CCB8563F112440DC48D87B97BF8E8CD8B894" "CEED6B43C857627AD1EFA81045CE505FEE7F370CFA478BCB4A4" "174D133D9A7057702E7122229F53CE03D281771CFE58EBD825C" "4285B4D7AAC7CB00A835FA094683F503E92B690A4A35D0E4F5F" "01DEDE83FC829E4F3C5F783737A68DFC9EAA3CCE682E3D52786" "75D17A2469FB0A814BF71FC212D7162ED80707AAA514CD5B682" "B95B948A8A9D79EE3CE1B9AD44D3E6E6EB455CF198927072D8F" "28950AAE0B5FDB628ED5280695E7A83665C94A23EBD16353679" "7EE6733166AF631F21F6C1FF398D8D363D6F7ED518FEAC9EEA1" "F98E9E3976706F2EBB3430AF64CB788A2461B736D91876FD481" "F5F0135B458B57CC00959BCC1D145B2B776D7B5B1BD0ED154DF" "B602F78C8D567F30ACF34341C9356BE887DC85E9415602E19DB" "053E965601CE5DB866C1A9EDE8C12A81850F1A46CDC15411256" "0A1E38C40A014E1109195FF23054954F463AA825FFE1A377D3C" "B1DB279D2E5BC7FEA045CF3B2681170CF42D4C0518BC9E51C3F" "854052263D31C50867426552E6CAEFE37267A7725A4460FE2A7" "F2D951DDCF55A66AB59DE1A66A7FD15169BFEE7339428308C04" "77B0")); test_xof (&nettle_shake256, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("FE149A9560E60DD76DAC07CD65722403AC64637033653BD6005" "3F3958D0DF1EF1DAEB343FF6488587F49945A19479820A98DF8" "484CEC8E3608A8C7D15594F61FAF8547FB0BA643ABA3FE942E1" "91D61E2A84A548A4B76E0144B71E061D01E5B46629DC585EDA2" "1696B6F716ECD7D98E54FE49692B5FF7E74ED15183C4A4728A6" "A4FDC85FA56D49615E0141C65614DE51776C73A46D19E2EDA71" "226B5716FFD83C06813B631CDEF6BAC2B5F480CB59FB54DBD0E" "0FFF0539FF70FC1F5872D8B78B3E03335675925E2A6FB7FDC93" "78D3202F396F05DFCD0A2193FFA3DA954EB44486C054D7D8BC2" "2194612047F2F8C5FD5423504D6A06F0FCD4E611880C74BC84D" "7D5C3B66E017DCC79EF5EE41F9322F7DD863AA5428439D8E5ED" "3222F2346E305759B46826E039FFA8A2B0C7147C2AA44060262" "6FB79B0699ED15ED9CA54125603E9A9525DB238A518708E7870" "9D5CEE0F3A196B4CAB52198ED5A58C98775EECBDE3EC721214D" "B7A981C81D419F013F1DB230746BA5EBF30CE37882376DF8785" "ADCA0E04E9E18D0EC75778369F7516F5215AE92D67C4C475109" "0246A8F3A719BF83E3B310D61FADDB911B2080266D2B43F31FC" "9E3A5D9747EEBFC8816F63E398C9F506C00821D0F1097349FEC" "C2DC05FC420FE673F5398FFE828CB99B3EEEBE817EAB6208803" "339D8D905C845FC934487F51FFCDB4E83D8E337DACBCDC57F86" "7EBD")); test_xof (&nettle_shake256, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("E38785ED93686FA741FBB6E5BE64933963C3C872F7A4E8C8D54" "0EC3F82284605625D32A24BCE8B40264EB51B164DD86F318ACF" "D9867F3BF23998275042AAF23BDA01F602622448957B81E5147" "5F15CDB31A9297EE390F681E460EC01A024F183110C728BB09A" "12DDE89E6F5DE2B4F8C17D981E3E9C531E6D4C19448A4A6BE28" "853AFA2FBA216F7C8E2CE4E4DE31F6B0E129CB5DA118B4A5956" "9A439C1095EB50C51CD83105B1A12B3F7086947EA7381969A78" "308F8FDDAC8B2D87F4540A8E7CAC8932CA76201F86561ADD09D" "833361851CEB9759AD1EEED4E00ED19C642BC6D0AED034276B6" "6D818E8791A7C1F42F8604E8B026D4635E3BDB27CA0FB28E751" "7BF662BB99AE3A3C698AD0AA2F02408E76A5F93ABFC933B1691" "A89EE3EBCA2885EA633D0FEA4DBCD03B05B68E0F4D267144FDC" "0898DE46011832ADC872F4A7F0D8933CDD482CA54FFA81774BA" "083D3D9FE07DE94F8E03FF66D9F1BFE7504E8A497591BA8F527" "58F92E0A4CA6A93979CD1F55EE9DBA17BAC6C69E83DDED4CE2D" "BFFB0B48C0C6AED657405DE18E7891B3C854127459E89FE5442" "CA6D5C223B046147BFDEE435CF4EFAEFD705373DC87E20B7D31" "C7D37907D30B8B32054BB9ECA80D0AFABB5EC5053D94D517F15" "8EA958C7458CF71FCA85B607A352A9A3B8F4F161E3B8853F6BB" "61864BAD12DD9B57ECDA507A3CAA63A1DEC726B518CB4FDDEED" "6A34")); test_xof (&nettle_shake256, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("66FB94B62645F96FD55EA261E08A93AABE783F160AAFFE07253" "A1C3D45DC65F6AFDE9DF121A894A1A13CED4E5D492675BDA359" "26A1B147D5317D3CC09D4D34EBC1BB223663B349D3F66F05DDE" "7A66616E7F89B0BC6859A3EB8402B881890B21979BE6F60CFDB" "9F6C2FDE570D79CA9D24099820E433DD995E4C2271EB269937C" "BB96839A03BA7AF726ADF23B7FA2F86348C0489E09A559D0FEB" "FFCBF33D77CED28A439F09E2EFAA7D6334A783075B588134C69" "433AEF0F8665C05E97EC2AFE49336EE2CEC0724842A64123C7F" "43689D1EE88873F89AAAE9730B1A29768BE0E49A87B52C1F5AD" "08D700EF9B57A20F5DCC7C238A5E56CEA3A0EE1F9BDE550F279" "2741F607E81744855A5F109FE91887BC580199966DFE28A30FD" "1FBEA9AC4259E7BDF7135E4A9D83234F9D7ABE3BFB1F264E23A" "67F456096E27F540FBBD5DF0E8DDB5A6A455ECE063D4D528C25" "82BE8F111E1F7C7F204B82D40F60C2AF6099DBDFD64DF85899B" "A2A02A26870E3FECA6C07E99AD43F93D21DC275E1AFD1E136D2" "F49142B4D208EC865F91DDBA5822148C6884B7CB283DE5AACC4" "E8BB66BE3B08804246C808569B2DF0AEB08BD4C255AE1829AA6" "2AE9495A89D238DD93E2BDF5D14159E48510FC82B572402302C" "63956CD215341A1D367135623C644094CD845B08ABC7A8CBD4F" "3B66F48375DF7155BC5A781E69272EC1B3AE4E3CFA1D8D39BF0" "B4B1")); test_xof (&nettle_shake256, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("295E0FBF3C5B510D6B244381BEDF20F8BC3D915CFA4BF9FC42D" "BF6932F44DCA91744D812CB9F639A9C3D376C49CE3C7DA90D26" "7D794805A61D20D00C79F42C37BE018C67857B6A02E46B6D6A1" "47506210651E31B280043610584A1440A07BDC8540AC46E637F" "7D947792A65ADCE3B790636FE1794E90598CA6340982EC58F3B" "24AE1C703FBB91412F1AE7C23A3CAF78C4BBBF32C90C365726E" "D4832016C5A19E94685A7CCEE376184A10BEED6DA7E26D1A426" "0EFFB7E9F7A0A0C71D7F164CC967C7526A0F1EDF1FF54AEB114" "109F7B34361DB5AAEF9EAD31A4D4896CB86556D2619DE0ACE07" "C133B14006119BD4BC8CF4F8EC09CD2ED91B4E524012261EC95" "37B3BC4C67100102293836E22AB5524C979F1C1AF51FBAA2ABF" "3F0EFE6818BDAF37CEC4D6CDDC98A994BFF1AC458637D528BA5" "F701DE0BF4E4E9E691149A6CD4677BBD9821511DDFA6561C419" "B473D2BA019CF1B83B7AAA3BBEE141E2FA38F032635AA559CA6" "29068DD4639CCF579118496A903BA7DDE88FF54806AE89BA397" "4B9DC0AC520241BEE278E3EBA1B3DF1C026A8E5F0D5F28C35C5" "B04145B570D2F06D25F45BEBF4DE2785D75B0BC9F1E6F9AEBE2" "AE510D422180CEF13F6B0C8A0CAF76609A158FB6F3B17E7282E" "168DCBA19E76DB7841E384B54F3AB29D78C86861560CDD934CD" "B63742933253D7BB82B453CF829F33B99B8E56B906C86131BD6" "4F64")); test_xof (&nettle_shake256, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("9E8438CFFC23A52D75838690E7074D2C713B1188375D1A77F8F" "C8C24A4B89CA5979F58692D90DB14DFBFCAA5EF0AC0C2D16F3E" "84E6F771ADC26FA9081F3B10E02A3EE1A3DE40DB5DE17F7628B" "A3E20E5563BAD66BC32BBFB1CEBA7598AA4480C86A0C4ED1036" "08CCEB103AA13182F48D9FB363913000BA6559C855652B4EC29" "D06BC99148569B66C77F58A757B75C3BD5EF2FF832FAE020EC1" "C9E19C1117A107F0529EA66F0607A499DB0C32966A95D882699" "B96C4949912380150F951991AE7768E5A26267A8A43CA76AE9C" "5EDF31D7C52F2B09C9EB15E1CF47F85B20BD55CA47FEC048B8D" "F899A08DBE2E9C2F72BFDF3BB803AF10B5A1BBCD7B4E1915E09" "9C22307154012C67A39FA77720D7006B86A1ED4F095B6644AF9" "72CED451453B3DE57B1FAD8B4280AC62E1ED09E219873B92BFB" "50646343C46CD3C42E84E9C7F05F1AA5AFD583F685A20F996B7" "C0683002691CD28D454F71334C2387DFC43D32E633900699C8F" "C5E3A3F6494CA0BBA96EF10B7F367DD31623DDC14E9907F9FFC" "2C65DA666D06987DB1DF8ADCE1C74BDA7BC6C6D5263E3CD777A" "78B9020DB37D331A16C38D7419EC5036FD95B896373461E6B83" "84B2ACF96E46C7C9AB6D43C6EEEBF62B7BE5F95F8AB6B2AA5E0" "5D66BC4DF8A2FA1AD9C3CD9362CD183C10C8CCE216FE48AAB2B" "1C4F6FFA39CA9F8D7B14AC5BBD8C71F55776F6C0EA8583ACCD1" "956A")); test_xof (&nettle_shake256, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("07024716B8E95D104783A37F82E66D4F5B0BAE8897F1EF6C45D" "ABF3A59253261300371A4FD20601503F6D187CED1067AECB11B" "4A4B5A31FDBDF4A2B1BA9C0EEB0C2BE7730178FE435905C1B80" "AFD9CD27BCC631C57A10F3BF3F285BB80D9C4F1C70ED3099694" "1D1ED225386B7F4777C18A01EFB5F1086BE223EFDD082E01755" "ED517AD6A3E423E924147761C95B74F6BD338F1DC0E53715AA3" "1BAC84F7E5BEDDCAF56574626B23DC247D0AEE8ED77760F53E7" "FFE467564AA3159AA300AD159159259DC3252D95942215C81ED" "5FAFE0CB065758F72366E50DF7FE6F2B41E36371408503C5E23" "A4CA0C93460C0ED713872F35CC71D1B71A34A80210069B12CCA" "79CBBB04836E6D9A15E78A638B0879F74034339BB4FB39EED0C" "8D6684A67DD89B201B46010FA73CE5FBAEE87FD89D4B5C40F04" "D9CEC8510BDC3D07539C82031FE9734826CF36BB41B30426D32" "A10225209C24B631A071FEB2A9B834810E81B6F87A6128F6781" "5E4AF6A6582EA36D9BE5DCBB1D7FD0BDA2D583D1F6BC2AED7A5" "34C33A8D183D5EDF42F3080BD07CE9D78647DF008D417D0DED5" "021D7B6996D6B541DE75DD175E820728037B531521851C9743E" "D03F8DAF292846B2EC019238655256EE960E0981DB7B65A3692" "B50F62033FD79A29F4A36C27BBE7A3B7BD1E813F3A2EDA1CEBB" "29979D91720CCD125D0C43D708892BC38D0D297047637447A19" "CB09")); test_xof (&nettle_shake256, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("585F27AF67FEE2446767B05CE40627BB06D403430D94A62719D" "AE2864CD44E7A8EEA340B98DAD0520D8C16C1BB1AB562C0FDCF" "E6F1DE4F8A0601EB9A73FFDBAB82444E77487213D17BA31E2BC" "39FEC719979080A501C8E15932AD588000959A18447B98735C7" "3A2A8F4A949A8FF187520E6A9901647F47DB442BFB2772E8E8E" "22FD759F88722A98D24D01308B15A0BC715ABE9568A34201B86" "75204BF68AFEAE8CB063D6CC9EA68AF9E4CD692F9718FB5EAB2" "70A2B74AB623B521B4B085700CACE113168F56A994A639517F3" "6E3165029BF100A6F19162A8696B858A0B0716751430DB7BF07" "480427C2CDA01070F5E78E3DED7471874DDB05D2944BFB04487" "629A98E06CC4C984AE8C5F7695248D01CEE11D75A9C7F545CF8" "6BA745B8AD5564F33B0A8B72E78954A7FB253C07EC8FB3D3BDE" "29DDD91DBBD94D332FE9B7438937018E8243C2D2C30657959EA" "4D23A319854FB2CB994CED4286836E83324FEA54C58DB55A969" "165A1755D965C416E1D67468ABC701925F4A80BBD9AA9DA82D1" "48A26158712C2B9830804A4CD1CA14A2B246DFE8E8A12EAC9C1" "07E8CBBF34EF9517674350973E75799A251E72A352D2700291C" "C3F1AAD40ADC9050BEF9881170EACD3207AC0C573E238B65500" "B997DCEB347B94FCD5069CF43BF15AEEF15E4C135DD21B4046B" "201F411513AEA9629B9887D21CDC43768FC1C1B12EA4CA4595A" "D463")); test_xof (&nettle_shake256, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("E57DD7DF74504F52D00B8079631F542A532610D77DDB4BFF891" "5BDFBC9B8F25352AA3D9A2D00CA2E14C77FF661B3AA44E30BCD" "3D4B110A8CEB65E150DFD9109EE948FFF11CD01F6A98C0100D2" "323F52E323E32E9FE7BBA6D4411EEE3CCF70122DA5BFEC8B92E" "72119D4B1CB1A1626DC0CB79FB4E4C938A4A7CAA7962B04A112" "9B4A0A9C457FF38E8D3379044E4B65B82336709B95401CD0CA6" "4C10F5D22A226678A1EA4E2C54509085ABDC41AEEAD761C7946" "F33140AB775D61F7B001F141D00F5209081B11FC2ACE5D9143F" "BCB710176BCC8AEE25D0182461AC1A446F3A94788B3513B88DD" "DF5DB0BEEFCB331CD2553416A3606F44B5CF36318C72501FA20" "07F76BA506EC510508B27D692CFDDEBF075B39E531BA243F3E2" "71B5F70EA6B58AFEAA0B8264202BA2C430C33D1409693AC5251" "9F44B001ABFA9C5595C0726DD1ED36C8B7CD2F29FAA912E2613" "D1C51E2D0C6F8B27FBCDD6137307ABDFC54C0E6C6FCE0630386" "2A8EFECEE12EB87CBF8423BFEF01C6FB87225DC467CA7A0B024" "3CA9D531811A5E5090351313FA6F73D413755551F6E7187057F" "DF4CB58A1B3B3A63F28A17339A835A73BF21EC013EF4B2BF89C" "B3BF1369A87239A546A6816D8B06EC5B1D5A179E67A86665EEF" "CF439D667F5F9890DA8B9E1E7E1AD08F757CB0E3EC6D8CB8FD4" "A140846E3768076D342FDF0BE4CB135D68FAF5C93FAFBA48137" "86D1")); test_xof (&nettle_shake256, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("6C60955DCB8A663B6DC7F5EF7E069CA8FE3DA99A66DF6596925" "D557FED91F47091407D6FDE32023B57E2EE4C6AC97B077624FA" "C25F6E13F4191696B40A4DF75F61CD5521D982C6D09D8342C17" "A366EC6346E3528B26CFF915BE9442B9EBCC30FF2F6ADD0E82B" "A904C73700CC99ACFF480CAF0487CEE54CBA3753B6A5DD6F0DF" "E6571F0115E8737B071031023B6BB0D79864C3F33162E78269C" "EE23FCE47B91B4FDF91F98464A1D21E799D17F76C1BB807DEE6" "67B0B273054BE298299BD12B7A80FB354CE3E6D1ACF98443879" "A554ECA6B96DF061D04A117C98AEEC1CDE1AFA9CEF62DD686DA" "91BB2B1F12379BBDC9FA32A6B6998B77E8EB0B50507862AFA77" "99D018E272091F51CADD81ADB587EF67BA67618C45D1F3D559D" "BD299ABC26EC712DA8FA34BA33BFF400D1F0F8B6345CF57269B" "858578C0072A91A63EF85F9D378900CD1A55D2BD4630DB829EB" "484D89CE7A414ACA173C52534AD5F9355E80E395E79156D751A" "930F7F8B5D9F4D5A2C9A753723083C5E8EC6CB24D8EF93C8FEF" "2D1BE4ECA222C6E6C2ACFD684893CEA65CBF5B096B3D8660071" "36126A33EF496BF2310F293BFA4C93AB826821E2B93259C464E" "0AEB06D6DF8FFA30B1C1E7E384C7E427A2BA3D99FF8A666380C" "5C1B678F742C57B0C3B08849FD65300DF13499DD894EFC33116" "E7D0774064331FDD407487417D13BBA4285299AF650D3065D95" "1131")); test_xof (&nettle_shake256, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("CC2EAA04EEF8479CDAE8566EB8FFA1100A407995BF999AE97ED" "E526681DC3490616F28442D20DA92124CE081588B81491AEDF6" "5CAAF0D27E82A4B0E1D1CAB23833328F1B8DA430C8A08766A86" "370FA848A79B5998DB3CFFD057B96E1E2EE0EF229ECA133C155" "48F9839902043730E44BC52C39FADC1DDEEAD95F9939F220CA3" "00661540DF7EDD9AF378A5D4A19B2B93E6C78F49C353343A0B5" "F119132B5312D004831D01769A316D2F51BF64CCB20A21C2CF7" "AC8FB6F6E90706126BDAE0611DD13962E8B53D6EAE26C7B0D25" "51DAF6248E9D65817382B04D23392D108E4D3443DE5ADC7273C" "721A8F8320ECFE8177AC067CA8A50169A6E73000EBCDC1E4EE6" "339FC867C3D7AEAB84146398D7BADE121D1989FA457335564E9" "75770A3A00259CA08706108261AA2D34DE00F8CAC7D45D35E5A" "A63EA69E1D1A2F7DAB3900D51E0BC65348A25554007039A52C3" "C309980D17CAD20F1156310A39CD393760CFE58F6F8ADE42131" "288280A35E1DB8708183B91CFAF5827E96B0F774C45093B417A" "FF9DD6417E59964A01BD2A612FFCFBA18A0F193DB297B9A6CC1" "D270D97AAE8F8A3A6B26695AB66431C202E139D63DD3A247786" "76CEFE3E21B02EC4E8F5CFD66587A12B44078FCD39EEE44BBEF" "4A949A63C0DFD58CF2FB2CD5F002E2B0219266CFC031817486D" "E70B4285A8A70F3D38A61D3155D99AAF4C25390D73645AB3E8D" "80F0")); test_xof (&nettle_shake256, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("1279A95CB87B1CDF2F8A8A47CE55F0DA3766E35EC58CF921E07" "B43B176CFD6CE8508A208C9D6F5412515E0235C95397A47D2A4" "B13A357DB4882F69B9C910C985A5F82187BFCC46BD48CDDDA7F" "65C3E95481A37202EFF9C116BB3F784BD46574FBD49E19B45E5" "E2D18F57BE7DAC826A447ECA6E2A6BB44B0061930DF56864C37" "8E020A183DEEE8445648EC2F95EE5F09CFB196E3D8090535664" "46FCA6BC36896215BCE115B0AEE55737A4421316D2058F24C36" "D46279B458E901D3A8062300024068D99D8C1B8BFB6F3E5883B" "FEF3C1AED55989151C2CAD1EB940CC82398DEA1E5A92351F0D5" "AA7D47E16A949F396194EAE2EBEA1FB731BEC12D2734C2F1E74" "64CA2FE27F036BFB28A32A9657C75EAEE79F86F2CE5EFF1AADB" "68DA0B32A4BF88A37F1D66D13DF4ECE65059BD4ABF91A3EBF98" "2A1F5E9A6DA639623D0C8E5FC5C0C8071965221C4B79CDE7D44" "FC258F20CABE3C38862851952741FC9E9E87C06AB0CF8B8FED6" "C18666C5C70EA25973FED36D90429C54B157174A2583E142E26" "F2ED492A9FA74F1985FE52A421C2F97F94B73EC7D881F0D0B0F" "930461FB896B1806C704307CEF682834CB583B6E996BD31A6F1" "D8586D416FD8C91EBA59935FEB12A1E77D0F3E05F80842B14F3" "4F27ADD947EE3CA2E54BBE018FB8CA27FFD1C24227572CC277F" "723535CBA0133E359217D5522676485181ABBEFDBC31C8164F1" "7847")); test_xof (&nettle_shake256, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("7A2DFE06B3AFA54B49414379BB9C7A80EFBC8D0630B8CA170F6" "B22CF65BFF168F2BA6E32806E6E7D9D366D53A319BC2C8B8AAC" "7CF8158128617229D76AE594AD71C0E0541B86078A62D71E299" "2E555EE6FBEA906CCFE58FDC7101964EE8C3C05D0C2C7D8A01B" "7E1629BCF62233C0487E36E1C25474E129B72F1F9BAFD6E0F7C" "9FDE8DD44DDC1DD9668840294C5B39C408AA1BD1395D1F4A236" "8D9D1E5168093A63732545FE594B32EE91F89B297E3A33F53BE" "9A1A00642C17DA7061C10D1525F34180D04C78BABF6B1C866A8" "AC1D19FC17C24F13CA4032D650DDA748E2A09D3D97A2125D52E" "670C1DA4AFE56E60DD789608F50E914317EBDAF125BCCA849CE" "37F38EEFE8998BB2B1B10CC1B28AEAD1FC48FBF1C95B2A0F063" "7609CD569050BB5F3711024CDE92BBEFF1C73C9B6C8DBA71B2A" "A238AA26B4007978EFB346D3FE0031C391A70F362C4C5FE1DA2" "D3C73E4BC52A400E5998660D8C127C46CC7FD589DB2C952D2F0" "77E4001B2B6B46EE5E56A44578B4B8DC1AFA33C3994CE7CE49B" "4D8181195076B938BF605F61A74F9C505C64C2A75601E7EC3A9" "4B22157308BBD481553ABFD8ED5575B828CF247F6D321FF25FB" "AA245F9B30B39171E1CFF354B9F20D55196EF66D32C4693FDF2" "49F528C86EB82779B5FEA03F8A95F31DC0579B1CBF178B23B27" "6E5618941760B117AF65B83374C919D6D423B575C5C459B5AAD" "6A2D")); test_xof (&nettle_shake256, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("FBA46834A6995933AADDF85B59F60EB3B77B5AD38BC21A86207" "9D8D2227CB9B3CE3ECE89D90C70B990F7507D5C3A565974446B" "54D43288ADCCE2BFBA8914EB498DC6001BA169417AF6DA3ACF6" "85DCBE3CFA0C59963F0F0AB94D39F05A69D5DFD320EF409DE76" "FF85E01636F57DB9B2DF436D94EC2845F0C0D1959DB6308941E" "40C946F4C3B3277A065847C9E3CCDCF113DEC5DCBEF5AAA1C5B" "91C19E05EEB66F6E698178B7B02FE00B89DCC98526FA0E7B2C6" "247E1C175A21EA34F5260B0C0A625D7AEE1680B20B4667B44F7" "2F1353BC71DF6CCA4346EB54306DE3C380438A9B8E6CC47E6D1" "8D84FBECBF9A6132F63C191635999105967C2E171B74615F456" "D2E111E7FEE5DF00217B49BB49270BEFE5BDFCE1486C13C6A94" "E31A20C1D377C410324C08A17C2D04710CA267E85A2CC1E17AD" "A367C0F65AC3A70AA5FE14378371132026169657D1BC1B84C19" "08AB46689494C3E8A34835F4DC43D19E9328ED0A16341E5E9AB" "B80BDDEF1BF5FEB5DDEA560253532A6607E2E128480DEE2083A" "F54C67E971CC6B56383A564B0BBD2D802C6FAA7BC62629595B1" "7D04C3AE20F73B35A9AE4D356D401345E0A0D5174BC457256DB" "BD844F9A4BFCE0DD48F35C5F8A915E61A23899C40FA63A51F0D" "1160E16260BF4DA1902AF01C67E8997B2AAFE1989D013846CF9" "85164C03418930E61FD06F9D30F06897460DFA1987D4B5D73B6" "8CAF")); test_xof (&nettle_shake256, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("4B60950081987C82C2F1A1BB9EBAA9A72E125557E296BCE9895" "561C6A959371EB1AC9A13914F4419B4A0A1048B3D422B53261B" "0AC26EB9852E9933251E154996DEC6219A7063D87228A8D72F1" "3FE94A0E75485C8F23DB2341EE7439FAF87A1B359CEAFE42903" "19F4705B49CBA0ADC24DB4FE8800AE05664C544D53EE119CF4F" "1572DAA355E48DB605695BDAE5BF22CFFB60C019934F2AA9529" "18B388EDD9C53DC8FAC2186CA0F77AC6543AC379B1ACEE9913C" "D75CA8E0F9D89616383C9541603430AA548E9A9DD8F90F64263" "FE42A9B8F66991CB2B8B45AAF683F51D194A01098A10D4BA110" "7C56173825AFD79EE0A334CE739915D4F046C814412DF526ADF" "F4F23811BF1C6A254372E8E46F0008F6332637980417043BAB8" "FC21E3715B713AB4BD1DDB3D50FB9D5D6AEBF94FFDA51D3BD4E" "25C82B295BADC7F8F11CA787DCA045DE2B52A79226ABB945F69" "732A1D0DA3A3228D44D8F43828D8958E621851F4824590C0719" "982CDBB3602465C28A97CD4CFA33D6EBA65A3F6428ACD37D669" "67B8C996969D866A02FF6EFC1B6240AB557321260EB4C9D233F" "F4E1C293ECCA825DAC943DD1B9A624AC37ACD1A818D2F74AB99" "B2883F0837F77D4D00A52DE0924EF55C7536916677D2AB4FAA8" "F19E8DCE97C05690570FF0117C32A3F500C2FE817AD651DF2E3" "C28F5E867083F607E8D0509745588ADD19F1BB7482087A50821" "7DAA")); test_xof (&nettle_shake256, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("5CBBC93FED206474A11100E1973984D5BC5D06AD92996FC8928" "C1E6BFDCFAD5E32665F4743EAE8FD28289DD226A0136ABBD5ED" "BA5016E975381D4C3CC95065FA4CDAC2336B39342BE8070AB2B" "59DBABDC77B8742E4B3C86F1EE9ED0C2B5030FE1ADBE28F8271" "11FB137C180B9994FE150B1F5144081AD59131A6017CEB8FB07" "15DD2DE6B3BBECD2FDA4C3E9E8A652B5DAB4D0B39CAF6841383" "8CB1960241AF59A46C8B5FCA40552693CEDA564862DF42C5827" "EB371311FEF9231FE1B23ED07F72DB6410172597EAFB5D077AE" "D168197F20C3B01CC3C52A94546B722B4AB56211B48192F908E" "7E7A7B7020A8F6370A0B73E046E3211DF3352DEB1D59E4940E4" "5129A6667F160D2ED6EB703EF962683540E3A9C7C94A61875CA" "C09C4E22ECCED9E2CA6DC519698042F67AA518EAF3D338C5ACC" "D5C2DE5C3DF6B4A2273A0FB8880CF3F81D046AD8B24E73A8F3B" "D7CA65CD21AC2D950A7E36D0A25362788F1AA26B71CA434AD14" "EF3B002BAF6327D4A5293D91CB838E4212949675DF185B70D8B" "42C0C01F289478F0A9FF736E6838EEC5E54413CA6F7F22F51AA" "DA7F3E9C69B9009599BC437C0D806BAEDE6DC1B2FB9BBBA43FC" "3BFB5CFB408A9D8EC1C1DD1528CC2AAF144FBF9079F86577A4A" "042A085975BB1CB5DDBCD728DF6BA69CB23A8BDA0368924466A" "89DA791D4328DC55800FE8639987EFC172BB29836A901B3F4F3" "FE9F")); test_xof (&nettle_shake256, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("CA9CF74ADED61A4BC20BA078E8053702BC1A444CEF69AB058B9" "C0F586286C138CF02AA36CB69E0CBCC52F455623D27B9597C93" "68EA5DAEC4278E75AD5E3FBCD480DDF8EF39B3D10808D202470" "D18118A215838A0F6C547D324FAAB761F7C8CEF462BE150DD49" "A26DF4E453F997C31FCD27280E846B15F640FF8C39BE270DF9E" "44CE57CA82F6F6762777089276A3E67D8EAB0E4A0C2E1946FB0" "8B3FDD3FAE438CC2E9EC8BC1754275FCF4060E31428B9F08E95" "3F9FB4F80560F2040E4B6CC7BFD6C278FF01ABA41F43549DC0A" "A0407E5C8346543B1F1C24D1E05475327A48821C1C1058850C1" "80776EAD66996DD5A02865702E0E4705E8E2E7D4D25F058528A" "C980EB831D6B70E7CC06EDA314D80E1433B2A63EEC405BEE2AC" "B18CAC238ABDF254DDBBE72640C8C609F70D04C77D2BE9190F7" "8C8E448035A9206841C55CF9152AE5F7CACD798AC696299551A" "5D45ED113C94CD862197EE118CAD47B8C08BF4FA1C6270A61DE" "6D538D608E126C0FFBEBC7F44D418BB87E557E550CDDA20C2C4" "7F2CF635411189D30DEDDBB9075FA6F0521D2C4FF0E4D641006" "CF5EEA1231A87D020664366EBA5C5610B63EE5B5A50C2C8CA6D" "7EB8CDCBDDC34AED08ED7E0EE437E235449D4C1CF095514E581" "E3C8A15EAFDAEF19FDEB31DE6619BEE6B17B31A96140CDEBF75" "34E0C277EE33C54319B140AF0135D6F91F7D2166026C67C71A2" "1287")); test_xof (&nettle_shake256, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("9FB76F906CEF4A8C7A9CDDE3254E6D4581DCF745B26995FCBC1" "23E716F079E0A0B9F7C8CCD9DC5AF8894B2D9783395F7BC05D9" "5E20419C15D74EEAFB23B6F1BA427B4B20BAE38C2F6812B74A7" "A671384235DF3618A7531123412113D57B9C2924EE4AFDB9CC0" "55070485A2960E8E5CF1971171F604781865624B075C3C01FA2" "7F9B602C29E257821ED92B35F7941637C2BC6F0048A579E3845" "03182CA8498AE7493D398476727A2AD321785D2273F9F548F6A" "CA80FA7F1ACC1144EAE7C0AE58C3C4BCA20EEDC93C3742954F2" "E2963282084853AF5C8F30A1A4333374B4A66188DE73F773FF6" "A576A0A0DF3C690CC59521378CADB123BD673A04FAFB26DB9D6" "53D60A87F2834683D97F5D6E23FF2ACE2AD0A5FCAC71CB00320" "39EE01A2C3E37B3E1C14ACE44A5A6E43B1E1A0FBC8AFB0C811C" "911F2853C85F10D06253D29362D08523834273961E37C4BB0EA" "D4F79E33D77EBD0D843709B121F8B509C24396549D2187DF52C" "996EEA9805C4A3C4F7729003D7BD7FFAFD6384779D6B6163AD7" "C632A408922507188EA22D685E05C8851EA9C6E625D9461EF06" "AF864E93F9B4544F00244264DC57F4A91920FEC0120357B5430" "4ECD0A45DD8A6879EE01F66F222C6CBEBE8617FC06B28805F48" "0CBFE90D42A38D1981A4176985775CC92E3AA632CF4D5A49B20" "1EAE275628A3CA7BBD4992A39ED5737CE0B4C32ED4C4D84D9E1" "5A46")); test_xof (&nettle_shake256, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("D512EF86B19C0FAB408DF09A8CEFF07E8259CDCCBF0C060CFEF" "D8FCD3951BED94BCC30005DAD8002227AC4524A8E6270961266" "6F54866074F2272E6CCA23A88D5A05DD5B44DCF411E137F4464" "5187BF03D8CA19DB835974CE314ED8F3F1CB3407CC48650A61A" "8352FA34C4C307B8DC438634C292E91871A5DC55775BA740B8E" "1085C14BC779A0260288B48C80AB4B2CEFF645FC47751D6DFD3" "039246A5E7F8B1D66FAE0E2B71172C24D599CD5836FAF10B567" "CBB834804C16D111B56D8961EC67CE6DDC989B0AC0FB3975581" "D3BD70043725331685B959E22AF6509D4C9CBB8D4E10C9876DD" "F6460D62AB09A97A220038952F7025993F3F3C5EAAEDC9D9AB2" "AE948F56F956CCFA1DC670C47CE1946EBBC7F1F537CBDDD3938" "686E65E58F1573806EE42DB6E22E1D5070820787198F27B8424" "09B337BF0A5647C63DD0355838F52971616FD7318164CF33164" "1FAB6E3B2282547288A76BBA5B973E138E4182783FADB159CDB" "1141DC950B70EF4609055076E7EFB532C9A944C419BAEE914EB" "EEEF7E1890B292F27ECB8B7DA25B0C7DEBC52FA75F50247BB67" "1087A0DFC15FF3DFF6A3E57791F2471889F356D44A3A10228DB" "2C3CE778ECBAC53F127DE3F4621E6D83F8714C0D66763460A01" "1958101123E9CE31F5562B73EBD4F08947475E62C6D815BD02A" "3BCB12B8D058DEF7A9DE8B4A70A00D039381D61DC6C0317A0DE" "62AA")); test_xof (&nettle_shake256, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("FBE450F412E4DEA6DF16609A1C5513DDC550F7D7FBEFC4F5F9F" "193F3AC88351CCFB1C25955818DFFE5DF50AD08B3DFAFACFD7B" "FD484A628F6C9BB4E32F271F4846BFB90BE00B80572C12457AD" "35541C7FE0FCAF156AB66548A7D90458713F8E10E725C575908" "6D33685D43F3ED682B1F53453707FE17F0D389D0A8497E25856" "6E93062B31E3538ED95691CE730B1DF2F498F010A2C2DE04DC6" "98410A3D4669329E685827DEAE4BAF2C15DBBE975C9DAA13430" "C440543AD94624501AA63AC4D012EDAE314DF68D7D4954D4119" "C5B9505D566B8AB9B54007F4B8D92D9FEEC562B9E0E37FD8643" "907D8E7B6FDE785195650580373D3FC69619FDD039606064E84" "C6C6E44118E4921A2DBD185E7DE90508FFE7380ED1C9917E0E3" "8DE26D8941D6AB0D0B4FA213DB4B075A362B314BC7C3CF21A83" "41C611551057F9E07492C8D923D54336F3F0AA44422C423E2DB" "0D598216889753280B08103417F431658F1EBE267237802E1EB" "FCA862027A29AEBADF8ED9A603983E0BDBBE84B3D9A5F862ABB" "F5E18E5552C0D3E7577B96916123B4504AAF2107F643067B88A" "DE293F5B3FD3F6955CCD9AD7E134C9F5EE60F6DA78032AD1C85" "D710BC21939008111602147E0BF1D79F7F5302686729D44E44A" "7A6521B8270CC57CC8A6F16770BA66EDE8FA823FA088BB7DA7E" "EE980C6C947D7F510DEB93BF0B5F4380390408823AA8EB980CE" "0F04")); test_xof (&nettle_shake256, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("6658EB2FEB9A739FF1724FE1526089D0AE807945741C2C6CB63" "0E8F5B9C88F3455017BD81A5ED8F441AFD50414ED0B9C267E52" "7786041C4E3F8DACCF1DB60A0ADE7199F689C8F0C04CC846318" "F0B8C34B122BB98386F48B0E69317938DF76C9C6D502BFAE1FD" "A37DDBA108AF9E2D07CFEB50BB79D828FD5A67C9C3771FFAA07" "C7A47FA681A1358611BA76B079F4FE14DAB9A0D3A4E5D2AC41F" "4F1374319FF9B81D970511464F5DA9AE9D6312FA8BAF22FCECA" "2B4BEC1A8D887F47811F1E7ACC1884DEE4740AB2F6E2B4F8C11" "C81C7E40BE19F90F27FD1722AB95BAA214B4096B4B11A1A9B55" "3C4ECD789AED9F22FCE58AE1963A62E450D754CB048C68EEF0E" "7D2C2A146300A902C56ED8D149BB5C36566CB8A3DFA8582562A" "48927DDEC45BE750F639881CBC33D3B48C128D91108F2A55724" "BDC5162B652CC03D5F591E96F4BB40A571E1B22F504A6BB6D8D" "897A73884057E1D2EB15DE0D3585BC14CDDFAFCE3AD5D6A861D" "7CF82B5F1AF784637A99B79F91528C4976720F34A3A12BA0A4B" "C84975CEE3167D4E72292E9295629503D642A29196B934E71C6" "3425AD701820E79DDC9220DA7C7A2AAAFFB852793E822B69157" "34FEC8B93344BBBC66C5192B7F1AB6BCC63713B11CC23D54144" "1C04428ED11444BB2F7EA981603ED4103F86E6623014FF97CD3" "2DA3C6E1CCC22EA8BBF3B6853764A733E61397302A96434ABF2" "905F")); test_xof (&nettle_shake256, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("CF7D80DED88E700DED518B2F0049405AEA695691924B4EF0620" "5DD2849E7A0090647C3A23407CD4EBD5B582C32B6554C506E41" "6B9D13903A3AD69234826E36E3C5862BAEF9BD93EF345125678" "E32EBD5BAE0961935232D5BE54AC721FD75FE1165341A41FD88" "0D239DE12065471AEE6CF970CB6A0F02ADDEA861FEFFF91E6C2" "E482EA9BC255FB00CCE1FE8CE3DA479EB28768F356C2EF83F40" "0A0F0CE859606F3862A3579E609DE48F1CED3C86A9EA302462D" "E9A27B0F251798F9D0ACB22E6C71011F0DD45B11E8E33543A32" "75B24B6464980A5B6FFAB2E9C8055CDA16BE6C60FB616A8F3E8" "B759552A2DF2B05B846BEAE18A01DCAB1E92545B0B3CC2DC251" "34379021DD7DC294BD97A775C174A04F2F67591841E080308C5" "87E208D1B497E229220C38469944EF41F61A64C83E06A4390BC" "F318E53E4A6E9214F943D1EE957B71E8580E0A183C6B05924CF" "32809772CDBA700EA369448AB56F399385D4B8D851CC8D6E800" "3F1035C6E739C91E03F1FCD9662AC99E372B45FC08610265E53" "0F53FF726F599C33820AB468E6BC2C551204260271FE46C0A29" "75A18BCCFD87A53B2A7EEE2095A180B0A5BC7D64D57FF8EFA62" "8349E00C84B271DDFE13EB009387B1055F3B0E7B556CE6A738B" "9DC880B22E79666148A6C4D97B2CA581864FF4400749750BAB0" "3AF9232815BD21A1A6460483505C34F282D59863B9F491A39D0" "28D5")); test_xof (&nettle_shake256, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("FDB4CBEF885524710F96F1B489099A8E5F9F5EF2BCCCC23B6A6" "19BC81F9DBFF63B9AC609BD5DA0FA7AFAC0E67BB96A54A1A64B" "4B943E0A492A5BFFF399CC9A1FDDB5787434F5034A30CA767CD" "8A31B69276435C99C64F3C567EBAF3C69FBCEC540CB2FB671CA" "3835ECD228C7C7649410107D399EDD661BC8947D43D5BC441AB" "2EF39AFAC6788BCCDAC5462D5698F60616114A8346707606D15" "01C834447031CFEA921A85AC882194750FB8E4D22573A27F290" "1B75C6887D085A6B47E2BED5AF785C9B60DA38BC9F61750F16B" "2E06CAA1CC77CAD2B95C5D583D0E1BCD7E10B0D8FA8DA7E0975" "07D11873395166E3591BAB851EF4CD7E1F05CD8401AE4967378" "94EC50DA4EF475424485BE599A4E8387B0309629D5B634BD70C" "4C95BE723932EFC24CA8FF978CD31B08666F2F6DF9E94A6F8AF" "CDDE6C6A01AECB63950A4B4BCFB4ECBC1FEAF3B54454CBC7292" "A65282C9B0D7C6A053FFC11F6888DA2BBCD6496CA74CFAF0F49" "A6F5F56E14E51955B73994015313404D46BCF0CA0854407707C" "176F36C3AE5986F67984A33F252B86B2758CDB7D2FBD63606B2" "E43F7BF0919CBF97D2E38F01ACA8B3983421CA447A78BA415AD" "D0580FE56E391817783F11533C8D70E3B8FFC4A3CCDEC56297E" "D51F80215BE98C26B343736196F5C68A65B308835C869328006" "1865435383272A77397DD6FC3249B2CE17AB3417AC9DDA62EE7" "4C43")); test_xof (&nettle_shake256, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("748DE9C6E6A8886E9C34D67A5B2625315D8B0057766CE2853F8" "DD047A3B58A410B2327E56234572DB7EA886C90F6DF31B795E9" "3AF95A4C52632D7E03D255668255F54C0DC1264EE989E25DD0E" "A77A8855BC74EA1066F201C999C0BE63D1817DF33DB624F540E" "BF463C4B48569136E891C1082A37E6ADD6922C08FE512D92563" "9CC37536A324F3850932B474F313647E65FBF28CC1804D2EF15" "492CE09E84413A465C69FCA84014F15F2FF3FF5BFA6A9C38CB6" "9E75D66145BCBDC462E3A6FCDBD7835C44B9D95E1F6D72C1A7A" "F0E9E9730559499553715B0A7EDEB6E5C8C5A3536CABA0B67F6" "19AB317AA8F60A005860599BD1A1ED20FFD191CF7AD26B63264" "CE022E1CA0EEC821D6A4BFC1E97482CC33A14BE20D3F6EF96A4" "7DA800CE1A8FD6939069DF50C10145BEE28799F8A1C43D37CAA" "377AEAE5A2A19E6DA2F173124CED0AA5652AA34632BE11CFEB8" "FC3C9A0B4C45A7933B671432AA666FAFFE679562D727F786960" "609A91D0972C35B4B9AD27DADA6A24E00589CB1EB9E4706A476" "C5BF749091DF4370CF99FF6ADBE1B029505BBAD815AD50EBDCF" "22208937FBA80A453A99CA49004706A3CC3A95CFAB7F0C2FD2E" "03617F379FDFB8A91442754DE62805797ADB4CDAFDFB7A69F2B" "0CE9DC530A9EC8C741E892758512C4AAC208564935791713B49" "B95A9DF215FDD74F906F8EAA7B13A0EAA443D78A482364ABB88" "3813")); test_xof (&nettle_shake256, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("1060697962EA79B9519FE3AAEF385C997B2E8028D68DEB08AB3" "B76F71CE161EADE98C89D223EF0384232AB3AF3A6CB1D43EF5D" "20C1B3BB819423C026BEF0BF54F4800CBF8E9E2D40F9A4C6CBE" "7487600BF451783A378558BA27268A5074AF0630F5F2CB890BD" "A971A4AB65CDC37C0215DB1C09BA96240BE066F95F158CF863C" "C18346866522529503E615E4CFEF990F49583EDE896BEB63B14" "89B6A62BBAD9330D5C3DEB673D42151ED98A3854C1E80E0868E" "27D8CBCDB90DBF3505610FE170537919EC7C191579148E06D7D" "89BE3F5C88C430E38FD36D820DB5A941680E08B5D1859EA327C" "82EF50ADB1D8E6E5184652064CAE2C617337ED36CBD1ED42CDF" "3ED0C411CBE1A9E92E0F4ECD3CF84CB6C07093D51CD4D5E7C75" "43D385B9F420248749675CABE9FBB87F56C865325B826C4D32E" "28B1E4BF1889F2D00BA87EF01720D73EEFBC38828CA76027C65" "6E3758DDD1CE730E2AAAC0354EA71E79D53C0D3526ED8FC024B" "B8CD675AB290FEED6CEDA91A29A71F5C128473EC94EE59A29A3" "81E5046EFEFA8BE3AF7FF0858DD54065B41FDE35F618235D522" "1AABE2B4BE62C1E7FDE8BEAD94F7BDDBAFB8A471199B3BC099E" "77D8190029CC7508D576DB31F362B09E5C1131B0572D86D4A7D" "4B533737EB4D7E504DD0852E079F2A1B2B3A526175948227EA2" "511ECD4385F616B3BB086C54F191046BD1782EEE96257960104" "93B3")); test_xof (&nettle_shake256, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("F31639CA0F9455E11389937E9E58792E3D73B9CB950ADBE8066" "07B1AD53D80F2A199F577E278137035136AD2AFE7F8FAFFCF0E" "60F0B2A71E0BD9B938B28FCBA94A912F249FB9AE1779F87BB1A" "A714D1FCC57D4BFB899A233B99586F81F4885DE6693DCE78D9B" "6631957F1689E843C1463045CDA6B921173054E14BE9DBD0688" "90DF88932F68ECEFAB3AD3EECAC1B4C398292446B17E826AA8E" "35F6067C908AFCE46FD92899726677E2C0589F525AE021A22A6" "01839BEAFED00F6A8FF6223FC5A92EBCF6207341B63FA2E66E9" "DEE2FEF1217D9D39915924E522BB52FD29501247B1A7B9DBC06" "678C5F29AF7CEA3D8722374446992A4BFFB0E3E623E881EFA7F" "957DB1946496C2EAAE98F0929EF3DF633E67730D06483770197" "B9DD17C7C9838AA5003C5BDB4BC54E7389D453E769765879485" "ABB3D565749C8CD5E50DA9C4517F31ABBA38F1D7A0FAE0D2816" "CA0BA1DFFE569DF4215D215676DE0FCF55A75FA5F7E899F045A" "4B6051DD9355032DAC56FC56C4988A4C082FB85B74A4C8A407C" "E1A06C344B2E833281CA64C2F23FD8A9F996C563E9AF8742137" "617C0E46C5168E0B43877446E07563DEB3D7654D9EA3C8AE3DE" "C58C5753F34FDED605A49236336F0B355E95DEF3BEA7A367507" "F19F4E0A6DD03ED3090C285F761C48A3D3C5795CF277A87FCA6" "88495EFFDF5D10FBE07840C3F202D85044FA3BC41CDEC4D0AAF" "59BB")); test_xof (&nettle_shake256, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("F04B251F8F1A9FE87E9F8B0BD8A641566174CD2157ADFBA255A" "4DDB7A001ECD9B479B7877C38E487DFF1D830D01DAB9684F143" "8C4812BEF8DA03ECFE57E7EB68A68E4FEFD3E0A70D607EC7710" "2538D5535C293339532953138995CB4F23AF709F5C103E662E7" "EDC447995FE5BC716C7BC482CD0CD13F17AB48D33C8BFAA67AB" "6AD30482B6DB8BA5B1290656BE81E1B543793D47C1D0EE7BC95" "3C812E187535A0659B2CAE6BE47284419744C6AA66B9E53F76B" "9F90D4AEF8DFCB04A98C82FB434C0946E5B98F2C3BF25C128CE" "F77EFB9F6412EB11F36E484FAF2043A40CF44C6C3D28761F9CB" "7149C3DB4620D09B220720767AE41BB097C865720185C19A474" "E4C3D706A636E42050A23766C2FF3A21C4E9DD7AF62F47ECA67" "1F473E2B487A65ABBFCA74CED063E33F75955E9958240BC3907" "BB90EC6F49F384DF5E936AE14FCB308F8ACC1F7A406DA680E4E" "FDC2D2BB74B922C7B49E4972E388596B4F05FBA68ADF9A22FE1" "6737394DFDFFE2F0D32F1283EA81996B8309C2D10D4E32D4B7B" "C3D88484BAB364D0B7E35FF5647053CB34180E037A66349A254" "AE2AA8F81CC7FB5514E76D9A01F96394E3A0044039C452ECF0F" "DF5B8A57A2A5600AB31AFFD1E15D4642F1A37DECA0EC60EF753" "797AD668B7D9F2BC02DE248C719311E5696E11688DDDDF71F2F" "1994331CBCFBB9FF22438825620033734C27F9FE72766BD9C7F" "B021")); test_xof (&nettle_shake256, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("8728A95B55D97271B701B1BF2C2987AB3045D39FE0978C9467C" "41D44C006486CF3CA11B8C0D22C619A8E4652AEBE67FE9FD7D3" "5357633C8E11B865BD4C55571D764E6F92E29B5C93606273522" "A958EEE0CB2315E89A1B5C45E763B145B1166A4717784E993E4" "A7A699FAC6385957AA914BFC856E8CCC62DD39159F0FA5D2F4C" "74A4C9E1F3A1BF04F8D73BA5A3133243973562AFE874C403310" "86E7A9705AC76CE8482B7B029278CA61CF74B5AED280A6E7959" "06C4C3F525C5CB382E55AF0AC5C9EAFDC520B0AC74F14E0203F" "1209FE6641D1D971C76370204FC14BCD6A8223E30CA81B7D9E9" "4F35DC53634646A21C28E873BAF741705E4862AB6945653A312" "125F534A75B6F2D1CD4409D8F842DBDFF9FEA090F6677937DAF" "354F6130ED77C32711AA0C7CD448D92075909ED7CFED67BBD5C" "CEDFA34495624EE4373D66FC2F3B25B78AD6A1A9E9FA9A714EA" "24240161C8CD88F24FE72CC3160D5F68F2387347B580E945F40" "1B0B025A21E97FEEC0D4DCC412D2597504489B3CC20E3C883C0" "D88F26591AB840799B5E9B253FE02656CA6AE1A1EF1BE5F1961" "F29CDBE35A40BDAF2760C7BBF051ECB62322DD178753B3922AF" "4CEF0AFF4955C32F32AC28D3A44B7F1E8CF93FE6547E8C3DD35" "159E92A9F3C6E4CF2A75C97CACC0D732B984A8B7A6AF9B81898" "96FEC2DBBEA60C3B94904F154BDC8FC291E027ED03EEECFED06" "7969")); test_xof (&nettle_shake256, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("B0EE2D0215F195934D2937D523D38F1AF153FC142C04E5D6848" "34596F3B909241938A56209D414BD1AE0CB43EB2B46C314C1A0" "A0B155D432947C318642FE5C5B4FD6D0E4C21A9DC594DB20530" "7B41EFFD14141454EE55DAD5667CC7459D0283CA6652CD5092E" "F8BC35C908ADD07FD5DAED66AFC6740BAEC7FCD64B838368A8F" "F0DCFE25B0D46FEE0B842F9E9F59EEE18D73C2549CCE009C388" "B5A8EBBD54B35676B6140DEED07EFD4624D5A7F816189DFA779" "929C5F6B1B9489E27492AD0F1BD085EE890794529B75E10BA00" "6C1B66F3F662C30DF8B1295E1FFC301DC7060010862CAA14D7F" "A09817F0D91E928ECD89FD8E76E69B3EF4986A15DFFCEDC9AC2" "4E5E28783667731F07998F8A36DA512BB5BA0CE50640A1A5328" "FE037F5872A85288158CD5C66B6C03F1925C12258AC4B5E675A" "CD73716AEAC389F9C235B02FE363A98CB10D9A0B44FEED935AB" "067C2EEB499CA83FEDE967F576681A13C999FC7C1C0FDE2754D" "FBA713453545C6AE722F4FACA5F5F2647378BA9308DC27D91BD" "1538624F459D0769F303AE818CC52647AC15E2AF9BEC6476A23" "2C1AE81BA4B355C9DBCD37323D125228A53086E0AFDC98C95F5" "6E12A48843170E9CAE703F5001B52DA42C0AC9D285C8A13AD72" "0104244F19C30B38CCD620EF8453401CA0FEEBC8B58025BBC6E" "6C2C788899871D3A5A363D51D8991B5CB5085F8AD525A71E985" "B3DE")); test_xof (&nettle_shake256, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("19E39F7444A4A0E1C003631423A621C055D0E07F0E11EF5BE18" "36B71690CB0DE1565684C355EE9F2E6E65983B8101B5100F391" "57DDB8C8D92C736604693ABC56491C58CD66BD66498143554D0" "CE34D601072BF9D0E18EA1B018A7ED9A65EDBD0B81212EC13AB" "745728ED3A328EA157B9C4B3195F8CB8BAD94A977015B94FE80" "50F37A0BC14E58EEC7654B336A9E30BAAD27C441CF8AFE09313" "2234CE47CE3FB3722990F6C5916468B50A13C611B194D148A15" "1B9AC97A89539D1EFD2F9C6F72F56A8D22A557B23EC7D932A6E" "41B3F2C177CA9F2ECC2A1EAD4061DDFC04AB1198DB0E26C4B00" "301E35B18754DF79332A46190ECF89C0DA6834731CD19E2C8DA" "3A09ED16813D2A41F7A0A4ABE02C93F7307FEC1537ABA546865" "A3130D38ECC496E548A8EBD2858EC00A57E15E307C1A35D1355" "B8B97E9DECE5A63AD7CBC97B30F2C9DE69E4975DBACC31E04F1" "5A8C02E5D23ED01506AEFEE60A449DE20C5A50F1208097BDDED" "F6D2CB34036DA708BA53DFF7BD6A1E41057E05BB57B3F756197" "9EB69C40348DEF728BFA8382F5BC8DB63FBC08E6506AD80BCE0" "C71FC94036EEAB1C0C89A2C8AF4002BD15617834A901FFA42AA" "249F7EA700E6FF4B211F7B052ED5BDE9B242C9874ECF39B318A" "3713F1DC3066425ABE76C4AD47F43ECFEDC86A45E1E93544989" "CE7ADEA7E4CB3CF91047C4F9EAD7C98AE963F34E99874B4002E" "3FF1")); test_xof (&nettle_shake256, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("18AF27FE1B4AE8A470778480F2586A370C93640BCDDC33453E6" "F3EA1346B5A4ED3EA3E2EA43B143A22FC66501DD52DF724C0E8" "F222380B4BA8BC23F2967D0A56EC241A0574E2783A461098F26" "3533389D503B5D8550C8F60FD6FE953C5631635B6990434F8C6" "8F8E9AC3701B3600C2D80F5B12D14218481904D1F15A776CFE1" "FA745103B995F9CA8E8E2CA062C5A3F1FDC848BFB0DE4A47EEA" "DA11C51C743CD15C32BF921D07F242B83086660605B29FC36AE" "394C215251B49E9777A93AD91179CFB0551E113DC372F992674" "ADBCC2D90AEBC572B4C82B454CEB33910B60CF81B1BA558C2E0" "1EC1D837FEE34B86124E15D7BEB7155E5456DC94D2427F7D916" "B9C34D24312EB2610A48002415182037AFE89B29DDF5DD7E70B" "28BEC4A1F3FEBD72CCFEE8360E838FD787D0AA2AF3A502D6454" "33AEB1CFF47E8E6769834CF0A2A85BAFE9A89B43302BBC64C88" "AB6FE4712F3181A056921F6AC281C872E3EB21590C50B915F38" "172849CC8415BAD8161DFE0A39C2532A34551441D78825FE790" "4B3FEBD8F645BE5AA6F7DCC6EEF96431086781C17615141D415" "9D6DA40A3A5C22631BDDB7F00040F0D39107BB366D827478515" "48F3ED3DBD028E3261561C8D7FCC077D3905FF42BF3CAA9E351" "207137F7E8271EE970117E56D30B35294E8B91588DD9D990027" "4DBA4108BE1595833284047739DC4E90F9E20BA5EFB2B736DE6" "548C")); test_xof (&nettle_shake256, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("AE82057AC5EA69CC1B5EBAC395B0EFF26850C394AF8178B55AD" "808879AD634569BFD8D0C5F34F9A3B26821F63082C5D2C322F3" "47FA6976AA88ACFA9ED8393E126F7F47DFB523C0560DA535793" "7A74488B51FA67583C7A7E1230C015FB5F233E25B744F2FB683" "0278B123F7784C4F6070C8F905F96486B2D5FE137BE8D57150F" "47CC7DCC0011FD99F35DF4D9E15F0F937762C87153AC17645ED" "67581B38E2B34899A7D726A9ECC1CF2E5198ED5AFF13F2544AA" "A1A069CE8A30CB66E1B984002D20F769C0F94C95F99F914D324" "02741D5C4D631B9D6E561D32D1ADBD1F1DD692BB89F48C6BC4F" "88B669FE4BD2922CE6A3184605053322952E113C98B330385D6" "C4B6527303563DCDF099BC2102F915DDF3BE0989EC8BCEB029C" "E61974AC41A26D6DC7F53405A4F3A9130C5CCEAF71F828B3F7F" "58117EB476A46263423F68ECC3427D9A94C292EF7C4C1D67B32" "3FE15F69894DF362E54B441BA5C94D3E0B56B772AFB5FCBF8CE" "62647DFFD78BA7F48DEDD2E457AE9FEE60580084A05F318907D" "FB90FAAEB9F4D9C160259A6F8523AF77C8CD8AF344F41DD511E" "46C699A8F9A5A85EACA57780005AF313705820D8051D780506D" "02A09B04470398D0AD323ADBAA8B3DBF61AF68D9FD9DF29A76E" "0A37678C08C9D102BA960DB0B5D20B6BCDAD7750D3F8CDE6E99" "4267E190D7F3DA06C36CF7539B6B574034B43F55EF8DD370F72" "7B97")); test_xof (&nettle_shake256, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("39B12FE62B75D707C8E18FE1C8CD23D3C1E15B7F46FFCB24C70" "A1D86604FE6BBC36282595346A3374B0B2305F60CEBD77DE112" "5373F5230535AB0E4BA011C6154F65216CE58A65856C7EF6091" "2877E44ED2527C3038CA202B5445E97BF817BB6419725ABE41E" "A1529B6DDC64920DD8396A7FE3B26054C09E310465BF65AA7B5" "6B1877D949DDA06057B7373023EB09E4CA1790D66A773BF34F1" "B9D4011322E08BBB7139B1750278C2DCE88626AB16813803E32" "0515640DDD9D6A7C5B0DFF8FDB445CD65D6BB454EDF83D6BF4F" "3387CC98E381C65AD3811C8DC3B6A42C203FD2AD6BC464783B0" "73C1A9D37C1D29F85061E9C426DD195A98DF3EB0C2584219628" "57EF89D643F8BB18DB27F339BA178E85144040BBEFEEB116088" "2C3EF2A1C4950873AC4E5C853E48DD7788250DAB58A06BEEE19" "03C2E68FF0F8D7E8F55AEB58CB0D65F5E74FB5E301BAE225831" "4D5B82E3C0D7C7782AA1B34E80BEF2EB258E0BD322451097B0D" "F4532A717E2F0FC166817E2A9E24A318E6A4DB618B6A8382A1B" "D1A600918CA08EBBC224AE9A7C1CCC8978759F512D7A97E4D1F" "05173B33F670BF3C40E2807128F752FD2995EC3A60891575427" "5EBD215821A4F04AD21DD823341B15A484D0C12BB3D829BF99E" "182FE774D2EFC726EB37638CBBB521FF14E10D73C7FFBBD8B79" "EB86470DA14236C087EC3BDD336E8244E780454DA1A8E70524A" "19DA")); test_xof (&nettle_shake256, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("939D443F3AAF7809342B2EC600A9D1A47E0C4195C9E1D95CE22" "F95CB98AA970F4FDD29A7EC9DE471A1C342D4830D20DFC5ABFA" "98F8BFD4CDF752E00BFF151D7CA44D5BBE7AC18A9ECC1157354" "B2055AB08B1AE7B304623D643F6D471F23A82C2E1C67F11D527" "985208C5494138815C3CF6227A6A6FACC9E2A1E3D58B32E2964" "15E5889E58E1DC8657B0324BD1EAC60FF8DB83674B75683348D" "69978F04697A1D1D3E6D29D02094C277CF034D8203DC4D705DF" "8EAB7046C4811C18F2EC906B735BFD1C2AA3306FA0C9AA47E16" "0B6EAB89E0B390F37E53B92A1A160560E9A30EA3F005D100F05" "21AFF20A2DE0ADE53BCBEFC517647C81AB8684B2754FD62E5ED" "A0EBBF56AEED4F4992A0FD4D26AEC29BD186B2E254DA07E1C5A" "D03F8194AB350510998A3BC11F08EF33C61069D1CB7D271F7D7" "C799057E6C2ACC1D3FD8DD666E1B2C2E15CA2F99E55163BB01B" "CA7F9D53F6389704874B3E5DBE6E74D91F110CF8A4D5EACC7A5" "19F664C962B11A48E022CF65D4DB4E4E506951513D83669C786" "FDF84A79AEFDAD75414A6CC82EA84EB3A173E887D39230631B6" "CC2AD26C55C938C6C82181F57820FE88DEA96AEA2B20E330C29" "C09A645134472B1B1303B1F46DA40901A63C079689DB2C84E46" "FC548270FE88A4A2FB5EA27C58A4374F72849B9C5C7C18AE207" "5546868A05EEDC3D867F9601C5C8EE585F14A1E3A84E2FE9A1A" "99A0")); test_xof (&nettle_shake256, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("FE0E80E36E66E0610581835D69A73908F1D951A81DE93FD2BC5" "F10736DEF8A887EEFEDE8BB6074862EEA4BB0F131E48D2C3FDC" "8B8B8B93AEF4C06BF97214F4D0C9000940F81664E04D88316F3" "732B39E7F9685BE377B90FD7343947E7A79FEE7BDF5757C386D" "E6D02035FD4082735CE2FE898F18BDF00F3DF5BD160D792D3A1" "56584EEE92B273F9A52ED221831942EB0F148DFBBDBC2196006" "4D0E9E1CFE4E08C7927FDF1F0956288419B0372D3DFF7D1A252" "8062D31D97D17F7F8CB09ACE01187710E9DC2CD842CC8C09A0D" "1FE34424283FCE75E64446608CAE796C1F6385F989FC93B31F1" "EDC36BD2C3EF3B71D14F25048B2E30A5F279180FF3FD0B8308C" "A93F4D1E72F7F45C7313AB6315D1F0B198F8D5B47742E94EDBD" "33643397661391A82832744EF99CAB293F26C8E9B0F9D6C9C82" "BEEEE0A4B4E6ED3EF2E7395FEF4222F3DF7B032EA28430478C0" "38E45D36379DFD182877F827D86081647DB55B2A05067913DE6" "94F84EE85BCCB1F60902F787CE27407F14C445EB5159BBF643E" "F6195DF2F23B0BC41ED595665D47B91223740709DBC82A86E35" "F615897BCDE5F597FE05047A6CEFD2529394CB85C4945F4188A" "078693C56A6124E040070771A4E509036DF1C9B24E2185908A4" "3E4FF81ADC7D10D5578B00A6DB9FB56CEA6D51590B1CDA9BCEE" "86CBD8263557AAAFB7F81418FB9DCEB0DD67EE6EE7BC761920E" "F784")); test_xof (&nettle_shake256, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("083A1EBA0EE14492AF390762E0673F2B41C1179C8616870FA5A" "A69C40236A6CFF19F322A4FB8AEBDD659C5FFB5F1A953E65FC8" "8C42C12E37FBFFD6184035F0F31AD80F7E257FB2E898C9E5DAA" "5A20603A0EA41FAE59E7684646A826C4501F0A7A8C622CF5A27" "D37E998ED954F0DFDA36A86CE59C8A8DF3DA65DA575DF054192" "69438F0DC0F41FB34064E48BC4EFEEC93BBA805B5DC97F7AEDF" "F9E08E3D4B7E2AAF58747255F09A4B53658D7AE61D97EF42396" "161CBC2080DC7BB7392BFB348AEF7F4B2925CDF9F641F3BFFA3" "F140C0142D0E61CBE3D1DF06B016579A748B56C89D5BA88466D" "B79E891CFA7B70532A4D6649C4176FC21531F62F7BAF5D9EF29" "76227ED6EB614DC44CA99F9580C82418FF886E169506F8BBED5" "68FAEA7CE2551346EFCF70FD5C32B6A30572BB72C87C62B8992" "EDB3DB0B4C3EF8CA466B5144658BC4148909BD8D9E1AB5CE3A1" "801D15F93946217CE9D8C0ED536B3C2E75C17B7FEA2E99820C9" "01E80EFEB0FF7FB8226CAD685CD768A41B8CDE2C5CC8BC44B67" "3CE5C44F63840C99E557F3B45C9EC92981CFDB3E20EE040AF13" "A92DF41E8A0877D0559F6FF5D9DBCA2F53A4E2A8B47218CFAD9" "CA6AE3892F21A0D9C0FE91A4F027BC25985947AF0C906537E82" "7B3C79BBA1F37EE38F2897CBE9ABA9438CCE9D972EC262D358C" "33E2E6F2F814F0E28B4709C2ED119B50594BE98F594CCD2B7D5" "6F03")); test_xof (&nettle_shake256, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("AF0FF42EE50B300F202648FBE2DC08423944429568354570F78" "7B96531A0045C76189E453369381CB7B0A537B9EC05AA22679E" "96C7BD7CA55793DDC73B6C3FAA3A0D2B03D7561D321FCB377A1" "BA87C098D9FCD1C03D7B7BBA6262687D71B1B608BF148694673" "9A69DBE87B95F0E7010103AF17A6B0C50DB308DE00442641B51" "C5852E91E621133EB561C24655C9D59C22B6AEA470E4D235350" "46FB88105E7DDFC08339E99D8A750B641E81EAAB46A18CAE3EF" "AA493790A9E942EEB6990EB0E14BEB6FCDDAAA0BDC5D67BEE8F" "DDF1931201F18D0B0EA4227D1E89BCEE6C293EEAC60D3A724FA" "6FDDA3AF62D5C4C5200E14E2D40F3E031E71A8DE27CE3D3956C" "ABE9C6A5BCD67C0FE25DBBDEB5720B823777815EC277B594C91" "4F07C989824CF0B1060ED0D4B3ECE3FB65A5AE726412E6EB6FC" "F3047C6326922A0BD1BA7604830DC4D4981FF12B0364435544D" "4836505719EEF8BCD246A326CA1A756193FA0A94EBE98A632CE" "5A0D88E115A4CCD1B030EA7B1651F43F22D2D2A530E2821F238" "0857E916920FAB974AEB69FDD7C3AF313B46F2DBD14D5B4BEA5" "14041E015EC93A6A633BD6477DE78B51E592B3D87A708B831A3" "7B70AC70730C606A7C880CE3FBC11B727E25849F2BE6586D32C" "F7F31E20A739CCB25B62C03C1DB5AFA7B1C00B003DD9C5BFA49" "606830CD5A9B9204E1A51EFA571688496D5A49F4733DAAA295A" "EE26")); test_xof (&nettle_shake256, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("95D216D4FB11C900CB83674FCD99D4A0B0909B307A2020BB00D" "6D6A5590B6F82268D377E255BDDD9179249C3769AB3EA09D935" "7447E99F9C8E924FA8C39B378790CB629C46C914EC79BDB4AEF" "7C4D0ED5092B620A3CB3BF6D19DCB0ED4ECFDAFC9C049E7A8ED" "ACD6C91A3C15D7587C58669E0AC51E151B613503DB2AFCA0AE8" "1782CA58BEA22467B9FE7CF5F095B376BADFD9EBC0BDAEDBCC0" "832D80AECDD6919AB2D31646D9426CC46DA1E5398DD475E94FD" "FBA98129C8997AB4EDE6A204C17CAF9B1691160FA4362909B1C" "1BE81420092A8F5005A3FCD26FE0FCDEAD650665E4ED9CD22DB" "75382D898075BD2E68D240E13BC340C6E4A59AE944A626349A3" "E27F9C82F4DEE5B593CBBEBA0A2BA46A5C0FEBC5290675B2FB6" "36EE868AFEBE35F7BD08F1137ACB12C6D8376CC8E737827F199" "C899B3D8AAA937349CC04B3C64691931DC13F10EC5C57F4D5A1" "3A38E26614302C23E30F28AE09669C4A01F7FAC9FF0B2E10683" "43862364E799C63D74C7BFBC5F7CFFE79C24A58BC2CE1041045" "FB01653157C9945B626B3CD315D9D25CB0B694074AE8F29D372" "067C308F6BF0C44CECBE47E5528E0EF9E373DB63E554FDA5212" "E35898975D708652AD71C14A51C6E5E8A04CD9B7365ABD43F61" "FC7B3EFBE60715574C0AD0BCB0C1D53DBF51172E669E35B19F3" "33A3CAEDBC4E08617C47E51AB3863D61A13A8A2B2D5FB54190A" "0B80")); test_xof (&nettle_shake256, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("C2C5A2155AB4FBD3A3997BD00ED2EA8F049205A6E0668DA09E0" "DAAC49484B0168E6767AD78868347272E6D8C97EEF06AD0A3CB" "9FF91678DEC7385124AAC34817A6DD435A0A88DB8E19A4FC75E" "8F9EB34376E8C1CC7951623171DB22DB1CC5DF9D3D607E5FB17" "E450C15A20A748C340A56142289E0B1EC83CE82D7706DDBA124" "759E895CB7B91522BC46E011B4EB98927D860D09BA48EAF80D1" "FFDF9CCA026B5360AC8C2F04E9B0C30582611B8E8085B8E986D" "28C330BCFE80DCF11246D3544F4AE7C655E46654DC5151242CF" "A7B620C429757B1D527071FEE890C73EABF1BD1630DC5BB4621" "ED4C5C6FF7F41F4BCED4D31B215DD2BE6A5952BD06DADC42A35" "5F628616DB922DB19CEC424BFCB893F948F1364AE7BE1F79413" "A879FA372EFBD59F62FC3879FBA03622CF947D0FD2C02460D1D" "735E41ECE1A2AB970FA9784DC67F0F7C2A3A0A5460F1B31029F" "B65D1A9A6809B4F2AE29F3A68CC2C780D0000F0790998C0FEBF" "AA59A1A56CED99F752684AF6DFCE832901B998156C73E007C77" "BF401CFDAB4E6BC582B6CD477FCCBB1549C870FD6E62633B90E" "D103EDB47D749D04C39D2DCAA3DD4793957EFD12D78B73F58D4" "3087F456833432124E312D499779CDAE6332EE8D884F5719D07" "786A7C85A9642FEC61B66834F98C25E0A802B3F84DDE862D912" "7923E3A20E5A20E184984F8661058D53FFAA70C5ABBBCAB51CA" "8E0F")); test_xof (&nettle_shake256, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("B3CC34C482E9402EA5A209CCAF5D017BC118F61E52BEDEE634F" "D56C7616E6ADAED42D02F072AB4EE1D8BCCB8038B00FF3072DC" "D971616FD6A2B0012581638F835E5441842631D12FE303D6E53" "3D22EAB7CFCB702E4BDA509C832BBB5C24EC62A468CA885AB7E" "4E3B951C5380A30CB6F132408D31FADDEC570800B8EB58AAED9" "EBD8A0D6618D439B46F83116715568A5957D2DB94E0C2CDCF98" "21D86A71A96C622BA5C0F7C214375686E71F4AE74FCF5A75A6D" "B5F8EB274E6D93B52A2A5110C0B77A1E21E599ED0ABB78A93A5" "469747A6D1FC4E3E3BAECF8EF33580F00D55CDF9124E2BEEDB8" "814C8F5D5171CF6596DE35AFCE94CEC25FE5D6877F40DAC4B2D" "2FDAA0E98FC08DB03FDAFC3A4A2A98D0E865C99B766F55349B6" "88506D7B701BB01BB06F80D6BE98DD374BD84211C61112DD0B9" "A25EFA21F9804D724154881906A7BF815F206F4AA1175348212" "C54538BEE673B56582501A659061A157444DCE84C226936E99E" "51252418498DFEB02F2DC665B8CC4622C0326978FA7A7A8D171" "D445CEE519A32D81721F99DF529614BF09E4273B24A6809CFAB" "9A1E81E5280C84ED3CBA6D4B232080BDD034F1895F4010BAEF4" "62074898949A1CD5892AEF5DCB2B09D46201509847179505980" "A2846E58DDB22EA9FA0FCBE3AD9DFFAAA42F4FEF4A9DD839149" "5BA470A2EB80D5992DA78DCC8E893C1BA2C909CF8208A18C31E" "BACC")); test_xof (&nettle_shake256, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("1A2EB5A7E3266CDADC696D082DBAD5D9F73777F5B95DAD3E9C6" "A936271F12762FF3E8D1D959ABBAC6933BB19D2A0125AD59477" "611F9F912F935D662ADE6E1E40412BDE3E00A99C06A4906B908" "55AF6095DD7E6114EA48DDC1A76F3C8FFFFDE5AC246F5C0F854" "831EE7B48DF6A32CECEC0E4243A792CE3FCE40BD5AB22838DEC" "6155C817D272F3AD602F58EF870D0126EA18AFD1F1527931C32" "1A8D6DA1BF60665D077AD15EF615584A249ECF7D3728C0E9D3F" "C09BF8D3FBB9D260FA4FF13BBD4DBA6835590D67EABFAFB92CB" "3B0435F26E7EC265F7E2077446E1580FD1747E871D7AD1E992C" "1A909E068CA3F8B8A927053CF31EF7E071D5C7B4044F2CF61DD" "D48E7B7115AE0CC2861DB7E26302DF02CAD460358D06ACB7E2D" "07615C0F3786BA02000893FEBD088584ACA9FBE9F14F85C8894" "3671D24E9CD0B8FA46601C2E40D3177EEB500E8AA2931473DC3" "BC46F71C749C281E02B67D8F0B3D012DE4942B1B3C60A2595E8" "45CA454028489417842D9A6C4706424C5C0A073BFD080E5F820" "CCCEE99CC4FD372B0BBC447C5F3F54D87755C0A59C986D98E31" "6F8F1899821CFAE312B9416A4622786B2910910B86D19692C8A" "7ED50D63E252A3A5655D6E49AF3082BDBBD07690DC6D4EA42F8" "A7BC57DB816929B9FF8375C4596F57D9359F9FCDF8A3FAB33AE" "27624265296A093DBCBDEA292450D345B8116B86FC54A0B4B55" "F12F")); test_xof (&nettle_shake256, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("1E67E9FBB0568660EBA48D1C701D75653D97D9A94E770C355E2" "F3F6DD9B7C3CDC771FE82EC87BEFE4AAB21BA7C689FACF51593" "CB278F7A8A4D81B9CE798CC2FBA50145EEB0DE079F016362FDE" "491620CB0A3C26CB5D5FB09980E783774C8FD2C9D8900EBB103" "D73F0BAB02D0A8E2827D2471DB29F3D6EE5D9D620D4D13D8925" "F1933B1C66869BF74EF967204238E095927961ED5925D1A271B" "9277AB9DD7A30DE1FECD4C6BD9615618BF79850EE7E247121C9" "28AC9BE6F81D2B41378E984F4BA494180D7E45CB7ABB6DE308D" "B53804BCF43DACC10AB3A98157285FBAC9B183AA49EC18E98E9" "B40D12B022F40B213641CB2E18E3303E4C9078DA836466DB8E2" "E85962E5520E9FF66CF99F96E7699212816124313E5BA6347F9" "9DA7109940081419B4EED3F4ED2763D655A00EC6D183CA87907" "4F237BBC49D40D598FF2BD8F47D0D69F2E41397042B4398D4FE" "449CF553F6096BA25C1A2185A13BCE5545FD0DEFE4D11168BD8" "1B85CA5B0502233C43B6E863447578EB6F074EE2EEFBBE6C52D" "0E8B1046F304DE2CAF6484AC24783DD77774F0FAFEBAC731E42" "9DBACB0D95BE662ED9C71FDD6C0E6595CA063C748ECFF992064" "41F8E96C96063EF61D741B4D622B6EF6A6D547B738AB27B50FA" "D2EC5C479EA8069B9D67654C2F12D8232AB8A97C83AF190B8F0" "9E2B8F62B7DAA334DC8F26A3EA62A999433FBA70A27B9CF7FCB" "61A2")); test_xof (&nettle_shake256, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("7204F8652F37D125BF692544B8BA0C8859BEAE66E4B04ADA568" "5C6B4C3C1B8A3825B2AD6BCB2F5443B4C28ADF57388FCFF481C" "A629934CABF872354E4A33942B738CCD4E1941621524E895188" "D2ACC9EFC69DE7A170BC974C430B9830E25DF96097B3785A2F6" "B86F39E59574E1D9C2B91EED2231D4D1AEFBD5DCEE3E5FAA424" "72949D0D19DA8980BFC6276E41DDD600DDF78E82393EEE5A9AE" "0C87578071D667B886EABBE6757A52AF9826F65E7CA80529825" "23F61184B5892465B3F82BAE68FE2FEC1577EB935309EDE8041" "63DEE46EFBF5C93E7A9DC3BA79CD9A866966BA1FC0A721CA4AD" "17364C3A4033E805616FAA6075672DD6FAE31A67D891646B74D" "D8AA916E078BA7736A9B00F73DF90B09732A42E38FE3EC9F8FC" "907A5868CA170C669ABAF99571D14771B91F46C68F57DC6215B" "94DC0BB03F890BDE02DD41CE5D0F8F48E4FDAEAD1F0A05DA9A4" "56DA80B82F44EFA53DB9899F42BA31CECD9D7CE6A5DE33B70DD" "6427D3A9B31C83ADEE1EE073E06EC4238FEE4EA0029876FE6EC" "A5DE76E4D32B65564EFCAA326AF3519EDA46EB3E443A85E78A8" "E26D21B158328A56AF40B07AD19734E341A45A5F43D1EC2C9EF" "FBC7C5DD92ACEF61607F3CFDA8BC72D33C045A6B883972CF4FD" "1282A0ADE3978D1803EE78BC6F6FD297EC9E3052460483DBF79" "E6C35AFDBC10FA87D769AE6A4E2849AD112EDDEC1135CDEC2EC" "FB6C")); test_xof (&nettle_shake256, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("A3D5CFCDCC03334632027FA1B1ADB97C740F9C5D33F0B6D8468" "B4AA9B37A5EAE697D6DE7717B6F7C3E872DCC4A62682DDD76D8" "7657096D143DEDF97F2B9BA36734B9FF5816E247243B1F32F5C" "A122AB49647FDA690B83AE0FEE45625B4A2606C8E366CD5031A" "0C938407CC9421414CE4631477C3D4494570916BB41C60FC05A" "C125A3E81346759DCA0CEBDD763B61493997B774A582475D226" "1F6F8500D2C51C70DE11123756EB6B958EE5F20FB4A49429358" "D743E4B62D76904D23FD5DAC9ECBFF14854BF27DDA819B3F524" "21329B0576CC399EAC734D73FD9BB8729168E35E2A3490D7BFA" "A39E53E54340457AEC4C5C8F4C0FEE9339053646E4D74EF1A14" "06EBA208822B8E66DE410CFCD49A464D9FF545604C26CAA4FE8" "4B018C69BE18112B5C3D7325481078C712979DC88842E2842DF" "19F39025D28FDF45A5DD6E8FD2D12BF27D227E79210F6266B86" "CDC7BC6F81DB57AF57AA252C5BB95A235746B9C869BA7F8C90E" "0AD3F5DED409947173D071DE216ED1B137846752653CC6CFA3C" "52A32AD6CA0BCE29A5B12475C049488F0A79ADF5ADC4510E646" "8E714BBA37C0005A9CFA3DDB24363290A04BAFBBA92BBB2C2E1" "6CDD9D40707C56F49C05C5276C89BEAC3B239DE284867611CA3" "DD8250E8C7FDF522E0E84EA47A3A06554DFFF6B7DA13349A5F3" "6CA447499C45DA4C491DFC113892672B036507FF3A1E7E07B43" "FB95")); test_xof (&nettle_shake256, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("23397CF5C6041FCA9F1503B12A47F1389C4C35301F1747D574B" "48DEB270CC2FD79DA5718D0D5ACB78A7F30782617AA2E03B9F4" "6736620E512A6AA4E55E2B94537A74357E5C1E6216BDA724677" "BFC4CCAC3E3DCF4AE21D7E56D55ED2EFE6FB50A2222E98139DF" "C739FC759BE57963D8427D0B5D2093CF5F42347A6D9832E1FEB" "B4576935FA18E93DDB20E8CEF2F2EBA33C66F1E5741171BB64C" "49F128A7B0A9F095A35F5A20A996A3F9D7A68AB3B0D0F84E8F4" "FD43078A80266377D0D7020DE67E18DE20656BD59B86726C99B" "1DC8FA25B83A1FC8B7C256DDAFCC67540C1287CC377AC10D392" "88CE00839AF31A1C078B403A863171CC669DD72ABF4D48CC72A" "F222FE939A2D75CD7F195D3BD8CF8069F6557F1FB37BC8F9B67" "7865E0D23BDD29C9B240CD2993874FBDD5FD3B8CC57B6226C40" "890057994A2E13129F4613D3ED31EA5804006F5753047F1128F" "9B8C0A7ABA719A1449B3A2D02ACFA0877E81306179F9AB717AC" "84819029006D73D48EE55CA13A3D39ED293AD0AFC8EAC8F8D41" "971242877788EC1286ED35F06330683FE33042A6255835CD54A" "A07C0166350B851F98F2AD2A06FDA56B180F11B9616BB51ED98" "A2FED5BC2F9EEF7046A38754B91543EBE97B8375A81B7FE9CE5" "8DE4DCAFCDF8183541E44CC96F855CAD024C24EA87313DC05EA" "A1D933D6E238E9B3A0B9628239344E8E81B5341D615B63D881F" "FE45")); test_xof (&nettle_shake256, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("3753866FC2D045059FA925412D3FF0FD1254724DEC38E00F109" "6AF36D0A7603903089900F95CF9BCFECEC4CEA14B7D80CB324C" "56E60569AAD9E0F45D3A726F87E6F18559701EE6AE0E7A8622B" "45DCC6991A1FF15DE6B78BBCB96F976089F26A38EF190EE0C60" "9DB54F443F5F1014762F336F62EB5F7CB7B102E99FABD87F36A" "ED3359EB0DBF739DF4EEC4AAC458546C00D16D412841142ACD2" "E08CAADBDDE86843ADD14E3D28426295762E564E1F4854E7C61" "7F48EB6F2FAC79FFA8CDDB09FA09A8DD73EC389285036A52440" "41DBD60AB71F8FB59EB73629BB4A827A7584B20C12B96FB1F0B" "950BD3C87117DA69C7EDA0C1645B6C8C81DA8A6397DD821A983" "DE84390B1CA902F135160DB58F9F7B7AC9D010CE8D6BF713627" "0FAE0D3994F80612BB12916993AA73F22FAE642784D75E1CB5A" "CDBCC20A3AB148D6F3F171402391121BB404F8F576EEFC9ACD1" "903BF9AD2CD4EB1208F143DC84643E52570D406BA31F8DC9F32" "83B2691F826C4ADBAF431EB2F1DE1E860F9B4C0153C9F002C80" "9822875F915F7131EF63262ABBD8BF4A5D9D1699D893435C731" "DE48756C8D03C94D11D1D484DDDBC5C35660B3318468FEFD827" "78CF907FF52D652BCDF68C20349F64006C640E7A544DEC1FE17" "09056FFD9EA7D41590F84F653AD4F7474D008765BFAEFFBA015" "DE99D523A56A6C989BA11AFAE097F4D5FA63F04AE0917212E4E" "AF48")); test_xof (&nettle_shake256, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("2381AA1E335043C1F7360D64C703FCF6190747A616C550F787C" "33A573B2F9E83DE427AD8EE50610A2FBB07AC92E4F912B3E5C1" "0001044FA2CC3FF1C2182C672BC03183AF502D6530443D890AF" "4571611DF65A2FC50879D08E9D664D78D5F81D74957D38726CA" "EE5451AB88DF8853CC4A034065C532346A4F0D548D65745AB64" "9683CFE185C649CEEA12D79E0904E2C059549F895DCB1ED12D1" "CDF00D530D4653B56EF9FCF8D3BCC70FA91397B87F34FF839D3" "C0DEB053D46FDFF9262219004961AF9D03F50E1016E737605F3" "5EDED16ED51F4AA8FFE0A253AA21011DC002C5C0E0B1AC706E5" "3DBFDDCB1B02C0148C3AFA9D69B6CF7A72B1F793EDAC9A99ACC" "99F988EBEE210EE108093CE8EED146FBD98436299B159760EDF" "3D07BFEC6A9C1D844E98DD632B1E773D93B9604CB635457E33C" "063991D2A6D4DD8AA72883FDD742E34ECA12975AFDBFA2EB997" "609F91CB4BD53CA40BA4793B9849ABD509A2B6C01094400526C" "493FF33E0F8F1908BBF783E0DFD92105830947338537C9F7B6B" "2D193CB2923F95CAF113C9248C601EB39147661F7C639FB0528" "1E0728B916C59D98F36DAEC1F61FAD84E7292B6A5821009FCC3" "0EE7267969243B36134675F3C8F1F18E9C341AFEB5377426BB0" "4517D1498FA7A271029936FFBBB4248A786EAB072387B991222" "017025BB84EB4DC084781F21251CD8D8CCEA15EA2C37C89632B" "B67E")); test_xof (&nettle_shake256, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("325A6883E6918057ACC4D7E6863D245ED59957957AF4E8E59EC" "6ECA35EB380641BD39550268A68EBAD703A51F9B47DD05CA256" "81BDC853EF0897CBD4A0DA6BE9E911C26E801DA8F5360140FEA" "2EE9276747E1AD0879FD741E52A7DC8F0EE3CB199826F9C1D39" "7E150641E8EC348300BA4F7EA7746ED0E94520577FDD253E04C" "47223521661A308D1C996A90DF8A9AD18418193D590E75F0F17" "FE0443B5B130C1AABE9F60E538E6193A19690368A2C17516D7F" "EBC3DF95DED8445ECC260BA46156C88B5218E582FEE9EBC4F28" "CC4171936F7C5BEF008D7AD76A70BE3CD3F0701791702A23716" "0798223EEFBFEED7BC108E9C793CC42F93381BB9D5F97103499" "BDA63610303A55088FEF10FEE330C4F35D0A4D0F36C1CA06CD0" "8496DB0D06553BD612848212539DE0D698A530DC287F2FBADDE" "DBAAEF0195E050E3968850FE8E1C72F8E3F11F24BCAC475593A" "A28AB2CC69C3FE6F3ED03A38D8B278FD678697A3F6DFED6CD52" "AFA4E9947CA56D1CDF10ECEF90BA6EF87D9C2765F2777C14323" "25C464C685557129808CE3B91310C301547B673D498A4105833" "4562074A3BD3C64FC8B02BEE8EA642B12783ED71E990CA90B95" "B7020D5458FFAC57BD93F882F3EADD4707C98591CAA667BB0DA" "EE9880C3549FE9DDF7C9314387A85D308516C64FF98CCE50E25" "3CDC710927DDA784DEEC547C4442A0818045696F4D4BA4E0D72" "9D13")); test_xof (&nettle_shake256, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("0E479E6C1C78B597DE67FF30F0BE1D251DC86FF0AB0F4D5C6F6" "4BDEFDCD6A77DAF29B772FCAB3EED9344D32BC3ED616C10F69C" "F4AB3B34709F3941F3951FCA1A173CA2CD707FA41B8E4586343" "77596865BEF5CC8A3CF52C0ECDA7CCC0DFD8AA8CE0CD7CC1917" "A7BB9A3BC9084AFE456E5DC02569B3FA4D9B9DA03B8E4B223F7" "CF033C1A8BBD6002B3A457C0DE35A222A30A0E86F3EF9C9F255" "D449CE4EF5AFB51577391574F8271E07EA98820E0308EE56B1E" "EA91B35058030AB6AFDE356CC83D526BDAE2E55B1AD4E4D8016" "FEF14247BC7D95C34F06DAB7D9FFD1A9FEF761AE01F8DEE1D46" "75172C1F0CA15361CBA994EF062596BB767C52A275792F48B19" "1B1078968C1793A9D274166DB592267E1822585FCB1A9734D4B" "503F5E1CB0754A7D9F47359CC91E0646C4A2E754A29584363ED" "4C8C806797FD102D6220DE1814E665409104D32BE7A346D3B12" "6FCD51F55E5625A6BCAAB74F0E69BA1F75A4D5C4625E2F5AE12" "4CEC4EA6A702858A3B03CBCB0B014D3D841CD7A87D02C622F96" "AAF3AAD96A62939602A2AA1F9D88DC555038560217BAAB657EE" "87367E05345E1612532F9B6D83043DB59837E1F75D82B8149B9" "3F1105BE13BF51E20F18CECD5DF87067A0716D3F860DE8C998A" "487C8A197149E7C8AF4B414217B8579C314F698FD6A3B612B2D" "D67FF6E3471856FD9F66799FCEE14627293EA94D1C32D915CB8" "1C5C")); test_xof (&nettle_shake256, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("0A5995025C3DD9437884196FF09C0B92B5B0B51B59D0C3C9041" "AB172A1685DDCB3B0324186F11E2D7DCB6851F888ADE6805249" "7BD16C4F1D98DC468D833E4AFDD2A9E3DADCFD188C9B1E35BA9" "FB9549F88C8C7C74352A7B420C1019D2E7CDF02601E5609635E" "AD96CC57FE29A5AD98B2FFF301B3640BA441CBBED877477C0DC" "1D6143454456C0EFEA8C4038281E97C02774A7ED709A446941A" "2819F3372E18BC1A6C119EB24CD16A623CBF91816CF2921D2FC" "65DEAC91F3E0EF24F97CA518D167F295454AF8208AB25540228" "A9AB1BFD0ED0C8D09AE579B7116389B9BAA6EE388612F323D1E" "1627D1667F4E524C562B0993A807BAA0E81D02241049A4C0BC8" "EC95701E9CB045A91C4340D8C3067686347867D4FD94D48C566" "672DA8C89468D71B488F7D5E1409B3F1AA17B019C57D5A94C01" "53A887EA366253DAD36E9ECBB20DE67E5F09F4516DAF9376170" "0BB4E094B88ED56CF935F9D0E5454D2168FE5F5CE0682838386" "AD55B4C664526B48138EC270BE30135ED84A63FE04CFB99DBCE" "6B70CBDB32110F954491044970D3AAFB62B5123F2B43F3B8275" "CD2D1034068864A94A1B63532F31D2E65B9C197E13199F86638" "808D17DC9E3D914AC6E078CDE60A1EF9DB9F94E56C29F385418" "AAB5F5D5CC324F0B1E2B9F9CC9259971FC57A2BD18686045E04" "A3A74C3606B8EDE2E2E49E2B3F01CEB4B4516E695388AE331CE" "C186")); test_xof (&nettle_shake256, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("9FF0E63D6E1BD2C9B671298EF08FB86024EECF3A41662D465D8" "011E44C55E4312A2F4680A92984471B885FD730A3C3AAA6329C" "CC06E9684350543475D8CFE2F18079DAFAB03B9AA1368AAFD26" "5C5ED3D0D160EF317BF5CA211642F7C86D4C59504C8E6D8EF5D" "52C7770659C91AE1121EABCE4318D58F2644DF56D18909EC977" "D75D27D25D291EC706A39A3EB13E49691F6C3188C300B827E3A" "D1F6F8088318DA476D07666AE4192C08D4AB797E53445239CEA" "485704F0266C49ACD7ED67D24DA7333AF799B40B301AAD88837" "03F03869628F8F1513629FF0888656782C23D43D435962A022B" "D19FD7E4AF8BE40CF34ABDB1D0DBAC698079312CDFD5B01D166" "E6933DE574914A62472C5B2954740A5A26217E9A67329CF4720" "5701D8BAF5E660E231E16BB87EFDFCCA4E982F44CAD53B2893A" "83DFE251ACE8C49B225C3E929221D4FBE452CBBEE2F6E59F786" "8F876E20AF55F8B1DCB4AD5CCE9F0B8966D51128D08698AD8FB" "267D3164023985F5F5E48A237F4B638437E074FA4CF83030DA5" "846E64E03A23ED2EE12EE42646D1075B8F91B861D6DAA8BBDB0" "7FBD56AC72FE8675031C1CD0622AFFDFC9227F4DCBB642146F8" "7D2930B859181CF5AD7D6AFCC87BB905AD387AC8B8A7DA70CE6" "26CBE3E13E115572780D38DCE4F3AA6A95641842109B9750AD3" "FB5F711E1F1363119BEA84B4589D0B7287BB4CD094564DB6325" "1CFD")); test_xof (&nettle_shake256, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("9EC7D516BB276EE7BE68912E86FCD71EE08EA4BCB5A44B9520E" "84F7433811160E5A742BF8E444329F4FBE22D72F002F82459DD" "538D7C26401399B8882463CBCBF2457A7080F8ECC02A05F357B" "AF6BF8DE31984ABBFF66AD082CB995A180D7455BDFBAFAA83B7" "4CD95488CD8F5CFCE16EBB2D9F08E54BA341345648D0FC55700" "2487FE6F0D0418858698CAA9FD4171CCF3880FC0A9E751BFB56" "6BA907E13BB78A19E7D0CC543F9B7303C74BD957149BC505530" "B246A8D41638023B83B84BEEC79A91CD21D3982B7E57582780C" "92BE8CA813218B287C280A42E73DEB3A84F1027010F79EA2CE9" "D4EE57DE696DD1D4A13F099E4E1CF4BC7CCEAE2C7A454775628" "D09FDCDC55C6B38F545566682D3546A6F6AA8B57D44EDC36B0C" "4B9C1B92CC2465B6BC7091EB78CA0030DB7D7E31805AB459040" "494DF1120307A2DE8315C3CE802491EBB0FF3F83FCF2F99D9F5" "69D3E3F32F0CAF2D7D6057FFB6183D274919B9D4B4CBEB125C9" "002A816A83941ABB5120AD9AF40A76398D31B07E464482FAAC7" "67BFEC63CC221DB2A54860BED4D5E9405821CB176B47838249C" "689FF1D9990CB3CEC4EF1A0D9280F35E8F23246537313B77F26" "D517221F0A21E7E6D4D28D88632B44D7F1C381F8E7442A71C0B" "0473F7BC702326364489A943B6A0CD0A8B868F21D7F26A1AA3B" "8C7A4C7CEB574FC2B266CD8067D83A53AD469DFFCA9088ECE43" "9207")); test_xof (&nettle_shake256, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("045E2BEF203B8E72121FC29E68F01176B8AD2E0F24352FE555C" "9F0B70FFB38AAFDDAE1B2FA04C3BC2DABAF4BF3BACDF7658A62" "3446FD6840536572EFF9393F5AB66C080A68D2341AF34AA2A13" "B6EB57D8DC6CAACCABAEA593970B4D91A3B861AEE0B6E53F326" "3DA68DDF75CDE76E5BD94AFB4AC78ABED89788BA89804D6F199" "7684CFFED40B3761A782E3EC1F1A1FF12F8151E91A935A088D2" "AA2311C43FD731CEF31503C775781EF5724508B910976DD89EC" "BFE79B17F1813B01B82B6DCCEAADD6615CFB8D2EEA27EC7377F" "8911A39E9A15E622F3A91F88333811CDA86007E57EE652797BF" "9177C898CD8951B8C123B8188BDB2E60D32493F4E94C34B9FF3" "A00893795AE0028061050E9C03A53AC787787A332DD4C75FECC" "1B7AC1E6DA30E69A46DC94C87368C2150EEB3717582D5E5851B" "B5695CCB416E4D8462F0448E0D711B42F1B6FA0DBAD40E96C6B" "69E67BB1907B460DC319B8F01591867C73655F8A28F594EA245" "8E163EF0D562B36580AABC8E9FCCE61D09CD83BC4DEC826C8F7" "DBD76028588BC905777AB6B5A5DBE81665971B23C94DBAE8B51" "3AFD7DF0B6C83469ACD22CBEF596359BA0203C6F320983A5527" "4812B49E7663A6F48B420748AB10062EBCA4DCE4440D1EF9B72" "BF4E121B76075D209EB82DE30C074CFFF86CC28E464A6959691" "C66DB995C279BF50CE2ABECB94CBC850A33315E4ECF650FFC27" "1DAD")); test_xof (&nettle_shake256, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("7FD29D970989B8F0DAD5286CD8CE7F5E793B80EF8F62506F75A" "119FB3ACB39D726CDBE6F4914F8A5930D30A0AC1E36E285AED4" "90CD30FE63A2713AB0DD473A7A764A19A70BBD9AD5BCB2B2A0A" "D63A84FAD80466D1C9F513D4336E3D6C7F93645C3FA30AC5A54" "B46205322265D3EDBE4C8C58B5D8AEA1856D2FA81C81E12F27E" "ADE6958F014ED3FA3C844A65321EAF484A2E7543D362627F2CB" "C4A83415FA3CA616B9CD7EA8CD1724F426C0161AE41CE8175F0" "598FE4AAE91A3F12D6C8659B063FF5C64FED548C206329F0C5D" "A4AEFBAD704D16A1B67A38D807E64F03A3A9DAE4B464C78462B" "842B0DAE0036EB466AC7CBDA234F2DE626D14764F6F49A8AFEB" "062402CC9DBA983268333225A6678D2FD9E506ECE66135E6AFE" "7A9DC3A16295F71440ED04E8E391EDC134E91C1699F0D31F81F" "CA6105F485566C13A93A2DB218DBE8D64F4B2E242462A67FE3A" "98A785BF276E510ADA824E88C5ADBD9889EF2857D5347544E43" "1603E717EC7A7D17C98A7C326C0A4A83955C7EE31379B241C2F" "2ABE038B2357D3A9D940D875F2A5634CB47255DC92FF11AB7DA" "C4D675E13134C24FF7B058C2F99C985840287CB3009B6CC3D75" "AA5E79C29C68DFFD9D95E37592B6036A4CEEC5E34EEC8DE7EBC" "A4B80F0E103CF07D46E73734C831C0CC2B6E31C14F304D88D77" "D433699FFEA902058F8F4ED0FC7AFBC4874CD6786E6D82A9689" "3A68")); test_xof (&nettle_shake256, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("EFA2939B59DC8F3527C78E384B1CF12C7E184687A0C3A1FD9FF" "B9797D72F13DF8E199B2916A6BA82FD7A914703687EE707C6F8" "7845442DECA59F08E1D5DEF48BCC43BB1A64744D4DD020C8666" "27AE212E5FF4EF9F63C14D2D1CFBB404E03573F9D110001ABD1" "56754EF41A4C48E664E31B5922A27BBA26D2B3AC79F57720A41" "90AE55A5634AF6E43CDFB87450EE8CC690749A45367250A44B0" "7E54FC1CA8EC1CACCC979751544568F0117AEBBE6F5415A3524" "4A9255FB023E7C30B013D6C47DE992141929F25B3A43DA91CF8" "853EC88BA42DA3B17CF27351785BB16849E6BA680745F0294A8" "5601D5A08CC924BB962CD8B67EE0667AF1E118E2E5144169DA0" "FBF03C974ECB202FFC473315185723B57521737CDFBCE99DDB8" "1F88D81C71C5F02AC5DB801437D46DAF31BB9308074A21DA98F" "6899F6280E449C1B55CEB3E04522D038307AABE964B720AB331" "A172A53CCEF174A82F046F42820D11947D1B316EDF390C86EAB" "E22408E0008F396A0E7F3D51B9988CD2FFBC49869FE0EC03A33" "8A1A8E0A663246A37DEA111DE5249196114996102223D628AB7" "0FB7F53B842B60F375DD6779D9426AEBAEE547662B6962E3610" "09C83CDCEF6D8BC6311CC1760E784CB3CF6241257EBE14FD955" "0EC8316D95508390909BCD23EF9F78CDCB485E4C403671E5F20" "E7EAF4E0C06344D54E157791FC1B581AAC0C4EF947ACCB642E7" "8CFB")); test_xof (&nettle_shake256, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("97922E827163B8869D9A7654AE4532EA26F9895625152012F14" "7BE1E818DF802689D96B469C8B0E9010D0423DA90AB6EED2C83" "5A01CA4C386C630A22D885B511F12799EACEA96D157A4432A32" "0F3EC1CBBB6B8EFEDE3E92D99B1E79389B93AF7ACB27D7DC97C" "F88485DE6C85400A2DD88ACA540B3C921180002847B34A45446" "5D014F4742815EC64F5FBFED6229294BA5EA89211E35327CDBA" "C7CE85565EB8F23C4154AFEC0DEE188E9D854ED56BCA174E14F" "EFCD0ED039B8DDAC3A3242CEB72D9116482F8B750A126505397" "ED261D7CDFE88F8E2F4E4A80628D66A7676E28D4E68C3E97A47" "C3844FB06692E5F4664B8A583A1836ADA9AEC095D011F12B3AD" "6688B0039B1B74D016F1BD477C932DDC1944B5F301F4D5690E2" "12E45D26908BA09C52D6CA22098B7A080B0056F0CB891411D0B" "041CEA27030A2F9066AAF58CA5357344DD9AEA0B0D80932E98E" "205EE315312D19413240B2EC4B854C21BC2DC16040718D25095" "15BD45B6557083677C1882D48F687EA0EA86B05CC3F5E330DD4" "BCC17E5B4F2CC4F2C64773EDF3045FA48C53081929ECF31E84A" "905586D3AFB3120031FF75ABD8CDAD7CEE66386A7A718A90B98" "EE970864A167FA48BB7A3F78ADCC2105E0FEB27414B1B6C59C7" "BE5F7509E55D561C32523FC8C1C12628EE642D9A69F7D300B49" "A5B6551B487655B21FDC690F865196A35F138BB8E69571280FE" "F496")); test_xof (&nettle_shake256, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("289C52C39044BCE5CE8D320E2AC43DDF8DBB4A5E6698D536E30" "4424CDDC251F7B181F58AD4948360972835CFA265E9B658F6F7" "D4B7BD92D68E75F0DA84F47C969C7F12CF5170117B7EEED8B77" "E3AEF06E52ADBF8F0EE6AD01DE3EC5E726BAE631A68F6FF364B" "AA1754D928386496010F0EE59390E041CC0A6EB8F3864087BF7" "BA5A57A116808BD496632081400B89CCB2A8A8EC795BF07C609" "51B46815E6BA72DB555B9CC03CAAC4BB8D60BAD5EC6C5E48D66" "F4C5B2D1669115E0F0BC80106EF06D48BA29E2899C0EF4D5C5F" "4E29CB29C8F578A824CD462A4018E889B67DA31A90BC58178D9" "04C43296E4D3F4977F0CC1009FE51F37B2F8979C97DACC92C8D" "0E0FC45A004928F96260FE2A6F27DA15307AF55EFFBAC4814C9" "F4446253064897FA1E1747FE65E4C406A3879F8E2EBE5CFDE37" "65F2D7A2065A6E0D38B6B6A5F9FC3EC3CB1B35D33386EA75EDC" "E250D5917A17A6CB9D1517684472FCDF27D61BD03F4BB43C3A6" "359286E73B67D1A618A75EFC9AE2212BB507DD1BCB12D0B11FE" "2030BAC84DEC40D04324C8354C3F3C6ED79D7257B8A189C565A" "41F72AE3585A9BD91C9FD43184814BD64F7303607CD02B6613B" "E736BD13B3AA8C668F91F398A8F5AA6BF8EF4D9058637FAA3F0" "F0710ED60C2FA0F6DCE8EF0675EFA719EB03FEA27ABDE60C5B3" "81EF4026FCEF49AC245483DA8B9B50DADCC310CD15C61E7A0AE" "AA6F")); test_xof (&nettle_shake256, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("03E492E2E4C353A74245745981AEE10CB10ECD72015FC37621D" "2E07411AAB55DAAEAE78EC376CB20F268FE40392876A29B4163" "C3F1732FB58FBE26379F88C4388513C9E65DFB7A4B76DBA139B" "28673EA6691096EC526DE0084FBC516360B07ADC853A690264E" "C8C6E7F200D71B593FAAE6723C0A08B7CAC263D7F7DC5376B51" "A2C7C640359721FA93A950A7A1F07F366B0FCD5C79471EE237D" "11936B763840173710FB8CFE41DA287F61D13FBB174B451F30D" "A1A1FB0F02C2B34689A725B1F86A96247E6F48897E524E84D91" "BCC9F08DEAF189EFA84AF2A32DA7480ADA982E579A832FC3CB1" "FED55E8D0D4AA710EA5B0B779CF0667ECBE9F5827FD0ADF6FA6" "D98DEFDC0A3F3E84D5AE28D676CE703E1F060E4BAE4C0D931F8" "4A76C2777D71B02F0DFD3DD00604C6EBB32642A9EBE9D34601F" "B78AE60145E32B6AD2A362BFF609CB2EFCDC66781B5AE2976F0" "249FDA97DCC06A8F7CEBDB32A2849B61142A7E55CD15FF51A82" "1D233B3C35D9F69D47ABB6D2B55169AEA211A67475FD48D39B6" "863EF6E4ADAE89530B0A84F6D6AA9B0475289C084AE2E607878" "5289E03C6440DBEE352B9D39D11C9300730E4D224FE008696B8" "F27F6A9261C30C577B48401B2E90ED5830BD38C13416D19F9B6" "EC96F235F7A0571961F18C0F3A977740E9F5CC9CE62F695F9A9" "F797A33A2FB247A62BC635449E4FFEB2F24298BDB152E777226" "0F9E")); test_xof (&nettle_shake256, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("6C937D60095B762B69A69116DDE17251B6FC76117D2173E0702" "408BFD8A215A057F25D720FAB9410BF39EC033D68CC87572C7F" "C8B3C920C720C0A34FF468711F32753E8E6813D9D8ABC30AC3A" "5EA3F6509A22E01A389399FA09052465316BE70501B70CEBC21" "B5CE57FD935F7A265FB101232E95289E4234B43AC0BB45BFB8A" "29489E7C3410F4A64028CA7BDEB97B327193A30FCC54F1A9835" "E5BF497E0BBDE269E3F01BAD497AC3E09425B7E4D5D5A345B9C" "DC256683C3D73722B6B33F525DFDF21106574ED3A1B38990C0A" "18AEAA51621C6D603D58AAE2B1D89F57E802E66F8A7122BF4C4" "C1DF38FF9B147BBD4D084E119298C9C4AF1BC6390AAC20BD1DB" "5E68EAA7361601A40119A51EF26E2328F6CD52874E6F24B3460" "A7D531DBC5DE94B0D62C35C6F56D4E8984B20BE06A248E59754" "3E29C314D67DB0B112E158321E6BC9494E14C9E33705E678AF9" "A6DC44BB567146E6D03AE590CF76C76398A4D5BFB9F0F12CB70" "7EC79BB52B5488DBCF1A19623C9777F30F153C3E71E5F9A4841" "E1F53E88421947903C9DBB58CDF75CAD297755B704E6919F25E" "BF43520CEF6D71FD41AAD277AAB2BBC86B997B6A35C4C1A8B8C" "04E6C7741E88CE198A650841997287E53CF24A2FD939F1AEF79" "AC90DC787789AE0B344B658BF493F6DA6EF59112EF76FD39A8E" "0CF7973E002FC7AC455CC4FD98C0030C7C76178D1EDD1AB12E3" "493E")); test_xof (&nettle_shake256, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("176C854006AC910006248F1CEFFCF0BCA14015B7939B0065E59" "A838F213B9ED46C68A377AC3110DD08AE358D4C3C926D262A49" "06C196822D2D2031990D1F02B472B635EBD7B48AD7469671EA8" "5683328A949C4B01E9AFDD0E780EC10F2A6EECD0524B77E6C98" "93416EB73C53286CD52DCE11550E96B70154F0A06521195B7BF" "6B260AD67D85FD2D3BA79D96B3C84D2EAF96350342FB33CBF5E" "4DC12D7F7B6C5AA0F82AE2864A38026B6392DEB539637D323C5" "A246EBB7A87EC7048DFCEC1DCA98D3239FF560598AC31D0E722" "9EE0A36BD7500B991BADC5F7275BD650DE740DAE8421E1A7230" "13C9E52AF448E21919EC70FCF5D4C5FD888B96676E65B6C52D2" "353FE5D3D1423A73410234A2FF632CB09E922656FC233BE050F" "BAB499D3B0864439F79B56DF983CC67FC460B027AD14B8E112F" "898771545061DDF52652DD14AA034137764DEE5F896E3FCCA26" "F70B63B37CD8D8DF7106876F4EAECF211875D4A3392E09B8E42" "19326BA939DF7500183C3F039D1586D00BD36FBB97835FC4C73" "845DAB9639A0231C27E3C3815B4478780CD646F1157BBDA4725" "77FAA829F8B13E2C8DA1F7685719F8B979E895996DD05D1BC5F" "0ED8F8F302E38E44A0F5174FCEB3253EE9CEA73315A1DD655E9" "A6BB59A3B67F5F15F41A8E483D8C98733916638D5E8EFBEA8C5" "BBA2000D2DDF330EAF3DB1E9A6072E5BBFDD5FD201F8A13800E" "7719")); test_xof (&nettle_shake256, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("F59CA6ABC514DF7EE5AF9B918A5355CAE65ADDCA95C80866EDE" "16594F5147DED549BB9187E4F51535D3EEFC20F59703E1EF74B" "86ADC45F8DE3265207B5A3B4223C3B70E9A9B24F08C2B1F15F8" "58763381C89F2AB14AEC657E7E4CCADB9EAE9348B26450E9CAB" "F9B54A56893796B2D4C04AA2B3B741D6F85E9A8CB6FBB0DD91F" "FB91E9B179D5692F9C689C4315ACE33C2E7934D49183A5305B8" "F50051242D73A225C557D787BAC8894D5987C8B4C91502C295F" "DEBB492285561286262DA7A78A87F068E07B4CBF82344E6FBA3" "C8B70A7CAE9023BB004C18A446DF8432C895A531DCAAB8D910C" "5623651A362C4E2034A314F00154A421DA604CBAAB56B40F9F3" "242E8F61CC9A9AB4C91304588AF9805180C8ADBFCD727C20D38" "F2DFDC24CC1A84FFFF83CDE8F94359AC5D1848D3385B419EAFA" "F09EF0317F99409F732EBAF75A7FCC74A4F0B7D038626078C8A" "775B1EE75591C6CF99EE2754EEEEA7DC9FB382F25F55D030293" "D53ED2F9D9DDAECB41172387FB19731639B37E3A26AF58B033E" "850880FFCA4EBACB945F7D445983042FD3EBF4F70DC2BF0E95A" "7CA9DA3C8F094BC937568A03486EBC127ABF44D150AC6DC0B70" "80A41884102172D6E6B6D819AB088CA55287D6912018B5D7F4C" "0C2A6973E532B40F9D0402C1525B2E7E11A948A5C833EFD7788" "B3CDA4501DD7884AEACD53B503313500C3D4ADAFFFFC69A2EAA" "EEDC")); test_xof (&nettle_shake256, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("A8C3DD2CB2C0B8CD01C2550A1C20308B3A4280AAF80447484DC" "DFC69B5C2C2FBA310272E606D1CFB61D078E2D860F1A056A3E0" "86AF9D7485611D64D1CE5F850B91920E778010A23390033DC15" "E372AF077611C9B5A945981CD27801C9B701D892143DA0F882C" "5D8F7F06B72B7107FBD22A4D890D1B00857FDE7E9B188088CCC" "9A67BC12B0A496F3FAC72789E7E52ED7CBF36BC7B846F0B4D3A" "221A8297A4BE76A1658A1547B32F534FD13C466BF1803C13005" "93F8C53CB5530632DABC03ACB369D7E87CDD61EA7DB6D5980C6" "8F00AD5D28F50B5B499A373DAE132811C5DAFBBEDCA231E7461" "0271BCD0E733A59D5ED6A6EE77AB4EE0D64CB00AC7EC586AD30" "F1F3BF5066268519209A9EE408B0DBB1E6E7CAFB63BCA7742A5" "A7C78D7933B30CDCE0F8B502E3666FBA0C2CAAB6CB0826641A7" "4C02E5F9DF0616C001273487487C2EB693E8818A281CB58D10E" "0F911FA8EDA5DEF3CEA2136197E79A17F58E56C4262F3BDDD87" "D9BD40AA21762C43F7091659693D2BF5D8BC03632EAD0C680B6" "EBE53EADFED63727143FE47684188ADA6391EFEDB6A59770DA4" "06B00905C124680B3B23D54C0255967C3BA8722DDF064F10F32" "53972C0A4FF5B1BA17F8B9247E2D81FA1E4F7E3BD064E71A3F4" "F18858D040027B45CBFBAE7CC6F04C125B867CCF3513C40F008" "C2C961020B597F864BFF2347B8ECDCBF4AE460B1915A5A5EB98" "AD31")); test_xof (&nettle_shake256, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("066F28311FEED21D06D61EEF566DEEC1F88E8D99DA9F6AE33E5" "0321FBF7C1C458DB1E0C85C2685E806C583336F5620F44FF355" "96A725D37B1A7F149B30EEE6EDF2C46EE8F7FF1B51D5ABBC09E" "AD9AEF74188FBA0EFEB82DF86C304BF505FB02FF05B1797A7EB" "3549EB9E74BF685B15FE615BC7FAB569A2E8EAC5136F97E3939" "7E091F97D7C11D8E6B6390961C0A1A08D2A75D00CB679C87087" "9C24A4AD0FB4EEF187E60297668634F06B7F2D98B85CDCEEC84" "2DB321CC7B7823D8F332FF5AB7C44D9F862B61D3423ACA66392" "9EEA2B47C9C78F890D50A4FD04079D4F77A9B303FBCA8A852D5" "CBE0B09DF7DCD2178C8450370F60CE76AFECCFD3B4B346C7963" "1439D879109357FAB4ADE37832D42D70B6390176FD864251FC6" "5B695DB788F535B76077E3F69B1B2BB2BD26BBC0D1273109F71" "199A58053A8AB6D33C9A75B8C7D4423A330D03C5BF6A2B2CE43" "F27536AAC58D9D7CA8397BAE7C6C96D7279C19ACE6F7487412C" "7370992FAFCE97342E145795D7CD22F2135D627F5BD528FA351" "1B3EFCAA28ADA12B8F229BB594E802615A213D21CFDA091B736" "DAA0B18D9E77E9AD98441F23926F6C06DECA62BB91F6430352E" "857AA1488B82820F3624BE30E7ABD2785E8E9D6A3CBA0A926AE" "425253E1417AD70F80C1CFE49C730E1B287EF47FE65255AAEF1" "408C66F622CD1B6484FEC1675F1A74AFCC349EF4746B4468DAB" "F577")); test_xof (&nettle_shake256, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("DC2A3560C3644C4ED659240CC9B275B7163F5C88B28839FA74F" "CA4A055B265E8E8DE186EC35097511D12F125B9EDAC4665EFE2" "E41DEFFFD4FECA65386D9A5B06DDE6B1AD1F70772ECC871C445" "29D413C603D7D8BF2CFDDC72C11D3B9684CDF4696EBEE1A88F9" "39A997802AEE46BBE7ABE0915C4DF68C43EB06A1412C690EDEF" "8FD21F94D16EC47D42168C30B8A3C2A87E348352200040CEC76" "97835DD66A8E0596DB943ACD2BA8424A7D031C5AD0322C913AA" "9B11C4C1E09ACCF8B941FDA2CEFFAC3F38BD43FEB3E67D002E8" "D45D9C091D287A5F6C4B70A58129867C46FF1E98D402202C27E" "088DA5063157E0BE4A7C82638EB623947A59D15B1FBC965A734" "49711FEEEF521B61C4F94B7AFB015185BC7C696200F10C2657E" "233F643C0B20A72EE57E7E17EC806B0B4A128F9F0F6BAF129CC" "D82B19FCC72F62FA10456CBE37317BDE49BA0EE9FD83559E322" "04387CBB5D26064127448D2F2702CB37C3CA5B49989C7B90385" "4907E1A748FD9E589A01EEDA6FB374178CE57C6027334399A78" "96C91FBA3F8C2EC917F2FDE3942D60FD37BEFDA64909A34F5D8" "BDEEEC6DEDAD93894E9C6A894637B8193895973C5DD8424326B" "592723C06583F683281AA90C3FB3A754AC8AEF614DC30DC608A" "D26EAAB42B4899137F4D42E4142F93706F88C8C98BB6B15E099" "2834785A27FFCC9FC2037A3A3B4B3C262ADE59E3A6718C79A8C" "0C82")); test_xof (&nettle_shake256, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("5D5AE597772925F37C5D78176E15392BD53FB65B2925BF589DD" "F97D92EE412F2847ACE1B5A4A22515C910A0A7479AD4CFF5948" "C4A736EF021F062850383EA778389BF5F33C5357CE1D11D11DE" "27BDD076720692737E5887B0FC6B8FA46F2675650072848E26D" "94D596B921280649389A9C1621037AE9D91D460BDA8FEBDA762" "7C181F8EBB77F43DE66F9D64EF1D7CB66622E13FACEEBC7AB34" "6C0C71A1FAA0DF2659D980AE4ACF04317379B81DBF8E9206F66" "7EBCD2A8D736766D2FC64EA442A4BA0E331E7D3EC0AB1618BD9" "0A9B97A4AB6556EB09DA3C551AC3F2714BE4CB094AC454F0DEB" "D1964ECF15118F677464C60108A87E8895046269DB21168E35E" "C4DFF11487E93B49A8FAEE8EE6C3FF05394D1D0C9030123CBFB" "9576C9015C30F9DA04331C995101F4589D27CE664D2D6928C80" "3EE6ED655B661F286F12499427B0B3D4C19A870CC6065528D0D" "482FAE121766275ACD12731B127C454D17BBD32F779BDFD59D2" "221CC923764A023D48A109F259C2C4D9213E35411A7E4F03C18" "78E576F9AF4B84A983F64ED1255EE7CA9A4696762701950C97F" "374F207ACF4023C0E42651C650C330EBA2A7773AF833A9A7B1C" "9360BEC7FD788DB63AF83B699E1BAC014A86AE976F15809E4DF" "C8EB8225DE57C97CCCD0683ED0BEB67B752A6BD5EF128D9BC6A" "D343B04AEAE8C76D7A24E3025D436ECD9F03432991A19D1B164" "2AF5")); test_xof (&nettle_shake256, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("B34E968BDD16E68C71ED69202A38C554F8362FA382F1DECCF89" "536B0D2FFA7CF8725CEC1D2D7AF57665496B643E8206566F8CB" "E4CBC42DB65481750319BBF37D9DEF13D050B2DAC53E163AC36" "5E81AAE03BDB40B67D0786EDEFC2B339FEE7176DEDC90C92B16" "A726E61A3E4AB5B29741869A4E8FF254D335C62053EE9FCB5BA" "D309B11B916EDE9BA5D1594B0ABBCF73A7A231B4104037D10C3" "2433F99DC35A356088F90298BB9BD150FC8252017BECF06111D" "AEEAC705BCCF25E8098995A8F7EFCBB10FD2C443223325FAC91" "72BE8B5FEF5FBCCC8D9361DEB61B361FBEA3D5CF13F4731E8AD" "4F567BBEF2655A79213193131020123E5FADC2782E8224208EB" "98C736FA9AF25EA3D00CAFDA04EB8F0544B58B29DA5D438A969" "14CA1D47F2A729128F60E56F5634A73133C1A0435A40FB7FF6F" "88105BA307B4B6479D0DCBB80A5F1A71954EE049E99B944E41E" "E89DE4B78A78786660A1516A3BF64779DF724BD82045245413C" "D82890340D29D07879C000934FBE4B4FEDA2EB4CD795C528E83" "BA11A92C9476E3273DD5D4553798489B8FFE76104EF154FECE0" "5E4BE9775256F278DEB61552266745FC21DFD699DB5A34F4DAE" "4FB3E23146DB6767561F15EA776B67240C92C695EC83EE10978" "FCDAB7A57C692861F15E5E6AE0E3DC2C58489445DEF81F884A5" "0DF8E78CE67C23967B27B419F36B905DC2D9EF1D27BFC94B456" "836A")); test_xof (&nettle_shake256, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("2D48CAA033F0273CEE712401A35D143C7E91216139682A77CA7" "75F08BA77620DD02EA885667355740363D95DA3CEFD3E9F8D05" "75A41213C1E7F2A6C4B7212DD617C9B0A41D48674B6A19C63C1" "AB3F2CE7F1A0FA694CA8401A0121077F281CD5D6A5424AC1D3A" "11AA97F88783722E68ABDD3684907F63EE045D7F3E10545F33B" "84C30200DE3B135B4BE5033B854084E5912F17B14F2AC16D027" "FD02FCFF1AE096C983F0F4FCE7D6B641D2280DFB90D8A066D8C" "F53E2A5A1620DC50008CA375743C416C379FDC5AED3DE23244D" "E23AADC33BFD9609702DA4776881A1F588EE1FD98602FB831C8" "D857CB73DA50C99ACB34DC79D0F32FABE25FEFB54DBD494014A" "24EC55B4D4ECEF9D4B7A98A8BDE06E324E6B2BDBE7BEEE6A45E" "4FE8948D331561090B737CE14D302C9CB1D7EE3E78D0B7CDA6F" "D12CF038F8B92E35F7BD6E1664A5F4F75EE569F67C41A434330" "DFC06F8C6C7156208A11BD6708B22F3115E5D4D99F54451D967" "BB7935FC937AB2EE21C3DA93B1A3DF94DDD600D6AE8F43A35F8" "5794E3BDABD82D4ECC923B0BC91EA85C3A2599F492495E8AAE9" "70E1605FB642B6B93E3947B45D78ED6A563FA9D10CDFF934C61" "D78B46AEB754CFFECF00AED06839365D1A4B7D9CC5852A4F755" "F01723C8E3961C92F320A43EC23D8292C4F44336E78424A4E65" "0D74BC47EC05EA8D692560206B9DC2310C893598370E5DF5D93" "ACB6")); test_xof (&nettle_shake256, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("6F7549D58E91D97F0C1243C519EB6AD2CD72AE27E3C5DA2C6B9" "2407823D1275210ED93B95692880015BBC14E72892A36D4D492" "4A48DBDD2E774ED36B739F587D200D9A789FF56542061AB4DE0" "06B08749C31BAC057DDAFA581C6F756BC3FF23BBC43C1048BD2" "848204588C89E6C3199EC38DC9F4BB10BCEC5A5D236AB28113E" "4E43D529DE8424F118CB14A5FB02BA721BA4650CFFA35663820" "148E00A2A8C0B8F4C20DBBE20C146E4B5294A17C99C2DF7EA62" "F9107ACD5FEEB01ECDC064F2911A466BC1024B1AFE10F3DD784" "3BDEB8682339A95F7A0E615A216C89AE7E8A688926884F82BC2" "A487CB2695C658DB670EC286E63AFB5B244950497BE33081CCA" "0FD14A4958AE4EC94B642E3A9BFECA9481FEEDCEE34B6C13F30" "1CFAF882105C14F20679B5E7E4263C29397F62B094490BDE56C" "BB1CFFEC550819E0ADD12DA85935AF2A9C08537ED3034D39933" "B80471D98B1562BA12C9B98A462093E79D247BFE4EE59CDF9F6" "533DAE9C2ABB66437B90D845B16C5318D0D12EC5CE30AA63B8A" "754CA93F04A3E3013A197A34DD8AF463A7AAE48D51C7EEEDC45" "B5BD4F9E5BE06D47C7991956E7BD828DEE21A4C4A69C3BCBEB9" "14FB93832BE8A986A077FC3A990301532CEDB59CC03A0EFBE5F" "F88413F0DB07481D134B77200E05341C21C43A7FC0EF20F254A" "4438F9F49C28136EB7FF5D64E8812D4137CB3410B2482D3289A" "CC07")); test_xof (&nettle_shake256, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("2D534DC9501C6B18F9662128E227E3C7D8BC7F6773945B8CA65" "3BF93F9B07BFBAD84F195CCFEAF35FFE97E1109212DDAF5701B" "F2F81A72B51A66FC1590534823172927BC3EA342A96DF9B0CF5" "952690804C37814BAD3A41849D71AACE71304183A4477D31365" "4C731CB0A9AF39CAC8A8E4B6883AF7C4F94720A5919C2371C1A" "E472724F7062E47754066976B583CDFF98CB41796664C9B0C76" "3C4530FB62DC22AE7B3C6B4DB593942F6144DA79AAC3F3CD53F" "90B7B634CAB679ED27341C83A3F9DE8763A0D083C4EA4EB3B8C" "189967E6970178CE26A3F2D43D1A62E4D26D61636257DB145A8" "9EEEFB8C38AA9D69F0630B99B4FFAF9395A6AED9C63E78A7F8C" "EAF4884E4663E7C9E39F737703F5D1C73B2E846FA5AF03528C7" "F1D1378C9AC7CE02599278455FA6E1B7BEDF453ECD680A89A8C" "77FB727A688AC573A5ECB545218F5DDAB304DFB786219451467" "4A52F2F0EB2151BD936974FB5B677F621FF9E92A10C76E3B6A3" "4E4279BF2E395743EC8FEEE4F4BB1D951AF744F9BB923A13C1D" "6F159F96B90D0371B135A8F64351DC8C9DFC0AF38098D3A8583" "DDA8978103B25495BFAB2B144E4D82774C06C4CCEBE085A5B90" "2DC391B60035F4EA929DE8A56DB1EFECFB928BE97C23E6DACC7" "9EF2C05D5C08F2CB3ECA5CF7626F13A95F29239AC8F457DCE85" "815BA83F099B1DCE79A32C6E04280B8CEFE8EC213E2375553D2" "214D")); test_xof (&nettle_shake256, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("4D0E55472FAEDA7E9F092EC4A561E835E261935BA5E6D115E9D" "4C4021725E7831C5B7F102F2D1494B019FFE9BF5525822C4978" "83F0E5194B0B0989DBDAC834CBFCFDD31294DAE5752ADB56C23" "D45668F370963219D3A9BE504D8E93721242DB7D4D1CCD22F84" "687E3945E2037BA24670649913712FE6B5D99BB6C8492C3B853" "E481CA9C32B3E601D31C60D6B5F43A240B0711FDFCFC0AAC6A6" "E5F881B2AE1123F7568663D8415DB5ECB3000AAB268256888DD" "47C0FBB5C95AAA9450947244EE4CBCFABD76326D2D079C9F1BC" "4F3D43AE1D01028FC1705F74CD16132C79D3A43539D2A842DF2" "B69243CD37491CDAB57AC7E4E00350F8C08737B6CCB8A7C48DD" "50365A85C07A525C15AF65EC3B2AC1C73AA6B3433483D5EC77E" "D832B73A30C672E9DBF0778DBC20BA5A3513EC93B4165A60E68" "717AAABED5041D9EE445611EBDDC8597FDA3BA05245228D7C56" "7BE1CE5D2BA75A256361E8259F43F3402E09B96A14014389B8C" "E19461A6512A4DD7F866E73ED26B1C454E014F901DD313D5E72" "14CE7A62C476DD28E4152EEEE89F309161C8F494F0BEE613B72" "696F496BB41659A3804683729B40682DE5D0F17AFC0FA9C27B2" "C96B55A05C536D283957783BB93C8F3E021A30D6051C9839DC4" "8A70C127611449823B06F0DD460CA1DD990AEBCF3FCA9732D01" "2E9650907BFC44729DF2827AE4055FCCA246ED3D75DC3B69DDB" "3666")); test_xof (&nettle_shake256, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("C7EAAAE0CA10AA1CB0225920A8F2288EEC0E5889ABEB096A983" "10782D918AF4CB8C0A41384D8E0C408950EEA95DE8CA6EB87F5" "E86780FB91293C5D14A798DAD9B77EA8A5B50E17C19EF37ACC5" "166A74A1B37712290CFCF98AE6349DBD4842D8ABEC6735ECD39" "2D59591824963D403B2804135BD46D17E26D5C498FD7111BF27" "82F758802A20AE6A169AA65CB0D6640396E982E30126C37F68E" "19CAE5FF9AE3743E38F902D306D8FEC8042DD914003F960625E" "8F2104C369CEC0CB8D3847C28D050802EEB53C5AF08D70EC029" "79019700E182B7127661DF869807C16F309EB08F376C5C30B01" "89F1B4B32423BE060402C1EC9B1E7AF2432FAFC09E4EFF7DC6F" "55A52108C5599BBD5A07F433B3EB4D439D43EA79407FA711132" "CA9A5E2F528E18821F38B894F624EE42400832F8C85AAAD0FEA" "54261E2B55647D9FF5F31AC212E7C38CC96689C72A4F543A256" "7D8EA79913727DAC3172F69CB16694E5D4EED7C16494A297C87" "6C73256F6B30F88B6E180E8E62DB68458F2CA416C4A0317F70A" "3E2465BC543FB07AE518B6571664FE9C2E49E2AAD57AD933869" "C04A1CAB60903F9AB1C14E4FB3B6502F387B30693AE4A85A172" "FE6813C42026DE57291B3D854A191F553893B3D4A79C84B08C3" "7E80C1ABDF03FAB58966410C2B8B950A275F68852F006B2B38A" "49E09165AAE5BA74B934A6B7133E431F01099F930B5FAD2790F" "126E")); test_xof (&nettle_shake256, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("CF55585AD2CF64217E5CA23319EBA00C4EC74B7B9A453D1D7C1" "44E8B68FA8EAA16B853344ABC905EEC90B35B681FD8A4A52460" "999BEE62489C467151EA5C0D7C8EF2B9959FD44D171D530AD4A" "576A0C76B147127921817B167FB43050D7F2F552F8E77ED5161" "AB00907599AB80FC546C859DBDC04F2CA3E38A7593DCD22EC89" "E73C4924152C7D1B5281699154A3325196E97E73DA29251F60B" "C68706885462002C126517E00D02DA6A23B0CA9410EB916C19F" "EC76DE9A907447A8DC1F8304EEBB6E38D0694821EE03865A5BE" "DE036E01AD74AB397AFBEF6C62C5DC211A47BCDCDDECB48B17B" "F5336FF831DB7EF9CE7643B285504D495161D4E864B6FEE67D0" "EFAD2888C04A8992F019E52A6632F72539FD65271E81537AFBE" "9E7795C658AA0C3B2C64EB34BDD0E5F19EA217B6EC9520FCDE4" "46C2207C9AEE94A6AAFF4F1F39A91927DAFDC37BCA8173034A5" "4FD535BF03212995975240F3002446DA1D111C0F97C92E395D9" "6E120B958F643CB4EC52C6D2C148E6A0A497323565500AB1174" "21C4A0CF0A055DC8B4D287F66FCF7EDAF931B614589EF6C6F46" "84A80A9DBFBAAAD85059B9399CE2617B55E04C2112B32A210D7" "530A3C58678B1D48EF24E2FB6B6F90D4FC605805B903085198B" "2C50432D9A99454B68AEF0C9D0D81931123D7D14C0DCFF84A54" "F3D4DCDC9E232BED26E2EF3334220F7B39EFADAB2CB9E247EE4" "E880")); test_xof (&nettle_shake256, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("85225E389DF45458881A78277858D3B12EC5527BEE0D03F41EF" "BA24671F1C245EF33BC8CECF3CFB7EA82263EF8F5F4E2C0D033" "D1DF6AD35F1ECAEB2E40F22ED9F4CD0D1B9FB1FF5AFC3ED6054" "9F1836E325AD6641E4444913A9AEACF36067A7E6EAFAE4F5D17" "38F4B42F5185AF334FEEE2838FAEA6203032F3C5C3D22863C02" "783D1562E12B0C73DF3098CEC208BC855BF84A9C231021AD5F1" "FBBE51A21E2BB66BC555612500822F43DB5594D0D60532B726E" "3A430C26D9E5BCCD57F83CD1CE3A5A31DDCC21DFD8A76D03A10" "6FC77EB55EDF19A46023B5D70835C865952C463475769067FAB" "2BA2A11FBF7F29D6400D10A34B1DB497B5B1D8D8A30A5C4DFC4" "0EBDD1BDC992380074ACCAC904DC24F22547A99E7F5ACC53BB8" "3BF94A522E595D9AB54C4E7EE052ABF95FC5FF52967CA2FBB92" "7ACF7127349BA7FD26AC820C380107B0E341866A9F57852DF4C" "E28C2989F04A40FF14033B3D36AE7D24A8E377AA40BABFB8502" "B0B9B12DF9B42C2A9982AA29697A2ED522E344814E59D91132F" "39AA537A521BB4B781CBCB5E1503354FE6A25072A52C54D248E" "13F8253FCAF93E849597C23F6952D0F7F38D1A4E7D08FAFAEF3" "ACBFC4371779C6795D1CAC6BF86C34FB227AAEF0AB51C480C45" "10C9F1F463CE311CF931E8219D71BCD3FB55D3A8E9A6C86710D" "18F9FEF6A00D1FB878069AD4A4E32653B0EE15866268D5772BD" "4990")); test_xof (&nettle_shake256, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("561A3E8D8D57E0E32D7E9EA8AB6F58AEEA509CCE8740FE54E8D" "B9AABBB14AD782BA33C7F9A5007796CA2BA9089F525BCF80BCE" "DF4C09E24E8D14F1766AA97A82B807FB1ADF65430BBF5F87AF0" "A7FF26578C97AB50148B6B15711311FEE962A8B9C3D1ABAF624" "41CEB100DF3A8E588DFE3F6A356B348E312CA017C94143B3DF1" "7F255DFAD5A7341B163C0562D24897FE9E4B99262FE5BF6920B" "79ABBAF856CE38AFC756A77F2BFD5C3A039C08480BAC81D641F" "8B955B22B66B455BC0637DD49A1218C4E8CA73BDB68B8849D21" "48C021C75BF8470D36167AC32FC88128C4E0568724BB2D631E7" "FEDFABB91F0343D267BF3A57BBCA57C21D56E339CB13DFA5E56" "F3A90F0241DBC0D0D73F40BA282ABD5E031364ABAF427713463" "EC5072B7AECCA62E074097BD0CB3169DDC06243F08B62527921" "F5FDC9332E99B2E6903D65BF809DCA706C5C0F93AF85B9BFEEA" "40504A3DBB390C6A417203979687A7C86CFE5AD3F0737DA1B90" "7F8F941EDF44F8367B65EA8BB92B5285A3ED8E1F7EB0FC00536" "C15005E4F6D9F2969AD96721BFE7A6A4824A37159EF08B0FC60" "C68518FD4CE54E4033C41ADE6CB218CD7DAEE76622B711A1609" "168BC115AD4F6219EAFBC492E35BDC446E866433C7446506692" "94E8D1827A2500F3E30893C14820DC24E36B3B451E9459BFDCA" "E62168706228BCD9C3EA22C4F1D0286367C7939DF31E28E7A2B" "28CF")); test_xof (&nettle_shake256, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("3340B37AEDD2F0C66F2483ABDC66C97B45055275231F1C7A925" "687B946C9135BB75AAB2D11E6463073A1A8CED0EA83A42736AE" "85D1B99D1D2EE9AAFB6FB9F4E7ABACB39BC9F6D59883A9D1B0D" "F86C259394A05842684E8A4573F1A3CEB46ECE59DF77259A0B0" "25B831C2CC0DAE259551C86DB7DE0C434FCBC35328810201903" "B92802CD5DACF9A6F4ADCB05EC5E0629A3FA99BDF2A5CBDA2AF" "81CBD1438821A319408D67E5995342BF9BB4DA85BDCF43C5A2E" "AD9CB4FA26542EAC044DC70857FF1B1CF95026B6464B96A46F3" "A138FCB26B525E6A09F71ED05E57ADF4A3FAB611CD8069E016F" "ED7B9F2F14C38102612D66803EF0854B2C7678E870AE7BE6CE4" "3EDF447E476C0AD407F0D1AEAE1265521F43AD6CCF1F2E0C82E" "5395ABFC41E08AAB436A806083E246CAC452513BF8E9C9E47DE" "645055AE184D988D0D3CC1E5DFF6AA98B3EED26E788EA342C6B" "1914269113248B15D0B79A6BD71EEA6C0BF9D89698A2B943AE2" "4F843B00B34620DEE9DE5AE1FA1E00677D8FD9716CF43EA1EBD" "BBFC2984FB1B27D444AF3B2D01A86412A32090A45385A912F39" "4373F0610AF7D3C06D8564FAFAAD3B88C70196A1DEDF247AB51" "5E5FCC8490A889F974E12D8DD5FDDDF8DE55500CDAF60FF2B70" "E7D26B481389C2232FDEE43AE99B221893FB7CDB688C0648657" "1A09B9A9B5D2DAC509BA166D0C5F5D8EAC363324234C657678A" "0CD7")); test_xof (&nettle_shake256, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("FC9C58940908E1F78AA90E888879C9EF903CD450DB94E5BEE0D" "8ACF6A4E453A32A610C6209D9F5A44ECABD634D45D04F5D946B" "CD388E2943D00AD8A6C4682D985F45D796ABEA85F419D3990BB" "DC5A21294970FD42B6D06363E18EF7C00250E96AA96FF730DE2" "D92E69BD19C2EC40BA78F94B7D120CECE0B0A44890CC17529A0" "54EDC97C25BF7AB6BC3C955466F656FE450BB25C34997DA9425" "8A4473128DDBBF6EFBA41C1843F69AC2B86A5F13EA652EC19CA" "A10FD0D605B4F31CE170F9FF1D6C7DC064EB4106C6F4F54C88A" "463EA9B97206E567B370DCE4DCA5B998831362DE38D8DCBC0FE" "04E87BA9EC6CA571E6A3BDC246D316A55FAB5CE8AB0B71E0E8E" "DD9790B26E3482A95C732A304C1DD48A3955ED995DDB86AA7B4" "E6406D08E189596BC8C5A5F61A2AD336E39D94F6188DA5A1E4F" "2CC9593E92B0D89E12CB4E6FDF89C5C24ED83D66F5AC6BB0A6A" "3C88B151C35123DE2F3D2D18D8D302FB10299F68F65C9EA2E55" "21AED6CB9FF5E357DDC1B9D4D5BD7B13DC9B4FF63941BEC300C" "C787FA6DD0BC617F5389EB6058D05BFCAA16F08393F4F1DC5FD" "4226542F49F771E5E93D87E06C4E663ACFB2CC365F3F7901635" "6656F92EE52DC6DDE14482E2CC8A9EDA71189E3C5A431EFE0A8" "768D014F05D45685E472BF22E359B8A6C8429D8F048314BFEF4" "9AF2637108E774D5E41D6B38FDA700FA2145B0235E1DBA03BC8" "DBF3")); test_xof (&nettle_shake256, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("F723334037CE684CDEBEEE3F14B0D109B075EDE85C489EDF798" "1B3BF88B946E2851C9453B0E891349080405BC3B16A99879FD6" "3AD7314FB7D26C050061D3A2F971E2A79C4B23338FC92E21466" "C27BEABB1FE045A0A10F33516BD77E7D87C49003F1CC173B61D" "4ABAE5151D5A723C2E6571B0B7039FCFDA72C149744512D5FA2" "0DB8C736A70FC009211FDBE0D7245C5C26DD878CE52DA760AA9" "0D45A5501EFA74677B85A736B2860876B23424D1CC47660040E" "919DDEE1F67314FD902A1D5C1DC69B70BAEA890B5691322C81B" "210DDCAA3CAABCC770E68B1BBA5B08C3D7676771608924A853F" "D770B2AEDD8D42B1E7CA6CC0499E22646732EDAEFB94761405B" "76C3A58D5CDD1439ED1BB06CEDEC79DCDF38E373ED17798A51B" "80665C026DC2BBA3EEAB43CB9024FF6F04B371C07423CE2D0B2" "E2A800B213D9FE193403FE868180569EBD002591959B8687E09" "F81C9B2B8DE7672D173F8EBD0794ACD309A2629ED0AA7E14B58" "635115A58CEAD5BE08D3105E2E65429D1F7823BD8DAB99084E1" "D63BBC637EE37AD4627E57E15DE35CA52FB8407760BD2AED167" "B6EA65B0C72B9B53C58A16D030A227CD92F19F14BA5AD6BB00A" "5775E4A091D7844AD2DE44CB9D866154127CA1B1A2422483A14" "6C729AEB85E67D597EC6F700C9DC615F2BDFA6A1C9AB038B81A" "D0307DAEEFF021EBE7ABBA47BA002C27C2A07611027FC69C9B6" "3992")); test_xof (&nettle_shake256, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("37A534CC68DE78F87B85212464858780E143A5E0DC7D46419EB" "17E45E1872186DF8051353A6AF703C167B9233612ED68E95352" "44DD99A613FB43F277C833588F7A2ADF2EAD15ADA2D6ED7CCA6" "AC786741B7453EED605C7F8EA3A8E2AA8D5688D72EDF964C085" "42422DE589D402DA18E10E7ECBBD132A10FE382A7EA0A94C9E5" "C7F31C7BDF018F44BB6693EC64B266E1AEF1A3A941E336E479E" "FBE2BC897C93576F5F1BC9C6D4F6E948A14464287D1E82DFDD1" "E0CF0A68E9FF696B5D5392F4C46845DF19AD5BBF2B158659E85" "6BBF6732A9AC0ED722BB5EB2C25D35FF83B892DD30BB01FE20F" "49A28C52B6F28550FE56D176790AE2D96648C66E389569BC2D4" "7D0A5775E0F6F1B7AB8F999415B3EEE8AAE8A3B663F13E0EDE5" "C81CD001307FFB5AEA2801CAFCD1B09D31182220F52D39855E1" "DF732F1CF2671538AE37726B3B47760830B391EDBBAE70B52F1" "F2116762C685FB8523742D90A427C991F80DB823E3496994566" "10720744BD2E4FB9C40D1371DEBDC7D01B2F5BE45C0231D297D" "E09D66616509BBDB854D84A2D7C140E8489884794D3679FF8E2" "4F7F04CD72058EC305EC21823AB5A47AE9AF8D10EFDBE2642A9" "7DADD44F174622597E4BD88698FA75F24314E82ACA60B42F66F" "84602C831FB9FA73E95955151F931841F1B9DE7C3F95DD78689" "3B45DDF66045AAE6533AAA59060B415FE392BC585EB4C39115C" "C163")); test_xof (&nettle_shake256, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("60C681E527396D6C9DC1E5FD71842F760F9873621A9BF2B9B98" "C5DF450DC7194379991D7A94397A206913AE1821259D308A5DC" "4D53E552DBF2287B8694F0B6184B737D5E32E1258CD7FF58E5A" "A9B5F37571413395B833CCC5620E37B0A64112968D4D7ACFFA3" "A66E044C36E23363F1A09EEE48EB6713FBACEA29ED63AF0DB94" "ED2BB22CC01B89D05391C1BC8844BE8BF105448925AD2373D46" "D3417F920046E8E4AFA0C11A8057B4A42FA4CAFEC592F8C2F8F" "1E2D603612FA38DFC3D3FD768EF7317802342E76E70D30745FB" "AFC0BD007EFF874CB32761D700C88E27DBEDB57CBFEEA688E0F" "06801847C1046CBF47E2C12EC0A4016D5E8238916DA887DEAB8" "25F965F936C79A7316465B48A2B8BD5889BD04580FF7DC91C50" "DE8EB60AF74E74BB4F896FF73CD3D1C55948C19DC0ABC841D7B" "C3384AE4D60BD855F24BD2E402FAF5E47D66DDD2F0533F9A73F" "D483E3965E967C979382F643CDA535C4AE3AECBBDAA51CD7A89" "C8B2D9EBC0B7F9CC1C1EA355F9FECCB62345BE39A7D1073CBA7" "C5C46F2163DBC1E9A6190EF620D6053B88586E73B18E816206A" "72F297EF946C8B302A6E3FC92A3E7A9AA87E26C1466251CE1BB" "D204BBA7D08FEB28F99CF27BDB3E8479C9C57FAB8F00797938D" "471D53A1666156B66853C067E64695978D2E9AD5250FFF6CD14" "91F7BAC09B77ABF42249FBBD63DEB5919A1FC96A4E26DB9D789" "320A")); test_xof (&nettle_shake256, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("D8EF59E48FE97B07649929B9194BCC57EAD8E0EF010FD65031C" "18B4CFCC0933152054AE17841D06C36BC375CB1F98D83E2F9C3" "DFD54B88312AE71D7A00590A759E4B8D524124CF480BCEC6816" "FCEECABC9E13356F99ADA2319C3EB0CC9E3BB504EDDCF7D3839" "511BA0B412A72C3A8C49F7964A4F2EED7B814722A487E3EA6E3" "47CDC2585090130B4DC535C3FA98E085F107FA43222B167EBDF" "2BBD65ACE691D8C23D64DE52F966983A3D4479CEAC8AAB17794" "7079656A454B7BA4548BCD5762974264C7BEB17DCB4FDAE572B" "D67067F304990611E7C7F4D50BBD2B29D19C02D51918D5BE6E8" "56BFD8DCECEAB2EA9F82F5BE53E57D4B00AC371436EFF3898E9" "30193DD1A21C5B54506C6C91EA665D0D9992BE999F1DC434BA5" "87DA4EF05BB296087314C4408CE0C5851660D0B5D1746232E03" "1934284F85B7AA38420FA6EB469171FAABE88F85CE64A7FEF84" "20ADA1F9BAAA4BC93D779C5A268A3F1F8A57CD2FD3B19CDD4E6" "48E622552C1F16455F32631A3D91EC2F7A882DFD0EB13C4B85B" "0A23E2477B53E0FE5E174F058268F6A24BA3CFA38D090AE6088" "339957863733E1DA245432AB0394EAC05ED82428C4418DDEA00" "C45E57A1719C7D2D04A781F8D0187C7C33117A3FF5473BD5C12" "11476FB4EB64AEDE5A9E2DBFEE00671E7A9CCFEF7624E1F688B" "77CBC755B95B6EC391D8E9DD0B65CFF4E1FC22F566F0B598BF7" "ED6E")); test_xof (&nettle_shake256, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("984570A811CB6B53213280F8C06C69FF1D17E767B163F8AFD76" "674AC018A1CAFDA4D94B69BCF58F3AE8A53B107976ABEA6C616" "D85AEB98BC10F29177A3590BFE943F53D2512323E5E79D64F9F" "1319D47D6BA84C7EA37392BD15224D94BB16D99E0E1E7062FBC" "3EDD7C81418D816E875FBC9D7434249D89A6002BB777E367F79" "219BC7FACA03E1B9488307DEA98F304258FBCC53C58A483A6FC" "C78D9D9B28D99DB3709E32C1EE91FE305F72B041933C8CAE6F6" "8C6229658D591CE9B1100D6974706BC21A45224778D12DFBA63" "CBE9A1A3FE9680A34771D9BAE39B4DC9C191C0A4E092F8EE92A" "F2A02C95242CBB24580E04774AB41B07FCB6F61ECC6ACB2E48A" "77E544AD9F25EC0ED7F440C26B8C9D25C7CF4494AF0802C4B48" "2DA80251F7D1572DAE337725B9A976F70BB70B5037F333D53BC" "3C252AD9AA13EAA7C9DE1AE4B24F6C91D17A489AC9D392038B8" "0EF7679E75CA6994821F153C62D6CD7EF58927636EDF95EF6F0" "5520025C4BBBA23685A862F244AB3802AE1D842184A5F5F344D" "1193E1239990C331488C1A8B98F1707C389C05AFA919F5C17EA" "C158064350ADFB9532EB0AC9111E256251B11D082DB28206AF2" "AC514707D956A35E26495EDE4E98C2578427B48BC99B9AEB29B" "0FCBE44A0E51CE9BB37864DEDC30BBB5FF9A055423D8BBD453A" "65AB54E65CDF773CA695303FFD4767193D65F26706FED1CF35E" "740C")); test_xof (&nettle_shake256, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("2C2E6AFFFDC10D54F74AFAAD553CCA0DDA3AE5A5EDE3BEB611E" "4C1441AD4E51B67EAA2306ABBB39115457FDF15FCE9607EBCF0" "537E4F9AA2703D222A2B5FE602F87F6B54CC7A9427807A10E56" "BE5B29BC3DD91FED0322F291D87F563BAF5B705534AE8BAC35D" "4AF68A23963C040F4A1AED9B3E51124303DFEBBAEDBAB35D7CC" "BD38D482EE45E261BCEFC53D0A25DFCA5DFB60CB2672D34CD41" "54873F92B33FAFB8068A95458BC1166B36C3977643BA159B655" "654D1755FD5E396AB9690718266EF6AE670452FBE332BE84750" "BF7A26778E555FDB59AE0F48D6EC3FF4A1FEABF2FF7F1CE4DBF" "3269DCD91E3CA9962D88DB9C527874DF15F7A6DB9682B1F0D90" "4AA875D29A8885AE63E90461C69B688046FC771321FD6A61A6F" "1A93FC95FAC72BF86ED76EEBDFF0CD6960D72FC460753ABA032" "4F2D7CD7372F413D4A49E761CADE4F5911D18F7C712F61CE1A5" "C9F07ED2B042D5C86B4DB97E1B7ABA57E2F2DB98CCB4041A16E" "E21E08ACE213412C6D61CD3C42BB5D8DABD7B5A945FE512F2E6" "4C3B1817D9BC5840D6E16F7E5E2AC36585BF8107ADDD0C269B8" "510DFE11222DE1BE13CCC2A5BA8536887A11A0A733EB81D9372" "9D487481655F531BF4AAE624918401097EC0951F7FC535CBD85" "691E0E0EEEAC4A5848A61AE8D6D6121D3FBCBA345AB755C4E84" "41ED7853FF46CAA48090728A7AC39496C3002BAA99DC90F049E" "FE4C")); test_xof (&nettle_shake256, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("E36806AC60D67682D34D80AD11A1415901FCCC216D7548DE3F2" "428B1963023A9394BC0E1766E279AE3509AE85D773D11DC8F11" "AE65C5C0D6401575CB33835081492C2B657F34514ED6B0DFCC2" "639FB758B5FDDF638576A64BD34759D629FF133112CC5200267" "D8C9997E1538D602CA356E821F06EF84C3125D8466673312C69" "03CE166FB97FCB3EAC9D30D61E13A1DEABB922DA6E5675DC897" "6CD4426EDF7A7A797DED8936E0A3E721DE5C4D956E8287C4B05" "D1210BBD36CE0E36B7F2A31945FCA6BAC1CAAB3C46D4C8245E3" "E589DBDDBD00A3B99D8DFE33783235026C1A990F1C383CF71C7" "55446D8F5DF4A114B9004541065BDB81AB81B98ED47A1D05595" "AD5E168159EC620B1DA439C6CCB6C4D57A2ADB33A0E113FD0D8" "ACBFF5C759BFFA29B36E8416EBA1B8F45285EF3F496F6946EE1" "DDE798CF8F5BB78900E59785597101DAC9EC5E5F5CE0F0D6B17" "3B6418A75BE30A84140FAC4899C4EB8DDCF87A0F78F22E23780" "6E0871CDA9976DA0E7E42C4AD73FA49D3F9C257ED1CC6C38980" "6BB2C32B1F7744DDCA53BA515237F1588F5FA7C636360B6B8D9" "8DAFA7175DB320A1A3FD1B3A092D9E8A4466971B87E5B051898" "29AD8D3B407F3C5E4265026C8B801C391BE0F9C9DBAB2F56362" "F820384D859EAE1ED9B291F5F03F14F12D0FF8ADDAC128988A5" "9707FACBE23814873246C99DB793099E6DC79712C612D41302F" "8B59")); test_xof (&nettle_shake256, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("939F4A4B5E37B675450782B0E8554BD6A2821EC805CE07FD4F5" "A3BC3816A2305F2353FFAF15883E760A3DEA064DF1583CFF5ED" "83A97A62DF9D174AA80958E7649460FB4880DFA21DD7C00F373" "AA9F010EBD1DE7E1AA73F51F84DF36BD2DCE6B37D7A1112C6C6" "9EFB734CCE2AB12517FAE38F0F3592A4693251CB4F41AF7E820" "F1E6F432CB9F88B82FCF579B2A5FD0E9A5B3C28542ABDAA9C65" "1EF1A05A385051682B3238262475AEEB53894B8274EF37B223F" "66A32C0D3DF45F3F191414FC0E8878E3D58852B4CDBD826D236" "A7010CA49C43095786CDE671070EDE3F5BB74F34DFFACEEE281" "042EAF3D2B39E53C25A61F3B0B2D79E4305B9A17C47787747D3" "CCA46E88BE79464BDFD16BB44EC7D862503077D3E4E3C55BA1A" "1FCDA217D53F5C22A35F883FBD0E786AF38276B341733F82BEE" "BC4118D486C32A3E7A460E24951BFBE760556E36981805B40B8" "37B514FAC3E8213937ECB018449319AD3FE1C0EC19B502E8E03" "99398F3F8C74601F61A9BA3021F153ED45A99BC150AA886BF09" "0B0134DA25B2740EE5156CFE28151EDA24A2C758303F505E465" "F9D6A409651D4705A80B3FF660B2D66AD061960A3C6B81FA8D8" "31659830C5243AAE26334917660FFFF3B977FBDA3730313753F" "ACF7E319CDFEFC064F2072AF7195A70EA74DB24E5FBD36D6FA7" "8C0D0D1085D05E81A62D3449F16007D3CCA29E4403DCE5DE01D" "579B")); test_xof (&nettle_shake256, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("3C78C3BD49493560231A71A867BBB666536B22562F150224599" "1E3FF28E6F058264B382BBD61F9A16D4DDA0B3A72F84606F97E" "7CE53F4A57C132A920FE738F818E987095C1292D9873A772E12" "F74BF42EE1281F408DC2ED7BCEEB2FA6FD856B7A01A95535058" "2C111B2CFBB65E26B745939E1DD4781A0265EC5AD4BDAFDE1EA" "40AD504EFB0E9F34E15E1526B1873F251D33C280F9CAD71BCA1" "7C4925AF9C3DBD4C6798BD393625017C5D3B03666FBC3AEE276" "AE669AF2E9E10AE2D608247F3DCE876A8EA3BEE6EE001C3D5F8" "47FC92A2A9CD0FDDEAD45C1F92414B23722005AAF8A7A0159D9" "1B77F4A0E44DEBB9A0967977B04072633B4588DF0D699C8F990" "D60FF5A2E09690A624DBE88B998424620B5634ACDC02C75DED6" "DBA9431AA7A0FEBC01CC5DAA3094CDC818B2A6CA4D808901134" "08565A714558B6BDC3E1735BD1FC9FE84210D7D78E0C50E8961" "C39725F68F083094277B7B7ED3300A1FBF42F72AC9A79FF927E" "4F76ABF0BA233A9E82E535C32D7054078A6A4A63F1EA454C6AA" "33C5A2299DF7BECB5F911C25BD74532EDC882FF4312D2AE0ADD" "4D0F67958A520011851988F9D3846C0100B4C119EA818062A3C" "69401344CF94F49AB995C286F441D8241F60A73863628AD8AE1" "CC780EA99CEFF0DC18A3D85E16CA00756627F6A1B7546359451" "20890313EE136438E01A41593B6EFD26926F48309122CF1DD80" "6C8C")); test_xof (&nettle_shake256, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("1A73A838FBE2AEAC592433B7CAABFD17068510B165896F00217" "A1F9E2093591A77330E656FC53D1223BC9446C11D329673B418" "6A85DC6091140C070843760EFFA56918F414A9C6F2D198E7D0C" "19F44AD19D1E89E25365CEF40890987D255A616524AD68574C3" "C284825A48C3BCB0B48D41EE284B53BE97127DECF90402E8FE1" "317263D179814177B79DF92B9C71EFE9C3C2F3CBF8329BD9711" "E6393457F076C8BCF16A70E854DAF7BCE58C31F55B4D0E9681B" "39FDC19D0703A795C234016C5879857F25A64EAF0700C681E59" "0B6D29605311F1BDBEA47762BBFB012BF103D34C2CAB53D53E1" "962BA6850B779B8673BA280B0FB79CC387E2559105DDBA2884F" "E493B85EE0F0747436013CED0ACE7280854E9BED8A42FC98DCF" "1AE5F845B677F4B802D01AEF9529FFFB6ACFBA047429D4DE318" "1FA959A3B74AEB5934E3F25498CCC850BFAED46738736DB5E5B" "DA73AC03162923D310A1F91658D15CFC5268FD5BCD9AE6F9D56" "52558F74C1DD85696233AB9EFEF5CEEE75F0A3489F46867B0BB" "1344CE24E5BE88ABB706CB49A07FEE3DD5911DCC0486B58FF2B" "024F844C3773A1C03CE35F02256157A6A2E6616569FB751ECC3" "E4CF01EF99BB0EA61E4AEFEBCC65450EF2999505427B23C7CB9" "278E27AB58C5FA2D5B0A432A6172CB1C23DAC420C92631495DC" "30DBE0AF3B6944F1E101D1566F0A1F4BA06B82C36A7CD068864" "FD3B")); test_xof (&nettle_shake256, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("674343644B198DA1CB0709F842239CA1559AB643E48F8EEDB37" "3671473CA24A99A74E20AC6368B661BA1824AF92985B3E7F957" "F9C935C715531703A6B8B5113A364F52C7DF7C5488997A3FF71" "873FDACB1A6F4AC3B631A3341BC36CB742F8100B28029ED6C44" "FCB41E93B6F171A064B0F13B2F83B1790330DEF22A387C52CEF" "7F16D1E398123CA0231B76494D708CC694A28E281B34ED163B7" "931312DAA56752080C4966F8638134680CB96C4F815AC678106" "FB243ED3B9C9A5599D3851BF3D89CB7BA463C71A868F74D07F0" "C6F9C6F940F53D88E18892EE6CFE5FE9C17B92569E5C1222FEE" "87792987663757459C35630CB355F445630826807909BB5CBC4" "F5C8E0BC669BE6C705C12BCB2B39552D4AF42204D237FAC5BEC" "56EF9AE6F60BA836AD865983DF2F25A1F8C3F5DF93F87EB7647" "2DBEBDB20FDF894C0167287EF1A6355040C4D4A6949F4886974" "98529217E4532A445CDED47687CFAA14DB98260DE9321A16FE8" "4E4D82D2B1B0C2EE639B2ABA48D85E4D06A369CDD9B03A0A846" "EBF83ECD5ED257876BD5E3E7838108FB3B86B6558F8BB454F1E" "76FABE18F3B66CA1448C1B02DAB1BCD485E709CA800D5271952" "602E9B1BD585F61936D8DD678C900407892756A08730B891C15" "4B33D83BCD1B2F441F1DFA79AF235316BE9A3E20ECEB4EB23AB" "76D9E9564C367BC27424DAE397E35BA16A8CD4BA15CFB7D9EEE" "2B82")); test_xof (&nettle_shake256, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("791BE2551F426CD350322EB1AC0E6902996546D446C229E03D7" "4E25CDFCAD06CD99BDD3658026EDBE8708AD18DB91305770245" "0BAA457EE767B7F6085B0F1D35A86D8C5C62A35E5A11B81D409" "C12C8AD5777E245ACC369ABB5EA9D8D9517AE7FB4033EFBBBCB" "B70FD6CC1E55187AA8A27C75E5116EBA46DE2C8378997504A82" "390E6B085A45C5FAE52FC314E876DA7A7F90226CEDD3C4E9858" "87F162513BDDAC323E85737F3954DC58D12E986BB1840D0EB04" "6102C01381DB2915981B23DECE4987661B41B56D30C35A13DA2" "1C6D2AB0BB7951F04804986DC2127F7F33C4937D27427C7B706" "2EF7EDE944EFD0015681C2FA0C115B67652A7EF1AAD03C0FC45" "42BADE7CDA11F0AFC57D8E2C6DF0E5BB5440C2B3ED2807C2798" "CADC6F371A2D6F2D647936B82936BA4B19A16F599689814AC4D" "E20CC7CD05A3452D9286B345037ABD23850F22A56BBA707B1D9" "CF299ED3EA21943882669735F69D25F240F87F3B34CD794B0C6" "353681006AAC5AD75CF46BC6464579BF5B715AC741CD1CC06CD" "CA6E8D579F2FF839E263C94588CCD268B1D375E5DF5BFC8B7A8" "9FD72CFBF9BF5400EFEF53186B50497D942963EEDCD6A742678" "4F38F8808C50F867D22C10FA4D7DEDB4F5354FE1EB1484C9F64" "5397582838F1C78076891C5E1E44959B5C74E28D7BCC3F6ACEE" "4E5393A5CE24E97CDBE1B22AE853C567068ACEE03CDB3157A3E" "F657")); test_xof (&nettle_shake256, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("7C0247B191C924335D843B81614C0F1A6A9AB1ADB6C28692239" "7D8C1B26220A35C13C7151E35FF9B3653A086DA339EA1F05881" "F414E7A16C61B1453287F924C48EA933995000A9C9B0EBD5E8B" "EF2C92820CCF9BB6CB0F465AAC124B5E794FDBCC60584B05CC3" "BAD06D41CF9DD5D3D3B7FE1CEF634DE558B6642E591BC2F69AB" "EAE61EF5DA27BEDF291D2A4106B3DA946FB57328E827C8D4EE1" "C3665AF79F96CC290F924348C30205D75B01BB05AA9DFC317CF" "DDEEB7E3764589C003E2AA1DDF60A3C98ADDE4517E40D08CF80" "646205EC9FC6E9A3E1B64B2EAD561957C3E2710DFF720BD7E58" "41481D9E1A048D1C76A3E1A08BF010428C8FD2A6F2DCA4FDE7C" "8CF59C826E6DF246CDE77D5823DD1E0C0759AF8356E89ED4C03" "276A37EBBA73DC196E7915B57BAADE13A7A276AAA4456E23E44" "54D44260D9EADD748D4E7E1857B6D2D9C301AF6118270859ACC" "43603C79A2F6D698871FD5384DAF43B16FEE4ECE1146ED54E1C" "A28EAAF2D94306383609BFB26D6634DF00198E0D19500215E17" "8D77329F7504AF80DC6B727EA7791305FB38FDDB1CEF7F626A4" "9AC6E34C3A6ED630F9310F890392704A2CDE00CC850FF7CE9F0" "E1F0CB4B1D0C161CA3B812309CB3C9E9D071024D61E5265A71E" "7ADC58A3D47A567F5B19F9E13FDCDCD34F3DEB12DA3151FE817" "E5844F5FCE12805B064895671F0C3767AF5A3D203D095BE306D" "4A26")); test_xof (&nettle_shake256, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("73F5EDF85CBE959CDFBEABBE2A96A1812134EC9D3CCB72D6039" "D4FCDEF0B57BB72A782B76963C97AE0C2713CA657B9424851DC" "903CC0488A169538A0DB3EC58E67C4EEA1C18ABDB2036C79381" "E76F5C9F6CF1F830E0DAD77D2EB90F120EFBA42B20B15B8C8CE" "8532C5B668464AD4986A281E75E4FB2CBC59ABF886A8540622C" "2458FEFD190908A09FCD7F16B6E5BCC7E950917794FED485C82" "CEEF7FE0FE4665E0922406AE1F8D34E5F77BFC0AF8B4C881BF9" "F76C78A233898D120981BE96F67D135723407ED252432928C7F" "2580FB80000CB51E3EE8DB02D4EF4FCDBABB704DB0CDB9E31FB" "E76930D285702D91A74DB806DACCC01A15C0129A7F7D4712668" "ED633462A6A036A9EC2C4A7E4AACD4D62DF9DA1FE959DB9ACD0" "FB6F01A75F95CD9768F408AAB1760EDAD70E936EEC344E9506A" "586B9D42DB99EF828E58D281128FB0EAC1185BE704CC9D16E35" "9EE3BC1361A776DE4803132822F99F7E477764C9408B0457451" "50AB8A7481D266995C91EACA7A9497F4CA1848828FB5ED127B7" "A4A5FA0F23614165A8E4DE1E619A40D4E55AC28075AB2FF1BD4" "2BEE19F2F9D63630CAC85EECA329A0A1877E848FB2A64176411" "A7FCC2DD63D6CA19452780BBE4EAB208B0FA7B25F21F17BE1CF" "7C5415A04FCAB687B7D4BA2F657E39D5EFC17F36A1A0E3DE461" "0788ECC43CBE70BA2DDC33ABF4C335940DD53891FB6DCE20DD0" "39AC")); test_xof (&nettle_shake256, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("9F303DECCEA9369400C533CE2E162818957E18F65C05A675404" "CF8637FDB57F3251FDC2844CA194ED97CD021416E764E072598" "106E9D97D420087087DCF5F8ACF1047A7B4518E683E5AC6DF1E" "F1BA7EC7A418F12E386DFB7A4A5EDD9898CAE54D645AB319398" "2F4363DA670F1FBC7AAA1194A03BB76391A78DAE7E4FFF733A6" "F19393E9C4CC5EB3F5503D8B1CEFEEB7038B0565F29D6CD4460" "090FC63E3C4DBC7D5D3D107F8E905B21CC9B9EF3C535AA0D8EB" "CF787631744F80A05CACA3E50968A05F85E9CB0D775DAFCC714" "FD6D93C8B110E58F9AD1F8077CC80427515FC5C0CF081DE5FD4" "CFE6EA6DD2F33A2DF212918A3F86BBB8ABA45D808BBC2CAD8DD" "09E7B9AF1C33B0E58B988268DB39118B2B2090EABADEC0B84FD" "836DB6944E8E27B5F4F3B2876077D52B4648885EF55DFFF266C" "7264C46EF5A3CB63588D1A86C82D19449E0C93D968619CA4D33" "BCADCB21E6787A5E41F0D4E95E2B47E422FCFE5BD7EBC65A302" "3479330E989B3EDC8320EDC868FB122DF078470B0373732E187" "110D3964B6E7757E84F177106C2BFAC5BCC43A13DC40BA8AD5C" "1E772C58DF0F32FF0F10348686CF0662F2F30D41BA48B121E1A" "146C70E6131E13080CD8B63AB79869AF74E64B9899855C81D20" "F753F22C67F1E4DE2450740944CDF4FDEDED59927F92A9568DB" "95E5B8515C07BF4E9ADF952D4AD498F3DC19A2205640A8378A0" "FD5F")); test_xof (&nettle_shake256, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("1CC30597732904C49C0F6EAF777F82B1C33B4CF00FA720C7DB8" "473139266E7304D81999F322AE6803736D242E7408DBB8955D8" "F1C0B14C6F7678CACDF2F3CC2A17208033E8C70BC5141A072F4" "1E759AD8EEDFF745DF0162C2EA877A7D673BC63D80C0F1DB765" "F9F5CDEB2EFF214411F95AD7C3C41F6AFEC798E001D31AE2243" "2A54BADC751F7F713B4A3693267BE3CDD3A1DDE1A5E638143A2" "FAE59A2A359E197CF4E5E1D933DAD9F99773F164173E3E81898" "7F19D122AAB725AF24497CA116EC201B2482F0539EC454292DF" "4D018E286247F8C857B53816E9623D580D69FAEF60009FE72F2" "5B4609E8DAD73A06C006280EDB0137A25D5462368B18B8F3752" "5C2C74FFEB4A7942683B86ACA6FB1D773E9C92311C4E197C546" "6CE90CF01C661EC2D928EE0D35A2FCF0EF1A87FA7D298747E44" "DBAA4C90C655348B8C2771F378FBAF0702EF9CB4B42CD5B2601" "6D8F5FAC1B79A49F8022A180F04F8988B5895822404D346A036" "22A5DF8AD2E3F6841AB14644F6074A72DCDA253D7C9423DF9FC" "15D98F49E3B2A1DF2011CEAA61BB7DCEB3860B9B66DF3926A1E" "79E73EF6C4429AA9F344ADCE7D9A7451AD97D0C9653B916B029" "C4971E6756FBA775F191751416C3B0587C2FC5043F38D2B6205" "804C47DA3E85A99B47F1AAF42D9C709F21BEA94B8CA7340FBB8" "B262DE6C47B79DE5222AFEE7B1C994ED526AD4D5641136F5227" "A5BB")); test_xof (&nettle_shake256, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("6D96D224006DFBE8EEC28892FD2BF888FF543501F2F8AE5B6BE" "B67713173C88671E4B3804D695730FDD0CB04FFD873B0E40110" "3DFAE8F014FFB0EA382333E33985D1037403029F0C642323183" "AC8668907DE791BDB0BF7112FD2C8BA5D3B933273B51082810C" "7515C78173DAB93C7AFC48B0A76D5488B76CA0E5DA2226B669A" "2EFA56F0A2041CC4A60212B2B4F4B02749B211856839868CCC0" "A935DB1F7305EF356024FC78795690B69CBEA01EC0B5AA8B3C4" "AC2D1815176B57062DC4742DEFA68081F21384FC875339F4098" "5E85DEBF3AE9EF80CFCA746375492614FE5E76A96E506403FE2" "CF5BCB43AE6E4E697E86237E825BDB16087EB32D3DBCCF2AF2B" "624ACB4A960E0781E7C686B0B3A8A0E4BEB1F904E0D84B00038" "788A02CE66BAA59EF185E2678598013C60208E5CEB50B701BDD" "2694A24837F786931027AC0D64A229400B5783BF29AB39DF9AE" "CED0CC8B9D6FEA52DE3E9220575B4F3AF6E2DF155A20D87FF3F" "5ECDC0437CF7A8A648A0BE9C81F0EC3457BBA5D5948149C3FF2" "411053549AC24DFFC65B54BB89B227499E35226FD9E1A85EBF5" "DD534852921BEB63BF850EDB495F9DC1876C6A481E9B774E6D4" "368974BD5A7BA7A16E90D078BD651F128CA7AC160EEC05CB8F3" "AE3CEE4BF998579B84418D7A70DA95E65E4DA9933EF8E399359" "D6D1993E5D9753CFD1B10737F6930FF0CBA3510D3BD9CF78F5F" "79DD")); test_xof (&nettle_shake256, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("E0335CBFA877DA0DDD79072BD7F46EA6313144E633BA2C207CB" "D6948237CC32A39DB06F951A1A4B9B0B91011158D38938ADC1E" "42408A2D8A95C3EAC579C922943155624F6318E12BE7EB6A836" "79508E0910FB6E85A84998F0FBE06B087EFC6EC91EEE277B48D" "289DD6E12C820D0909E206750C82995DB86031E71B0D005CE89" "8F1CF7C782F10B8CED5370CF27B74C6822910B653BBDD328AE5" "A4921478A4072B8C7C89B446E057F6DC4692186CAC39CF08E3C" "3F0C9457FF44DA73B88CE131A1E2B4C6A235DD464E4777B069D" "39A9EE2A5877E07E8669B0D610513102B00F8E2A7EC210C403F" "2E398EFF22E193A66376D0D08AB3013AEA4D508EE88EDD361FD" "A5AA4E17BA899632CB7222EDDD5B320AF686C80F2777D94FA2A" "3428A47AE7340054D2DEC1C42569A5EEE01759846FD10AF9D2A" "D2AE9F6FADFF825D184EAF7E8AB9D7C7C64AE07CD5A95F2B24C" "C3857BB239F5C0824EA7CA0C84CCCD9601580EA7A4C89370086" "17468B9122B466624D51AF29AE1B66D14C332F2535BD7C3603D" "E07A0B25C6A260E9E70EBD2DA622ACBCA660D425DE2E44B7E62" "42A83077BD24025ABD5F0F2F21743F80D9A6F1552C3957B2200" "88D861F3E25823548BDCB448D19B3CFA14FC8F11CEAC5BB2623" "64F100655D5099D564041F113503AEC817BB03CCB9A6E021967" "06FBB836C28421AFE0AB276772150FD0677ACE7655EA6214F61" "D2A6")); test_xof (&nettle_shake256, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("74B8E6A2245E18432DB073B046FA0D6F63C85A05B9FB3B3098C" "8F2AAAD938CEC8A8232AC2CC4CD7EA85A29BBB4A2D03311CFA7" "F1ED8107DA574E659358408C60B1CDAE6A4BA6F3091574DFF99" "8C97CA31E410B4132013AFAE543076BACA1989E7B5DA17E654E" "664C856A00D7DE43EB3A2C5B8E347EA3B18A94D534C0448671F" "E2C360034550F145F911ACB7C245A99FE37CA167EB8AE0FF5E9" "D0B65F255D24DE4239BA87C2E8B757192020B3A28D53861D29C" "845D4E4A21604ED2D5DC8E4C107CD47501847B50CE2452A3168" "5012C5949E0CB630088178AAA5C9B0EAA6394E00096CDAFDC78" "1833F37C64EE2955DB09F1C3B3767A0F0928863567513D5B02A" "3D24E66A79EA590D5DBEF5E8B5D9953ED9F72610C0D4F5EAD67" "B3421E90710138E09BB15959DFE9AE408AFA9ACFFCA19DD083B" "DF508D8FBA9F75A18F6229A9850DE36653A0A39987781EAE3F7" "40E2CE387C004D47811E3F8B5F8DA9ECAFE90C5AF4ACE449FF7" "AF57B271B0C3059AE42180A1746EB3AABA944DBA5BF3946907A" "18B1D94DF4819872A24DEEDDA3AF7A3787AB6B3D5F128D0C3CC" "AB6AD0C34371BB76DAA321E36F6FF935FD58B590858F894B54B" "F9997DF8B73939919AF342D6593F31F76C3251AB3812E27F00F" "3AAE0C0535A8CBF9C6A9D20E26E619D6899ECA8A46526D7205A" "3F2F3971C60E432CE438F40C2CBEF0F2AD7253B18AD53C3BD8F" "108B")); test_xof (&nettle_shake256, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("10B27D45E1E91C3568B990F306D4D0338380C4A24C543DB7905" "AD8C20B9C469A79E50F7FE705C03D2D1CFF9E2C35FCE1E6E203" "5D3F464B6D2861EED223C32E960BB223F21193CD4734F36422C" "1DE6F0F81791D6A5E9DB7BA8C2CA1F2B7FEF2F94C5392869591" "3471B5E1B02B75FB9B0DA1FEB46520F3E8558E03427BF371180" "EBACC91F3989F849B4EAB233C529006EE02050D85B548344C09" "CC7A6C6C40FCE5C55348E1BEB801482BA70D6CC5A24B3B0C9A3" "258B0934C3A41FBF07EF50460E2BDA507711954C83FFB91CF2B" "2827D5FCC6DAE70DF5882689C573F159A9B45694458D0FB8A50" "00B109BEA868160FCA781F50DB7B5EE56AE55BAE1FBEABDC155" "EC46C0EB16314851FE0446AC2BF171D99FBCFBE2ADFBAE4A638" "7B42FE41C5EE8E2AD1819D7F80BB1B4EC2DAFCD1D06C2C9750A" "600EE6627F62089B2EE59EA461E0DCF47188D1A8DC80B029447" "9C7EB03953C425D6EB3CAC6FFC34E484A35127B605CABFA5971" "2141C4FA0840FB520A1D0A8DB4B298D24DE2A7246F28E036B51" "1DB91794E35B75DAEBCB3B8833794B764F936200E7784348AE5" "0B95363C027F3AF85762F3B8E6F31B7C2D8BD18814A723C0DE5" "17F7B3937AF574A3FB5F52DE8A10A2055E8EB4281D383797DF4" "B8D5DD5266C5D438A10DE4BAD00E4C0B252110CF368707AA2FE" "785F518CC2F3DA5221634B52118348F231AAE0712DE096D70A4" "3929")); test_xof (&nettle_shake256, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("69304677315720D586605521E24D32745DFAB082D2BC23A3165" "C419831C19468A088D972AC672D7BAAB907005A0AE3910D4F06" "F0BC5ADF6AAF9E1D8CD7CB85DD166D0FB9703CDC7D45DAFAC48" "05612137D4720FB3FCE90D69864403E6C456FBD87677312ED7C" "AD9A28F7A98753265294F4820FA50868CFEA157EBA50DC5763E" "223238FB2032DBC6DC00C3710B6976F16034A9D851CD1BADDEC" "6071CADF10C8F9FA123FC0EB81ECAF4C16B8D52A6C1FFE330D1" "14D71CEADE28BB0422855AA1E7E838A93523315BD0F8384361A" "58529A2264D66D65806659C49B7F80D95474A7965A0733D3DA4" "FE317C5AE6180746BD8DC70589F97B15E0FEF29D34D6BE4416A" "CB3F9EBA2F3E34F8E636A6B111DFD4ACEB2C9DE051B942EF021" "C78E0671F771058C4B59D34991DD2EFC6943C6E0156CC0E3FEA" "D10968F77BF4DA82B9FD3AB73B43E2890BC8AEB02D7178FAEB2" "FE1A0A194B1581F6322D817AFF2DE7DAA96F4A725EBBD8C9FC9" "C815D0A8E9FAC425F278F121084AD98AF9BB119235FFFDF1751" "AB6A805FA80F43A5682C2FD5BF9241FCA866DE6B5EFD36E6923" "13F51FA8DD64B52DC2FC33C56687417C942680676143A459068" "401690DF9213E18604058E74011B111F1410531FBED32567AF7" "A0319B5A4A717F580D16D9E9341E78F717E27258A84A2CDBBB9" "CA118FD0F81568639F40176A1754C743B4B5E377DBB0175D160" "B414")); test_xof (&nettle_shake256, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("B32E9585694532B1018B05B9DFDB23B8924025786F5733769B4" "913B73B0FC35513D4C0FA1A1A5019DB5FC807ABADCD4589B4C5" "658A854FC919105A5F08799F7CBA3B8DFE72DE84027B341CB19" "46D6A4A907D6FFBC15B6A00805ABE25047476B99D53A6AABE9C" "758B3BF4476DFEFEF2E366617A1407853B0D0278DF42FB7003B" "B1610DA2AD52422A0ECCC74818EBB4DF264D0ADB9623B9EE0C5" "371E9F0E73D7FD31A2B41F9DA8C9955310166FCAE6BE9AA75D3" "F7C532F1502BEACFCD81A034B5D4A87647A5B9E2C49B7BF055A" "0F4BC3F555FEF5147BB7B9BD75772878FDDCFFD58FF2B09A61D" "6067C0F3498EFBB5FCB736813F798E213102E47A3DD61A6BF99" "DB2834DB63BEFDA6E290EA953A8B96FA37650DF510082294891" "C86892215850A34AF1EE0659694431DA636C9BDC854AB98FC79" "6C28BD6272C9C5DF1D199CE9F55BB575786EBCD6851DAC97924" "AAFB102491BF4B80351AFD26EF027C745F98607C19ACF96B66E" "CFACD4C512BCC9A8E609DE5FFCDE0DF0E77760D8D44F1230133" "6247F53CBED8894831765D12221C902127B65DD549E6C32124E" "0CA555586FCA8043097B9AE3D9BCF899FA06EE5D0A17EC0A2E6" "57E37CF5D4A55CF4C99E9F10691602412D27F9B8DB5C4C2644F" "C822E11833B32168AC89F2D591748D12B527FD5EAB2291F2015" "79A48AA9C370979DC2265B873AD65266E98FF668579B0F4274C" "73F9")); test_xof (&nettle_shake256, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("E6BBDDC5B154ABAB888F4E00C2BFC18A200DB6DED8EBAD70ECE" "03D10D123C52D4B5124CDFDE2D5A803B8BE98C646E29F64F2BD" "D55492531B2741C6040FC51F7DF18106D9AAE62F1930BAB26FD" "5167D516C4E4AFD3035D6AFDDD06DAA59B56BE3F188CBC11529" "909F6CA0618C321349B1B918C1CEE491C8D7996F10B02E0A085" "CE790648C586710D4916A528398FAC1E1FA71971EC85B203B83" "721AA006D7026C2647CEC53296E80EE3FBB6B880BD296D6B9DF" "FDF40C5537551EB0DDE86E85A72FD280888C08D67A9839EA618" "49B47FB010540BAA15530495CC8BF941F82B4B3114F6AE055C8" "52B0978ECAA67108AECEB12E78C339071CA058FA4A534558899" "D71ED36C2164DE0C92612F07CF465F92C0A1987F7462AD303DE" "358DC9C9929AC205F366FE564C0B32B1E4D65EF4E0B45B2AAEA" "6A93C5626ED40C597B54A2074F255FC6C33F7DE535B5041F320" "85274EBDE9D7ACE9B458E7E7CC47193428A8873560C561230B0" "3A72D993100B73FDC24231A39C227B05630B328645349E0025E" "F02002C34E6A7EF07AC5F7E299CFE0ECCCF01E1DFBDAC9BBC95" "B09B2EA505D8E74C85B9BC8E939363F3F062260711C44C132E1" "F3663123EC0B0A253DE7DB1DC2A08481571F64BAC3FCD9EAC73" "7BDB42AA4D392DDF9547126191DDCB2F88A5705BEC9BE7C8D88" "E9521EF7BF9753155F6F3A75ACD4C9C913785CBFF81761DA8DD" "73B8")); test_xof (&nettle_shake256, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("F40B4A6A7D88482C5BA65D17038D68184E1AAD676D340300301" "7A4348A7E3ABFE89804EF65D96EA5A467CAA938702071918452" "8944AAD358960B66A0E78F2E4C19F244C82CB0D10BD1DF49CFB" "89C24FBCE8AF1DC6B13DC61F40116ED3D1B51B80ACF08A7A9BA" "DC6318DA75EB4CABBF4798923D639C2C3C24778660089384DE3" "3F0EE7F957C78D4BF8D74EE1E3EA5E330C350584C319298166C" "DAFFE0C7ACE6A50D1551B30FA386A0ED5C20DA31DC35FE2DDB7" "FF030AEF1C0F2ECB0C1915554722DDD5A38DF758E321048FC46" "43FDFAF54AE558F9B40EB38DBE516256E8D97701022B68E1F09" "83A14D7DBEFB59DAC5073062DE8698BEB9C94DAE0A49FD51A66" "1FA6AA84FE1088EB4E0F964953625A898B03993ECB248EFD5E6" "6380667C2ED185FC568AE58E15B5A57ABFD84966094EE5C8528" "4F3248C92E1300DB80CD6AE08662412D01503D598A1FCDB0EF8" "CA773EADACE543B867BADE24EFB25518E59E27FC921D8DB6D3A" "C286BD1ABA53D48983DF63D493F95B88610CBCF6DE2130AD63F" "B9860A839C3F98F5532B90225D1ADAD79B478F5C9D836435A9C" "9C0EBE229FA494B5F4253DA92C7382AB388C4F052911E9FF28C" "C43415C8A82065433D8CDAB9152CC13191F1729EA95693B4BBE" "BC3B03F298EF6B3739A0F34A545198FF5D2B4292AA8D6A04271" "463DF95145C99EC769167761690C97361984A665B0D5C2169AD" "DED2")); test_xof (&nettle_shake256, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("92951EAA72195331ACDD63572FE112E0DF4B43CA1B67BA5C918" "4DA5667A8439E3AFD8784461010EB80178B07F278C0BD52582C" "EF5B4D869D77E764342651ACE52F1F5DBB5316A36CBE2D6FA45" "5403A8FF0480A5DF002396B8E444B9005A9A97D301529F5FAEF" "77C0FC04C3B01C7C4907F197927904BC56DA2F850A0767E91C5" "B77D8A41CAFCBDD5CC768E220E844786093CE425BCB3BF6CF3F" "E9CCCBF6A5CB84D46AED8BEB079AC0F12F68836A71D8C9D738F" "9BE5A8311299EEC2AE86AB774D0D8345C6FA7A341223A43DBB8" "5AD5274806B23A3BBE312723BED548F4C64353EE2875A44A8A3" "7153DAFBE98E96EFAA402E7A68BCA09EDA8A744C3BB8FCDAEDD" "7EC54CA4066B69B4828AFE6285B6909BC2AE96CD62F3A523898" "7279F206C2593FD2BF4D5A643484A5155FFF290253650387C7B" "DC0B3FD749EB1A84F7A11790AFCDD3FC72FAE3BBB1C55596584" "B7246E77D0712562AEAFF1C5316A698DB9AA3524DC4AF4AA461" "9C5F9CBBE41AA1FF2A0BAD12F17ECF7C90E6FBC20EBF374D633" "5EF245BF449E3EE5870651587727D35BBED64885A8D375E43CC" "350E398C3D5DE83CE92354C08E16A6AC69AF10EFAEC2F0268CB" "7F998CEB45DB988B193C8D35E89A387DE6C212A2D2D5A9FFEC3" "D4DFF92D66992563C85E4E707730BDB669783357E5ED038ACEA" "7D8214313FC027733D51B2D21F47666DAB6C6F3E50A335E83C7" "2ABD")); test_xof (&nettle_shake256, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("9107BC54F9AE29BD282C37CF4BE15D2EDC4B5A20FCD8C131620" "CEE6C9326AF25896BD25550CC3B46C19BB58D825A7156A4AAC0" "AE72E38601AA6AAEDC4DDC578D145AE8A0AF4E630914B49FCD3" "9C41924A19ED6E52EC150D1BDFBFE2717B9B46D6BE9BD637876" "1F167C1133EE31981F9B681D674E267B3A01B0F455F9A0C86B7" "E6BB3EDEDC2DD86C8EF6F6BF736BA9CFC4A20E602779F0CC626" "E0F3513807C8BC71546DD1E0E5210A6ABDBDB284F90EAEBFAE9" "70CEE9EB8C58A5F0F197FEB3292AA8EE814DF5D86D6B1F43AD7" "87E82AB6D1C01CF44F3B32522609CC51967FA9D2417A8B91461" "B41A5390BDAEE3763E152A2DB2E8B7842A73F1E05A05F7A7D19" "FC88F576B049F87E85835EA4DBED141AC1321B47AEDBFD285B6" "488B7613206E483559A8B0725D3091A04F10736EA1920FE2346" "58AEC2A5FD0F85F50BED9EEA3E5513EE3B45F0CAEE09A1CA3DD" "8E96EBB408EC6A31F07ACEC024097C20038A6DB8B5A10396C6F" "3532D8B356BD664A9C3C153D2248F9D8587D21AD3ADB20D06C0" "20F5AEA40E96C776202A17740F59BAC12195B49E19ABB87F693" "BA0B1B414C4C83DD7474FB212F0F8015D0019D33250BB890079" "278E027F0191B1A92FC40004050C4E88D1CD3469B656A2F6D1A" "B9E49118B18701FA85A5B1497F1FD0D3C999567F99D05CD8F20" "DBC05333F547598615FEE2452861AF0CDE27ACC4D763074DE84" "0004")); test_xof (&nettle_shake256, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("02D21B8FEE4BB59B4D39D88DF91B675762640994D3A300BD725" "9A3E97DED831112D27339FC4F59C7F17DABEED310EE901D829A" "2193421C4D828DF1248A68F6AB928EE87AFD727DDC2766DE071" "103B144040F9EF22592599A0FA6CEDC2FCD9A774BEF862D2D51" "C8E2538D1DECE789A6756A1F9034C0949C3FF13190A141F3DD4" "F015A89DE643D65E5EC4AB25300739892A81911E3C48D8A5823" "9203C7E828E8867230E46BB8BEFD018E9ACE92061E2BAA09B0F" "B8C0CFA7FD5024CC65826AA96BDDA6E21ECB7D0D77FE651CC25" "EC260C1C41F4D0DFA82963A2EEEF0AC0C6123D9726A02396A06" "12E8BA6CD4988C132E7CAB1B5097174B6BCA798C7B04E5F7175" "A3A5BFAA9D23DFCF5E531557BE9BA6F4B5D806287BCDF1CB503" "4FF94F709544E81D856CD8A1380774C5361710460D52CDFEAE9" "AF4AF3E9DAF7E6B679A6B881A378A1254DE7105396DB2449737" "3430C36D24BD49425E7613FAF651747217EFC4E24A761CB4694" "A2AB3E0B43A8A4CDA5EBC9D7299B27EB600122C7EF54703E48F" "51DB2A5A8F3EB59A2C174DF966AD728DF0BC2E94418775E0186" "D3A527F86547980C8998B32F0365D9E430D33A92CF081A15258" "92FCCF3D8FB4DB1E0A728A856F2E2CC8EC4A08FEFF53DB85C66" "20CC8B57106097A96B668F97C3BDE8CFDC9600419B46EA24839" "D27A574BF63147A97B2B48CEE1C6FDA32F3B945E36FC03EAB48" "5B4B")); test_xof (&nettle_shake256, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("76919B60D28A57717EC190FC9990E32020E6436828D90D8A2F4" "A7AD21F18A4F5F1CA753ADCB0AA010D40334D1E58B8BD165B01" "51E631925055F4800DC01D466D11E88AE945545365B7F6072B3" "6E11CB6F15DA6BA3B53E12473BEED09C5AA275CAD795E03838A" "EBF74A6B1A3371344C1E3104CDE3C768026963DE2ACC8935F51" "62D1D09C966B5FE2943CC723E8007559C0537126400F1A4C3D9" "004DF88126A23F9051630DE9FCAC524BF4A109CCCF5CD7F7972" "B64FCB5A8E5A78A85EE82FE553AB90754CD12EC77E2E3CC09AA" "1F172963DA44D29FC7F95F0C7C1207BDC858FE8B9785EAB55B6" "EE33612863FCFD1668A2FB13715F7910968708F22A9A88D97F8" "4EF4212551D8FCB05992670AAFC9EF5CC34F0843246241C9EE0" "11470131E0E6B56C9EF6A0E38423943BA502EC9D08C39F70797" "BD85F6D9207684022CADC282EED833B43CE450445075013F1B3" "270492AA6E412CCE8E9D9534C0A380B45CAD9328610EF3FACEA" "7FF5199F1E4D0342163B16961B0F98E46E8615AE2CD74D92E2D" "F30A3DF00BBBA2AE43A67F51EC52CDB37E00D979ACE6AF3AFA3" "4A58B8CFC07DDC3C98FBE4A5E18539D03ACFA18152F4CD32CBD" "84AC30A99C325EBD57EF2870F36C711900CC23539BE7C19DC94" "F75457BDFF28B9B5DF876B5576CC37FB30B291DBF44904B36C3" "D96747DCD92A1550CF9323F358D15471FDFD35C2F4C4B104CC9" "1FBA")); test_xof (&nettle_shake256, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("72A343DF2C1854005653E1EC9C8F9492AF9EF7FACF46DF729AD" "910FA3A8B830971D22D5E017ECD515C0E972197C87968FD05D5" "9C570634A3864DFEA159229746A967A2847F0F4E3C48DBDB21E" "BFA400E18BF289A2B146758EAEE64AA200287F7F55E57817ECE" "0470C35531D35BE824AD7E825E7A1FCA07CE5325DE6E27D6C6B" "F1602EC1069117E230ED9A0873D6538881992FDBCE93A4E1201" "3A56F4D22F5846B4E04BD15E9AE9590C703EE7AE346B860D1B4" "B181A963C1DCD36AD485AA484CE534138789C2874AB5888B70E" "278E30534ACDF0D9798A44E1701D9447B5D6FD212344603A269" "A9D2E0437304F5153FBEB7BB5A1E437B63014ED6F01D4F6135E" "F189EE290E30C25DC2F63B7D8CF19E9D7959EB2F61703842E0C" "89EA487441B9C17FA6800A63C411F1D3FF4C35F1E89BB820D60" "B25CB1AD71E6583390E753934759A5467680405B1C9B6E391D6" "DDC4510FF24496559FE2604C038A5DF6638FD7F7880E0847B88" "0C1628F47BEF49689D0C31C4867BAF6FCA08FEA898056DCB171" "6C95341ACA367BCD9BB372A93D2FCE947B5CAB707E744F15FBB" "85230FE7F86A9EF7C36069CA79D781D1CC76193D423229E51CE" "0612A2D61680D35CFD5AA482739442F94D205D72080BEC7A259" "B23B8D9B4F76F2A75235CC3BBD6738FD870905FA21BFE1315B0" "C678D7DB5F4DF36F5D43D04C11F3BCE3FB71B3B7AE410AD51CD" "E033")); test_xof (&nettle_shake256, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("AD4DD99AA71DBDEABF22FC7C82BB839F910A22E4CEBF8317899" "D0AF87279EBB321C442DFB9083C4676C16506C4006F18E8BF84" "EA9024B1DEEE4ABE6F90DBE0EFFCEBF4CB7B94D8A8B107C5BC3" "198277BEF87C9760AE2BEA86AC50C39A666AB09F276F2FA4C1E" "B5B8C37ADC3B4C9DE4BDC28074FF4B997518B44FE49B0D4E4F8" "3CFE9E12EF7389625766A54BEA82DB3FB57276F47C418BDD5F2" "0C8146C792DCB8E42C7ABF09331F599318265776CBB19C65BAC" "6DC4A683956C052AE5CEA02F1E4EA690F9E5D3BF3A06A726F0E" "FB6DAB5350753FFA7ADC477E9AE454C5E18F9D64EDEF0157D1F" "01FA78BF281468F14D79C39405D2B5B604C0EE116731C52C243" "2488C45A3E56D3F999855631381B5EF3C99A0352C16B92812A4" "889C1B8A72C84273A90ABF29C7EAD82F2E7C6DE67E7369DC02F" "B0F1D62BB8D245030A6D26E930476171547F33B9C9DBCD542F0" "4C97B0A278D24E2BFEEA0209FA83D634AFE65EC9E7A5550774E" "DEDFFA36250DC5A400AE5FD6696F20E5FC6AFB15F54C7240A24" "CF11BF16730B8E676F948304D3EABF315E95B723FFBDE6D931E" "CF3BE6C69D8CC82F31D1F499BBAD8ADA9654630E7185BF6C1D8" "82DD700F7F1B1ABBF384F58994D55C9E831ACA847B8F654B070" "F424267685103BB339A4CD43DF94894E912B64ACB15AAC65FD4" "96424FDF02BE7A96E161CB6A0034997DDC918F6FB604D6DD55B" "4D92")); test_xof (&nettle_shake256, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("7623AEA16ED0AC8AF23A7911BE015D44F93F3329AD1C0023BB9" "A6E486477D9CF5307B358527BF479FDAA473FE60CDCE59C33C4" "D1DB930057438CACB4006D2E6C327B3FB033BE384FF07EB40A4" "4AE4D39EA9794C29C9F3A91F679EF4690C41422B193929654D0" "0D44D06FCE9B35E5FEEA5C20CC02FD104A74764F3BBFF273086" "023AF4AFB3A29F9F9836C17C5A883BFA0FC4D8FCC9808FEBD82" "DF88F7DFC3F715C8B07DB1F2B61403CB6F4F7B18F898FEF9741" "E016CA0CB3A4B8F54F57DB2F2BB63289AA38A7A9FEBDE32089E" "4B479D9CF184F7D1C418B648CFE7E6079F7DC1CC35F22E31E62" "0704736B44FE1E3A677CAFF61FD956883E6F6CB278284A05BF2" "B4CD9B832DE2058FAB356052C55B03D245BAAD53B8641444101" "0767ABEA201E26F270649EA35B0479A66ADB9439C57A77E84B7" "54A7E328E4AED0618742CD49AEF0AF116462F3A5B24343E141F" "C51F6B9FF376A30989B17BF4CA9DC2ACEBD4F22D8EAB082E62F" "FF99CFC55CA5E7C4B86613356F1CF05A9A3E8FD79123FB19627" "A75810D3AF44213DFDA590245FB22B48E8EC5F58EE1D51BEEE4" "D6BE0BDF7E8D18AEB37995D602E1EA1FC25D0D47D64D8A88B27" "3FA8CC649C017A63F34C140A1D801F2558C8639FBEAACD1D961" "893E111450B85ECA907CB3B66027587FE9B39D635D01C4C3695" "89B9D8907D54A9B73FDE7FFCED9FD443B18892F29FDEFD7B3E7" "17B5")); test_xof (&nettle_shake256, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("A2CD7AE2955E2C2CFDCC374AD99E46F29FCE072E2C085E0F022" "81A4A85A822A2424546410466299CCA501BA5A86C12085320D2" "D0116196CD31E67E175BFAB909E279846C8FA2CDA475B0C9D60" "4942D6332F3ED46E81D3DCA880527DEBABE55BCAE22C98EC428" "22BD1874561E7F8E8CC8092DC461577F2AE548580FAAB59AFDF" "EBF359847DEE5271C2E972C12D13424A50A9B3DC3DE5FA6F5B1" "90F3DC060481118A595A8859ECDAC8C57FB16FD4DB9802C7BF3" "44A68A0A91CA8629DD0A8FBB26FBA0E21C4D953626F66C0B33D" "30C2569D73BBEF7ED708212B2F66DDB9AEAC459A11C9862CB56" "74885619D240BABE380BBF23564F6D946D03AA544E348943A48" "8C0FD223B36DB5B0EFBBE5C4E1253C3FF6C058AA95A80925523" "749BD228D89BF99F5CC681237FDCC8C872F652DAE6306A20D94" "22818A8DE2FA68C5A334EFE828A20A48CBC49EB6D7ED779B00D" "F50751446D0C850FF1F096FC50A03A8C407B8362CE03690D2D5" "699C70313B4F2D39E18ABE998EE73DE38308DCBACA27B8F6CBB" "3305B35C98B620A811C94AAE44B5DFA2F8664FB678FB1D73DDD" "F9FC27CF693DB9D5CF3B46C185B72C33E3BD0F6FFC01108C8A6" "5772ACFC13DEFAF21596F2C9B9512F369588F6F8767FF61436A" "C67ECA3DE25D6C5A9746AFB3B3464A49F3A583740C432ED806B" "FD16EAB27D59A12975D7D09F7ECCD67C2527333FA95509F7209" "DFCC")); test_xof (&nettle_shake256, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("A74B8704CCA1F4234742A5C8AD6B138E58D56281C98D95F76BF" "C0A0AE309D3DC227543F9AEE711C85021B89F259D002188F4E7" "53DDDC4340DCA27B84445AFA007A1E502A1903A857583796BB1" "24DDFD64B5C91B69CD9B230F27DFA5D22A09B07FCA1D860DCF3" "16C22E57DA3589FB0F07ECF671DCB150913CE8606DA9CE39A58" "57B8382853056A5930F25E3647015B77B2DF4954314F1F8B1C7" "74DE0BCD1842CAD3BFCAF5DAE8AB9D77290DDD2112AB060F5B0" "17630C318A1A3DF5C15E6F8AA348EE3F3C171C4E8B98CB4A295" "6FA240EB289561E7CA30EEAA9CF79683DB7A2B0F28B3B1BF30B" "D5A62C96ECC8BD74D1F2D131295597C668838A8D3B20CE1A4EE" "4D1103DE547AC21F6442DF2CA10181319C76AE5827FD60EABA7" "C788CB369591E429B5DBBCD95049BFEE2A5829FFA0417772DB1" "BBFAC2EAF112B9712A02C1ECE830E17B22696AA6688E08BC705" "EA7F7010684D7006BC0A017BBAAB1D6119B1B589B326F1936C8" "2C470245298F2167D884398ED408814323D369BD1126031DFEB" "56A160F90359054400DB3B3D267D42FFDA5BB710643721871DD" "4DE52446004AF00BA55706C93BEAF01F8D77664AF27AAD65C6D" "61FAE24E65FEB4310AFE6CA5322EE4DD2A55CA5FD7E651AC8D3" "118C0FDDAE4B2E42862AACCD8CD2134340DDD760BC7918A461B" "16ECABB601861B58EDEE6E78AC3FF75055997ABA8C0C57878AB" "A5A7")); test_xof (&nettle_shake256, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("4E12A03995768C80408869A5C45B174783EA2FB5E4C153A2C01" "4A3FB8AB968D74C9B835D9C4C5FC304B5E68CF9AA72C2ADFC2D" "E961CC9A90E1D515A3234BB79DA1D5FA330C03DEFF46D304F0F" "0378324BE4FEC285758B2DE3788E71EDCD05754366C71B783A2" "6D105A48BBF51C4F4E769BDD19CA477D80FA55695A04B06A097" "0B98BE48EF1E861F17B9540E63F54B6156FC2996B2D2CA69326" "E0CB7A4A5761B39FE089017322BF23B7B5DDBA1490541843BF7" "03508F5512117370253248F23F30DCCF27061B8F81C1090CC8E" "D866263FB50AD6F3A027EFBDAAD7760EAFCEC0928BA40173A50" "C61596B75AA4D72986A8BACBA61DADDA139374D17843735136C" "8DC0E14C2EBCBC9EB110A682CB77A72E790C68E11848431441F" "F70CBBC513A9D389D349A63AAD6A948A42DD798F1A576DF57ED" "0613FFF5F569CE5D24061A386B2A5B4B1FDE6E3359CE4125241" "628B9A882CCFD34F266BD8B7806392D52DC8CCED80C52ECB632" "1CF3B3C911D206809FAF8FDA3F918F93FF507089CA4BD647AD4" "B5498F0FFCC7563FE5DB7BCD613B84EDF4A95A4F8D29E3ABE0C" "39C8A76B6FB5DB51DB09A21A48D3E2C0786B6A13351715F8DCA" "25EF288C46631B25D55A7473E5059D6A16661F948D8A7C1B4D7" "A21B531F915FC5A18305B6FDAADBC1F201C9A09DE221ADA6DE8" "BAEDFA4614E578156137FBF43896CB61CE38EF386FB68D55311" "C63C")); test_xof (&nettle_shake256, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("8BB1E121FC89EA0F3D79EA823D876EAA74B6CCFAB369E7E4783" "CBCD3701875F1BE59B0F8B48C2587E7001B6E7ED1821E264906" "9E84201583B2562E5945AF5CF734E2F0C6090DC8281969CC95C" "861ECAEECB1CDA78E8FE119B60B05C54484BAC951B7784ED025" "FB878E29215916C5886B85B24BB2521FEEBEC3B8766BA14FE47" "EE0E81DAD68B238905377AFDBD55E41364A12181D46D2E272BB" "F1FBF41A83C29ED88361435396614A23730D84684D3F5A622A2" "33FF1AD5583FA707DB008E3EED5A9716219EBF3571FB1CE9842" "D4A37B519767B7392F008193DE676F0CD192CD6D0CF651EE5F8" "331B0982F150A7DCC264C1465177AB98CC590BCA81E981AD2E9" "8E47D2D855C0A74895970A96994700A5D55CBBAEA2472C4160D" "A0EF3AEDE987A99065948ADC558E7CB9A952495F70CEDE70CE0" "E3DECCB798EB58941F38C4B13C28B2E5CA4FE3A7CF3C973EB33" "91B705B9E9E7689E264F878396F438C393EB49E70D6A2BB0A6A" "92F80FDC2C2F70AFBB2A1DF1EC4634BC0CFDC9D1239182DFCFF" "D30096E11FC4A32BB44CF510A44D35EC3CBFC354E088E0B5393" "2D0DE4DF83A963D902971392B74D95C475D26184559F6F9F5F9" "1502A07011B9070F8E9BE5F5D1E599634E3BCED756A49AC7CB2" "73396F7ACDFFB3BE1E441E8D8ED0588D0931353736DC1D9E889" "650B503A4FDBF5DF7B5708D4218404306B0E11AA08067B7DBE6" "3E8C")); test_xof (&nettle_shake256, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("1887576149594F7FCD27145B5F535219BBC4313E62E7ABB6393" "D6015E8E45B48A211300F8303FB9BF370FE0A117D268624BB74" "1E0BC343487015872E14F84B1EC1E2FAEB828F521ECE9E7E5EF" "B281DFEF05D86BD8EB0B51CF4C46D94EE0AFC72DA29C3D77EAE" "E07E24035A68792E8EAB1E0B96282E1D95B1B9D36B09D6A2E0E" "DD37227B0D29F9E490F1D6156DFCE1554E69A49B7660D288CCB" "6FAEF9A40F656A90A825A07C5EE0730926CEE14FF2694A3BD10" "5D889C88A8CA1D271727DD0FCC0DDD1CA2EE955D02CF8CDA7F9" "E3A00B4362C69AC631523345DABD396354AD862458736D1BEFC" "4BC35EF4775F02F017BA2EB9FFF9229292432AB5603BA20342E" "627D380824050FF61C23B5E789DF2E835FD56C65FEBD001EE69" "60C782B627F90A7087EE24D32A85D0D780A8911945F3719C5CE" "EB9C7024DCB112C0FCDD72237040C5E964CA57EE504849E3015" "C200C44CA3A0EEC097BF718F6959C4D3E39455976F98DB5FD84" "F01EACBC1B2B57B6483C9E3D58EF76E18F8FBFA341E6399A3D9" "86834E315A2762D239DBB6D1EFBD60BA4EE974523D2EC7A9F0A" "171484D3F09D59019FCBB6A480ABEBFC06A21DC5AF8FBF1B538" "8278CF84311E56329A6FC3A9426517C3CC581C8C8EADA1C656E" "568BF108F66287FB66A405EB307EDA530C18DB2CDEE78D8DE9D" "CB8E93F195F54086F875935F7736C7C85EAAC106F00D28D6753" "843C")); test_xof (&nettle_shake256, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("EA520B7CEA0750C8F1AE4D7E5C80E95140D5A980D68F48807E0" "408A0D17DD084575191EC17A8D5B3D7A458774C453124509AEE" "866183DFCA7636D743B6B5798C4D62951D7DB5640D1F4467D87" "03E08411270F3493241AEF38FB757F00F0EE6A66C732F138294" "076DE25F0811E8E1BAF602E9F38CF92E96ACF630EBECCD62C28" "37DC0F361C014698B3CCF586D372BB0591AAFE68D138E1FBF05" "D205A6124B0AE5F483BBB429EB1BD517C799FBD2B9A154FDB7F" "687DD320106793D95D2ACECFCB4811C627B3287490116C5F5A3" "082B0C2BB3B703FB2BD92B65E1CC07C61E1AD67C0F5B45C33C9" "81E56CEBD6C12D00D9D33C5DAC18A41C1025AD24798DE28518E" "5FAA6CECA295CD13254367F04CAC72FE0A0FE87214103FBDCD9" "AF3FDE362D6B7C0997B86CDDAB824210D1896DEB7C75A3EB92B" "E415F450CD62CAA1FE4D7A9DA2E8B57F2C31999F81CA8A22936" "684133DDDE9FBEC522C92B928191220E75F8FD20C29A1DA6624" "55FE7B94A2292006052B354DB4F03375ACB65044C2FDAEB977C" "A8E81318D2EA95C3981CE76DD9292678BC5F05351D2B4A4A410" "DEC6790DCFA90AB7D9F8D7FE71B1A1E22BFC3EF06F21C7C99F0" "1E11060ABD9122DD3FFA6F0C2B402D15C6D4E8F8524A5AE6F12" "48B6878170F8B4A7D95C85B04587066E340156D80B20E708F54" "70801F4A5F46A74DEE3332FB0ADF0472CCD592B2462EAE969AC" "5140")); test_xof (&nettle_shake256, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("AA38A2AA24D83C0055C05A4D8E5FD6E538DDECDDBC6876D8169" "00F4329A5E6D00A25B14CA626F3C9185590A151E438CEC7164B" "D7135BF60AFB78AA0C4148FEBB606C50A0449360952C1BD6C46" "54804102521315E457AFDFA185565D96B6B230A4B36E0DBF215" "B19FB9B0BB3CFD6A8CC2E4ABD6A1A50D978EBB5D351F7A65D39" "855E9AE57D7343E8FF7EB6FE7974791EDF14861F30A428CFA9F" "A08E3EC4C4F1C6C5CF29A06D777459AECC379BF17E89A54B753" "FCBF3846835CEE9FA834CB294AE3699893ADC7DE63D96F1F7CB" "60739E7D672A9D70078F9903F6617EAD83EC5847424EBDB89B9" "A07762887F3A4CE8B7A839F0FFDEE21822DDF92A73E85F112D2" "A6E023C620056E97E3435CCC172E768A195BA50F0238AD3A474" "FDDAD6ECD5B90262170DD026826F69CC2ACE1D7D9AABA9F14C7" "3C6F114ED5E5F75679679B7A2ECC81432BCBA993C4E1CAAD6DB" "7D9908B56E1404EE5080641A4D261D488457A1DA7D5E1F09BFE" "9DB23E3CD4BE23B8FA84C93011958D57588A06D8DF433428AA1" "3CEFD6EC348A52E0076564F0DC849058A601137835F90478B41" "BD58D24ED9B5E4EE5940A0963BB4FD7A2F5817BE1903AB7D960" "F58EF88A310675AC0452AC6D1EE0CD65E2114865C4ADF78B983" "EB7E894F28A716ABBC766A1BAB1858641C8CBA3A18BA55584A1" "FDC2F80A61C36A9A56CD0289257CA0402ED99BC680AADCB2928" "7119")); test_xof (&nettle_shake256, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("42DB17A940111F1A93B0D583F6173991252286BC5098E136D27" "196697AE45B878767E17AA8E826DCDE186CD76F2024E6772A0D" "EC4C4A8DB71959D75CFEF0F20CBCCD85F15AB5960C0CCDA5F14" "BA0F02958752A0494D4B50E2CC67C554196BFC061F651440C68" "12CF5319639F93DF1FE51D1511DF6A3A6AA6538F46EA2D00A3A" "0F64B25CC9EE8AD05E321649987C36387E2D31DA77EDC1AFA96" "32D77EE2D4ED54992BD51490A34DD743DCEC567DE957D55505D" "1D8DD43BE3309F25AE61275203BD9743F3027B9F34B34DB7504" "C2D7FD1AA99B936E7284F9E252DF2E3359D868C0C83AB140E14" "C01B4B650D99AC6DC54AB35DD825116EA96C5FE88822B2D7182" "FBE9B3F3CFBEDEE129EF0814C171A207FC9793E1EB72EDCD605" "C3E3B1534106093AA550BC8CFF8DE3C5D7152F18C87E161DA0F" "C90594161F03B0FF9F9EDD41F360DB7347B067D8FE1E901D78A" "77F1EC44E33ED7AADD463C7D676E50B03A92B5417628CF986D5" "F93197333BFEB5D7B6A7C7863707B7EC032E3F5C62CA6A02938" "313140E62479842F4CF68A54A14AE0AB35538025920F3170391" "69636F35F02A8E05C344E15492EA02164C62392B0795D4889F7" "AB68AC969B3B096C21CFE179833BA5FB857751C4713FC928B46" "23DB593C9458AA36BA3B3693E07C3C5C84470F77E5CBDFD9770" "877A0999DCF8FF1AE27F51B65AAEF9754E8A71739AC00BE0F94" "58E0")); test_xof (&nettle_shake256, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("82F8C16B8487E008284598FED9C5670C86FE35C8DEA51AC59D3" "8722829C94094BB2766AA4CDA3139A15DD2AC0309253EC1A15B" "2969F84899637D3E2A5D55ED1E87561A546A2A7C190008BCF3B" "EC233EBD1DD55242D7FAC3A522C6016E62670F66EDB6290AFE8" "01630E2BCCABB450E4D44A9BD8F63D4B04E9F280A2A0972AB22" "9351906F5F32DE714867E8F04D276488F2AA5E62DB8B6342874" "04A73723ABB7E152107A6DA60F0C7EFAA953DB706398A09835E" "5EDD99393DB5A162FE3E564298395FCDAAE8FA7E7A9081B8E14" "FA0E99E433E0D44326DC2E9E33378EA719EF780D303589F0A63" "841B5D5D74EC6E2BB073B55287A6419BC6AF759D13F8C8875C3" "72C12D392D7F80608412EB9A92A786048BF9A6F03D11C48F48B" "96FBE8BBA329268242A5463C49B112AD71B8EC42A9A7F272F25" "819509E5C7A10D9C9F1A386E034BE2A89AE28917CF014156211" "C795D9D6EFB267D8F2BC48B5AA767CF8269A6E349701E77EF69" "F03FBB56C8E2A0C90905F1FDA649B75D716C67894E932C63B13" "911C80339A1DF4B7AE2035C7572BBB599E66E7CD9CF447F4F1F" "1DEB63F64508EBE19485DB3EB98607F3C87DEA60FAA331310FB" "4BA5730CE4024E07B4B134286472BC7B6C816C3F680618941F9" "6539B81DF82CD15EDD426206F363A9E487C9FADBBB9DB90DA8F" "2D73E940C515A7B4FFA07443D35CAA0C89EE9E511D66C2C8FE2" "F0FF")); test_xof (&nettle_shake256, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("706CA15167517D46C47844D044D0FC94CAC5D23B90BDB64CE0A" "2DF052AB37C967E57A476FA23C4D3C160C47371CBADC07A48D6" "A7C0E0B8CE8B337CAC62E74E10B68C6FBB109B03547CE998780" "B605429D6E3061334C702B218C1D6686E3E8C7FCC2C4DEC034B" "9FE68572B45E58DE9661216D6A232D13A0EDDDA45892A4ABAB6" "66CB528694DE50A50D1368BE99D257BC8C245429FE55000D3C9" "CC861FE9228E6EBFB7DDC53148B530E2FFE153B8F40007ED321" "B4464C0BD5DE00C9791073B199AD57F6C242F7CB772FF05A06D" "010D156AD35DD0ED74C9593855576B1C7A4360770AA88BBF56B" "65395B163471E4057D27B59B554EECCD9AB8F24F457E400150C" "5F83B55D703620D68ECD7A01A9B3FEC468B75C0F8BBBB083883" "18D50D38BECDCD30F8644A2EBD11FD8E1D103AF5F9B64D92BEC" "64FDDEFFC73D9932871CCD1DC62515F0EFA438393109C638F5C" "11405FD923D784B217F3417BEC855A7CA290253CDD902802EBF" "400015CC2AF646AEF63684ABB39BB98AA598AB767AC4DF96CDF" "631D0500BC61DC822F2C54D761F0C926E023310AC11F3748E8A" "75564FBDB7039CDD3A42B601339BE64BBDA4B3F70899700FBDA" "55D1337F5E33F5B00DF97E6CA218D212EB771ECFE27B265A8EE" "8AC9D9F34BAF279C49B318EBFBA497CE77233CAC4A9146EF5DF" "7B93672A553A3EC46DAFE8B7F93F233161FB91F5BCA89DB4D5F" "2C42")); test_xof (&nettle_shake256, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("A90A149C4B7BA649888F90721E9FF91CC3589E2094B07909959" "C9A15FF010C610824F7A49AD3CA2864089E93AD7075C1966033" "AB55E9263871DDD56943D568FE0867221034994B74A3F855544" "E77E313A29EFBA367F309243DB8A3027EB4DA5371439CF39C21" "EB57823E1E6C73C0707356B68828AAC6C8FD05F222F4C58B33C" "EA1AA6344DC33FA88D9A5BECC263B7CBF00045378910814C77C" "2224E56D913D2CBDC48EA6700DE0E0306B499A3888F53527406" "9E7ED493C12D46D23B7344CDC11B3433E39ED9CFAEA6787704F" "FD63BEE0072BA60F526FB52DADDB41EC7E8216AC2A79BBE27E3" "15A2E2824E1DD0BC2943F92393550AA6DC75F1C9755E5D8F811" "CEDBC2139805D5599C1E1F6D4F56AAD38E91FFB529A4820F260" "D752A93D7BE57BC2F75234FA615AC72AFEC7619E0F26071D8A3" "C90F1FB486497D5AF0EE45FD9D0B4AA0E07201B9E5F277E73D4" "8EDFBF75DF8C3F1A635A733591615C392CE37738851D2AE847C" "6EB9AB5D91DCDA7E953041CC6CF02F0E6604E8AE5756DE52864" "5FEAA0E8F1C5F6F0C53ABB72F84D0397A39A7FA3C7E8BC72B23" "7E0D8B81C91ED18E09273CA20B763D34B779BB79D95C3749AAA" "703DE53FD7FCFB361E2D3E13068FA076021C1373CE99DDA0DDF" "931D2BEDD095A3F95E41A0B09C56D01253F29558348D6F84190" "8984E3096A7A0DA6DE77A5DB124AA442EDC394126C2F67B1B4A" "0DEE")); test_xof (&nettle_shake256, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("FCD5FEF0DE750C6BE7615BCB850676E9E83299C522BDC14FBAC" "162F927B0AA4EA6DD76E43B1500C72BE0D569566B57054B9340" "216904D518ECDB25EF39A62891290A1034F262A5E2C0FB37333" "BBD24323730CFD40FC161EDC37EEB7C69769D3AB1F1454560CA" "78FB96CF133689EF8E75F57C2442E2CBAE4F5C648666BFC7FA5" "DA87E7C0DD4816292DFD56B2BCB383B3FF971185B724430F959" "6F3509C767E159873614B1D4EC45FA8586EC2321B791560785E" "5E3CE13AD5E8E1550A3290175ACF2D78CDD17C0EA205ED7C139" "6BF9DC0844168BA3A66B4CB01C22629C80577DE68D72EDB44B4" "19B13A2DB6D67877D9CC0A0201C14DAD69F25C88C3418AC45EA" "0D7ADA58A02BB7DD0C276DFAB29164E1844BAD901ACB6374AB7" "5E21BFE2F3591B2C8F111A4606C8C52D85B4C073FDBBF25FC81" "758214CA172FBFE1C6B14476532F35F981C312739CE435F7AD3" "D0785DCD648E2A5391B64525A8785F3E06446C6BC1E09BFA19C" "7CE52651BFE1A2E355CD7C1C9CED6540D33194A2212B2A8768E" "7347042B560F68B4E22E42ED8F51C38375F9FA45C133A90D4F6" "F17CD5BF19DC9E1035DF78F7E0077411BFD0FDA23E6759388AF" "C45485BF271C8FDB316A32B898C3D6DCC0738B3AA043ACD1848" "FB7C6FE86A844FC764953D392569520E78FA11BCD6B0AF3BE8E" "7BCB0006F56881889CDDE27870FE7C9E703F57B6CBE0D6372F2" "322B")); test_xof (&nettle_shake256, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("D4C1F39098D123B0DD88504FF6AB424E31F5D3726EFBF86500C" "E730BAE87EC671C97F768F9593C8411B57E306B0CB394F33B86" "6493BBFC3F089FA4E875858FBCE814DEBB905FA7249F7DBE737" "F5F6725CF76D2A50B319D96BFCD55E03A6E923B01003E6D5976" "A66AA5250C337C9C4C402B9733C8F626789FB23FF1043494A73" "960297CA9110D23DEF1D72B601F6C42CF83938003B3A386CDDE" "D4A70B24975C958597894FD6E2C412CDC6E32EA7F398242F84D" "4F4BD469DEE9AD10B717EBAA26F2481224F47135219231279C3" "6867751A476AF60AC4AF8F151F301CACF5D7890D62A135B4414" "9CC7405208212B7547EC0617ABF96A7741EB2E08D18AAA17357" "B4F2DDAB92257E893CFCB91BDD73DFF3F8E6C28FDF38DC89094" "C719E69508AF7ABEE4D1403E0F139348632A45708AAB27D4403" "F5D5B85A81AC72EDE9E2448F1FB87571CCA3631BDA9F9D0DC06" "0000B03450FBC7D98AF74F0B0A8A1BBDEED01C4C8300B05E05C" "F7AF7824B246666EB53119FCFAAD3C7AAEEFE0274A55ABC01AB" "F0A38189E46CD3CE56F0A4DB8E9B498EEC68E03DB7FDC917723" "0DFC72F45A41A7064F42F3C527A5E5473B2F68D1C8BA960BD3B" "458BE2BEF2C3623B38A66266EACEA3CC93C09F4CF566327E78E" "C39CE5541E48142FEF380AF5161ED9C63724FA16384F574B1D1" "CBC3F1C852028CB9A8D1F411D6AC119E11E6202E566B49341D4" "0D19")); test_xof (&nettle_shake256, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("D6FC1E61D2BC27CA5DD5ACD290C2831070E66C38F03D2DC9118" "4AA9EAEAF03A28E009A1AE1C775F4274B3AE6B5491C9B0C838C" "F90D185FE94C49EF46ABABA62D6ED1F550D83466EFC6B97789C" "A36AD1A6A3E6703A5DA9764E47F29C8096E3D317FC7AFF0B79B" "1C278610AFE3F5E7FA7FD52FD36CC9E7000DA809346281EEBA1" "EE9BB06AAD61F3E02CF4A5BB7B211E2437ED21437FAE78378F2" "8B14184B7DE7E80E845837A483C0C6DF8E233687F71F0F9745D" "585411F103356A0C474F9238403E40960F63A3418199325EA6E" "8EADA31C94F78CFF1B83A2EFA4E49045E0CE34A5C6102539932" "8CD7F79A1E4CC792D8AE9F1AA954235B515158BE5F4064B889C" "14A3A83AB59CF26945DBBF70F3A5F3BDBE8674546D6DF384C40" "D56B286D309A114871BC18E144D2334C88C32F141F6DFA70859" "A9FF7D4996BD3FABA0299794E861DB8BE8A324822C4B1DFBFA7" "0F8D9149C3DC01E0E556DC744C98FC2F92C8600C856BD174759" "AF467D6618C4347366CE04D06A0EE4FEB9A27B79BED01BEB7DE" "E41859C1306939D55B0E319DD2E0E001F6174361CB804CD3AC3" "332B8D8A1D8204D5255F81FAA0BDC29AE71693586C987E35C81" "E314A3848B03CF7B37EAEE2AD6ED4736E1F20A098DDAEC612AE" "E17294313DA16453D7901CF80FC729962206AD4820B00E8EF0D" "999857832256E5B784E8A89DFDDD38F6E15DE081A82E19A2A05" "D417")); test_xof (&nettle_shake256, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("F61115AE2FD5442877D08E39A57DF8D4A5F117D57C2688617A8" "DA64F9482F5A817E0D3DFE41A9CFF331F4D5E3240DA38E43B7B" "87925FE378512CD83172FC3CC2396A8ACDBF5010CA576603581" "BF7DF6D7529423709B30DB81620B9F660B5AA82EA6C98656DA2" "7B4709DA85D364EC015C2EAAF2AADEDA2C040BADFAB16F7C2AE" "39DA6A1691057301B7C3252884CD9EE079E68857D6D3B7F4F85" "556140DB03421F09E98B80A8422500A349B5C0D8FFB25433A41" "21B7682F8517500930E5F2766C687846553C9F76DE38A0EE41F" "76D3A22696B95774BD5EB747F6445D8044147EE38B127892F4B" "0B1932470B454F8F1BB697A2F6659AB13F3E2003C97D292A787" "8E12CE47AA9619FCFE2135D8890710B2733DF40FC75DAD57B99" "042E4F54AEA9332ED52CAB8FFDE5195EDA05368B09E9FD55731" "DA20012A7D255AAA33D74E22917E58BD546EE90947A16044B14" "DFFFAB05916C382D1F038B63D2F20DC09C117C8724A4DB3970B" "7CB143B1522D010881FE6663410DB3400DB33B62A6E70DFD48C" "2FE773054E1494944B60FC5D3BC803027C4B12E6A230FE41CA4" "D072F3628D20782CD7DE4E98A29DF083FEF503E46EEFA787F8B" "0E9B1E7C884B9122977532BD71FB63120C1069156516D265FE3" "559B18965E968B9BBD653484866847E76262D0CCBEE8FB0314A" "8C40B8C35725337CA4A241592E47D5B8981D3212C62AE7E25F2" "7495")); test_xof (&nettle_shake256, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("3BBF30FAF9241C9E3E27EC2C17AB24AA3673799371528CB98A6" "D9B91E553553680505D7CD6590377AB54E5DC7D7C72035300AF" "651AB0EA52ABA9FE1D490EE5C95B146138F61F957C5CEC8D463" "3175C99A00590DDB987D2E032547D99C691B32C12D7392742A5" "AE47D03B5A08A544548BBEC45B9580DE1CECB7B9F06A88614DA" "A116D7200DC8E81EF3C7C5A716044133D2A66FFBFA35E1668FE" "D9C1045DA77DF92564F60087D173F71B75F040BC6CC14923465" "9C1213BEEF18C53CDEFEF2FF466A2F16823D7659E04AD61F6B2" "3DDCA8BF35AF892BFB8A952DF4ED254FFAC52CF71F4C872EF15" "EF11FAE9967FC8F1C218E7CABA5382936F4CBBDF7F41AA2A239" "BCF36FE158B7D771BECF8981DDAAAC31F744D949396623CB3BB" "754189FB5E78DD94171C1BD6AD3953DDA6D4DACD3B57D37B1B7" "3FAB0D2CAA0B5B3F6A2C9F324F4B93C912991E50F8872BC2764" "51969FF379AAEFC3C710DE16128136AE0D1268D106BBCE2AA4D" "2DB0C5EDB171DFF104DF4F7D49FE017C82083DD1E9F7DEE489B" "B38CE091C222C3A0898F17A0DA1D4B2830C7B7C3C372FDF2A4E" "9CD7B468107513D6E3ADCC91F662218A7364A7340966A4D692C" "F394443203DCE8B33503AEE6C1259BBCF36351AF93EF01764BE" "4863759ED0ABCA9E59CA6004F2E5738AF7EFC7BE8F9A1E10655" "1B77AEFBFF9DBE99ED5ABB12207CF38F7FB9BA77D776FA0DF3B" "FAAC")); test_xof (&nettle_shake256, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("32FFBC063291BD2C957DCDC76632DD1BCE0DBFCAC549228D277" "D81B6ABBA904D43330EF8081E164D8FCAF520E12B388C401682" "95A63D365B57A7694D4C50812B99C86E036116A07F0164B7088" "537688D4BAF1E0FCDC84C6DA8D92789466A606F1EE25CE7461F" "A65DF04BDEBC24A3A4BAC3B02B469C8E85F53D9481DBE244DC6" "7B8BCE84CC7175113D4D7B2413601E9140B7802D9FB712938E9" "C5034CEEA753B7C77C08BC1C03D511ED0B4D5007BBAC38EE76B" "675B73AEF8623CA9CCD579E28BAE7D695BE25FBDB673F3401A7" "5D5A57D142034A7BEE554ED30CC7F03CBB363C10A54F818937A" "E468F5845ADA4F9A2A1BF6887105879DA745AAE64D87F26F489" "A622370405ADA3D3688697DB8F04557736C51725ACA02E4B76F" "6A9E88DC6D52D5A63806BBA1BD687FAAC522D7B5B0A8D607328" "3659056E784320822EAF70666180ADFDBA2675B4EAD6F6B2EF8" "26E7598BBD8C1956A15C1864D249368900D82498297C3E77A19" "EBE20A111D13FC03CA88D9332F919EA4AD15BE8E397ABA0A4E2" "BA85F3FA5999EB553780F0D2F35D76A63B0106406FC3B455047" "6572E1464C986870027849ADA0F164B48B839ECD3CA9AFEADEE" "3F63AA6CA06C635990922995DB0BB99A4AC4B7F3AAC52069F31" "30660AE0F074FBAA1D103A086B59AEE4DA3188CCA3227670FD4" "3597ABFC1A2F6CFA67FA24EF0B20B4AADE9CE8E68CAB34111D1" "0464")); test_xof (&nettle_shake256, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("BA2B1CEC1BBB46EA19AF7A869FDC73CB3791708DEFDF530DC99" "99E9510FCB02AEF571B3C5E7258D86DC80EDB53B71644110B9E" "82C239FF17EF523840E6AF4D597D814D4E5EC2EA98E451C0531" "8402D5BFF6E6E573565AB640E00BF6F8C3646B3F6656047C60E" "D43393AF7F2D8DF8915A0F6F44D69FE193DD5617FE39BDA638E" "4DDDA771B0E771318A53ADECBDBFF07D6CFEAA04A837034C6EA" "0E70C8FC244304804E0E890F31F951007A2F897BF3F00221B63" "EA3DD8D9D1DD3608596EF7817190D56D36EB99266F83B7F1A20" "80F7A5405CDE86017948BF977C6CC78565B3EEC570B36FC0656" "6909951F31CAD6094F296F759E858BF7AA9298B2F4F7F5C3167" "C145EC126C40F6E5DCCD87C82489400FF8B9B79B19E47259661" "8EED3FBC6FE5545BB3276ED710CA128A3C2FA9B831FA6FA3B12" "6380C4BAED23D9186FAC830891F98C81D401A6513E139F6546F" "065E8AF6E1A9595218A025D8292176F8ACC4ACAEE6308C08DB5" "215FC0064D7279FF6165033E0946FB7C10BF5DEC2D26950B2AB" "DF71AE2B5BAB856386A25117214D5830B7D5E250FDF200CC5EE" "A0085648FA2AAB6EEC363DA41AFD82E14EDA957EA3AB7C65100" "F4A8071ACA6F1891B5465B7C46CAA9612CCB0875369CEC4BCF9" "D99BE35E03AE57C83FC80903AFE25ECF23D016CF6989EDA5B90" "0EFCF59C529FD299CF155A1310B239CD364301F520D16C74E27" "0D0D")); test_xof (&nettle_shake256, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("481CF76E2ED1A1EB74050E9632A3BCE4913D2D516E251816A2D" "55706314D6483B955B87B0A6EE013F248E2AB4517B800E23C8A" "D85926C36EABAB1F2C36625D0492C7F001760E3715EBA80AA91" "2F5E3E1A7918D1EDE2FA7FDCBBAE23FF75ADB2BD88527BCE6F0" "2FEF73175487781F26C7C7DBFD04143B70D636217ABF7EF6936" "4B8B7C493C64434DD1CCB523E5CBCC81211A64FEFA9F41FFDB3" "8D9D8D5E0A9E51BE38DCCE5225652CAB5A0EF8D8EE7DD175B92" "9ABA19480299176D7122CE1A763345A091AEB8C5DF8AB37CD4D" "96C3230E8EA847C1D28986D3398DEA80F2C48C3B4406524BCD4" "850DC02621B470AC7DF27372D95822795E8A2D81AACCD72F535" "110FA01FDF0CABD7D848960603B80758406FFA78FB6C68DB4FD" "F40C146318C2D296CD1A5BD7C1E11EA967B72792A3A7FBAC908" "9588D3FB555F122F7AFB499AA3B3C43E07BD3D8F9FE980213C1" "74D37DB9FBC8ECD318CC207689766A327614ED6B01BB0A5A2CF" "04F5B54EDD97BE72E5F894328EE86A1C9D2FFB65C9FD0FEA4BA" "865D0EA4F16DEF67CE1D6D42095C1C8488376A4326396FE3448" "484754153B2D4A94C442BDE7CF67E8B9994E958D3CC17D5B0FD" "7A4F203024EC29CEBF40B549F2936CC6C196AB83EC8C4585D28" "E31D3ECF5BB59AB24B2CC6908E51A9BCD5BBCFA92C02E61B08C" "A7E3AAAED73C450909C8B9BDB422CCAB0A86C5A5C3C10A634B1" "7332")); test_xof (&nettle_shake256, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("47929C7D0C4DB7F9EBAEF5EA93BBC7B255C8E249EDF893257C7" "AEB996CC8EEAB1A6CA4520F4D4257144CD5A9A850A372BD00DC" "CA339C4781479E976B7508688DC63783CA9EC7A9FB8196721C8" "C24AFF5BF9385453E9B85A1F7FC75A029E09D45910DC24F1304" "D1E51EC702E79DC731B6120596BF3DF30DC0F756834AC0BB94F" "99243EAC8910015D10DC618252A77D8B900C4141CFF2461C408" "C19B978D1B58E690815C0C07B901137A45F045ABBD85428ACF5" "1410135EB27128EC6725062665D1E6A6B8EBAD3B81D36770B0C" "D14303B9264D25DFEE14B27798E22B46A77ADF456FDAFEB6D59" "7F7E3152AAD40E29AB7E7808A4E46F43E18856518CE6D716062" "029024AFE0EF0A7F3783F755977F8B10EEC658AABC20B2EE0E8" "D3ADE73E2A7E78E4CEC3C09ADA3089247C678238580891ADA46" "0D60DA297A4EB7DDBA67D117E21E7461BCE7CFC7573352696B4" "643D6D9C9EC97EB431F6159AC438479BC6547BA04552748171F" "4AEAAA2EF0DD7ECCB4ABDB2E07AB536F0183516B1DCBF0E12FD" "134F9AD85B854AFDCCE14C1C52D0BF1EE1E52A12FDD63632D9D" "F1B78E7899B03527DA8597124AE3C8797E6832138508AB89069" "BF692A9E5D102CA20807A4BD5033D7BF7C918998D3D52B240B8" "449D12B402EE7F50B211F597F1BD39B69A4DFF9A0E6DBE347AC" "1137B3631DD15F97217A5BFE2C6579BC3C44F8789DED23EFEC5" "1A64")); test_xof (&nettle_shake256, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("401A2897FCA682A6949D88F939ECF943140ECA42F90D86D2DC3" "01EFEA2DBD4C03998D686DCEC124334F0C5BA7674F25CDBF36F" "B9480E8DB2111BA4E78221D1855893A526F97535936AAC3D88D" "8908786BF5A9334EEE1A4D9B346A95573993DB7C9C7A75CE692" "DF5118963083B778865396501845E12E4DDDE82035B03A6C436" "97CDB2B1C5C4EB24D0D484ACB105549290B9FCD5C8B4EE31D4E" "B542A2C9637D8E34687B18AB2DCF92A826877F9F1766ECBC43E" "3879E481C4B6AD994586F110818A20B6F93C8CED8C1FBC0B545" "72714EF722E83046A93CE23D118E494969D5BD1A9E9C744C5A5" "6D193D2BC7054A4A0BB22987AA2CA672E69C2B733C860F292C4" "F218557B7B921C4367B611E1D7FE30CF454EEBF09990C5ACD7B" "43A174A92E0B8D8180DFD409261274FF09F55013A7F58242D29" "330426BD4D8EF8365E4DE86469C436FC0FDC3B858EEE3E29C2E" "D6F650266A7B34D2A0E5ED438E60891DF92FE6B950D95BB99F9" "0344FC5EF5B210692059E9F859A476A3AFF4BB478F5DDA80629" "E236AFD3742E35F46046BDF1522590562C8337C39FD38B8F57C" "EDD49198F8242D951330FC4D0BDF5413345BB7315EEB67E4B1D" "561D185FADF23C0979B036D885391643D7514B3FABCD16382CC" "C49E6B7C0707B90AC0F86176DCF9D7F1DCD270374D2AB8E1E9F" "AFB7DEC0F952FBD4456C9E7FCDA80CF0A46CE98AF6E9B588A37" "0741")); test_xof (&nettle_shake256, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("8E756B09EE1679DFB957AEBC5B55CCCA4414AEAD58229106040" "A1A58F4768D241A0869A3A7D682DD937FB13352F635EC3D5783" "8469BA6AB93A9DC86EF3598F53E044FEA98301971A2182A1725" "C32BF5529FCE04665C9F2C1275D484543E038E964D855E1D919" "83EA34F7D66E19E27B6F59B23E9690C291432793167A5E8A9B4" "4AEB9ECBAA500E2616AC32AF6B6ACFB6C2B4A485BE4FE5072BD" "1F0E08AE343BF0C5CB241111F894BFD4BE6A26DBC7ED352D717" "44BD9A4D51F149AC4EA5AD323B063D93E56AE12B81D88EB0830" "24D3D164C0FD7B4BCE8A800F69CB7C66594D7AB20818DC79F01" "853FEE81B345210CDF2964C3A25A0934ECE6B13029B5FDC3B78" "0CD85A46E54495328F0BAA63078B3948172443B57D8571A82C7" "17A4D93A6FD9ADA3A1EFC41F3697600D02FCB555EEF1D5162B3" "46D892EABC60251B048979F49E3855FD5A49520A60D099ED2F5" "A5C8764875A4EA242407856B5DC393BA1E71FD04C53181572AD" "90E0184934D7B65E0EA56A8521A284E6A5B98BC704AD92E658A" "8B4C64CF67157AC0673159B9E2A9EA9D94C6FB3E5BD963DFCAA" "D484CF06BE75E3F23A11287B82BC6618B6EDA760D29D1D8400C" "41EC3B42A24EC1E070BCE0EEC7DC6C6F19E2A6BA7FAAB72DD81" "F31814A18CE984C7AAE6D9CAAA800318418F56871C8CFD8778F" "AA7DAD3426849E10B041D6190EB445410F5F5E476068579FEDC" "5869")); test_xof (&nettle_shake256, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("8A5199B4A7E133E264A86202720655894D48CFF344A928CF834" "7F48379CEF347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA" "03B9EDB02B9635470AB9F1038985D55F9CA774572DD006470EA" "65145469609F9FA0831BF1FFD842DC24ACADE27BD9816E3B5BF" "2876CB112232A0EB4475F1DFF9F5C713D9FFD4CCB89AE5607FE" "35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B6096E2B3" "FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F3" "9F99B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB" "5663727AAC34A401247FBAA7499E7D5EE5B69D31025E63D04C3" "5C798BCA1262D5673A9CF0930B5AD89BD485599DC184528DA47" "90F088EBD170B635D9581632D2FF90DB79665CED430089AF13C" "9F21F6D443A818064F17AEC9E9C5457001FA8DC6AFBADBE3138" "F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F189B5" "34E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73" "FB1775B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA" "77114A16C15355B42877A1DB2A7DF0E155AE1D8670ABCEC3450" "F4E2EEC9838F895423EF63D261138BAAF5D9F104CB5A957AEA0" "6C0B9B8C78B0D441796DC0350DDEABB78A33B6F1F9E68EDE3D1" "805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9096F2EDB2" "21DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39" "73D4")); } nettle-4.0/testsuite/siv-cmac-test.c0000644000000000000000000002127715141166425014470 0ustar00/* siv-cmac-test.c Self-test and vectors for AES-SIV-CMAC mode ciphers Copyright (C) 2018 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "aes.h" #include "nettle-types.h" #include "siv-cmac.h" static const struct nettle_aead_message siv_cmac_aes128 = { "siv_cmac_aes128", sizeof(struct siv_cmac_aes128_ctx), SIV_CMAC_AES128_KEY_SIZE, SIV_DIGEST_SIZE, 0, /* No in-place operation. */ (nettle_set_key_func*) siv_cmac_aes128_set_key, (nettle_set_key_func*) siv_cmac_aes128_set_key, (nettle_encrypt_message_func*) siv_cmac_aes128_encrypt_message, (nettle_decrypt_message_func*) siv_cmac_aes128_decrypt_message, }; static const struct nettle_aead_message siv_cmac_aes256 = { "siv_cmac_aes256", sizeof(struct siv_cmac_aes256_ctx), SIV_CMAC_AES256_KEY_SIZE, SIV_DIGEST_SIZE, 0, /* No in-place operation. */ (nettle_set_key_func*) siv_cmac_aes256_set_key, (nettle_set_key_func*) siv_cmac_aes256_set_key, (nettle_encrypt_message_func*) siv_cmac_aes256_encrypt_message, (nettle_decrypt_message_func*) siv_cmac_aes256_decrypt_message, }; void test_main(void) { /* The following tests were checked for interoperability against libaes_siv */ /* * Example with small nonce, no AD and no plaintext */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("01"), SHEX(""), SHEX(""), SHEX("c696f84f df92aba3 c31c23d5 f2087513")); /* * Example with small nonce, no AD and plaintext */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("02"), SHEX(""), SHEX("00112233 44556677 8899aabb ccddeeff"), SHEX("5027b101 589747b8 865a9790 d3fd51d7" "1f259d40 5bfa260b 9ba1d60a a287fd0b")); /* * Example with length < 16 */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("02"), SHEX("10111213 14151617 18191a1b 1c1d1e1f" "20212223 24252627"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("7300cd9b 3f514a44 ed660db6 14157f59" "f0382e23 ae0e6e62 27a03dd3 2619")); /* * Example with length > 16 */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("020304"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("f1dba33d e5b3369e 883f67b6 fc823cee" "a4ffb87f dba97c89 44a62325 f133b4e0" "1ca55276 e2261c1a 1d1d4248 d1da30ba" "52b9c8d7 955d65c8 d2ce6eb7 e367d0")); /* * Example with single AAD, length > 16 */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("85825e22 e90cf2dd da2c548d c7c1b631" "0dcdaca0 cebf9dc6 cb90583f 5bf1506e" "02cd4883 2b00e4e5 98b2b22a 53e6199d" "4df0c166 6a35a043 3b250dc1 34d776")); /* * Example with single AAD, length < 16 */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("15f83882 14bdc94e 3ec4c7c3 69863746" "cd72d317 4b20a1e4 a0894fb7 cd78")); /* AES-SIV-CMAC-512 (AES-256) from dchest/siv repo */ test_aead_message(&siv_cmac_aes256, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "6f6e6d6c 6b6a6968 67666564 63626160" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff" "00010203 04050607 08090a0b 0c0d0e0f"), SHEX("02"), SHEX("10111213 14151617 18191a1b 1c1d1e1f" "20212223 24252627"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("6f740b42 1e2972d8 5e76189e 99842843" "ad9e6ff1 4ea97c32 ab315e67 464c")); /* AES-SIV-CMAC-512 (AES-256) */ test_aead_message(&siv_cmac_aes256, SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d" "2d568e91 a38e5414 8abdc0b6 e86caf87" "695c0a8a df4c5f8e b2c6c8b1 36529864" "f3b84b3a e8e3676c e760c461 f3a13e83"), SHEX("02"), SHEX("10111213 14151617 18191a1b 1c1d1e1f" "20212223 24252627"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("c3366ef8 92911eac 3d17f29a 37d4ebad" "ddc1219e bbde06d1 ee893e55 a39f")); /* * Example with length > 16 */ test_aead_message(&siv_cmac_aes256, SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d" "2d568e91 a38e5414 8abdc0b6 e86caf87" "695c0a8a df4c5f8e b2c6c8b1 36529864" "f3b84b3a e8e3676c e760c461 f3a13e83"), SHEX("02"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("bbe4751a 549d2fce 410c2efd e0df4d13" "1a6eac0d 030028f8 dc16b6c4 3a557d4e" "3e846ad7 52c5a030 c75a85ff 8b07ff10" "71b133f5 edac3c60 8bb6eb13 dd1fd9")); /* * Example with single AAD, length > 16 */ test_aead_message(&siv_cmac_aes256, SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d" "2d568e91 a38e5414 8abdc0b6 e86caf87" "695c0a8a df4c5f8e b2c6c8b1 36529864" "f3b84b3a e8e3676c e760c461 f3a13e83"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("5a979b0d a58fde80 51621ae6 bf96feda" "50933da8 047bc306 fabaf0c3 d9fa8471" "c70a7def 39a2f91d 68a2021c 99ac7e2a" "24535a13 4ba23ec1 5787cebe 5c53cc")); /* The following tests were checked for interoperability against miscreant.js */ /* * Example from miscreant.js with no AD * https://github.com/miscreant/miscreant.js/blob/master/vectors/aes_siv_aead.tjson */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("10111213 1415161718191a1b1 c1d1e1f2" "02122232 4252627"), SHEX(""), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("4b3d0f15 ae9ffa9e 65b94942 1582ef70" "e410910d 6446c775 9ebff9b5 385a")); /* * Example from miscreant.js with AD */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("85825e22 e90cf2dd da2c548d c7c1b631" "0dcdaca0 cebf9dc6 cb90583f 5bf1506e" "02cd4883 2b00e4e5 98b2b22a 53e6199d" "4df0c166 6a35a043 3b250dc1 34d776")); } nettle-4.0/testsuite/siv-gcm-test.c0000644000000000000000000005453015141166425014331 0ustar00/* siv-gcm-test.c Self-test and vectors for AES-GCM-SIV mode ciphers Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* The test vectors have been collected from the following standards: * RFC8452 */ #include "testutils.h" #include "ghash-internal.h" #include "block-internal.h" #include "aes.h" #include "siv-gcm.h" static const struct nettle_aead_message siv_gcm_aes128 = { "siv_gcm_aes128", sizeof(struct aes128_ctx), AES128_KEY_SIZE, SIV_GCM_DIGEST_SIZE, 1, /* Supports in-place operation. */ (nettle_set_key_func*) aes128_set_encrypt_key, (nettle_set_key_func*) aes128_set_encrypt_key, (nettle_encrypt_message_func*) siv_gcm_aes128_encrypt_message, (nettle_decrypt_message_func*) siv_gcm_aes128_decrypt_message, }; static const struct nettle_aead_message siv_gcm_aes256 = { "siv_gcm_aes256", sizeof(struct aes256_ctx), AES256_KEY_SIZE, SIV_GCM_DIGEST_SIZE, 1, /* Supports in-place operation. */ (nettle_set_key_func*) aes256_set_encrypt_key, (nettle_set_key_func*) aes256_set_encrypt_key, (nettle_encrypt_message_func*) siv_gcm_aes256_encrypt_message, (nettle_decrypt_message_func*) siv_gcm_aes256_decrypt_message, }; static void test_polyval_internal (const struct tstring *key, const struct tstring *message, const struct tstring *digest) { ASSERT (key->length == GCM_BLOCK_SIZE); ASSERT (message->length % GCM_BLOCK_SIZE == 0); ASSERT (digest->length == GCM_BLOCK_SIZE); struct gcm_key gcm_key; union nettle_block16 state; memcpy (state.b, key->data, GCM_BLOCK_SIZE); _siv_ghash_set_key (&gcm_key, &state); block16_zero (&state); _siv_ghash_update (&gcm_key, &state, message->length / GCM_BLOCK_SIZE, message->data); block16_bswap (&state, &state); if (!MEMEQ(GCM_BLOCK_SIZE, state.b, digest->data)) { fprintf (stderr, "POLYVAL failed\n"); fprintf (stderr, "Key: "); tstring_print_hex (key); fprintf (stderr, "\nMessage: "); tstring_print_hex (message); fprintf (stderr, "\nOutput: "); print_hex (GCM_BLOCK_SIZE, state.b); fprintf (stderr, "\nExpected:"); tstring_print_hex (digest); fprintf (stderr, "\n"); FAIL(); } } void test_main(void) { /* RFC8452, Appendix A. */ test_polyval_internal (SHEX("25629347589242761d31f826ba4b757b"), SHEX("4f4f95668c83dfb6401762bb2d01a262" "d1a24ddd2721d006bbe45f20d3c9f362"), SHEX("f7a3b47b846119fae5b7866cf5e5b77e")); /* RFC8452, Appendix C.1. */ test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX(""), SHEX("dc20e2d83f25705bb49e439eca56de25")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("0100000000000000"), SHEX("b5d839330ac7b786578782fff6013b81" "5b287c22493a364c")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("010000000000000000000000"), SHEX("7323ea61d05932260047d942a4978db3" "57391a0bc4fdec8b0d106639")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000"), SHEX("743f7c8077ab25f8624e2e948579cf77" "303aaf90f6fe21199c6068577437a0c4")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000"), SHEX("84e07e62ba83a6585417245d7ec413a9" "fe427d6315c09b57ce45f2e3936a9445" "1a8e45dcd4578c667cd86847bf6155ff")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("3fd24ce1f5a67b75bf2351f181a475c7" "b800a5b4d3dcf70106b1eea82fa1d64d" "f42bf7226122fa92e17a40eeaac1201b" "5e6e311dbf395d35b0fe39c2714388f8")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("2433668f1058190f6d43e360f4f35cd8" "e475127cfca7028ea8ab5c20f7ab2af0" "2516a2bdcbc08d521be37ff28c152bba" "36697f25b4cd169c6590d1dd39566d3f" "8a263dd317aa88d56bdf3936dba75bb8")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("0200000000000000"), SHEX("1e6daba35669f4273b0a1a2560969cdf" "790d99759abd1508")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("020000000000000000000000"), SHEX("296c7889fd99f41917f4462008299c51" "02745aaa3a0c469fad9e075a")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000"), SHEX("e2b0c5da79a901c1745f700525cb335b" "8f8936ec039e4e4bb97ebd8c4457441f")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("620048ef3c1e73e57e02bb8562c416a3" "19e73e4caac8e96a1ecb2933145a1d71" "e6af6a7f87287da059a71684ed3498e1")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("50c8303ea93925d64090d07bd109dfd9" "515a5a33431019c17d93465999a8b005" "3201d723120a8562b838cdff25bf9d1e" "6a8cc3865f76897c2e4b245cf31c51f2")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000" "05000000000000000000000000000000"), SHEX("2f5c64059db55ee0fb847ed513003746" "aca4e61c711b5de2e7a77ffd02da42fe" "ec601910d3467bb8b36ebbaebce5fba3" "0d36c95f48a3e7980f0e7ac299332a80" "cdc46ae475563de037001ef84ae21744")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("010000000000000000000000"), SHEX("02000000"), SHEX("a8fe3e8707eb1f84fb28f8cb73de8e99" "e2f48a14")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "0200"), SHEX("03000000000000000000000000000000" "04000000"), SHEX("6bb0fecf5ded9b77f902c7d5da236a43" "91dd029724afc9805e976f451e6d87f6" "fe106514")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "02000000"), SHEX("03000000000000000000000000000000" "0400"), SHEX("44d0aaf6fb2f1f34add5e8064e83e12a" "2adabff9b2ef00fb47920cc72a0c0f13" "b9fd")); test_aead_message(&siv_gcm_aes128, SHEX("e66021d5eb8e4f4066d4adb9c33560e4"), SHEX("f46e44bb3da0015c94f70887"), SHEX(""), SHEX(""), SHEX("a4194b79071b01a87d65f706e3949578")); test_aead_message(&siv_gcm_aes128, SHEX("36864200e0eaf5284d884a0e77d31646"), SHEX("bae8e37fc83441b16034566b"), SHEX("46bb91c3c5"), SHEX("7a806c"), SHEX("af60eb711bd85bc1e4d3e0a462e074ee" "a428a8")); test_aead_message(&siv_gcm_aes128, SHEX("aedb64a6c590bc84d1a5e269e4b47801"), SHEX("afc0577e34699b9e671fdd4f"), SHEX("fc880c94a95198874296"), SHEX("bdc66f146545"), SHEX("bb93a3e34d3cd6a9c45545cfc11f03ad" "743dba20f966")); test_aead_message(&siv_gcm_aes128, SHEX("d5cc1fd161320b6920ce07787f86743b"), SHEX("275d1ab32f6d1f0434d8848c"), SHEX("046787f3ea22c127aaf195d1894728"), SHEX("1177441f195495860f"), SHEX("4f37281f7ad12949d01d02fd0cd174c8" "4fc5dae2f60f52fd2b")); test_aead_message(&siv_gcm_aes128, SHEX("b3fed1473c528b8426a582995929a149"), SHEX("9e9ad8780c8d63d0ab4149c0"), SHEX("c9882e5386fd9f92ec489c8fde2be2cf" "97e74e93"), SHEX("9f572c614b4745914474e7c7"), SHEX("f54673c5ddf710c745641c8bc1dc2f87" "1fb7561da1286e655e24b7b0")); test_aead_message(&siv_gcm_aes128, SHEX("2d4ed87da44102952ef94b02b805249b"), SHEX("ac80e6f61455bfac8308a2d4"), SHEX("2950a70d5a1db2316fd568378da107b5" "2b0da55210cc1c1b0a"), SHEX("0d8c8451178082355c9e940fea2f58"), SHEX("c9ff545e07b88a015f05b274540aa183" "b3449b9f39552de99dc214a1190b0b")); test_aead_message(&siv_gcm_aes128, SHEX("bde3b2f204d1e9f8b06bc47f9745b3d1"), SHEX("ae06556fb6aa7890bebc18fe"), SHEX("1860f762ebfbd08284e421702de0de18" "baa9c9596291b08466f37de21c7f"), SHEX("6b3db4da3d57aa94842b9803a96e07fb" "6de7"), SHEX("6298b296e24e8cc35dce0bed484b7f30" "d5803e377094f04709f64d7b985310a4" "db84")); test_aead_message(&siv_gcm_aes128, SHEX("f901cfe8a69615a93fdf7a98cad48179"), SHEX("6245709fb18853f68d833640"), SHEX("7576f7028ec6eb5ea7e298342a94d4b2" "02b370ef9768ec6561c4fe6b7e7296fa" "859c21"), SHEX("e42a3c02c25b64869e146d7b233987bd" "dfc240871d"), SHEX("391cc328d484a4f46406181bcd62efd9" "b3ee197d052d15506c84a9edd65e13e9" "d24a2a6e70")); /* RFC8452, Appendix C.2. */ test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX(""), SHEX("07f5f4169bbf55a8400cd47ea6fd400f")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("0100000000000000"), SHEX("c2ef328e5c71c83b843122130f7364b7" "61e0b97427e3df28")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("010000000000000000000000"), SHEX("9aab2aeb3faa0a34aea8e2b18ca50da9" "ae6559e48fd10f6e5c9ca17e")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000"), SHEX("85a01b63025ba19b7fd3ddfc033b3e76" "c9eac6fa700942702e90862383c6c366")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000"), SHEX("4a6a9db4c8c6549201b9edb53006cba8" "21ec9cf850948a7c86c68ac7539d027f" "e819e63abcd020b006a976397632eb5d")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("c00d121893a9fa603f48ccc1ca3c57ce" "7499245ea0046db16c53c7c66fe717e3" "9cf6c748837b61f6ee3adcee17534ed5" "790bc96880a99ba804bd12c0e6a22cc4")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("c2d5160a1f8683834910acdafc41fbb1" "632d4a353e8b905ec9a5499ac34f96c7" "e1049eb080883891a4db8caaa1f99dd0" "04d80487540735234e3744512c6f90ce" "112864c269fc0d9d88c61fa47e39aa08")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("0200000000000000"), SHEX("1de22967237a813291213f267e3b452f" "02d01ae33e4ec854")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("020000000000000000000000"), SHEX("163d6f9cc1b346cd453a2e4cc1a4a19a" "e800941ccdc57cc8413c277f")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000"), SHEX("c91545823cc24f17dbb0e9e807d5ec17" "b292d28ff61189e8e49f3875ef91aff7")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("07dad364bfc2b9da89116d7bef6daaaf" "6f255510aa654f920ac81b94e8bad365" "aea1bad12702e1965604374aab96dbbc")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("c67a1f0f567a5198aa1fcc8e3f213143" "36f7f51ca8b1af61feac35a86416fa47" "fbca3b5f749cdf564527f2314f42fe25" "03332742b228c647173616cfd44c54eb")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000" "05000000000000000000000000000000"), SHEX("67fd45e126bfb9a79930c43aad2d3696" "7d3f0e4d217c1e551f59727870beefc9" "8cb933a8fce9de887b1e40799988db1f" "c3f91880ed405b2dd298318858467c89" "5bde0285037c5de81e5b570a049b62a0")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("010000000000000000000000"), SHEX("02000000"), SHEX("22b3f4cd1835e517741dfddccfa07fa4" "661b74cf")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "0200"), SHEX("03000000000000000000000000000000" "04000000"), SHEX("43dd0163cdb48f9fe3212bf61b201976" "067f342bb879ad976d8242acc188ab59" "cabfe307")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "02000000"), SHEX("03000000000000000000000000000000" "0400"), SHEX("462401724b5ce6588d5a54aae5375513" "a075cfcdf5042112aa29685c912fc205" "6543")); test_aead_message(&siv_gcm_aes256, SHEX("e66021d5eb8e4f4066d4adb9c33560e4" "f46e44bb3da0015c94f7088736864200"), SHEX("e0eaf5284d884a0e77d31646"), SHEX(""), SHEX(""), SHEX("169fbb2fbf389a995f6390af22228a62")); test_aead_message(&siv_gcm_aes256, SHEX("bae8e37fc83441b16034566b7a806c46" "bb91c3c5aedb64a6c590bc84d1a5e269"), SHEX("e4b47801afc0577e34699b9e"), SHEX("4fbdc66f14"), SHEX("671fdd"), SHEX("0eaccb93da9bb81333aee0c785b240d3" "19719d")); test_aead_message(&siv_gcm_aes256, SHEX("6545fc880c94a95198874296d5cc1fd1" "61320b6920ce07787f86743b275d1ab3"), SHEX("2f6d1f0434d8848c1177441f"), SHEX("6787f3ea22c127aaf195"), SHEX("195495860f04"), SHEX("a254dad4f3f96b62b84dc40c84636a5e" "c12020ec8c2c")); test_aead_message(&siv_gcm_aes256, SHEX("d1894728b3fed1473c528b8426a58299" "5929a1499e9ad8780c8d63d0ab4149c0"), SHEX("9f572c614b4745914474e7c7"), SHEX("489c8fde2be2cf97e74e932d4ed87d"), SHEX("c9882e5386fd9f92ec"), SHEX("0df9e308678244c44bc0fd3dc6628dfe" "55ebb0b9fb2295c8c2")); test_aead_message(&siv_gcm_aes256, SHEX("a44102952ef94b02b805249bac80e6f6" "1455bfac8308a2d40d8c845117808235"), SHEX("5c9e940fea2f582950a70d5a"), SHEX("0da55210cc1c1b0abde3b2f204d1e9f8" "b06bc47f"), SHEX("1db2316fd568378da107b52b"), SHEX("8dbeb9f7255bf5769dd56692404099c2" "587f64979f21826706d497d5")); test_aead_message(&siv_gcm_aes256, SHEX("9745b3d1ae06556fb6aa7890bebc18fe" "6b3db4da3d57aa94842b9803a96e07fb"), SHEX("6de71860f762ebfbd08284e4"), SHEX("f37de21c7ff901cfe8a69615a93fdf7a" "98cad481796245709f"), SHEX("21702de0de18baa9c9596291b08466"), SHEX("793576dfa5c0f88729a7ed3c2f1bffb3" "080d28f6ebb5d3648ce97bd5ba67fd")); test_aead_message(&siv_gcm_aes256, SHEX("b18853f68d833640e42a3c02c25b6486" "9e146d7b233987bddfc240871d7576f7"), SHEX("028ec6eb5ea7e298342a94d4"), SHEX("9c2159058b1f0fe91433a5bdc20e214e" "ab7fecef4454a10ef0657df21ac7"), SHEX("b202b370ef9768ec6561c4fe6b7e7296" "fa85"), SHEX("857e16a64915a787637687db4a951963" "5cdd454fc2a154fea91f8363a39fec7d" "0a49")); test_aead_message(&siv_gcm_aes256, SHEX("3c535de192eaed3822a2fbbe2ca9dfc8" "8255e14a661b8aa82cc54236093bbc23"), SHEX("688089e55540db1872504e1c"), SHEX("734320ccc9d9bbbb19cb81b2af4ecbc3" "e72834321f7aa0f70b7282b4f33df23f" "167541"), SHEX("ced532ce4159b035277d4dfbb7db6296" "8b13cd4eec"), SHEX("626660c26ea6612fb17ad91e8e767639" "edd6c9faee9d6c7029675b89eaf4ba1d" "ed1a286594")); /* RFC8452, Appendix C.3. */ test_aead_message(&siv_gcm_aes256, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000" "4db923dc793ee6497c76dcc03a98e108"), SHEX("f3f80f2cf0cb2dd9c5984fcda908456c" "c537703b5ba70324a6793a7bf218d3ea" "ffffffff000000000000000000000000")); test_aead_message(&siv_gcm_aes256, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX(""), SHEX("eb3640277c7ffd1303c7a542d02d3e4c" "0000000000000000"), SHEX("18ce4f0b8cb4d0cac65fea8f79257b20" "888e53e72299e56dffffffff00000000" "0000000000000000")); } nettle-4.0/testsuite/slh-dsa-sha2-128f-tc7.msg0000644000000000000000000002466415141166425015717 0ustar000E485811C6F54218 91E965C5543BED8C D169FA52C4388CE1 A4558F8E130A6F59 606D0F027CE6365D 922E8C582E65C79C 3C75F51E98B9701E 4BD5F7FD52D5471E 41932B1BD82A02C7 87930C3456D7B69C 52E2635A28B0EC8B 89E72D7EADBEF09E 62E230E401197FA0 D01DCF8545F90578 53A5BB4374AA0071 782C3557CBD3E557 18512E5B500A410E 25D805292264B8BF 3EF951921508F091 3E80EF4227A479D5 47F1EAFDB94472A5 37D04B643B3FF267 6F5DFB45A82C4802 4FE79FC3B078DF71 3C406814CC271D3A 3EFABE5E0B3F79DE 449FBB0715B616B0 06B625D67EB0A0F6 2F57A4B41D36072A 6410FBBEDC4FB975 BE1E73506F0EC8E1 F5864BD352814A39 B99BADC5B437FCB7 F02B15DD970B3652 8A7858C9EA5991DC 1C59EB1AEEF7557A EE92CA13A143ED16 E75EAA01EAE53BE1 A139CBA8FB39CC83 AE4E09A24DE4159B 2C00C3D2ECD88B55 205402B6DD3F2B25 FB39FF0493827AB2 65B6EB2D990E6AEA 148841160B371AA0 3D5E2A76EB323A99 7BA2B0B7CE2A236D 16CE090778C9B44B CAEEE818D9A7C8AC F0CD2EB7EF90806F BD63F64E5934D8FD A11ABDD3E30B6E6C 1519076CA1F8FC72 F009ECA727C587D3 A1ED12E635CA65D1 5A8A11D519B9B6DD 75567C7664225CD0 492C18BF053387B2 F0D78C99E8E3C291 906B8EFEC9469F09 C8F1DAAF7777AB2E 86FBC9F85CF63CE9 88DA1CB9C27FCE50 05F3EE0F51E3CB13 2574B5421C108C0C 904F18B733C8857F 7BE0E29459C47D7E 34F7C003843B7D9F B2FCC0E175B7C96B 6E767D3FFD0347C6 F6724BCF837D10E5 552AFAE67CFA820E 8E15BA7A8E7BF2C6 AF65126AAAD2A92E DD3CFE064A0CB56D 774F5C677E78D080 E02812A6322502F5 7995DB38EB8735B2 92795E4C7B6236A1 BCEDA090706B5C8A 9DFDF1DF853BA73C 887A6981AD715A17 DFCDD3DA036E7ED2 0797E2DA618B6FE2 1789AA459F158065 5462BAFA353E389F C7021CDF4E731447 4391F405A1FC9E43 749EBFE6102119FC AD214E18B5C164FC 9D84D600CFE381D6 70BA67B9112E86A2 7A70BB993BD6239D 02EBC3CF4A8502AA 4B0533289E18B430 37FABD33BF1CE771 F0989DB86CAF02D0 AC74198313B9D12D EE26D6F89F773B17 2827483DA6CF121B 6ED7881CB2F1D121 FED2A0DA30DD5880 376303D138554879 B550A93DD100A34C 4E49606B390991F2 F80E4DE8F1F067D2 65193D4A1C6165CE 43C22644E4C92F4C BB91CA97B0BD9975 AE20339D248B3BDB 948E06004C5EDE19 E11029D37E3F122B AB72732CCCFB606B 1A89A9FA7B46DF6C 95A484F6F5DBBE2E BE96931128B4FE57 1AAEE304F7D08018 84FCDC0A8D9CB074 2151877D972DD98F 766BFD4C13E567F6 9336972BBB01BE1D 211B24CF6A359ABC E3A7F690AA928EB2 D99F05B6EEA233A9 CB46402758941C18 E2320F26E0B32E7C 21EBEE478F333CD4 5EF0BFD71AA14F31 41058298B1BCA8D1 EF86C4E766EDA299 761F573DD375AE4E DFF1E400650B9FA6 1A7513824DA49C78 29C1BD3E811BC643 F125E2B9476AA655 87D03D4D35D193AC C545032C3093BF59 D99EA77ACB361E1C 3F19D2F9B864EC1E A243160CFE7517D1 3C88759F38055CC3 1F9B1D338848999E DD3BC34DA3D0353A E43C328C57DEF4F6 D230C364D5FB5803 6675C9EE9ED05AD4 D06EEBF36CEA01FF EC4A9A9009C239E8 89BC04E21D690DC8 2E2F37A5CF22857F CC3B4F91C77EB3D7 13E0CDE2C487329E 1B99102350270F20 FFB2711FC215E0BA 2D5F173B6154829A E0550A2D890C7BA0 4EFABAAFDDB2DEE4 76B1E64919932D1D 0D57EF3F278199D5 49EDD62F0C86D1E5 FC8AB3EF32EE111D 9E3FBCFA2ACB88B6 8416B35AF2772B02 EAEC9EEECF7D2432 AB1014A14AB134C1 B2E2B7538383C2E7 DCA6AC31B97CF610 2CFDA166AFC3FF56 933F7DECB2655C31 476DD7E88857008C 534EB2CFD3B77229 FCC606A6E37C2E89 CB40AA830F15358F 7580E92BA6F2D732 A485E2DE4DCB963E C28D02E7F4D2B131 987DDB608AA41136 2C009A69F635B6FF AEFB7995ADC707A7 A03528214C629010 E9DF615DF1862E1D 1A8FA655723673EA AE4E4985E29B10FA DACDE6B9C22BC6D3 560DA06920654DF8 815C30BDC2E27487 EEEA4C1235E71D8A 4981C23F7EAF7A4B 4D6838E7BE62D5FB 617F6C0026597B9D 0D65693C76133C8F F45ECCF661AE78ED 5C57163D8082EC57 27C325727612E915 7723EEF69DD6A263 A6B869AABAFDBF87 F1E213106FF3C1FC 5B06131977E2475E 0987F3203669D070 678531417E475E3B DC9D55BD71F39C6B 4424606D4709E9D8 FAE8F218389C2446 A085030B5E0620BB 735A2260BB4247FB A02BBD5AB070F56A 9190479F03D296FF FD10FFB9EF3D9601 7E11DE3D737B6842 87F5EBCE9B2256A0 3EF248F5079FCC51 9895DB2384CEF18B FA587C0710345CDA 854F3ED0242E95D9 338488E0C8915AFB 18EE71D055ED91C6 C60FFC30FB8A24C6 D31186619AE54009 6631101695B79AF7 88789135FA2FEB0C B1D9B56537FB0B43 9A1D986388E273AA 246C0041F943A07C 74342B07CEBEE36B 740E440E90657566 730A5935330F2BB4 7F60F4DE9B601AF6 E745CAAD617F4EF3 52CC72B397F30A18 4B9BA2143988C23E E18D861CB23638E7 C2DC019A7DC00215 1E93BDF64E0D4106 7CA715D448DDD2E9 E0476E63946C8710 C2C0C0D9F986BF60 6FEAF10B71A28650 F11B893947FBA883 B5FB213D2172FF10 9F2F98D45D332105 E05CCFF06087E502 848FD6947D263F5B 951E0C1B8CA0BD3F DA519356A40AE0C7 AF066086563DA1C2 17ADDDDEB1DA6232 853DDF3DFAD10B41 E3252D0149FCB062 6E876EDF58C59974 5C07ED97E1A16508 53DD53556D4E4F1E E5B84CEFB1FDC904 45BF7F16E2B510D9 924C8C49F0F0FA30 15DFFF1301F521EE 9D5194689E2BC0E8 51DD88DBD17AE753 F1544A8E3DED6F7A 21EA1B72E51BE2CE 9A5191C909012DDD DAC936606A1C1B30 51E52FE4C4BB3F2F 1A9D6ACC099BB288 3EF3F7ECAB383820 390F4A7C1C8A188C B7240D97A421C192 3D3C02412167EC24 4653EA83A8D2555E 7DD305854E7C6B1D DF8B33F6BFF8DB28 769FBE0197B5F33E 9498F987A8F717EB 1ACC90804A3832FC 3D9AF715A681BC40 DB937ABFBE702B0D 534FBE8078A9B8D6 A0D9777C38B6BCF1 5F7C71C3C3468E53 18723160CEB8C592 49C93606299178AE 5DBA5C34D4D5B20C F34878830275D68A 55E712F1581591FC 0E4C52EBC3B03AD7 0073389AD1E43A2A 6489765FB4D3DE9B B4FAB66469792296 542D180FFF16956A A82D57E1108B840C 4B7B6B7BABE52927 5B5202581AE20557 54492555F086A6CF 042244DEFB3AEDB6 52D0466FD177DF7A 820996A6E69A8CED 0C521BFE41D7DD92 EA3CF28B5FAC30F2 F8E8F3A6CF11AA6F 47672CCE19910BF7 ADA48B2B2CE59F46 7716807BE727E1AF D7AF37F291399197 7E47E4E11D54A86B B8DAB2405C08A22F DA85DF61A829B72B 484A22C1FCC4D25F E5E734CE157ACB57 7729A49E5329F9FA 7133B66499777EB2 15F95BE9AB1F945D 79056A5503146391 E979D827DCCC25A4 33CEE190214B6550 3D37E2780BB5D04F 51806B78CE2DC953 C4D7AFFEC7BCEAF7 72679E7C6EE5DEE5 7E3882CC67276999 779FE3C6C4970BD1 4B5076FF31E389C0 04499F744E48EE35 473010D9FF14A33A D7E0E2507CEE4112 DCECC45D1A25168E 1282E10B61407A59 EF60B506A9E7BE0F AD912547729B42E5 5501B5C8A1DE95FD 37BAC1BD2351CBFC 2854EBBED4961391 B5663BAF224D49D3 3F045C2D3CA2AEDB 1E899DBD787475E9 404794BC6F81EAB1 2FF16A50B9B387D4 783A31993A0C44BC 105B40BE48438220 B6F563A922C10E71 9D973A805FBF365E 48E601FB942BDEA4 F1B67E7DF387496A 71C90FF011CFBB79 35C6C419B035738E D8334692ADF4EAC5 E67479DD3B443762 B0EBB6D24D0F928E 78AEEF7EF0C5186B 93B9C12BEAFA5527 9C5D00A35D332825 44B5DEC9A007489A 5F308C021B8622E6 18D71063697C178F B457D996A9F2BF04 B10B0413AB3142A4 1D2BA801890A7E76 F3A9951D38D93149 C88AFBE2AB65C508 32160C9AFC1590AE F4493D9BC5E01AB0 3A85FB6EFAF11BBE A601283BE036ED5A C66DE1A4BAB8FCEE 18900E5397D74AF1 C6DB1999C08B7514 BAC753F804A83E02 9CD57210D1E08B53 1FBBFA7006D585FA FA2CE41E388A2F39 7EB384450C1BAA12 0014281DD2451EAA FA5224F0C4F4C73E 0C5F14AFBB3F17C5 F24555EF8B85A543 ACBF64CD1492590F DC9F5E504F227ED4 A20FCBB15F56D164 E23CAF2B54FA4A58 A2731243C8694ED7 1173058DA3F902A2 71AAE9D5DD48B7BE 022D3762696B82E1 2C014A51C4EF7E8B E5A8F91615D49119 9F1997D7DB775AEC C5D73247F534800A 8A1B613513A1BB08 81C54D37347D9634 742C97EA750DFD8E 375DF380F7005032 E02E93AC09064637 030CE4D905914AB9 572A48456760391E C76A3C59D8BE1566 9E52C97F36EE5EBC 72FE4AAF2BC5F873 B7CC3E0C67EE85A9 AECA9A68C3B8354E BC109EFD05018596 36AF34EC0AE7E861 D2FF110E0CD1763C 50CE81BC84956CA6 EB55971426CA73C9 DB4BDDDD2BD5782F 861EFD305E21A353 24C5C878CB61E214 8D60C182176F80CF 2F7030B0259B0118 474C1D67A9FA06AD D7AE83A79AA3390B FB02782DEDC07CA4 85A72A65CE7B02A8 6C631B056CDE1706 8DAF43941406775A D5FE2B27436E7C63 518A45C101945D1A 4298AE12FD0F0A27 2ABC9C6923CE2ECB 682BF92B9645401A 751914770541C229 19666243D2E085CF 2AC16C8389F17C66 014A03C4BD7681A5 DB80F283DF35E896 40255BA03530166B EFB7A217EA1B9B67 9CF3ACEED8034F75 079773E84B7586CD D9579F2459195AAD 39DBC70DEC893D4E 683DF86502C1EEDF 4AB5B98FDE4F47B6 C48FA1286A03A594 59AFAFC6E3992AC1 275137932C4B5C7A 7F0928FFADB35DE9 A2AAA6174B64A0A0 D124B05F3C6DE972 B467433B38EA616B A6EC8C0AA477B80A 0EEC34CC0CDF296B 8C707D8DB602660C 14CC7666BE6BD5D7 77B2F774CF2C114F B16762A379FD3F2B CE01A60EC1D81D9D 605C37B5C66A7170 8FAECA4B0BF76C33 7E3F65D4A0C7694B 813CD02FDC658541 FD026B3C608F8E16 3B026AE249C1689E 31827347191B9FCC 9997455480AC72FA 91130C73969EB6F2 867FF03F9402E3C7 9151DC4E5F17550A 7502DB178215962B 42FFE52C88F9F00E D1D35E6F2615CE74 AFC76916D8B5F976 40946D86AD88C5E5 EE16556377928EFB 68B503598E969FE3 89889F47FA844197 625CBF16F458C3D5 2CEC05C5F857FD4E 0E649B194C5CD3FF AB62DF705EF1D2F4 DB4EBB74E19C5F04 CE50B661964A4568 F9FD39CC791DE51D D1A0B3545C9226E2 4E9C0F3EC0F64C47 311536327AA5A05F B63C0384D42090EB 8C7B6B2EE4901905 83300737A9FBA5FC 820DED0A0872993C CF98E47698A91255 D3B93965F3CF551E 1F3FA413E270F79A B39B2EE77663A5C5 E15EFD39AF394528 43E9A7A1965897B1 F5646EAD387A9BCD D193B0DDD2563F7A 5BCFBD8A804A838E EDDC8E7D3DC92E63 78003DB6DE00959F E97E8432C73205D1 67E46AC4BB10B232 1A4CAECD19844B55 C6770FD727A65FC5 94799B327D9EDA9B AAA702881FF4DA88 D8655D3DC62A1884 B001D0A2CDB0796A 6D89B996998A9878 8A74F83209FB5796 19DD87A111CC4F4E 1034BD15166410A3 DA0C84768BF46560 076E09167929B96D 17E607DD535476F1 00448BFEEA9FE693 8A725BC3696E7C20 BADBF587BD4F939B 33A7B5FCF89B1536 D0EEE40715203BFD F5C7660CC4ED15CC E3FF78698B46DFE4 4CA11F269CDC5BF0 7E20B17F3A5F2033 4480CD9D34DF3D53 CE52D8548B945781 6D1F673654807DC3 659AEC0140E41FBB 5304FDE2C74D04B4 D774A71AA0C08B6A 22F2635A1B743842 6395EB389314C775 6D781417FE7A73D1 7983AB8CC3E15950 D27F1608598C3468 1BFC5C3A1F7D3782 006AFCF9105EEA39 FABDE750DD543EC0 D00AB6CB97C8DF6A 722575E9B36D8E61 D488E102A1295A89 4BAED039F6A78D91 E510A8AEDE0C0AE2 6C9E236BE736E7CB F6DEF76AE524D179 B895D7A2AA4C0895 905C1F9B39853FCC F2C72673A3131E23 507B85FF3D1EEE04 ABE2341ED8FDA992 11C67E055938477C DD3588D4287C5BEC B3B09F54DF195C0E 6279D380021C017B 9B4EF0FE00D1D4F0 CF6519992D517D7F 62363BD97944E101 C47ED72D2817E1F6 CEB525A5FCBD23EE 8A1899C01B218D3A A7FB97E413CF31C0 F4ECBC23C05E0969 2534BABA8B247AFA 1B4EA9AA05D6ED81 A2978C3180072B89 70B0CA77B83E3D33 C39E9609A22FD233 2C17EB3F59A271BF 637462FD92CC07BC 3D5DEA5D57A71207 8E024C779550F504 951EFD88C369E65B 0D221ECA45CB3610 162B5A983467512A A0AFA840FD7FE181 3FA8C9C9DC1EE797 F61FC5A9D2B2B636 434AF676D235AC5F E7DAA6AB00DD7AD3 CBF07DFC017A5A0C A12CCDE1C7390446 5AA91D7752AD72BC A4CB43362B89C4C4 008CE3D7F810DF60 C2492345F1512A2A 11D134C5A17A5FAE C8760DE1DA1C56C5 72BF32F16316178F 6EBEF2B15C3B32B1 AC1D53814F378332 7D47ED10A04D1FB4 FB7F812402D74864 5283FD25ACDDF6B5 87AD2FF9D05145F3 E434C8AC7A6A136B E39F8F52F1B95EDB 1723D2942B686746 F3687BB3B902538A D272DE61B25F8825 18288D1423E91E02 60E8FC24DB1765C3 967B0B038F2B9371 B3B23B0FBCBFC413 47AEAC912BFDC1FF 6B0BDF4D74063C0D 819A217773D0D3C4 B9B912E4E88A0D40 36702B1825E75EB7 F27FD362F04D2BC5 972499C9FFFA8472 C6D1788AB5B37E3F 6DD09A9FCCD4311A 642071F843999632 43C89867C97B10D0 10F7EC5702C2D863 7717FC877F6F8D30 8B62440FCB956AB2 287B4C8E17F6566A 571A0E5A04BD7DA9 303C8DAE4BBEAD90 56B05D20E567EB1F 52F014806B09A005 C548452DFFE4E0E9 832A77B7B4BDA33C FBB797B8FC1CB29D 470E3FE5A601D3A8 F3426BEFFBA848EE 685A3C9704332D92 D5BA813EB1944731 3741D547D24943BF C27CEAE14F79F77C F6494C444DE9DE1D 55112EEAC09524DE 23BB68F2243E38B4 9E8A81E35182A304 A442D4D6726BEC9F 33FA860AFEE24A43 5F3C64F37D9CBECA 20BFAF3A891218DB nettle-4.0/testsuite/slh-dsa-sha2-128f-tc7.sig0000644000000000000000000010673015141166425015706 0ustar008640FE92D4E79AED 24513955CDD0D30C 527688A9D878F6D0 C6E114CA62C47338 3C162FF7041E10BC 90B0240237BCB218 36C956D6AE569DF0 CD1871BCB19AB004 6F8457CA4F826F4D D21CD93D61A82400 3F94785B0A59F3AB DABC3A316EE77ABF 7551A6FDA8404ED9 577FD0D22A33221C B86D0C8932751472 9E9F335B4DEA015B 730D0680C8BA84A5 B5AAA2F0B839E061 E2853DB793CCD5E5 7CC74CE6448C8AE6 8CAB16C77710F223 379A9AC40EA41CB9 4C8733C9F13D237F 66D2C2A5FF15A5D4 3ADCD430081C4397 961C4F5739E143D7 6B0C2AA676556638 CCF856D25211356C 39A6700BB0F70F45 67BCAB9C6B001C55 569F8B20AC220EC8 71C05A18960BE76A 3E5B8F0834214C11 E3B25868132019E7 FD34CD0E8BF7B545 8229487A04A481A7 5324F8614CDB1601 10F6E204B327697A 358EECFAEE465B72 ED368F6891791D66 6D207B2EB4625D08 4126E5A876413764 3BF35EB5B61B735E 97A5B06CAD2E5D7E FAB9BC6AE66496AE 9EB526F755BABFF1 50E5721E528286B2 7A3C0DAB74B7A094 42A7CE71E71D368B FACC0F27427B38A4 5B9421CA86BF90A0 AE53F5028DF0485F B3654A1214CA0A2A 4BF89DF81B7CD3FC 0CC15DA65569334F 65E217A44E6831AD 9003BE9EB8D37A6B 250CFD19C638327D B1E28A2C18452073 5E926D3D61582186 5D5AE63C75C7ECD5 ED6FBA61087F6538 FD8FDC6E77FE71D1 85DDAC08C85649AF 258DC4EA4A3FF00B B5DDFE20C6AFDA1F 901948D359B1E74D DAC12BC604ED7F33 85DB8EDAB2350466 B72668657412D5E4 A3D76378DCBD6DE4 D811BB6342E8082E A26FD7C78A5F7486 9C66D5861F132F87 495690C6267DE456 F58D80421CA5D755 E00C9F11F3F03D52 4F7ABC27D5F1A4A1 56B77B7EDEF90AB2 B1706653EEEECAB9 8CEC87C2ACF71214 A0083D7777B4FE7F 3DFC283CB574A47C 4EF945C053D68181 DB0411059D1EC58A 0B67BFE3AE05E714 4102AEA00DBE3F61 E98BF5187DC511D7 DB14B0B3FA15CC57 F87CD8B82910ADED 794679FA3C787E0B DA8FB36B9B75F69A 650B55F9648DBC64 A918F5CAC3CF8189 85F1BCC51168964F 80BFD31D854CF3A5 ED96D03FF2AB666B 2B79034DE1153DE5 2CE835A5D2FAD5EE DAB78F9C5C99D730 4EF81C1BA3D3F485 5661EAE4AE8D24F7 2CA44A164A1B25CB 362444E7789C0144 D0A42D586EC76F40 2BC47A577661D5A4 C841388FDBFE6D1D D8F0635A7F58BDCC AED437846729CA5E 89CC715038EE5E55 3CFFA3D945639E73 685BF3A00AD69FF0 49CA8BDFB1DFD28E 1FBD3508137CDF74 475AEBBC60830ABA F1869B3DC50A8BD3 94F118A6160C2DEE 09B250FF042FEA36 44585EBAA7A259B2 014C4049D44DBBA7 09D9E1417FE38BE0 73810ADD66CFFE93 7E43808C497591B5 DCA3A0815843B96F 2893991B0B614B53 B7B5B2CC2B17309D F73F4626E76671B9 24FB1CDF2466CCE3 72E9489A9D120B5C 50BB35773470EEF2 FD4CA05DF9885F1D EAA42D60108C6C48 DD32509B6A57DC44 F1A37F8163CB3DF9 63BCA3120237C34D A7709F216F3BD438 C256FF909E493F6D 9B59D24218831978 4B15E408EB20F9C6 06847558C632572A 86CE8B8F019E244A 417F4F2E801BEC25 C5A71E53C5605AB4 DC686CD7C37D5FFE 55B20A5E3B6C7B4E 8436276D4C66DD60 CD696E0FCA795123 FC1DC27B92FBEDFB B8FD52D6410CC9B3 A8DF20B71EC60ED3 7DAD357B976F6CFD 00D5D4D4DDF74E16 AC7B25B4F51224B1 721FE53F9F103059 BA561EC542BCAFA1 1857FF53734DF626 878EB6F966AF5EC3 E8EC9B5E963BAA21 8E48752658B7784A E66E1A77FDD748D3 44CD5E3C59B986FA 3DAC5202BB4C8719 7F26719A49027023 8597C43DA775CE05 9A22C684DD4A64DA F32FBB51644C353B 7678D8A81BDBE6CD 160A8CC15AEA602B C58C81799A52B489 84F6B12ADB84CB7F 3025A76F2516F757 1B839FB4B514752D 3827E36045441C08 01BD587859B0BFB3 89105D25D5521563 BA5ABEA48BD515B1 2B34074223FBEACF E94AB264F96D5B24 8DBCE17984CAA449 AAFE4C69A3809A5A 70A486CEE10A40A8 C6664A61B51BEAC9 C51D4A533C99ACEE 542A99297D101166 39F453BCAA73D939 6E15E521F3CA942E 2254D4EE41350A78 F2D4ECE26B2B8BFA 2ED95508476359C1 DCD84D570CA88E42 188F37C2402ACB90 0D8654DDB1AD4EBC C805434249D46FA3 8609AC5BB15147BC 562F2AED6D989242 66C14064C07978A4 35DCD85570E8E6F2 ED9284AF63D071CA F77D4BD2A44B8330 C8FA859508711D8C 814669822BCD6271 799BA8C47793BE48 343CC8CB9DC13728 CEB9A0F0F76A4BB8 D0DBD91115BA1C7C BA7FC303347DB5C7 802201D6B4A837DE A71505539D69AE1D 9F663B1ADAC79A07 21800F32D2587A54 4C61D679E740785F 47179688220D7CBE D462418CC254E498 BC2012D2A68A9041 B670CC8BABBEFAC7 85C63B4639E9D8BA 4F74D1FC64BFBE84 85786690AC499594 31C6E900B9E0680F 8C950FDDE96F6E60 8A440E1B1E14CD99 7BA7EABFA654E921 E3561F10A4A1C0C6 BF6238EEA3ECBBD5 41F49844CF07C1B7 A5E6AF1620500F72 5C76714C3A708F34 B51779A45E684BE8 E92E2EACF2DEC9D3 8B6C349AA15C120B 9A1490C0DA034F9E 6B3094EBC8A6A246 7C2D24C0843B2113 1D671AC6038FAF2E AACB4C1DC3AF8A62 D7A7923A52E2FA92 AB1C21594A9B3F6E EB4253084726AEF9 99EBB06EF8E5D053 DEEF0E69668E624A 249B7F714B822379 955CCBC8773C04FE 230B0E88FE3598F6 4DF291E280ECBDF3 2DD1F61F43876A98 400DF1C8FC6DFD43 CFD53AA8A9E3E0E9 E4F0F1BEAF3E3CA6 0B53CF528193C15E 3A97DD005EC2E16B 54C0F1ABDF85FE94 8EC64944695D12B3 7D1948AB1A2006F7 7DBFDB3030AA6FC4 92A56717F62E5C5A 119D779390D4226A 5DC9784A8B482108 6C7083C99B1DF1CE 3C3A98C6C8716D1C 55254603D6E6BDE9 6636EB347EB15871 A4987260D3FFA85E 9954F074039EEC01 6C194F442D8258A9 7E9E875A6623FF51 2177718812F810B0 832BD7C45C793740 2FD90F5E5DA8D40D 1A0D6CE2ED3707E9 70194ED1CC8BA92E E86792D498BD9332 E58758ED7CFD2524 CD3C57A6713A54AD 81C7AA008AD67582 7AEB627717CCC1BF 7AA5F7C0B94FF577 D39415FBA3918D42 CAF781BF40C352AE 486AAAA61791EC76 5B4897B7191EED99 16CCEAF7EB59F09D AC54D00238206A44 912CACF748D3D2B6 53F3FDBBE1D7757C 5638872F1224BC49 C689CD8C1F30A89B B544715FD8B77C01 A762FE20AB4254A4 DA9101E86C14B76B AEF7D776EF7901B9 BFE5F1FD6448E6BC DB772DE1703C6F1D 5B7D22D2F9B96074 E3680DC5996D8A19 F1D2EF6EA4C8CAFE B8D76EC0CEB8075D E001AF35209D3260 CE81F739455A9CE9 33310B3519775275 E2C30E94DEC8EBE8 4828C3D9EC88CE6A 6BA76184AD0B2348 DBF06C50A9142FD2 8037D851E7E51F33 067DEE3EE7CD8A3F E6738BAABCF21899 B1B54A6D88D2118B 4DCE566F18F4A61F 6F4FA0F201402AAD 71B2DD404BED7D40 3507EB2C917A04F0 86EB4B71E0DBECF9 DE6EAA462EECBECA 3CA102E8833FDD6C 7D97FBF5792231BD B14A01301A895AFE 72175EAE5E50763F 4B6C3BF6691247F4 866C4DBBE2F77C16 61BF5B880DB08968 C1CE6D5DD7CDBA7B 682EDC5299BE4934 DBDD5D27FD9D4760 DE5FAC21E3C8E7E4 5E4C90B068C3F996 CCDFF9AD5B2995FF 5D80B9B44664DCD1 C37C03CC79F28374 BE0ACA53FEFB21C5 9EB76C50A5457707 C2A8E9807049C470 AA6CAB3AA2218823 8C24C21D81414813 07298B6F559E4992 C0F0B9A407716E04 D33A95FEAB04AAD4 599E70FD23E8FC87 59FD28062D8B8A7C 427962D92E5413E6 1E35CFC7BB55E5F4 51D88DADAD33150B 32E65D5A73C9AC69 90EFE584D2635284 50B9BEE689E87C42 42326FA744963FBC FC66E1B40763E426 BC72C25D4A18DB6A 3FB312C9D649476A 2A70B3E01DB8DFA5 01C39E150A040747 8F14B18BFEF92626 EC7BC2BC8C6CC8FE 3A7CFA6312287277 569C37C4D03FE6F7 F5895E7D6A96DE46 9BF12D9712882668 107F53BB7438F454 863916FB8D01662D E3ECF6E88EAEF9EC 7A2A1B37B7E2E225 FFB98188B2A33287 59F830FC65655BB1 19A086FFFE5EA323 DC603C43008603B0 9E88312AD0867E5D BD3D62A85A286538 9CBB40C4C321E4C9 363A6A05C0A66351 402C5E919D1F16C6 2BF06B57C38361AD 8BD74AFEF92DBB87 2704F9BD8FEF4D93 40F9001FFFE76A33 2EF6C08703D48771 48631FD2EB84EACF CC8A22A73A883133 371CC2328FC9C14F 7B6B8C396A13A752 79BDB33C3D5BD379 EFB5C93A990A8219 965EE7229C2B5879 13730F26E1532227 65FDDB094A4CEFEA 11D4C2EFB260736B 6EB809C3C35DD1F9 9B9E9E7593B1FF20 AFF832588D5963BA 64009E6BFFE7235F 12F54763EB7704D6 CAB240741B7C7AA5 1E6FD02D0148E28A 9330D432824C57D6 AFB1FEAEA0265FF0 DD1095E4F418735E ED97E3C398534706 81F88CCE59040724 9F84AE1B0F4DB6DF FBB40A9B611099B0 970562A32630FF0B B142A6182939F262 AF05C94F5D51F4D9 BD8003F00C3A5CEB C6F41F2B8C730C68 34AE8CC477890A44 88A57AD2CD66A6C7 5FFEFBA93A003D82 8F490228AB791367 4E4B84B9E919ED10 45FBA64C7098644F 6477E68F9C085B93 47C66E27F53FC32B 6084AE7C8729643D A8C022266CB1C0B0 DEE09639B86D45E0 00D86F2A1C17E932 C141C2B32D2D32B2 812E4C7FA0F99B56 701C469845B8447E EBC83C04257943C5 26CD4547093C40B1 96CDBADF17657AD3 E06680F8C02FB6CA 17F2305BE232814C C3B63F97A44F963F 2EF5A04C38996416 C49A9E0BC8785476 7FB61A2089142CD6 B585C73506735138 0DCF1B76C0E81903 D16BB65E0E2C8431 B9D916587D398AB6 292A52A5A598DCAF 4AA697786E926E26 5957E76526999891 AD36F04A194309B7 33F6FC4C3EE2CAF9 81F97160DE42C7C8 ABC4A4FC6DF86737 BEA529A5DEE3D8B9 10FD56F4FCCD2FEB F646429DF54CAA8C 88363D3C74DB6D1B 97CB045633FAE504 0422A6BC2FED7581 2BAB179498D4F3CE 491BDE0DFBD92A56 3E89C830C898774F 24E802D445FFF7A7 325DD94120794002 7E390DCCBFD6F1BD 03DBD9E13ADC1424 7A168F42E760F198 FBF475224CD609B2 04459964F5E57683 B50897278188C75A 2A2B7EE739E28F73 1A56B537271A3391 E078F6D08DDA8AF8 22C5A21189A5DEE0 4350B722F1B33126 ACD3942223D31035 26E7C103031C3E27 9D09352C1CCDADA1 771C59912D4419F6 82D34B5BA1E81964 C3F93F3C6DD1848F 28973779224F1C48 E86FB5C2E31138EA 39F621026FB7D0FE D6D96B6FF240CF53 B33A56409BEA3F95 0F26933BF8E8B667 0CDCFE19AE29EBC1 FBBBA18539B2D980 C7ADBA798C5271A3 8E5C6141C75DD0BD AC95BA864C267027 DC7F6CCADC7A5C28 2C4CE15335D5011F FE208CD18843D78C D7D63CDB58F2462D 2E8B1B1E7596376A 8872D7AC16092F84 15E6C033948AC7B3 9EDBADC5EE4FB8E7 63AA3ED9BDDB4451 E78DFC54F199FDCB 485FE2278339A246 95BE5080947BC6E7 A0E1865B3DBEBE72 D22315144DF71BA1 2039909E2792AE18 00E27817BE863A5D 467AC185220243D7 A6685840A723A144 CE20AD340B2DECCC D009941084ACE076 2F54B53375D2A5C2 EC427659C06507DE BD7B59E402FE50D1 1FAA96719CCCFBD1 9F3EDD2A1C948B30 397603EF2F8FAA30 7CF46DC191A5CE8A 068DD474CEBE4433 CFE77A62E8DF8293 7CA7F200139B042B EEAD45A113B22EB0 FC4151C2E3E4F286 602A8CB850AA90B9 E2328E6495559A7D AEB873FDDDC5A8B2 5C3C89576CF6CCF5 32E069A5630720F3 45473695C91338ED 7502BA6C73D3BC70 F24FA1CA10B3919A 1C5BEDC0D9998C66 45234C77D7FE3309 43F7521C882FA370 5E4B2297CCBD5420 488A6F5DFFCF99C5 A952C0B15E10BA66 6F75318D8F767D45 865D9778DEC1846B 3CD6A7AD3458364B C680E3EAFB1919BF BED8A5660BF2BF70 18F8226066748456 D0528586B62BF870 D78F4CE2A502E493 92D41A4A0FB3A93E 72C3F7D8A88A63C9 DEBA4630D3C8C907 B2DB70804C6AB523 D99239ADD3472BBE 72C98A96B1BB3242 B75EA9E4ACA3F178 B27E3939DEA24EC5 028BC250EE17EC88 2B22A7BCA45A27A2 1C14D183170E1EA2 99BECF1E5E2D2027 130C5C18813B95B6 DCC22A3C37EA3CA2 2F2C198F33883EF5 4D4A44A34C5F946D DFB54061BD854A7F 4AE56FBB638E9166 2A14E6ABE60EF33E 08BD5E20F1827026 53B677EA5E436638 B77118B99EF157C2 2DB8D1715C83F0F1 071A939C0396D883 52FB90F88FB2C4CE C97E26219F8BC23D 5CAE229CC6737996 1B4AFF2F5867871D CA491A1841C00C01 1F2D45358D12E34A F38D36ECFC2BDD73 E64C3F2367F8558F 178AE60A39572CC1 890784D45CED174F 81E7CB7CDC6B869C D7ADAB95F30B4165 D910A573DA37310A FCC683AA4E4C29B1 02D8D14B7A218D84 0ECDEB48B947F58E FE02992FBFF83CA5 0BD1F001390524FE 1062317AE2D1C1AE ECFF66FB5C06AC12 CCC9E0696CEAA9BB A61F6946F36D229D C18AE91DC30BB1F8 162CCCD3F30CA0DF 93ED20B9B2EEC827 2496C22CCDCB7150 2350C47831D0F143 AA9F4DABB678DC0D 746CDBC3CB5C3DB8 09E9DBEB91CEBD42 005BA51C3E9EF932 F6CA0C0A4964385A FEB1E61206E27091 5224E7D0A1C02A3C 82BE28C09CF9A3E3 27AE5C7922B2290A 15DC51C3DC7EC2F4 B8207D5112605167 A4F8B8498332098D 1E962384AF500F46 1658BC575C587945 AEF82E017D264739 BA8DFFEB8DD6C511 6DA8314F97B9655F BDC49CA0A9082EE7 B1347B44A377AFCD B4B1E7E9E77351F4 B3F54A22FC1E181A 493837655F6561C1 16A37BE1BB3E0DE4 980DE5741CE7A236 90E44264A7FDF277 344D5F99D0A2BB29 63A1D5A8481F1712 45BAEDF74BA92B60 90A48C7473921E7B 845D59A93C984E4A 4BF626D027CF3FF9 B5E902BD2B184520 9569714988C4CBEE 14BC26BB8B05314D B83BA9C3A1923CF0 A36A823C0AEF7C3C 066CF72D827A5EEF BA5B7BE614C72615 C8284E7184D6BA37 546675D482D0A8D1 7A14B8B98FD9B9E2 398CCAA0A865941C 678B4D579F023621 B750A44B54178D09 7BA87F464992E0DB 5B04F95D39D2AFEC A5F3B8F7BF6518B8 0517EFFFE8CE771C 993EBF3284C49774 57341F7A9DACBF3F 5C58965AD51DADAC 129E77F7B5DDCAFB 926C84DE37EBF585 F3D643BE862C7EAA D5FAD7A9BE656737 47D7C40BE9D875C7 E152CFA17BDBF582 CEB35CA2DAA235CF 130C5CCE0EB8EB3C 8CF33ACDCBEBEF27 263027747FD078C6 07A98844A84C1C05 4739AA2FDF533FA1 26E10257575F872E E1BBFD52B1EB70D1 7755F3B44C0061E9 31D51959395F9253 ACFE63DFA8AA8C09 981BD8A78114BC5B 481AF457CDD37B4A 8AFCA2CE5F46471B 0BED8227E2A59E71 F64C60DECB26D7DD 012EA8F84A15901E D6B6CE5C7967F90D 12EDD923535DDDFD 406D90B7127688C9 C735F22A0D67FFA5 D0D94C3065C45AA3 94E14BA83B673DA6 1B20DCF8DD302CD7 E2E8DC34AE7B6A20 B9B17EA8E3FF5B2C A544EF4D8D49C86C B0C081429CA099F3 C9F52112EC5E49FA F62C1E2B2DEA90BC 0668D5C57497C66C C41E5D2690ACDC2F 3197C7F250DD1933 41CEAC388599C2C8 C739EBD3F70B619D EE5A9F5928078208 E489191FCDBD0AA9 7A2918CD07FF8956 46B8F3D83F93EB16 7CD4A66F1C63BE0E 13D6B5F9CEF5D7F3 8A4B200B50B46907 32A03B0D8BF2DC6D 8B403BAAE95FE036 2BFCF4A3BC1723D4 3EF4E574A270712B 99E7FB7404443BF6 BD78286236920B28 DBC8FF3B5D6CBFEF 06161FF98D327105 B36C58D2D416A8E3 05E1BBF1C9478A22 82BE06D62195995E 3BC86A16234DD9D8 C5A1C879DE681DC4 0290DF526AD544A1 A1D00145309D421A 5774739FB8EBA18C E4266C018D57E331 4000B19179D2D9A4 888BEFF0C8345775 B7839AB0A8F6A92C 33B658E7A03C04E4 59518ABA55C02421 E5880AB889EC4D12 6082840CD7E1855D 38978699032436FE 4535B8E855A12FEB 02551F5F8FD5E2F5 BCD65BC5052BA5A1 4AB18FFCFBB3BD16 4F11C10982508D17 AB259C3EC4573B9F 93EA27DE3F772F9B CC8BB0C5F64DD8D0 77DD6FDEE0FDAB0C D16E9BAE5AF9ABBC 189FD53AF55C2681 9542A5CE22ECF3BD 769E6DA4EA6E0E16 0B0CA0AEB942967D E0F92C1598C9B9ED 9FAF7210FF715C50 85C2DD21AF912E77 0719BB8B31286A8A 03105FC1FB5AF17F 5CFF200849B445CB D36423F6C0B6B036 6DDCC47B81D94B04 7A710A4406491616 2BABE8573D3B7135 29E736BE3B9E6D4A 6C987F4440F58E57 2EA90BDA23F67E90 9ACC5D4BDD3FBBC6 41ABE08BFB47553C 9E5E2E501B5B5DAA A0E5524636E65D52 7419087D49760EC0 6E61D450E8C562A5 7BE8B0789D62B678 221886D5A116F538 9343DA584B4579EB D488AC17741B4BA4 D8D731C91D01EA65 D9C254437FA4694D EE95EBF5D7963155 BB775507026371A4 F6BBA27399312CF6 EEA17325ACFE392B C58EB6F04B220B0C AF58A5F2E923FBC3 3F3DE03DD3B9C1EB 1D78E9E4D397686D 6B77680BC2BF70FB 69D8E62A880A00D6 880B0C955B805F86 491F4BC7C4D33923 97A07150857A6D85 9B9316097155BE5F 2044CB1B8EAE97BD C81FE4285BE84160 F436C8768EBABF51 C4835515CE269D84 8E2BCAA6963C66B0 26229AA5CF5854D1 FD8CB7B5E5DDE718 9B88169DC082F07E 25CAAC7AF290E066 9FA4A95FE999552A C9B92311B902DD8C C3192B6B7148726A 1324FADC49C342F5 594DF3E743B98877 A0154B34F125A28F AFDB4516E6931359 963978BA3F5D9D32 55B7DDBDDE6898F8 175EA92FC450AE03 E527FB12FDB4E178 9D37DDA9135E70B3 B1E8EAFE44FDC6E6 704DCF1C43C048E9 02B33883E0477066 F5D5B1D9F77DE80C 94F05E60DEA0D153 DD69E38F5AF366D2 31390446A1400BCF FEDC42B54142ED54 B9DC011097FAC01A C0D4A2C76CF4B8D7 FD66129E78C188E6 2D3B15840B4F095A 6A7C06D6F033FA9D 2654DCAA4873AC74 B6C1E3EE2111D9D3 9095EC5C12A64CD6 5EAAB9D7B74A018C 012FEBE85F5F1B0F 734D2B43447E05ED 3E1577FE35D8AFE8 9C70A534E6F2D1A6 AC2C41ADE67ED473 8D77BE13C0C1AFE9 E1C783122AA649E7 F1C5A5EC11EF3BBB 9F01948C7E9607D0 A278438FBEF52450 44072E11FC6244C6 9E84B5FCCDDF5826 F6412B07AA489BA4 E24D3EBA4A3EDF24 6A11EC45773F8653 4BC8E282EFF063F4 DEF7D77F7002BB2A 24DD1ED5F86465A8 F6FA169D06E38C92 8D2978842F44FE20 37E225567881B781 31D40096C3BB05C4 DA6DFC18134D44BF B5BFF925FFB08201 64BDB946C55E9E42 293ABABDC77BBDB4 F86E324303C5774A 22EBE6EFB998D8BA 148F2899B589B745 DE3DD33FAE37802C 92A9D4D7F4FEFA0D 79521E9593F90A61 95432E43DD434B54 109E178D5FEC9E84 58FEFB1123825213 34AAFE212DDFA96B 5D1020E658DC6887 B64B8201F3CFBB92 126C563EBBBBE5BF 90AD56A9535F980D 40C9D065B4CE28E5 3E543D2303BB2A87 D2BFF24404E6852D BB4B2755653D6EDB 1D5FB315ECCD3572 0A6D61111109DACF 47A3C9D68837E14A 4F245374D8F72B04 2668415F110D3C07 8B8E24B4C8052364 535595C7905CD563 1DB5CE784316433B 010BBC0F7D54D53D 1B4542ED6B8A2C66 36A31D2C0BC680C2 87B902BB1B35FF14 6DE9AAD6429BA246 22CC535C45E58EBE 34DEEC255EB219A6 19E21A62C7922891 89FE6BA80B89797E B3486C679E1B5108 4AF998849DF9E692 EA6CDDB3D64CDB06 37A5DF5D4DBF7AB3 787621D0E78F19C6 0BED44B9058BC06F 22DAED5B789252C4 A6CF630074576228 81D20BA3914B162E 7C89D55F431B3E95 546F34A8964AD07B 96306697D6C877DA E29A854761201737 D903AB6533FA0F2A 9C03146228FE97A3 2DCFE1C607A0EBAC 5A059E7547AAEB84 D17191BAAEED7CEE F406F3A95527DCE7 65DEA77E6081A94B 377E74AA5FBDDE4B 9F91606CF7AB8D6D B67D5FA14E451848 125634AC0B8582EA 42FC03CF31E224AA B9D7D1472E000275 C0079A11D3E2AE6B 39E392CF857AADD0 4E4DDDEA5DEF646E A96ACAEC83B320D0 B273485EE7A20C03 051B26EBF1632F5A 98C19FFAADBCDE21 72477166FFEAE317 FEEC5EB853770F7C 251CA7B4BD953BFD 74765E7A8693982E DB6653C32B85D553 918008AB16EF59BC C74C3D7A23FA650D 7713B24D31A61179 73EF6E0E6EC55E92 CE981EB668F7FE3F D577CA3B46CCAD6D 94BD272A7F3A6491 7AB30738C263348C 5FE24E8C766138D7 D426AD2B390C1171 314F7FBA26F1503E 43342DDE11D1F83C AE10EEB9A2C609F9 D5B3130F7E8D1DA6 9BA531B6CDF53F53 C4FD28BC5698249F C5483C6A15429628 FB1F5BB3324EB9F2 E1D22F6F5B20FDE4 C8CA7E3D2931D514 7C17A5DAA0126ECC 1CC0EB7D6368DA7E 5840919DAEAB048E 160B9C19A7BAB56D 26CD168974729A98 F259BAF2977528FB 9A925264418A3542 D3D9B188F375A8BB F000620B7C572814 8735439F2681C995 D9E8E9A0D3116704 B3EFA661C176754D 828C4BB2D33FB640 BD24BCA64FFB7193 D2E214F7C1F152CF F4B06BAB728EBD4D DEE5CED2234F66DA 7E3F9588C70988D8 FEA88FA06219BC49 299C561AEFD46C9C 81293650EF77637E 09210171C00B72FF CA1D56C4CFA71F76 A022F42BD43B88B8 008FF636C5650849 2F8C5A7EBAB3F186 39614A1ADD31F225 B70A7FA48AAE1358 A4905F1DB3B6B08E 57C09CAE22FEB155 01BD62074AE50FB3 6231CF1911C95D37 8B0A127A8D7649D9 0D0B9DBFC6A3859F 2FF2F71B3EE5E6AC F32E55B3C3B139AB 84D3FD00A213260D B4B1E673F3CB5DCB 4C151D60BDDDFAE4 BBA312532C5058C3 6AF46A9833DAC552 636166921EFCD0F7 8F2040EFF91CDE9C 0FBDB1EC604D1FD9 1A411B92FDD9E1DD 84491A55A293E72C DC817F19CCBCE453 C1F19BB56F81475F 7C9931B1EC04AF17 64E87AAC38069462 51F3CF8DF68E901E BE2ABE271CB57199 D2CBF332F489375C 949F9DE6660F685C 023759132A50A6D0 B52D230B71C9091C F7A827BDE1F37BC0 7C7DBAA6327CDB00 53653C7031CBAF92 F0822A65345A9ED3 CE4F3A5F49C9E582 24B20913D0FBF3E6 E136FBBE77FFF24C 30C2844AC35C15B8 CA12CCBE887C3FB7 A29331047D1C6F68 19E33108D7F46D66 8DC318DC2375A45F 86C6E0BB4D622E9B 822ECEBB591B5137 A10299311150F08C 8964E797F2E9F0A9 024A4183F011A390 88FDCF95EC97CBD7 EF467BAAB483F194 6D272E93836F9381 10362279EDDB18FE 8BF30575E73F25C0 528E625DA5A990EC 01EC500377F93309 7D9885FA3C698CBD F138566280A35A6E FF27E902AA70D36F 9F342A2EF366B4C0 4CE2F19D42B10205 7AD5A0EEE936616A F3F62BFA6BAF44F1 B73F8824816573FD 80AAE346F6F41638 DD557AB3CC7540CE 3389A146AE380E09 60EBFEE6D9842C46 184789B11DE9E95E 30015C2B2D0D2D54 6A697D523D1AAD74 D8441E7FCFFC0FD5 2ED017B6E25863CC E034A58532E0D2FF B9993372295A4438 A0FB43265F1FC0A8 FA4B3C09C663DFFC A8C165F9D7E30BF4 EEB545143A0385BB 8A7DEC425EAFE8EB 129A280390F94BBF E6BBAEF59DAABD82 75F5BDE753A28965 AC7908DCFF547BCA 3CEF96AF385D0248 4ADE6903E359B1CF 531CCA5B4FA6AF13 D101E0DEBFB6130F D85E59A1392A62DB 04171A6A087A99F7 E2B8322944F5F0A4 54EE487B4C8520D9 F29D909411808C70 2978EC89E16E772B 53812276DBF7AC84 2837F109B09F3E74 D1534670EACDBE9D F75CE9DF81034402 A987E25A23EABCF3 CCFA5BED380CA2B9 53B31D003C6F6BF4 509D926F8A07B110 5D748D7371D73EC3 CFEBA8032F94B4D0 922D70ADF2938FD2 2F838D5A0899406F 012EA566AC4B6B34 1B00BB32DDF29719 7A790F376163AE3E BB74A0DDC88D5272 1F8F4EA76C5BB405 48056E1688884B47 4E427D99E158F5B7 441721DF6C734382 EBBAC41326D2393F 5B2D6B51C71FD1B3 0AF0DC0B06CE4767 5DFC30B0A2C6C213 2607EBF858D12ED7 B38D59C98A6A9963 A6FB77CCA77DE867 3EB251DBA18C1951 F7E419EF63267015 3E095C60150CE19F 479287150187CCC4 8D823F108CA3EE1A DA2BA5151F2429C3 3B2E5199DA409AFD 011A7C9D9F00B923 EB4EACA9DA67840A AC71C0370ED37C2C 6DB6789578647687 292AE72511AA4163 57F2B408669C86C3 E25D4417F4F520AB A7C97569AAEC3E19 B8E73A227D2B5041 4B6DDF34BA2E3A2D 3C209AEA8AEA8E5B 11FBC72A940E10C4 96298B149A3DBF36 70028DAECBC30D5F EDFF914187E1EB26 B6A9DA4D0B8507EC F62F6D7EFFB325D6 FBB6EEE1027672BF 0F07CC758CCA75DA C6514CE0F2BC1118 2BA82E5FD5FE20EE 48A7B02AC401856A 338C3362FA02F175 FB364B563102119F A5BD2F90108F9C4A 94308A7A84957289 8F7A5AFCC91C5D94 643E811ECB3A3901 3CD51C1B7027138B AE0A4ABCC1F9CC43 33019E41D3C5CC2C 1A76110EBA10CBAF 50905EE671E7D2AE 9625302ADF884CD1 9EAED972CBDEB91C 9229FBA502B159BF D24161C7F369C959 24CB13FA6CF0E619 5FD2B1EC4EBB11CA 63646831F19C15B3 6DC4FBB66CE8FFAE C3F4599B2CB41FD4 41761049D4B6DB62 3FF154AFE5FAFDAF 92A7C5A2A7C0B918 B85E47240036E864 9F3B7CC375195B06 D48B1FE4DDBAB09D 9739A988849ED976 BA358B0FBD5FAEE4 62C6E142F1FFE735 B27A3F61C7F48F96 43DD73E94AE5F5B5 BF8A7C491B25A697 E4C6174731CFC224 2591DC712D4B2FFE 6690AB9A516869AB 075FD7F5FB3ECBAA 3EBBC047ACA7B28C 8FE1FCE3C08313C4 451B4ADE50195EE2 D2A32F7F21434C19 9781DAA37EC3C7BD 26E9B477BE59B23D 008FA9CDC0AB4BCC 448BE2C148EFE961 BD699F59E2CFD512 210D67D817364013 293E5B50A4FB4B13 C466CA50F3308694 669452322406C85A 63F3CED288585724 9199BBD121878B32 1CB91358D2E996B6 ACF47CE73D7DB469 BFFA25C96C40B891 D56C202A3F32B44B F99E162BCB5F357E E6C4CA7998757631 FAB4627C7D1E3949 6BB92CF7AF520CC5 405A3F6793D44BEB 988BB172E2DFF596 3643EDFA3066F892 71E38BBCA45E714D 7374B242427E416E 507AA2CA12DF24BB F1E0ABF053EE3907 0563184B6C8CC189 059D3F7C08008EF5 8BCC7852139BD299 CFC5161D1D082432 FB4371D71FC42D0B A3A99763898E93C3 BE5A665A3AB1A214 D55A03B7495DCB7A 72D0CA29743C2402 CE64692BC26DE77B 8788CF7C5381B1BA A0FEB6BA9F7DDA14 F093722CC528A333 F24391CD529AB186 E9297EF46CC72371 09AC277ED19D2089 0CF26B92620FDB03 F2910D79BD20C2F7 A75FDF56EA8AF9BE 3B072314750F3857 1F2CD2293C1FA552 677688EC8764F7E6 55C709EC66F987E6 BC85EF60E18FB192 97291C2CE94265DD 676F9E782ED716E0 F5CCF3610728C8C0 BFF027E2354ACC8C 9E5B0F9337F51C32 043C231A3678D068 555ED4EE7A61BD8D B7A30252B5FBCCDF B2502FBDF3914686 5394D9E03C425FF0 8E31482F3BDD5391 E53F0C92F39B79C8 2CA65E44F424C3B9 5C290FD99E60B512 821ED0216CB71421 4928D02868CD6062 38093BD6404F1817 5B6BCA214AA6F22B 6E5690243B9F6A6C 2953C1BFA155EB8A 7722B6D368B5ABC3 2566904D102E3191 B9598243497EA415 D396F4A80CDD9C07 9C7DDF086A5E51A9 BEB86EF8E0993C21 159FD7D930F3E8C1 ABCAC43CFF7A9F33 018CB44180D3337F CDDE8E193DE2E57E 9E8BF39B216CD7F6 9E792BF36EFF7B29 9A5724206037CA82 06F72BBF80504EC0 197548AB63D1CFA8 905AC1625D3420B8 E476A84C886B509F F45160E2853C5F22 1FD71363C5D51D3E 6D1635FCA43B44F8 52135725DA8301B4 EADC9D0C2A8DB9AE 48D2D035BE918A14 B63A10157A04F062 BC970AE18BA87B7D F169B931D4786593 228AFE33C3B30443 05EB6AB8368B18AF 6B566862BB056A0A DAC46DAC4C274C40 132F25E7C6B1FF86 C193C943188422D9 62D2733455D59CA3 0F62C78C434E0C08 7BBDF15E1FB3F480 C9F9262B89DBCF81 47A69C00C20BB2C8 30A5516795744B2D 1BAE141D0FE2774C D4D949C65158A801 9C3EA060A6A3A384 CE40FEB5ACDB3A04 7F6CDF99DF3A289A B226AA9641014888 39598B7A01F81741 F28DA81565616F0C D557D696DAC69B81 91B12D3DD8BF4339 06ACF5B5FC6F73B4 19B6C0EA275F5581 F19514BEFC1BEE23 897699F9327CEF3A ACFAC0B10DC95E6B F1E7A6DE999CAE34 6AD98F94DBD0335C AE12BFB689266EB7 E1D51AEA724DF1B0 BDCA68812E97295E 67030ACFCE44C809 7F6E917BEE8A3954 544A547A03D89671 02324B85EC98570A 3E6CC743FD2E3CCD 0A220197B17A9CC0 79844DCB608D56EA CEE18F3C737FEB8F FA0DD99175A60109 C9E3B9A46276A59B 37E283116960404A 033781535AAE7330 08715EDC5D8ED191 4401F59BC3B7B25B 41255BC377B131DD BEA25F4C52ADAD0D 3BF7531475BD14FA 7A1461F5AFF64539 1E15481CBAE311F0 A7B8C12790097E20 61B2B7DCD293DFC1 BC8D25AE2C958824 ACBE3D704A1117AF F9A2EF26871B5A6F 07A3A01D587AD4B3 E188DD54052EF9D1 88E529E805BFE1AF 731FD6BE79E8B8FF 0EB20B34818DCFA1 D7DCD5AB0CB85834 9A05EED81EA1DFF4 603C4B1191E4D0C7 26C42A28A0BC87C1 8260EBE58E9D2A76 337B20B1F5CAA04D 532410698E1C2992 BB636C78BB8F6868 920A251BC125C45E 12B636FDB273CA4D 4A967700B6519CB7 70679F9B4BFCB313 E45E6B953F190B13 757728440E9B4F44 197A0EE52D6DE9DD 22D0B6499381624D D90455E5A1BF666E AB1D1DD535308C04 4A55EC5CF5559CBD F7C0B5A9216641FC A6A88A41CC5A27B2 FF6910BF96B7D9CE 557FA3D6E0340999 A03248A5B89970B8 ED64799C944B9CB5 50FB5FA281588F55 B04135830A977477 416FD0B8ECBEB3F1 FE97CBDAA968AF5A 6890091D0D2E8634 06DE200454BC2E65 686973D4E8235C8D 5627F9DD52F77A72 E348D925CFA87B99 147ED63DA9F3ECE3 2685924A8AFF6727 403C91EA7642E12D 25EBC1989DF905C5 C1A4913782A6C371 B3C44399F0C3D945 9EB0101344C3AFE0 C273CEE2A72D1661 615CC05DE82B08E8 DCDB0EC158D4A490 D7A874D3E9032707 39557DFDB50DC5BA 4FAF25460EC5948A 300FDCD7D5E12F55 619DFBB2F4E7F262 8D518F1501977120 7DFEC95A69FA6693 4D619A09E1E2FA69 3E924250C7F084C0 8F6F1559E8AF9B1E 4626BF5167216DF3 9508F61B906E8091 9D9ECFE142B2EBF1 2222E833E23ACB6A 9EC10EBA304A800F 5D2E3407A021F366 44EA0F6D99CB59CA 6B03037E0BAF80EA 1CEB4621FD1C62AA 4972CC0C9CA9C34E F1435062303D6F9B 73BA6DECB5FB01AB E01FC6930868BD1B 78DF7C97E713C418 B67A72260EF1E374 01E3546C5D8F3177 40BAEC4FCFA80753 4EEA8B40FC24CA26 E568B47309F3D1EB C4BB8928B3487B56 E08FBBD0415F2CD3 38D1A8ED1805112C 544DB3DBB5CDAA92 ACBC0A48683EFBB6 EABBE391FD569EA6 9D96C6458C4B4B7F 78770945A3B4E0D5 54A057BB7BACE329 B7D6D32C0F59FEE9 855F33C42317C522 29325310BAEB68BE E880C04DA44F23DF 531FF3F1353DF6BB 83F33C63C342CC2C 1AD7361300F1BBFD 1762A5D670F71E00 42DA535A71F28E28 A565A93C4CF9EB9A 770C3775414F2998 B3F70A2A55BB28E0 A00B9AF48280F314 3BAB7EAC368F135F B2E3922C2ED550C6 8CB4B21CB00F2410 887F24028DDD0B3F 2EDADE07C696C09E D51AFDD5363E6F41 CC38BD26B9F7265C EA6A868A7D403688 12647D69BBEC5366 BAFF9C41061C3835 9E06C102758DAFFA DABD750AD1EA7660 F8757A0AC943B51B 82968C0058139F55 4149B88AF763EA84 BABCC07375DDAA08 69BC0CE4A0B7E6D7 47830B6573CC76BC 47C55756223066CC 79286BFB1FB968DF 3DD64DAAC615C90E 06F7589FFEE6B7F6 5916ACF932C8CFA3 8F593913BBD25073 E4481E85D3A725C1 0F8D14F8894D5F09 3103C59CD5444DBD E3456A34172961E1 86D8869E2B14B0C5 D02281B5E19E8B79 1E5FA94B4A46898A 3256322680A233D4 9F535FE8BD7C22E3 D54D07BC0C60A4F4 E00AC7D3098F1FC6 C28C3F38381CA08A 123BA69C56C88BEA 8741B2328339582C 5B7BFC5DD0F5BE91 A2BD4A617F9A2902 C9EA189C81B7F30F ACB853F4F0F4B8B5 FD5FA8678429894B B7FFE4B9AB72F5D4 2AB54A55A851B50D EB2E59E0E22BF576 8D5304A9D14AD71F 1DD586AB77F7B369 C951270EF7FE4E2E FD63D90E8B4FBE75 072CD59EEE1D3DEB 38421C7B5AA51EF8 340B0890F6DFA36E ABCA4DAB67F899B8 CF1048BFCA1898EB EAEAB0889BBCDDCD 755C7603DF92B9B2 362175D05C1A754F 9B898F221EF77B4A 050A82406C37094F 08B72112BBBA4147 96B9EBFF8EBAC132 218D0E5E9D0893F0 55BDC2BEFB78538C CD4B54243DBA8990 DB958138F4771832 F48D72FDABED5956 7D43D5BFC83A70BF 3D7F81C4A9ADAF94 70E293B03CCFA921 990D8CC9E5C06C94 1C0D2E59B5CD83EF E94ADE51574687AC A5361D2EAAA0D5C0 4C8CE37BCF254EB1 B26B367874F62ED0 DA5C44255BFA6E86 5B7E22F15DD310C2 FCF3B64164C7A3CD 657C7732A349106D 6D95EA56041EA3B6 92CD3CCFCB5C7A8D 7F7104A1E7004881 BC934CDB1CA6198B 9ECC0793A2D0E914 5B06F13E86665CB6 65E3D1B20113CBCF 64D3885C9C950D87 8135815B5A532DEF 703EFB89B86463BC 61CA3D0194C4B702 E090DE447020A68D 04455C009161B362 CFC242DEB6D10FAC CE51EC124995BE65 92FAA229F5D3CD16 9E26557C43B42F0D 9EB6336954634CDA E106869A71202477 B5FF6EEB1D40D26A 21E221CF14D436BA 6F1B0373B390ED02 13CAD867C47370FC AFA95630265DBDF1 2815CCD0782D8CB3 933C8B3CCEDC6E88 B89E1BAA5606F9D1 D844DE90004335D6 EC69679CE33EF3D4 5D6EB9392C19BE20 4EE4F83015B5EC54 26B9B7805641DCE2 3E67CC9F5CF93183 E27BA722AF340111 A8656FCE18F6BAEF 2C145DF1B58EC111 884ED0C66AF94931 9E6192B085B97635 0B686812468E929E 8CD8E9346B99913C 803C19D100538427 2AE73E7B53C74B60 BBFE6A88603E4CFF 9B4A17576D3D3CFF 74CEC296F48658B4 46C0CCB0FB90A333 79C9E36A17D9997F 4B96FB6C8BAB01DF 2D4D2A5B837FA750 3B3694F4A06267F5 E94A0A4885A98666 BDCC75E03F8AA192 6203DF1190C4E3A5 8536902FCC8978E7 FF6B16D59F67F87E 5C9004C88C52D24F 0D2E5906D9522ED7 3652D289A44A0A4F 195D48955E815E04 4A83892CF2FD3E97 F0C82E86931EBF92 A1C6B71F115B271C 4F08CC9393626122 74A71350FC013AF6 F5987CFDBEDC9A04 E02FD0ABC9A2E6FD 4C98C008309DAA60 E26A9326D52DAA4C D3A496820D9ADE83 0A4FEF991D1DEA1C CBEA5E35931761E6 B47C47F07E051A14 A0FD6EA92750466A 1CACC8B28208528D 7EBCCE6B12289199 EB731D6F195D1021 860F664FFF5BE8A6 F06C78D825CD0607 7A6A0BC6B25516FC CA46013455C3C02B ADFA962B4EB7DFBD C06FE83C22BC0844 8A494441ED1EA70C 9D7D02A5DFCABAFB 7C18265E36CA2B77 9A628075199C37B7 43B84B9C8612A29C 3BA825E2CA20240F 6355F932BEE548D3 80F39BC8403318BC 5497F59DA3C4A01E F960BD1F9F8B6844 5E15449007C0C2DA B59BA33C56FD947F 7103EFD345FD6591 7711AD5C4CB4F85A 51689C7A19D85B89 ECB65BEA43127925 18CAD9BCC88BAAC9 228C8A5C869E1C29 2FA423D8A8CEBA95 76B8D86F1811F259 9798A61C97F3DC92 635A3228F1E27177 722E78C69B66F36F D0B92FC76D3EAE65 3A71F3D07B146A6B D8DBAE275BC0C158 0DCF99DDB8F5C01F 1C8C1835F8FBBD21 CE4DD700E1995DCA EA36E40C2066ED28 B70147B84E7F522B 87FC6D4DD5DC5580 3537739DC8ACAE49 B6BC345219D22054 9A72481E7A53A953 AA18D09A7044347B 8AA8DBACB8E00B4A C140D300FECB4E03 C687D0712FE6D18B B901E9B8454DCC35 8FA7A5A03B8DF924 C7B7479EFD344FB9 1BA5AEB2F434BFAF 20B3457D99CF2CE0 56966B23467EFE59 57C866F59B4231F9 435F960F6606EA33 BB2D91ADBA8EDC48 95526F0393DBA081 15234E70099E4D4F 6D391665797273F6 A0A596232D456460 D56569B370DB8BFD 064072F2E6EFC13D 489E5A2686283608 1EF820E920346BF3 D6AA03949C00851B CC142862F47979F9 0ADD5027CF4E8811 C35C9807A9EB276B 5E27A7A412D4D151 0281BCDE599815AF BF30DD68A26420F7 C84A0855450BDE2F 52B854BC9307EFC7 AF066B03B6C35417 9279E871F9AB8665 6409EB0A21AF6DF8 2549E68E726F3BA6 24945CA3F566758A 8628951423FC1A18 0E919065C3B03D66 1460A1FD0D39705A AE0273F820CFC91A 419E11F294A7B0DD AD0D33A189E63937 6E3548F470B01557 35D4E6D3B1B7C0F5 9CCB87B90AE6D4F0 F6CE1FCDF90F6D90 E387915863BA5E0A BBB90BAF109ECD79 E3FB594BA02DCA76 E18B54541E1C7541 B80AD39991664A99 9F23C844414F3BFD 7027F59AB82E2FB1 A591BD1AA6452287 96585CF93BA82209 1938B08F62820416 DD277B385C50A218 DF1836E88E7A5AA1 D9837EBB532F1444 1B94531D143CB116 0C76F60AF02FA9FC 716D7D9300ADDA11 27D26B49EF9E454F 18BF427A07C1283A 8EC769FE8DB744BC 8346ED3C3883BE25 4DC45499B4BA3CDB 2121A8BA3844BC70 098DFFADC8931C7F 958510B304F19698 6A88BD6E656D5081 3085564D2AA47532 BAC747C18FBE43F3 969EF67B23682290 6E0EE14D40031F33 1CC03587873C6712 B8F8E9A25F62AE8B 0E726335474AC011 2422015F496E8A80 0AB5FE385637A914 56077C3CDFD015FE B255054D62B61570 6F4D3F11AAB55C67 F74CB245850DB54D 9050789FF3A4DE8D FEBA52CB610D0E01 03F63785A5A75316 1B80D042BCC0C185 6BD05777E8180E53 BF6D0CD26681ACEC 83227433875063F1 1F2A9ED63A788979 EBF3252F1D32D5D6 FF348845AD646665 0D5FE3600FC8F1FE D8D6641DEC3A5456 E809A84D597EECD1 3B05E7A46994C7E4 030DACE88166ED59 5E290AFCA4ED37DE 0CFFAE24B9BE6AEB F846A25B23A9F7C3 F6DC8A4413B6B586 F459ECB8FF711FF8 B182EBF797824FBF D58172F39D2CF20E D3296598CE6DF6B8 74214D6251841274 80A4ADE2376A05FA 6A1DCFB29F948A66 65E42EF376284D9B F2F7B91CE8A70B49 E5FCFA1D4287285C 30ABE4907942DFBC B0FA80BEE784F0DC A0B55C0BC4BD0FC7 EB877D64223BA393 C6082B36B6C16A62 6F3B89C4349B6678 089D2F9EBBEAB09B D4C46BFFB4F6CDF9 D769298B57699384 A633714E1757739A B810A0744F7F93CD 4BB6D171DEC2FAFE FFD658887C185413 C7EE8B0921BECE83 6572049FAAEF868F 285297D4CD08805B A95BCAB87149C62D 69C7FFF3BA1BAAF2 0F4A9BF895ED46BB AF1DD4B097C597DA A224850C9AF75B95 60509DE312E84F8A 84AF376E7149B1CE ED0A2803084BD7E4 076F7630328AB282 9ED808296AE954DF 1898E69F2735C08E D158BF4F5B0C5789 F517B40637286FBA 62A25D6217A9C7B9 5EDF8B74ADF0403D 21569EA894DC2B01 E9E9A4E6AC8D4B68 A3D65F70A75C1F5A ADB75D04EDDA51DA 045F9047BE4F3EA2 9F86B3B81DE9E859 A650F85ED5BE62DF B973B4431790C322 8C9D8F600A41B725 0BF2E3984C6B706E 316928E99BECB319 2AA182C4A7C3ABB8 FEEDFE3A6101C960 4B742482BF0ADCC8 FC136D8802401A2E B981E6FB5BF1FD8F A169FDDD63CC21C3 B571636C69BD142C 5EE3E4B5BCAA88B6 C2B73A3474A91715 227925E9A7BC649B D94CDC757968DC9C 607BB91486946617 E3EDE0E463883CD9 65819D1DB5F38D44 4CD8A5F7B5F5F3AF C81A3806CEB6629F BCA9549F74E22193 A3E856EE4D1C9090 145699A8DE259987 6DE996F7A42AA56D E11CE830CE888E33 A115F6C7CD4FA2CE 5AA31AD09749A2EF 8B0A8F1F5BDF3E82 938CEB236A19DE2C A3647D7995B003FA 20BB6D9634075973 BA8B6DDD4A5FFB13 C792E6EB8843611A C544B8E011296EB9 E5FB1004B6899325 4FDFA6F92F81A7EC 7710938F445686F7 088FB41B3AEAFA86 5086EEA403451810 3F512EB3790B229A E33ED9B3C1AD706C 8DAAC2107EDC487D EF9F08036CF9E6A0 4555AADC7F8A493E 01E923E58C601762 88D0198622447E20 A8E14E6332937FD0 3ADDC940842AF577 A62371EAF62D5BDF CF7EC37296D96651 61F9567A74D46D05 CB50580E052E37EC C1C474BD716E9D7D 64F43B5DC6C5C2B6 4D30A8A8142F86B5 0A0B228BD55A880C B86A60B5D3A45B1D DF50D51ACE968DDF C926B0DE7F33C672 4534008D06F980F5 C68B08A63A768116 4D2A6334BDB0CE4B 2433AD747831A3B3 5C7961A813E61DEB C3588B404A17E4DD F8E3F3E67D1B01EC 7FDDFE5B319E8A8C A05BACD0B6A843A9 12F1CA95F9B47176 46C50865BDDB668C 743B412F3688C52E 8E3CBB92E683E768 B9042DFDE2E4B45A 39313B6F078424CF 030A785FD6C6B170 F17D0BED1DB95D99 B89BB914EF137ECF 025059B2963DC0C5 CF3CB55BBE32EC33 12950FD660C1F0FC 621F7D93B712032A 67C293F45D1C28E7 DB43D74A0FF64F62 B127A0DFCB4CCCBF 75F8B298E5AE5DEC A101AB7487E52A04 EFACF8F2263A8BBF AD20F50739A5A1C3 A0CFE7C053E1A4B2 DE26235198C968E7 4A151BEA66DAE65A 4339943067700F23 B28C4A5E01FCA39B 936632832315C5C2 A4368E31B8DC72BF 86B00D57826271B1 E59EA823DC611516 AA8C6E722C9508CA 00D84B09E55CA55E 92692964AF5E91D1 400C6295E69ACE18 70C4A0C6CF7C52E5 886AB7089A5C765B 7B7AABB26E71E1DE E32933C1830B4464 E4803519152FCEC9 93CB7A7C122A1E0A 8DE7CF3470DCFEF0 4F7A34327184B2E7 1A184AB099CB2F67 109C346191AAA007 4DBF918C58AEAD10 28229A236F793E41 7DAC163631785B5D 0CFEEB96BB7B1B37 11DC25CB050F8D8B 2CA1E54C9EE051BD B24864468370884C E3F9613543F609F6 ECE611C98B1C4129 D5F74E887717A830 291B027B7425FF92 D66D6CAD309B94F6 10B1DAE6F6F737AB 303641A8EB397B9B 65CF9306637A7F9F FF7419740698EC4B 846CA673DDB2E89E 694679870D8ACAAD E2C422F558047785 ADBB20B8FA76097B A9B0DCB6EAC3CE22 9AEFF90A4B35EA67 6F3CE96B7A9FDAE4 A7830E2680341275 9EE2919E6467F85C B5DA82D27DC93790 41E168119CEAD455 1A92106D745E0BA3 8CE5B9885463FFE8 80EB6866907BF67D EF9C9CE4F7F10339 24FE54D1A3952582 9C53BFDC14CE712A 0797D781CE0E94D7 D0B93CB4210EA989 418BD464D4D0DC3F AE3A27C9A8FABA77 0A886D1C7FE29A2F AB43091536742BCD 595E6C57C3504F73 558C8F53E849053D A6D5130EEA3FBD7F F8F265E7A46A0CA8 5684530499BADA18 6880F3382D6E284C BF1B5F540055D093 598335D46043F66E 5891420FED16982F 4C4C189706756492 3635F2A64BF61C54 F8B6267626FE7575 BDB479A5AB0A943A F2757531405D8C24 2D75EF487DA9C655 8E3EC12B0E59B230 1C7C3982C9671703 97A4325BB3F5AF62 0BCAE624A56F4976 2542AB28436C8A6C DB8882EE22C4C3B0 64F4F0259C770649 660E72AC6DB3892A 29C54CDB5E664404 DD3F38DF80AA532D 23154E0416BE9FFE 15098F8674473459 7C673B256BF337F8 C48C659ED1806271 7E13916E951FE60B 909148A1339803A0 89E9D061365064E6 8C6C135D235D3D0A D987E981BB835673 D9A51FFD23F26D1A 24C1202AF2F4A69A B3A19934C2A6D90E 631FB15242364372 99D45F68A3A47ADF 4CD5393A03293564 1B619CFB9F48AEB2 741680ACD79F7981 432DFDDDB99E1EDF 9E1F4C1BBB91D158 C0BBC4840E0A97D5 6DE41A7035A9771C 38FE62FC7B1E8EB8 F1C1CE230D14B4BD D284B18EDA473661 80BFF9D41FCEF815 FCDE19CEF373A3D5 0563CD087741CEE9 CC59DB2AC8F38107 96C792135E94C07A 3AA1A7F1EC8F7490 7FE1768CA82D196C 2D07BDE44DABE4A5 094D00E7C76A7E2E 8BBBC84C8372D12C E7C2B8B1287D76C1 8BD71B872347152B 7D217D06EC8282DC E59592D13A97751D 0708B3F78205EBA9 19278C2C17BFCF92 DB33231E49D4439D 60D4E3A9C9A77338 48D8253041CBFE02 4BA8578FDF71D645 0D7BBDAB8B63F237 0F272D20B74EA2F0 8363FCF1A015F1F5 5132E8159DD29415 85F5292346933A3B 82CD27E5C32AAC46 416145AF03E4400A F72F84E9B25E5A8D 0B6C62B4831DA48F 14795F8B57D7D628 8220B765EF459CFA F87AB658AF9B9EB5 02CEC64B0BAEE87E 8790E8069FA1979A 6B413763217B8E7F C3F52AD32635D439 3B2079E707F6259A 76BFC58E6F09C8BF 172E8125D3E7C338 A0D4E53C91570F94 FC97E05523518A28 1BA4893F4FE9CCB1 3A91568004D8E218 53943BF4F2601EE9 592B3D2997DB3348 F7E01BB47E220B7D 2C35841206020892 E3E0C0514CA1CBA9 BF29FCD0A52EDB2D 0535CB1E249236AE 116CF178FE7D91A2 FCC03861E8FCAADE 85018CB4A6380DFE AED2499E45C7381F 176C5352623133BF 40E03A77F3171C4D 76F160CDB87CED97 73DEC40B659B0389 29BB5C19A83B22F3 49C3FC2C92D53AA1 A3B8C85CE40275D7 F5FC57B685517E98 9C8AA545ED146A42 5BD55705A6253BFF F051D3A37D664D6A 4D1C3BBB7FE89589 088591960168DED8 2F6C8F95A7744A1A C2E3557F051597E9 81989308397C302E A52481710C3C470E 05B6608FA6CFF816 36418F4D6B297B12 73BF2D05912C3B44 41A04389E18338A0 B2AC8866279C26EF 456FD0B2B703EB08 EBF2C3E733EA4260 31747591CCB15B7D FEF67281AFA9EBC9 7C9675C37C0D5619 D94A46862083954A FD948680572E4B83 0FB3F2D6FC34FCF0 01944222B5DEF253 D8227F11EAD928D9 CCCA70296B170D4F 59677A2DEEBFC347 9DC04E44EE1EF2E3 3B8A9EBF755B76A7 44D584C5ABE64D62 C70B68C1C5EA283D 5784B3344C2C40EC E704F7EF05F355DF 20508A506659AA6D C007611C72C7A784 AA7ADC93BFD874E5 7AD80E2FF4E8C8DE 8710447CA1701067 0C5D75EC673695F5 CB2C14B7FE12C83C D9AD85CA0D8158FD 6ACDE123B2815FBA 194EC770491857B1 6DE9D21F8FAA7FE3 3F8A2313FCF8ECF8 93EBF1C90AF6E282 39DEBBD340E772FB D4E80BE76D6374E7 9D8FEF72EF5D8B9A DEF04A7843D2D5B5 4776C460272A7F4D 454AE93323B5D49D 428A7CBA9D1F5C2C 2D5292CF05A81347 E0D7B84D80F014F6 5F8C186A04480B52 4104690526D48E56 2274AA32B106A799 E47DB28A745E58F2 AE10DDAF3A384A8B 62A7CCD436C26D18 2242F8903A3FB514 6D86CFBF8C70BFA7 E1C9678A985930B6 CF467F71D792A396 1C76F2E335D73D86 D3C517583635E7BD CA89F0467892BC02 ADFE9E4F9ACE506A EF342ABE60E67452 6652C04939E18A28 2D97E6E20F5BDDAC 6683348205BF9C1C 157966419E079586 4E398F2794C8BE0E D656AEC28EBB1C0E C724EA12066C95BC 34B3BC815451153E B72EB5CD5038BFF2 3240C5D04465B0D7 BB3DBFD5532EBF1E 980BE0D61B4714BF 0A4E3ED0381CF185 8A99D70F85DD4585 72AA5A63A03BCE53 0F937BEA00A1274C B7BD333F39590646 693C99EA1FE0409E 77FAB130728BC060 A50843EC2FB03BE6 9A3095FF517C458B 544DF33A103FA23A CA992F039BA5B696 9EBA940567FAE110 A66BFD16A9246486 211A05F5EBBADCE6 44ADE368E337755A 953A455FBDE17C67 A37DA6B3D911BF04 4B9E7A68D842ABEC 1F49203ECA854AC5 C9BD2F04BC859C1A 2F6A41A72BCCFABC FB21474EEECE8960 57DFE60C0CC48F92 CC0FD910A5D07324 BC7F8BD9A732F449 5031B3F0271ED1AF 873D86260EE22785 2299D76563272A5C D5C91658AF2A5E39 5090550BAE4392BF 48325D362F6CE39E 93DF78C2C7E3E581 04D02DC4C7165226 E5043460C41463A6 07C627565AF9979E F3C3BE8E81D6611E 22C5E340BFC75C68 216FCB41A58914AA F537829790AFEFEB FBA5C1A229B47BC4 F8D1BA83BFF46BC7 4D6014B1C5F5FAAC BBDD37E2FDC20BAE F1C5C12B0E3E8AB1 6C7070D2D5271D4D 0B6802B6ADBE3D5F 17819C7A23D608FF 03047AEDC60DD8C2 9B9C7398B82A9358 856BAC6EF70999A8 22DD84A7DF48B783 C52CBEAE6DC69E64 607296DAD5AF9263 23FB659C04C29CAE 3B329F1D7572294F 5A28BB3D75484188 1628E0DFE3DB695C 3FC75461BD03E1E7 F041589272E23B80 E445E1F4F43A7143 E7C578057B39259D 28CB5C718246E63A E35D567DB73F2ACC 01986017E35BE549 4D4770AD98E143AA nettle-4.0/testsuite/slh-dsa-sha2-128s-tc162.msg0000644000000000000000000002766315141166425016100 0ustar00C0666252089B9E46 9F0EE398B8C1BD89 AEB63EBCB794BC68 DE8738A93804DF48 E8CF6CF936ABE1DD DB02178F0064F8E0 6EA827A79E6EE02C 5F98FDEA797948B7 9EE4FDB1A12C31D5 5EDD2B98C11C01DC 71B12381BC7D2CE6 800D2667813FBA07 9AD9AB01406A9192 2AE324CB54603A86 007F2A3481E3904A E53D1C33BF5BB982 A880F8FBA2015B9C E6A5644CC712239C 41E5C33AC2638893 D44E039C0677388F 2FECDD78FD7B6BC4 B9EC9709766598E8 D923ABF7EBE86F85 F9F6760EC514897E AEDBB160FBFDBFEC DDAE2331E981894B 5DC9B08FF5E66AE1 4CD876BD674973DC 1E808AFFB0F5B18A B3A1DE55CABB5E6F B3DE5739F1A7FF39 DA6256AC88728DBB 04EDED47F13C2AB4 02A237F5204543A2 85FE2FF50477C90C C87C3CDAAAB32CEA 96FE9A0E5EE36EE2 D35CB0BBB4C7B516 3D0060B45D23BA9F FB4C2A5F1FFE10B2 5DECBCD65C80A3E6 B38D18BE16C558F3 DB5BD9BA6689D652 D4F68F02C92170EC 1AC7800DBA917216 BBC73E34768F958A 4EF4818FEA2B7ADD F97768CE965EADF2 C18F4DAC50A7E75D EBC3E6E067D0C93D C526607614327C68 74D1B4A2EE5DDAA1 A8A60440CC5BB0AF 6B95C16794EEAFAD 19562C71005599C6 D01A08015652F2AC 2B7ACE177EE393F1 9760CCADF84C827C D20BF4E10A051B76 BD82235F4D470F37 42BAB4166A81B90D 3837761CCC5749F3 7A554966893567DF 90399837F0CC290D 7C98044140FCD11B 717E1671E4ACB056 BA142C76558CCF47 FCF4133C9D2A8C4F A85BC87CAD0308A6 CB9EF3597C63D3A4 7535627D1BD16945 14B14548A29DBA64 D893D5B851258C1C 914748BFD2E4F941 3CB6D9578F64E27E 1419A1392099ED14 5DC53D75A5105A4F 8DF1E2FD507D5FB6 EB65E28FB2182A15 097AC8AB74190D73 45983C329AE4A71E 468B6FB97AECF8DD C516532E0D32AC9A F7D75A4C2FA0DBFD AB5CEA485B24CC3F 93F0C25EB321ED64 C7F84B4F16B8D02F E1985666243B0F08 EA22DB6850BFD510 666AE6DE618E324E 3E7F883EA8C62086 C53B08303532A97A CE24EDE6702BE34F 36F416363F956AE9 C88C98CEB6DD2CD7 094B94340F0C057C A12673CC77FBDBD6 4D3E1CD59E29D259 6F173D3AAE4AA142 F064E14B02318E52 C9B45F11EED90105 C7471857201D3CEB 9796659D5FCE3001 3762A67901A21E66 963CF2DA1469F0D4 B59C09DF4BD8A596 DEE3EE2097248FBC 8F747ADEAEB7A2D1 266430C5B41ACE85 B7FCC2EE8BBF75B2 415530A37444CBC6 01A7F5E2EEA8D178 8A959FC18AE6EC0E 87626562EB906485 566886802F2C66C5 25BBACA02955E71D 5FAD7FEF45CB1BC8 D560D0DA0AF181AE 471F38D5C5312609 85E48CA6AFC16F57 3D70536C3EACA58E 3E4CB15636EBAAB2 615B6299AD248EB3 1ABE9BEA5A5A1587 B707C6B4A4E209AA B9E5FA54E441C720 CEE700C549265E03 25F84F48565E7439 A19697FE0C789A61 21ABC00B28B4AB6A 06F248CE93B61D4E 05D32D3E442B557A F1220890ABCE1316 B6937B677564D753 369373ACD8655CA9 2643CD208F50F49C 1236700007E1FE7A 9E2134EF604492D3 F3BC8F39C768B061 220F71AA49B138EA 83DCAB0837CB0FC5 CD3B1589C67FB998 ED16D2C73B7879BD 3EA7CB16A7CBB6B3 AAFB6F1ADC80EAC5 84CAB14126EF09EE 261975FF65E2E5F2 F68788219193907E 7C3B78CF6DE0B163 1637A9216A6F45C7 C95DAA374A33EF22 CBDCFA8EE400FD2D EC1CB06CB6D24BD1 51BF335404B0CFF1 156C228EC17C9A2D A82EA2B9B203234A 8CAED239605B34EB EB6CB4E46097516D 95AC91074B8ADBBE 5511C7EABE373D05 A494EC561E659EA7 746D199D3AF03F6F 1960F0EF08C8DE78 04F09EFE02A85905 09EFD59F076BCE86 9C99CF2903E0AFF4 10CA93173C47F579 34F3C1ECEB3A4144 961C7DE9E54F3AAD 782D36FD42126CC5 DD8A3943EDF02187 D9BAEF411846B3D3 97123B6FA68C7F4A 0E80085DCECE3323 35D9339F0ED856D2 8B23766499482D80 8A05CC7535A29F10 2A481C43C2ADAA4F 1E898A46C73ED864 887112459CA9922A C3CA0A791E52ACC0 20FADEE73DDE439E 69130D2B73F14B95 7EEAC8E263C00B08 2F5921054B14622C B5FE3812D4574E50 537506A8B1C184E5 D0568D807E62BE58 0DB23E8C2E96146F BBBFEDF8D71BEB0C 6B4644221818BA6D E6509C60841EEBA2 F60F2DBF63BA9798 981EC16C2F6A366C B6129F6A05B5683B 72A146C52FAC8E7D 2C1D630E87A21E0B B149D780542D0F2C 16CB0C139B18C059 1EB56181C548E270 9F159A3F974D37C3 253B82C50F86F0D4 230B0E111C2D92C6 5CFA5CBF65434633 0FE7074401323824 DC29402DDF1D547A 74C7C50B7CF157A6 599B72CF7214EC66 6962E36300659BE8 178A0274D4EC62CE CACED451AAAF95F2 4B08AA9D1B50AEDF 9D141A42EC1E4848 186FBB11E3A2AE03 398D1F21F38A7A83 A4CF8249AEB458D3 9CE61782F09B5CEA EFC7DC24333AC1CE 51585173234AC5B5 970ADE48083810F5 94EE4CA570005C8A 01436CB83F118D82 188B81BFA9ECC2E8 8B88834C265D2D5B 801C36C1BCDA59D3 17FB60E533503D1A 5604A636939111CA AF097FCAD4748661 289F097D2CE487BF C21550BBB771F10B 5257C0ACBF56FA8A 9963A544991CE868 B71857245C907217 B1668D8E1BAB2E55 4D19E6BDDC3D7980 C3660D9FFC39254F A36C67E5C73E2539 149CEA39D7BEF0A7 02A27DBF6B8CD41F FD1E6381C987B49C A0644C0C5230F8CA D85249B05D779F27 E8D626B0D5C5B4F0 78BA16BF09FD8B5D 4D47B176E5D87E28 5352841F7C4CD913 DE6C7F55E401E451 DA32E5D1594B1D5D 72C5FD378B7E9367 2B0BB2B9178F235D 8B6F0B265AFD234A 7E3CF4793FAA3306 0C9CAE9FAA6583EA 92D952084C638ECF AC257B8C5129F921 65A79C0E6826407E 13FE1DA55ECF8206 FC5D4F541F89F21B 4B5D9F8029470529 410D6F2D6C7F47E2 2D72923E7EDA2C4C A5A4D456533B2ED4 D5088EB0086EF1A5 3D9C7F8B1B28AAD1 B4A38F4D5EC724DA 0DA8EF1AED42C6C1 988A561750FC85BC BFF006A3B43AF494 BEC29919FCC75F2B 20DFAD8E2BB09643 3F34C510BD69934D BD8B14BDF344BABB 371ACA838605F55E 9B1380E44A4348D4 ADFAE86EF52BAF88 45201FF225FA3FA0 C3F7D17385443E27 A3BB3B6CF2D86EDC 7D3AB833E57EB208 8E50C7C42D9919D7 8072BCB81FC60F66 2ECDEDA8343DD90D E54D8B3FD1C01280 AFF13A94AA6CF590 6370AACBE6532909 798AF4F8FE62FAC8 E4723122297D472B 3DA30B49CF88F122 C5EB0A2E06BD7F16 70B4BD19EC5023BB 3A091D9B8FBB7C6D 9EB188666999BD36 A3E148221D34D201 0DC1DDA5EBE6DDC6 0975E38DBF94040E 0E2763D9BF8DD74E 5AA8FFCA172C301E 97DD3094C98A9501 8A48F341E718DFA3 AB604F4D5369DF3E 55A72F80E8680FFC B6CBA59F38B06E5D 75B6429ECC2DF589 29E7322629E6E93C 7C694438E70AB8CD E7BF6EDDA1088BDD 8678343CA65BA799 DF178BA035F6BC25 A847A7C38EF5D6A9 F2E9FA73C6D5A0B4 88681DE60B928324 2DD22DBDB3AAB6E1 3334B242BC1346A3 5F40CE297FD46B0D D43E4BECD8F0595B 8A64D7D49935E9C1 137A4831E275F2D3 55F6D665ED0D8804 A6C6F39D6CCA5C7C 6695B8AFE69B9A36 A5BC3708D912D4C8 DCB7B6356CC0F142 13BE6F336B8F7D4B 822144B63ECF8A0C 2B4326DE509CC216 FA5F2CE915DF9DAA 4CF67E71A7C579CC 9A88A49C28CE2708 A0CB14096B3D3992 3017F8E55B18D327 BD6C8566D72BD83F 4D921C8A2FF32DF2 448801E8075B17D1 5D569D7F05C65EB7 12D48F55C16C90A2 B41B65820F96E8CD 96FDABBACFE6FB4D C246D268CD8C5BB2 152C2117C0C4F0F0 42D1CE02A8D91830 BE6A0C607873E433 EB5019B15CD27383 1E0D5C28C6A638A2 5D242DB41AE79DDC F82F3B411079BF71 54E7BEF9674E1470 85E9EA45B5105FF9 AC1CD938E5391BAA 4981007143F96C09 52113926A0E4BE37 5D13ED3692E65DF9 A17E3A7C8212828D 0E5FDD2686718373 1F7D2B12090177E6 985C4B67C62A0926 A787E3C66C8B867E 23422718CA5793A8 7AB4609C0D048084 45A7080891A6D036 77A87D1A1AFE277F 1938168A86BC8DA1 64DC0E976080CF24 A1FDC5940B9FB73A CCADD458F9F88489 4CC11CDC2821820A 3B14A748E09DE44C 0076129F87734136 143FAB08C6C8B50C 25EF3545CDCF9BB3 9C4C084CD5CC7978 B69B21AE04AA7881 06EAACC4D51E5643 607D155A159AE822 25174900F54720C1 0480271D0C16893B 494BDFB5F2C0CBE6 4CFD94F58D7DF8DD B92DC48EE5C1CCE6 9F9E85A005A341F5 72A3D70E78A150E9 A52FC2C22DBF5F89 212CC14D0BFCDE21 5A585742AA71150F BFC2B4ED071A0A7B 7BD08AC3E3263EF6 E130121AB300B727 90DF29831DCBBA30 F2A5E86CB540BA33 46744EC2236E0083 DB740E65A108B4A8 2E6A2DC14E51F0CA 93AD32E3A91A6AEF 95B42267A9E592BE A177D40D964DDE25 899286203050E769 DCF8A8B52CA1FAB0 81A4B2802D3E3BB5 8A5E1235BACCC23B 635F85A4CAEC9448 344FA5E59A1D1CB3 AC8FD9588941840F 36510CC5991CB882 DD43D24955A73F5B FD3BC1B14D720697 23AB52734EA07F35 A8DB4B09489284F5 01F357A1B4405FFF 0228F908772CEA82 5A54571D12BA7535 E4878AB4A64284F6 4439DE38F460EC7B C9642DC4D563BD32 90F14BCC89C92FDF 2B4B01A1BC286330 EDCE6C345F7B73A6 21E1E74199A080E6 2846DD097271C5B1 6D3DB367070E5DB0 A5C765564AE5796D FBBE3E4E7A9C1CDE B309AF19D808F752 24B71AD8E96E6560 2F61DEB67F34EFD8 5FB6126AC4E96888 169CD66C6E8C1183 7DE58A3ABDD9240D 290337E325337B8A 761DA6EA8C7537AF F1D8B20D7C8E6367 4403E9FABE65F506 A09FDFFC985960C8 AA52FBD1F4568766 E0499FB3DFC5AD09 00D03C85FC25DC71 EF9A4113DC17F891 8C91D22997633781 89E5209BD7E5A1E2 B3BB1490EAEC5A7C 7C93352CD7104C00 E5779980A760C414 61277256A2590525 C718242818DD0825 12798A5C7899A8FB 3CC2F4DD0A68FBD7 E42D6EF3126DF606 F0AEC5800C89C2D9 54A4E9A238A942CF 1B85C3985FF5D38C 9930B2DBB75DCAFB 1BC206BA68C48100 5A54D2DEF5940796 082551DC6912C8F6 692D448D891D2E27 82DE363F404AF46C 612DAA28EC3CBADE BD3CF9E5844CDA52 0146055D30E32D05 7DBE1BB073C4D201 0BD6294365CA3C6E 8A7570B723ABE59E 8EAA04134C00428B 7010F228AB45542D F31D916AEB69FD06 59525D736E9E166F E7C7F5C8F2C61F9D 4115AD62D096C0E7 E9DE55391BCD6584 72F6D96B9D83A01E 72C3BF6C2D3E0C48 56AD3850EE6FFD33 BDFAF70FBC8833A7 332306FE0F764A79 659BD2CDC97EE2E1 EE12C24E7498A779 F5E8E1E7FD06BA45 9089EA0F1FFA5B19 FBACE996E9F21B9F E1F41577CDC4301D 3226F96A8F46264F 31BBC0E51DC4D603 899012A4B6DA9FEE 52712D2356EC0051 6E07D4F6FEE5AA0E 519F7088E16E100F 186B63CE159E2507 1CF74F395577EFA2 43A1532DD3EE6FED 5F2843DBE1BCE5A2 AA829B458F44F2C2 35A8E46DD3093795 7B5244C711BB92B3 B1F21308615BAF01 6423428C0D6AF488 6865E966A120E072 30A53690BD4AC5ED 0EA8AF83CD5B271E 0E868EB37B673AB1 E30112D7A8A15B61 76E063897ABD87F3 D6BEF3481CD78A7A 3C9207FD82575394 2EB04E453E9CAC02 F0CC5B57D664B016 83110BCFFB696231 46507455A34C2DD2 383AED2BD30B04E2 8DEEB17E09D1CBB0 E7AB49AF2A8BCE1B DB2250437F3AF1A2 4A6528A11498C1CD C0355AC9843D5397 93F38F94EE783760 DB01C394D8C518E7 B836BC5D685FA376 3F372761ECA91D9E B729089721A9D806 C29100B80E0004E8 974673A2DC0AC09C 8AB13DC67FFAF2DC BAD195DDAEAF2E2B D8996829FB2E277D FEA65CDE86D7704C 06B64650D4B1A02A BAFCE6367E028FF3 25F9794D57C653D1 0112771F25ADD8A0 0713DF3DA3532552 E6BFF04EFF299075 C5818C5F777860E6 F4EAA3FA0386EAAB 4AE55F0E785575B1 58F1C5B7AC47BBA5 0D7BA50F58238667 22589219047E44AC 779C96BBCE9DF16B 91E482FEDF823E87 03A87847326247E0 A12DAB6AC00795DB EFA53AEBCEBF4E85 C3D771A0042795CE C253209A5A3351B1 88647A1D23B44303 858725745001DA24 43D27B8414D0451B 4BCF1E030A1B6315 198BEDA9E391583E 5C86704A42E09DE1 572BB5BD486B3C75 0E5EAE7BF39F89F6 D26854EDE3324FF9 90C4EF51455479F9 4A12A39411357D6E 78D0DB328AE8034B D7B69FBCD9E7F3FA BFC7F3C6DAB545EA 903964F6EA60AC71 242ED5D62C0FC083 8AC9068B3F0A33AE 088DF5BEA6A29D4E A708414B6B8D15DE 41DEC70D96FC88B4 8599687704ECF3D2 85CF84FF3EEE4FEB 3B6BD2B5C4451DF3 400B7832DDB87E8C 8D34ACF68DD9B97A BE0691888155E9BA 10A4C6148816E931 90F650BE66B1D816 58055528A8609002 7F5BCBAD77ADE991 C9DEE3B6CFD792E3 5C55561EDB39D589 B308366AE7B298F4 5A95EB1AFA4587E7 142BF73C3B8C1F8F 6F3CDA4154EA976B 76C6F2FE94FDBCC1 1B1F42EE66012037 96AB0872A54C50A6 07CB68A373B4139C 83511C1A7D1D921D 9D9C898B32265AD8 E04EF568871ABC93 E1701C271A5A5DA4 AA7415C0DA01868C 13908D62E0311624 F283FED158BD1198 11F71C03AAA6AD2B FE69BC484B4C5BDE 204E2699B3CE8AFD 73C7CEC8855C0D67 BC600D35E0A6DB3A 2940306A2E89EBC0 4B832E6624CEF91F 2CFCA985E0D76B2F D4EBD1370DA7624E B44B67ACEDB7FA1C 4CAF9FF18CE1528E 971ADC42F58F8591 ED1E2228A53870EB 74BB48775D913909 3F9E156568594EF6 14776F7D92D70AFC C2C43D27C039BB62 15084ADBD8660607 986F1AFF8C47552B 46E362619A85F4BF 9620DD6398D27859 9DA1ADBE8595D976 D80A038797A11D9F 27D6FA39935904C2 C6CF71B1DCDF119C F6B1A0A9E77D0141 1CF5BA9E47BB8F08 D2BA42AA6E6F0B3E 4B943C87D7F66B93 A94A4226A9EF596A 8069A99E974F5602 5648A74872BBE639 D74A9941E882ABC5 9452EE9EBEE6507A 02B56555A9E388E4 D5240982BCFFE597 E9000CF9695C1FE5 BF528120342C2760 CA64485752D039E4 43029D08686A1815 7223CAE5461ADE4B 0DB826E2C7CCE773 2C71ECD41557BBB3 E5531447A82C9DE5 3549EC1C9F53D2B7 385EAF0E841F3858 4A463506504D5F5F 3F6A3918D116A9BC C6AA02002432B961 783C2174B7FB1D1F 6CE65E52E9649037 49114E58B54AF45A D26609A23EA43EA8 981E6AE084A8708E C2EE62C5717C23D0 4C40A462DB5180E2 1DA61D2789E00ECE ABCFCF0D34DC78ED 7329AA362D1100F0 8E93834C73EA7867 2C9FBDFD96E3B86D 258FD7716DB163CF 8D174C53B9AC82DA A3B40B414E335E83 413CBE97AC0505C0 7D64E3AFEBA4A499 D4D180D16DB9A3EB 3769039CA435D208 3FC216114A38A10D E9B90D5D98B944A6 50AF76203B9D4558 4E09D04E13EE798A C17B682F4BF5484B F2BB6FB212F2F507 B8168B1DBF9383A7 F26207938393C959 6C1F4F8DC0FCBDDB CD36B4BF4537BA55 9D53E2DD48E6A911 08292C09D01582A6 7BB5EACC47925B9A F4D30469A58CD11E 6BD7A9063A440E57 EB961F1B97B1AED1 9F594B1756252C46 591C22573D95A828 45C3BB7FE72200C6 CC41F174D9B5B716 2A41FF4DB416E226 5790283A0BDB98DD 0BF9D14EC8D9139F A6002D394B84D782 572D32D673B32116 128359FAC1A6C6FA 7A3DF8B0370E445D 187200D62DF4A9B0 8BE9E1D2D6131B04 A9085D0C362B11A7 D65A2DF534626B38 0008E98EB7CB1E70 908F26D24E9D55A8 332D13A247456601 01B8A14B653A3FB1 BB2F6F2BBB4F31BD AAA5519C2D136077 A6932F7414276870 34A4DEE988C915E2 2C53E5AE15FC3B63 A227C9AFB59AA6DF A12A147B1C6C05A1 DE8527F7B2D3E473 550737D3F202A2BB 0E4CE119C846F55B 9C90BC6D3D6BE963 26D8B0B7B74AAF83 4192F6ABF642705E 9752E606D02C7A8F 3CDF41625626064C B22D166261390DF5 52B14543D5323BDE F2139443B79C913D 3B11F1C53F023487 D5CCDD312062722B 959EA26169B6A02D A481648BADDC1890 5F37C5D365A293F5 12AFFA7660DF5F57 9F411FCF2CF07401 E55668D3F74736CF 423D1080BA126DB4 6ECF nettle-4.0/testsuite/slh-dsa-sha2-128s-tc162.sig0000644000000000000000000004046615141166425016070 0ustar001BAC90AB7E6D50F9 567F015164EF5B14 1262DE517969EDC6 938943BAD9123BA5 A31236E9C99E6470 CC1BFC44EDCED879 EFE625C50F8D2CD1 17192B84A7FE9A3A 5753806774ED59A7 C91A63A96888EF51 91FAC1E293017DCB 40BE1F48C538EFAD 2C058342505A906E 7577227F2B003B59 7D7DEEE3BCDEA929 2550CDCDADDEE7C5 F38322295FCB0E98 DAA4BDF4F250B877 14108432B2DF23F5 EF7AFFBBBD71677F 39F8923531BB6033 2E78DA03DCAFA853 95B82FA4699DC4B1 952EC8BF58E6ECF6 A40591AB1CA423BD C9C6C63128ABC968 B61C88590F5FA3BD A9654BACA75EE119 2D9E77649F4AB344 D9E1643983A41B75 1E093A402B23C434 B99B1692D8525AA0 6250F199CE369F32 35D5E2521176BDA3 A3E514AF3B69899C 7DCE41FB6FFB4ECC B4335FBC71E1316A 1CB9C112EF62A7D2 61DE37BA47115C1B 5A9576C33697EE24 AA218E113376275D E3D87E9107F8E4F1 0AC21334A03203BF 1729944C4F3F2249 2A3FDBD9620259FC 44008AF6507AE751 6421E228031637C9 1A1969922A4FEA0A A005E08EB26740A3 F39778B207A4D0A8 3ABF211D5A311FC3 F96529A587A9EE9D 2CBD484D210AE9CE 401873A4E8CA4F91 C006416964138A2F B08A53AD58E1B7A2 7EE2E0A40F2E5F92 F365838E67D2823D 3D60957909D78552 000E4AC78288E665 A3CC97B4C9E7DDF1 4067E63916D305D8 A0ADE48E1069FD65 23D5D4BDCEAF9752 5DD0169BAEC2C53B D58C56CCFC7116EB 79BD6C420962B266 7BDBD4B27857DFB6 513145E0336B5A4D 4976FAC5568A64C1 2BD2844F7250ABEF 88196B1FF02646B4 3478A613A58377E8 35DC19660D7CAC97 B5B581E1D99414CB 2211D2AD205EB40D 77AB4EBDB8A8E36A F955FC62D6BA5BA3 438AC55ED7910ABD F45170ADA52143A5 6E2D4199904187C7 B51A073A6AC896C0 E030A1F0701EB853 22AB7152B2B08E9C C39A9C4BF104E86A 71E82B487E2ED3BC 235C3EA274F4FE4D B4E8CC9DBCBD5B80 77EA4859D7F81E1B 4C4C2539EB587009 8197C71DE4FA9A92 FF54733F4C6BD383 5A2922A9858BCBF7 92D6ED77204B7298 6983F0F88324EE99 D8A3F110BD94D7BF AD2F89D8FB192D74 6DF1E4FA1384ED8C B1B2411DFD3FE886 FABF3CEFDE776F02 51AC889AC6596F37 7277C1E74C6939A7 A675DAB42CB9AEF3 70CE078D19061778 D1098D783F6619C4 E199128504BA2F02 BB142CCE9B079720 5FED1516882E2F35 FC6D4B2875CD5F65 2B5338620D1356B2 588AA9A3A71E4C88 8174E402B626EA96 49734F157A17BEEE 0651694FEBFF3203 C37703931304D1F9 5B4A993ADFB332AE 34834BF942C03593 B54D9BB3BFF31C85 2B5E8F72538E29EE 4507AE0F5260494D C53A814B655002A0 8A5EC8513922DC22 DE3D85B7E381B795 60D806861DDD0392 4A5C7972ADD7B12D ECE20533A77F90C5 D2D8FCE4CCF833F5 7509D29850A93DB1 416A145EAA6C910D E596282A7CBEAA91 1DE582078B6BDFDA 0678C4AD31ED76FA F04D770D5A60F730 C6B5B27DAC7E9939 270C239EDE4FFC5F 21ECAD060274AF57 4FACF24A951B1E24 AB0D60B90FFDB90F 9539016128761143 6E3F73BE9F11069C 01E67CF8E48B1CD4 556AAC7BA1CD7E7C 038A1DCC7E1C0FB0 AC9505998AAD9AB7 4359DA64A3A8BCBD 229F61AEF207A546 F1190D798B2AF941 ABD7BE06F60F4062 91F14AD2EB0BDDF0 C5225FF9DC75D5B2 E762A4A7CA07227C 0641AB6D2B58759C 93838D3AD7E2502D B56CE75471CAEFA4 3EFE435A75056FAB 3A4107C58C2530D7 F78A58EAB6AF1AEB 4622F42DAB230C09 F31A9EBFFD910A75 AEAE9CA9A6559DC7 925666D2C63EF2F2 0ECACD3AC4745F1C 4AA0064E6EE3AC40 C8C1B6B98A9980AD 9F41ABAE9F9D7D2D 52BA0B39041AA909 AE045878738ABDE7 87A1630AEAF22D2A 73EEDA1DD3733356 D09D256759B298DB 98A300E21E8FD13D CB1B81D725E38FC8 74EBB53D58D7943A C0F20907B4A1603F 7FFCE22339CECEF6 0ACCFA91394BCC49 5A9A2DE88F999CBC DF14EE756781C5BF 68FCA81C28CE968E 07BA84C8A615AD31 0215B4ADAEFC0706 B16A88EC127B9F70 F739770D0D53FDEB 9D376BFA7CF0F629 9800ADA7A9C697C4 716872C5FCA02734 E0FA7D8872389A31 4E1EFBF7C449BF37 A90AC2A16A6FEBA6 0FA21327A1B95C9E A134E38625B9F9A9 B7BB60751F79DF2C 5B4DEBA4CE74586A 4D66782F75DDE07C 22ADC8FB01C3A83B 7CFCD53C988FF90C 59B3505FA7733DBE EBCD72EDAF815431 D21499D650D90804 24CAB6C01CFEFA1D 1754352CEC5875F6 5D80C5EB8F5D4734 3502824C6CB84F0C 50AFEEA2DAF72E16 B79146BBCBB3B151 1EE327DDEDC4AE0E 88FA0A184AE23ADD 39CC5014AAEF247F B2DC846C088EA44E 5C066140AD9BFA32 DA47E4DC294AFE11 E9C949DFE29C3672 BB8A8C6E37C49474 7AE3B8D551C602A7 C971835FCCEB582B F6DEE85A998BB1AC 08A040D8BF90F7DC 4922269DBF441841 85111B922F751013 AD4A902EE2F853CD F4FE50CAE3A742A3 5E5CD3753AA709D7 C7BDD3538F0075D3 D18B90919F5E40BD B8020B22A9E32D2E 8FB254692DB0D1B4 D4BA9781C2E50DD9 EDD75059B203157A 938FE233FB967DD6 D568EFCE66EF2DC4 B2B3FF0CFF6ED510 1B146FC828E56980 CC2E0EB510F13CFE 62DD896AA66C3D7E A34FCC88DED688FD 4918E8EA9F4D5EEB E22F837164834B5E 979FD4D0B2D97AA6 101AEBE4521B9E3A 9200B8231476A37C 45D3D4B20EDEF0CB 9E049B671ADAA9DB A965AA210DC6CDB9 5BA12CF335CE9619 BC90C0E5A9C147DF A8F2BEC0DD07A3F0 D9D1004ABABAD4AC CD9BAB1C11C3E474 457F258DBD544D9D 835AC4BA9FB2A153 9C6EA6469F2A8D38 21672554188D3652 205EBD1EB55E8704 380FA78B732AA01B 3AB096DCC063DF73 9E67B309F616D570 A08B6756F6DF7CB0 9EF95A720C6CDF65 E210845D065858B3 58451554AEDCB6D7 4F5FC441643027DB F90449087A0F61E9 AEFC09C95BBFE3D1 6E1A4C8F2D5DE2BD D1242854229D0978 EAEE295504AE72DC 310B8E64D8AC0CE9 1EF46E4050B12F71 F5953EAF80A320DE A58B99FEA38567DA EFEEEF66AC16BA1B 3E8F39AFEA623CB6 3CC99E9D7ADBF575 DAA61B355BC85104 276436C9A7C6B306 D1937D34084F0645 A2D62C08339773E7 CF8DA3A8C6F81F93 EE0A1DC8B28898CE 2A76C10879E03F6E D4712EC812D0605B 365397524E957630 C0760605EF11EEBF B1178C9B295989C3 79817A92BB869BCF 5C61CC3763CF6CE1 C3E9322D85E50C8D D117BC1929F3B978 93C83B004C5A739B 38F478DF458B8EB7 CAD667B76C15013B DC85C19C9ACE0D64 75E2E03E0A76B4A4 DCFFE6ADFB4EF39C 1E13EDE2F53EEB0E E6EB58B420AB811A B154A63541E8EBAA 57157D97AA2B61D2 9206C73FB7AB3ABA C729686494A34898 C7F522985B3D25BC 56FC1B46B5E05545 58EAB5E014FBCE93 C62AEE3A73128C3B A387EF33C10EEE20 FDFE3062C47B3ADD 94C3659C2B7595E4 DCE9199496DC4780 98B1D589F9D4EE03 05302E212DF042B1 BE5D35659CE575CD 894241BEFDE9E256 7A6909CCC3D57616 4704B752D9E71FD2 83348F272B1FC170 C6E588D50BE98431 1B7625AD451C7057 663D03C773312081 F732FA2A96EA3C6D 92CBDB5F6095ED32 2FBF4B809DF811E4 BE50BECCD3F7D675 018AB932C23D661F 3BE515F08679840F F988B98C090CBED3 3A75EE079D0B06C8 B2CEFCF4F59B1F02 8ADFCB21A50FAD66 7900538452FAB52C 63D6C2B633859B2B 9426EAC4E2563DB2 3C7B92AEEADFC83A A04F9CC812BD5211 771C879BB7D44ACF 00157D6359A7554C A29EAF255678DFE2 649F4E3A4A07DAC4 15CB67C1763354D1 4A75910E688B0C0E 75E39696333CC959 7764FC190D5E7924 A8891CB6AE7B0FED 7FF1468ECCD3F5A7 E4A955C12DF22438 BF8F1C52CD2411C8 ED5E2EBD1887A3B3 3CC565354CC1A3A3 0706867393C219BD BA6C60BCE984A3CD 084E51C50A05E006 FA26D4E5789DABC9 B820E59D9A05CB0C 3AE294009059CA1B D10732C4A6EF4A09 4D6AD3B8EDE1C404 9FAD9DBA92075BC2 F5491040C7EB8974 AB7B5C412ABF442B 033D4330BAF8E523 EF07541C62FEA80A 4BEDB99092851B16 C36BD7B5FC7D95B3 9D4D9C720F8D99F0 25865F49FB2F364E FF6D8BB03ECE1025 3E1BAB2FD89E0B28 5D69229FA1185613 80F7E4FD6322ACD1 0795D46B983D07C6 1289F98E654F8B96 2B3F389338835FA2 40CE686CD7A061DF D914512632C448BB 3B8A430ED5137326 134305F3292EE7E3 EEC82E324816863D 2F384F0777C3EAC0 E65E7F5D7F4F6D46 05DEADED5B069F59 EF790996F1D30A9E D2EA121DE1EE3CB8 2A438E5BC81174D8 C0ADC968F3EF1CF0 47F36FCB4A488EFF 4FDFA6E8B7611E57 272445B435047071 1BD8FE884C664672 E295F094477BAB5F 4E97E14CE5E1B5CC BA84BD85CF14B306 712EAE2EBA9372EE 44FB524105BE864A 2105C1EC5DF84067 CA2517CD6011C65A 533BF56CC7DB6D3B 0F211C8049CD34F6 92CD4FE189B8DAA2 B946C00874F6DBE6 64794D8CC1139F66 BAB4EBE1572AA6FA 2EA699D76765A197 78130A2B1B3F6D02 3FDACDD7FC2026CF 14D24DB7B3EA0611 54B5A51A0E7ADB12 10CCEF08A57E67C7 964D084EFC747764 B7C39C8AE52EA437 C4399F6ABF27E40D C4A908D3C07B4012 BEC9AAED0700D7D1 1CAFACADD37650A7 5A513FA52CBFFF63 2AA707948AE75968 36AD1E0EE39C069D 0DF4B25496619A07 5E12F15A49A65909 D9ED702BAB5811B4 214956E2CFDC5AC6 34BF06369017095E D29A0918DF87EE25 CA68AA181A47FA02 0544EA62F153B4FD D5513F8955FB8DF3 AB84C0302CF9E48D 87E2B7D916223C44 69E5B44B6572D2D6 565A349427B7D606 10BF50313DA25DA6 AE1613A08515768A C2933FAB753A1563 CD2A5224B7E8988E 94E8269380C0256E FA7D40921B8A7EAE ACD06DB1A94D41DF FA4EF8FE62481FD2 D37827B577E4C9CA C4CE740B97971767 FBA90F2705F491E6 97E3A315FA92389C 6B639DA671974F9B 2093FD6BA8CD6BE4 52343268B4CF0643 AFAAD3FA20AF818B 524378512704F2C8 BFDABEB444DF9E2D 3B7F0BA8A7A335B6 0F91DAEA15FC5098 4281172089CC10A2 5B590034A81D3962 154E240E9CDE26C8 9E77E36715D9EFAE A5E15A3D65EE7505 A278D131F753C312 D3F7F61FAAB70C3B ED14396C47608AA7 781975658294B779 EF3ECE395CED7CBF 3B6D267D9A664004 8A6441FAFA8E38BC B1401E015CE114A6 6130F2BC42F0BE2A B37FDE126D2A59BC 39F69490B2327573 9485B4E408CB64E4 3543E1030863317A 60E6E60D9E144A47 54D1FE6DA38A0BFF 9FF8BFA099A25F21 A0D4D2E5F97B4778 A507E4F2B87CF6D4 DB2C0DC7E0D30670 4AAD29AAF7A794E0 057B9DBAD7F13EC8 B082C52F97D31C72 D5D48D30CCBE0803 A633ABCF5CA9AEBC 6123A62C8E18EEE0 814B2747F969DFBE 1D38F504E5B31754 A6882F7049268351 D93D9CF6EC2E7918 83A65F1DFB73344F D83FA15DFAB48881 8B2CFBDF321986E5 12422315C2F1966A 08B6D885511E1962 8C26BCFC9D08BEC8 6C7666EDC638D0DF 720E1B47C3A1E1AD ABEFB13E8CC6CB2F A8101C770E212A5A 99D3BABCFC24970F 7639718132D58CFA 859640BA14C13DFB F759FE2C0EE26AAD 56A1EE4298820D21 5F6CD969F891D049 ADA72AED65EA8863 BC6CB859C91F5ECC B87A21D680137BB7 447063908E6A4F8C 979C1F7D467B5997 503A8E61282F08EB 99B8F6CE1F5101E6 D8FCB2D790CC9C44 3B031B7E71CD20B9 1B849FC3D425D5C4 D924611999966FE0 F96A90011D53BD0B E140D78D6406E01C 53B7C86BC796ED0E 35EAB658178B811F C4D35EBD2B4B8090 627092BE464247D8 8BBC202645190AA5 BA7FEB893BA426D0 750F520620400025 3C21AB4746E8487C 4C8FB8E22A493A54 E2645346C07A3325 799B2B17535765EF FC6FA8CB3F7F04EE 9658884201933B3B EF8F718A07925867 AD5FA32A5942DF40 E122625623E6084A CDFDB5DEF0E8CB4D 53786321B6A70C48 6F3BC6BEAF009720 9D0A7EE682365BA6 078EC295ED3027D1 9E0DB6AB59196ECA 6E22B845FAC233D1 36E31FF258DE58EA DFEF5FD45783A2AC E044C29CB8BE5715 9584F9D7B9571A7E 4D3E7D258768BDF3 10823934EC51932F C4C7EC66AA661138 240ABF534E63673A 2324B439AAABF1B8 3815D70D1F1DD51C D502A8746F10447C 122D82027C6C0283 E02E1FD83A9AADCE 0DA8D87FC513DB2E F82A721AF1991216 F3179591D09B41D7 803E071F22D28B37 8E10A69EB72A57D7 DB60149BEDF130B8 69357AD24FCDC219 97DEA759C5846E58 E28116467C4FEE76 CA7E57662A378F5A 615766C7A6D38C89 AF8645747555B54D 2A790922C2FD8F9F 1F3070DA84772A5A 3DBAF5F54BD4408C 8DA0E465C44FBEC4 BD788111529F2909 28DEE69D6BB72761 3E5C5EF222C41BAD 1841D8CCF19914C2 70D37E529EF0BCA0 CD921312D5EE8371 B65B3C83DD6AE0A4 F75C4285E81A8C6B C83D935F58AA6581 BA061625A81AECE4 775D5CD5BCD2F0B2 9BFE351DCA928FD9 0F37E731D5FFA744 C028987C97D2D040 F0D6F20C6825D16E E79980A8797E3CA9 24A6F53B48DFFCE5 5B8C809D2727638A 86149207FE9432EB 26053820F8D65C0E CECFC9460BB967D2 7753CF2AD373336C 38F4F27527C4D834 8523BA56E54961B3 93277AFE7C86ACB8 0EF89B3C62C05C9B 930F06C76FCD1FE1 EE6F7A6CF97B7A2E C0C1806FD3B616D1 9AB4C748FC142BCD F6D338CB22C5A544 3DEE31789F7E5655 A02750318A851EF8 B3080358E36F72F5 371B2E57F90BDE3A 68BB4C4AA5C9E973 7D121F854EBC4466 BC683FFAEC2DF62A CE60F188DE5A4037 E64AEC5D59B31E9E 75EB0FFEEB9BAE28 1FB790F4BA3CD758 15F8F292B37AAF73 AB10148408B72C28 F0E9CBF910C20AB8 6764429777196BC0 F80147945382028A 0D358AA6DB3CDA35 C539994EA3E2BA16 7131E0802E84146B B75EFB55F7F6D6DE 2BE958A4F045BFF6 26281EE0CF015AD7 EA26F3BB6B6A0EA5 3D70B69721AC6BCD D897270938C27E8D 37BEFDE444F9AE7F BB8921FADFBDF7F9 46420FE3223D1D55 364D7FBF913C3EB4 6A5B0C8898150F8A CEB0896C804D94FF 8194FA3F5D5D6256 88CCAEB8DDB9C4CD B33AE4530E3AB22A DADA5CC9D6BFC837 1350107CC142F801 391E6F375F80F45E 6ADB59E4288A210E 402AA0901FFA8DE0 3B8A9673E36FF0D9 2940487C4AD3FEB5 79B6136C8BA82911 1410299818CDDBC8 1ACE1CADCA73C83E B2167081E28E0FEF 489B42338B69E100 5779579340FEC8AB 20E75EA7BC707B96 93F4B25EFEA6F181 2E13BBDF1DBE095C 08ED818F87AE9941 6213957E81FD3F0F 2803CB317AB9D63D 2C256E8A16CDD3FA B509FAAEB9BA2FF3 8AF68DC468AC85BF B97531DD0C644838 C267054D5CEC54FF B650DD9AD87CDE7B 822DE425C5A6A578 C8E85D7D0E3E8C1C A0E5410BAF766AA2 D8BFADB6219B2282 98342B32BB5C2301 89603CAA5397510F C91932B7208C3137 038307D3B6BAB737 0731A286C05419CF 2B1FDA06A1CA54A4 BF1612FFE10814ED 2D17052466EF9C3E 594B5A5121F0BBAD 98335430A25019C1 A8FCB2B1626EEC0F C191719902A93E5F 5B49E5932D8AF391 8F65ED043A93EC73 7B47DC4C654E2C25 6EB9EA1F054EC384 28AFC553AC491526 2DC16409B5242EFD 18B57452933466CC D738D030664B6A3E 5F30EEBADB29BEF2 166817650D811F7B D57A5485ACD87857 23C4F47AB6F1AC6A 5493C5C3074BEF70 33E2D9F58F57B082 A711CCE4F06D4F50 4619FB9AD1824EB5 B0FCE0ED84DB1632 519F6CC0AC12569F 13180B1DB3762841 803E05718DD21D4C 84786812D7F157E4 8B96E5E7946759E4 A400A86662F7CA22 D19E705C7A70EB79 D863AE3E63708FC7 9D664193035DDCE2 593F5B2398075D7C 82DDBC9ED596BBBD C28CE2A25048A162 D46C99C4DE1087D7 063BF436414DA8F3 F52873F66B853658 F95A9305CE622FFE A72E4122B26C49D7 540CCB99254EBB9E 43036B1BFD661B78 C2E0E220E8E74689 6271B5501901EA34 658FC19570F3B3A7 0C2D6B57D9403B65 2E8BAF79C42AAD07 7B3CBDD9EF4D65CD E865744C9DFC6185 65DE6538CCB3968E 0FC77BC0147632CB EAAFCA903361D0FF C4D76AE4C184E0C4 F86A9187D4C3DDB1 64DC4196D09E68B1 6C841B5768411174 D54CD9466313BA61 7B2880AE73505358 6FE0D9576275DE87 32A7BD938B40654C 700503B7EE5722CC E0BB1644357123D5 877B01DF4EE19ECD 66797BD41C623241 6914CD4A35EF6933 0C5279BA214A78A7 DB3A800C1CD6D6DF B31F8E8119892886 06EC467AB9C98790 93EF1B67807FF5CE 5B502C2EB8C99E8D 99CA63B3921E53C0 4EF6DB94F0A2DF0B DE1332D1592098FF F590D6ADD19A2EAC 6A74563BF51E2F6C 6E6A97670FC1E58B 3C4AD3B387B51EAE 84F1E63A6100EFF2 9FD394F7FB897595 012F384EBA7E4338 2C3859873A77F22D 62893385C724AD29 126A66F235FB2864 B0011095D322B849 E2E919486D1E3AB2 C9DAAC3D2A0BB609 F8AAEB0C20FB169E A89CDD979F44CFF1 A51280982ADC594B 74CDD211E044721D E4BD23A3FDF28F51 17D9FFBCB4F7D0CD 379D19EA6647D184 91CB04FBF8E16BDE 9D11E7E66CFE50E4 DC2BEC9172401FC7 6C358B4752815906 310D464192BBB668 4826D921A25F890C BB857BE2E32B313E 96E2BC6CC330EFE6 203F2476B6038A6E 48091E4DBC4DC5D1 D7B7CB9BD4D41235 C9FFEDC5F2AA57C0 04BB5756FA359469 16C388E26F3DF804 580BD8307771B804 5EBBC04C6E6ADEEF E118A9743ED8581E 5AA72682D7010C3F 4C414F27360D7A6E 3FC50670D811E65C F4ED4472665CDED8 E0AEF0D0B5F315E5 29E85FEE87072FBC A4B8F27B025A5189 F80EEC7033533D0F A11594CABE096FA3 37525AAEDA733053 D0E9459E4DEA33D4 B2AC91237495A2EE 7696225EE93E6358 A6FD2FDAE1F56696 287732CE7AA7F41C 11D6B513798D4DD0 BBE4B055C09B8371 612AFC3A49752277 6F7909B71C6AEF75 373D969D71C0185A 8146A096D04357AD 3245FA962ED918C1 64995DBFC385FD76 4BD95F211B071D18 4E2544F889E21544 76051DFCE9279919 756C098A2D2C07F7 0DC66FD6A6FFB3C1 34B2FD8874844A5F C5E0D15F4D6C7197 D4677EDC88342674 8D452A8DBADA7962 CEFDCB8DF1100162 261BAE5818B91BF8 2569F31207684840 A573568D1E889B84 248A2CB8EF9FB82F 621AEF2FA6F47311 58169572396536E2 67B6DBFFB525B8EE 9CB501EFCA266557 50549E44B92A8A2C 21A48695A307E793 FD57AE844B0C4F5D B1B77E8D7819F07A 94235118B8B645EB C9F914603AB92561 468D0B493AF3FD99 63FB1E2ED253408E 6E43AE796B8F7B8C 6592B5AF82B4AA77 2B3220E49D66926A 9371E20DFE0AAE5A 50B43FB6A4C418C6 93E03E19624CFB3B 6427021D54519561 0352B4B15248CEA6 BD320C4A5A8A0319 56B051F29F6E6DCE C1EF9FB92F68EBA0 B5340B082FA51BC7 3122DEC7B5A987DF A61A73464C5839DD AB7C59A222E31312 3A9E10163ACDA402 85AF47955E366456 7896D8860D415980 3C97C206DFDC468B A85BFD85DB132C42 4771706E0E268010 54C477FEE733FF59 501ABC33F0D58FF6 7BF5D9B010307C46 8C1F3ED5641BEAD0 829F0473A786F80C 112DDF0017E7E859 BB7C7AFEE95FC815 AB880F94AD43E251 8D18047EB83D1D77 B9D42BEED20D3E35 7C79867C56D58477 0FA0F7974FF83EA7 D26CCB6319A320BC 3E763B332F62680E 4FDAD9B22C17AF15 4FE1183A732E5D4D C084443B1097703D C7640DB74C595F3B 6D0F1986502F49B3 CE72694E95B4C48F 7B8C3DC1C4544401 D22E5B6733DCA273 D7743CA177161A1A BE2F0880B9A1407E 71EB67296B7892CE B435D2BE6F989DCE CB4874FD73A49275 7404DCB02BB4704E 908B0D5A4D7F494E 2711E2C59A454EAC 15183082EE6090C9 0568E966D7BB1D4A 55127F996FF64A0F 3FA918D3E5A2C0F4 B3F05A7C41039E5C 850A3EA9AE0E795D 507FA82CDB4169C0 2DEFF2E699053970 4CC85AFA2BC4B7AB 3861049EFF0F2D2A 8A1D5584391E91B9 F99B0F7A5046FB8A 6E6C00973AC9C3BA 053C35C0DE582045 EA951164951DF02E 8B5155FDCA9AF868 A1F76E9BE7830F56 F1DF755375AA9E05 D0B4182576BAD750 B22DDDBF9D9F3948 EEB3ED52B16ED121 3DB2DAF16AC6E068 4EFA85B41534DB03 57A2AA51A858BDEC 4C78F315BCDF96EB 8056D797DA4AC1FB 50FC05698CB64798 231B0ACD7536EB8A 3939867A5F11F4E6 EF82C75892A7CE74 D29D5199F2545462 9965F4A1215E428B D02FF466D7EDC79E B2B4AB2A978A9F09 A94BB306CEBF9783 DEDFB497A3F0E1F2 4086847C60B25687 ABC853A2806FA70A A04DC6839285CC36 0248A2A990C5C1AE 7E3D6CB10BC08CC9 59E552FA671C033A 7081D7BAA23E193B 917EBC6F837C493E 2785AE4E4BF549B8 79D4F40CC1CEAB28 AA2B14A8459DECB2 D00BD554B5CE6E9C AA9212124FD9B1E1 6E057D4E17DD7705 6C188E0DF53EA2F6 79994325706CF440 E49D80F5150D8191 C53C2638C2B35892 B8F66F5DFFA1506D F4665513D2A8B000 A931610BF695CEBA EBFD80CF2D6CD225 FDF6515E5F5D8BB3 F3DA49C88797812D 1479255DEA2DC1A6 63586DF4A50B7600 357A671650624F26 4BD6EE7A31EF1FE4 C8B7A902813413F6 C9146B211B8E32E2 ECC50EE3825AA035 15B3BB171338A5B0 DD618BD4B014ABD5 B52A08843F84A6B0 4E551B40EDEFD7DE 45C071988BE1F50B 71ADF056A461FAE7 B5CCF6C857CC85B6 27E327E0464536E3 B4707D95FDA5217E 14CB8B022A5E4001 33147608421C1B1A AA62424CE7B1F4A6 13D371910B92E36E F5FB7A051532B6A4 8F51952EC39EB917 3DDC90F29776BA1B 3EE2A7EA961BD2B6 C9A1329DB9E5EF03 15D8D8E5629469FA 7F2C7192816D2EB0 EB7BEC2E325E64D2 DD0782C0BBD6CC42 DC728106814E50B7 ED5B8865D1A1655F 7AFD8CE0BC7E8EE3 163527BE41808421 64673503E7558231 BB1782F35A609758 92E627FCB3C777CD 8A2A5099BD21F9A2 DC335517621316A9 CACF5F74739DADBD 90FE3763215AC754 915CEBFB2BDB1151 1BE0CC362CF43900 5A00D50886F04FD5 488B61013C59CF8D 2B8FB07C17E79EC9 3BF09886A9474D5F 5111FDBFF6C13735 6BD670D75D72D53A nettle-4.0/testsuite/slh-dsa-shake-128f-tc64.msg0000644000000000000000000001135115141166425016225 0ustar0014AD3E6BE94E5F92 6241041A9D7F9889 BDFF5BA185052A6D B3132990E37AE6C6 0390B0A2BA50DF65 9F140E1A2EEF2C83 D8FC6AA0F6B707C4 50F9BCC8B4FEA771 5C320AC902708527 9F52598CCA7A666F DCDE8E8BEB42F90D 5AB21240787EB8F8 A1D995955F086166 8755E2EFC5627762 3A34466CF7494AF2 C869D263D60D7D81 421EEE41DDA1A422 4A85D43534C1762C 16E94EF500FA1690 1A7336032BACEC5C 8B17B13C8E8D4C88 2A46660ED96465FE 6CFD0FC3690999F3 5A7DCF2929CE69B1 93AE9A9AC0E32A26 ADB8FF99ED710EE9 9D5FD2945D800A25 B2711FB9B4F94029 E0547FE84E035E3F 926D44742F4B647A 3783236AF8490613 96E89E1E23BC94F1 2C2EE552EC456DC0 CACADE6394A10E50 90427548EA6D57C5 A66B2DBCC4280A70 D1D8153D9CF4BDAC CC0ED7500FAC7FC4 A462472D2D65C942 6C8146A9F23ACFA1 1BED101365B3B3D7 70A3AEB4AFC446ED 1520F693C9255EE2 EB7BF14FCC2D507B C28614569A94E49B F611528C48B5BD5E D013D642B691272F 44ABA84A4FA9E9C3 2FF76A6C221701EC 62AC25F155A38D94 C541F8B5F07F722D F2366E9B8047471B 02A82FD549829FC9 C9C7C228BF1966B2 46299297C4EC6B5E CDB4EEC1E1CAB325 D5E40BBC55D4BD57 D8BDA15BDE3FE1E1 F84F65346C1D000D 6484AA07DA77866B 23A068A0FB5F02AC 5DFEB4C5F9D0E377 BBC9386835D6C53D 85061B57801A568C 829B2CC1B79CAA31 B79B0B325A851480 DC2A21300309064F 621F3CA590BA4769 300F4A0D51C0A1DD FA3C713C26275DC1 ACAC11C783879BCC A97D815879A46D29 D73259B847C02DEE F2A5B89ED6B0CDE3 78B64AFDE31E9B8A C791CE7EAE9483B2 DB48ECF30BD678F6 AAF5E61F11635E77 FC30EDFC564871C4 26648FBFB7D7E3D9 C5C9013528C91465 B3A14655E3C1EF56 518555926D487CDD 7D15BD1F3C2C98F0 4ACAE000B9B0FD51 C25B45D325EED9E3 84CBEC4FC82DA3A5 CABBE5261BD6C1F8 746B43BDA473223D D51EC011ED469862 3BD8F5FD250D5C8E 878474DCEED27082 6C3319BE5015BB7A C8115D24BC2A2A3F 97D3F88B582D2B8E 2A94D260EDEA4F32 427C3B1886303534 634E2A519B86225A E562C73E04B2FEA8 4BA0EE86491FC8F3 63F8AADE840FA15E 11FD3D57D5772E18 1B1C7FB6DEB22BED 5AC027278F4732A1 A5FFC8CA9F3E7664 18A5F0309F596873 C77ECE7CC06EF32B C34A1CFB74BA0402 2DDDB03EEAF697E9 984025D1DEEE3777 BC9CE29449607E56 3EB3C136270FA43E 77CF1FD6D0250FA9 1218DC3FC431DF84 80440B18F87BD14D B48163FAA0AA0274 7FE903BD73B8BCC7 B5DA0F1BAD33D7A1 AD61E12A8424287A 8D928F8DECC48422 3489739CD28CE662 6F8F3D20F65EDF43 0E4FBE25CC36FDF3 86D64A591A2B56F2 FB067A8C76E6F16C 86AE608117AE50D7 ECA9B943B78028AE 15EA82C4F96C10CF 1155CE4736CCECC7 9375A5F5E413DD08 9A43C62AFA6847CA 4DB15963AD84E22B A34595F4B6EB1BB3 D3B4ABFE4A75606F 4D3048DB98B314A6 498532527FC07B3E 74EF6B45822A38E2 1F5FDE0F0E914F7F 03D92429C2571B0F 8A181FEECE3A13B2 C3BA9099F5634872 590B32B4C29FBE69 73008C93733FF805 8960A8CA9D91EE52 14A1AECDFBC37F90 6C9869BB5CA56F33 E2BD80BC8C275372 888B5D75F4B40AC2 C78F5932D2A126F4 BD19BAC6B28091E7 D69C7FA854B5E16E D3816F21B73DAA27 5E1B3CED8C46D062 66D4726E9527F3F7 AD15B29EDB69DD03 7DE679A2048CC92F 8850EDA6783EFC88 3B5A1232B95F544D 2374AE816C33774C C1B42C88CF0BBD78 072BCEEA74176B5C 961FD152B69FB8AA 6F48ADC105D05B57 3A62BDE49A92A80D ADC9D17109C395D1 35B451C78AB2AE7F 99C71B77186A41D8 9DD7AE09E9A110E8 E65C05651E51718A BFC62C47A8F82EE8 6BA685AB7B8E69B2 2EEFC37B4E559861 FBFAC0B99A1A251F 739605821D70C761 53FC5F81030CE2A6 159F7F4470E421C5 484AB7705A82E5CB 2888B85D357E52AE 33345F701BE0ACB3 6B1A3B80E54EA72B F43B00701EFB96B2 6D7A62AFC04EC150 2065921810160149 BAD56BF03552458A 3878ABF6CF7213C5 4D70861C2A6789D7 0B70D22BD8E0A4A0 32CFE331C0E423F3 978C164925CCC0F2 906BF8B4B633199E 072CD45846DC174E C1D1C39065A43046 243D5043059003DF C81807F02E6671F5 5F49D5F12A4731E7 CF1BD929AC890B98 5B271A282978E8DD 1EFFA077C4E76A9B FA6F19713C8B6D3F 6579BCED6D22DE68 8FCBD798016C6579 BB127D988796618C 09474B8BF29B6432 C01C948FF2A3EF9C 97270D257373E346 FB0B0DA0BE2D5CFA 09AE905DBE76909D F04A0CE5B26084C8 B33BC6E3916A3A9A A50A018239557CCC 0146F0766BA3D85D 0B9F8FAE0E8850FC 8D46F63BFA5E40F9 25FC0196D39B3D80 F81A6E025D120FA9 77C041D2635F97A6 A1D51D76D575E76F 494D887B4C4F1E4C 71F30EA52FF1D2AB BDCBB0E2CE8A47AE 774EE6F2E8AE7307 C09DF32FBDCC7528 A30F5CAA0E0EF487 C70625497CA80D3D 7D4647C277C15CCD 9D1CB3247899B1E2 142D8ADBC7C5F4BF 105DB3457B112374 C16CC96FAF89562D EB237002CE05E47A 4BA15AA01CCFA947 B5F74BCDEE48F10D 1E82295C14FD836F CEA6AB700CAAB75C 2AA28D6D1F42F6EB C9DD6C33F924D496 947CAC85610F1DD9 0E7AE212BA732422 2B45F1C2DE858ACB 078A6C31D692E9B0 B966E331CCE2A11C 656CF2A90DFD7635 0F43C5E2D48DFC78 AD7967022B824500 23F01031A83365F0 28C550DBFD37456F 8D98B31C920DA0C9 978C6532D3C9E2B5 48F0E1536D03CDC2 5F58F07456930412 AB3ACC0D378DF105 437D3576F6C44918 3AA66F024AF1AA59 A6EBAA8412E347CC 035BF61CE11C5CB7 F32B44175D73AE09 DC02589D60086EA2 57AE2A9345E43088 9592EAA5CE251B93 44CF0BB8930108D0 7FEF68436CDD5FEE 01C541FDAFA087FE E4D81965442DF945 46C47BBFF66F6799 ABDA34CCE21460AF F82FD3C76A6157BF 8F0128FB9AB3AAB4 BC4A58CC8C571DD4 8CAC5F076016FF0C D3B419EFE1B58F9F 9107171444F4450A E195E2E221346312 1EB57DFA00E9C7A6 156CEFE0BE8C499F 2D7901F06A3B8909 A75FF028BD1578C3 94D77B2B54BD1893 F78150CEFDED6AD2 BDA0F799F8F8E99A E0D1B7197CBF2865 3AEDCE285E063F25 13F9E853D66ADB5F 796CE7E57BB3B063 00DA3194E22B8CE0 D52638D84CE3 nettle-4.0/testsuite/slh-dsa-shake-128f-tc64.sig0000644000000000000000000010673015141166425016227 0ustar000F38CC7ADE876B45 7F320394A92FF67C DDF11D943F3F82BB 68637E340AD3B4AB 527CA5BEA54635B4 48D276149AE6ED58 E800F544238A355E A53C9206D10C0DBF 11A7DFFD2F573291 B71D9C8820888CF8 B5384F2EC55496BD F2629798A3205816 55B050F4A4639EBC E2EAC4ACB68C562B 55C38A219C0C1BE7 DD1A258A93580C22 B29CDD083117ECC1 D941F76A83292412 9F8257225D4FC7A3 F0764B6C0A373E37 25BECC287038FAF6 29C3301E249E87CB A6BE61E6B61B55F2 08736402275B22BC 05344D994D54F5A6 23D16ABDC24F357A FA284436B8B3B541 1AFFF41C08D63793 23748E062713ECD8 E58B48371CC93F8E 6F8DBA23723014E0 52967A9FF627143C F67F90ADD6A74096 BDE443EFDE017869 EFEA20650C587A38 14B2005657C3A583 9FFE956E38A8DD8F 1D75A8110D855C17 D4A8860B70D4F180 6677118E6F8DF193 B61F90F1DD854331 D6BD84E96037F75D 311E2F46EAEB93BD CB0A857A92D7154A 4E297D100F994399 5A0197F2ED97B0F6 EC4BAB2F6D0273E9 290CF61FA966FE9D 59044896565E8E6F 4F8AD5450A853D5E C69FB6317B50A7E4 AF91991FAE7BDBCA C5E0AED8A2F1FEA3 C692618EF0FD541B A22A9E47D561AF4A 80FA584E9EC86E29 ED619448AD7CB66C 76547AF8013755D8 334B7B61C720729D 4404FE51A299BC7B 28F46EC7B3161279 46671160836272FF 44865BD8FD03F594 4BAAB493C30095D7 DF7B008CA5CA0172 6EFFACBE63D5A887 1A158E3E95ECF469 2076C5F7CC96DCB0 3BD1DB90B4B50CA4 60ABCF9647B238B6 F81B4B2BB5521A56 1CAC9E6EF256CD09 1A3096C383679440 4AE110AD65D4B6B3 E9872A01DF798F25 CE3B58BE1D84A4F1 3F7240AB5299523F D06F835B82F024A4 68B8B7CC58DA0017 69F4C92581C2D24E CAEE03B7F4532F1B A552D4911AC71595 78F8D8E3466F35E2 80E7DEDF075A9CDC 0685262F57DD96BA 3414FFD69A94712F 2A35CCE8D8C3553D 9CDA268047BF0C3C B9746E859185DE87 125D518AFC98EFC4 C70466683A3E4F2B 9AD2F9BD426A8CB8 06FC43F84F353F56 CA50919CD84E1163 057B6C2222116780 EF4961EE97753CF0 D8969BA19D0DAC7D CB6E4A4DA1E95640 2C8BF5494ACF77CF 56AF6795F3FD916F 103D2E474CD2F9A0 F45F39A943564EB3 522C8D16B8BC275F DC964E3CBCAA78E9 90751B862332935B F2384AC1ECAD7246 97F1437A16322BE9 80F8F6D9399D93C6 F689F8D441037910 1163E7255C93C4F1 FD63A0A7FF4FF6F1 6ED409F20502A435 D2F6F23C5D4314A8 C822800671EB1BE2 61C2EECAF648890E 45162EB2AFD0FAA4 70A1C6876275860B 09FB3F756E9BA651 D09997D1D532F780 97A4798BDD4E73A7 9EBD4A08E1F174C3 DB7D84FB5D22ED8E 64760EFDCB621C8E 290633116DB1B89B 0EB0862B56235D0D CA56F38007633650 10815249D12D7D3F 4F98487374565636 E4A66AB60622F2AE 28879E2D36222FC6 82DEB51A81796E6B 0C347D3282E840B1 A1E24590321F33D7 26C63013EA9912F2 E1D61E76901827EE 375D2128460278A0 DCE34A5C295074D3 B6658F4A754B1DDA 07E9DF63FE037ED2 B32C1EA8DB8F94DA 5437D66EE738AA74 F6F1365E2C571943 CF1719CD4FC3E2B2 9F8963C79E2DB105 F933AC3FD132C23B 2D7F20F0BF0F73AB 3E6C40A90984BE32 48806042D414F536 A32FEF91E8021FD5 4657E70C64F41286 EBC8C52DECAEE002 7DDDCF7BF9BF4E65 FA425231EA9EE534 8732CB34D981398C 1523B184BB56C41B 3E959FA9443742F4 2E17BCAC777EF383 D17A185032E88F91 8A19CDFEF32C5418 B5D541F36C13262C 0DF6A7A704D4CA10 D4EE49B811EF9440 D3AA99F6DCFFEE49 4539716044ADE2ED 7718AB8352A840B9 974DB20DB7B024A5 776CE032C6CA088F 6537EEC291DF4F8A 039F8BCAFB3D2DCD F7CDE3A8A76F0127 5A1998A99DEDF69B 5A49E5F0A048677D CCF6C22D63D1A540 441D9FF47568B45D 064B3A892673BBC5 7A20ADEE921F7657 A4AAAEDBA3232242 6AB5E38BCCED5CBE D3F95138727854F1 5092F107C3CBB07E 6C44D4476F6595F7 D4D82E0D98CC86C7 7AEDB47FD3E1A171 5641F48F5F666D7B 0E2F764E97A489BF 010130D1E9ADC5BB 195761092011E1CB 931DA22A02FB36FA 7E7F94544A1F1EF5 275C95B675ED4022 6EC75F6E76CF4958 609956ECFA34F60F DB06E093234CDB23 24D553BB46BDBB8F F81DD5C576CB66DF 74DD7B57AD23467A D439EB98EBBDF589 5B54A7F21A9CC3CB C9AC384E9B6E80B7 9E794FB9A46BE308 13A027B840F73BCB F5DACB9D7C0C9F47 25CF8547496740B5 C659AE12F2FEFD88 846F925260D795FF 8BFF64B47AB8B40A 20AD1E52852DE61F 8AEB2D2572B464D9 83EF2EDFE05D17A5 E72145E56D881BDB 5DE580DA47FDF6F0 765D43FD33D46FD6 EB1866ED7EEEFD3C 4F7D4F6E0C7AC77F F2278BABD2A6A04A 90F48CEE61DB7BA9 78EAAE6BBC04290F F32A39535A92262A BC5599024F2A38A5 4B3FCD444B73B356 C2C14FA46D75788D CB0D01272DB6EA5E C3EE0CCB5F1C5621 D6FCEFD1B3E9B986 95E2DC5A5FEE6598 C504903F4F0E541A A602DD6B59207E90 C6EAB28348AD2731 5E0855D51D6AC6D3 C78DD9D2597C643F 3C05D0AB9F237A13 0E45B8E53D4138E0 719A1DF565CB3485 08B39CC70978A48A F9AF8245729DD3DF 14E4AB3F952EC8A8 13851E13BDF70922 E5184222A3A04266 FDAE1E6E8ACDF6C5 EDF13F3EA5440953 A6EBFF8E9B43FAFC 0D5CAA46322CE172 C776090612355CF8 A9C70EED0BE44608 284C4CF48729EA50 3C97B8707612B782 95D627EC4A332B14 38DB5FCAF2292CE4 0EE0F93CAD597F06 206354B9178AD47F FCD0E5ED829A48ED A32F3F3EFBC756AC 52844A64972B0635 A824673215BB1A22 8F1BFCD1D97325F9 A4307519296FBD36 45EBFB231AEF8232 D8F71059350C8C9A 6ECCA270B76A0D01 EF1489FF0A9E2D85 CCC48335551AD008 41E086935B9829C9 CF9830CE7E4445FB B4A20BDDACDD5026 5971A4851DD2BE7E 9DBC779A529ADE38 C07BE7BC8925A15B EF234A368A17377C 120604045302EBD7 E5C6C9177D2D1F84 85D28705CE74D43C 95326ABA51572B40 6A45D4796A746162 BA1528409433E5C4 567FCA58EB1B94E2 F6DF50BA601AFBFF 92E7A66710AA964E C1057F616B9EC5DB 4A320D050CE8570E 3376217A459C3075 BCA9D4463923A214 AB40B9C6DED96AA8 CA6C2DC4D2754326 D30A0C3BFD24D6E8 A4870C7636FDE263 727DC5544A8E1503 17E17FD153697CB6 0E70549FE990745C E163137AA746AABF 3E76E991EDC1393D AB591AA4E7343A3D 2124BA40D5BC1280 FCEEDA9B1DC4A394 064E332BE317F2A9 9C4E65EB0EF62D31 F764C4881EE7CA78 84863FD482B06246 19B113AE68EFC6DC 410098DE2CE30F89 C330A3E6A24DD89B 0C240E2BF704100A C0CF4A7D98E81E77 E9F987D69FC013D2 87CCE854EB5655BA F3AC439758FB2757 332AF52252AE90CD 0FEE40A78EEBC12E 149E129C5A3A1B0D C3F90AB93E171974 6ADCA04CECFCE18D 03ACD62E4403EDB2 CA3FDBBD30616E1D A0BB1EFC1CA91C79 09CA79E4008D45F6 4E25A345C7908581 D65B2900FFE91479 EA3F50C6C5DB110C ACE1FA3382D39788 0216FF4C30C96E22 EC7F08F16DAFE374 726D2EF2DB70F1A0 E7D3FA436D3CBE0F 2A85094113FDEEB8 F7B430B8C36304D0 1AD89353B616BC14 1C413B924D1567F7 663364506D943FDC B3F022297ED6CE92 553EAD49985F9F6A AFD2C28D60F3A99E D513BCDCBAEFD19D C711450B4D43988E 3CCA06F5D70B9760 FC78AC37A598D383 A3F483E4B6CB2B6E BA4D5F03CD6EF066 DCEBCB6C276444C4 6295A453D093CCBD 5C0B856B513089FB 9566E125D356231B F34CC67B0ADD2A54 13298CA2839DB005 64EF98BDC1D63F64 0ED8EF268AF304F5 0667CE7C82720EC8 B25EDE12A323CFDC 296ACB4F67201C75 2DBE248269405254 B44A20266C8970D6 230ECC0A87377B3B E7312D8A9E89B745 3C01E0ECA98AC2EF 6F10CDD23F8037C1 EF8CEE1A1D2727C5 AA3A3FAEDF691CC5 D3CEFBCC24D45EBE 8EF93909C1D675DF DBB974976EBF7565 B6B041D6EF3C2761 BF969D9F3C7911F0 24292414A5C3042E 251A22FD8BA33E0D 6BD34E4E07E6A7F1 2240632C0EFD6627 D26349613208DD70 D9305C439692FBD1 DE0805463025573C 11214CB23D0A8D6D D19D7A0E3A0E7394 AD617679F17414F8 B87EFA419397F116 6D86B73BDBB34946 444EC1F9CE55489C B958FD10AD3DC535 82EDED6C003709A4 41FBEFEDE39A04C0 93C0C7FF4869F2C4 D12CD5F46C70D499 5786C9B735341810 ACEE4902E13322C2 E14BF8FD418B8B75 1ACF9D5034B3E560 1CF9290D63956CFD 017C8D672BC98ECE 25C0ECE8907C032E 6F35AE96F00D4204 22D68FAF4F91D4AB 828C55EE618EA64E 95BF08948E6ADDC0 2D8592D3BA481712 294C110E4AB9D0CA FCF753612831A538 B0DE1A02DF51306C BE1969C076E52E87 CB4BC5B9D79A8B29 CF00E5A0088163C9 CB539D1C9741561B 620CC859CF74B18C 65DF29D7D0A06726 2C5FCAFF43BDD220 1FFD7E56383360FF 239394135978E26F C8728882FAD6A9EC 56A9673FC3C0F9DB F7DD1E5A39880A82 B28742733BA77B68 40F0D9ED641D3F01 0A17ADED75467E4D CDE0A492E091FEE0 191CA1CBFD56F183 6A67389FDCA16062 543528E78F07AB40 EFEB333B606A86FB CEF53FA1F58E036F 4B86134B58A81EF3 B20408D3DFED9D52 71CE26F9261A6BE4 20D97889F567C6BA F4BAE0ED0557B8B6 D0ED96499CC05E52 0B437102F5CB98BD 8EDCF4856B248165 1796E45F2BCBC159 468CE9803BAA76BE 16CE3436B4AB01C1 A15214E46BF200CE FF583AAB584AF0F2 C7230E868C8051D1 6187D30B97EC71C3 D2D47DA9227682EB 01459548051B14CD 8897C4B366B320D7 63EBF2AE7326F4F9 0EB94E19DEBBA2C7 B26FE3E572C961DD AC24B16CD7FBAC6A B4D7903BB5A4E040 B691BC2A76F1D44A F5A2E40D43C8630B 7ACABA3EF73BF71C 83E3996092804A95 231FD0B3FDE8D60A CBFAA07D89D44709 C4093B12E0FDD250 4D994687398DE6CB 05E46F15F26E6717 CCE265E27E9AD891 CE9CAF13B8DD1FD6 33FA9CC00CC75259 C4B41B2E639BD489 32F40BA13E1B4F5A 452482EAAE212F09 BEA6B8334F11E1C9 2FE27E6A1D2206A9 4074F4AA751C3517 B3A16696A6C19678 4314270CA8EDE719 3912AD43224A81CB 9F1FC452D5122C7B C11A4F38DC2BBB7C 39F548D867149E8A 5876F760BF713905 10EAABCFE0A87CF9 F8996BAD2939C7FD F86E6CE3170F932F 84925312603B1E2D D283D831473FA068 7D5F407F780BBC4D BB8A3CFCF0FAD516 7AE338C79DCE4A7B CE16DFD274427333 3298D7E5815A51D4 308F00878722D57A E56E5A683C806198 92A6584A4A8212F5 5F376DCC5EC57645 4AD109684D7E9FB1 73B68D809387C7ED C54E35E2DB1E3654 BB55CA525430F1AB 4733075D9A953066 4BEA4FE550C8A438 C38BB0C71CB30C10 2192B2869B6CDC3F DEE14E670015F686 5EDBDBC1A9284CA9 A9FE6E4A6271B010 09F3D6B417D3D14F 6B622ABC3DF5EAC4 16F2AE2E015478C7 2BE5B2444DCFE52A 33646385756BE1C5 2B02C2F9E0C41D2E 060FA524FDB94EC0 385D6886EB54F3D2 B92DB084EC3BA614 C0F1151E8428A7AB B6B850056611D1F3 FFF3DFB5DE2DE608 4A8EC1EDE17E8914 446DDA3AC44F0BD9 80412A8ADF90B17A BFF212D7DF3C1DD0 4E7C613C9028D77D 82C7C65C0DC21C4B 2178C35A69E0DB21 9DD7169C20B9C2A2 2E166AA73AEB7355 9397742B806A4626 1273DF9797E867FD C4DB4F02B8E589CE E2055F407E7B1D78 4CC2B15ABC9B9405 4D1A0F763E3E5146 08E5B94D6EC7D1EC 46BBD778E52B0F8F 4F8A94C92AD17B6A 2DAC56E3990E0A15 433FFD23CBC43FBA C71C824A067F0CCC B72769ED43B86953 984712C4E0BF8DA7 B5E2DEC500AEBAA2 DBEDA0CD74DEF3DE EB99BF1ADC37B058 4C8A724EBEC83CAB 0922F540F9352906 A1054D89A2A8061A 103B7651FD06FE41 9A502E3C6A6A0368 9434E7113076940A DF9EDB1FD1E9AA51 8FA707FA0B155ED6 DB50D587E32DD4B1 E17ABE7DBE3CCB17 B2ED0A25DEBE8A6F 39552C810DF1D33C 75C7DFA208BD6832 ED3C4363077E99AF B300CEC7042E3A91 E39454234341C36B EE01FE7204E75DF4 C885F0F30CD373C6 795FB69FA5270D91 1836A5B02AB74879 B06A3706A559B8B1 85D3F0D57C771912 85379E94E5D4006F FCDA367F9ECE0BC2 D9AF84C84E22ABED 8F95023648FDA58F 78A3FF3C2556F6AE 1ACD907DA444DEB2 27E4D58F1C5D6777 84E80D4DD3ED5AFD 8F2D239079FCB1D1 8544AF85E28E448E 765794DEF6933144 1A4BDB63E407CE48 87C9A0D00B9A0A5D 546E771606644C02 E2AE6EFF04CDF653 8EEF15FA9B4910F4 3E9B3165330EB5E4 DEF3397A5641DCC3 526DAEEFC9330618 E4C4DCC90A3F92AD 477645E51304A6A5 494DA2B0AAE3316A 5AA9EFED02489412 70215BABCC9A7D59 C56AF674FD20E58A 8AB3B67E4318971B 5B4FDFF2299FAB10 3EE2632D5E9A9A1D 5D87BFFA6596E85F 7B08F0097351B8EA EC812323CE7A4EE5 48184F651A47D7B5 AE0F802DB172DDC9 A0BC1F8C4709280A 8775C7F942D1A72B C810D571B628BFBF 67A52E21D8399117 182B8A2D2FD959AB 94965EA7DA607D4C CEB200350922156E 4D524D2162F95492 EB698AC06A8EB93D 082675BC04C4EAB9 E2205A9E5FD29B34 D8F2B049C253B479 72983681600899AE 8AC14689D92151F0 205165194F956048 65961EF7209484E5 ABFF0E4F7ED2A627 555905A75F8400BE BD2A4A387B56D365 0629CFA917EB9FD6 28F66C0F7BC1A2FB 733999BE8B7384E0 EEBC1C611F056D7F BF28BD0A2AED5D87 DC901411310B3E68 C7F4E746C99D63E1 214E3F7621E1522D 3A5B81A08BE889B5 18BBC6E4619FDCAD 88C70FCFBEC2B5A5 F7BC2C1F894AFD46 39B7C0762C7D8892 00CBEA2A4F668BEF 6258A3BD20DA069F EB6F876AC98260DB 9BE52FB5A7EF6971 A42768AD18339C8D 4E5EA9D06D443A1F C291BB208805EE1D 237274E3A518E1D1 EE5425CDB1E4B06D 6F1B6A7D37FC9705 97BAA3C913934862 662DFA14339CF0B3 599A79C9BABBCE76 007CE4B931E013BA 1F07C9BF8E76E67E 6FC78248E2130071 EEAA92855870E4FF ED50D2258D1F0E6C 72854E43D9E4AB39 A65DA5EAD6A920B8 878AB5E9A5777153 1491C0B9E0886364 A090188AC39B3203 CDA07CD0F3267AAA 926EC147DB272146 DF69853E336CA652 13268B1668D0E05B 13E14C1CDB7A7F37 EC626001B617EF93 F0D4F84E8C33B31F 0DEC7B76C9DEE410 917EAB47D5747167 CC5FF97C73E1E516 9522E47CAF372ACA CA6D40FB8B94F61C 6D3EA8F4FD05581E DFC035C665816307 52C92A034286BA2F F61CC0E29D3D7D74 7710BBAE0B45C82D 5F2C4DDB29955A7A B16E5B14F5FC1328 E5B9612E1D21BAA8 671D74FA3EB629A3 2A26CBEEF56911D7 72CFF13583D98B62 53CECC52DDDA9F61 AD19D1241B26D42B 0A1DA3956E47F45E E1FB62A8239ABEBF 8BD8BE95E315BA21 2BF15DB0ADF22740 1005451E146CCD82 9E3047DD5388B9C3 9D772023DF0F5754 7902A264441C1B6A 566E268724545483 D92201D5E3C5E3F4 5DAB300C536FBAEC 7AA243573DD6CDF1 1230AC2C49CF5C18 48DA61410255FF88 E706C6246C91F15E 7F408DDBD064B01B FE3E9E2C60C4E22E 02D3B54D33A77FB0 2E3D5459212E6A8A BCBD931C37F9A84C B2C2AA58904333F6 9A8511B04E1695C5 9959E83233305316 A6F0DBAE6913CF38 6FC900B879F1D085 961FF13AC981BA12 43304012AAE8862E D9BCF79052881146 005DBAF4A2583CAE C10D9C5243481AF2 C71A096731F0276E E092C9CD9000B787 C5963E7BD96E96C2 38F9A7EAA68A4119 72170D43A7E3C9C2 82FF27553C9A1D46 566CE8882099B1ED 9E09903F291DA882 19D6EE166DCDC806 FFD572C05C26945B DC9F733B12908870 6255801CA29C7C92 BF27126A0507E420 95B5CF3D445DE321 E466BCEDE5985B27 111BB9A8F45FC084 5FC0D432FC03B0F4 B94FB48EEE855B0F F01E60A379930BAC 4CAD273AC3AE9602 25AC1114A01724DA FCA0E843E813B5B1 E7C4BC7C55456194 A41582EA4B274B65 1500A9CA54542C53 5CEB08197B6727D7 213CB1158744613F 3208AD498B11EC8C 8D0D0721A37F6B6E 0787D396B2B9EDC1 9714C542C2A7ED28 30450A9B142C2E1A 956397859E6E75C5 4613790334B52DA0 D1238E68EC3B204B 91D8F4801FD8C6C7 7728403485D1AECF 289ACB7EE6DA064F 1FE6DE85351F5987 077E1D1AECFBF35B A6515A77C81F5907 3FFF7A502F3A38C7 7E05C3F4ACBD856D CFC560C7288A03E2 5EE7EAD52CD59E46 EB8ED761E92D59CF A19908172DC55BB3 95C2C60DD928243A BB54D94E03424C6B DE7456140D9EEB2E 58F890AC0995CA91 18CA4AD7F3FDB056 7B676CE5D629238B 10C47E50723B3A5C 486BBAEDCB7934FE F5FC231FEE0C5538 9585223976F91FC0 03C2A4CE4B51D92F B57A44A254F6284A B24FA2BAD23340B8 3B1EDA3A57436DDB 6513474B8F7F61BE AA0D55708EB7473F 74452E68EBD3DE7D 9E17E3B8B289655F D6A195FD9D3D5D62 406FBDDE5812DE5E 1C3CAC18858E1169 C53EC741D6DA3F43 E7D77AC9C42D783D BD0B14FBC3EB83CA E937ED685FBC350B 03FE2496B51B9DD7 5A70F67F6217D38D 304840A85ACBAC0D 78C1AE0D54823F9F 62AD711A5C0970F4 FAAB32702679B040 3B010A2ED0AF1D10 88EF5B1E0E3B9D48 B02DB7A0C3CC900D 90BB58CFC917651F E08787B2907192E7 A2384887CF94A309 77AEB8A624D3E2E7 DA911DC69391076D 7E508608C34E4FA4 4AB674A7D155A3C5 AEC3B1116C036591 7628E1A419FFE625 92C6B9734D7E4163 1CF671446346204D 710C23FB5CD9199A 8113A8F57C7312AB ACA5BAC4EF5C8AE4 9055D1DDC56DBB49 20EA7CCD6205956B 5B31B045078DFD04 108139CF522E2F3B 0E4F6D2C644E1FA8 0A4152F4F9740177 F8B0DC20CA49F531 DB6FDBA37CDBA0EE E6B0D8EE9B78E18A 4DE91823C672DB3A 6E3A3420CD073CB6 5D3028DA03B930BB 48FAD1C4CCB1B08A 854F1EC4AD8FB5EC E619B313F377B2F0 D5B13BBE6EFFF453 AFDCE2399A29DC70 710F2B9E70564090 058FD79378002F4A 7A6402F689EA566D 6974877C8274D535 D9767F23D884186F DED30A619F05BE44 48F678BA92BE38CB 80B30950262D1295 28FA11BA650A1DC1 A9DAC8AA0EF9C14A 49384BE64D054F5E C60D4987E5900786 26D8E8C7D5AD2F19 85A245F56971574D A87BDD1444CEDD9A 43B920DB8C32F1D8 D45A5987BED5537D 81BE28EFA067DEDC 37D2803D2E7B935D 99E1A512502DAD9D B516AD735D91209B 3A977410DBD0D1C5 09D5627D57A9BBB6 0DA1BAE98460EAF1 45620802ECBA0466 DD375DD02A495D6E 427647D9E32DB59B F84E2290E9E2E3D9 F11518320999FB54 C91FD2D0A27BCB7D A4F8BD379A6D13C0 919C58E87729121F 2F62B01725569ED0 2A40C4DA407EC987 648845A7B6B4106C B703DEC1E2B4E8E3 E4642EC866ADAB26 A54C4FE1FEB2903A F0D25475ECB5918C 0D073096CA6680EA EF170A1522AE4CCB 6A110A75DE4EFEF0 FC21250049E7F048 2788A7099E1B0EDD 3DD6F791BCED0B94 B077FCAF89F67E4A FD36AA3688198580 4A2D5C5058C73949 6031335A073637A6 711DE822D9800C46 7E7C4EDE233083D7 829E6B15002E3BA8 D71297651B305BDF 9555A01BB03B2882 E28B5AC723CA6F36 ECFE37F7AE7DC698 88942A80566FE993 CCE805FA30DF05AE 330DCDEBE40080E5 D0464A937BCAF441 7089FD18BC725D99 75EC6A0BB051D882 33AFC32842BCDB19 6957AFEBDE379642 9628DFD988858894 EDE2C27E760B84F3 E69FC85AE1C510C9 FD509EC78D5379DF 42FB8CF0649B8A91 8C2A72AA41E21B3E 0A32C41600D1B9B8 25625AA3B04ADD77 F6A7C50AA0BD4D79 7927FB53C68730E9 DF45B22608B6A84A 917F72B8C42BFAFC 7E4D5A0924016D9F 3C122D30BD775530 2277148A52CBA3A9 41083DAC7F61ED93 B59FFCA444EAC2DC D0968F7218A368A5 2EBDCA0B2DF1C0DD 800F90BF0F45EFC6 A5BBD1B8D1AC9EB9 77CE04F1D67C2D5E 572704335D76B7EA 79813D04FC5A1631 7070AD03ECBA641D 2186DE6C73CF42A2 3D00BA452B9CB2E5 7B47570BDD26D0CD 73A887611B23B461 8D45C40742355D0B FC9565769562F90E 9CC807461745A76C B1D6ED67089B51B5 90865DD1711E7F7F 239BB58E126BF69E 04FADBC5CF0EF7AB 60BAAD72752E0867 FF60005C4B804CFC C296B49EE695FA07 1E177F728C177DA6 C97BFC78355219E0 6092282B287307DB E830665AA28C9841 21514044FC3AB9DD F445DC5C20EFD597 4AE9599A798DD941 3FC9C4E604A794A3 9EE7138F0CFC841E BE236434AFB307C4 470F77405A9E90C8 A44444ECF6C20654 C28CB48CBF03FE94 DE19946F5DD853BF 6BD5A844F70A2F70 073698001B05C878 06E3C926D76C706C CC6070ECDCDF6A55 E65A6AE7540C0B94 E191994A13CCF716 40A98905C28E6EDA B2BDFCDDF4820BD1 D8D32DB587449FC2 F4C10AD3B02B64C4 BB817769AA96742F EE3EC141EF6A28F5 675119D4A50B1E0A 7D949F7B382555EE 229B57E41A208355 B08A5095FDAC54F1 0FA3E14AC598A3D0 10E8C0317230EF39 D14064482055CAEA 18C924CF6A678A48 71965E21DAD99B34 98A05A46890C2FFF ECD96120BB7B1788 E5417FE71DCDD81D 7E9440769772E5B1 1461E53FE7F33F21 D941B69C5F4046B5 53EB66C96722CBA1 D98A7F91CDFAE7BB F95D12EA241BC91C 73E674B4C09EF0F0 DD9EE9A72A276EFF 4C5829F52BCED28E 86B3932037C33216 77545D9DB71ED098 DD0A9A9BB76E153F D129322075B9DD3B 0CA8DC307B768F3E 82A3E8ED447F0DA9 1162DDE9F8E63E4E 9986D0C3E7C04F0B 677963C05A391586 1617AF42A4CB81B1 762A246DABE70B9E 876507DF6DD1AEC0 096C339A06BB7320 F32EF5A89B4177CC 7F2A91D1D71E58EE D9CC770681C7A7A7 538DB77134BAFF39 31C6344F19B6F97C 8B7F36939441854F 81C878555432D584 326BE02402C7BF62 7E7B81AC07F3DFFD 1FD6D8BEB8D589F2 EFB717CB15497FF2 13E5C5C487AA029E 808412170740C00D 2D27383797F8B62B 3024AC8BFF4BE975 61A468F6EADBC2B9 7790C468D7606035 38B431FB3F1C845C 43B4EC51C308D5C7 55AAA3FE1328C15C E15835F8E100D35B 1262EEA0C138542C 9CFA28125379DF48 9B573C98A9527512 1105052E96114673 44442254FA3E8EB5 E18E5CD30A573F6F D0C8FEA7B4A2728A 9E85E451B4F0183B DDE2D9B74B3DE935 35003456857796D3 1DAAF8663723F26B D125E41E1060DAAA 6CC0F8F445554AE6 9FF2D1542F31CA44 B5E68240F41D555D D2C0C205769454C7 052BB3CBC4041A4D CC928A1D3CEB1BD3 586C31D44C489BDB 3DBCFE39B5A2B731 22EABD3CF5E65804 49573B10714A6BDA C0DE6E79BD43993B 895527E9165F7302 66CE1089EE92505E 99448737A7F0DFA2 BD6139299307F7DC 00DE7AF6E1B9D445 50D9D867464A63F6 FF9CA2825BB940A9 5B1C9364DBF50181 310295571EE26E3C 66934FA871137189 2EF695B0944B86D2 CB317EDF6AF8D455 B12B7F48EB4C770D FBA58D1FB606922E 4B70060ACDF352D5 B3D011531E641267 B76B8E1D71372494 1920D850D444D7CE 3432CD777ED994A2 F22DA07672D7B33D 98BF095A200812C1 8C77B4A33B18ADF7 0523E9660443AA53 9F0E29F5A8725496 102A7DB2F99CA0A7 D3647025D12F9EDB 0FDC5CEFD02053A8 11DCA60AB46C4915 FF5A664E10351469 3A73ACA609FC019F 810B606911CFC010 BDB539281885A39C 97D5FCCB2C8E1F11 9C426AB6DC6ACDD9 E9D6D8C11676181B 65243751415C1F65 5714271A3E2FD7F3 AEB7CCB1E6C5CE4B B1F84AFEF486EB3F B40FA7BD1A621E02 E999B848ECA26D25 E9E5860568E78DC7 9B51D86C00F648CC 4CBEBDA205650B2A FA52B2C53C1DE15E 83C5E16E55EFBC86 7F8EE0C300E35FAB A13760830AB6C7D1 092BADF3FA097A1D 606D1776AB594ACA 8D8BD12D33C7FEF2 F008131FD2882412 90234ECE160B7E0E 91D32CD24BDD7B82 4B1A35D0C3E38E60 EA9E19D5AFA614CD 47530C79A0DF79FC 672ED76F21F37EF7 6DBCD246C92BD65B 386959F7D8FE3A05 79FCB4937642A433 B4F201B3A11602E2 8DACF28026FC8BCA 38FDAAE4CA527C6D 3374D52363938179 9B810A214FB2581B 5E44357C7DD4F8F8 95A3CED6210AC099 7272B2D6EB4A2005 BC433478A9612055 3A7889372FCFB9FE 3FD676ED217A2D6E D3C058E349A5462F 3FD23DE696E2477B 87435BDF61A27BD1 6A5E962862D02771 A8C6ABBF9F7CDD96 0B675349F58313F9 45AF84EEDAA7C114 B133E9F489BEB781 67F860A6154012AA 40DBC70D66AD0B6F 5B317C4C8B3F4A53 F7F099059FCAC290 7476E34571AAA3D0 BB83A935B47A8674 9FB735F8B35F3724 DA8C672F168D18D2 1D78C50E38A9F218 414A438CC7067EFE 1EA228AB6A3EF653 A9031A1708942B2E A98217BD1F7F760A F70E2E62FCB45B3E 1A196F717D53F548 10100518ABCDA865 E56285D298845A6F 0E8DD4CD5BCEA73A 9FC33AA15B6DD43D E4F97F01D657EF63 1C5C4CB1CD00EC01 DBBC3792A8C1CF13 0F4062DECAB080DA 0ECD6697531B3A7A 83FBA91F581D3229 98370A819724B22D 2DB2C75592E58BE6 3523E7B966C460ED 3058246AE78849E6 6B8D4431D8E33472 DD06EC4DFA6796EB 1521455D4C93491C 3B70D37D3B1109F2 513FE738AAD61370 9D1697E77CFC606A 56A0A83482E5390D 685486EFFD2E3D04 958689281B7DD84A C6358BA7539FA31E 77E736B0C96787D6 5F2D65BDE5777FC8 210B4BCBFFB66C8B F6E0BA4F5A3093D0 B8AC0EF120B90914 0296DAA3F5706E19 D5789A49AD79547B 8814F69A2D0AA1C7 1BCABD9033C047F6 BA56F57BAB2507F2 7F9D3C2E60F43559 32CE3FFC220AFA76 10ED015502FDE996 1945FB9B0CD92E90 A3BC603278776D7A FB03439F5DA8F38B CC944ED5629FCA9C 5249E1EB651B8DA4 89852C6AF857D4CA F1541AE93EB3B774 E3F46F3BB64B181E C2F395F36AB7D0EF F9987652C7C35C20 433AF37E8BE1E630 C32EC4226938B762 C09735BA402A5D15 E0EACCB3E958DF4F C9311DA2B0061199 5C48C02AD6E09EDE FB40D2DDA174C7C7 5C5BE6FE956D0EB0 E468A8358F5CE601 2EC8E2C88FFB793E B753D2B942D58CF6 2E0119F9ED825F04 EE11323A270921D9 AD06A701BC1351CB 781FDCB59E1AA236 76FC0D924962D0CF 18C5E3DAEB24CEBE E3C94D0B89438EAC C8686AFDF4035192 3D59E3453D0A6C38 800ED3A49FD33889 E7DFC66BB2C17C5E 35F10775520818B6 133CC0D7C3C7EAA9 16E4C23360CC6B18 9A27CA1FDC01DF85 81257B7FAAB8B796 C55048A47FB8629A CF2D22D65E000A0E DB1C61A57B1C782F 2DC521B673067FF6 C1B1944128CBEE1A 2A32143694FED66D 62FED4F10ECFC31D 5E6D1F6647897A94 CBF70D604FF31EC3 A6C00990DA95CD0A 82BBA1652F49D18A A17DCBB53E1CE969 7F43DB29FE6883D6 26584C2421B17D2D 4C1327F5AF191951 2D6CD7B6BC009AD1 EDA1113B5AF9B1EF B9DB30AB7DECC04A A3F36BE49E6AD400 3356CAEDB7EECA92 D00315CA3C72E017 E21D381F4A7ACEE9 5DF85D281C46BC46 72546311B44751F8 A6298CCF170E8C92 E51F7716D1E73936 C6B8D0239D8E79A1 0FE49CD51AD268C5 06B503036804A60C 7BCE14F365E03676 0A86AA1DE846F70D 2835BFDB91F77799 CC04C80D5DE37A73 BD77E977CAF7C913 BDE8C2A296953563 B9D9D246986E5772 C9554206AAC9DF09 8AEA20F76972DAA7 E7EAC56B084CAEE6 72DF58B6878E88F9 4A23203526FA6435 5B255CE22822F1C7 EF41053F0330ED02 450D63FB3BA1F233 F3EEA4C13768C32C D30B0FAF2A1E0E55 E5FB38D0E8EE86D7 0C87992AC3BE024E D490C35A85B4048A FCB55404B04AC2CE 1DFC90D2D367E47B 17AB0C4F3CE09861 4802763F0E07DC73 0D46E7BDCF258F43 9BC5345F5ECD605D 9B126717DF90A34D 63CE1CEF40A82CE9 5D7DF7E37947B06E DF4F5A5565D834A7 20AA0DF46F59BF61 3BB937ECD00A12AA FAC088BDEAA75475 898ACA5054DA40FD 339866CBB7E9577A FCC9302CCA22B3C3 5CA8CD81E17B2119 3DE53D9294C75A4F 2D5DAF6225247F70 70AF2B01D67A2C2D 0BFFF7C94800FAC9 ECFFF2A4F52519C5 E0350908F98A8263 01484734BE58B270 7C66CD338BE8B00B 41BC0224CA66FD31 DEBC0C548F2D11B7 7E872CCCB2C1C4A8 877DEE6D92D3C6A6 A890804C62A583B7 7D537B9BCD09B372 9EDFD5509F0055FE 1C94BBB080331941 82BAE8DAAC51B293 2F87B5C18AFFF66A 6FC73C8E244EA8F6 B30E9277B1DEBE39 3739D7D0A98840E6 095C9046E189EA3C D0B23738CEDC2AEB 6185F9256753B7C8 D289DE6BF1069C70 DF6981FC59B774BE BA1BE7BE4617A321 67E530E6161F365E 4CA7C2BFACD3311F D8AABBA2C8E45F58 1AE7F6FB870249E5 3B697B61375DC865 D5E193D0A56A11FA BDC5E1ABF0565B8A 3E62F0D17F26CF28 94CFC25E7FBEB9E0 CDBCC29A687E8FD6 C022A1F0EFA2D7B4 CC0310BD38D12074 4D362AD6BFC94136 CFA1E615BE0AE582 CB011F6E4F9BC232 F505AEC809D581A8 FF60BB5C7A91C414 77257BA0602F0FCE 384D28BC527CDC8B 535FEFB67B39EEEA 5EF211590288A0FC D2AD9CC30B162CC3 22CF062EAB60D519 B9CC4105D34FE120 CDD6DD285985545F A1B0C803D37E8E97 6BB19B0FBFEEC525 8FBA117CC554BA4D 28CEA7D56742EB06 A4DDA0A165D94A6E 8E5FD864D434D501 4C8CC9FB757CC71D 870A23E762AFED8B 003AD08BCAA2E31E 6CB30D7593D6C273 F80886EF7AC8A3C3 DAFE3970ECF316A0 92DB4DE3B974B0A4 C6EE44AD88D1CE18 A2929CEB51BEF6D2 4E14F750B71E4294 9996FED74C43015E 2107475923210D31 07A506AB9A8022DF A63E093F0550E038 5878840114EAD1DD CA5D8AAAEEDCE118 D42E8E005979D99F 778FF62B119061CB 332742B4946A47B2 40151AEC15D6F3FE C2B87015986DFDA3 268AA8516A95B052 9C7C7EECC3AC80E1 B195487FF16B534A 3350862A71C04FD8 5F0DB8890F469FD3 FB2299B907FAE756 BC8A06008B2A99BC B9F2AF1B5CF99649 81627492F47DB587 FAD7F0EFFD51247E 976A4FF06644237E 11E4D4B4E6CD1F7A 6527A6F889EC2D3A 574B4F6726454513 FA9FECD9E362BDD5 5DC967B5368F7E92 D6411380D9E2017D 5A8A6722AE5B392E 04681564AF93390D 8E7473A3DB5C22CE C2305746EDB9E748 4386EEC834167833 13B64924D4B9D398 F68722B6F752D17F 5D5BAA283D8CAF38 B1271CEFE61837AE 7E76E860E28C014E 046346EA76702DF1 F0E3891930582DF3 BDB995A2AB95864E E0201D9EF3052968 39227B2723A1F1EE 8B48E971AD568A79 9B7E2B0A4365F685 6F44E6A1E6D09332 226CB2DB7470104F 0AE8041EA13360E0 E3D053FD760B1ECB 1C605BF1D4C7CB85 3C4445DA050F1E3A 72F104701CC9ADF3 C6348D35643F2A98 912BE8916680F223 F60CC47DA31448CF 61074B036AC90CF3 BEAD963E8F1F6CB5 75696C83A614C871 412733AF29300BB8 ED40DA54BA1755E4 DAB0419C18174415 7C989EEE88F3AFF5 D1B7303BD301344D E02C64F24D7E6D88 C4CB9FDDC5107ACB 9C9076AF94675174 437DBA2357AA9673 BC26E3BFAA5938BF BC517AC8E44F0015 BD60D4E49F7AB720 AE8D3047C53B033D 514C7E5A5E665E51 5A0DF2CB9881589D F4FEE41634AA99C3 A77A185528C204A5 B840D0CEB8106CB6 4616367F720FC5D8 C9D4E1C945CA78D8 E691167A62F2F573 424D9021D2D34F11 E66C4F1FAF3B346F E96D2190172E1051 548994CD171DB7DC 6BF7E494A4E7BA96 2396F9F54499D0B0 4C6871A7A01E1964 DC9DDBA169FE7CFC 601729A9AA734D32 789CEDF0562B020D BB1DC89D5B02A0D9 320ECFBF5F59D7F7 2461375CB14C232E 0C504E28E01B4BF7 61E0445D2959CE9D 1D4D918B43DC7120 A873079550231C0B A658E87CA6AF1552 3B028E285A7A59AF 51E7124A9B9A0EA7 0A35FFC784CCBAFC 1594FB7A32275C69 5B7319D6AED6C6BB 8C652426E9582A8C 2BAA83C7662282C6 8D5FA5ABF5F311D0 FC76C545775B8991 9355E4398A42F478 3F9C2F198CF28713 7ED3125997378269 85CA820D750DBD96 369EC5D99105EB62 BDF686C05EE89478 66AB5B86BD78D1C8 B9784E382323F6E3 D9765070685EBF2A 3AC16212EACFF1D1 5629E61266288436 85C82CE350D121A3 5C33930628652D1C 2424DBDA800C1C58 C0D8E69F0B8918D4 C34C614F2DCCE947 C3ABA60ACC4D50CA 9978BED41AA50580 5D0CA2DDC26B6FB8 15A34CFF368EBEC9 4B12B3138D0B4192 40E2A0006B05910F E3E9C1743A0F5628 DDE5E95B98861689 77E0794FC1DC71D1 6CE78ADC864F808C F8E995D127EEB303 BA7EB37415CA1F41 22B557AC476A4C4C F013E74DE75D4142 0C52ABA83ED03F75 71EC38621A6C4D9A 70F2CC5A4D0E49BF 423734D79FDAA68F 0F3D6DAAE8926103 3F6544BAADE76891 05921EF8B1DC93A2 9DF38E674F84552A E16E8A06FCB8F972 63F9E856B16EB486 39CC06D6C824DBF0 42902CB3DEAB5C34 9706FB251CE9E565 60F03838BB101392 C126730BAAB5AF33 F5C14EA193009EFB E0822C2329F109B2 E7EE7D67AF014F65 DE3D95EE420B47BF C0A8932CECAE6837 D4950E73CFF0FAE8 7227DA3AF7E84C59 1C5A4F5F019D7F43 B1690148776B2D77 8F4413B49D46D673 156ECABD34409214 F3FC40E98ECFDA49 027D56ABEB6EF50A 5592F8ADED7B6E85 93FB94293B930406 1946E6D747C9DC6C 4E78BC9FB3A7CD90 358D63FA8869DE31 382BBCB2C52DF264 B61CE641E0A58A3A 0848B63F5E1B1EB9 A0FB1ACF4E061B5E 5A846E3B740C2C18 8BDFE7E589EE367D 8C6E5085DD461464 2F76C606E7D89B1D 5B53A5BBD03208FD 215253A99A51659E 391C97B81B609D48 87AEEE3FAB1DB3AF 656A584C0B59772D C20968187FA1883F CF60CA21E9D5B111 00B5B50B9D49CC9B 0DD6DEC01C3B9BD8 07E03751BB0B50AB F566F50957F72169 20831AFAC6214E1B B7B88DAB6A4E9175 7E5971964E44BB00 3F66519B26A48844 CDF9DB144D406E87 B10DC433B7BDD71A 21C1589040AB466A A7FDBD70BA8C3284 7D31F7BAD5D376B2 FE7350D5E5021B56 487AC15FDA42727C CDC78B1363860B1E 17871901B46AE17D 29C92EF97F8ED177 E9E01C3EBAB43240 A5A7331F879A43E1 D8D7912089E9ECC0 CC4E2B4B6312897E CE1BADB19A7F76CC 4CE3B6CE3E3563C8 146EEC3385D1A5FD 751FB6051ADDFF64 AAE7F6E813EB8CA0 B3CBFC3CF6249409 4147FA78F3C890A6 40DC8B8E07B92B6D 3D51C799732836FC A2E001C149EE99FF A884AE72A2CD9333 85EF9FD75A0BE015 F26E66DF42ADFA58 ECB9957E1234B0CF 60C7FA5ECD74DCEE 918F2FA284B7864A D51C849D9CDE8BBD A7FF47B57544A6FD EDFFDFFF6B62427F 69FD262B5D2FFD8D 014134C9AD38F600 749237080856F695 E62AB85CAD013D2C 863D9BE9A17FEFFB B41712A8850DFD39 91730BE847371A9A C8F46E0B9DE3FB3D 3E6165BC2ACBE48C 5C32456F5B492687 AC8A7D00A341684F 040E574A4F0EB5C0 33B8492E2AF4F252 A2DB05CF6C3FC85B 5CC24C865957481E E002AA49525E03FA C8F7DA262CE2AD89 D7DD507AE52D5FFC 22FAA19512E891F2 9514E21434F410B0 89C32B6A4F01BB1A ECD169EF5F6FB2A0 EB3ED83160901237 D9008F6A06561536 F754550F09359DA1 4535C6BEB8E53D2E CDAE99385F3633A4 1CDE33CF662A1C08 23C124D3A9042BFB 050A68572427EB32 DA2B7CF2B1C6022A 67FA2275EA6A0479 244533AB000073C8 028F173514C2EFDE CC8DCDFCABCB4579 C17ECFB83BF79907 E1D3B8FA59CD37BF FA58EDD088426037 25D606E360AD4732 9F4732F7D9C96B19 7749C132205F5A51 2991CF2FFDE076C6 8C2539AD3FD62174 CF200969E4417410 CE72D8A947E9C122 DC93F31289C70FE7 3D1EF77695DA8D3D 8172D37683463EB4 B67578898AE5800C A7D92BC7C9106BE5 CF5FA9C9C3451DFD 2697A0B443193686 F32D73081CAFCDDD 5B64D07803308282 F8F12EA53B79A5C6 9AB7BACF82BC4AE2 2E41135FD38A8597 35B4143AA2C4DDCE 7B331F990F1E9BDA A8DAC0B011BC685C DF618A4E94707531 0D909E5E727178D3 77EB65EA912A9954 9C19903B7B772752 7A576CCBEDAEAC47 A3C5A4F04A6F39A3 A6D646B35F0AD5FF C29CEFF45C3EFF4C C876CE7F38AECF58 B2E471A4CA4135D0 8D6F9FCC63F771B4 6097BF0D0C478760 C3D822BF48208731 F14113E984ED6135 2E1D7EA9C577C9EF 912FE6FE33AE0486 F634B1D70F5A3734 639F459A1DCE49C0 49C689130796735A D5281499A111600A 180AEAEDA2DFFAA2 C3CA9ACA45E6E485 2E6F8B20234F8860 9510740FB697277E 5D52650DF855E05A 077D525066C999C2 D7B4B4AC5D4372CD 34AC82949CE27BC2 141C6C671B56518A BFFF30D159EDBB73 9D33954E41CB1680 9E981789FCE36F4B CF76617FE31177BC D0977F8143129967 83387732A0E9D1F6 E6AE9A669C0C6CE5 B54D0E7BCEF899B4 D52B1C43D789BEA3 6CBF6A76C43881F3 5336A0D79B9DE725 AB30F59362CB2A80 FBC3BD1B56C6BB15 D3D756C0E83C6FE0 BF62559D030DEF61 020336C8F8D4D5FA 05DD100E584B850F 8BC602D7D7AF5529 2B4CBBE559F532F9 6C4A3925C1D3B8CA FCCFFB5338691770 404FCB05F3FA3620 5A393E5313E2B4EC 290E13FECBA12F5A 944240DE8391E102 E3C09928A3B53754 6E40751A262AC659 D5E1B49CDA73A18D 022081500EF3438A A4EC84433E3D3021 841E06175818F36D 37EF279B34E3D7BA 938AF83FB95FF0F2 DA5A3495CCE026C2 911752932B1435A0 672C8DE0B41B3EE9 7AE30DDD86F659F2 006870184FB18CF3 F3CB91B50347CF00 F6009F203DA2C202 F67EA57A2A56651D E5E73A110184C38D 3A9D74AC7558851F 37ECFFAA092A78C3 AC252C17085BAF4B D29E60E3E1DE6FFB 3109C098B3649CEC 21C2009EA15BC447 93B5BBB5383E2D0A 40C0FC19323724D7 B69699572968632C 9BBEA21FA1431838 30D97977A9DDFB6A FFF068B17F5BD6AA 10A6F14B7498A73A 406E8F926043C46D 5A7649D78AF11192 1080BC3B4BFD58C0 7F09C81A7F31A221 53F5AB24FAB5D0E5 D8C047911DF88F66 73B20D2143164E69 D03363D8DA64E738 651C39B8CE83EE96 C1ACB8EFA78A056F 6CAB0A4B2B95DFE0 B5078066BE5EEEBD 746ABD0204B1AF20 452779F6A847DBE9 B9A62E9B42960199 66673ED36B1A6C3B 3D822B25AC4D735A 47B244F721A218C7 9D026CFDDB094EE0 08AF4DB2A50732C0 DB09FAD330C4EC09 9B07DAC70FF7EE39 0FDE994D1503B555 5AE4AB5FB43BE3A4 E266C82BAF2BA2D7 1BF7F9F7E6C2E676 47C28C69916668B8 EE2DAFCC6647B1FB DD4E06F36A02A62B 50E8F3C5D192EC8C 2074FE0F67D3A579 C8C9C36C03B46846 13C65737D88F5BF1 D787D8AAD7825DA3 A4952F0044921D28 E118BFFC3B93389D 4C9802FAF435DE3B 9F27163FA5D6F3C3 03AA96D42C297A06 96019F6320066053 95F00499AEBF068B AD27D008A9A42B4C 15B90578F3080DA9 15B21FA504C4CA57 6F669C32D9B7D9C1 C42B1365B6E0128B 978552913D09A5B3 F38EF7E8A35C116A CFDD9673C6F45220 0B4A3A934AFE8894 D1516A40526662B5 7C412D237C2412DA FF99F87517D4B1C0 22DB6645965BF018 680AA3340E6E5A6C E3CD8004E6930E4D 0A34372CC3AF7189 71B727638FD6C401 F2E731C4C6AE1C23 70B0881ED731C677 98CA21E89FAFF0BD C672FD8FE306483C 74F50192105B12A5 1CD72AB7D384143B 0C05F0C3F1589A4A BE4087C65C7F2277 6AA1B1DCB527C134 1E77A8FEF1B9ECEC 67BB926EEA488871 36EF55B177B732AD FA8EDDB87083DD30 1CB565D17CAE918A D494A5F6CF532FA7 0DD90A509639DF87 BAB1BC0BF6DC7D6A C65A5C4AC489B47E 46F022DF0272E5E9 9EC17C0F4D794151 732845490617D733 94612F6DEE4961B1 F79D41B3ABF4DFA0 D9766D465AD648DF 4EAA6200AF6AC5BC 64C32AA69526CCF2 B4F20E2746AEE8C9 0FA235E59BAB18EE A158962C8C2029DB B11414F3B8E8F6A6 AEE9DE9A4ECDA95A 04A480584E7D3332 570537786AC51549 0508771EE40898EF FF6E20E51E030E1B 625227B1ED135F28 62D85E2CAF059044 8FF4C3B2DC383A1D C43B9A0E0D528C2D 7EB8F3610CB6BE38 20A9CF13C64C6DF7 7790F9EDC4EE2C99 541938EC1F3A6D83 C333C426BD4E983C B998D9CC98144AC7 BB41FAA73FC73B4C 2FE95C8959D0FBF2 765EE5E5043F998D 845903DF47689C7C CB01F128A70F25F3 C4FF09A220D7634B 7362DAE362C66BD7 99472FA8DEDBA36F 00648B9F015111B5 4F5A0DEFE0D4F980 1747506D7672CE02 3F359EB2D4FEE09C 716DF1E9DC548986 AFFC6B9506895BB9 12D4061700EE3F1A 1741DF444125ABD9 9A8168B5DD3E643E E835EA1F7787E1F5 0D32869DC598EC4C 111984AC16396D99 28C639C3BF65720A B9260D5A9C49E014 A3715412661ED355 4CFE3AC19F9B0499 4F8DFBB3703D7A33 E2E40258EA4749EF 3647DAE1D26C0F1F C9E5B077EEDAFC98 F868871007ABD86C D6BCB8A867C278E0 3E1D77E460D92EB9 64F4F8383B527DAE C4C5952E71E6CB6B BA36BC3A4EBC4E10 0CC2878BCBEE9106 13BD3C8384201666 39B295D6A687E4F2 B502E52253461C9B 62C441FEDF60ACC8 BB58FECFF39A1B25 5A757C1E6EDD4FD7 6A45BFDBAE34D975 5227E982A77D01F9 ACA8ED16C1F48E4F E9A783C56352B263 4422080B31CD759D 0B0590FC175D72D5 42BD027D67559D71 6BE1014CF846A333 0C6087D7BEA4A7DD 4E4EF4D1B99FF746 EF12A017192BD542 A8F57025AB74A192 A06CB02C31B9D258 25759F3DB5758825 37BA10630728BBF5 8CE74287A2F379D2 ECA4E40A463E668E 10AD56A8A4CBB10E 1A38B4544C2F642B 0243FE3D96FD6D23 8B2394CB9CB59DDA AD7EA1F682C11D1B 24173685A2AEAB04 BBB037B37E2C97DE 1D4E0B1D7337D3CD 5D4B18613FF777A3 8C2051C738906E94 EC4B7D6B2C0A6A1F F82A50F030F0D1B0 BA9905F27E1190F9 F633E609CD992C13 2C41BE9074D7D55D D9575E60E1357101 B59AFEBE752793C7 9439BFE982941A06 80021BE84CDC39E6 4280C9CE3F25D16B B4C701224EE3F926 712957AA730FAD1B 2801066A0D10FC41 7F5FB3FD4DF53EDC 42D3BF5119924392 B8BCF1B520BBF85A 4B7DCA115BA78D25 1455788E16E33F6F 6455C5B34EE7D7BB 37124D9F9B4A18A8 52E9696DA7EFB94C 2129B942066ADA64 70BCB3A00B389D46 5E9277E07A533CA3 3F0F1CA9888AC28C D059EF5EFDC0926A B0946A5B51ACA4D0 36F5AEBC0C5C5AB3 EAA9F2785360FDA3 06EBE8D9F2CAAC14 6332513765DCBBE2 B7A7AAA642A7CEB7 70FBA06E47DBA76C 17D3C8B75B58271A 17A43EB2A3584B7B F34E458D616B6F93 C24DA72391C50CCA ADDB692D0037809B 90088ACC6B85D19C 3D0D0639DA42C0A4 5FD56A363984CE6D 97D78FF806EBE19A EFCD4D9DE9393E11 47108CF7E7557444 DDFE41183A59524F 844B9EAC510D0847 60606A7E8A8E2F2F 26D4D56C398762F0 BC318997F0BB4B0D 67DB0D4205B0A47B 938C17EE2E21FF3A B049B92AE9EF5884 3FD31236233FE13E CA49721047055C5C 430099B73E853F43 56B30D0346613FF2 EE5C4CF29A3D4BE7 87522B1EC2229DF0 8433B364FE2D43EA 853AEF0C601E1E4E CE4733DB53023EF4 53CEC1A7965F007E 6AE8054A4086B6E7 4441BCA5F779C06B A433744A117A38AA 87FFCFBAF0464352 A7C5F36C9E8BF430 F09101D4BB8092E4 6A7CB9288AAD8F05 91E3E9A055716D67 244D699C95262EA1 F52877A822FF9475 CCA9229C0E2E06E0 17CAD892B486AD95 6148D58043C0A8B7 C3A842AC83035512 F1E429D9D0E658CB 77C44E80DA58E10D CC8081B76C0E35B3 DF7FF78C6BF4BC20 B088D32A98D6D808 36B94E96A5577FC1 6E0F5B2D6B60F103 D75E8325E69711E3 933B864412A19590 1D461BAFF315583C 0ADFA1E38B434BC1 F5B4BA76CD4B108C 633A917D15CBE270 594FA0961AB6811E E34A64CB61C7C799 849E31B0D8493051 030D6AB773F0F39B A00FD558D1C0ED97 629A628787A7751A C933A196E5BB4E0E A3AAE2E165B563EE 49A658AADF0309D5 D63471CEFB8E1C29 918D29341CC3F7CC A5929E4A82834629 66AF91DB0EC9103F 94F6CCEFDBE1FFC8 9764DC96E67D1101 8AC912537D958F09 574449A41C25EC73 D70FE3E5A759AEC0 7376802DE1B5A09F 5A9B2B35094CDB54 74D990FBBE496AC4 79E6A8A38AF57773 663082EE790EC375 339F4B714461FF63 94B7A57478773BEC 1AF54402789A90C6 27B5ED80328185C3 19500BF8F20AF5BB AAE7193D7F813495 17443B9CCBD8BC5E A10D71652235875B 881EF6174845343B 369ADC2F3C3EEF6C 30123D16A9E81759 207E2BABA1E8031F E93C6F2E9EA6CC1B 620042FF8829B19B 88E69337EE52ECC6 A5D31A6EFDDD0509 4FA77DA39A325DE3 FC0216E4FC86A046 A17106302B53C95A 2863ADEAE08369EC C507D3BBEE30ED5E C16B61DC6F8B0C00 7B11CD25A7299EF4 A1DC1DC6C0ED885F F1CB1619CF403823 C85A72EB826DBFB9 93C48F14C0DA87A1 EEB628576F4BB181 268F7DD050A6CEE1 9468BDE85C0A7E81 08D467631431CDBA 2C74AF3A300B09A9 4416807BFE116A95 27F3A12A32BDEF8E 08505B388E460CFD D0E86EC78CDC0B7E 7E93FB05C2C306B1 65127D00BF93B48F 0DA5DA5648076EC4 FDE763EA26925591 D1C70D50C96EE35E 42A7F533DFE91521 B7F90C30ED2F0140 77E31394A9AB94F9 8D708D7D12D18102 0D5C732675E3382C 72D9E3011639348C 2F3A159F95A74441 A1C49BC6AEC54986 E25156CDC6F9311B FC985987C962AE62 61BAE92C133CD7E0 A662005BF62055C9 90679967AE5AF1A2 D58DACD223DEE0D0 5DBB3022982E9C75 7A6BAEC0E62ACEF9 C97A30AACE3EE19E 6E6B09EC6F38CAD2 917D183472D535AC 5B463291E14BC38D 3D89F968FA015F47 61C57611C88077A8 AEDBF9CE5BDBE1DE A21380B90878BDA3 58EFF42CBC2768F2 BC22FD5C8C38279F FA4C5BE0740C3BD2 AC839CEA447E068C 7003EACBFBF59D4E 2410E8B1B538EA29 CC35FD7D91D4FC2B 4A0B4FF1373A5993 E3773040CCE5EE7C 9ADCD6F2F218B6B0 ACAE7F76CC6387A6 6DAA3A2A7C2147FE 43460A6D94FFAD67 55C3AA0426E41186 1FD19A98896C661E C4C535CCB77C1896 485100AE23775E43 E641A510E51C7A49 92F5336B8F070A29 E13367D0EA9D30EE B63E9851FF2D9620 7B37096DF34148F4 20ACAD5227EE274E C3D9238CEBB03776 3D92C4FC6DC4B0B1 BBBE20010C688B37 F8FC1E332FF431CC 0701AE223F01E7CF F93B99B3A9474520 89F4A15156B4C27D 1F45CF780D58B56B 1881D30150D16A6E FFF4DB6BC4363494 F821F249754E8684 5F41004C569CB1AB 7E10CB6829752A63 EE98E8A37EA10D37 0FD480CEC6CF45CB 0E4AE24725AE2E4B 492229EF3F551AA2 0DD08CA6424FC271 8A7DD88EA1956DA6 0E7C3E1F41181036 5EEF58B6E1A63B7B 67D4D0E1AE1F0E2D B0220ED20E390921 38FFA1A831A46D77 07785DC120B3B4E5 4B7E4FC0F69562C2 7EF1C760A13A5034 3ADD9B002EFF5510 40D95BB139D80F4E CA9CD2E01853265B 508EDA82EE5ED0E2 441B9A9F3E26BA45 B46C51A7ADC80F4D 069E9EA3008F26D8 78D317EB706A25BB D66AE008318E56D4 A1057696B2AD1D13 1F8ED17724389CB0 28296DE133566BC7 34E7D4818FA6A3E7 A72880C6A3DF5C79 58217C6F23E06BD3 4EB3E3826E63AA12 6B546A139DD80C28 C08411D9ACAF6EBA 8AE1FDEF535F83FD 055B1D79643C049B ED15568AC6FDD70B A6930E3555D93072 7C59F90882329098 46D874CD9C012604 ACC54D816B8B88E8 67B3A3AFAEB446B0 B787521672791635 C593029EF8F9E334 9153D633B0BF3445 A33EDF4DD71ED24A 17E25235EBF38C84 287023D3C0191AA4 76AB7DF167159BBA 194C13B8E10A812E 6AFC8CBD6420B7C5 7A579AC52F13D23C A582FD27E6E92B15 FD5436E97ACA71FD 8E28E6811EF73069 6BD0F6192D9754EE 384E1763CF64F08A 9276264DBAC52380 8E388FAEA9637414 CC22B29B9935A63E 85B726F9D1B42EFB 4363D81FDBC202E2 6EB3F8B06101CDAF 5FF15501B92D6582 B89243EE9AFE68EA B22FCB0ABE1A5F2A 515E5027A31BE7E9 F99BC785C4AF173E 42839284C15C72EB 3C3B031BE2126AAD 0FF303B0447A06C5 21C5A3595A4B1EB1 8EBB576007E0494C nettle-4.0/testsuite/slh-dsa-shake-128f.ref0000644000000000000000000010673015141166425015443 0ustar00373c73945bffbe75 0f03acb9e5c6bfc4 6d797df8895e06ed e918aa6c036d4318 37a89af35fa93b1d 174d1a2a580ebf09 bce3ce5fc3d9b7e7 ea978266a5ed558d b88812db900001f0 54ca435f84e66c7d 266c9f7573081488 638b3187d11cce09 ad1643b08dadc8a5 94093e9942b788d2 ec9877c43783e47c a6f82f63764b7559 ae96d4fb8afac807 b29f61fef83efc5c 986b100de9f380e6 8e927530f6df7e99 f0dd7f805c32ecb3 01e396328a4bb913 af856bfcbb7e685f 5e8237e9a2c3c8a9 550afa9171705ef9 7239f1e5ed9ca259 db5a807f5a662212 aeb7c6c255a4b4a4 daa30596bdf3a47b fec5ed2a1fc3b936 5e35f2f0c98cc290 4d9df60d117adc9a 3debdfaf9e2cf950 c8fcf81822bf0516 fa4e1d219b9350d7 01e1be5fc400eb9b fc9618ad97b2e705 f13d25defbae8722 729df3fc9a85c252 b584a94215381e4d 04e35b5a476ee340 63496da221a67428 9b30957cc90912e0 9f116f931c58a0de df0260e09a5be963 8f20573f7ecc8b1d 040f443f6079450d dd198f3a92ceb92b 7b389bfedeff041b ced0f72647add382 c8fa6dc3f4993129 c601393da193617b 35f32ded870c4ed6 3cd01ae1755d2787 86d3fda4958a010f 2a6e0dc2c8e90f33 678d0c0a957ffcea e196c221cb3d33a4 0bb6f3d4a3f23f10 33d8dbb2fc5658dd 88621b970aa50e05 68e01f844172ab78 a3a6d2ddda40a39c 53560ccabcaa0a83 0c1a72de0599750f da0a823a354c81e3 a883fcae221b89c5 a1d0f1ec79ec5b8e 8530fae3170267e7 6ff2500cbe04196a 8aa20e5061d68478 e2d4a0469782e8d9 a8555435e4edd8c8 f4b82432b7ff638d 9831d636f9e337e0 fbb8ac745aab7f38 5a56ee06891e3adf 98c6a470c0b65659 58a700bc6df02f3c d6c629c08210621d a76e8d13129c5649 3abd6ca9133a6aa8 a07baaef3b468bc3 f6994ef9cb18dd95 787c92811495f1ab ae6eb713ad64a1cd b0cb0b6e6026c382 720c3233f58d17c8 e0959035dd82bcb6 cd9e812cd95ed268 33c50335ffc2d762 f6a486b6154158f2 58b58991a847c622 9688f45ecc9031a2 d6a06a3c898bcc54 8a4cdab2064e3083 a888024812555029 223106aad833e285 70d47aafb04f59cd 39d9cae3aeb6d8e0 79d1f3166dabf784 1fa27df0df53516f ee1529ea1dbd71e9 0aab3d8ad4fe8287 0f4c5b8e35b9cbc2 4e87791ec2c7bee3 2b3251ab68ab674a 77a78d1acea108b5 562231dfb6c50a1a 00d8fddccb5e83b5 61b3b5f598fd192e 3c2a130d631192f2 b931fdb086a41882 911166fd15ca8396 d95277fcfd22bef3 0a2452f31e17ee21 b0a27e6f63e288b5 b086166c5373a948 640abec8db6b6316 3a802dd30c2e84e8 c7d6f67eeaef4709 82fdbf75909b1139 b7544d72384ae29f 9ba5b15842ce7d9e bacd1331b4b22897 5c615464357b0f90 9799c319e2b0f2fb 087587a600bb6dd0 185a45cfbcc5e05f 99d830941d5f9c68 91cd491f0efa32ba b6a475c9fdb25e0e a5ff01ff795eafc6 cbb408f3d802c887 34030194c110d28d 0886abb0d29629b1 213e9fdc537c8143 632e2057be16fe0c b6e0c16ced62636b 5fb29fc0464c56e0 39845faaa1ef9149 629f5784a406aee1 965abb96cc92b1c5 d1b44ba6067e82b3 faee9a72425dba82 394c960819c866ad 5035375b7f020568 49596f1460954d58 b4af0362b606c328 149da26213550af7 ee9ce6b70dc62972 528b59a419a8ca33 162da0dddc90f33a 9f9e8606ff1a6350 5f9eb6aacf043894 ea07f3db1811fcef 2c4be5593104051b 3b483c070bbf1495 e9aa6103c0271e8d 906643cd5e11ea27 9f0f1deb96a62106 376c0492d4aa5fa6 1545f75545035691 a4c033fbfc42ba4b 3a8c67b0bbc4dfe0 1ee49aa8715f5d05 34d730d00cb4dd3b c7d23f1e32f01ae5 5c9e6f7d5a5fe1d6 e6dd8466ac989af5 2b76e35890c82c07 7a083f05cfc8810c 70dbd1a5b75edf70 6833edcaa9971b76 8e9b29ecaa1a5e09 ea61ee9ed84cdb13 5472564f31d69dfb 32d8f1f8702cb027 bf66175a7fa9ba78 1759f210d99c30bf ec511abf3ecc6598 42122b55db6d3989 6c4359d7576e83ae ba097ce8c302b8ff 0638900638d842cf 370e3d6bf29e8157 32cbfb6d3b444ac0 74948d634481f96d a8cac548d577e8e5 ad59ed5c93d86d25 0569b3827b354bfb ce07e83a0911e417 aed9c2fb94e0a9ab 23b826a5b690daf2 57ae14e0af3820c4 87e36322d7a5e310 46545e97953ef883 f2304f34c555fe4f 224a24698f9f56c3 0ce95597f8c68268 808de01884101001 95bc46e5ec2641ac a0315f2f72d43ffd 6e4f3803422dd2d4 8b3592da29de7d98 3539024309acaf6b fcecbc80aeed5ecc 4d8339e9a13be272 b6301cf593fe86ac d6ba94d87d596b24 4a7b875189486c39 08f344c83f24d701 2a1918890a3dde78 abbabbec63b97ce7 70311dc46b6b8503 a4bae496101b88cc e76cb8d9df99cf45 f89b42716bb07491 34f1643f82485805 dc9c836a79de2682 4ea02046863a570d 22fef883fe218360 c3a7a597a7bea3b9 5b0ab45dfd9eee87 8f5c8b17c22b7996 02051193c7a270f9 729ec9ae13d51131 834e3126a6bfd6b2 11f2434a0bf2baaf 8d63e3fc47b07ca9 5e7f307b13ac7724 41f7a7277e6ea66e 41e46f543ac8f682 f80900cbbcb5a91f 47c08f88a027fbad 25c186eb8bbd8fd0 d939694e8c81e5fc fe475adf5868bba3 ada914a96cee5479 d2a5dd6d14fadabc 20a6b2763b790c03 9578bce010d306f5 89d1684b3f71fb16 e061624ecf094f7d 04378ca5a32fba8e 117bb733c21c3d4c b7efffdf29a144d2 e6156c09f58b8eed de63733e110b0b36 a77c8393d9db84b7 100abb674c0c50f7 3569fdd3fcd0eba6 1924a93e867fc170 acb866be73ad14b3 42bd698ba5d1213f 2b4917491abf2ef6 a86d36ea9a87cc14 70de776e2f818332 dcd47f4440f7c818 2f14256df3dc707b 10b88c9e3d1c1513 d8d9c508072bd5da be232cf19f8c4719 261b2cfb5b3e7680 211a130afc6e1f8c d61ffa17857136ae 3c91bc273003e37b bbdc2b270842a73d 67f3e560d0a4277c df77c49997ebc8e5 e37c614ebbd3b97c cada3c3bcf87a38b e9eacf31c7c820cc 7289d7f54427a8c0 e42c951988339a5f 90579642a1ecc091 d8c191526ae1140d d655851a7f01c4a9 78f41d6ade9a78cf 1363a964815ed086 48c0a5c8d86273b3 7e2935fd27761cfc feb5316fd4902849 acaa9a14bcb05363 1d97a7b73928300c c06abb288f555659 d283f0f30bd037a9 bcce81b31db323a7 90392ede4b07b5e8 93a65d8a02b2968a dc9ccfc7b7941dab 6310e997afc7adfb c3486a5ff3c5dcbb 61d304950de7b30a 31fbb38e2ecc8560 07d9e3d4e1b234d8 18cccbbdb3af2015 b779ed69e0ecd8d0 d514c9f0265f250c d5f0c04015e20af7 161e35c4f094908b 4e340518ba793908 e713f002136b39c4 14a1bcb0b4d08643 4c9df712d2a4dabf 66a3ad279fb15055 57a4b6633f459290 3d2d110c93f85e18 b736964bb8292524 49c27419617469fd 91654af55c948948 880cbdfd5c841ba6 d517460bb07d27c2 3b799c4286c66564 289ff4ba52873912 6ad751f5b5e1ee4d 43871ec0d98d7a22 c468c7d1e4363b80 aec981364c34781b 709f61eceaa27e10 d46cfde958411a04 41b614c0170c90d9 382d391d91d78e3e 57d23de844b1f0e3 0a18f51e463c25c2 2478b61f56fc079f 38a63411b8850230 f6144cf7731cf295 9b2c142438abb34a d8f7d28e10259125 df9d71022c751729 8ea83bd068c59e33 16fdb53f402e8d1a 569ac5f073545e4b 972490fb27ba0697 1b273ab1e4a9ac5f 6cb9453eae431005 a5bdf34891f872f3 c3ea3927fd67f8a4 3f6dece355e67b26 c22913b657703cb5 0e0bddc604cc9bc1 7c1bf2a09481467d f712d0404cf44a16 00f77a68fad39460 6b52d5d8f07fa64d a0991fb7a0f7a7e3 d7cde7083f69a641 7018a10e9319b0db d1fbce53fc2269ca 504b6d2a6a6a8baf 4e85e4e56df2c52a aed8dc36936dca55 359ce40d4f155747 cf311fe8a4e2e013 0b87899b3e48bab2 f56d67c774dde599 5f159c582110cbf6 8644d0cc51068e69 699a0381cc917dd6 433ef98575ad4662 bc38294685668e2f 74362572b268d31a 39087dc4d487da2e 65716029ae25274f 6088546882b86b51 2a7e958fd1c6f92a 9fdc44c6200c2c10 95b88ae0e0dc4d0d 08b417bf3aefc7d0 c7c5cab3066bfec9 07f17b08a81e8afa ee34fcfdc5e301d4 4c4eda3e05af5d12 10f15b8de81f244c c468ab8506fb2980 37500091a52886e0 776928451270e3c9 83ed6f61b7c4f861 f689a72f52607860 92154f99ccbb5b82 65c7be15dab096e9 7693fe35b2f797e9 2936ec9a9e26fa86 abf49a2747301244 fb884e679dd970ba 34e3bc035186fb3b 619a60bf6a19bf6c 4c4c4e2b01c6fa70 c0dab8466c8f41bd 449fb372c52eaf71 b1445e315845cfbd 696cec5eb9bd4628 2b6ccf2cb43a3b25 1d2ad6249d76f1c9 a0963fda7c520635 1e57227263658b96 5592aad8ff4c66ec 59288af76e381b1b 9412250862ec3f24 718acc97c16c44a0 83924e5c9100dcd6 8c780d29c4e0ba42 1c265d0f8715f9da 3d7ce7645bbd2e47 51d1fe85d76fd522 d621624769fdada1 928f61fa9e5714ea 1ea5f8d50f6b753c f232045be399ca8c 04069596ba33cf26 92e64b124c74aa3a 4eab8170d1476d2a 8be18f6dc4352135 da13d3f02b97f7fb 5b90e89c359590ea 64253db7647a02ca fcfebe03c20a87b6 992e48361f6e514e 640e99449496000b 084e637d4fc5b948 590febecee89b455 9386f4c17b5f01ad 913e6dfcecce2cc1 943c231342136c06 39c7686bc6a1d22a 1cc655514800c1c1 80c30f59b5ae14ed c614510ce7bb5aa7 9bb35e01889bf8af 804627e7980f3b4a 5bf84af4cdda0444 a2f82b07c67e9c0c d09ef2cfe8a831a9 9b94b9487a1658f8 cc1d237b2cb71256 8caa2f8916cc39d7 6ed5e4b2cdeae42a 50c674890384b47d 98fd11049677c984 8d544e7a03b54c8d a7a46a86ad77eb12 fb932a37dae72036 4d5d688b2eff4ffe 6467c0fda2003f31 d93fccd02a2db8bf 36c14d2bfe9c9626 19b198f9420aa606 cfa8bbe63ef333b4 9c89c283ce1ad568 59c5cd0758885f22 23e122e1939503b9 02bf8ff9625c4430 f9cf55e377258e86 2a7ec3903d84b3a8 cd51588435fc38b7 1667337792eea9d0 01e2f1f2562f3ef5 375c47f0d079780f 7dbe99b4e7939437 17564da171027fd8 6b1c9dac0819ae29 9eb53ef03e32a802 64cbedc10fdc2a40 e7a8ce56ee788b2b cdb676fad13d4b41 f227b47b41d198dc be8a662fcc64a718 20c8be1036138732 ce9454fd774b9041 0714bc940702f4e2 4faee4f2ffba35b2 9f8922dabd5e6d46 55758792f60bfe8c 50adb4765f5f3311 911ec61c3ebd1663 ce79e4262b487a7a 14ef3b21a854a022 177236416765c229 34a3e8234fba3b98 b36694a2efdb1a00 f56b82f92ddfd310 c2ee5bd148a4fc89 e760ae08cdecca0b 8b526fe62f5ec793 918b8125a7aa4718 22ce67c0fa1940df 95e004d7446e207b 75770d19675f4c61 30d87017b0e42570 8ff332430f196d10 c985a28ff17eb5fd 563cfc2281caa946 8018903630e912a4 4423beb2378655ac a7fded077af2a0f1 851d552bc6596f36 6dc49501bc082372 698fdc4cd6330a37 e2b4a29a4c191848 27248b2ca56a1ea9 9a619c886db41f19 928d134cdaa392b5 12aa149ca05fad3c f8973185312c529f 9f585201ce8aeef0 6a3b76c548e1ff65 2d8e6de6bf4a4f31 acfb12aa6b8648cc b9e47a2bde555893 ba96d8a59251ebee 38ddb859808675f4 8993b354b44872b9 e39cf6e243bfa670 1e9266291cdc1741 f99844ebec232841 0363105a345e1b19 d04c0952b7d2344b f425dad14631e14f 6a595efdc8da63ec 66fe90643e85e411 8587534cd6fe9c2d cfc119e8f0c4013f e6a262fc5ce4418b d872aff38511b0e5 b4cb452293161fe8 d9adfd9cab8da4bf d3f23027c75b0358 dacc903d3b4153a1 fd880f439ac1e02d 82ef3c4b06070c35 df253afc2b267a92 eea2d5111261e3c3 4529d2bcc5f5cc89 2d6596a4ee5b7208 cfb98c9405b94744 cc7c077a7e22ddc5 281fb0d9b69a0467 4b4f0d6c1a70ccac 0c8a89eb1d04b19c 074961006b132716 fd55f0b5c9b2303c c663a1235dac9773 073e5e20f9368cd2 1ad21baeeafa2b27 c35e95499252b339 d82f3142db10e1e6 7add6e0d7ce0372c f439fd78904a7e7a c95a0a5c1496edf3 1e3ba67ff8600980 717d999e0ee9e7be 60a535a21ddd20ac d2eafcd448d82971 e61cffd82217e9f7 281b58a1b8e42ce0 60d4dee8ca438e46 26fa3f9298e438ae 8157dec5e5979c89 7911db73e85390b3 af4e5053b316890a 95fb92172c1d02eb 4dba03a26dfd23a6 d557e79e2fab9cf8 06fff00ac1a517bc 8f8760a93d6421f1 96608fa7107641b7 63ee06d3d097bc1f 5b86bbe6221fe0df 56efc71dbd7e5918 492ea597322d8b20 e104e821d8a82601 f2ac6577617411d1 64c8d76be898323a 89523a738276f4da 246b673fa2729568 ff6fc03328aa2a6e 66aea6fb70afa4f9 62f3c805fd3c66e9 e52afb0d9d7bd476 38ef68f2b12d6922 a1398cba69383dc9 a32906a0acd4727f bc91fa5456d14319 57a7f9060359d9f8 87611ee0a6a1eae6 c644240abfea9e02 774317f934d080c4 fcb98905ff5f9330 bbdde48a32877031 f36bfc66e7caac9a dd5c3d210ebd1382 97d59bddb605aae0 5310fd7ed728300c 8e3c8427800019c0 cdcf604c4a5f07c6 b01c39543ae68155 8082762a005b3680 81a248703f872c2a dd773a701418f645 4250663407c0dbec f336048721a72bb1 3a5076923b16437b 18a69065d1b38565 b95b181abf13be0d 7239fd3c39f083ed 186e3bbdd5441e1e 11fb70ce58a2a792 a66c2af6fad18a58 a9c56729901f9cec 45c3203932d5dacd 66e96d623e4701dc 1edb43f2267b5cb4 a438e3e47622ea7d a841c9ba6bc54b5e 83e7871ec89a828b 4d65d0f26a0e9b7d cf880f28ddc1d159 454559e1385565ca 3ab6633cb04ebe92 c484ce9278800449 7d74bebcfea361d2 f3286565b6e33591 79eef768c859379b e5cc3903dfc9ed77 3f9973fae7cb311b b907726e02acca9e 51cd4f4de0caf25e 14c881899475354e 8678ac94f73aa3e1 1a27bd9367e531a7 dc0369ecc1b3e094 eaae23f342942ae0 9e39c0bbf088e260 e923d6489f6fb8f8 36fbdbd9db7d3adf 8a74407516a61cc4 998a6c14e54c556a 8995d630480e9cd4 d616626364444fd7 c6f059ca7312a61d 50716562239c9339 e224e2fe6999ffda 833cc486260685e8 4090cf59b8ca018c a0e3c4bf2d500716 40240d9ffd128619 ab62ae5cdb8bd9f4 728c877fedf63e12 d08d4759aa3a2d44 38aac1613fb2d5bb 0083f151073c5083 6b9e8ef95ce0182f ff4205c44b4678ba 5bee877246f3d6b5 85cf0c160f961b28 ee583488fd42d12d a487a88dcdd62ab2 a3cf84f5503df200 5db4a512ebeef9ae 2610f93d818d1b8e 61142cc89fd11a25 be8f364e39002486 47550d9835d8bfdc f1476993cb1ac130 e35bd3dc9688840f b4f178c0180e3e5d 68dee6147dfe387d 3bce676bbb0043c9 40c5de76a270e9c2 32f373bdb54c78be 4b8b8c5e7843e4f6 9fbf5a6ed0133528 1e368720c9b59d1a 1940b25fce29b802 c5d6c5f24865c545 ae21ee34b3b6a530 0d4fa2dbc6b6aa89 aefd501e525e44c6 c6a6563369768bb7 7aba7b9d091ca135 636c5e12372e2527 fb4cddec2252d926 4d0b3be0bd218b10 b33a65a03f373946 1fd674bc2e0cfb68 e3ed70cbf3655344 0868f94fa81ec1a3 ca4c63a24d57e90a a4c475003f4ec1db e566132f352a65ea 464a019a565bdb20 5862028134dc9f0d cd4386ccc7858c3e 7d41bb8187a9d541 394f0b1b43a52765 d09a35f536458d69 b1a74284a5aeec9c 2bb6eb6a1e605f2e f04d8526eb5ddbfd a0e2e4cbd36636c5 f7bf8b47ebb63776 bdeb6b3879ed5bba 56e02f074577032c 192efb8d2aaa1504 e52877923a064b20 86fb946b92d52efd 1ba0768d0df6205c 2996c0a539772f15 45648f0fef6d3367 bf6a9a0d1f1f8656 d37801f13909cb00 de7dcde257b8e40f 7c4b0b0088d78212 b9cbb3c05af420d7 0e10f900e79af787 62f3d917ac034e28 e7e477bc8c189d74 191de97d23f3ed2e 200c2ddf168666c2 9a61296d3d9ed6e6 fd40fa11da4135e5 b14f521a1b478975 7ff3bda98486a102 e81656a5a714a7d0 13f145e10d2b25e2 385c6a4c8b883114 79fb1c5219a5d325 b78e59ee1db88068 7a0fc2b7067c53ce 2b0b0e6d77b3b064 376e4c1b32ccbd7b cc148b5bc0e7bd00 728c858842187d7f e1be370e305b2f43 af3176615b9f684a c107bf87e20b080c 14d08e75306767fd 650244af3bb06fae ef9192429b947984 d138904cb96284c6 5c8c71720b2e8afd 708933434ba9fb4f 2d561497b9f275fe 68c1cbe982794ed5 aca3fc35c7aebf2b 1a1c953e6a093f13 9794faad63bd7e18 caf6066db0403e01 43410edbc4acfbfd 059adabcf07f6187 18cb6f20b240335f 77bff262ee4f0486 292f5b00a1f50d27 e44e4ba44d456db2 6280c4142f20d9e9 27b5e192d0f2d07a 5d43949e5c5684ac b4b2518739e77172 b13391d67ef5d181 b6477381886c2644 f5326b42d570f531 0e0cfebc61bb059f 862764a25650af8c adfce093d19d5457 20213e934a0d7628 dcab66c4e1d73dff ec4c6eff3848f5e7 20e7111ef8b2acfd 3d9b1e50c07ed4ac 8081c3fc383b71f6 78113d5759085126 77c985a2ba519611 ec2af89121aafa1f fbb57f47f9eb6b31 7e9f4b42896d4e82 8302cc197cbefe3f 1ea041311010bb89 d7646db41d76d33b 03dce6289b6f0978 a99f2537a9379396 6cf9cf2449557215 5357d3a54de59b6b 8df39fd9c27d7df2 c941422959a4eeb8 0b4e38f95a90607e 0a1045a5f68f76e8 eba838d8ab00cc95 702787fc74fb637c 6719cbea33c37602 e22a6bec533f8ebd 4615cee5b60fc281 441581e635b1ee76 d424007cf7d8058d 1464d356beb625bb 4753c05e30192e0a 13253c1a59536325 6a77d653cfa8834d 1e54a0e3e605dd3c bc83e197db186d68 d7c7b07bf060a581 4c3f17ac2d409e50 698428c3a02d1317 a340d4bb51272460 54a6ebd8a6abd2bd b8e055e988ea476b 434a20e42fb9ff13 5b7112433eca7c87 bf66cf844f204c70 be681fb623b8a86a f2ab7ebbc489dfef a75b7adab59e378c 7d86523462617b4e 3f4a66dec5bb55c4 c4b32675176d8594 a0d7ec1f6e3d4d93 83013b6db6a4dd2a c470c1d213686f13 da74e074b926b402 e1bbebfe60be58c6 6a3c1e589dc8551c f66248c70908f358 4cb96780f746f3b2 3ebe92de02dff2b0 f17a7554a7aca4b4 392a33ac86ebdb86 1565c8597dc3c0f2 2b09f5a3ea316564 822ebebd520d418e 17a538a056d88593 15b47fbd2f5f9f06 3e64305f27d9014b b7e04431e6beeec9 6aefc68dca3528a7 fab15e7394d1d45a e6f5000f94039020 4e336c0ce77d95d4 7a4fb5894b2edf4e 97e55b9af2458fd4 b4eda67f09d80ef0 c88db87416cbd51d 2d912d0a8e820a13 8306394061e588c4 e681015a6865d434 eca7494824c48b7c 047af2ef5f808336 60e5ebb9b210a2d7 d91da16c03f642b2 e881d1c048a43098 b8013bde949a784a 348abdb26e9cc049 c6ab85895ecb033d 4aa3219d58b4ce5b ddf0ccee32e35a4e cd7eedf82dce36d2 316064b9014dc404 eeeaf6342b63f0fa c299df1d914afe6b f03ccb7e67d0cade 35e4bd207f33adb3 d302f23eae2e32a8 a6e0c68fc7d90423 43444d130d424777 d3b265c35602e6c2 681aea5f48643eec af827c6054c56353 4a6afae872d86541 8816137b5b6563ed cf7754a3f1b7600f b7c328dd9c7b93e1 efebae36ae36a157 8244f7b0d1d66fa5 04835b28935d5a9f 7af834cdac4e0661 b2e276d79a7941ef e5dbc26d64293c22 e6972fbe4a8ac01d 30a70bfb21e19e62 9ce2682fc74c7bb2 b99f22c779f7022b be7aca0b6eb9ee3e 019ab2ab023ade73 112815bcf129f4ce 650b2050bc523fa0 254f8a1cffbc121c 4cddfa33a01065f5 5df1eb43f66e6278 c4926dd5bcdadefd a8c99932175f76ba ece263ea4434c177 6f635ee548193759 2b1177e67b902fbf a3974ad2349a729b f2650f850e422f57 191554ed4244c8fb 5e73a4c2c92f7218 be17d7e689b875a6 05ea6bb493485bd2 1920e6cd02e4dbaf 8973c13cbc6197e5 adb915137cec79c1 14be4feda0c434b7 29acaf9b5eaa97b0 b9f6917cc3e707eb 43a7e3ecf7adb52d ce3fc73d3dd2d860 862348e0313ec4ca 7cff64c9b6d3de14 6b83ac35fabaa2c4 353327e56db1218b b1cf4dca9c73fe88 9302470aca92ecae f7f2456dc2f5380a 7a1346af17970ac2 a42d7487f1a90811 1480d7ac5b8f4404 eac4a8bb3a0fa899 c7251c8bc58128de e488b1f850d41c1e 533ade2f210e3f6e de45d49ff6134287 7e72fc4d45c5603e ffe3f4acc8b4ce78 45f0878b108baf94 94e9bd18e7c799af c8c94b1b1bbcb1fe 07973446b0084161 bc0f81036f8c3755 bef04785d9d87b89 075d92f9d20562e4 7cb8bf658e9c70f8 adea0d29f2042afa ec6da2206f9786a3 8e68b220df028afd 5939687763e470c0 610d8ce1abb3c92e ad114a80bf1a4a10 08f9235262d3da86 055ff6e4c98376c7 212aa582191cc1c0 7b443b98fcce9318 acb6ec6475543663 2d14ea5a4a9c8c2b 812933c5a893e733 71d2c70b86885a4f 1e4cb29e708186b7 f2389758b59dda1c 5cd89e43d0de02ef f558b03984287abb 29f5fd2f22837d3f 3ab0d23e52462491 e0a0127bd4daac77 7f601e562ba7df4a 443fcb000c2f85e7 6c46347ac1882f7a 86e9777d1515b8a7 32bf000bc84e004b e4e882b3692a20d8 66d2e15390472e9f d7ee9740300eafbf 0b828561e1f93907 a5119d6af0cdc982 eea9fdf1e940a0f7 4e556e613f3c15d5 aaa4d39a70cfaa2d dbb03b2240bfbf94 49d8a427078a584e aa1b909b97064531 b01797e48f2fcf4f fdc1b65aa9f49888 20ce2e6ed671e3ca c854ebe0da73a8a8 6e586eecc327a0bf 139c248afee28282 c440613a521a37eb 8ecdc229621e9240 eb8eaeac8b4aae97 4be6f11d70fc7509 0f3ee4564c113b20 14bd4ed820d436e1 666ef9d6b0569644 b0f01604357dfff5 8a686905636badc0 4b6f16545041aed7 3e7e166fe553b2c6 beb6325598ef2cff 23d903d90e8554e1 61a73bbc85d5f1ad 95f3df0fa227b78f a526b3d21ed6b374 4df956a9cd45f006 276a280c3540e4ce b58bfa59acc42f64 81f68ebe0e390fdb 6f35c4e6fb5f6548 f6dc7f03558534fa 4079344d1c26eb37 7810924dc26e0797 3b9ea5277a99e58b 8594c52b6199d3a2 f3109d1e120df14f 916357e642d47f5c 2f7d8546ec485b34 ad87e1796de4b451 cdedd4408ba91350 0b91c7e697192dc4 8569e443a3fe945a 7396e36fe7b2cd23 466b462315ff7e73 d1c8be52c9e79e39 c7423aea069d3ee1 19320575f213fdad 0cfb1307c6f7b32f 5e9949363073f4c1 47ae298535a0944a 97dbf43d8f4ed7ee f02a7377931b71c8 6421728b7dfc2d5e cd2e6cd3932219c2 42ee4b7a27693703 0340b47f4ff1ea62 5e19df8695388f69 ba96c8e7d4097183 39fd65e6ff7b5167 69617a36f4b6f9e4 c56402119e53d006 03b67e4b023689af 37e61aa4569c4051 7b877e15bbcdeb2c 09d60895f9299bdd 53d1f1a2b7338f22 ffb3fdb8869d6629 bd030e4b32764f90 62e110ff9b6e682b 04f765e13982d752 22933af5e07d0615 7e9b5a0727cb25d1 9b6c48e9a20e6b33 d8dc217769b9154e 0ddf7cdef6efc998 f9765e62ee5df89d ceeb3865a8a857fc 73b5bda193c0ed37 33d3db379582ab25 79898a99d0ba8c8d 4b718fd52a70ea62 f3dc6b3bd39c1b27 a7fa660de83e64f2 f94bcd4ce60c555f 63b0698f83782e36 a29ef86a2ef2b811 e2e1b5526ea90de0 b0d0320ecf209579 1da1a318562e324a 430084468d583d9d ba21ebbc79a80d36 e93bcf2cd8b9018a a2f3aacb529dce30 3033598bd4921730 6dcfe285dbae0f26 b68f27e761c3da58 056e1f590f406ab3 09cac9e06aa74e5b 127724c0ce198ecd 4b0a2ed54dd6bd45 4b57072539330a0a ec211293b957ca8e c0e08ad3cab30773 8d72fc130a351681 04f65e1d483103d4 92bf6dbe34347284 d0790e425b657790 70bcf301139a0f6a 9f38b138544db5af 5a5175143ed2871b cda4c261f472b877 c5a108da9cc87cb6 b8f84d2f3143a86b 8afd2a0b8afca2f7 39a214a2bb625882 1e2c605acac65227 0aba7fbe7a756342 c4b329783c8536fe 417baf3e360a4fc2 aef068b11c43be9e 9f14899c58a6633a 7b20dc48691d26e6 2fe45e25aea6a5f7 814132c9e8792f81 a79a4ac13a0b759c 820013dd775abaa3 b3e6992e9e52bcf2 ee4ee6ef65aadcc6 1700896438e47217 4a9eea12b61a720f 5768e56fe2cc2e12 965de68024bc235f 90a34bf3867f28c9 888d9ef36d27de3c 9714f2663349f8c8 5c521971bca1a98d a63b6378dcd7360c 4d7acca1fe174ece 5b08428768cd4a5a 651d9e70fa4cb5be 5e5f3dc619df1e7d cdddf484c43742d9 1a4bcdd09d902ede 28066bb1d18cafb6 1a3812a9cb3deb24 4cd9beb6df09dfdc 0b7973e1789dfe5d fd9bfb3c81025dbd cb0f8b002390b1c4 423c4f784f28ca8b 63b90500d47821bc ac5f5176b7c8afdc f5fef9ccfd573f2e 059a4fe3c91678b9 80d675a7150874d3 af65ef2ea6a6d65f 2684cbf62a9e20ec a8edb6325762fdec fd4d87e67681cbeb edba2395aca7abb9 aa350ca32ba415ca a8de9415043c08e7 041860a200076916 4e8a9a765796e983 984b764fc84b0ca2 bfcabeee0ce1828c 5deb573e8902bc67 ee6dab04efcfcf13 7eb35d020a71a947 de5e2ffa64b7e9dd bbca88348f7342a3 aa092132f9034e4a 2f8eb2c139be93eb d0812a2ce6617cb7 5e04964c05fb6bac 756ce961f9790e5c 669975c8b038e8d6 35f464f07bfb9bc5 8e2688fbe0057d21 5b95de585ec9b4ff 1f1f42c5c5bff19f fc8ebbfc9ff27488 dc7e9135579689a6 1350219598b8521d e566262ead6822c6 03bb498e06f490b4 a25115f46d8f9c04 2c2fd42dc2854ace 7cc3cb3489c226fd 6d9c88c7baf8b17b 22ce5d68d4e12892 6898475ebf8ebb53 b43a5c6f32a7f074 416423027ba27ae1 c99bc3b5e3f9f5d9 f9e0bd83cdecf949 bc97d04d73f5fb3d b778a82d21402f65 f03623ee7496c783 c77297057c135a3e 39dd8b425952f15f c4208c7d4128608f 4182c8202c717853 cdeb6f4f77c4cfdb d05d622918ac33dc 5d15600338d34d6c 71be25b40145d171 7f576142daa51f31 503a7c4eab101edb 11c220ca400c8ac9 9ef6207c632a9a2a ba5dae4b41540a2a 95899bfa4caf20b4 01361429cdedb990 7afd2135491e4b7e a47b64b2419eec34 e22391667842d56f 15e26d273a08f4cc f48126cc1748c92b 47d0fa42ef5d0eb0 038dec4bdf81bf39 e168b577db0f6ce9 4553938de6a1e7af 381821a4c369429d 70fb0f4dedef4e55 099471dcb0fbe7df 443508913a5aefc6 3869206335a7b188 56145d5ad6225bd0 60916f21b766773e f92c55be896b50f8 aaf282b43ded8440 e6784aa62314fcf4 20a9a8e473cd1f5e a7a29ca9e3861724 26e3927b7db0ae40 9049a4c21a5c7725 90f15e794f231e5b 8d7514363052b3f5 45f055fab47a4de5 812c826f543a533e 1b29e35ef8ba9851 3f9f9e04b1b0fe6e 49c46af6c41fae85 02ab8beeb775c92d 85ce1f32bcb46032 541b6a99ce75bb95 b1e6715f2f767884 7c0870506e7b1ed9 5f54271683de11eb 0566375ed98f3792 b2d0694ce2a8d1b2 16f6e6eca2f288dd 63651de7d28da1ca de1b2ce691c14708 0c6c16c99b5ea5a6 b2bc88cd25ba438d c9e33b6456f8bb6e 7dc53411e6ae3d3f f4bc4b2294086b08 da2e94427f1fa36a f98c69654b423869 4e0633f9cdf3df81 6f5ef5dca5d895c2 756dcbf498ca02bf 5328dcbdefa7bc04 6631cb6fff68c7f5 b113b2ca90c0cfd1 7ed18187f79aad0f d920a1a0f593981c 13360733f9a7b63d d6dce0831fb7a59b 9a621e829b72b513 7a986fc40bb31219 718880d4e8f3dcca 72347a22eeeff333 fb32b6b4ab65262e 11ffe64dd87bc138 6352bbf05ea058fb 797b39db60eac203 2911a26779410a8a 267bb1f674ec8a4c f419fc00c6fc10ba 4eb818e463eff790 0d9242fb76400468 46ff3de6d090ec09 55ee43386783cffb 60241e906addf8ae cfed1070040be90e ab174a7844931ad6 546ddb50d45bd998 00e9170fe860c6f3 22ddf623147dec86 1dfef62642a99971 d2066567a16ef36a 843edd16275767ed d971f79307b50fd0 9381daf0c2996f69 92f0f33104c4e320 5e33df46b0548660 5770264f41a7169d ad04398ff18abb32 e273c2588b12bda2 a7ff5a5b95c6099b d7474f43a92de26e f0a03fc51959a52c e653592f5c904782 1e488c33bebf28a3 56479a5b2683da63 acb3c940be37ce34 b705972f2ec7de94 463064209898fdfb 547e82adca0147b4 d4fac25a975b68c4 711f41e31e981281 af1c933e13a4185a 8223ef7ea46284c9 c5edbd15c92f58dc f6b9d12137f40cd0 21af47bb5ecf49e4 11c55750f59e4d18 daba15971b39538c 113fad64c2763203 2e6c40a8640ce610 7f72cad30e8eb1c8 ebe0f799f80c073b 8d901518d3677bc2 3b03debfedbc96cc 246973dd15d49f24 ccf8e5aecf480fa3 3521513b1e58bf3c a43dfe7908729cf3 5d728b90b45879d6 db9a0c6f9186af19 00f7205f33a90956 bfca4f386b88f702 991914b639dcc25c 8868da385ce06687 a52141f8ae7f76dc 87f9f75d49b55548 4a796ea4ca33152c 865650e60e073034 1f2f8a3181256e4b 68e3943c2c563047 d9f33583fba05fd6 45c68d4c7b80dd0c 33c57f416ff9f43e 3ea7ce20f38374c3 fa40d805c9b9399f 51664c76fcd502e8 0410d53f1991f8d6 c4d98bd7d01cf288 81a4c55d12781cd8 d918ecc341f1c011 43a2b1a48d101f1f 2c307b6cdf80c645 62f3128ba30bf025 95bb934c080cfb83 c3d9dc1ccb8ee12a 150efadeb21a558c cd0c94f606463405 3c84de6bc30aa171 e91437d76b9f73f3 ea2744df997c35ad 50f68876de350b3e 18029409573b6726 0032529820a69fb0 85c2199398b72fec 18d0598be1f1190d 7c8311ebbbd770db 7202b2a76acf8f4c 409a253dbd1a3662 8f90dc62d737ad82 cbe22d208638a681 ca9a7f17e95a2d1e 145196c319d10c53 de7dfb7eca357840 7c0d907c1e6a8fe8 82e195b9f86fa8b6 c21633033dad6b62 ef0ec45b96ced9e1 a73f7f31d7e03553 9b5247d24c65ba1c af506a8b1e0df1d2 57816e3249731940 935a88a7f00173b5 058ad62cf8c9be81 883e63e2bcd28409 26424c77e47d4420 398811d787c52adb 01db8319e935b80c 2ce3d3d9c21270aa e73b331fda5b5527 3719dc58a0acd85d 72f36c4cbc2c141e a4d8b17a14824d8b 602a5719f4908fda 04442229adad582e 9eef2690e7a74518 5753787a865a2d57 5cc22b4d5b8bca71 6e1318bec3087b54 89f0e1600e58c5e5 8e908d70db59612a fd600d5168b572fa 137dfbb5358f6aab 025dbc6b7c0bd37a a094d8343ccc060e eafcdc010cdb2768 7a16cc5cc5b96944 5492f9bdbf4fd18d 5caceff19439bd5e e65d4fe0505fe05b eb9dee41c558c53f 99b5386b870afaf6 4670a189843dbda0 0d9f5b823012a46f 6258cfdd903bdd6f 941e6c797c4097f9 c62b96d875c2f1d9 c29ba54de5058768 831a1430747c5e54 c0f41bc3cb46620f 2f21b1bd957f3c29 36e53e8a621c8ac5 40a6f5f4177eddd7 ab84545ff14f9c59 7be67c8c5953693f ba43635e8bab6f0a 3282568edd00b746 6b341557322263e3 e200832b7d454337 98d64b4c898cd5b2 75e0ec9f349e6bdc 31c8ab282ea4c92e 63cbb7daba8657f1 81d2c6ab7b822028 e974a64a8d3b751c a58dac1eca26378e 3a871e26ac7797ef 4521ecb5d2095552 faad5b8b41b696c3 aec3b98796e375d6 9866c77a5f8f9246 1b03d5d85cd87c42 8e21ef6f6ae9a0e4 41d55511136fcc98 82713e1beb6adb83 f6dc5e161fc244c2 e85824e182f74667 86c4f52b81ed5eee 6dfbf3efc42a2284 0e52e4ffced6cdcf a1d6713bb671b106 cdb49389725006c0 467ee54e51311393 111c8cf5cfab05d6 a437bbb4ba76f98c 80416bcc82359a60 1d2ce4c5070fb6cd 1dc46ed342f3f9e8 c6025e7e4a395e6a 76d060028fef9f19 50a88be11945281b 7275f95525f79572 d3077753bb302552 591ea9d6c636688c b3ff90038c7b97b0 110007c08e4eff3e 98d7bfb617094c96 42cdd08964e1c8c2 9065f8d0b386f1eb ae5d73a5bba76baf 2404d2a836d6eb0a a404154a5dd3042e 3fa6b845e991a9e7 98e81dd520482b5c 01c4c997b734bc98 09b456d29a7e1a4d 7c4cf16391346bd4 7c20462840aa5781 0b495ddc301c9a56 f9a9ef3558ec4a40 33f96efaa68caeac 0b6c66c676dec0b7 8738ec87d57fdfe3 d8c6dc5a282e303e 976af0c3ee948256 2e1d9c1112b169a2 5ec6b1c410805da0 d2ade413deb66bef 1ce1a44ab8254594 2f1f6d5ad30d2541 6a467c3c7a61613c dd0039ef2433a6bd a882c4e5a9d9d173 d7b19fdbf385864e c2da55f539127968 26a6b2a1e7ca5a0d 3254ffa47c419b30 15f8c1ee773bd25c fe44fb7cffaac50f a691633d4cdfd322 b9fe79583627eba2 9b83c1fbc2fffd97 fcad6f19f1d963f4 d8c9b593f76c90a0 c15e2b04e3a13c49 2cca8348ca7187ae e4702f164af524f4 65b0caa881cdd5e9 43ffbec7a5f3df0e 2236e646ba799e63 9237b14c5c412f0f 1afa9d041efa510a 082a884f485ad938 08ee926d1ce8eb38 2552ff58b76c1ac2 a4b60545802d5e98 ef7e36cc0396a928 7a461dd52e99fe8a 25ae3e2d388bc310 0606d0e8bcba7122 f741866430e3ea51 4bf00ff2fb16e9ce d5ab58cee24b8c71 5be8e2c987f06b37 fb4fc89e2f9bb90e d7d1a196847b78d4 1ecfe9523f62634b 34f1706e57246008 6eb7c99d5b2d17df a9dbf4c333e3decf 53dbe80c8bbcbf2b f66275777508856a 5a6b527bde8a05a0 f40b524f86ea5efa 284e54b9c35c9fa6 3e2b730eefba13c3 d6acc68609c01b89 c13c538916934150 24271f84bc193f0f 9c8337bc099b53f7 00edb48b92acc9b5 eff1eefd87f022ad 7d57de80b8441d13 2393af7f80d3eeec 79f90e3ff4b6451e cf3a3b15265873a9 f98eb8ffd30a4ffd 0e6317ceca46ca16 23a7ec8729bcb804 4981d1fa251ea2a1 e4647e10a65c7d1b 7facd035f1b7802f 5e2229d691655ad6 ce37d918af1f7759 4787594f100a60ce 6a0ec0f214bc596f 4f09d29368eb6ef4 efdb98248565a8a7 90b575ef86aa6898 8c33cd98367ee770 07423010b3a026c4 4e1956f0d953e3d6 de4ff60e1b0f56b9 460e2be1bfa305e7 c4f3f4c292f0b021 36fadc5102c5ff6e 03107c897e21cb42 0a27b5d8b6ea23bd f79c306ec254f274 2699f0165533ca99 54169a9bc9622952 94103dbd1d1a3d8c c52a193ab2d25dad c2ca1bafb21c8402 9f5fe9376eb23810 d935fad2c66791a4 13ea77e3412f0b05 057478d9043183e5 d4a903b70fea59c0 a774563fb379e162 dd1fd1ff7d49b24e bd724258986faf61 6db3bc0ee988398f aec61d3984fe745f d076cabd2e765280 8886f749d486b047 8c02c47c21ef1fb1 89909d41112e4e13 21581886fcc64918 7ffa781ddaae5674 36f4a0de92c83f8b 2c48d7634d4af8af 0834bd4fae5bc957 2b06d74780609f6e 4df7477262a7596c 85a0598c4f4a4f61 24e9377bcbe08fdb 90a46a8974395459 58c06c21661bf2e3 c3796f9900b03e72 221aa304cac54f7e 8372eeddeb03a98a 416104ff41d9493a 292e91a0fc699f59 401f485aa1dd08d4 00c52cfc3317bd95 3d2e4bb5382682d0 60d38fe0655b766f 9b3f387270e06205 34b79cc2203b46cf 7d26305b665d4e00 4e8fb87e0f2039f2 ed95d8ba96be209c 8e990786030c7c16 c314161356fef810 49723fecb8524a5a 19ea4a568e0ccad5 04afb30efce7cb37 a0e132e80318f75a 34ef386f70611ae4 9302c83781d7b632 e24be3b3ddce08fb 3a3aa310e8891244 76d76f62ae0a57b5 d02fe060da05ec63 85a89dee4eb9438d cd7d857aa714348b 1a1152ab79bdcd0b 1c1445a51eb302e9 3f3b8ae8f868362e 6bcb85605dcf5990 cbdd1fb35d980643 49f66b8dfa284466 6264a9ee90346a0d 6c123b6d1b0162b8 7dcc46dfe66fafd2 ede2393b3840a0e5 67bf5d45d38b3907 716ec14143a3f113 dd796780a2feaeab 7fee5061bb54b790 eb538a8697fca062 5131f91789ef015d e88091d418837260 f0c68b767603296f 3d0806de6fecf3d7 127fd6b31507c65e fb42e5b91d45ed0c 0a3830a235d9c53c 89a741a1afabb041 57f356cbd5dbdcdd 22c287d414a76a44 88803642c1d3df55 af35361a586ebb0e afc5ab8b48af41e9 d14d6fcd5a2d33b8 a4c3258df8b823e6 428600d54a49d4d8 63c0d55d02ab77ac 80da940afc174586 7768f29c08d03449 6c40bfa15df8cdcf 045b01777cc626a4 1c1273ff87dbc3a3 d0980ef772158e21 6c5142fc2c425327 3789ee114bc1dd0e 87b6ff7d114332c0 cc041bcca402c3ca 84fecae50c061692 dbc42de706ad6a5b d3dca9c86821917a b1f2fd6501c1777b db76a66e8cd5cf3b e43839428147a161 50b5a3c60537f43b 9f6bb486232e92d7 60bfef25744d13e6 5a52d9625f97006b d1bdf41c0ee1835f 33762c6cd97bcc92 e7cc64d3c1c75e32 4519cf0fb9da46db 32099af6979d0ba3 8067ca9d0bf011b9 4ae7cf68c19377b0 2ea034b753cb5984 0b27ccabcc2c8056 570393be9df5981d 26ab652ff4459229 b02fa35a8e41da66 b7d036a093b08d50 14bb73c28376a369 47156908cb019ea5 3abedc86bc72886c 42e7f2cf632a375e 2f76983d2bbc5f64 697af115f35a8bdf bd1669dc32ace0ee f603202dcd6cb0c6 3a92a981edf60196 bc9ee7995323aa4b dc5e2eeb1ae7caf6 a2af066ab8bf2587 b1cf45a3fcfc05fc 9918ccf74c57e0ab f0e19b37acf644e4 cbf1f8a941619fe4 0598d356b1d6b9b6 f9638f716fe8a033 ce73a0b1280272ba ede41ff30c8eb15a 5e8309f6599a8506 21049ee745f12b26 2e04d1ccae97e6dd 60f4ccdb6da01313 ed16c65ff69ba197 d072b35ea31c4695 b0dd0c957334faa9 dd9b92b3a48b7f3e 90053ca6e70c59db 4763b8318c7e27a5 9c73eb0b0e98b53e fe7a27379fd4e887 4e3661f806fe110f 87f503c7ce705c12 f9c7e0b0b75d4166 06271f9cb85737f9 5cc5a739972aa7bf 44bd5f79eb9ddf91 99e869a4adac9456 709b7ffd04123159 59a78bf52204c393 c029ddb13ac8effb e808e1b002447334 e3e464a06465d979 6d0758a1b2496f85 42dba228f57442e5 17b9deeaffa7eb7e 689abf16c5ee284d 1e34dce084ccb593 50ca420ca2dbdb3e d8c384e756760bc9 05f8a61644963ee0 c722820cba30d336 84629f5a9856e82e 3c648b4293422f51 f9708f22c6edf4f7 d2d2887eec32e871 652f0b6d6dc0b567 6052cd09d80ef7ef f86b0ea1802beb05 89bc9f3350031424 23138712ea46d9e5 d44cba2b65543732 bb7a3930bb4ee7d7 c23ecc118055b559 9df03ea3281a5f98 36eda2912cc0aae3 166c70d4953205de e4dd89457171c3ea dfcb4ed63c5e92d6 ce38bf00c9f33ae1 16b185e51e3eb665 4b55e4a17f584183 2f0f8ef7511f2b08 b2b1aec967544b29 64a20ec3748076b4 e8f772119dd47de2 59a14cc6ba578511 4070920c3eca3aaa 35dd4f23db00e733 496aed0d09aa11c6 165b8ed0c1639ef9 15ccba3241777c6d 30edbb8decb34311 a8ec847fd5475373 1347d45a10a80e69 32edb35e9a2c95b5 9541394cf28b5ad0 53e6db854049ed48 cefd5ad1494dfd85 663f88215a5123e4 8bcfebbac76cc0ce a01208c1e907dfd7 b051ae0bc0804a1e 3a42b2b8948ddfa4 1caaac64a3da1c69 270a485524846848 fe291531d314197a 8381482e6909844a 69c69740815c9c64 6687e4139371ee1c b9a635997a070152 89ff74788e43936a eba2a05340f61625 82061f8867ded0d9 1851f7d526a0915c a59ded312ace9bd5 930fe1bf952f127d edccb9b676ed1580 6dd428148989421a 4ffef2306eb0c7d5 ddafb8dbd6ba8cab 7f1d73685716cf8f d6d8bf4bbb23b99d 0f2514f56a7f29bd c8568d2eceb314cf 5246a0d410704ddd 369fc55053496e28 8f54b922cc0d5253 ffd8f54ccf7d1d79 927a9805007ee238 0a9679aa35203d61 d50e7327cbd5d09d 00af0531e4194a4a 80608987b185bb5c 0addb2743824dc23 3734c865d95374ab b68d8e2fd7bc6482 25ed1dbcc5701088 a24a2505f2e878ff 6a53694b84b331be 213f82204f3698b0 a89d2d763e501d8c a2207517e2cd9dcb 02daf804852a1cc2 2091fae7476ddd6f ce95b96b5d21a545 36e4e852262b7247 4b0660ca9c35aa1e 5bc2855600d11448 02f8ddb2c9855ba7 749be2f8a90295f0 68f7594f12237958 092a8166eb851a4c 73dcd4ad98c65310 53a785323f850edc ac5bd2c6d57c9fa4 e04ea2d62e948ac9 ddd93cbddecaa187 e13435420cce4c97 31fbd964dbd620a1 28aaa00ad54e2907 751edf3e6608aafa 5fb38743231f88c0 fb9275fd680eab24 fcfde7570d0d0cf7 c11bf19eb4be4e77 ba91a7e234b0972c 9657b3632d989404 0d210752d807eb25 d5fa4b5f134e58bb ccd164124d564cd4 948c7c5804a6cdc4 e2f529f53ab6c54e ebe94713cdcdb729 f60196e28e896d0f 92bd2a26aac1c47e 2b1796e4bddbe36c 96f2d3ac642031c9 a78e362fdb51bd7b 8ac0673dd3cd7f7f 6a636443bbe59821 5a000535b8277b95 e8ee0e3eef722da9 c5534024be37f50e 38346bb40801f6e2 f1fd8ec4dfc88484 9bcb61076d50f543 28a95e152ef2229b cb2d72beb3c778f2 a5af8add8036480f 7434c7ca766e4cca 7253c87cac6c38c8 230907135ef9adba 815f069cf369ebee 81e89fae54b94128 cade70570873a2ce 8687d306eab3506d 7cba9629604cf2ae 693efc0a6318b22e a5cbd33ddcb7a98c 7fe2beeeb93adfc8 eb974e22bc9b3988 27939e007820f848 4ac2d2438120757d 9984bb24ae349e39 2db4536d06441da0 f319df609cc1179b 80c8d82c13bd740d 9205812bc447a668 b45a6538bfa1b618 01ad2bcb8cecd031 08478ff44b1b3ba3 2a02f3ce2e4bcaba 2e73d43e60a1ab51 21da0ce5bea16fbf 9e4775883fbaeb40 fd0382e5f54c7195 6ae8e7d0a48c3bff b92e5b7de9d4e33f f0cb858529b56fcf aa750077d214e5e7 417bcd9e4d3e2ce4 8b5ba8ddd8e04b0b c894124e591db44a 7eb8d3b17aa80421 358cc7ab17782960 cb1de8ef4947232d 151d6f15a45effd6 c1aa8934d235ebff 43ac35f42fff5d88 ebe053ee39bedd04 54334ad1850290f7 ce840196833c2297 7be9b3aba318d52e fed5618cebdd4ffb 7a5b2f634f7b3711 c516166e636efde4 1541fc58a42317b1 8da16e9780ddbb7a e08f01d3f7dfd2a1 23d99f8fdd08f93e e76cb43d76110c8f 12d898eb4296b502 872fdd8aaf83622c 29bc9cf5ea979044 392e4c0dc81b4d04 5f86c58988143b92 a1ee68152861d162 c118c8124a1d81fb e7ec8ec0ab2a1c2d 6e636b9b6d284ef3 0bd4d0f2bf75cc0e 2aa27ead27276ad6 bd5da58d210179c8 991820c307b3ee28 0832aa236dafd0a1 118983581b213cf7 2d63bb92510708e3 ac18c947d083cf38 d44a45ad90360858 51d31ac8b7f9ebf2 b8b2d6df6ca0871d 8a1a5a4747a0eef5 772f79fb11e3d0bf 4080529c14d133cb 1ad8535d63f3a1a9 c466c52f27d287ec 4c32cf3eb5ba19a5 34836810de3c3061 ed6c546f7bcbf2a6 6bf8df8f1d8e81b4 44cca8144bfdf61d 52ff3b2652583d96 0592cc63c873426b d21edab31bb9f84d 04bc774f4272e446 2fce018c73fcc356 bb329a7fb23fb3b5 185014f14df81e6a 670b98778e8f9505 107c6bd3f87e477a bff01a5bcc2c34a2 03155fb2243ce21b 77378ec1b801f8ad 20570f1f7c3421b7 4380fed97b2bb74e 8432479a9a33925f 9ec5c92e841a7357 b32690624e9433cb fb705b04f965dc3d 7c230521e7a8a2a4 69eae7ac990d062a 7f4993de3ccd15c6 00c8930b96480077 e1028ebff5ab2eb5 08e419e652d5bc22 f1bb85fa3bdeb249 460e42a918086a20 cfe6f3ee22d9be98 2d86ef588d92a03c 5dfac374b34234dd bcabc7cb18ea1a6a c9307949d5475535 5018e844757ebfaa 0f1b3c70a8462424 c48b1e94e3b692a3 31171d8ba4e7bfab affe4f9078cd0723 b095fd2f0616110f 8646045489e7100b 45366b676fdf5f31 2bd11999c4a7dd71 e64c2755dd06a48c dc4f2301ca5a7730 0cb14c2014bc2041 e7434a93d5b2c418 57236a97aa822a79 978266302a2d9463 126332b2d0f5445c c23648700adde567 2b4f2f55d72a09c8 fd97b66f8d6a2b68 6f5e288c009da8e9 dd9a3c7612a777e2 c4113258950bc17c ed754bf8cb77a9f2 d1fd33d241fa4278 09cef422b5dc1e53 60eab473decdd7dd e262fbe34f0c61a3 5668a89972e15903 24bc21d052e49897 6e562d456ede24f4 66f5d1a0cc050b20 26faf20c32efd009 b05665b0698b3e48 2df144aa1aafa114 dc0995929b1d15df 594e2c088ecb88cf 50234622efe69ddd 78448efe147cf189 f8181fee349a17df a8686d130d5e6fb0 fc14e7a1107aaf9a c82329858e17bd3c de6c217951c7849c 370ffb3e2de92aa2 98ea2326464166b6 d2f4acde7e190622 d8ab91cd3c1a57c5 f8106f95e6a02980 b7bff80cccbc953c 982c5c76cec0e92a 50e4d9dbd6f4c9e5 5af22555a87e1108 da9493e1733d68d1 24a0806887685850 21f45c0c1c861657 625d8334d5a6527a bab1691401a09f4a 5984ae0b26bf76df 9bd983981907ea87 da86150ca0044e00 cd8b78a31cf4f775 e9b698156a2ea874 a855b5e78d8bbc22 df80025fcffce42e d1226d15ad6542f9 154b1abb9a719020 2129fe4e75c97f3c 015f037a11a50146 9d7d6ffd1308012d 822eee54eda9b1a2 39363ce4d4ac3160 78dabbcec96e2cde ce4e7dcd36973336 f84eb4cefd2d9c36 d2a7ee922d424602 44b18661c6645db6 ea5ad18a693ff704 07e47e63bdc6fab2 b6b9bcf17e66eab4 5815f7cc49df86c6 95ba6194fff7a21a e666049d481d7f09 616cffa95483e792 28ccd6dd5eab65f6 937c4f4882bd6dcb 8f23d59db737bb75 c69521cbd8c823ba aa967c24c9c075fb fa6c5f23d109a88f 0e4bfb3f4a168a00 39c7b4dd2366a7e7 24aea80088e7f426 8ec05f44db8c6ab1 2dcb0579f564e78b 9631b75ca5b7d5e3 d07ce04dc1137188 98473c5025374cd9 6e1005e52aa10d25 0fb67e0db5286a09 b27c4daddeb00044 0751a1f2edf5b22f b6e9268ed0e662d6 b8bc853dfc3b31c5 58638a6be19f9b03 34ca8d825c44c326 43220aeb512d49b6 8db91a7f0b65e2be 8e6da818679e4d46 121754eaf3ff5fa8 7d28510536dda9d4 755ddbd324337a8f 58bcc4b7c40f033c eca67487207b230f a5d8f2b5904e805f c462db7709d92c3f b82cc42f8bd99511 ddcfb69992118172 28fa16e6191b6596 b8f210152bebdb3c cfee9cce3f78b9b1 11a6132d7e8e6ce2 0052cf3546b614f4 e6a713bac09b0351 83ae11d86460c51a 5d8f408a2b291f3c 036e85b6033c4ec3 42d1460279d19cfc efb645c743ff3b9f d631618da013abe2 4ed77b38ad4791e9 206cc3f31c6fdfb9 f2ed2228aee0a05f e00a43e1d1048ef7 ff2f2a93f533df70 4b993b15673fbd93 f747429822f809bb cd3e0df4d3fa10b8 f40feb4648fcf6d0 f695fd9a2d857888 7bdd2ff2a3a5da2a 607f6b201d5615d3 0d8ebc1fbcb058ef a88e562543e861a9 c10b4abd7d42374a ac946abcce92ef4b 75b095879f418b3d e8a12c61ec6a3bf8 cf9e8c4d3a3aa63c 36866f38b5b42b42 dbffd5ad6b4a566b bac3044cd140bfbb 9eb6cf6229c192cb d62d6f078b6221a6 278df3c018a41d0b 2e1317f71f8ae001 c18d802db638e873 6ce225bf6f0ae169 3c7d8b27c1350a88 80ac7f1c09b319ab c7a0217802fa8824 f8b9d38aec542570 c2451f742f8f51aa 98afcf08455d6765 5ce1ceed690a71a4 7f3bb14ea9b4c998 c0f76c3c637b8cf8 72196aaca7d2e9ea 1c9f81394af9e3cd 0509149383f64d30 31bc50240211ac62 9c722ccc2e7c4b6f 6f0b94d84b4a0eb3 9984172a7381e50b 38b89945bceff0a3 604d875a6ba2e836 defb9b2ac716c646 e28497b4e216fd59 f5830aca13349684 8eb3703ff06f2c1e d4830a86eaf73770 873ae9d2849ba615 eb46d7b0ee036f2d nettle-4.0/testsuite/slh-dsa-shake-128s-tc215.msg0000644000000000000000000002624315141166425016326 0ustar002C44957090A80E5E 80211F485C69B504 64DABC318A9731F1 AF3B352C068A2264 4CC00EC771C9A333 D2A24079674F89AA 2F9A0ECA7472DA3A 0C073A34DBE100C0 9B8798E613E59F73 A431A465D23DF8EA 6F110E074ABEEBE4 A621AC103D486477 0713B76039F9BB3D A259896056815CB9 17777C405808D352 E7D1DFCF2241CC2D 91FBE72FF61061EB 5167101E10D2B686 F1CF520976F572EF 42AD709AE40CA4B2 7799320D074E886A 81F235CBF7160057 6CC3DCC7F444C7C4 08EE7D7F7AE2DD86 320735112A2349CD 97464E3DBA7ADDC0 2CEB7DC293D6B9AD AB5D30511C1FB0CF 30EF45D5D72C42EA 86709EAEF1722138 409A9F2BB10D7677 DC0C3D6D0DD03E35 F53FB0DBB31E5ACB 162FD00A4E96B9E8 CA3D215A55A60FE1 CBF9F332F8591956 7AED45AB5BEB7662 F4F4D1C1EF4170D0 3E36C62626B9223A EA0CC729804FC0E8 F0BF4CBF67F71F91 63481478E0FAED92 227481B9420A15C7 ACACA27B7CD9AA08 6DB2BBDCD39344C0 EF09303C80CFE68D 8743032A582D9AAC 9C2053ABB70E9A94 849447C78875D626 9EDAE6DDB6B1E7FF 585A8A176E2E9DB4 794352AAB9E39AD6 E6E6ED67CE3EE711 5B7159F6E214F0EE CA0C8E52E5817B71 FC16066F873197F8 D0C9F1A6A0B10CE7 AC6F98E9A099CB7F B3DADB51DB6BA0D7 8D8D19DB259481F3 5BFA90AE93A3C8A5 5D6ABD855808FF15 F12B040825F3F260 77844A68576A5169 F5F1F2A0AFBDABB7 E30144CDCB185CD7 F6704577FD76E54D 9A3F6B3F5BABA6A2 38899DB5E0F68537 A3017F0A408CA0E3 C3A514FD0C89F293 A6D29635F44EB962 0C845A6CFB207D0B 6E5201F00A8C1F30 745F8D150EB22792 F599D55D01F389A4 F2899660BD154351 BA22B0341CE72C7C 2F98287DF3ABECA2 E518813E72382E1F 861DD836084FC99D DD81C0FA550CAA76 D848952F120FC2CA C09FAF86B220D27B 1D0640C75E05C5C5 C83B8DB576AD4294 9E345F45B34C26C6 E5373BCD1491D96A 3636A798A049AB37 8D497C38D6A801FC 6DC3188C8B09B2C5 9FE1110A3C520E44 74635D77A9AF58B7 C0EA4E6612C5A7F7 41782023D54ECD94 AE5148F8016B22DC AF8EFE7D9F42758D E6EEDA599E6117E7 D912755F2FBED273 E1FDBA1E3D3FA59B 44EDC729AD810AB6 D74FE1A7C1AF9268 708637A60766C977 B7ABFFA9F94CDDC8 969C0830C9876E11 B97CC5F936891FE0 A7B36B1B073B374C 1E91B11B93C4339D 481831E08F391CDB A13FE23EB2E70868 C7936E2DE926E1C7 7D986AE66310519C BB78E13FF2E67315 E15541E803B5E488 77142BE460EF152A 5724C7034FFD31E3 28E5F39770807DF3 77CE1CFF5038EC45 9CB9E394F37982AF 0F51BF6FDAEBE3FD 549221EFFA80415B A81F5EE29E257B16 94A1EF32FB857649 D5ED18B1DC2612D6 B1BA24CC4F80E78B ECDF1A6AC3579D28 039B95ECC295B879 5E7070E10C2D3AC3 89223A3B4D7FB22A 8EB1C7B3FFD5BA46 CF25DF16E99CF9EB F6724B02AA753DB4 92193F7E9D6C4DE3 B27F89BB80AEECAA 721B574AE2CDDDC8 A0D8A79B6265A917 6D4862EB7F2D6126 6FC1E4C66499C49E 0EAD67548DABFCF5 05BEABFF93BDA597 46ED55444DFA57DA 6FE5F5DEC3E3874C D73B5807FCEF05C2 8DAFE6D707D00B65 A0A7A9ECE69BD966 B46344936D8AA5EB 95B3CF9F22453EEF DA3BE026610C3DB3 78636968CF1DFFA7 DA7B4D3ADFDFFD6E D647E3458384C80A 0F7809E642B3E201 9E23736BF87B3379 F85323EB504E68E3 2123DA430EDCD7EC CE62E30296F8FAFD 669D8948C31F91B0 8BF2215B70976CF3 7B9FDE3DB1499E28 6B368A8A2CBE6B1A AE9482BC42E38200 608B8DAD04432259 EC10C00113A992E9 59CC2B451FF13C18 9F269E93F058043B A1F1E64432F8F497 7CAA7C68D60B414D 287315461F24F246 CFC0A6F8DA9F0468 78970C54F6BB5C6F 124B6A11380CD845 1F7932F4C17DD3AE 46DCFF8F6706E3E6 BCB474AF5060C65B 67D7C3F3D23823CF 4F0DFFBE85C01DED 465DB4BC16C446D6 3E3C4A5BDB27531E 37B8B5DF6A1A0BFA 981553ADDD212306 1050D6A37EFD141D B62E0DDE33BCE5A2 BBDCDFA9C72E3E1D 0133BA2AE1FC044C 1A7D18C0CA0FFB17 627D0DA9380D2D53 4035AAE26E3E8429 11A1B37914769AC4 D746EB600F25D766 BE4EE74B574FBEB4 ACCFA17CC0DC9306 DE27E6A275B96549 C865F9F7C1DA22E1 B16BBE01446250F7 4328337AC06329D0 3DAD3B310789D17D 502CADA84702DCE0 4961DFEAADD0B319 58ED2B4636B57676 0D40F99EBA6B4390 556CD2F87BA9E56E 6E6A3036D9371137 4BF59D4A1927E922 2429512C704B4A79 98B822BE08FE0EF5 38456D20D89B9F5F 6D6AE905E5DB4978 2ADAF78A9F1DB4DC 8A08D179967EA134 FA8226639F13FD1B B3F04A2427D5816A 32B93CAA3309785E A80D34D5B6534FB7 8F11DA66457B3167 852B94177B5DE9BE DD88CCE6353145D4 E86BDFD17B824747 07C58111935FF3FF A072DB79DE61CA88 DEAF58FE9B577C11 226EC6397AD1DA61 A5727845E5C86E36 86683EB2426843AF A55AA255E3ECBA80 0B67D902957A67DE 241EE221106FE281 053CEA55D88878FB 705CB3E1B0FF7F87 9488B5C74A747270 BD173ABB64B30B58 3C535463734E08C0 2E237708EA25F55F DA46D51CC71ED55A 9F5DA4E148A71FE7 649E06A65E59CD6A A47CE51FCE12CE62 F88362839B70F643 FAB3BD40B9AD3C14 42451AB987EEE23C C9718CBD61CF0D5C 9E5D8E85BB622D7F 578E94419697DB31 3946EEDC6F6CC086 081DE5C9F04DD18E F453D895DF765A31 2289254875EB5AAF 3B7C0A325E02B076 F26EFB169450097D D6092CF04717AE44 794DDE1FE2B3F504 337919F9CAA89821 431FAC8DBAD47E01 A908FB6AEF8E2954 76D5DBF723F3959F FBB6EA1251B286D2 731C7E706B241A54 4402137852F0BA1E 8C6BAC517A0C3DC2 9017B2D429C303BC 814E5AAAACB6BF23 26560360B625B7AE 8B14D5546F0720CE C62B272B4740AB47 63C99D099F463262 C01B589BDB04EEB7 43FA15D40A66861F 57FAF0DF19803E7F F1DE64A5DDFAA9A1 E8E0BBF52678C9B7 0B40AB86C09D26C8 6E7A0448E71B437B 117F14A4BBF9F8EF 81D671312EF59A5C 42D8FB5DFB50FE06 83209ED5EA2A775A 12EAEBC0D50C9006 9EA7D6BFA3A9E90D 50EF735F755666FC 40E9B04C00969758 9515DB1703EA4BB5 3771B3624C3FF033 6D9F6C82820C6FED 02EEAB20C1C87751 0923FE93DD56ACBC 71F56BE54368EAEB 0A721478E8A17B93 A8B86EB0A7BCABA3 56F7CA362BFAA582 175423FEA017A570 9E52DD6D6BCE48D4 5A298E82D8C41194 F30CFDE9D9883EE8 DF80463175D5BD36 3B4674B8519FB054 E0A4BF69E385025E 8598D35D4EE0B712 0B2F0C1B22297819 937108DB22972DC7 6A4CCA919B4917EC 9C695AEEEF50A743 22964F7E661AA0AA 355AB3FA729FC7E0 87C3AEF624D9A95B AE7336C2D4AE7446 6B7A7AE977B48A18 42EE6A44A5C55FD2 2B2E9C649713BE9C 80C733F032E299A0 9F58C0D272F30F23 27450AE3762922E1 6468A56E4E139F2C 4DECDC86D8B15D4D D2E16EC7A7C43BD1 9CEB7737400C895D 4E0BA290306C810D 206796ADC4AC0E9F 7C4AEFFF8771ED06 F9D5DAD021C093E3 9AA132E750DA97C1 E1F53994CB35A776 BB99F7D4EF23FF81 F3F36BC82D630259 FC61E26C22CA3874 1EDF2386F2E0FA64 9E0733231A90457D 0D55B1894EB6A005 7B2B74C599457EEE BC116435A10DD7A4 7CB97ECE687E8571 277CB1A1B8F58583 14C593C984771E1D D69BA19F016DFABF F7697ED439B5CA0E F4F93CB762558A5E B165A29BCCCE0DFA 8EB884338C7A6A64 3414F7425337E8B7 6160989272ACD55B CE2E196BD12ED4EF ACD20B226D2B6E8D 8CAE6338B0588DCA D174CAA1BDBACD99 DBF15EFB07F61397 4DA89BE002B92B2B 01564C3F45B14D2D 292062E4C6219747 B30DDC995770E3D8 EEA9E9FD86B7EB33 5990C2550180A7B8 8AB66BEACF014136 A62197EDED84BBC4 AB4EBFED69D7E395 0B31E607583D694B FBCA1D12348F27AD 9653D56A4CF7653F 981B926BCBA382A8 C8A07AF7AED88A7C 8BE4E552C454DF3E BA8A90EB80AC3685 2894E0E2B9F52FE0 1CE26714CDE13727 3E5616837D8ED378 FE4C60FA849E8A30 B548D8E6FFC8D2A2 6862E097CCDE8B1A 85148A0BDCECCD01 7ADFAB8C989843FD 7933F358FCBC3BC8 62F3704A8F4E58A9 D8F893C79C0463A8 A0D5A33B913596D8 AD70E62487631318 DB261040956ED71D 1B3DC12E70F06E60 587ABC10D517EF73 3405B9666C73E69A 2703B70A65BC235D E5785381A9CADE66 D752976EFE3B1C93 3176FCB9CCBC966E BE6AF94E5745B3EF E9BA4BF1AA21E930 BE852302E1A50520 520E5018AC0C1831 69FDA392FB9DECFB 557814035C6EA182 8EA8C6E4EE006C62 FDF4EB43410868FD BEA85F4CA378D985 6A11024D0702153D 529121150AD6D9C9 4A470BD522570D58 C61B0672ACF414AF BDD0BBC7C9B6A908 C90E9A4E612F19C4 1A0B40B728975525 D9CC04B00BDF4BED E08244239BF3D58B FE336C787CE625CA CC1251F7E1F43202 F456BB9F42A73C36 86173586FAE6D76C 0322AB5A994A7C95 6C46584815D20515 083E09725FD8AEAA 8E06C2F97C911125 5A67C9E7093A41FE C91B78F052CA3C48 10B1170B0B31D3CD 09B594DA4845B0E4 37AB12521B16C620 4A15A333A6B85F23 E10B3F2D7549D06D BAE4FDD05A8B146D 4F1EA9B2ED1D5450 DE8D54DC9E8EB207 85EF665CB30002E0 5D00706F66A5AD9F F142C158BFE51247 68F22D78292E6D2A 546375082B05AF11 7668970065BC420B 057E0B0BB8066AFA F8926263117949F5 00D52CA9B0B31EFD 4E7A5F2ADF0AD9CB 553EF172246E0080 0D25BB4903FE8BD6 92770B3F87984AF6 F12F79B8877720B3 DB65619D4FDB6C0B 15B442FAA90F2CC8 33E6A1FFBEB530B7 DB404E907915344F 2065582FC6BFBD34 76C9F4B85025373F C0F3CDBCC7411834 95275C0C10E3D509 6D9220E14FECBB00 A36840D7E9C6DF38 4D5E744E1EA2E141 46A71C82C0609DB7 A0DD7F2F5D859E34 42EC5EA8825FDCB1 AA1C6CAD9B75E7EC C17E66ED21FEED01 11C336C5778954BA 0C0FC4068EA3BFAD 953D80AD61AF7AD6 A3F6B8B23FAB4407 F2EC4B410C71EE2B C9CE5D154C8BE37A 30A6986505DFEE5D 04423766B41E8969 251191711DEF532E A2868D500C7F19DA 5D6DD0C914691983 5E69315FA091B157 1E6995666541E800 6FADCE1E634DC736 A2D7F86675A8D3BA 78F7B306F0C2DC71 A5F19DD3B5BCB256 D44571E824917B11 6F22227D035748BC 3D4B231897BC46E0 96F2B0DF5F3758C5 55FCBEBD6410069B 0F4AC237A3726455 D0FC0B0E82075292 03D5F92A2C8A5C32 5AC6F068AD18B848 59A520EA4E4AB58F 1DDC69BB69B28B45 656BD61C595F402F 341182580281323A B774C10D4CB7FDDA F1528A6CBA9043DC 1FF2EADF536FBD1B B36CA24C25A7E2A7 48244CAD8FAB374F 4B298C177BF39CD6 5DA700E4297B5E03 2250B9840748047D 69055F5767A0841F D6135AB173DF6C6C F0A9952A254BACA8 7BB44E13CA0E63A5 DB00F6E75F8D80F2 D22530D523DAB770 6483926AEEE07E60 ECBFE4E893564407 E97E8C2B4FD0EF82 13830AA3AC996860 9CE16A0E154C2468 2B46B74E109476DC C8DC6F8C3A5351CE 92A7B71248AAA6A4 0EF47C0A330CE359 0AC77FA19E812ACB 96534D533E765518 EB9D1BF9A62F2FAB E856D03A5F0D3015 30AD02906C3D6BAD A05D4178558FFBDE 2FDB17632214070C 57EBDF0A2FCA28D8 CBA3E2395484F303 003D0DAD3B8697C8 61FF0587E6FBB812 E7571460416CEBAD 0A7DFEED575CDE34 63FD5EDB26EE646B 4C21761A783356CA 903A9633B957015F 18349CA0F2E3E9D7 197DBA3DC5484C7D 8ACEB742CB04E1A6 1EF1D04034F8B21E 3B2424736CEE3A03 64411E59DA74BB61 7ACA2B6C753C833C A7088E2CE74D1937 D795B181A9C748B5 3A2C7F4F4089AFAC 1EB88E4E2F8AB3EC A6CD3BB4A47430E3 915FE38921D91908 185BF628292A0AE3 BD33A11730AB97BB 1ED35BC3D0601130 55A8794B6D6DE0BF CFBEF9C745D2C001 910C15B5A5868C0A AB50F70199E8C711 223BFBEA2B9BEFD2 E8479DBCB6420B15 D5F5AB9872336C50 92A5E75D3FC9076D 7BAF0951E895F63C A487E811D71EB092 AD36CAA05642C02B 8CE38022D89459D1 5974DB66D5B94CA0 9501DB335EF93412 C8C0F1999A60E257 15DE0A35368C3E7F BA470A0B3178539F D06501389AD60997 18B6AF1714141963 800DDF28581D0596 3A750968904CC977 D705ADB4C46264F4 0663523C2378F4C4 B09B58FAEF2BA57E 19C59BFECB10FA6B F2D29009D8CAFFD9 08CF53FE9B1F5CD5 74D5798BB7BB4A67 0F867EC33B6DC35A 61EE5B7F4E689929 2610B63A93B40498 88D76B8F6A5C594E 52DF7271F426E9BE 09E6B2A0B8E5ADDF 64E4E711099C4781 F772E9252BCD4014 8E1364FC48FE0E0E 21BFD6DA35FC0A72 FC975CAB70E862B7 DBBB6F02340B7EDF C0E89CC257AA77C1 9058F96B54223C67 741E30AAAC01FC2B D6BCA6C0BF9E671B 2B2AFC72637F902D 4209AD6D13387381 7B2FA09C26A90ABD 5AFF42E8D7B9CA3D C50CA4C7A4B89615 BA5654B7BE572B18 A47D7A8ADB2C27CF F2A02AF9944B8396 C06CC43E5118FFF5 B97CC94D79FD5D85 F9D6335B508BA989 4BF5E0A4AE4F9283 A4CDB41CDC24EFD8 D8CA1585B672C4D2 44D84926CF286475 88A06340F0D8C0CF 027FC03ED0A25E43 FD0283B401322AAE 35D07C6E1E940365 0C85BF3A68ECDB5C 7E17B7E121FAA3C1 4668BBD38D70FB48 DBCB2DCB343EE6B9 61E1397364A4ABB8 D61024FC7A057A63 9CB1AC054E644745 F823DF14A5B16CA3 1332E79B5E3F73F3 6D0937D4B6F36CBB DFD27CA1E1FAEB48 7D97B2D79819C10D E4DBF0E6C05A3618 538EFF39ADC4DDAB FB772D67BF517E04 18A8F59458C6826D 43E598939F68320D 3A3BF360FE04F072 2B0A9E1A8604F37D 6E8F4EF367705446 EFFD3E9D3609B69A 92B46CB2CEEC9367 9C5D05AC0D716A81 83CF9C5502C5C2A6 EEC14D916B8CCF31 B7AC8BF186764C0A E551B92A1742083C 8FAA2A063A6D461E A6F2281BF778B855 871CEE15ADFA2BAD D5D6C349E3689916 DC440A23E2574DA6 C139ECB22321E1A9 9A9D93B059E5819A CE0C5D8714085792 A54C3CD82252F21B CC48FA2E95F9BA32 5DD8513AFB3E6219 1D2D76D47219EEBC 6781ACDD533F81EC D78FEEBCFE9FC745 E1CFA102C4BF1451 2A9018A33FCAAABB 04F8CD5C3E9B01FF DA15F9108F8DA935 D0B69F1CD5F2B435 DEEB79553E5C02D1 9F7E49A8D498FB80 EB76F579F4F33CA3 E656FF419C49394D A1A2F4391BED75D0 8FEE03CC308F8CCF F73B650F4055D8D3 259442B42C91C0A2 4A7A386167F2BB50 8535CFCDC6613828 0A2BD25CEB84C7D9 035C2CD73EFB055E BBC92D69B896FBC9 985093082FDC3051 6C80AF32EF7C6B78 E3F0F763BB53A119 3DFEA9F7B2A4A9BA 5EC1D956FCABC9FB C0E82BDF15435C65 C0E00E62505A8B71 A790B3F8D7F13997 60C4754BE12C58F1 5347BD47C548A9F1 F781E8EC3C0A7ED3 0DBA83559D1C437E 2FF027BE3453E6A9 CD4A6CCF2D992C2A E551151B6F698787 83AA9FC8D5263CBF 17EBE0F1728F420C 9C5855C391027DAC 83587BD9DC5A6A10 E1 nettle-4.0/testsuite/slh-dsa-shake-128s-tc215.sig0000644000000000000000000004046615141166425016325 0ustar00EC05CF2F20AD5120 CBC0D76A2DC35776 F0CB66EE5E957D99 684CEE3E20E40F71 DB7F084B8CD5D17E 2D8FB01943B5B665 4D944255FF18DF17 FEFDCED047AC0BB7 B6BD643975F77490 479FB404B3901C37 EAD64C45769B77B6 5BAF437C1905059B D52EF67DAAE4081B F63EA79A6BFFEEFD 2B0988A2D564DD47 BBCC710E13838AC9 07AFCCDC7A36DAA3 08144AE2DE131C96 98329FF102DED179 27351DD0853A71C1 D3C1F43813DD037A A77BD15A80DC2096 36F1C731178304F2 EC2DB62883FC45CC 2EA85C5A27C9F2CB 30FABC1474BED318 F834125C71D59085 4B0965A7896F6B4E F03BC5835BB95700 C004AF78F3CFD5BD 1772F645B11B5E84 B176E81522B22900 23BA386B439025DE 5A72A0F3F20E1A56 3F0BED91A94256C6 19E2B213C5D5EBC1 6EB1C387F0EBFE5D 1A0F5AD70A5463D5 F2D8F184A371132F 68F3DC9BB11C9461 339B282000B0419D E44C5005D57FA44A 4EB22FF11A9A3B09 8350C9D85C5646C2 68ACB6752F958AE3 E3DA87B7CC59280C 750EDAE217444192 0A20F9D90CF84FE4 78FB376A610C0190 61ACA014C6761883 8953F40A61AC32EF 9CB7B295E69322DA 4F79BB85305CE1F5 1077703182500A42 C3233C723C0DF971 1A45BCB740387A23 CC3BD1FB3B9895CC 204403C58DCC85B7 66E6E0F402D43356 C8BA56F863C6435B 16311A6AAF6BF0D7 3EE556BED9C75F1D 2D43CEC3D2ED4984 B29E67130CE1E5F4 11DA8764C9A49BC9 5D4EB84854737CA9 3AD32DF3AC4BFABD B1F41B87D203BEA7 9BC00C7FC54129FE F210A54382D8A78A 271014E2023E1231 DDD8707058C5F206 9B759ED79CA57DC3 FD379F390F18EF0D 3CDC3D5805C82FFD D6DF50138987DB5D 31308C42CF7F32BE AE2D07B082D37517 6E951DF6365DCF84 BD52E0463015BCF9 B6EDDEF826EAEE37 B2B7F6AC11D7A1FA 0734D564CB0D956F D0F3F9EC308A36D3 0D22548EBC600826 BADE1CD54C5D1BD6 D9BEFA6DC0EC74B5 B3AC37E148B58434 8619C359D051231E 31A33102C7D42084 CB4ABB62801E1C20 C90D8B75D0108C1C 140B8D44858A8E07 38AFC66F089B5E90 1B37EED4C13D887D 0FF2395798849AD0 AB82D0889BB04C56 368A0764131CB221 5BC5597DFA88EC5B 6C587A09077C5066 89DA0F822D14ED17 E00C971BED9ADD8E 520CCFC555ECA1A8 37A08341EFBCD9D5 D4743EAFE3C257BB F7DD431EA36F01CB 0B7425AF69F38830 3A2A0C98FF9709E0 89759932A5DF5DCA 6D56723F9A889CB3 FE801F324E4DB625 6AFBF9873E699E2B D3269648D8ECDFDD E1613293ECFA266C D001C40722A86F58 C873358F4AA62CC4 DE38D1EC76252664 29114491A5F6FF41 EEE4652B3B163752 30D7B5443642342D BAD17CDABC2EC4ED C672F009BCB0CB28 0DBC9315496719FA 8401869C81BBA095 BBB0FFB79225BC5F 4C604E06DB2BA1F0 556046A28C26B301 22027DE2ACDA5C09 73B38C72E5474199 81D8C0B298E98F46 5C3DA44F9EB0627A 4EBD5143833614F6 30DA7113AAB1DC8B DCB3CAFBA1173030 22DAB7C28F5DA20E C9A12AF892EFA73C AE6D04D277933D41 F881D58F06B53A9D 728CF34A0D9DBA7D C0830CB9C202FE0F 91C459B6F588D570 7D1833E1BAAA81BD 6F778250BC449B06 5F769971830A600D ECA2068ACE817A0B F75AFACAC1C07F33 A8A662618C1C5D2D 6C91CC6D8975BFA4 35887F083DC3E28A 97B5F37977820B1C 64E36B44774AFF8C ECF493E9D9C4E757 ADCA0408E88AA160 D95ACC51ABE9A5A5 6CC9010F1447BFAF 1DE4FC110D0D364F 4A2C946E08D72C10 7A7F705CC12A3FC2 D0468B58C08CDFE6 B1BD37778F39506B 45C8975CF0D88549 3EA44580A13CEFC5 74A4C708ED7BAE60 F3473F26A13C3002 4BFFB4CC469301EE CF422C7D8DFF7B6A 4CA964BF31FF8080 9DB11F097406783D 298F0BE8B00DBC25 68010411EF5A7742 0947B63E69DF2611 E13CE3EA79E8C49F FA2835FBEADB33BE 2F499FD04CEC72B4 008E9672B1233336 105BE3B90D8F886D 5A7104F9CFA02522 1B993DA498FC7322 2812AA0B2C979EF0 9D6D2AE396290B52 85C97491379DFE92 F19B8055120FE664 9B61BBEAB81F78C0 8FAF0534E70B8D5B 445DDDC7730AD683 8494A66645901937 CE98692FA21B0B69 8DF860CFDAE516D8 594193F9CD4BD7FE 6A67BFE46DC7D8D5 E07CBBD6F303C18B 42BB783DD98BD04D 6D4D87A9E63B49CA D882E0A5090450B6 CDD3F1DA88F7AC34 CB858F51D08042E2 C790A17AAFBF2272 E5BDA5533DC9B1FF ADA0A6E1A8019997 F814394BFC82306D F795D9A5E14533DE 17830E5DCF2206A7 4FE969DF9B92C76A C8276E92E06030EE 5851892FCC1B867A 459E101D4AC1C4A6 2A097E2CF3BC125C E134774EA8F87BF3 181F0D15200148EC 69E9A03E75785609 078C8E652957921B D32129B18B944CBC 8F81306B61CB5338 978412699FC498ED 9B405E34F36B5898 265E1484BD72CCBB 62B5B6B81D2368E0 6F8379123B43D5F9 AB57D50FFFB816CE C6942AEC9A8E68A1 E5236366049EE7AF 840ED6AF2E422A77 E7D868D38F636F7F 2C9D8BFC323F8C35 3F2CF09F10A5F0C3 C3C4BB34CE797640 0F49E985609AD994 C241F6E072AF1FC4 EC1AD0D8CD197A8C 27F3E9A0D74A6FF7 511A20CFB030DB95 784857C17B7DA4CF 82D92C5F9AB92AB4 E71B7515F3A7C5D8 A2EDDE281C30834E 843BD36866976EE5 6D4A5AA80F6A4AC0 3E48D5BEC86F98CA 6D48BFA649D2EFC9 04F9411D2D8D1722 1488F2F27FA0CBAA 98ADCA7B372692FF AB5C326C37939B52 B44B7347F09DE1FD CB8B521E4BC2DAA3 90F8CE0B0BF14F41 5B1FAF3D7A22B70B 91F89BD2FC1CBC88 F476B4CCF003CA11 E7F435349EB98FBA 059F8E5403EEBAD5 CD5380356010824B 4009C54B1C750350 A88BAEEB82A01E3F 093157B434337385 1C1CC17F28E810D3 220B2415A9A44092 F1424B2B842F4938 24CC48148A836132 047B6F6B37F2399D 87CD2E0112C752A8 78F1923303040987 3AB8243C96EC0439 C1C8221AF5FB2C75 8AAF83F0C0CA7DA2 FF36D3CE3232A13A 6CF5B73E0F256FBD D1198191AF68D86D 3BE5D3EFFDCAC0F5 A82D07C3CAE9CCA1 ADE3E79535D1C702 A65B2A9CEC9F1644 4A483BFB09E858BE 8EB9A9CF1D6D9B5B A8E31775B4AE868D 77314754124E4CD7 CC2A8A2FC03B8F69 CE5A4A7D962F967C F276CFB99ECBA695 AF50D9F06C026E8F C2FF826BEE4AD762 8156C8E78A3B5368 AD421E624C5B30FD E76075499DD11FC6 CD14E29A25D0E9C1 00E7A1DA917DD90C 2B855EB2904FA816 343F44DC03D5844C 13916181975854DA B75CD1173DC55360 F789E9777FFBEFE2 588E7495568A9FC5 42DEA478964C1B06 B92083C2E1601677 A93CFFE00AD541DF 6BBA279CD1DC7912 448997303AF1BD71 73963010E58C35B4 5054E8DB28C119A8 62D2740B67A35787 644DB2DB2EB2E151 A0217FBF47C25EEE 66CE0FA8480C536B 36BD3528127BE3D0 D109723D22E9BE7E D05F94EA31E0D17D AC6679543417E2BB 8D33B3B684BE88EA A6F617142FC8077C B78485691BBADE66 5932A57EA82D3B2B E371F60830284DF0 DDA56DD929DE9FD1 E2C7D9F2B42784D3 FAD345E7FB996C0B 9B590E8754BFD485 A1E140A2299BBC93 B8262881F018B88E FBC26146D79DCE45 FE8A8E66A88596B1 279467ED16D4EEBA 7A141C2A89D80AA6 566DA3D512C9C08D 4EA7539F0032C1B1 6AD87EF57BEF0B5A D33CB589EEFB9442 5C5CD494F8337C45 D3ED37E9A100A3D9 C8E4449DA61A83C7 A633B422745F726A F580E7DA6F63E724 3705DFE0757DA1B1 2B7B7DAD0CBB8C15 FB15C0B0DD645D3B 0AA89A11738CE85E 3CF48AA5D74AA78A 0D056B4D0D2D7411 D0BA6F04494DD525 EC5918CC106D8B44 0760F1FCDCA828A4 527DD9EE9BB99B94 919896AEF265FC28 3F6F414FC1411CA2 4B4793BD47EF0AD8 8C5FF5EA4403A95A 2966FD801E5B2328 5050DDC3310AD383 7E3D2C03BA7BE437 9DFE50F822C23CF8 3B1F1E786F4913FD 76A9B857FFB1DF01 6166A0577AC99CAE EBE75DDEE09B0A6C CA94924D9684CEAE F1B1CD6771B627EA 8E0B6D2BA107B09D D568F218AA453301 BFEBE6E8D99BF610 F6080072D068A815 3351DA8F1C094FF7 23AF0BE51AFD0B6C 04FD2DC52634B5BD 22211B965374FDE9 75AF11D07AE00040 24C6842B7AF6E314 68D953C1D54B693C 5ACB72CABB210626 967F8D17A22A0BE9 D64ABFC21DC125D4 13F44AFC8104961E 23468BB65C24C509 10C4426852492DA0 639EEFB4DF2D40B6 5DC3D1012A6DCF84 E0BB5B9582B94684 E0E5CE6063457CA0 1F4E61426DBCBCD6 41EC0F9C1811E56E D9B758E328F07BBD 4E12FCC5C2382CBC 189FAE8EC49F9B0A 5694CD9DD4121C9F 2F35602A419AB963 BB97AAC580F615CD B02613804D2BB48A 825707E1B81087FD 06A601DE6CAD86E2 A9A066EDE483CD16 3CB88D83922CFCB7 FEC0D783608C7B6A F06902FAF3CAAFC2 20461A11A6E84220 7F28436FC3BE57F8 B432418616B79A53 10890EAE143C7AC9 28C73BD783BBE910 B75E790E87AD055A F45A7226C1AEB159 5CFB964883565714 036097625A65C834 BD51A1C5AAA589AA 87822077477AD5B6 327919F1A1D02653 591188845959C387 955D3C042382143E 15C78005AD512BC6 89B9882C471BDF84 7E0E1215B688A04A 7132E878B9850D9E 6E2A01BF59EF865A DA260F6D594671E4 FA9AAC5C2F1DEF8A 4896A7C6E1D4F469 67D42C87AF8E6F50 C78564CCDBABD804 B88F4BF0583767A0 D9F14D9A7BD2B8D8 DF83A776426F6504 11500AA8E3900314 D084C397D698CC53 CA2E61B17145B0A7 9770995A42870BA9 40FA5D4D4CAFDA7D D17CA23134B4A9BD EB2CE339FE0954EB 0FF35736319C4547 6ADADFBC08CBC3BA 460501480665F1F6 B47CA2EDD0752E25 A42586039B20ADC9 7AC6E6CF3F2E2567 94978FC90CE21EDD 48AD92E897ABDCE7 670484D627DC5411 B724841057D0200A 03251A8C866D0974 6588B125748C6DE5 2287545C8D29BE30 4D3F1B2CF3FF9F29 22EB51FA0A6084A0 BC8D118AAE7F7267 9130BF04CA84C8E8 86736B37E32E6BD1 723D3C292ECE66CD 443C87EA88E95FDF A067A0A25CBE24C4 557BF3271C2544CC A6871FA072B129FC 6DA02570520A3205 27B5C415A69DAE83 C210BF00E486092F 927D27163166FC36 D0DB68B378E998C2 BCEFC5A51B51CBC0 5137C852EEC1E579 E09F09C6661F4135 9C98A85A92E5DD87 C5683626D403B5F8 4455EB981E347B64 682B34F7701270C0 152C18BFC152113A 3AE77CC11DE05136 24104F9FD70321D2 A40CE0515C0E2907 A106831B00AA641C A0FBFA6C5476ED06 2F231B638541611D 2429A1C6C2254FC5 71C8A3E6B4DC35D4 E12FA01257E9C821 5FC9F7838023579B 8939EB1EC332CD20 D51077D1819C518C E48C34F52F51A69A E484AD9C24D506CB 87AA0F70CD7CF7F8 09BE6565931040F2 D08DEE84A4EE7FAC 72205C0AF6CC598F 2E4F6BF1CF77BABA A618DCC73ABBAB38 F6ECD3A74BA3B699 DAEE6DFD0E4CF7E9 76A964520E9074E1 5735A8524BBF8111 3D9E5F4BE0EB94BA 495AA9F7476C8329 F80BCBAE5150F962 1209A44ED3CC2EFD EAD0255443062D2F 7ED3AA9EB07D65AE 9A50CAF90F2FA159 E94E3F3556812D0C 906CBD81A1954343 2AEF48D3F7456BD8 2FF746B7CED6A79F 4BE5C609C7916408 3103F1CCE81110BF 0D60D94A51594D18 F63950B974F3EBDB 6651CF99D3D66334 9457B4DF2912DE6D 76776AAF92AD63F4 E0BC6D5BC7001A70 FE74F2B499897635 4DA9A0CAEAFF6303 51FBDE5F6210401F EB927B76D23CD7C2 A352BD1CE3542A16 89AF1B5B7057AD54 D4F825A39CA752F3 0F8553F08EC389EC 7CA7370D2627CEDF B13E3DC34FDA3959 97531C68AC790387 AF31E070366DB7B1 80D6C8A19C6A260D 184DA6D363600955 366FAB2BED82E708 3163D59F192A3E17 EEF3807ED37ADAFA 3689AD9BC135B2E6 035251CE69BDC3FB E1BE9FCA9A92CC90 80974FE9ABFD1567 79F348AB0CA45412 702390950C3DB6AF 1010B908CA9B9E5C 9071D78D25C6ADC8 444720629EDA9343 402A8F49B9842E28 A8BD3705D9391DE9 D49E79C25FE862B0 13B9C938652008E2 DBF17D074A36E179 548F29CECE6EF258 3FFBC966350487AC B51444730689C528 637CA9F93319E7AC 65B7B1E65E628703 0E9E0D5E6CAC906D 9857E5BB4510CA0F 51870CC9FC77C3D7 8328A034907F60E4 9EA189A0968138A9 EF662461DD9D7857 DCA980467F72EEFC E40B4666B7C49D8D 0B33BCD12573C4B7 B1C3EDD69D744A05 01092851FFB38A9A 743F2969BFCBA15A 9D1EBA3B3BB6F09F 1C8C5241202EFAD8 4CE1D986E7FC1A72 78864D85387187DC 1E03AB02A62591BB C96FD6237F9C3B80 FF1DC915FEDFCCAC 3A7D47D647977574 5151B3F90CFB02B8 942E1DB62626C2BD 5378209A8E969EDE 1A3C18BF4240C151 C44A36A657C86CF3 2AB91B8D3A95A86E FCAD66BAC6E6E145 2AC1E9EAF0C2B230 26CE6FDF84BBC823 C9CE1307DC362B9D 572B6DE0BAFDDCC3 69EC554E4CBD845F 0E19C3ADBE04E05A 4E71C3482EA8FC7A 724BDDD0DD985E61 D2417B5E15595049 B2E609D517426D88 205B5CC6045BC66C 5FAFE7F733CC970F CEDEE3C0083AAAF3 419ADBB5BDAD84FA B94B426440BC4581 F1CA5636DD97EB10 0AEB019735590A09 C663B1C45F82405C FDE78C9DC8CA4DEB E8556B0493311AE7 483C4B2586AE08AD 7D22964523C25D6F F44BC10358352A2E 9C082A0C64ECA890 69190C8FEB41A4DB 9004C620521C1D15 80D80E2697EC79CC 8E5D6AA218F164E7 773A6961393680B4 1E1C1E55CEAB7DB8 83184DA962211FDE 031F5F6C92C5E2D1 928ECC2503F9BD95 BCCAA522EC86BB45 5DA887017439131F 81A36245EF6A556B C9D26A74D9303B3A 9F9EA9E76380F1ED 778083DB19DF0635 020DFEB596E22A1F BDB03DE20B35A75D 5236D998E6C465CB 42D6B54A34BB7238 DC004FAF4D6BCC31 0C091485755D238C CFD226276BFCA0CC 786BBD51F92979C3 FD0CB104F293DD1C A5BF80082BDA375E 2ABE3F564B00BD81 088B487D6654F41F B021953133A0A6CE 24A7E1A495C0E62F 54C81D4266E7A04B C9F2F7FA882634EB FBBE3BDB0CEA10AB 5B11B977FFF3B6A1 DA666F882E8ABE3F B6F287939773F22E 9C5D2ABF86AFA050 69C2DA14EED66002 A0EAF9488D8DCBE0 6D69E473F40CBBBB 400E31D9CA1C336C 7B57EED8BD9BAADF F1C700E36738A735 3C219B3C9B546E70 CCA04C738D177CE0 0F8A4BF9BD31291E 667CE709331034A4 21A382621448E259 4529730CD390C855 C12C95CB1ECA32C9 1D61458456A67C8E CA1C05E0E72CC416 523231047F5FAD87 EB37B2725B7C09BE D82713845B72CF84 F31EF02034D16E26 B6514261654F655C 3812FE9E5D558B93 0D4469324918E6F2 A5369FD8CDD7B912 F11DBFD709D4AAA4 9DDC184B78E05B44 120050860205A924 A81DF62BE4192866 52EE0206060E4F73 C0E554CF54FFBC00 98D5A91975F0E3DF 3C2850C3874F130C 5081E26003AFB01F B2D8C3F6BC49FF5C B5F328D38502F729 6245C8A3887776ED 3EE0AF3F74A38E15 83CEE6FB1B582685 3DFE010276331068 28E1720F954DDA16 145D3B2F522F8438 11A1120C81C3EAAE EC879222F01EFA2A 4036C9092D02EB46 43AFF3D429A16B66 43446551EBB7CEEA C528325517A55416 A1F246890FB9CFF1 8B8E8CFD513AA6CA E709EAB8177BF3AB CF606B300F38158C 07C46955A65E641F 17246235CEBFB628 A1468E3A85999DD8 BA1487834034D043 692D2BD411E8D3FF 0218256DE4CF41F4 6689B18F8C759491 82023558DC3AEA20 98FAD949DA4703F8 6A552B2E10F7D524 AD6263EF7F85488F F8AFE718000F7DEB 7A29C0170D436CF8 4161202283069FBA A37F345ABF310D59 7B49620FCEC633A3 505ADF966EE08F01 8A5AA8E00C1235E7 728F1B832B89081E 28B7A7C4B52447CF 4B2BA9FB225C4BA9 817E81077690D6DA 73408FC38A829125 5D5D079A719EB784 0BD0DCA02EABE360 DEC3CEBF3CE1A6BB A36B284EE7C6B711 3BC75EE5C4C77F15 98E5D2A4942C1813 BB8FC1951A13AF68 70FB8A61977D541C 8F1D4ED649046AF7 9347E164B6A275F8 4508D5553B264178 FA957A9F0B306597 EC2D98C3466C5EB6 56F65AB1983F749F A189E5D68C83A4D3 394E9D963625F3DD 671D2D6B54297DC5 94807E82C4B40873 85A0E365BB61EF36 15F14B48F2833BAA 0BA54BD584227714 E9E48AB4236F45EF A2A7116F76A43001 298455B5AB1322C9 33F37A6AE31E23A7 97763497827C1043 A9851AC9F743A3B9 8695D0C128BF5D41 B8BF1190773A6F2E 23B970F0D182AAA2 3262F4D5013B7A13 DAD6CE1F7A926E53 C66F6639C809BA58 9A775C7987347BB3 1ED9AB9C31485EE6 257DA4F258146661 F459411BC43B4B37 B11F6E3CB879D23F 81D3CC4C49262353 92F2BC8659DDD9E7 DABCB3478E52397F F17351DFCC8BAB9A E1F13187F5F78A6C 20F5F1722D9977AC 08BD6BB4300172A5 15624E3299FC1F39 1699B9B094EDD863 CEFCD59C07C5475C B765D859EE747165 95C6EB1E6E7C56D2 4A3748DE4D72C9E7 53A055014EBF40BA 7AE26E2DD5A246AB 0DE413295A0D23D5 1D28EED96A89138C 3D54FA40A5017D93 3D88775FD5CFA5DD AD7EBD70B314C80A 922D7E50F9AEECC9 71E032059964142B F32AACD86D6917AA 36B6AB906C7289B1 A09DA9DE85453527 16F5CC3643A480F6 6A1FDEDC4AA05827 E3C545D1F1F8E52D BE4843A5811DE115 981CEDDAA0B30E39 CADC31EDD9C70334 030E52495121B8CA 75ACF119AF3890DC BA370C4E4FB062C4 69A8117561CD7364 66B6380C14E51697 90A656DA6FB67A15 97ADF28268B20954 6A7082B0574F1D42 9931CC240BEE4181 E063171FE8D628D8 D12F2AE792D79294 66E797461CBA57FA 6D9F467D4C41518B A8C443F01FB12512 511F8A5414168F6C 09CF3DEE4BE1FAB9 0120CCFC434567E1 BFE0782C87C18C28 8100BB364160A150 E91EA92BB7CC6105 F9DAB46D7BACC1DD 527799E2A0D01EA2 EF4EF4C9ACA86ADB 51A38DFC6E471E15 DD0DA2396D0728BD E3634517D6D51E98 523968C919C827CB B1D395192B1BACF6 69A94D6D4918A3EF 667B716376974871 DE3F8908B1D36FB5 3E11E232DE64639A A0569EBB95EEFC64 E9580F278D3CAD1D C0EC908BDBAE21FF B36B726F779D8797 2EEFDEBA77CFEC02 7A9E94E8A8AD3B1E 1F5A84B257961F4E 8F8658B407C0A3CB 37B5193986F6A5CB 2BBD6401A51FBE44 E797142CCBBE4128 B3ED764B1A57283C 41D48A93AB21E048 571680D7180076FC 11FCCB4ADF936F66 3A9D903F5C3D3040 00577B22223E00FE D51B394D7A24CE89 BE322C8A7E03F87A 73DAD8830855D920 22E87686EAF4A8EE 5057A616961F8B25 9453C3BA659ED679 E0E0A5AD7C955DC5 D995220DD76BA72F A231E01B8CA81466 E7402616E3C982A0 537D79B6981F3BB0 54BDD4A442C4082F D9D2184F4F5F5F55 B39908A2EDA5659F 7C0FC8D53A942985 226CD312BEB50E60 EDBEF228F2CE117B 33DC4BB9B84A0E27 02CE5D685D5FB5EF F2933EDFBCD8847E 133F56E0D28F5555 5E76FD2C955361B8 BE0EEF9EC29652F1 9CF9B26CA8D5A52E E221ED9886C21793 61FF720C425D3CAD 67033CD0FE3AE487 C9FC511D36005789 D4D534C2A6BADBC4 4F255F9551F60B11 118378651784C9FA 8BBA5CE29984DE1D C63A45CC2F4B09AB 43165F543A855086 4FA9BD1EE1A6D449 C1BAE4F710884124 C96272918313C081 EE4F2D1FAA439C46 7A42D223BB347A40 D6F2BA07E845BBD0 6564D48DAC6BFBC5 7BFAD2C5E4C6034A C973B66B611950F3 EB9137535F5A6AF8 37A32B18C026C3EC 9DC09BFA31A2013E 7124DAA8E512BCC9 B03BD5CBFACE8434 423246BE9DA38B23 4E4FBAC11C0C5312 546E08D671C6C057 5EFF6CCA57A9C5A7 70FEB7CC3E6507DF FDAD7F455B47DA69 B5CF09BD8DFEA121 D197F5B753385B9D F41411995D8946BC 10F61B1A09846756 B0CF5D7B0F54A93C 71C95E2BA1BD8249 64570D50EAFB26C1 55E10CF2A2CDCAC2 E5680049094ED132 AA031BD9A0600CDD 7290634255510C06 7D9D95F4728B9E0F 4280C1A74598F101 AB04EA73768CC77E 7578B23BD084142B 8E86B00542AD939C 2609EEAF247E381E B8DFB7A8F840014F 4F110AFBF12C9126 6ECB2645C596FF5B D1B71E603C491CA4 61CF4C2ADBB3F52E AA53B3BC9C374AC8 2FE978DACF9B38A7 A890890F52A86D11 074411C04E1F56CD 5D24BF3783A7945F 51DFBDD57DBD158E 74CEAD4ED159F85E 34773AB2A75F725E 054335C1577BE821 870E0C964A88D3BB 65DCA668F58C725F E0DCC6C63575A3D2 291F1DF6740CF886 E27FB054749E5775 4AA1D68C216EB27A F5007844F369765D EDC952D76D335F1D 590F15A2D5CD831D 06C3C49BEA0209CA E698E283177D2197 3439F29DD6445627 825499FEDA114BA1 032D2A9B56BE300F EBCF6AEC1A623C5C 5EA5C01694992F8C A9531D325EEC11D9 A65011A00D34C5B5 2C3173739BAD9D4E EFF54403DB9EA948 5AD94658EB672B23 CF4DF3985BD93522 0B5FEFE1337F3548 73AC388EAF502F00 DC21FEB144E23B6F 0CEAEAA76BC802F1 0FB2C47CC72843DB AF0E0E0A8EB713C0 D074BE86C8DB0A9D EE4A02CA85FD5525 E3F91F583168FD8C 6E190593A87B4A05 FA6A8B273609C84A 697B99683548132A 6B5337A8DF678F0A 9ACD66092A7A3409 E25D7D68FA14DAB7 A02D329CC1A8D187 33ADFE0824EB71E0 47F982E5905C1332 68F4694A137A9BF3 9F3A2CAD1255F21C 0AAA6F77D0F77513 09A2335D21206978 5EC2AEB90CEDA800 F4212529703375A2 075464E3405945EA D04C70CE6CC6D876 7F5C20D66A884097 4D35FA9BB16D4E50 F6C489F05F793ED0 1F1DBC0A444594C8 686DBDF13A7AE771 14B49C944C56E8C2 BBCC1351A070F412 83B1A2923CFC0DC8 AE860D7E31480CF0 48670CBE89CD29A2 FA63034A407BF8CE 9F6D54B4CC42B71B 9E4C528300210118 26C4BF97C6189AD5 91583F5F21C0A719 D140D57B3B1B97BC C6C658A4FBEF2874 3F4AACDBE9505D37 3A617A5DBC385CE4 999A9B867DDB9EDA D0BB20950EA2A19E 83C1D42C1AC6DC19 EAB97D8951254585 ABE5A699CBB55542 0FCE39444BB44E5D D6D495BE60EED01F 1FEF88C1F804D349 EFD82F102F9EE150 E101A6F9670AAFCA 243FEE3B1075FB0C 76CC03B59C7103E7 nettle-4.0/testsuite/slh-dsa-shake-128s.ref0000644000000000000000000004046615141166425015463 0ustar00373c73945bffbe75 0f03acb9e5c6bfc4 6a18de32418675a0 b92e0309a54f6cd4 671db880b257ac96 f4af40eb80575aa2 f4fbcbaa9578a6f2 60882cf0ad94f907 310bfc029afeba08 10dd859c275b5b28 ed08b97031cce361 ce4888fede45215f c2b59b75bfb82df7 0b21fe09f2a21ccc 2bfce1ceef91ff77 da219eedefc16f3a 4b94fb931062b24c c1c7517d29756e81 148f9071a81b1980 5694fcc93edf05f4 c804d3d99c5b9d3e d25e9999003d36db 32153553a81f9d0c 80b78cb4a0003998 5e5e2ee71bf4b8e9 e4abd07a9c49d0b5 310ac46f2a4af89f c52d4eb41cfff58d 5369c6517fa11745 1eb4439a874fbb96 daffd185ef27cc65 d3d67f06e7a5eed2 32913e61ecce42b5 623a156cbf16ed9f 7a280403a247b098 380567ab9309b0fa 8d4c3ed2d646344f c6a4bf1bdc68d161 9f29737a4d2597e2 b421f611b7bf464a 6824045f9c058b5e 39a591a40af4da11 75874e7ee287fd4b 1cf29d35a2652c42 663be06b06df5b22 c484989916feb133 3ccaa2e20d389baa f62de05537cb4f63 e1bc00e1d827d01b 6358c19f677126b5 1a7e5e6be0180009 deec05f4d66ebdd7 8e576912c869b592 0ffbcf25e37f8eb6 dbcae3e8a2c97e73 1860190a2f7ef9a7 8bbd5a36d7516882 7b299ef7580eac6f 90c6cc1ea68f27c3 d2835622d7677618 75d9f385c4d6fd43 48436cbea77f39b8 0f16196dab3030e9 cb61e15511b65016 f4115fa3921385fe 203ec3127531e2ca 26616e278e4f5f70 e621fe5a18353fac ce683794004557d5 732391afc53cce77 44ca92811baeb824 e5e46dea2720d68b 1910307b967059be 7583adc9ac8d425f 998861e765cd8ec1 c474fb3f631cafc0 90b202f9b9c1596c 5ef21a2985642bcb 36056aea784226a8 a490a4e4ef9783a8 fb77eb2f4e10e3f6 d0a62a6a6062f6a8 991d5ecbddb74f86 a02c54258e29d10a 86b756885721175d ecf0077a66f4b3fc 592ba9fa5e3a0fa7 1eb808e5e944ffa2 5e377cfb8782b2fb f93c5abc88fe8b83 1148088836aad27c ccb8aff0bb9e4308 f485c3473824ffb0 30e51cf613671dec 7bcb4dbb62c7224f 2dc63fc2157bc59a b1242f460f8ad6a2 3c20fd27e280776f a180b31baf6e204a bad44cf1a645ab8a cb811c0f08a0b019 45116e05a5bda4e2 de18d7047157d2b4 b76805ac222a8e75 745dc2443d14a43e 21dfb39ebb6c14fe 42b002b62cfe4808 ce0a6c3ff2401fd4 8c047e654ac98dba a5e0f621620c34af 63cdfeed579b7c04 dc2e3288ca684081 4ed30399c25c840a 0dd471d46760e40e 8448529112e68c54 65084b1be7eb3818 c00c3fb3365b094d f1b03d4f11887868 6bd49fa6618a0a42 bace7865caafa963 34afbd686ae8e957 ec206aa03de1b2ab e0ef1e933eb8cf15 7a64c52b285e97af 9722ef435dc8f982 b44194937d6826f0 a1ade35632e03bdf eb1bfad881a34fbc 809354630edc6437 e947c965b128893c 7fb7e2e2e2db7ce2 7b8a54fb95b56ccf 96f901544d056960 ec9c8bab5ffac52c b6f98b9431a3770f 7053457993351c19 cce355ab749e32d2 a2c56910e9475811 8835465f31eae203 4d3728e376f193ab b567ed28dfea4cd7 efdb1f35847473db 9483c8344904fe50 95154c9f56446440 815e6669c7fb8ac3 87af71803ef5a616 74112b8d4ea8137b aba080b98956dcf1 9d19558acd69c715 04bbd291410ea1cc 5a8b62f025bbdef1 39f8cb7f65594cd7 80f6ba44c839bda6 755fc4a2ba3c925d 7fa1f05b954171b1 6d5ffb607c643081 0be371dd52f3d888 aba9038f2320732f 7403bd541a7eb7af 93703dea45e02946 8f57ee3bfd74a67c 4feaecae0c1786b9 266e52674de811f5 6f657b1bdcd5aefb 30f924c2495357bb 70037725e821a5f7 7690d21eecc5b77a 1777123cff4c0b15 52f1dbe08260bbed 0d5ac3cfa1450030 6b9564de6135d1d4 1c52866d0acabb22 157c712a37972b47 15a5459c4f30fef5 5a2a396a9d78dbfc c06ad406f4cfe1b1 120537abc51241b4 59153167bea44afc 9d7efd91341c7fd5 5017effa7c687f67 ef4ad278c1829b7c 073784ddd0d64fbd 90869a3724ba1d1c a05bde1c669fca54 8b85d8bd574d0703 c42fc2c1180aa171 93faf9e55482558f 54905b9c9b98d99c 001842df9c942d4c 36bbd4e60d571b19 84421b90931b916e 6f57a17781b30db7 f09a6105fab7f1f0 d6dfc72eebc30a1c 26d7387f404e0c12 9168e7e246a73940 8c0eb2ceaa07c48a 0a3cef36ee60535d 2ad119dc24285323 00ff025fd956e621 9ca1e2df05bb00f2 75477db356190d84 b14f3e77e9c669df 825885acee76ab11 518bea9753fa0504 7f1828cc1ebc207a 796d40490ebb4934 06acb8a8f90081dc d28c5bcf4f7d0a22 38eb1f6ebbbe02ec 17808173042fd209 bd81ce50cc245c25 e7ae1990db628667 c02599acf12085d8 484dbc84ed0f8908 13e4e9232db6cc1d 6d028881abc8ccae 1a7216a5e97cd4fd 848ea80984e0bd4a 8e5ad4e23e37b61b 626dad1d36ba7cb1 79b17b1f417f1b04 a16e315f2405526b 04b40c9375acbd27 1ce0a02dcb480adb 1fdbfa1accc079c2 51dbdd354e0b405e daaa87d0a2bb6902 d12f3ade5f8588e2 02218b859ad5eadc 5f186f15a87cff3a 461692ffe0921073 6ee053b200fadf4e d6c5d2ec302a86e8 935afb31780b035c e49154dd9decc7e1 55b8b27a8046caf9 3cda59190128fd74 d5cc56046682b4dd 3824ed44c91accb9 67ac2304b682c477 0d8bfa0cce4b791a 04b7b53c3369e463 636d6908bacc2e40 3a0422e3cde7374d 1c5a6afe599b341a 7db6bd2dbddbfb5c f9c85ab10637f32d 26620bbee639fc57 6819baa7a0552436 99a9294917af1a5f cc14ac5d04229b6b 0b115d1f9dd983a4 a5117f9549ecd7e4 2db3b8cc33d767c0 9283f258fa845c43 419bf7b437cb0ac0 3d0b255dce3ac86f 495b2e1c8deb916c 9afe1564181a201f dfc5495585ab00f3 f344cf5e1e510a53 b183d1100b347a15 e6df9a57d9702de8 46c5a5cb55410139 433ef287786cb596 d6738995f23b6332 1b07e8f7848f5315 8e5f2b260e797dc6 cff9812e5b8d39ae 2233d87bf240dbeb 54c137b21ab8f51a 859dd2f8187e04d7 6612f743a1a8d3a2 409e6375e30e8a28 7a07f65415b82588 10f27f7c2bb5cf65 1860fb1b26a4f35c e4870226d3dbcd5f 54f603e7c927c73c 2604fab51c6c2272 0315f70c4cd14f74 44a1a4c9be0511e6 8c2247f22e0051bc 132f0dcb0cc387e4 966bdc386cc7623e 8a384b82c7e6406d 61e4bf3532c7a755 cb58a80d8ef30412 f8691a8ac779ae54 81daafc0e26b4bfc 7eee57c75c52b8f3 8ca6d97bdcdbb366 3a80a5ecb4e5f5a1 4b5aff54897f09c7 0e926c264bd72851 826c3772c2a24206 4a0a0b4b38792890 62efdc6fbb20984e 7297e779298c7dff 91898d646083325e 9cb981eba5a3515c 4aa26069979e3cfd d5da15be8e8615dd 0410d914312a6b1f 6844d42c43b9f65b a93746903f52cd27 c0d4482c920a0bd1 942189359c6cc639 b9e899084962fd78 f219ab8dc39a226e 4701ceee6a689343 836a7a4b2b72a874 2cbc7a10e34860c5 aa8b5936db7ec269 b57208cf47f02f2e 5d06b978b3445ae0 71d9fd313375199c 618efcdd1f66dc29 9c781efee5caf209 89f3ae515824f77d edc21edfaf4cafef 79e83523cdbd118b 04ee628dd0eedff0 f771c09ea8930dc4 d4abfa4748a568ba 5d9ba5ec63991e9a 5cd0fdd560a2c99e cf5d44fe62aef6c7 1c07ce5e8dc72caf 653817bc4819ba54 4d713e2be7028fea afc3455fab2bde23 52b8ae6417a3b131 b1fc0922d5751498 48b62a4a1a9b26f5 c12d7c68e004e445 73ef48ab562d0072 e04202ea1f56eb1a 0cb8e2306b87fbed bd5ac23cf212c620 68afa2fd30358774 99309658594e947f 26d81a8edad1413b 792a5c35d5680ccd 6f2eb81e412dbba1 c750ad2ff6ab3f93 5c8d18e8759c0594 39d9efb1a6f1d011 6ec5e35e83c4f4e7 7d3cf696ffc74e0d 07e8d6347369b63c 81cdbed36dcb07ef 77f737657e278a73 39e55cb7274a019d 39d92b651e09c0d5 d654d4ad44291a36 b42e0908505c4de8 7d640a00c56d5abc 2a994701b2f0d2e9 a4b1a030476e3506 8850326022e5edc4 d621de04dee0eac6 de4e51e2b2f6fe7e 07b464baad97a19b ceaf083ec5152e9f a0da7ecfb82caaf2 f163c3709f6c86e7 cbd5d338b56a284d c8c8497e5b5d9206 beb8664c88f84280 8f19f6425c86d32f 1af3277e9783c5e9 ca0ba31e0efa3017 5ee4422efb4acc82 0998a4e19e0f124d 04529a95a7c4c880 a1b468e5ee8541d9 9d07cb2a46c5f21e f67dcfa5858d41e1 b140749b04db5433 4e95a4c3a9385d2b fd53685c859e31a1 904f4b3fbbc5a74a d0d5e222d4a5224c 4f5605851603911d 2f908d20d40d8b37 106ae45c381f6aa2 d5c89c7148d80943 1fd29e6a85ce6be9 eee6602372e504aa 4487d1c6023d6b3d 2f79718dd86ffb8a d2edff96f28b4a95 d5107430372d59e1 afdf7b32bcab8648 ea8c2f4addb40d95 91cf58fd95d04c01 557e6d8b526efed0 cb5607f5b334529f acc4c52bc7e4f238 c9a0461ca9580df2 a46c91a74bdb2149 aa207f60d28abab0 d18970af2fb6b3c1 64af229faa6884a2 1f645eae16091f48 f859f96ffb169886 ab7c3b8f73543dbd b09ed00db65dd6ad c06c242a5d8373cd f0a93be9bbbd63e2 99084a5cd3ad6a77 f7bfa5b09136abe6 934420b5fa5f7bbb 165ed99c472c136c 1d679150a9623626 1a3b9bb8e581724a ea2208ac72a8160e 672510b73d9b386c ec83dc2cba9c29f7 fa997748de75bd9d 0c21e2256175381a 45b03b3dacbc29b7 d5494fdb921ae780 4d18dd023b78e8f7 df965b1fe3f36033 e8d20f3a436adc1c 5860951da02481f9 c8fa05bebd131b3a 4207be917e217660 ba91ae83a35d7741 0b1c0a3cc8652329 4929924b95e8021a 0d8bb5af959a54c6 63b9b6d5149ccb6b b0e5280adecdce1b 7229e817ad6ba08c 467bd3f9ed6537f5 e7e8c949d2d4bb7e 3f0d4b42adf32c67 42b7666bf0876e18 51dbf5dae1eb4210 f115e6a5afb2e5b0 5db56aa0fd56f752 4f1da655a7851734 2d55900dae39c326 1e400de0abd76eb3 c173406514da6fa5 4d81838a0e1761cc db1a7d02416dde89 10492551d64fc331 0f89627657b88159 2a3a26b466f6dcc6 6ceed88dddb3ba60 3ebb4055f6743887 7c0bb6b011975c6d b15a896b13d91f53 d2fad4eb9eea5c21 2e2784fc30992d45 d9e43e2201814159 c87058d35d76137e 3ab78d93be20e655 d6061d504f9670f4 2da359d408f7b791 bbe6bd509cfd7b53 9b382ce7a356e8f0 fe54a907560f75d2 ad1f59b83fbda0db 4a1cc4d18ea6cfeb ae7bd14fb6c7f8a7 72125032f9c3eaa1 ba175042ca35ea0b d483992479450e37 b52454e44a85af85 3907c50f1ebbd69f 2caacf912fecd431 7ce04b5a28664721 6686c9318c2278fa 45343eeef2cf4dfb 5eaecb0aa20422b9 715960b9c7ea0b13 3330c62ef1f615d9 2d283c95102a79ef 09d152924ce15c5b 1aa893b9be2d8427 89b1b29e2d05fb4d d5a2b486d0be0696 d73b6925107ea8ab d2a71d0dad3d7a76 71579004a46afdda eb08a357271405d4 e183e790d5d2f854 8d8da51e28243c25 4e0e460079dea68f d4410d50cbf0e9bb f96d3532baab2bad 5e81f359c5839526 71e90601e0bdc325 740a42f666c6ee86 8b68e1298e625f68 6ef0eeee17c45a81 59ab13c794cf224f 4a2cd0efc5ea1a3a 368a4e6cc80ad464 6cb3f6dcf45ecd23 7a6ba15df7193b91 41d2520d77bae9d7 d8507c3694463456 8005bb5df947096e 548f88ce8515a0d5 f3070a9ad32dd656 36e1a4e91caffc00 8bed45094e6f664c 3b14461277653538 ece57b5705d66437 67bb2b0c49530cf7 d142d0d14f00c6de e3e134292dc0ab81 a4d675a041fd9d0d 41dbcfd9d234a145 7a7fe343a6bdefb4 cb1a48fc1aaad3bb adf0661b6f15a291 ff11666a95be8b7e c55a5be147dfd7ea 639e95353097ad58 df3611890367b580 96a2ffa5bc5a2bab da709fbf59f110e1 1573c6ebb9c68359 5ea71f53901ded68 1517d7acd58db8d1 417d615313a32daf 4dda30f5f0257b37 29afb59c8f95e3a9 7c8d35b09d212bbd 94b49abdf6e50b6a 57d6a488e4f9446b 96a67b0357764b01 ff38be4744f692ab 9fba6f8bb24c5318 75d7f146fb46b46e 0d6021a0f9ee1940 928d05dccdb48f79 26ed0d0b01749ddd 301958d08524f924 5f7951665627ee19 fe9ef4a1f884a311 fa7d3b398a0d0faa c9e18caf850f20f9 3a1f1c6288477192 1ef22596705aa9e3 b86df8e0b1ce071a 79cb80f8674fd162 bbf128d897892820 9d02c68998669edb 100131822dd455fc ff708ace30e3dc80 4efbd9d2a001da20 e4d17cfe3206b92d 25edda5fcaa37395 a4dbb15383bccba1 0ba80f8fd66c14da 2fbfd1850ccca1c6 617b0553634a6e9e 7094d18f385bcce2 16fee3e2f4d827e4 563393018fa1b350 341016e7ba78a6b1 5ae5b0685417af24 22a5efe51d46dccb 236dbab0dd0e13d6 21231632396abae7 b737106146a00d50 965db987fa75371b e865134504c7f64d af9b188eb4ac894f 29c4e5568688913f 362aefe8fbcf2dd2 ea12f3ea4e1de149 55d2dacc6ad5b4e5 d00f78161a67898f 96b64cf5f21a1713 38a94284a2b180cc 5e2b2b03ee6e6d58 bf3a49558aa87a9b af0696bb28c96fca 9e4a4321e13b1ecd 7b172d27d2e1007f 3aefc189d51b23e7 573ec280c5131542 071c27aa22f57034 5f3292be4dab04b1 a9c5dab11bee3e65 78768b6f1fadd532 7cc09cbb4cd36063 aecb4fe42f3b4a84 de7ad0d2b1d72ee6 245e82ab60cefab2 0e779148280502df bf6748d72adb725e 4836c68f08cd83ec 0573078320c936d5 6b0edf049dfa8d2d 684078a41e80a3ba 5246293063c86a2e 4c32963199c056b4 f7780079208306e3 7c6b4dbb70b1e186 be3517a797869e09 577c1449412d87fc 31f901ff65ea3400 99d7a8bbfdc8c441 78a113177a135c10 6dc898a7b0a88335 dcd1019360095b8e 9239bea63ca9b9e4 f097200e23d86064 99f7748eebb4b598 4a3a872f154ad47b 04c480c14d46e5fe 01e75a53329cb6a0 2b973fbd5b0dfb92 fd3572825cb170ce ab96955a7df816b8 fbe549572a5ef399 26c207d78deb6ab7 2a5ca66e77ccbb5f 758f29b038ab1909 5ca572dc1a13101e 633819b29f8b6a4b bafffcd390fb8ef2 351522e72c9f09b8 2df20d11435996df dcf2f3a5595217b5 f02721c9d515bdd4 d71abadca7428f12 cccaa766255da4df 18c9dcbaa4dc4150 cf6c45a41664a642 74fc66929bd1ce07 058520c295ad5db1 1ebe965aea245b56 74fa1390a4acdca4 507f4f509c0899f1 bd46fc3aa1f7f43e 882385437c2d92e6 43b222f1de3733d2 ff5b246aa379cb7b 2309ff16d53aea18 435accd18c86c740 9ab1fa1d20a62bc0 73e47aa944f63175 5deac3cd3fc3f552 a7d043e07a337e21 ac1343a0100d8e74 386927b6335125ba c5809e09fc25810d 949d5bf4e6ef4af0 08a33c4aa136f700 bbc39b7e7130e73b 4aab82f0f8e2cd4a 4160882684ddec0e 1d2697bb8bd999ec 04bf7eede896d4a0 89179356adaee823 398aa1af27c65e61 dd5a47c1aa7778c3 3ed0726710eb053e 583988d8c1347b30 358f7df216c692fb e67ec05087840869 7d37e0ed298f357b 33f0dae67e665bcd a85fc71cf91e155e f412378d81fc6a77 2a382318af8964c3 2a3337de70b4ae7e 8fa50f2246f79de3 4401e734750ca311 091a621abc1f7819 f74e16dcfb5aa398 248f2f4b5795eee8 8fd6757314d79b76 b85685448e6ac531 2a321752ddbaa0d6 e33b7bd9c6190df2 c0495a632a364655 5faeaa9d2bd04d66 bee9a700af0b75fd 3b7fa4944ad43d9d cc291e493297cb01 6ab1ee25e1613165 1106f954f576d47b a14d6239d8699882 e222956a2b53f470 4d38de97acaa75c9 2c6097384d8a70d0 b17dc04659ed206c 604d60f0463f4714 a43a53f0b5a02685 f1751faf492a48a7 e07e6b9946ad28b4 15502949ac793aab ba8f41e060390732 63878d212a262d49 ec51ff8536aa1c02 16c54ce2c4f1f7b5 c88bafe62874e4d7 e54b0bf068b714a4 453a509d8909a338 24425567871a6328 9a418b6f12a7db7a b11d3f98fc4eb2b3 a4b7cb059f8c5140 d3169fef3f4a8591 398a46db9a246ab8 73ca741436ec0bf7 e84940c594c15c12 f048e9e22289ab82 808a4d4ab459254c ee928e01502b1f30 872ef8bcc0d28f35 c62460fb2cf5840b a160dcf1dcc87282 292cf70f662f9682 2efe7794181d67c1 86fc38145c7e8170 eebdfa9856483b73 417c6ae5e035972f 6aee1dcad230d14f d311e68a931d9202 f52ea2bcf2d85f61 8ee90e1bad0df934 b4ee13faef044493 8684f7ecca17c19b b17787e88f7db0f9 bc00bc22f4aa8a02 358d46ead5ae4f5c 06d1815662f7adf2 dd598acd1d52d83e e995d6273fae0c34 3388199eefe80fb6 9689f4ccea58044c a02702fa6c188e6f 572f699a067d1ef8 2e41386f54d90b9c 94a6586fde4df772 2e04de90c10c2dd1 09d5f2583c42eaaa 123e8b47b9513845 48407df213b95965 6bb00b50b71cf2f7 eecfa6a00d3e364f f3e08a765024b54b c12491bbc6bc825f 8530528a11209560 e5bd3edb5499009d 869d086123c2f05f 40eac28946d0dfb7 68f5e01cbf42dca4 cccad733c444f533 902019c33af6d535 6690c6bbb4116db5 d25576cb2ff56289 f5b238b5ba738b38 498b5cd67c5394f7 4fc9fdb77b71b0ae 322bed1fc8687d1d f7e987e2154615e2 c26c2d94d337bb9f 77cc9772343f480a 07f13b455392dc26 436efe56ac1ad226 a98ec9b4fd2f5e37 e42c93c0da8c6911 7b67627c0fef6fe4 131186e7a517289e 2b46e7b2405e9c9f d47cb9f4d6772722 5206a133aa154762 918618dbc8016c5f 89d723800c01c5d9 98b7fb5779a687ba 0511432eae24d16a f333e88f7f18b173 af80567847a609d8 68967df6b1e68f64 9fdde21a141235ea e6905787c0ee5c79 ff52bd6259f055a5 cc457b5624094d20 4b3240a56040b9b6 14145f43d467d26e 5f74b85d8986b169 4dc8e20d2ddd600e 60e576d148af560a 4a72ce4b968672e7 1373abf6c0f47569 0c3446f9109b3109 501b5776e4df13a2 48b344fb9f416d4c b5e38cd44315011b fa0a96eb86537a4f 0634dbbe42050cd7 430f630f87bbb958 beffe476ad2dda10 5856c24befa48154 36d46395faa2797c c3ed908dbd2c9dd1 053d2f7926d26d67 a09e0147e261e2b0 3864350945652e0d 960631d360916e6a b61a5c9d3459dbb3 820212e5ef3241ab 5de63ea4150e4d7c bdfdf071addda34a 4bc53a7fcd169821 0f9c18c4fa4a36b0 e6b61cb3720d3fab b913c337f9294afd 2bf279322f15344b 2365893fdc31cc4e a8b87fa582d5a074 34f7fb57df95c706 f508826d90fa3bcd af75ff59a7fff497 432c32f16225319a abdcf1f6d174fe58 4ad2697a8d070423 adaa1f5662b97a08 001cd48c33e34e8d 48a2779df70902cd ad2ecfa26d94d3f4 1f9e937f71f6f2ce ab1fa5aefe5813b1 1a81df48971c7e0f 23e68437008ba0c4 eec536d4a090e3a2 2cc15a726299b01c 236a1293084a3ccd 22bc2f2f46f45817 29e55d822b34b7c9 b7a0d4714ad72209 f1f81af845683a04 2c6e977e45e9cf5f 1030262aebfb7c76 04d3eae79300fc18 eb9bae0c1db704e8 736c225c03a4db78 b346a1d016d658a6 98291dc838142838 6cb4e164a4ad7493 b2a76b436cf48e07 1c637107300e294f c61b660791a6ce2e 99fedde9cfa1ac62 91c9bcb9f14e8aba 85e898b532a3593e 555395011e8876d2 38caa1848e232ff5 74e50c7c55f6a643 3a0f9eac55f3f93f 4ac293109f3c1691 faad822a2ad13c4c 8d4817280df581d7 7b75ff33a8157c8f 6804c3156bf2898e 881a4733a695f622 24865f354a3cb960 e27cbe33b355c770 650df31567e58fc5 f2fdcca4dd6baba1 1b9fce458156cefc bbfe83192484a292 7a41835cb120d779 fb9ddd676a6f3071 0ae18443b759c8ed 4977675b90e465b3 3eb76d9db8d5dc1f fd1e6f1ea0474e25 13be36a5bf36b4c4 690e16fea2a89981 68e3b6473fc5d078 700d3dcfea0612ea 8802d6d214f03d69 ecad474084721d08 96008adb378d9a4f 09a895e4e2062ef4 571c8f88b6b0167a 3577652a9c5117c9 0dbbb81512ae7586 c660034831dacc7e 6d807af3a397a442 e2d61faafd2eda60 61b9506cf0252fa4 36f1eb5d35e96f4e ae80376a42073e1d 1a85dfdf086a4bf7 62b74d3d4e667402 ee5f59d36c7ac624 87a65de64502751c f6fe941e20ac694d 70a853f9869b41cf b46b2869878fd260 498f6a3ff2156144 c63585772e402fde 2eef7466931514ac 22d707bf6b4f118e 7bd9fe13e8b90363 96ecc3127623e13f b612f9c4d60700c2 9b802fd741bb99c6 357f15f760826fb8 226f51a3f2278147 2def7d6f707e753b 171a496e6ce99c64 da1ee01ae949394d eda4f3dbe8980338 bcf150c839ffb4df 3043d1392f53f9d5 e9d571774b0efbc6 09ea772fd481dfa3 93b73e1035532801 455da7d830901a1d 2502885cd6d74b9a 2c2dedaf9a9edd43 a021def1aa51333a 02e837c01da65f6b fa45dc2abcd2c0bd 84db2d91b6d6e6c5 673f09175050cf70 60b505a03db18f49 29c1d4eba35e9694 641cbcf58050709f 13272565113f1e8c d904aa967f0f7855 0dde0cf6db44fcf6 87bbac7b39a4e21f 36513c12d761bb7c e663362b60f4bb4a 5e9a1ebb5d057224 5c563f7528aa5d86 f6eadbf5f62ef61a 349125587bb444fb 98dcfeb5e54981ce 4bf11f1b55be0bbd b609e57f0a5b1a78 2ac830f31db648c0 d632d20daaf84fb7 1a02467612630d26 3dc0dfd65943f7ce 95c3f781c959485a 0ff28a4810ba87d0 b85be2499ca35f7c 099f23f2300b0f26 eaa0894510d28bd6 7beb619086cb61b6 ef0eea3cc71e6ed0 743b7ac3f9d219de 6886f209d134355d d1f7125e88c25972 9d0a0b3f633707bc 02843a8e259fa9c4 e6ab58d9c9bc8e8c 0504010d5e2ac224 0bc4c1e5eb15ecb4 2875fff48bbf182e a8ff1041cdc59c8a 506471f66ca8a713 a27a8aff707361b7 632b4250ca3b32e0 69def84ada576a1b cea10c1398a66361 cb4f96de45be2454 db7ee6975e47ae95 222dba6a40683225 4e1f05a4d3db0a7e 17061b18213d6bbd c66bd61b29d1ea53 nettle-4.0/testsuite/slh-dsa-test.c0000644000000000000000000007027215141166425014320 0ustar00/* slh-dsa-test.c Copyright (C) 2025 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "base16.h" #include "sha3.h" #include "slh-dsa.h" #include "slh-dsa-internal.h" #include "bswap-internal.h" #include #define MIN(a, b) ((a) < (b) ? (a) : (b)) static const struct tstring * read_hex_file (const char *name, size_t max_size) { char input_buf[1000]; FILE *input = open_srcdir_file (name); size_t done; struct tstring *s; struct base16_decode_ctx ctx; base16_decode_init (&ctx); /* This function expects to read up to EOF, and fails if the amount of data exceeds the max size. */ s = tstring_alloc (max_size); for (done = 0;;) { size_t left = s->length - done; size_t got = fread (input_buf, 1, MIN (left, sizeof (input_buf)), input); size_t res; if (!got) { if (ferror (input)) { fprintf (stderr, "reading %s failed: %s\n", name, strerror (errno)); FAIL (); } fclose (input); ASSERT (base16_decode_final (&ctx)); s->length = done; return s; } res = s->length - done; if (!base16_decode_update (&ctx, &res, s->data + done, got, input_buf)) { fprintf (stderr, "hex decoding %s failed (possibly exceeding max size)\n", name); FAIL (); } done += res; } } static void test_wots_gen (const struct tstring *public_seed, const struct tstring *secret_seed, unsigned layer, uint64_t tree_idx, uint32_t keypair, const struct tstring *exp_pub) { struct sha3_ctx tree_ctx; struct sha3_ctx scratch_ctx; uint8_t pub[_SLH_DSA_128_SIZE]; ASSERT (public_seed->length == _SLH_DSA_128_SIZE); ASSERT (secret_seed->length == _SLH_DSA_128_SIZE); ASSERT (exp_pub->length == _SLH_DSA_128_SIZE); _slh_hash_shake.init_tree (&tree_ctx, public_seed->data, layer, tree_idx); _wots_gen (&_slh_hash_shake, &tree_ctx, secret_seed->data, keypair, pub, &scratch_ctx); mark_bytes_defined (sizeof (pub), pub); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); } static void test_wots_sign (const struct tstring *public_seed, const struct tstring *secret_seed, unsigned layer, uint64_t tree_idx, uint32_t keypair, const struct tstring *msg, const struct tstring *exp_pub, const struct tstring *exp_sig) { struct sha3_ctx tree_ctx; struct sha3_ctx scratch_ctx; uint8_t sig[WOTS_SIGNATURE_SIZE]; uint8_t pub[_SLH_DSA_128_SIZE]; ASSERT (public_seed->length == _SLH_DSA_128_SIZE); ASSERT (secret_seed->length == _SLH_DSA_128_SIZE); ASSERT (msg->length == _SLH_DSA_128_SIZE); ASSERT (exp_pub->length == _SLH_DSA_128_SIZE); ASSERT (exp_sig->length == WOTS_SIGNATURE_SIZE); _slh_hash_shake.init_tree (&tree_ctx, public_seed->data, layer, tree_idx); _wots_sign (&_slh_hash_shake, &tree_ctx, secret_seed->data, keypair, msg->data, sig, pub, &scratch_ctx); mark_bytes_defined (sizeof (sig), sig); mark_bytes_defined (sizeof (pub), pub); ASSERT (MEMEQ (sizeof (sig), sig, exp_sig->data)); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); memset (pub, 0, sizeof (pub)); _wots_verify (&_slh_hash_shake, &tree_ctx, keypair, msg->data, sig, pub, &scratch_ctx); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); } /* The xmss_leaf and xmss_node functions copied from slh-xmss.c */ static void xmss_leaf (const struct slh_merkle_ctx_secret *ctx, unsigned idx, uint8_t *leaf) { _wots_gen (ctx->pub.hash, ctx->pub.tree_ctx, ctx->secret_seed, idx, leaf, ctx->scratch_ctx); mark_bytes_defined (SLH_DSA_128_SEED_SIZE, leaf); } static void xmss_node (const struct slh_merkle_ctx_public *ctx, unsigned height, unsigned index, const uint8_t *left, const uint8_t *right, uint8_t *out) { struct slh_address_hash ah = { bswap32_if_le (SLH_XMSS_TREE), 0, bswap32_if_le (height), bswap32_if_le (index), }; ctx->hash->node (ctx->tree_ctx, &ah, left, right, out); } static void test_merkle (const struct tstring *public_seed, const struct tstring *secret_seed, unsigned h, unsigned layer, uint64_t tree_idx, uint32_t idx, const struct tstring *msg, const struct tstring *exp_pub, const struct tstring *exp_sig) { struct sha3_ctx tree_ctx; struct sha3_ctx scratch_ctx; const struct slh_merkle_ctx_secret ctx = { { &_slh_hash_shake, &tree_ctx, 0 }, secret_seed->data, &scratch_ctx }; uint8_t *sig = xalloc (XMSS_AUTH_SIZE (h)); uint8_t pub[_SLH_DSA_128_SIZE]; ASSERT (public_seed->length == _SLH_DSA_128_SIZE); ASSERT (secret_seed->length == _SLH_DSA_128_SIZE); ASSERT (msg->length == _SLH_DSA_128_SIZE); ASSERT (exp_pub->length == _SLH_DSA_128_SIZE); ASSERT (exp_sig->length == XMSS_AUTH_SIZE (h)); _slh_hash_shake.init_tree (&tree_ctx, public_seed->data, layer, tree_idx); _merkle_sign (&ctx, xmss_leaf, xmss_node, h, idx, sig); ASSERT (MEMEQ (exp_sig->length, sig, exp_sig->data)); memcpy (pub, msg->data, sizeof (pub)); _merkle_verify (&ctx.pub, xmss_node, h, idx, sig, pub); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); free (sig); } static void test_fors_gen (const struct tstring *public_seed, const struct tstring *secret_seed, unsigned layer, uint64_t tree_idx, unsigned keypair, unsigned idx, const struct tstring *exp_sk, const struct tstring *exp_leaf) { struct sha3_ctx tree_ctx; const struct slh_merkle_ctx_secret ctx = { { &_slh_hash_shake, &tree_ctx, keypair }, secret_seed->data, NULL }; uint8_t sk[_SLH_DSA_128_SIZE]; uint8_t leaf[_SLH_DSA_128_SIZE]; ASSERT (public_seed->length == _SLH_DSA_128_SIZE); ASSERT (secret_seed->length == _SLH_DSA_128_SIZE); ASSERT (exp_sk->length == _SLH_DSA_128_SIZE); ASSERT (exp_leaf->length == _SLH_DSA_128_SIZE); _slh_hash_shake.init_tree (&tree_ctx, public_seed->data, layer, tree_idx); _fors_gen (&ctx, idx, sk, leaf); mark_bytes_defined (sizeof (sk), sk); mark_bytes_defined (sizeof (sk), leaf); ASSERT (MEMEQ (sizeof (sk), sk, exp_sk->data)); ASSERT (MEMEQ (sizeof (leaf), leaf, exp_leaf->data)); } static void test_fors_sign (const struct tstring *public_seed, const struct tstring *secret_seed, const struct slh_fors_params *fors, unsigned layer, uint64_t tree_idx, unsigned keypair, const struct tstring *msg, const struct tstring *exp_pub, const struct tstring *exp_sig) { struct sha3_ctx tree_ctx, scratch_ctx; const struct slh_merkle_ctx_secret ctx = { { &_slh_hash_shake, &tree_ctx, keypair }, secret_seed->data, NULL }; uint8_t pub[_SLH_DSA_128_SIZE]; uint8_t *sig = xalloc (fors->signature_size); ASSERT (public_seed->length == _SLH_DSA_128_SIZE); ASSERT (secret_seed->length == _SLH_DSA_128_SIZE); ASSERT (msg->length == fors->msg_size); ASSERT (exp_pub->length == _SLH_DSA_128_SIZE); ASSERT (exp_sig->length == fors->signature_size); _slh_hash_shake.init_tree (&tree_ctx, public_seed->data, layer, tree_idx); _fors_sign (&ctx, fors, msg->data, sig, pub, &scratch_ctx); mark_bytes_defined (exp_sig->length, sig); mark_bytes_defined (sizeof (pub), pub); ASSERT (MEMEQ (exp_sig->length, sig, exp_sig->data)); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); memset (pub, 0, sizeof (pub)); _fors_verify (&ctx.pub, fors, msg->data, sig, pub, &scratch_ctx); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); free (sig); } static void test_xmss_sign (const struct tstring *public_seed, const struct tstring *secret_seed, unsigned xmss_h, unsigned layer, uint64_t tree_idx, uint32_t idx, const struct tstring *msg, const struct tstring *exp_pub, const struct tstring *exp_sig) { struct sha3_ctx tree_ctx; struct sha3_ctx scratch_ctx; const struct slh_merkle_ctx_secret ctx = { { &_slh_hash_shake, &tree_ctx, 0 }, secret_seed->data, &scratch_ctx }; uint8_t *sig = xalloc (XMSS_SIGNATURE_SIZE (xmss_h)); uint8_t pub[_SLH_DSA_128_SIZE]; ASSERT (public_seed->length == _SLH_DSA_128_SIZE); ASSERT (secret_seed->length == _SLH_DSA_128_SIZE); ASSERT (msg->length == _SLH_DSA_128_SIZE); ASSERT (exp_pub->length == _SLH_DSA_128_SIZE); ASSERT (exp_sig->length == XMSS_SIGNATURE_SIZE (xmss_h)); _slh_hash_shake.init_tree (&tree_ctx, public_seed->data, layer, tree_idx); _xmss_sign (&ctx, xmss_h, idx, msg->data, sig, pub); mark_bytes_defined (sizeof (pub), pub); mark_bytes_defined (exp_sig->length, sig); ASSERT (MEMEQ (exp_sig->length, sig, exp_sig->data)); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); memset (pub, 0, sizeof (pub)); _xmss_verify (&ctx.pub, xmss_h, idx, msg->data, sig, pub, &scratch_ctx); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); free (sig); } typedef void root_func (const uint8_t *public_seed, const uint8_t *secret_seed, uint8_t *root); static void test_slh_dsa_128_root (root_func *f, const struct tstring *public_seed, const struct tstring *secret_seed, const struct tstring *exp_pub) { uint8_t pub[_SLH_DSA_128_SIZE]; ASSERT (public_seed->length == _SLH_DSA_128_SIZE); ASSERT (secret_seed->length == _SLH_DSA_128_SIZE); ASSERT (exp_pub->length == _SLH_DSA_128_SIZE); f (public_seed->data, secret_seed->data, pub); mark_bytes_defined (sizeof (pub), pub); ASSERT (MEMEQ (sizeof (pub), pub, exp_pub->data)); } typedef void sign_func (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); typedef int verify_func (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); struct slh_dsa_alg { const char *name; size_t key_size; size_t signature_size; sign_func *sign; verify_func *verify; }; static const struct slh_dsa_alg slh_dsa_shake_128s = { "slh_dsa_shake_128s", SLH_DSA_128_KEY_SIZE, SLH_DSA_128S_SIGNATURE_SIZE, slh_dsa_shake_128s_sign, slh_dsa_shake_128s_verify, }; static const struct slh_dsa_alg slh_dsa_shake_128f = { "slh_dsa_shake_128f", SLH_DSA_128_KEY_SIZE, SLH_DSA_128F_SIGNATURE_SIZE, slh_dsa_shake_128f_sign, slh_dsa_shake_128f_verify, }; static const struct slh_dsa_alg slh_dsa_sha2_128s = { "slh_dsa_sha2_128s", SLH_DSA_128_KEY_SIZE, SLH_DSA_128S_SIGNATURE_SIZE, slh_dsa_sha2_128s_sign, slh_dsa_sha2_128s_verify, }; static const struct slh_dsa_alg slh_dsa_sha2_128f = { "slh_dsa_sha2_128f", SLH_DSA_128_KEY_SIZE, SLH_DSA_128F_SIGNATURE_SIZE, slh_dsa_sha2_128f_sign, slh_dsa_sha2_128f_verify, }; static void test_slh_dsa (const struct slh_dsa_alg *alg, const struct tstring *pub, const struct tstring *priv, const struct tstring *msg, const struct tstring *ref) { uint8_t *sig = xalloc (alg->signature_size); ASSERT (pub->length == alg->key_size); ASSERT (priv->length == alg->key_size); ASSERT (ref->length == alg->signature_size); alg->sign (pub->data, priv->data, msg->length, msg->data, sig); if (! MEMEQ (alg->signature_size, sig, ref->data)) { size_t i; for (i = 0; i < alg->signature_size; i++) if (sig[i] != ref->data[i]) break; fprintf (stderr, "failed %s sign, first diff at %zd\n", alg->name, i); abort (); } ASSERT (alg->verify (pub->data, msg->length, msg->data, sig)); if (msg->length > 0) ASSERT (!alg->verify (pub->data, msg->length-1, msg->data, sig)); sig[alg->signature_size-1] ^= 1; ASSERT (!alg->verify (pub->data, msg->length, msg->data, sig)); free (sig); } void test_main (void) { const struct tstring *public_seed = SHEX ("b505d7cfad1b497499323c8686325e47"); const struct tstring *secret_seed = SHEX ("7c9935a0b07694aa0c6d10e4db6b1add"); mark_bytes_undefined (2*SLH_DSA_128_SEED_SIZE, secret_seed->data); test_wots_gen (public_seed, secret_seed, 6, 0, 0, SHEX ("38c9077d76d1e32933fb58a53e769ed7")); test_wots_gen (public_seed, secret_seed, 6, 0, 1, SHEX ("a026afacc77c7d97eebe6f88c70fec2d")); test_wots_gen (public_seed, secret_seed, 0, UINT64_C(0x29877722d7c079), 0x156, SHEX ("99747c3547770fa288a628ed15122d3e")); test_wots_sign (public_seed, secret_seed, 0, UINT64_C(0x29877722d7c079), 0x156, SHEX ("3961b2cab15e08c633be827744a07f01"), SHEX ("99747c3547770fa288a628ed15122d3e"), SHEX ("e1933de10e3fface 5fb8f8707c35ac13 74dc14ee8518481c 7e63d936ecc62f50" "c7f951b87bc716dc 45e9bcfec6f6d97e 7fafdacb6db05ed3 778f21851f325e25" "470da8dd81c41223 6d66cbee9ffa9c50 b86aa40baf213494 dfacca22aa0fb479" "53928735ca4212cf 53a09ab0335d20a8 e62ede797c8e7493 54d636f15f3150c5" "52797b76c091a41f 949f7fb57b42f744 1cca410264d6421f 4aa2c7e2ff4834a8" "db0e6e7750b2e11f f1c89a42d1fbc271 8358e38325886ad1 2346cd694f9eab73" "46c9a23b5ebe7637 bfd834a412318b01 188b0f29e3bd979f 8ae734acf1563af3" "03d3c095e9eaeba3 5207b9df3acf9ee4 7da5c1e2652f3b86 41698f3d2260591b" "07d00565e5d6be18 36033d2b7ef2c33b dc5cf3bba95b42df 6f73345b835341b2" "50e2862c9f2f9cef 77cfa74cfb04c560 d8a0038c4e96cb0d a2b3e9b2cd3cecf5" "22fda0d67e5f62b2 ee23bd42a61c7da4 8f0ea30b81af7ccb 6bb02cde272d2574" "1325e9d91535615c 0184f2d7f226141d 79b42412721fd345 61d93663650b3c1b" "6901872bc4c0bb15 bcd9038950b7717f 7f448b6126592076 a2bad2d63c55399c" "243fdbdb0c8d676b 2ae455e7f0a9b18d 3fc889c43387f2cb c4dc73d7c85bfab6" "b4b04463a3dd359c 3a8f61bfa6c4b042 4aeba4dd8a95ec12 43b2e36c29f82e1d" "711281599b3e05e7 5492ae3425eaa7f1 4ff8c6a9630bba6e bd236f195269a481" "e87eb3d444825ba4 424ee5b2d9efb595 d5a338f4c253f79d e9d04535206ca6db" "c2d4c9a1ec20849b 0db3fbe10c1446d5")); test_merkle (public_seed, secret_seed, 9, 0, UINT64_C(0x29877722d7c079), 0x156, /* The message signed is the wots public key. */ SHEX ("99747c3547770fa288a628ed15122d3e"), SHEX ("1be9523f2c90cd553ef5be5aa1c5c4fa"), SHEX ("612d5bac915a3996 2cdbcacee0969dcf 8ecfb830cea2206c 37749c65b8f673db" "090b1e2ade6c2a2f 349b5915103a3ac7 8482c39e99ffc462 6fb4cf4a116804ab" "9d93d7104660fefa 0753cf875cb22fd6 0e55dc2f303de036 47712b12067a55f7" "a467897bbed0d3a0 9d50e9deaadff78d e9ac65c1fd05d076 10a79c8c465141ad" "65e60340531fab08 f1f433ef823283fe")); test_fors_gen (public_seed, secret_seed, 0, UINT64_C(0x29877722d7c079), 0x156, 0x203, SHEX ("1ba66d6f782bdd2485589ea15d2b8ff0"), SHEX ("4d9783fd544a53ee7a485ef229b35965")); test_fors_gen (public_seed, secret_seed, 0, UINT64_C(0x29877722d7c079), 0x156, 0, SHEX ("be19da5abd01818bbcae2fc2d728c83b"), SHEX ("40b0edc79104214adda356341b3950ab")); test_fors_gen (public_seed, secret_seed, 0, UINT64_C(0x29877722d7c079), 0x156, 1, SHEX ("ed98099d2fd9d94ac48cae4c142a4c78"), SHEX ("64fccb8a3cf088faeb39353aad5f624c")); test_fors_gen (public_seed, secret_seed, 0, UINT64_C(0x29877722d7c079), 0x156, 0x4e1e, SHEX ("17f55905e41a6dc6e5bab2c9f0c1d5d3"), SHEX ("15325ef3d2914cbd401327244cdb633d")); test_fors_sign (public_seed, secret_seed, &_slh_dsa_128s_params.fors, 0, UINT64_C(0x29877722d7c079), 0x156, SHEX ("2033c1a4df6fc230c699522a21bed913" "0dda231526"), SHEX ("3961b2cab15e08c633be827744a07f01"), SHEX ("1ba66d6f782bdd24 85589ea15d2b8ff0 a00c06eaedc8c22d cb86f3df8b52a3bd" "144d4ed6f1167431 a95dc6018879b6b0 f9813797204ec2b0 558bad17b32e6dd9" "88086a032c0acbcf 2c1349ffc16c4af7 59365ff74afe4b8d c3fac5b2cda7ba65" "6c36c086e58468c0 1eddfc959fbdc853 2d75e79cf3374756 cc0491cfef555921" "ec8567bff0b6f216 ac4a4f200da63b5c 6d3a5c3273aa7a42 66adf083d3126103" "c73fe63a6e05e47e 8b9a520f00f32a69 7d0ff3a5ee840931 3773188f300b39e5" "b4967febf77c0f23 226785ee9dce335c efb1ce84b0673058 1bcef4d45f24aee4" "96a60bd4759b7b20 692241850eae1de7 0c7c4287b9f3b962 a66e0f23d1301b84" "48bb3dc545be0ef8 d0ec0be045d33ae4 b2dc0c5d002c2699 e8f49bf3bcb13676" "beefe11186a20a95 7027ac48ee6dd33b c0895df9847fd1c6 7a753777d21ac464" "2751139061cca836 99822c13567833b9 41fe5954bff0969a 4b20e0829d77e24e" "d0e02a00a2ce9f7e 64923fa61f0da1af dc5978dc063afeac b7108ee08aaa55b7" "11df00bbf1c71d69 8b389e6ad0ee2af4 fad1d8f8c87d53ee ac1f82a162a95cd5" "cce6dfc9908a1de3 3a2b26b41bbc4ffd a8e136879f10341a 713d62c107f3238c" "38693aff2e1fe15a dd8380671b2fac8f db3a4ffacd143f5a 00e21caccbe7d95d" "4c31c4daf7110529 de599fb6e8aa4f71 8c6172f4f10c4c1d d7310f8e44d18fb9" "bb6b906ae7ce973d eadfc82d6704762e d61165f6ca118313 4b6c834bf6b4e4ce" "19700bb54fb2d0f2 82b11ee5b7f68c72 cf32ff9e7d1356bd 53fdcce0d03c43d0" "ebf6f7d8841a16dd b49944d01374ecb9 45e6c5f0659d5f51 de0b27a834e2e7be" "a78a609da75d7f2c 6a40ba9110a2c331 9db7775bf6226b9a 8e324dc4411824a8" "8db95cc2fd96e4bc 24f1ecb6ce2b9293 020c28deacec1eb3 313d4e3dfd24b403" "686f16272cac3aca 95080257071a54f7 45ffb4708ff2d02d e94d7e9bf8d45f64" "5917c7135d6bc0a1 ca0a99bc4e33a689 07aa65a58b586c56 e1d81af6cb57fa5d" "56b3567687ecef53 2bb5aaaf2041b510 1538294296ae4c11 89a5100eb19b5531" "2016c575cbbb688f 20ba186dd48e4161 64c29b2eb7b59979 814b5a8e76553997" "99bf79eeab3ee76d 4c97df282265564f 2fa8971a1ecca0c4 6b59cc6ba253531c" "17ab7125cf2aad60 a120c7d4b631b1ba f187182c7d7582da 3232251215ffd6a2" "a55c627ba8d5cafe 761504d8341f293e 713987d6e0ca2eab 373c5131c2d38051" "c35b17918937b9fe e98382c277640de0 ccec45ba22d9d189 eea505a21c8594dd" "9b12e69a7faf58ed 269b718abeea4621 391d7fb4c6e0037b daf4a9ac73191674" "9e2a17d704cf5616 8d97c17b257e2483 16aa9da15d822ee3 c325bc0519173641" "7007ea82088618d7 531ffcef255b2de2 bf9fcaeb29d83e56 7a08dd3d3c229209" "af96ba71d8274fda e324702878d99ac0 5e990e0d6f34c879 d19279f57541f294" "96645cad4a636793 385b0a5dc21d5659 37fc36384dea4beb b5746c10748efcbd" "6b1925a74e3ac467 d7af456e0ba1e47a 2fab24e8311c14d8 40b499c9140e99a4" "993379b9b762b3ad c9499d5c86d07bc6 a159876a9962d8a4 43514e812f75c60d" "c50028388c627329 6e7208a3fa618256 2d10d7142a99da06 86ef8f05e564446c" "6bb32ffdee9edd13 aee58027d29e7195 48b67d75efe9581a 3374c66f65a1cd9e" "f9e98e6b57c40321 2739df6fd2de6c8a 39decc7cd33e37db 3a0f43296cb987e8" "756d4b29dc227733 bdee1d2f01679dab 92ce506e2fc77a70 798787b2e95be8e9" "bf80d0b64af8eaa6 ceda80fe85a0ceaf 81f335b99a1899a3 d9d609e7ba606eb2" "ababf2bbce1bc8f9 9eaf6074cf1c7e07 9896eb09827c16d0 cd4833377c46a337" "a7950b31b6566624 02e8ba838668a315 ac531315a9a56af1 8729ee25f53711c0" "9d25c173aa0e4d2b ec72db4b9cb4210d 52a8fb2f8b2671b1 ec711a4da8a357df" "bb0d2ec9734a50e1 db92352ace0f26f5 0cfb76fd17a08dec bb19c2417a9dc719" "f2ecac4a8e7c4827 5533def5c08788dc 4b47ec81960b25a5 7dba2762f5a07003" "7c50a4883fe902eb cb1574998dd5e8b1 e34ea5aea20bbbef fdb5d6163688e4e1" "bdc9619f12b78d20 e8c073f81da8bbe4 8bde8934bc7186da 9d29d1f670a322bf" "9febca92915e393c 1878895c04b8c365 e4d399ac551a55c5 4264e3fc6176cbcd" "101790863cdab395 74a4dd5c9edd69a0 1df20a10e5abff31 b4e204f5cf7e1dc9" "a27626ec3bf06d28 fad08c10674830d7 abc54772d95ace66 765757340007a353" "63d270f410a6bcf2 0f2ca54dfdb00d9b e8fa7ea5b79bf818 2f16b95f9850ce4c" "acff1e66bec202b5 7b85b37cdd2c3900 1d2950666368afa2 1de5ce68f54833a8" "8da17b49c4e66243 560ec61a6efd5d3a 2966a76df2dc08c4 e5f02f8b8cd71b90" "4ddd4bfd73a5c848 9b7eb813ca3da6b8 dbea536354e01428 dd6dc42db23257a2" "0e322f685bb82b20 f0edc48351c22b75 e0aa8adc567f172e 654360e094c19754" "2f39965bd9004621 c9ee3297870ed818 f980a71ec4a8f818 1e9be5be1ef6a660" "cbf68637e54b5afa bbc5f9dc61933014 cb52b4d2624a24ac a3c6f5ca80dd5aee" "93d0155af703c0ac a4a9266cd9b56f3f 152fc4fca8e7dce3 21a188682fb36e6f" "7a736fd4e9972a9f 71f11d50c351551e 3c455f1b051befcb c1fd83239b748951" "f7e18c2027627339 712df2772dcd57de 9a15f218e25a4493 ce20d039e2880881" "69445f244f14d56e 6efe9ed005094333 1a4ef297119cf5c0 e21e2bbc535daebf" "3fce3caf9d86b62c 37a4c9bd8991b8ff 01e992f26a77e987 ca8ddf6cf47d47d5" "439eb6622b241172 a8d5a251dcb5d4d2 26a68bef9d2e77df e4db3ebd4342f49b" "ee82b28fc35063e9 36589f86f8ff2db0 f2a7fcbf0d461484 184f64bf18e5bff6" "84545e6112f87662 60987bcfe76bed5a 17dfb88a9b7d7cac cb4283afb4ee21ef" "b43d698c413de813 48309bc1ec10cdb3 3a7e2e4aaed41cfe bf808b08e7f64f8f" "6f250960375c3a3e d0617000ac6e54a6 12727861daf4d893 7ae133a5e99c607e" "09e8097f876ef8cd 75e244b78eaabf83 1db9efd0ba405b52 715825974579a627" "9f7775ab87de6e26 9979530e3fff6d8f f6421ab3ba1ec61b 9ebc1a2a7aa59002" "ac916c26f55bc369 b2e11030f3346548 28285930228ad081 2500c822bd41ead4" "80b530331f8642f2 6d5454fe75cc3870 d807ef92496b27e0 45b3317f10e98533" "59875ec041117f3b b37d88c526ef1a34 2b6ea289fa69bc91 4d8fef84a27329f3" "0a7326c84710f972 5432a525f3bf9af3 d93f9faded5766f9 067a5b1b7a0dac92" "75207b6776c404b1 7801a7372666f153 78cdf91bb4c29d6a cf79eed16918947c" "769283e829ec1e97 cb90630473224d88 95f2a0219d309507 173f42594372696f" "6ef8468b843d4ad5 81ad78c221bbb877 0ca2323858016dc6 f9c311bd451a5b68" "ce23c6feb8c1f543 82a8512d286e6bd5 62ada1c6c8c7c46d 7a9722d7a909b7cc" "fce3258bb37b78c0 d076e4bb587bfe05 95257c988543edeb d2f24f9e124dd0e3" "35ea2add17201df7 f2e68fbcc02da7d4 3b7a9a8f83de7375 be2c61b4c2b872bb" "de25ea659a59b1a6 3cbc9c5efb6c449d 9818245291c6c232 17ae6cb018cdf7a9" "a49240f37a484361 b450ba8fccedd4f4 556ca8423fd1e907 6a876306958ee264" "4646633c2777280a c7a82e441d79b556 c629d7c97b4c7895 4bae0e76cb4ab1b2" "0b51126ac8f125e2 f01c266df31b2ae6 d50eb02f96b39044 81a32254799bc233" "88f7d86b6b60876d 20cf9e8a4468fb3e be4883fb90765a50 5d6ae99827a0ff96" "d5eb284ac7df815c 0fd5aa2bdffa560b dc37beb9a7a6a4e3 fc074a9f812132a8" "6be3a1f73433a198 0a168bbe54910ff5 95a47b6747f43a67 8fe5a7c96e636b4b" "874f348d24b79337 db4315cb10fd0e56 2431511c323353cf 1e59fd5a55357e5f" "6b7cce60f1f8211f d1f5be68f7c8bd70 c29f03c0a6613c64 dd10a65db5e0c546" "f5382403ff8ba36b ad49879231912a4b 219a08a19858b12c 2744fd65603775b5" "6bf4459512e79188 92da55f87d7cc02c 6885c0ec02550b60 9e3fa7d9fb0d13ab")); test_xmss_sign (public_seed, secret_seed, 9, 0, UINT64_C(0x29877722d7c079), 0x156, /* The message signed is a fors public key. */ SHEX ("3961b2cab15e08c633be827744a07f01"), SHEX ("1be9523f2c90cd553ef5be5aa1c5c4fa"), SHEX (/* Embedded wots signature. */ "e1933de10e3fface 5fb8f8707c35ac13 74dc14ee8518481c 7e63d936ecc62f50" "c7f951b87bc716dc 45e9bcfec6f6d97e 7fafdacb6db05ed3 778f21851f325e25" "470da8dd81c41223 6d66cbee9ffa9c50 b86aa40baf213494 dfacca22aa0fb479" "53928735ca4212cf 53a09ab0335d20a8 e62ede797c8e7493 54d636f15f3150c5" "52797b76c091a41f 949f7fb57b42f744 1cca410264d6421f 4aa2c7e2ff4834a8" "db0e6e7750b2e11f f1c89a42d1fbc271 8358e38325886ad1 2346cd694f9eab73" "46c9a23b5ebe7637 bfd834a412318b01 188b0f29e3bd979f 8ae734acf1563af3" "03d3c095e9eaeba3 5207b9df3acf9ee4 7da5c1e2652f3b86 41698f3d2260591b" "07d00565e5d6be18 36033d2b7ef2c33b dc5cf3bba95b42df 6f73345b835341b2" "50e2862c9f2f9cef 77cfa74cfb04c560 d8a0038c4e96cb0d a2b3e9b2cd3cecf5" "22fda0d67e5f62b2 ee23bd42a61c7da4 8f0ea30b81af7ccb 6bb02cde272d2574" "1325e9d91535615c 0184f2d7f226141d 79b42412721fd345 61d93663650b3c1b" "6901872bc4c0bb15 bcd9038950b7717f 7f448b6126592076 a2bad2d63c55399c" "243fdbdb0c8d676b 2ae455e7f0a9b18d 3fc889c43387f2cb c4dc73d7c85bfab6" "b4b04463a3dd359c 3a8f61bfa6c4b042 4aeba4dd8a95ec12 43b2e36c29f82e1d" "711281599b3e05e7 5492ae3425eaa7f1 4ff8c6a9630bba6e bd236f195269a481" "e87eb3d444825ba4 424ee5b2d9efb595 d5a338f4c253f79d e9d04535206ca6db" "c2d4c9a1ec20849b 0db3fbe10c1446d5" /* Auth path aka inclusion proof. */ "612d5bac915a3996 2cdbcacee0969dcf 8ecfb830cea2206c 37749c65b8f673db" "090b1e2ade6c2a2f 349b5915103a3ac7 8482c39e99ffc462 6fb4cf4a116804ab" "9d93d7104660fefa 0753cf875cb22fd6 0e55dc2f303de036 47712b12067a55f7" "a467897bbed0d3a0 9d50e9deaadff78d e9ac65c1fd05d076 10a79c8c465141ad" "65e60340531fab08 f1f433ef823283fe")); test_slh_dsa_128_root (slh_dsa_shake_128s_root, public_seed, secret_seed, SHEX ("ac524902fc81f503 2bc27b17d9261ebd")); /* From https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/SLH-DSA-keyGen-FIPS205/internalProjection.json */ test_slh_dsa_128_root (slh_dsa_sha2_128s_root, /* tcId 1 */ SHEX ("0D794777914C99766827F0F09CA972BE"), SHEX ("173D04C938C1C36BF289C3C022D04B14"), SHEX ("0162C10219D422ADBA1359E6AA65299C")); test_slh_dsa_128_root (slh_dsa_sha2_128f_root, /* tcId 31 */ SHEX ("A868F1BD5DEBC12D4C9FAD66AABD0A94"), SHEX ("C42BCB3B5A6F331F5CCE899253C6D9E2"), SHEX ("B546DF247BE4C457F3D467CDFCFABD39")); test_slh_dsa_128_root (slh_dsa_shake_128s_root, /* tcId 11 */ SHEX ("529FFE86200D1F32C2B60D0CD909F190"), SHEX ("C151951F3811029239B74ADD24C506AF"), SHEX ("0761F9B727AFA724B47223016BB5B2BA")); test_slh_dsa_128_root (slh_dsa_shake_128s_root, /* tcId 12 */ SHEX ("B64302C8D20FB89AA2414307D44E1F9C"), SHEX ("D3ADF41FF57EED108BEF2D8733F4C2B0"), SHEX ("6EFA39EBBA94B0633C900644B81DE2B9")); test_slh_dsa_128_root (slh_dsa_shake_128f_root, /* tcId 31 */ SHEX ("56505C229F4E7FA6B201714C7DCC9DA3"), SHEX ("3956AB391B4D22FC907AF0740326D061"), SHEX ("66578F1F24C3FE371C97C14CE0E79CDC")); test_slh_dsa_128_root (slh_dsa_shake_128f_root, /* tcId 32 */ SHEX ("F8B2314A9ABB09E72509F14A742035BA"), SHEX ("57250E2880AF25BC0D8DBA76A8FBB666"), SHEX ("6B5F4A0CC172672BBE8DF3F86CB58F51")); /* If we mark the private key for the top-level slh_dsa_shake_128s_sign call as undefined, then we get valgrind errors from the branches in wots_chain, when signing the derived public keys. We'd need further instrumentation to make such a test work. */ if (test_side_channel) return; /* Test vector from https://github.com/smuellerDD/leancrypto/blob/master/slh-dsa/tests/sphincs_tester_vectors_shake_128s.h */ test_slh_dsa (&slh_dsa_shake_128s, SHEX ("B505D7CFAD1B4974 99323C8686325E47" "AC524902FC81F503 2BC27B17D9261EBD"), SHEX ("7C9935A0B07694AA 0C6D10E4DB6B1ADD" "2FD81A25CCB14803 2DCD739936737F2D"), SHEX ("D81C4D8D734FCBFB EADE3D3F8A039FAA" "2A2C9957E835AD55 B22E75BF57BB556A" "C8"), read_hex_file ("slh-dsa-shake-128s.ref", SLH_DSA_128S_SIGNATURE_SIZE)); /* Test vector from https://github.com/smuellerDD/leancrypto/blob/master/slh-dsa/tests/sphincs_tester_vectors_shake_128f.h */ test_slh_dsa (&slh_dsa_shake_128f, SHEX ("B505D7CFAD1B4974 99323C8686325E47" "AFBC007BA1E2B4A1 38F03AA9A6195AC8"), SHEX ("7C9935A0B07694AA 0C6D10E4DB6B1ADD" "2FD81A25CCB14803 2DCD739936737F2D"), SHEX ("D81C4D8D734FCBFB EADE3D3F8A039FAA" "2A2C9957E835AD55 B22E75BF57BB556A" "C8"), read_hex_file ("slh-dsa-shake-128f.ref", SLH_DSA_128F_SIGNATURE_SIZE)); /* From https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/SLH-DSA-sigGen-FIPS205/internalProjection.json */ test_slh_dsa (&slh_dsa_sha2_128f, /* tcId 7 */ SHEX ("0C04FABC4FCA7F356AC36C28B99D7A1FCFEF78F38B167CA9D0AB8772910C3945"), SHEX ("704555B4E5DD1B979A4C3B7A0A0E4EE241D59AE0779CAF0DF58300F21066DDA7"), read_hex_file ("slh-dsa-sha2-128f-tc7.msg", 5024), read_hex_file ("slh-dsa-sha2-128f-tc7.sig", SLH_DSA_128F_SIGNATURE_SIZE)); test_slh_dsa (&slh_dsa_shake_128f, /* tcId 64 */ SHEX ("C9A7900E931AFBA2B52A5BC55A2DC4D12DDC9BF8E0B2ED0BDE83E674F1ECE7AA"), SHEX ("0E87FF20256E0E499A53B52DF91467C01F0431C07250AFE93DE814117B5D66D3"), read_hex_file ("slh-dsa-shake-128f-tc64.msg", 2280), read_hex_file ("slh-dsa-shake-128f-tc64.sig", SLH_DSA_128F_SIGNATURE_SIZE)); test_slh_dsa (&slh_dsa_sha2_128s, /* tcId 162 */ SHEX ("0FD12C3F990748CF9B1426413B64128EDF9242E50B9E29378BD24CAD4D547540"), SHEX ("438E444071BD643C2407BD9FEB0071EC21DAA14113518133D6161EF420EE629D"), read_hex_file ("slh-dsa-sha2-128s-tc162.msg", 5746), read_hex_file ("slh-dsa-sha2-128s-tc162.sig", SLH_DSA_128S_SIGNATURE_SIZE)); test_slh_dsa (&slh_dsa_shake_128s, /* tcId 215 */ SHEX ("DD286FF370CB50BC1B23894AA3F7025A534A788E697B94942AB845EFB753A30B"), SHEX ("4738AC60C561FFBE15AB96EFFA1A09291A79332E1CA3C38B2FEF40ACA7CFE285"), read_hex_file ("slh-dsa-shake-128s-tc215.msg", 5377), read_hex_file ("slh-dsa-shake-128s-tc215.sig", SLH_DSA_128S_SIGNATURE_SIZE)); } nettle-4.0/testsuite/sm3-test.c0000644000000000000000000000107315141166425013460 0ustar00#include "testutils.h" #include "sm3.h" void test_main(void) { /* test vectors from: * https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash-01 */ test_hash(&nettle_sm3, SDATA("abc"), SHEX("66c7f0f462eeedd9 d1f2d46bdc10e4e2" "4167c4875cf2f7a2 297da02b8f4ba8e0")); test_hash(&nettle_sm3, SDATA("abcdabcdabcdabcdabcdabcdabcdabcd" "abcdabcdabcdabcdabcdabcdabcdabcd"), SHEX("debe9ff92275b8a1 38604889c18e5a4d" "6fdb70e5387e5765 293dcba39c0c5732")); } nettle-4.0/testsuite/sm4-test.c0000644000000000000000000000100215141166425013451 0ustar00#include "testutils.h" #include "sm4.h" void test_main(void) { /* test vectors from: * https://tools.ietf.org/id/draft-ribose-cfrg-sm4-10.html */ test_cipher(&nettle_sm4, SHEX("0123456789ABCDEF FEDCBA9876543210"), SHEX("0123456789ABCDEF FEDCBA9876543210"), SHEX("681EDF34D206965E 86B3E94F536E4246")); test_cipher(&nettle_sm4, SHEX("FEDCBA9876543210 0123456789ABCDEF"), SHEX("0001020304050607 08090A0B0C0D0E0F"), SHEX("F766678F13F01ADE AC1B3EA955ADB594")); } nettle-4.0/testsuite/streebog-test.c0000644000000000000000000000650215141166425014572 0ustar00#include "testutils.h" #include "streebog.h" void test_main(void) { /* Using test vectors from the standard itself */ /* RFC 6986 provides all data in "Integer" big-endian format, while all * constructs expects the data in little-endian format. Thus these examples * (as the rest of the code) has data buffers reversed compared to the RFC * 6986. */ /* 10.1.1 */ test_hash(&nettle_streebog512, SDATA("012345678901234567890123456789012345678901234567890123456789012"), SHEX("1b54d01a4af5b9d5 cc3d86d68d285462" "b19abc2475222f35 c085122be4ba1ffa" "00ad30f8767b3a82 384c6574f024c311" "e2a481332b08ef7f 41797891c1646f48")); /* 10.1.2 */ test_hash(&nettle_streebog256, SDATA("012345678901234567890123456789012345678901234567890123456789012"), SHEX("9d151eefd8590b89 daa6ba6cb74af927" "5dd051026bb149a4 52fd84e5e57b5500")); /* 10.2.1 */ test_hash(&nettle_streebog512, SHEX("d1e520e2e5f2f0e82c20d1f2f0e8e1ee" "e6e820e2edf3f6e82c20e2e5fef2fa20" "f120eceef0ff20f1f2f0e5ebe0ece820" "ede020f5f0e0e1f0fbff20efebfaeafb" "20c8e3eef0e5e2fb"), SHEX("1e88e62226bfca6f 9994f1f2d51569e0" "daf8475a3b0fe61a 5300eee46d961376" "035fe83549ada2b8 620fcd7c496ce5b3" "3f0cb9dddc2b6460 143b03dabac9fb28")); /* 10.2.2 */ test_hash(&nettle_streebog256, SHEX("d1e520e2e5f2f0e82c20d1f2f0e8e1ee" "e6e820e2edf3f6e82c20e2e5fef2fa20" "f120eceef0ff20f1f2f0e5ebe0ece820" "ede020f5f0e0e1f0fbff20efebfaeafb" "20c8e3eef0e5e2fb"), SHEX("9dd2fe4e90409e5d a87f53976d7405b0" "c0cac628fc669a74 1d50063c557e8f50")); /* Additional tests to verify long integer addition with carry */ test_hash(&nettle_streebog512, SHEX("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "16111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111116"), SHEX("8b06f41e59907d9636e892caf5942fcd" "fb71fa31169a5e70f0edb873664df41c" "2cce6e06dc6755d15a61cdeb92bd607c" "c4aaca6732bf3568a23a210dd520fd41")); test_hash(&nettle_streebog256, SHEX("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "16111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111116"), SHEX("81bb632fa31fcc38b4c379a662dbc58b" "9bed83f50d3a1b2ce7271ab02d25babb")); test_hash(&nettle_streebog512, SHEX("ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff"), SHEX("90a161d12ad309498d3fe5d48202d8a4" "e9c406d6a264aeab258ac5ecc37a7962" "aaf9587a5abb09b6bb81ec4b3752a3ff" "5a838ef175be5772056bc5fe54fcfc7e")); } nettle-4.0/testsuite/symbols-test0000755000000000000000000000257415141166425014237 0ustar00#! /bin/sh # Check that all exported symbols use the nettle prefix. if [ -z "$srcdir" ] ; then srcdir=`pwd` fi : ${NM:=nm} # * nm on aix seems to generate bogus output including random binary # data. Using -g is a workaround to get rid of that. But nm -g # doesn't work on Solaris-2.4, so try nm -g first, and plain nm if # -g isn't recognized. # # * gcc on x86 generates functions like __i686.get_pc_thunk.bx in pic # code. # * LLVM shipped with Xcode/CLT 10+ on macOS builds the symbol # ____chkstk_darwin into the majority of binaries/libraries, including # both the libraries checked here. ( $NM -g ../libnettle.a || $NM ../libnettle.a ) \ | grep ' [DRT] ' | egrep -v '( |^|\.)(\.?_?(_?nettle_)|get_pc_thunk|(_*chkstk_darwin))' \ | sort -k3 > test1.out if [ -s test1.out ] ; then echo Exported symbols in libnettle.a, lacking the nettle prefix: cat test1.out exit 1 fi if [ -s ../libhogweed.a ] ; then PATTERN='\.?_?_?nettle_|get_pc_thunk|(_*chkstk_darwin)' if grep '^#define.*NETTLE_USE_MINI_GMP.*1$' ../version.h >/dev/null ; then PATTERN="$PATTERN|_?(mp_|mpz_|mpn_)" fi ( $NM -g ../libhogweed.a || $NM ../libhogweed.a ) \ | grep ' [DRT] ' | egrep -v "( |^|\.)($PATTERN)" \ | sort -k3 > test1.out if [ -s test1.out ] ; then echo Exported symbols in libhogweed.a, lacking the nettle prefix: cat test1.out exit 1 fi fi exit 0 nettle-4.0/testsuite/testutils.c0000644000000000000000000022164615141166425014053 0ustar00/* testutils.c */ #include "testutils.h" #include "base16.h" #include "cbc.h" #include "cfb.h" #include "ctr.h" #include "knuth-lfib.h" #include "macros.h" #include "nettle-internal.h" #include #include #include #include #if HAVE_VALGRIND_MEMCHECK_H # include # include #endif void die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); abort (); } void * xalloc(size_t size) { void *p = malloc(size); if (size && !p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } static struct tstring *tstring_first = NULL; struct tstring * tstring_alloc (size_t length) { struct tstring *s = xalloc(sizeof(struct tstring) + length + 1); s->length = length; s->next = tstring_first; /* NUL-terminate, for convenience. */ s->data[length] = '\0'; tstring_first = s; return s; } void tstring_clear(void) { while (tstring_first) { struct tstring *s = tstring_first; tstring_first = s->next; free(s); } } struct tstring * tstring_data(size_t length, const uint8_t *data) { struct tstring *s = tstring_alloc (length); memcpy (s->data, data, length); return s; } struct tstring * tstring_hex(const char *hex) { struct base16_decode_ctx ctx; struct tstring *s; size_t length = strlen(hex); s = tstring_alloc(BASE16_DECODE_LENGTH (length)); base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &s->length, s->data, length, hex)); ASSERT (base16_decode_final (&ctx)); return s; } void tstring_print_hex(const struct tstring *s) { print_hex (s->length, s->data); } void print_hex(size_t length, const uint8_t *data) { size_t i; for (i = 0; i < length; i++) { switch (i % 16) { default: break; case 0: printf("\n"); break; case 8: printf(" "); break; } printf("%02x", data[i]); } printf("\n"); } /* Tries opening the file in $srcdir, if set, otherwise the current * working directory */ FILE * open_srcdir_file (const char *name) { const char *srcdir = getenv("srcdir"); FILE *f; if (srcdir && srcdir[0]) { size_t size = strlen(name) + strlen(srcdir) + 2; char *buf = xalloc(size); snprintf(buf, size, "%s/%s", srcdir, name); f = fopen(buf, "r"); free(buf); } else f = fopen(name, "r"); if (!f) { fprintf(stderr, "Failed to open '%s': %s\n", name, strerror(errno)); FAIL(); } return f; } int verbose = 0; int test_side_channel = 0; #if HAVE_VALGRIND_MEMCHECK_H void mark_bytes_undefined (size_t size, const void *p) { if (test_side_channel) VALGRIND_MAKE_MEM_UNDEFINED(p, size); } void mark_bytes_defined (size_t size, const void *p) { if (test_side_channel) VALGRIND_MAKE_MEM_DEFINED(p, size); } #else void mark_bytes_undefined (size_t size UNUSED, const void *p UNUSED) {} void mark_bytes_defined (size_t size UNUSED, const void *p UNUSED) {} #endif int main(int argc, char **argv) { if (argc > 1) { if (argc == 2 && !strcmp(argv[1], "-v")) verbose = 1; else { fprintf(stderr, "Invalid argument `%s', only accepted option is `-v'.\n", argv[1]); return 1; } } if (getenv("NETTLE_TEST_SIDE_CHANNEL")) { #if HAVE_VALGRIND_MEMCHECK_H if (RUNNING_ON_VALGRIND) test_side_channel = 1; else #endif SKIP(); } test_main(); tstring_clear(); return EXIT_SUCCESS; } void test_cipher(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { void *ctx = xalloc(cipher->context_size); uint8_t *buf = xalloc(cleartext->length + 7); size_t length; unsigned align; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); for (align = 0; align <= 7; align++) { uint8_t *data = buf + align; cipher->set_encrypt_key(ctx, key->data); cipher->encrypt(ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed (align %d):\nInput:", align); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_decrypt_key(ctx, key->data); cipher->decrypt(ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed (align %d):\nInput:", align); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } } free(ctx); free(buf); } void test_cipher_cbc(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data; uint8_t *iv = xalloc(cipher->block_size); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CBC encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_decrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_decrypt(ctx, cipher->decrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CBC decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(iv); } void test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data, *data2; uint8_t *iv = xalloc(cipher->block_size); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length); data2 = xalloc(length); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB inplace encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB inplace decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } /* Repeat all tests with incomplete last block */ length -= 1; cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB inplace encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB inplace decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(data2); free(iv); } void test_cipher_cfb8(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data, *data2; uint8_t *iv = xalloc(cipher->block_size); size_t length; size_t block; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length + 1); data2 = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memset(data, 0x17, length + 1); for (i = 0; i + block <= length; i += block) { cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, block, data + i, cleartext->data + i); } cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length - i, data + i, cleartext->data + i); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 encrypt failed, block size %lu:\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } ASSERT (data[length] == 0x17); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memset(data2, 0x17, length + 1); for (i = 0; i + block <= length; i += block) { cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, block, data2 + i, data + i); } cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length - i, data2 + i, data + i); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB8 decrypt failed, block size %lu:\nInput:", (unsigned long) block); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } ASSERT (data[length] == 0x17); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } /* Repeat all tests with incomplete last block */ length -= 1; cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB8 decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(data2); free(iv); } void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *ictr) { void *ctx = xalloc(cipher->context_size); uint8_t *data; uint8_t *ctr = xalloc(cipher->block_size); uint8_t *octr = xalloc(cipher->block_size); size_t length, nblocks; unsigned low; size_t i; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (ictr->length == cipher->block_size); /* Compute expected counter value after the operation. */ nblocks = (length + cipher->block_size - 1) / cipher->block_size; ASSERT (nblocks < 0x100); memcpy (octr, ictr->data, cipher->block_size - 1); low = ictr->data[cipher->block_size - 1] + nblocks; octr[cipher->block_size - 1] = low; if (low >= 0x100) INCREMENT (cipher->block_size - 1, octr); data = xalloc(length); cipher->set_encrypt_key(ctx, key->data); for (i = 0; i <= length; i++) { memcpy(ctr, ictr->data, cipher->block_size); memset(data, 17, length); ctr_crypt(ctx, cipher->encrypt, cipher->block_size, ctr, i, data, cleartext->data); if (!MEMEQ(i, data, ciphertext->data) || (i < length && data[i] != 17)) { fprintf(stderr, "CTR encrypt failed (length %d of %d):\nInput:", (int) i, (int) length); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } ASSERT (MEMEQ (cipher->block_size, ctr, octr)); memcpy(ctr, ictr->data, cipher->block_size); ctr_crypt(ctx, cipher->encrypt, cipher->block_size, ctr, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CTR decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } ASSERT (MEMEQ (cipher->block_size, ctr, octr)); free(ctx); free(data); free(octr); free(ctr); } #if 0 void test_cipher_stream(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { size_t block; void *ctx = xalloc(cipher->context_size); uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; memset(data, 0x17, length + 1); cipher->set_encrypt_key(ctx, key->length, key->data); for (i = 0; i + block < length; i += block) { cipher->encrypt(ctx, block, data + i, cleartext->data + i); ASSERT (data[i + block] == 0x17); } cipher->encrypt(ctx, length - i, data + i, cleartext->data + i); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed, block size %lu\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } cipher->set_decrypt_key(ctx, key->length, key->data); cipher->decrypt(ctx, length, data, data); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); } #endif void test_aead(const struct nettle_aead *aead, nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *nonce, const struct tstring *digest) { void *ctx = xalloc(aead->context_size); uint8_t *in, *out; uint8_t *buffer; unsigned in_align; ASSERT (cleartext->length == ciphertext->length); ASSERT (key->length == aead->key_size); ASSERT(aead->block_size > 0); buffer = xalloc(aead->digest_size); in = xalloc(cleartext->length + aead->block_size - 1); out = xalloc(cleartext->length + aead->block_size - 1); for (in_align = 0; in_align < aead->block_size; in_align++) { /* Different alignment, but don't try all combinations. */ unsigned out_align = 3*in_align % aead->block_size; size_t offset; memcpy (in + in_align, cleartext->data, cleartext->length); for (offset = 0; offset <= cleartext->length; offset += aead->block_size) { /* encryption */ aead->set_encrypt_key(ctx, key->data); if (set_nonce) set_nonce (ctx, nonce->length, nonce->data); else { assert (nonce->length == aead->nonce_size); aead->set_nonce(ctx, nonce->data); } if (aead->update) { size_t a_offset = (offset <= authtext->length) ? offset : 0; aead->update(ctx, a_offset, authtext->data); aead->update(ctx, 0, NULL); aead->update(ctx, authtext->length - a_offset, authtext->data + a_offset); } aead->encrypt(ctx, offset, out + out_align, in + in_align); aead->encrypt(ctx, 0, out + out_align, NULL); aead->encrypt(ctx, cleartext->length - offset, out + out_align + offset, in + in_align + offset); if (!MEMEQ(cleartext->length, out + out_align, ciphertext->data)) { fprintf(stderr, "aead->encrypt failed (offset = %u):\nclear: ", (unsigned) offset); tstring_print_hex(cleartext); fprintf(stderr, " got: "); print_hex(cleartext->length, out + out_align); fprintf(stderr, " exp: "); tstring_print_hex(ciphertext); FAIL(); } if (digest) { ASSERT (digest->length == aead->digest_size); memset(buffer, 0, aead->digest_size); aead->digest(ctx, buffer); if (!MEMEQ(digest->length, buffer, digest->data)) { fprintf(stderr, "aead->digest failed (offset = %u):\n got: ", (unsigned) offset); print_hex(digest->length, buffer); fprintf(stderr, " exp: "); tstring_print_hex(digest); FAIL(); } } else ASSERT(!aead->digest); /* decryption */ if (aead->set_decrypt_key) { aead->set_decrypt_key(ctx, key->data); if (set_nonce) set_nonce (ctx, nonce->length, nonce->data); else { assert (nonce->length == aead->nonce_size); aead->set_nonce(ctx, nonce->data); } if (aead->update && authtext->length) aead->update(ctx, authtext->length, authtext->data); aead->decrypt(ctx, offset, out + out_align, out + out_align); aead->decrypt(ctx, 0, out + out_align, NULL); aead->decrypt(ctx, cleartext->length - offset, out + out_align + offset, out + out_align + offset); ASSERT(MEMEQ(cleartext->length, out + out_align, cleartext->data)); if (digest) { ASSERT (digest->length == aead->digest_size); memset(buffer, 0, aead->digest_size); aead->digest(ctx, buffer); ASSERT(MEMEQ(digest->length, buffer, digest->data)); } } } } free(ctx); free(in); free(out); free(buffer); } void test_aead_message (const struct nettle_aead_message *aead, const struct tstring *key, const struct tstring *nonce, const struct tstring *adata, const struct tstring *clear, const struct tstring *cipher) { void *ctx = xalloc (aead->context_size); uint8_t *buf = xalloc (cipher->length + 1); uint8_t *copy = xalloc (cipher->length); static const uint8_t nul = 0; int res; ASSERT (key->length == aead->key_size); ASSERT (cipher->length > clear->length); ASSERT (cipher->length - clear->length == aead->digest_size); aead->set_encrypt_key (ctx, key->data); buf[cipher->length] = 0xae; aead->encrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, cipher->length, buf, clear->data); if (!MEMEQ (cipher->length, cipher->data, buf)) { fprintf(stderr, "aead->encrypt (message) failed:\n got: "); print_hex (cipher->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (cipher); FAIL(); } if (buf[cipher->length] != 0xae) { fprintf (stderr, "aead->encrypt (message) wrote too much.\n "); FAIL(); } aead->set_decrypt_key (ctx, key->data); memset (buf, 0xae, clear->length + 1); res = aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, cipher->data); if (!res) { fprintf (stderr, "decrypting valid ciphertext failed:\n "); tstring_print_hex (cipher); } if (!MEMEQ (clear->length, clear->data, buf)) { fprintf(stderr, "aead->decrypt (message) failed:\n got: "); print_hex (clear->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (clear); FAIL(); } /* Invalid messages */ if (clear->length > 0 && aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length - 1, buf, cipher->data)) { fprintf (stderr, "Invalid message (truncated) not rejected\n"); FAIL(); } memcpy (copy, cipher->data, cipher->length); copy[0] ^= 4; if (aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, copy)) { fprintf (stderr, "Invalid message (first byte modified) not rejected\n"); FAIL(); } memcpy (copy, cipher->data, cipher->length); copy[cipher->length - 1] ^= 4; if (aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, copy)) { fprintf (stderr, "Invalid message (last byte modified) not rejected\n"); FAIL(); } if (aead->decrypt (ctx, nonce->length, nonce->data, adata->length > 0 ? adata->length - 1 : 1, adata->length > 0 ? adata->data : &nul, clear->length, buf, cipher->data)) { fprintf (stderr, "Invalid adata not rejected\n"); FAIL(); } /* Test in-place operation. NOTE: Not supported for SIV-CMAC. */ if (aead->supports_inplace) { aead->set_encrypt_key (ctx, key->data); buf[cipher->length] = 0xae; memcpy (buf, clear->data, clear->length); aead->encrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, cipher->length, buf, buf); if (!MEMEQ (cipher->length, cipher->data, buf)) { fprintf(stderr, "aead->encrypt (in-place message) failed:\n got: "); print_hex (cipher->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (cipher); FAIL(); } if (buf[cipher->length] != 0xae) { fprintf (stderr, "aead->encrypt (in-place message) wrote too much.\n "); FAIL(); } res = aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, buf); if (!res) { fprintf (stderr, "in-place decrypting valid ciphertext failed:\n "); tstring_print_hex (cipher); } if (!MEMEQ (clear->length, clear->data, buf)) { fprintf(stderr, "aead->decrypt (in-place message) failed:\n got: "); print_hex (clear->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (clear); FAIL(); } } free (ctx); free (buf); free (copy); } void test_hash(const struct nettle_hash *hash, const struct tstring *msg, const struct tstring *digest) { void *ctx = xalloc(hash->context_size); uint8_t *buffer = xalloc(digest->length); uint8_t *input; unsigned offset; ASSERT (digest->length == hash->digest_size); hash->init(ctx); for (offset = 0; offset <= msg->length && offset < 40; offset++) { hash->update(ctx, offset, msg->data); hash->update(ctx, 0, NULL); hash->update(ctx, msg->length - offset, msg->data + offset); hash->digest(ctx, buffer); if (MEMEQ(digest->length, digest->data, buffer) == 0) { fprintf(stdout, "Offset %u\nGot:\n", offset); print_hex(digest->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(digest->length, digest->data); abort(); } } input = xalloc (msg->length + 16); for (offset = 0; offset < 16; offset++) { memset (input, 0, msg->length + 16); memcpy (input + offset, msg->data, msg->length); hash->update (ctx, msg->length, input + offset); hash->digest (ctx, buffer); if (MEMEQ(digest->length, digest->data, buffer) == 0) { fprintf(stdout, "hash input address: %p\nGot:\n", input + offset); print_hex(digest->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(digest->length, digest->data); abort(); } } free(ctx); free(buffer); free(input); } void test_xof (const struct nettle_xof *xof, const struct tstring *msg, const struct tstring *digest) { void *ctx = xalloc (xof->context_size); uint8_t *buffer = xalloc (digest->length); uint8_t *input; unsigned offset, size; xof->init (ctx); for (offset = 0; offset <= msg->length && offset < 40; offset++) { xof->update (ctx, offset, msg->data); xof->update (ctx, 0, NULL); xof->update (ctx, msg->length - offset, msg->data + offset); xof->digest (ctx, digest->length, buffer); if (MEMEQ (digest->length, digest->data, buffer) == 0) { fprintf (stdout, "Offset %u\nGot:\n", offset); print_hex (digest->length, buffer); fprintf (stdout, "\nExpected:\n"); print_hex (digest->length, digest->data); abort (); } } input = xalloc (msg->length + 16); for (offset = 0; offset < 16; offset++) { memset (input, 0, msg->length + 16); memcpy (input + offset, msg->data, msg->length); xof->update (ctx, msg->length, input + offset); xof->digest (ctx, digest->length, buffer); if (MEMEQ(digest->length, digest->data, buffer) == 0) { fprintf(stdout, "xof input address: %p\nGot:\n", input + offset); print_hex(digest->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(digest->length, digest->data); abort(); } } /* Test producing output incrementally. */ for (size = 1; size <= xof->block_size + 2; ) { xof->init (ctx); xof->update (ctx, msg->length, msg->data); memset (buffer, 0, digest->length); for (offset = 0; offset + size < digest->length; offset += size) { xof->output (ctx, size, buffer + offset); ASSERT (MEMEQ (offset + size, digest->data, buffer)); ASSERT (buffer[offset + size] == 0); } xof->output (ctx, digest->length - offset, buffer + offset); if (MEMEQ(digest->length, digest->data, buffer) == 0) { fprintf(stdout, "xof output increment: %u\nGot:\n", size); print_hex(digest->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(digest->length, digest->data); abort(); } /* Try sizes 1, 2, 4, 7, 11, ..., and sizes around the block size. */ if (size < xof->block_size - 2) { size += 1 + size/2; if (size > xof->block_size - 2) size = xof->block_size - 2; } else size++; } free(ctx); free(buffer); free(input); } void test_hash_large(const struct nettle_hash *hash, size_t count, size_t length, uint8_t c, const struct tstring *digest) { void *ctx = xalloc(hash->context_size); uint8_t *buffer = xalloc(hash->digest_size); uint8_t *data = xalloc(length); size_t i; ASSERT (digest->length == hash->digest_size); memset(data, c, length); hash->init(ctx); for (i = 0; i < count; i++) { hash->update(ctx, length, data); if (i % (count / 50) == 0) fprintf (stderr, "."); } fprintf (stderr, "\n"); hash->digest(ctx, buffer); print_hex(hash->digest_size, buffer); ASSERT (MEMEQ(hash->digest_size, digest->data, buffer)); free(ctx); free(buffer); free(data); } void test_mac(const struct nettle_mac *mac, nettle_hash_update_func *set_key, const struct tstring *key, const struct tstring *msg, const struct tstring *digest) { void *ctx = xalloc(mac->context_size); uint8_t *hash = xalloc(mac->digest_size); unsigned i; ASSERT (digest->length <= mac->digest_size); if (set_key) set_key (ctx, key->length, key->data); else { ASSERT (key->length == mac->key_size); mac->set_key (ctx, key->data); } mac->update (ctx, msg->length, msg->data); mac->digest (ctx, hash); if (!MEMEQ (digest->length, digest->data, hash)) { fprintf (stderr, "test_mac %s failed, msg: ", mac->name); print_hex (msg->length, msg->data); fprintf(stderr, "Output:"); print_hex (mac->digest_size, hash); fprintf(stderr, "Expected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } /* attempt to re-use the structure */ mac->update (ctx, msg->length, msg->data); mac->digest (ctx, hash); if (!MEMEQ (digest->length, digest->data, hash)) { fprintf (stderr, "test_mac %s failed on re-use, msg: ", mac->name); print_hex (msg->length, msg->data); fprintf(stderr, "Output:"); print_hex (mac->digest_size, hash); fprintf(stderr, "Expected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } /* attempt byte-by-byte hashing */ for (i=0;ilength;i++) mac->update (ctx, 1, msg->data+i); mac->digest (ctx, hash); if (!MEMEQ (digest->length, digest->data, hash)) { fprintf (stderr, "test_mac %s failed on byte-by-byte, msg: ", mac->name); print_hex (msg->length, msg->data); fprintf(stderr, "Output:"); print_hex (16, hash); fprintf(stderr, "Expected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } free (ctx); free (hash); } #if WITH_HOGWEED void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn) { mpz_t x; mpz_out_str (f, base, mpz_roinit_n (x, xp, xn)); } #if NETTLE_USE_MINI_GMP void gmp_randinit_default (struct knuth_lfib_ctx *ctx) { knuth_lfib_init (ctx, 17); } void mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits) { size_t bytes = (bits+7)/8; uint8_t *buf = xalloc (bytes); knuth_lfib_random (ctx, bytes, buf); buf[0] &= 0xff >> (8*bytes - bits); nettle_mpz_set_str_256_u (r, bytes, buf); free (buf); } void mpz_urandomm (mpz_t r, struct knuth_lfib_ctx *ctx, const mpz_t n) { /* Add some extra bits, to make result almost unbiased. */ mpz_urandomb(r, ctx, mpz_sizeinbase(n, 2) + 30); mpz_mod(r, r, n); } #else /* !NETTLE_USE_MINI_GMP */ static void get_random_seed(mpz_t seed) { struct timeval tv; FILE *f; f = fopen ("/dev/urandom", "rb"); if (f) { uint8_t buf[8]; size_t res; setbuf (f, NULL); res = fread (&buf, sizeof(buf), 1, f); fclose(f); if (res == 1) { nettle_mpz_set_str_256_u (seed, sizeof(buf), buf); return; } fprintf (stderr, "Read of /dev/urandom failed: %s\n", strerror (errno)); } gettimeofday(&tv, NULL); mpz_set_ui (seed, tv.tv_sec); mpz_mul_ui (seed, seed, 1000000UL); mpz_add_ui (seed, seed, tv.tv_usec); } int test_randomize(gmp_randstate_t rands) { const char *nettle_test_seed; nettle_test_seed = getenv ("NETTLE_TEST_SEED"); if (nettle_test_seed && *nettle_test_seed) { mpz_t seed; mpz_init (seed); if (mpz_set_str (seed, nettle_test_seed, 0) < 0 || mpz_sgn (seed) < 0) die ("Invalid NETTLE_TEST_SEED: %s\n", nettle_test_seed); if (mpz_sgn (seed) == 0) get_random_seed (seed); fprintf (stderr, "Using NETTLE_TEST_SEED="); mpz_out_str (stderr, 10, seed); fprintf (stderr, "\n"); gmp_randseed (rands, seed); mpz_clear (seed); return 1; } else return 0; } #endif /* !NETTLE_USE_MINI_GMP */ mp_limb_t * xalloc_limbs (mp_size_t n) { return xalloc (n * sizeof (mp_limb_t)); } /* Expects local variables pub, key, rstate, digest, signature */ #define SIGN(hash, msg, expected) do { \ hash##_update(&hash, LDATA(msg)); \ ASSERT(rsa_##hash##_sign(key, &hash, signature)); \ if (verbose) \ { \ fprintf(stderr, "rsa-%s signature: ", #hash); \ mpz_out_str(stderr, 16, signature); \ fprintf(stderr, "\n"); \ } \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ hash##_update(&hash, LDATA(msg)); \ ASSERT(rsa_##hash##_sign_tr(pub, key, &rstate, \ (nettle_random_func *) knuth_lfib_random, \ &hash, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ hash##_update(&hash, LDATA(msg)); \ hash##_digest(&hash, digest); \ ASSERT(rsa_##hash##_sign_digest(key, digest, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ ASSERT(rsa_##hash##_sign_digest_tr(pub, key, &rstate, \ (nettle_random_func *)knuth_lfib_random, \ digest, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ } while(0) #define VERIFY(key, hash, msg, signature) ( \ hash##_update(&hash, LDATA(msg)), \ rsa_##hash##_verify(key, &hash, signature) \ ) void test_rsa_set_key_1(struct rsa_public_key *pub, struct rsa_private_key *key) { /* Initialize key pair for test programs */ /* 1000-bit key, generated by * * lsh-keygen -a rsa -l 1000 -f advanced-hex * * (private-key (rsa-pkcs1 * (n #69abd505285af665 36ddc7c8f027e6f0 ed435d6748b16088 * 4fd60842b3a8d7fb bd8a3c98f0cc50ae 4f6a9f7dd73122cc * ec8afa3f77134406 f53721973115fc2d 8cfbba23b145f28d * 84f81d3b6ae8ce1e 2850580c026e809b cfbb52566ea3a3b3 * df7edf52971872a7 e35c1451b8636d22 279a8fb299368238 * e545fbb4cf#) * (e #0db2ad57#) * (d #3240a56f4cd0dcc2 4a413eb4ea545259 5c83d771a1c2ba7b * ec47c5b43eb4b374 09bd2aa1e236dd86 481eb1768811412f * f8d91be3545912af b55c014cb55ceac6 54216af3b85d5c4f * 4a32894e3b5dfcde 5b2875aa4dc8d9a8 6afd0ca92ef50d35 * bd09f1c47efb4c8d c631e07698d362aa 4a83fd304e66d6c5 * 468863c307#) * (p #0a66399919be4b4d e5a78c5ea5c85bf9 aba8c013cb4a8732 * 14557a12bd67711e bb4073fd39ad9a86 f4e80253ad809e5b * f2fad3bc37f6f013 273c9552c9f489#) * (q #0a294f069f118625 f5eae2538db9338c 776a298eae953329 * 9fd1eed4eba04e82 b2593bc98ba8db27 de034da7daaea795 * 2d55b07b5f9a5875 d1ca5f6dcab897#) * (a #011b6c48eb592eee e85d1bb35cfb6e07 344ea0b5e5f03a28 * 5b405396cbc78c5c 868e961db160ba8d 4b984250930cf79a * 1bf8a9f28963de53 128aa7d690eb87#) * (b #0409ecf3d2557c88 214f1af5e1f17853 d8b2d63782fa5628 * 60cf579b0833b7ff 5c0529f2a97c6452 2fa1a8878a9635ab * ce56debf431bdec2 70b308fa5bf387#) * (c #04e103ee925cb5e6 6653949fa5e1a462 c9e65e1adcd60058 * e2df9607cee95fa8 daec7a389a7d9afc 8dd21fef9d83805a * 40d46f49676a2f6b 2926f70c572c00#))) */ mpz_set_str(pub->n, "69abd505285af665" "36ddc7c8f027e6f0" "ed435d6748b16088" "4fd60842b3a8d7fb" "bd8a3c98f0cc50ae" "4f6a9f7dd73122cc" "ec8afa3f77134406" "f53721973115fc2d" "8cfbba23b145f28d" "84f81d3b6ae8ce1e" "2850580c026e809b" "cfbb52566ea3a3b3" "df7edf52971872a7" "e35c1451b8636d22" "279a8fb299368238" "e545fbb4cf", 16); mpz_set_str(pub->e, "0db2ad57", 16); ASSERT (rsa_public_key_prepare(pub)); /* d is not used */ #if 0 mpz_set_str(key->d, "3240a56f4cd0dcc2" "4a413eb4ea545259" "5c83d771a1c2ba7b" "ec47c5b43eb4b374" "09bd2aa1e236dd86" "481eb1768811412f" "f8d91be3545912af" "b55c014cb55ceac6" "54216af3b85d5c4f" "4a32894e3b5dfcde" "5b2875aa4dc8d9a8" "6afd0ca92ef50d35" "bd09f1c47efb4c8d" "c631e07698d362aa" "4a83fd304e66d6c5" "468863c307", 16); #endif mpz_set_str(key->p, "0a66399919be4b4d" "e5a78c5ea5c85bf9" "aba8c013cb4a8732" "14557a12bd67711e" "bb4073fd39ad9a86" "f4e80253ad809e5b" "f2fad3bc37f6f013" "273c9552c9f489", 16); mpz_set_str(key->q, "0a294f069f118625" "f5eae2538db9338c" "776a298eae953329" "9fd1eed4eba04e82" "b2593bc98ba8db27" "de034da7daaea795" "2d55b07b5f9a5875" "d1ca5f6dcab897", 16); mpz_set_str(key->a, "011b6c48eb592eee" "e85d1bb35cfb6e07" "344ea0b5e5f03a28" "5b405396cbc78c5c" "868e961db160ba8d" "4b984250930cf79a" "1bf8a9f28963de53" "128aa7d690eb87", 16); mpz_set_str(key->b, "0409ecf3d2557c88" "214f1af5e1f17853" "d8b2d63782fa5628" "60cf579b0833b7ff" "5c0529f2a97c6452" "2fa1a8878a9635ab" "ce56debf431bdec2" "70b308fa5bf387", 16); mpz_set_str(key->c, "04e103ee925cb5e6" "6653949fa5e1a462" "c9e65e1adcd60058" "e2df9607cee95fa8" "daec7a389a7d9afc" "8dd21fef9d83805a" "40d46f49676a2f6b" "2926f70c572c00", 16); ASSERT (rsa_private_key_prepare(key)); ASSERT (pub->size == key->size); } void test_rsa_set_key_2(struct rsa_public_key *pub, struct rsa_private_key *key) { /* Initialize key pair for test programs */ /* 2048-bit key, generated by * * certtool --generate-privkey --key-type=rsa --bits=2048 --outfile - * * Public Key Info: * Public Key Algorithm: RSA * Key Security Level: Medium (2048 bits) * * modulus: * 00:dd:ef:1d:66:d5:f0:b3:56:9b:da:2a:59:c7:96:e6 * 7a:c9:c8:13:61:89:da:f1:5a:01:65:61:ac:fb:53:1a * 09:49:41:dd:fd:db:6e:68:c4:3a:8a:61:46:c3:ea:8b * 34:5f:e1:f6:60:91:9b:09:ae:8e:8c:ad:fa:99:ef:2a * b5:7d:32:ad:cc:2d:4f:3f:df:21:42:b7:ce:6e:ab:ca * eb:a4:93:97:8f:55:c4:8f:19:de:dd:ea:0a:83:10:3c * 8c:5f:f5:ce:01:7f:32:3d:d6:f8:82:f2:2d:3f:8f:20 * 6a:02:68:a9:8b:0d:12:99:93:67:f9:1c:23:ae:5f:0d * df:ec:2b:5d:78:c8:14:ac:6b:e9:2a:f7:aa:3e:cd:a1 * c8:c8:3e:11:24:50:eb:68:34:4c:0c:c1:2a:be:13:95 * ee:a0:73:dd:09:f2:38:5c:58:a7:dc:60:30:90:c9:a4 * 1b:19:ed:51:5c:15:51:54:cd:8a:92:10:76:d4:19:88 * f8:93:ff:8d:08:a2:46:0f:59:af:c1:3d:4e:24:b5:e5 * 8a:8e:44:10:85:74:8d:06:64:72:b2:f7:c5:6c:75:09 * fa:bc:9d:73:5d:14:c5:a6:81:f5:2e:8a:2d:a9:aa:c1 * 43:b9:07:cf:77:90:7a:28:c5:41:53:51:d1:b3:6a:e2 * 7b: * * public exponent: * 01:00:01: * * private exponent: * 73:2e:6f:66:f8:af:d4:93:a5:8d:63:9f:76:cb:a5:50 * a2:ba:b8:fc:4d:4c:99:28:2a:43:50:9f:33:4c:9c:dd * a6:ec:8d:66:fb:e4:60:71:3f:24:a4:79:d2:a2:3e:9e * ef:08:5a:13:22:5e:81:76:db:ba:bd:6c:ab:49:8a:33 * e9:07:4d:56:03:49:f7:0f:39:b6:e3:a8:3a:9d:e4:51 * c9:f7:63:98:5b:5e:09:1a:d7:24:fb:1b:7b:8c:08:b0 * 9d:f8:f7:72:a5:6e:10:d4:29:e3:e4:06:81:cf:29:76 * 7b:4b:90:7a:7f:4d:60:f1:34:eb:ff:a3:b1:12:da:22 * 9e:87:c0:77:22:38:03:4b:80:ab:0c:8a:07:14:c3:c0 * 08:9e:2c:13:9f:74:f4:19:86:51:61:67:b0:ce:bc:7b * 8f:81:18:8e:3c:8e:e7:e5:d4:e9:ed:49:b8:0b:21:b1 * 2a:82:0f:7b:4d:8d:e4:f7:bc:8a:6c:c9:20:8c:4b:ba * 1e:67:43:9e:58:a4:e4:20:c6:4b:22:05:9d:33:d3:11 * 92:f2:94:88:d8:fb:c9:53:8f:9c:52:4e:d3:66:f3:2b * 8c:3b:56:a7:4c:25:10:44:a0:62:79:4d:44:fb:9d:0e * 35:8b:92:b0:49:af:5d:a4:00:36:44:3c:e7:31:9d:f9 * * * prime1: * 00:ed:6b:29:25:c1:4f:9c:df:08:4b:c1:43:e3:e6:f3 * d6:6e:1e:2d:46:d6:eb:97:aa:c7:c9:32:5e:0a:6b:39 * ac:be:2a:49:98:f6:c3:c8:d0:08:33:5b:75:62:f7:d9 * 7e:87:d6:90:2d:9d:ce:94:be:2b:ed:8e:aa:85:29:86 * d9:bc:c0:10:2e:95:30:cc:3f:72:75:81:d1:60:f6:89 * 86:f7:42:dc:29:8f:dc:d7:15:e8:99:1a:1d:12:92:89 * 88:95:47:3e:25:c5:f4:e5:c4:82:87:32:d3:d7:a8:ce * d9:77:2c:fc:87:bb:d9:f9:e6:a4:ec:1e:c8:a9:7b:0b * 35: * * prime2: * 00:ef:4d:b5:f6:53:12:9a:4e:3c:3f:56:ff:25:86:44 * 0e:b1:b7:81:c4:0e:31:40:90:e7:91:d7:e7:80:8e:8a * cc:99:1a:1b:0b:5d:9b:9b:00:81:fa:36:95:02:6a:44 * 16:6e:67:64:db:ba:35:9b:5b:1c:e7:96:ac:2a:e3:c8 * 7a:a9:de:1d:e4:75:54:cf:73:c9:76:92:2f:03:8b:ef * a4:dc:5c:4d:54:2a:cc:f6:c3:cd:a7:0e:84:ce:33:96 * 9b:99:68:e5:a9:cf:80:5b:df:2b:5a:a4:02:b2:d5:65 * a7:b8:d0:33:c8:23:ed:89:d1:44:7b:d1:94:99:9f:3c * ef: * * coefficient: * 5c:ba:5a:d7:98:43:ab:ac:a0:d2:9c:1f:ab:3d:5e:a0 * 54:c9:6e:54:19:9b:ff:9c:dc:05:75:93:97:3a:88:e9 * bb:1f:79:05:03:79:9b:b7:ac:07:71:bf:b0:a7:12:fc * 22:6c:38:04:40:2f:b9:0d:2d:0a:f3:b8:2e:88:3e:ab * d8:ee:30:5c:fb:dc:59:0e:d9:9f:96:cd:4a:4a:12:88 * aa:c9:f0:03:e2:01:df:5d:0e:ec:e6:ac:0b:f1:81:b8 * 85:9b:f7:69:b6:c8:e4:54:d8:02:5b:58:b4:c2:45:02 * b7:65:d4:5c:dc:aa:b6:47:6e:dd:1f:72:46:6c:27:22 * * * exp1: * 41:78:03:68:bd:dd:ce:4c:52:65:51:6d:ff:32:78:9a * f0:d2:b1:79:8f:5a:78:00:48:07:5b:34:43:7b:3d:f4 * 3c:9c:3c:9f:49:ac:c3:7b:5a:47:8f:38:d7:89:b1:18 * 0b:2d:47:a4:cc:97:62:bc:ee:30:1b:df:39:c9:31:be * 69:26:2d:50:2b:23:c1:ae:dd:49:39:fb:1a:d9:e1:22 * ae:9c:69:49:ac:ba:21:35:91:66:66:a5:0d:b2:0a:ea * f6:ff:26:4c:14:42:6b:f9:bc:64:bb:c7:5e:f8:d5:d1 * 71:e3:9d:df:70:15:b3:ab:be:5e:be:3e:67:3d:de:e1 * * * exp2: * 63:00:4a:5c:5a:e7:e2:50:a5:9a:2a:ba:a9:e2:8f:3b * 69:08:9b:35:ea:0d:34:41:fe:9b:96:af:de:be:99:eb * a5:17:68:c2:dd:fa:27:39:21:8c:cb:92:00:0a:c8:9a * 63:18:81:60:69:fc:0d:86:b7:41:94:53:2b:f7:4a:94 * 7c:bc:38:af:b0:5e:e2:e8:6b:1b:93:c4:c1:79:de:2d * dd:40:8e:79:58:af:ad:13:3a:7c:77:84:37:ee:9d:cb * 47:bf:5e:ec:4e:bd:32:c4:f4:21:ae:a2:b3:2b:97:bf * b8:b4:e2:07:55:dd:ca:db:79:b2:a3:f5:0f:4d:12:9f */ mpz_set_str(pub->n, "00ddef1d66d5f0b3" "569bda2a59c796e6" "7ac9c8136189daf1" "5a016561acfb531a" "094941ddfddb6e68" "c43a8a6146c3ea8b" "345fe1f660919b09" "ae8e8cadfa99ef2a" "b57d32adcc2d4f3f" "df2142b7ce6eabca" "eba493978f55c48f" "19deddea0a83103c" "8c5ff5ce017f323d" "d6f882f22d3f8f20" "6a0268a98b0d1299" "9367f91c23ae5f0d" "dfec2b5d78c814ac" "6be92af7aa3ecda1" "c8c83e112450eb68" "344c0cc12abe1395" "eea073dd09f2385c" "58a7dc603090c9a4" "1b19ed515c155154" "cd8a921076d41988" "f893ff8d08a2460f" "59afc13d4e24b5e5" "8a8e441085748d06" "6472b2f7c56c7509" "fabc9d735d14c5a6" "81f52e8a2da9aac1" "43b907cf77907a28" "c5415351d1b36ae2" "7b", 16); mpz_set_str(pub->e, "010001", 16); ASSERT (rsa_public_key_prepare(pub)); /* d is not used */ #if 0 mpz_set_str(key->d, "732e6f66f8afd493" "a58d639f76cba550" "a2bab8fc4d4c9928" "2a43509f334c9cdd" "a6ec8d66fbe46071" "3f24a479d2a23e9e" "ef085a13225e8176" "dbbabd6cab498a33" "e9074d560349f70f" "39b6e3a83a9de451" "c9f763985b5e091a" "d724fb1b7b8c08b0" "9df8f772a56e10d4" "29e3e40681cf2976" "7b4b907a7f4d60f1" "34ebffa3b112da22" "9e87c0772238034b" "80ab0c8a0714c3c0" "089e2c139f74f419" "86516167b0cebc7b" "8f81188e3c8ee7e5" "d4e9ed49b80b21b1" "2a820f7b4d8de4f7" "bc8a6cc9208c4bba" "1e67439e58a4e420" "c64b22059d33d311" "92f29488d8fbc953" "8f9c524ed366f32b" "8c3b56a74c251044" "a062794d44fb9d0e" "358b92b049af5da4" "0036443ce7319df9" , 16); #endif mpz_set_str(key->p, "00ed6b2925c14f9c" "df084bc143e3e6f3" "d66e1e2d46d6eb97" "aac7c9325e0a6b39" "acbe2a4998f6c3c8" "d008335b7562f7d9" "7e87d6902d9dce94" "be2bed8eaa852986" "d9bcc0102e9530cc" "3f727581d160f689" "86f742dc298fdcd7" "15e8991a1d129289" "8895473e25c5f4e5" "c4828732d3d7a8ce" "d9772cfc87bbd9f9" "e6a4ec1ec8a97b0b" "35", 16); mpz_set_str(key->q, "00ef4db5f653129a" "4e3c3f56ff258644" "0eb1b781c40e3140" "90e791d7e7808e8a" "cc991a1b0b5d9b9b" "0081fa3695026a44" "166e6764dbba359b" "5b1ce796ac2ae3c8" "7aa9de1de47554cf" "73c976922f038bef" "a4dc5c4d542accf6" "c3cda70e84ce3396" "9b9968e5a9cf805b" "df2b5aa402b2d565" "a7b8d033c823ed89" "d1447bd194999f3c" "ef", 16); mpz_set_str(key->a, "41780368bdddce4c" "5265516dff32789a" "f0d2b1798f5a7800" "48075b34437b3df4" "3c9c3c9f49acc37b" "5a478f38d789b118" "0b2d47a4cc9762bc" "ee301bdf39c931be" "69262d502b23c1ae" "dd4939fb1ad9e122" "ae9c6949acba2135" "916666a50db20aea" "f6ff264c14426bf9" "bc64bbc75ef8d5d1" "71e39ddf7015b3ab" "be5ebe3e673ddee1", 16); mpz_set_str(key->b, "63004a5c5ae7e250" "a59a2abaa9e28f3b" "69089b35ea0d3441" "fe9b96afdebe99eb" "a51768c2ddfa2739" "218ccb92000ac89a" "6318816069fc0d86" "b74194532bf74a94" "7cbc38afb05ee2e8" "6b1b93c4c179de2d" "dd408e7958afad13" "3a7c778437ee9dcb" "47bf5eec4ebd32c4" "f421aea2b32b97bf" "b8b4e20755ddcadb" "79b2a3f50f4d129f", 16); mpz_set_str(key->c, "5cba5ad79843abac" "a0d29c1fab3d5ea0" "54c96e54199bff9c" "dc057593973a88e9" "bb1f790503799bb7" "ac0771bfb0a712fc" "226c3804402fb90d" "2d0af3b82e883eab" "d8ee305cfbdc590e" "d99f96cd4a4a1288" "aac9f003e201df5d" "0eece6ac0bf181b8" "859bf769b6c8e454" "d8025b58b4c24502" "b765d45cdcaab647" "6edd1f72466c2722", 16); ASSERT (rsa_private_key_prepare(key)); ASSERT (pub->size == key->size); } void test_rsa_md5(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct md5_ctx md5; struct knuth_lfib_ctx rstate; uint8_t digest[MD5_DIGEST_SIZE]; mpz_t signature; md5_init(&md5); mpz_init(signature); knuth_lfib_init (&rstate, 15); SIGN(md5, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, md5, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, md5, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, md5, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha1(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha1_ctx sha1; struct knuth_lfib_ctx rstate; uint8_t digest[SHA1_DIGEST_SIZE]; mpz_t signature; sha1_init(&sha1); mpz_init(signature); knuth_lfib_init (&rstate, 16); SIGN(sha1, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha1, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha1, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha1, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha256(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha256_ctx sha256; struct knuth_lfib_ctx rstate; uint8_t digest[SHA256_DIGEST_SIZE]; mpz_t signature; sha256_init(&sha256); mpz_init(signature); knuth_lfib_init (&rstate, 17); SIGN(sha256, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha256, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha256, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha256, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha512(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha512_ctx sha512; struct knuth_lfib_ctx rstate; uint8_t digest[SHA512_DIGEST_SIZE]; mpz_t signature; sha512_init(&sha512); mpz_init(signature); knuth_lfib_init (&rstate, 18); SIGN(sha512, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha512, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha512, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha512, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } #undef SIGN #undef VERIFY void test_rsa_key(struct rsa_public_key *pub, struct rsa_private_key *key) { mpz_t tmp; mpz_t phi; mpz_init(tmp); mpz_init(phi); if (verbose) { fprintf(stderr, "Public key: n="); mpz_out_str(stderr, 16, pub->n); fprintf(stderr, "\n e="); mpz_out_str(stderr, 16, pub->e); fprintf(stderr, "\n\nPrivate key: d="); mpz_out_str(stderr, 16, key->d); fprintf(stderr, "\n p="); mpz_out_str(stderr, 16, key->p); fprintf(stderr, "\n q="); mpz_out_str(stderr, 16, key->q); fprintf(stderr, "\n a="); mpz_out_str(stderr, 16, key->a); fprintf(stderr, "\n b="); mpz_out_str(stderr, 16, key->b); fprintf(stderr, "\n c="); mpz_out_str(stderr, 16, key->c); fprintf(stderr, "\n\n"); } /* Check n = p q */ mpz_mul(tmp, key->p, key->q); ASSERT (mpz_cmp(tmp, pub->n)== 0); /* Check c q = 1 mod p */ mpz_mul(tmp, key->c, key->q); mpz_fdiv_r(tmp, tmp, key->p); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check ed = 1 (mod phi) */ mpz_sub_ui(phi, key->p, 1); mpz_sub_ui(tmp, key->q, 1); mpz_mul(phi, phi, tmp); mpz_mul(tmp, pub->e, key->d); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check a e = 1 (mod (p-1) ) */ mpz_sub_ui(phi, key->p, 1); mpz_mul(tmp, pub->e, key->a); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check b e = 1 (mod (q-1) ) */ mpz_sub_ui(phi, key->q, 1); mpz_mul(tmp, pub->e, key->b); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); mpz_clear(tmp); mpz_clear(phi); } /* Requires that the context is named like the hash algorithm. */ #define DSA_VERIFY(params, key, hash, buf, msg, signature) \ (hash##_update(&hash, LDATA(msg)), \ hash##_digest(&hash, buf), \ dsa_verify(params, key, sizeof(buf), buf, signature)) void test_dsa160(const struct dsa_params *params, const mpz_t pub, const mpz_t key, const struct dsa_signature *expected) { struct sha1_ctx sha1; struct dsa_signature signature; struct knuth_lfib_ctx lfib; uint8_t digest[SHA1_DIGEST_SIZE]; sha1_init(&sha1); dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); sha1_update(&sha1, LDATA("The magic words are squeamish ossifrage")); sha1_digest(&sha1, digest); ASSERT (dsa_sign(params, key, &lfib, (nettle_random_func *) knuth_lfib_random, sizeof(digest), digest, &signature)); if (verbose) { fprintf(stderr, "dsa160 signature: "); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try bad data */ ASSERT (!DSA_VERIFY(params, pub, sha1, digest, "The magick words are squeamish ossifrage", &signature)); /* Try correct data */ ASSERT (DSA_VERIFY(params, pub, sha1, digest, "The magic words are squeamish ossifrage", &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!DSA_VERIFY(params, pub, sha1, digest, "The magic words are squeamish ossifrage", &signature)); dsa_signature_clear(&signature); } void test_dsa256(const struct dsa_params *params, const mpz_t pub, const mpz_t key, const struct dsa_signature *expected) { struct sha256_ctx sha256; struct dsa_signature signature; struct knuth_lfib_ctx lfib; uint8_t digest[SHA256_DIGEST_SIZE]; sha256_init(&sha256); dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); sha256_update(&sha256, LDATA("The magic words are squeamish ossifrage")); sha256_digest(&sha256, digest); ASSERT (dsa_sign(params, key, &lfib, (nettle_random_func *) knuth_lfib_random, sizeof(digest), digest, &signature)); if (verbose) { fprintf(stderr, "dsa256 signature: "); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try bad data */ ASSERT (!DSA_VERIFY(params, pub, sha256, digest, "The magick words are squeamish ossifrage", &signature)); /* Try correct data */ ASSERT (DSA_VERIFY(params, pub, sha256, digest, "The magic words are squeamish ossifrage", &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!DSA_VERIFY(params, pub, sha256, digest, "The magic words are squeamish ossifrage", &signature)); dsa_signature_clear(&signature); } #if 0 void test_dsa_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct nettle_hash *hash, const struct dsa_signature *expected) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); uint8_t *bad_digest = xalloc (hash->digest_size); struct dsa_signature signature; struct knuth_lfib_ctx lfib; dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); hash->init(ctx); hash->update(ctx, LDATA("The magic words are squeamish ossifrage")); hash->digest(ctx, hash->digest_size, digest); ASSERT (dsa_sign(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, hash->digest_size, digest, &signature)); if (verbose) { fprintf(stderr, "dsa-%s signature: ", hash->name); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try correct data */ ASSERT (dsa_verify(pub, hash->digest_size, digest, &signature)); /* Try bad data */ hash->update(ctx, LDATA("The magick words are squeamish ossifrage")); hash->digest(ctx, hash->digest_size, bad_digest); ASSERT (!dsa_verify(pub, hash->digest_size, bad_digest, &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!dsa_verify(pub, hash->digest_size, digest, &signature)); free (ctx); free (digest); free (bad_digest); dsa_signature_clear(&signature); } #endif void test_dsa_verify(const struct dsa_params *params, const mpz_t pub, const struct nettle_hash *hash, struct tstring *msg, const struct dsa_signature *ref) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); struct dsa_signature signature; dsa_signature_init (&signature); hash->init(ctx); hash->update (ctx, msg->length, msg->data); hash->digest (ctx, digest); mpz_set (signature.r, ref->r); mpz_set (signature.s, ref->s); ASSERT (dsa_verify (params, pub, hash->digest_size, digest, &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!dsa_verify (params, pub, hash->digest_size, digest, &signature)); /* Try bad data */ digest[hash->digest_size / 2-1] ^= 8; ASSERT (!dsa_verify (params, pub, hash->digest_size, digest, ref)); free (ctx); free (digest); dsa_signature_clear(&signature); } void test_dsa_key(const struct dsa_params *params, const mpz_t pub, const mpz_t key, unsigned q_size) { mpz_t t; mpz_init(t); ASSERT(mpz_sizeinbase(params->q, 2) == q_size); ASSERT(mpz_sizeinbase(params->p, 2) >= DSA_SHA1_MIN_P_BITS); ASSERT(mpz_probab_prime_p(params->p, 10)); ASSERT(mpz_probab_prime_p(params->q, 10)); mpz_fdiv_r(t, params->p, params->q); ASSERT(0 == mpz_cmp_ui(t, 1)); ASSERT(mpz_cmp_ui(params->g, 1) > 0); mpz_powm(t, params->g, params->q, params->p); ASSERT(0 == mpz_cmp_ui(t, 1)); mpz_powm(t, params->g, key, params->p); ASSERT(0 == mpz_cmp(t, pub)); mpz_clear(t); } const struct ecc_curve * const ecc_curves[] = { &_nettle_secp_192r1, &_nettle_secp_224r1, &_nettle_secp_256r1, &_nettle_secp_384r1, &_nettle_secp_521r1, &_nettle_curve25519, &_nettle_curve448, &_nettle_gost_gc256b, &_nettle_gost_gc512a, NULL }; int test_ecc_point_valid_p (struct ecc_point *pub) { mpz_t t, x, y; mpz_t lhs, rhs; int res; mp_size_t size; size = pub->ecc->p.size; /* First check range */ if (mpn_cmp (pub->p, pub->ecc->p.m, size) >= 0 || mpn_cmp (pub->p + size, pub->ecc->p.m, size) >= 0) return 0; mpz_init (lhs); mpz_init (rhs); mpz_roinit_n (x, pub->p, size); mpz_roinit_n (y, pub->p + size, size); mpz_mul (lhs, y, y); if (pub->ecc->p.bit_size == 255) { /* Check that 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ mpz_t x2; mpz_init (x2); mpz_mul (x2, x, x); /* x^2 */ mpz_mul (rhs, x2, lhs); /* x^2 y^2 */ mpz_sub (lhs, x2, lhs); /* x^2 - y^2 */ mpz_add_ui (lhs, lhs, 1); /* 1 + x^2 - y^2 */ mpz_mul_ui (lhs, lhs, 121666); mpz_mul_ui (rhs, rhs, 121665); mpz_clear (x2); } else if (pub->ecc->p.bit_size == 448) { /* Check that x^2 + y^2 = 1 - 39081 x^2 y^2 */ mpz_t x2, d; mpz_init (x2); mpz_init_set_ui (d, 39081); mpz_mul (x2, x, x); /* x^2 */ mpz_mul (d, d, x2); /* 39081 x^2 */ mpz_set_ui (rhs, 1); mpz_submul (rhs, d, lhs); /* 1 - 39081 x^2 y^2 */ mpz_add (lhs, x2, lhs); /* x^2 + y^2 */ mpz_clear (d); mpz_clear (x2); } else { /* Check y^2 = x^3 - 3 x + b */ mpz_mul (rhs, x, x); mpz_sub_ui (rhs, rhs, 3); mpz_mul (rhs, rhs, x); mpz_add (rhs, rhs, mpz_roinit_n (t, pub->ecc->b, size)); } res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, pub->ecc->p.m, size)); mpz_clear (lhs); mpz_clear (rhs); return res; } static int test_mpn (const char *ref, const mp_limb_t *xp, mp_size_t n) { mpz_t r, x; int res; mpz_init_set_str (r, ref, 16); res = (mpz_cmp (r, mpz_roinit_n (x, xp, n)) == 0); mpz_clear (r); return res; } void write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n) { mpz_t t; mpz_out_str (f, base, mpz_roinit_n (t,xp, n)); } void test_ecc_point (const struct ecc_curve *ecc, const struct ecc_ref_point *ref, const mp_limb_t *p) { if (! (test_mpn (ref->x, p, ecc->p.size) && test_mpn (ref->y, p + ecc->p.size, ecc->p.size) )) { fprintf (stderr, "Incorrect point, curve bits %d!\n" "got: x = ", ecc->p.bit_size); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); fprintf (stderr, "\n" "ref: x = %s\n" " y = %s\n", ref->x, ref->y); abort(); } } /* For each curve, the points g, 2 g, 3 g and 4 g */ static const struct ecc_ref_point ecc_ref[9][4] = { { { "188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd573f977a11e794811" }, { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" }, { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd" }, { "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32" } }, { { "b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", "bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34" }, { "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb" }, { "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925" }, { "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9" }, }, { { "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" }, { "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1" }, { "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032" }, { "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6" }, }, { { "aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" "5502f25dbf55296c3a545e3872760ab7", "3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" "0a60b1ce1d7e819d7a431d7c90ea0e5f" }, { "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e" "4fe0e86ebe0e64f85b96a9c75295df61", "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab425" "5ffd43e94d39e22d61501e700a940e80" }, { "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6" "b408bbae5026580d02d7e5c70500c831", "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eac" "c24abd6be4b5d298b65f28600a2f1df1" }, { "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d" "1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dc" "ed7387be37bba569549f1c02b270ed67" }, }, { { "c6" "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", "118" "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" }, { "43" "3c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97" "b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "f4" "bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbb" "b3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02" }, { "1a7" "3d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1" "ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", "13e" "9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec" "2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5" }, { "35" "b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac" "8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82" "096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f2" "79f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d" }, }, { { "216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a", "6666666666666666666666666666666666666666666666666666666666666658" }, { "36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e", "2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9" }, { "67ae9c4a22928f491ff4ae743edac83a6343981981624886ac62485fd3f8e25c", "1267b1d177ee69aba126a18e60269ef79f16ec176724030402c3684878f5b4d4" }, { "203da8db56cff1468325d4b87a3520f91a739ec193ce1547493aa657c4c9f870", "47d0e827cb1595e1470eb88580d5716c4cf22832ea2f0ff0df38ab61ca32112f" }, }, { { "4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e", "693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14" }, { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa955555555555555555555555555555555555555555555555555555555", "ae05e9634ad7048db359d6205086c2b0036ed7a035884dd7b7e36d728ad8c4b80d6565833a2a3098bbbcb2bed1cda06bdaeafbcdea9386ed" }, { "865886b9108af6455bd64316cb6943332241b8b8cda82c7e2ba077a4a3fcfe8daa9cbf7f6271fd6e862b769465da8575728173286ff2f8f", "e005a8dbd5125cf706cbda7ad43aa6449a4a8d952356c3b9fce43c82ec4e1d58bb3a331bdb6767f0bffa9a68fed02dafb822ac13588ed6fc" }, { "49dcbc5c6c0cce2c1419a17226f929ea255a09cf4e0891c693fda4be70c74cc301b7bdf1515dd8ba21aee1798949e120e2ce42ac48ba7f30", "d49077e4accde527164b33a5de021b979cb7c02f0457d845c90dc3227b8a5bc1c0d8f97ea1ca9472b5d444285d0d4f5b32e236f86de51839" }, }, { { "0000000000000000000000000000000000000000000000000000000000000001", "8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14" }, { "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd95", "726e1b8e1f676325d820afa5bac0d489cad6b0d220dc1c4edd5336636160df83" }, { "8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38d2c", "76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51" }, { "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741" }, }, { { "0000000000000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000000000000000000000000003", "7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921" "df1626be4fd036e93d75e6a50e3a41e98028fe5fc235f5b889a589cb5215f2a4" }, { "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f" "4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92" "ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051" }, { "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba5" "43d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb3" "11d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6" }, { "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef25" "7452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850" "da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929" }, } }; void test_ecc_ga (unsigned curve, const mp_limb_t *p) { return test_ecc_point (ecc_curves[curve], &ecc_ref[curve][0], p); } void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) { assert (curve < 9); assert (n <= 4); if (n == 0) { /* Makes sense for curve25519 only */ const struct ecc_curve *ecc = ecc_curves[curve]; assert (ecc->p.bit_size == 255 || ecc->p.bit_size == 448); if (!mpn_zero_p (p, ecc->p.size) || mpn_cmp (p + ecc->p.size, ecc->unit, ecc->p.size) != 0) { fprintf (stderr, "Incorrect point (expected (0, 1))!\n" "got: x = "); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); fprintf (stderr, "\n"); abort(); } } else test_ecc_point (ecc_curves[curve], &ecc_ref[curve][n-1], p); } void test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p) { const struct ecc_curve *ecc = ecc_curves[curve]; mp_limb_t *np = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->h_to_a_itch); ecc->h_to_a (ecc, 0, np, p, scratch); test_ecc_mul_a (curve, n, np); free (np); free (scratch); } void test_ecc_get_g (unsigned curve, mp_limb_t *rp) { const struct ecc_curve *ecc = ecc_curves[curve]; mpz_t x; mpz_t y; mpz_init_set_str (x, ecc_ref[curve][0].x, 16); mpz_init_set_str (y, ecc_ref[curve][0].y, 16); if (ecc->use_redc) { mpz_t t; mpz_mul_2exp (x, x, ecc->p.size * GMP_NUMB_BITS); mpz_mod (x, x, mpz_roinit_n (t, ecc->p.m, ecc->p.size)); mpz_mul_2exp (y, y, ecc->p.size * GMP_NUMB_BITS); mpz_mod (y, y, mpz_roinit_n (t, ecc->p.m, ecc->p.size)); } mpz_limbs_copy (rp, x, ecc->p.size); mpz_limbs_copy (rp + ecc->p.size, y, ecc->p.size); mpn_copyi (rp + 2*ecc->p.size, ecc->unit, ecc->p.size); mpz_clear (x); mpz_clear (y); } void test_ecc_get_ga (unsigned curve, mp_limb_t *rp) { const struct ecc_curve *ecc = ecc_curves[curve]; mpz_t x; mpz_t y; mpz_init_set_str (x, ecc_ref[curve][0].x, 16); mpz_init_set_str (y, ecc_ref[curve][0].y, 16); mpz_limbs_copy (rp, x, ecc->p.size); mpz_limbs_copy (rp + ecc->p.size, y, ecc->p.size); mpz_clear (x); mpz_clear (y); } #else /* !WITH_HOGWEED */ /* Make sure either gmp or mini-gmp is available for tests. */ #include "mini-gmp.c" #endif /* !WITH_HOGWEED */ nettle-4.0/testsuite/testutils.h0000644000000000000000000002076315141166425014055 0ustar00#ifndef NETTLE_TESTUTILS_H_INCLUDED #define NETTLE_TESTUTILS_H_INCLUDED /* config.h should usually be first in each .c file. This is an exception, include it here to reduce clutter in the test cases. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-types.h" #include "version.h" #if WITH_HOGWEED # include "rsa.h" # include "ecc-curve.h" # include "ecc.h" # include "ecc-internal.h" # include "ecdsa.h" # include "gmp-glue.h" # if NETTLE_USE_MINI_GMP # include "knuth-lfib.h" # endif #else /* !WITH_HOGWEED */ /* Make sure either gmp or mini-gmp is available for tests. */ #include "mini-gmp.h" #endif /* !WITH_HOGWEED */ #include "nettle-meta.h" #ifdef __cplusplus extern "C" { #endif void die(const char *format, ...) PRINTF_STYLE (1, 2) NORETURN; void * xalloc(size_t size); struct tstring { struct tstring *next; size_t length; uint8_t data[]; }; struct tstring * tstring_alloc (size_t length); void tstring_clear(void); struct tstring * tstring_data(size_t length, const uint8_t *data); struct tstring * tstring_hex(const char *hex); void tstring_print_hex(const struct tstring *s); /* Decodes a NUL-terminated hex string. */ void print_hex(size_t length, const uint8_t *data); FILE * open_srcdir_file (const char *name); /* If side-channel tests are requested, attach valgrind annotations on given memory area. */ void mark_bytes_undefined (size_t size, const void *p); void mark_bytes_defined (size_t size, const void *p); /* The main program */ void test_main(void); extern int verbose; extern int test_side_channel; typedef void nettle_encrypt_message_func(void *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); typedef int nettle_decrypt_message_func(void *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); struct nettle_aead_message { const char *name; unsigned context_size; unsigned key_size; unsigned digest_size; int supports_inplace; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_encrypt_message_func *encrypt; nettle_decrypt_message_func *decrypt; }; struct nettle_xof { const char *name; unsigned context_size; unsigned block_size; nettle_hash_init_func *init; nettle_hash_update_func *update; nettle_output_func *digest; nettle_output_func *output; }; void test_cipher(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext); void test_cipher_cbc(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_cfb8(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_stream(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext); void test_aead(const struct nettle_aead *aead, nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *nonce, const struct tstring *digest); void test_aead_message(const struct nettle_aead_message *aead, const struct tstring *key, const struct tstring *adata, const struct tstring *nonce, const struct tstring *clear, const struct tstring *cipher); void test_hash(const struct nettle_hash *hash, const struct tstring *msg, const struct tstring *digest); void test_hash_large(const struct nettle_hash *hash, size_t count, size_t length, uint8_t c, const struct tstring *digest); void test_xof (const struct nettle_xof *xof, const struct tstring *msg, const struct tstring *digest); void test_mac(const struct nettle_mac *mac, nettle_hash_update_func *set_key, const struct tstring *key, const struct tstring *msg, const struct tstring *digest); #if WITH_HOGWEED #if NETTLE_USE_MINI_GMP typedef struct knuth_lfib_ctx gmp_randstate_t[1]; void gmp_randinit_default (struct knuth_lfib_ctx *ctx); #define gmp_randclear(state) void mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits); void mpz_urandomm (mpz_t r, struct knuth_lfib_ctx *ctx, const mpz_t n); /* This is cheating */ #define mpz_rrandomb mpz_urandomb #define mpz_rrandomm mpz_urandomm static inline int test_randomize (gmp_randstate_t rands UNUSED) { return 0; } #else /* !NETTLE_USE_MINI_GMP */ int test_randomize (gmp_randstate_t rands); #endif /* !NETTLE_USE_MINI_GMP */ void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn); mp_limb_t * xalloc_limbs (mp_size_t n); void write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n); void test_rsa_set_key_1(struct rsa_public_key *pub, struct rsa_private_key *key); void test_rsa_set_key_2(struct rsa_public_key *pub, struct rsa_private_key *key); void test_rsa_md5(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha1(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha256(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha512(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_key(struct rsa_public_key *pub, struct rsa_private_key *key); void test_dsa160(const struct dsa_params *params, const mpz_t pub, const mpz_t key, const struct dsa_signature *expected); void test_dsa256(const struct dsa_params *params, const mpz_t pub, const mpz_t key, const struct dsa_signature *expected); #if 0 void test_dsa_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct nettle_hash *hash, const struct dsa_signature *expected); #endif void test_dsa_verify(const struct dsa_params *params, const mpz_t pub, const struct nettle_hash *hash, struct tstring *msg, const struct dsa_signature *ref); void test_dsa_key(const struct dsa_params *params, const mpz_t pub, const mpz_t key, unsigned q_size); extern const struct ecc_curve * const ecc_curves[]; /* Check that given point satisfyes curve equation. */ int test_ecc_point_valid_p (struct ecc_point *pub); struct ecc_ref_point { const char *x; const char *y; }; void test_ecc_point (const struct ecc_curve *ecc, const struct ecc_ref_point *ref, const mp_limb_t *p); void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p); void test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p); /* Checks that p == g (affine coordinates) */ void test_ecc_ga (unsigned curve, const mp_limb_t *p); /* Gets the curve generator, with coordinates in redc form, if appropriate, and with an appended z = 1 coordinate. */ void test_ecc_get_g (unsigned curve, mp_limb_t *rp); /* Variant with only two coordinates, and no redc. */ void test_ecc_get_ga (unsigned curve, mp_limb_t *rp); #endif /* WITH_HOGWEED */ /* String literal of type unsigned char. The GNUC version is safer. */ #if __GNUC__ #define US(s) ({ static const unsigned char us_s[] = s; us_s; }) #else #define US(s) ((const uint8_t *) (s)) #endif /* LDATA needs to handle NUL characters. */ #define LLENGTH(x) (sizeof(x) - 1) #define LDATA(x) LLENGTH(x), US(x) #define LDUP(x) strlen(x), strdup(x) #define SHEX(x) (tstring_hex(x)) #define SDATA(x) ((const struct tstring *)tstring_data(LLENGTH(x), US(x))) #define H(x) (SHEX(x)->data) #define MEMEQ(length, a, b) (!memcmp((a), (b), (length))) #define FAIL() abort() #define SKIP() exit(77) #define ASSERT(x) do { \ if (!(x)) \ { \ fprintf(stderr, "Assert failed: %s:%d: %s\n", \ __FILE__, __LINE__, #x); \ FAIL(); \ } \ } while(0) #ifdef __cplusplus } #endif #endif /* NETTLE_TESTUTILS_H_INCLUDED */ nettle-4.0/testsuite/twofish-test.c0000644000000000000000000000136015141166425014440 0ustar00#include "testutils.h" #include "twofish.h" void test_main(void) { /* 128 bit key */ test_cipher(&nettle_twofish128, SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000 0000000000000000"), SHEX("9F589F5CF6122C32 B6BFEC2F2AE8C35A")); /* 192 bit key */ test_cipher(&nettle_twofish192, SHEX("0123456789ABCDEF FEDCBA9876543210" "0011223344556677"), SHEX("0000000000000000 0000000000000000"), SHEX("CFD1D2E5A9BE9CDF 501F13B892BD2248")); /* 256 bit key */ test_cipher(&nettle_twofish256, SHEX("0123456789ABCDEF FEDCBA9876543210" "0011223344556677 8899AABBCCDDEEFF"), SHEX("0000000000000000 0000000000000000"), SHEX("37527BE0052334B8 9F0CFCCAE87CFA20")); } nettle-4.0/testsuite/umac-test.c0000644000000000000000000003750415141166425013713 0ustar00#include "testutils.h" #include "umac.h" /* FIXME: Missing tests: Getting to unlikely cases in the poly64 and poly128 operations. */ static void update (void *ctx, nettle_hash_update_func *f, const struct tstring *msg, size_t length) { for (; length > msg->length; length -= msg->length) f(ctx, msg->length, msg->data); f(ctx, length, msg->data); } static void check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, const struct tstring *msg, size_t length, size_t tag_length, const uint8_t *ref) { uint8_t tag[16]; f(ctx, tag); if (memcmp (tag, ref, tag_length) != 0) { printf ("%s failed\n", name); printf ("msg: "); print_hex (msg->length, msg->data); printf ("length: %lu\n", (unsigned long) length); printf ("tag: "); print_hex (tag_length, tag); printf ("ref: "); print_hex (tag_length, ref); abort (); } } static void test_umac (const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, size_t length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; ASSERT (key->length == UMAC_KEY_SIZE); ASSERT (ref32->length == 4); ASSERT (ref64->length == 8); ASSERT (ref128->length == 16); umac32_set_key (&ctx32, key->data); umac32_set_nonce (&ctx32, nonce->length, nonce->data); update(&ctx32, (nettle_hash_update_func *) umac32_update, msg, length); check_digest ("umac32", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, length, 4, ref32->data); umac64_set_key (&ctx64, key->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); update(&ctx64, (nettle_hash_update_func *) umac64_update, msg, length); check_digest ("umac64", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, length, 8, ref64->data); umac96_set_key (&ctx96, key->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); update(&ctx96, (nettle_hash_update_func *) umac96_update, msg, length); check_digest ("umac96", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, length, 12, ref128->data); umac128_set_key (&ctx128, key->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); update(&ctx128, (nettle_hash_update_func *) umac128_update, msg, length); check_digest ("umac128", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, length, 16, ref128->data); } static void test_align(const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, size_t length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { uint8_t *buffer = xalloc(length + 16); unsigned offset; for (offset = 0; offset < 16; offset++) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; uint8_t *input; size_t i; memset(buffer, 17, length + 16); input = buffer + offset; for (i = 0; i + msg->length < length; i += msg->length) memcpy (input + i, msg->data, msg->length); memcpy (input + i, msg->data, length - i); umac32_set_key (&ctx32, key->data); umac32_set_nonce (&ctx32, nonce->length, nonce->data); umac32_update(&ctx32, length, input); check_digest ("umac32 (alignment)", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, length, 4, ref32->data); umac64_set_key (&ctx64, key->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); umac64_update(&ctx64, length, input); check_digest ("umac64 (alignment)", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, length, 8, ref64->data); umac96_set_key (&ctx96, key->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); umac96_update(&ctx96, length, input); check_digest ("umac96 (alignment)", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, length, 12, ref128->data); umac128_set_key (&ctx128, key->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); umac128_update(&ctx128, length, input); check_digest ("umac128 (alignment)", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, length, 16, ref128->data); } free (buffer); } static void test_incr (const struct tstring *key, const struct tstring *nonce, unsigned count, const struct tstring *msg, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; unsigned i; ASSERT (key->length == UMAC_KEY_SIZE); ASSERT (ref32->length == 4 * count); ASSERT (ref64->length == 8 * count); ASSERT (ref128->length == 16 * count); umac32_set_key (&ctx32, key->data); umac64_set_key (&ctx64, key->data); umac96_set_key (&ctx96, key->data); umac128_set_key (&ctx128, key->data); if (nonce) { umac32_set_nonce (&ctx32, nonce->length, nonce->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); } for (i = 0; i < count; i++) { umac32_update (&ctx32, msg->length, msg->data); check_digest ("umac32 incr", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, i, 4, ref32->data + 4*i); umac64_update (&ctx64, msg->length, msg->data); check_digest ("umac64 incr", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, i, 8, ref64->data + 8*i); umac96_update (&ctx96, msg->length, msg->data); check_digest ("umac96 incr", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, i, 12, ref128->data + 16*i); umac128_update (&ctx128, msg->length, msg->data); check_digest ("umac128 incr", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, i, 16, ref128->data + 16*i); } } void test_main(void) { /* From RFC 4418 (except that it lacks the last 32 bits of 128-bit tags) */ test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA(""), 0, SHEX("113145FB"), SHEX("6E155FAD26900BE1"), SHEX("32fedb100c79ad58f07ff7643cc60465")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("a"), 3, SHEX("3B91D102"), SHEX("44B5CB542F220104"), SHEX("185e4fe905cba7bd85e4c2dc3d117d8d")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("a"), 1<<10, SHEX("599B350B"), SHEX("26BF2F5D60118BD9"), SHEX("7a54abe04af82d60fb298c3cbd195bcb")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("aaaaaaaa"), 1<<15, SHEX("58DCF532"), SHEX("27F8EF643B0D118D"), SHEX("7b136bd911e4b734286ef2be501f2c3c")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("aaaaaaaa"), 1<<20, SHEX("DB6364D1"), SHEX("A4477E87E9F55853"), SHEX("f8acfa3ac31cfeea047f7b115b03bef5")); /* Needs POLY128 */ /* For the 'a' * 2^25 testcase, see errata http://fastcrypto.org/umac/rfc4418.errata.txt */ test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("aaaaaaaa"), 1<<25, SHEX("85EE5CAE"), SHEX("FACA46F856E9B45F"), SHEX("a621c2457c0012e64f3fdae9e7e1870c")); test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("abc"), 3, SHEX("ABF3A3A0"), SHEX("D4D7B9F6BD4FBFCF"), SHEX("883c3d4b97a61976ffcf232308cba5a5")); test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("abc"), 1500, SHEX("ABEB3C8B"), SHEX("D4CF26DDEFD5C01A"), SHEX("8824a260c53c66a36c9260a62cb83aa1")); test_incr (SDATA("abcdefghijklmnop"), NULL, 6, SDATA("zero"), SHEX("a0e94011 8c6fea51 6d897143 db1b28c5 a75e23b7 44ea26be"), SHEX("a0e940111c9c2cd5 6d8971434be8ee41 c9c9aef87e2be502" "a0a112b593656107 a75e23b7d419e03a 950526f26a8cc07a"), SHEX("a0e940111c9c2cd5fa59090e3ac2061f" "cbbf18b799fd0f4afb9216e52a89f247" "c9c9aef87e2be50237716af8e24f8959" "d6e96ef461f54d1c85aa66cbd76ca336" "a75e23b7d419e03a02d55ebf1ba62824" "2e63031d182a59b84f148d9a91de70a3")); test_incr (SDATA("abcdefghijklmnop"), SDATA("a"), 5, SDATA("nonce-a"), SHEX("81b4ac24 b7e8aad0 f70246fe 0595f0bf a8e9fe85"), SHEX("b7e8aad0da6e7f99 138814c6a03bdadf fb77dd1cd4c7074f" "0595f0bf8585c7e2 817c0b7757cb60f7"), SHEX("d7604bffb5e368da5fe564da0068d2cc" "138814c6a03bdadff7f1666e1bd881aa" "86a016d9e67957c8ab5ebb78a673e4e9" "0595f0bf8585c7e28dfab00598d4e612" "3266ec16a9d85b4f0dc74ec8272238a9")); test_incr (SDATA("abcdefghijklmnop"), SHEX("beafcafe"), 5, SDATA("nonce-beaf-cafe"), SHEX("f19d9dc1 4604a56a 4ba9420e da86ff71 77facd79"), SHEX("9e878413aa079032 9cfd7af0bb107748 4ba9420e55b6ba13" "77facd797b686e24 9000c0de4f5f7236"), SHEX("9e878413aa0790329604f3b6ae980e58" "f2b2dd5dab08bb3bc5e9a83e1b4ab2e7" "4ba9420e55b6ba137d03443f6ee01734" "2721ca2e1bcda53a54ae65e0da139c0d" "9000c0de4f5f7236b81ae1a52e78a821")); /* Tests exercising various sizes of nonce and data: All nonce lengths from 1 to 16 bytes. Data sizes chosen for testing for various off-by-one errors, 0, 1, 2, 3, 4, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 2046, 2047, 2048, 2049, 2050 16777212, 16777213, 16777214, 16777215, 16777216, 16777217, 16778239, 16778240, 16778241, 16778242, 16778243, 16778244 */ test_umac (SDATA("abcdefghijklmnop"), SDATA("b"), SDATA("defdefdefdefdef"), 0, SHEX("3a58486b"), SHEX("9e38f67da91a08d9"), SHEX("9e38f67da91a08d9c980f4db4089c877")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bc"), SDATA("defdefdefdefdef"), 1, SHEX("d86b1512"), SHEX("fb0e207971b8e66a"), SHEX("ef406c2ec70d0222f59e860eabb79ed0")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcd"), SDATA("defdefdefdefdef"), 2, SHEX("1ae6e02d"), SHEX("1ae6e02d73aa9ab2"), SHEX("1ae6e02d73aa9ab2a27fb89e014dc07b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcde"), SDATA("defdefdefdefdef"), 3, SHEX("e8c1eb59"), SHEX("c81cf22342e84302"), SHEX("82626d0d575e01038e5e2cc6408216f5")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdef"), SDATA("defdefdefdefdef"), 4, SHEX("8950f0d3"), SHEX("aba003e7bd673cc3"), SHEX("aba003e7bd673cc368ba8513cecf2e7c")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefg"), SDATA("defdefdefdefdef"), 1020, SHEX("7412167c"), SHEX("f98828a161bb4ae3"), SHEX("d8b4811f747d588d7a913360960de7cf")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefgh"), SDATA("defdefdefdefdef"), 1021, SHEX("2d54936b"), SHEX("2d54936be5bff72d"), SHEX("2d54936be5bff72d2e1052361163b474")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("defdefdefdefdef"), 1022, SHEX("53ca8dd2"), SHEX("2cee9784556387b3"), SHEX("700513397f8a210a98938d3e7ac3bd88")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghij"), SDATA("defdefdefdefdef"), 1023, SHEX("26cc58df"), SHEX("24ac4284ca371f42"), SHEX("24ac4284ca371f4280f60bd274633d67")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 1024, SHEX("3cada45a"), SHEX("64c6a0fd14615a76"), SHEX("abc223116cedd2db5af365e641a97539")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijkl"), SDATA("defdefdefdefdef"), 1025, SHEX("93251e18"), SHEX("93251e18e56bbdc4"), SHEX("93251e18e56bbdc457de556f95c59931")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklm"), SDATA("defdefdefdefdef"), 1026, SHEX("24a4c3ab"), SHEX("5d98bd8dfaf16352"), SHEX("c1298672e52386753383a15ed58c0e42")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmn"), SDATA("defdefdefdefdef"), 1027, SHEX("e7e98945"), SHEX("5b0557c9fdcf661b"), SHEX("5b0557c9fdcf661b1758efc603516ebe")); /* Test varying the alignment of the buffer eventually passed to _umac_nh and _umac_nh_n. */ test_align (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 1024, SHEX("3cada45a"), SHEX("64c6a0fd14615a76"), SHEX("abc223116cedd2db5af365e641a97539")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmno"), SDATA("defdefdefdefdef"), 2046, SHEX("e12ddc9f"), SHEX("65e85d47447c2277"), SHEX("16bb5183017826ed47c9995c1e5834f3")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmnop"), SDATA("defdefdefdefdef"), 2047, SHEX("34d723a6"), SHEX("34d723a6cb1676d3"), SHEX("34d723a6cb1676d3547a5064dc5b0a37")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmnopq"), SDATA("defdefdefdefdef"), 2048, SHEX("21fd8802"), SHEX("3968d5d0af147884"), SHEX("84565620def1e3a614d274e87626f215")); test_umac (SDATA("abcdefghijklmnop"), SDATA("b"), SDATA("defdefdefdefdef"), 2049, SHEX("097e5abd"), SHEX("ad1ee4ab606061c5"), SHEX("ad1ee4ab606061c55e0d2ecfee59940a")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bc"), SDATA("defdefdefdefdef"), 2050, SHEX("a03a7fe9"), SHEX("835f4a8242100055"), SHEX("971106d5f4a5e41dce40a91704cfe1f3")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcd"), SDATA("defdefdefdefdef"), 16777212, SHEX("7ef41cf3"), SHEX("7ef41cf351960aaf"), SHEX("7ef41cf351960aaf729bb19fcee7d8c4")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcde"), SDATA("defdefdefdefdef"), 16777213, SHEX("8bf81932"), SHEX("ab250048807ff640"), SHEX("e15b9f6695c9b441de035e9b10b8ac32")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdef"), SDATA("defdefdefdefdef"), 16777214, SHEX("ddb2f0ab"), SHEX("ff42039fcfe1248e"), SHEX("ff42039fcfe1248e36c19efed14d7140")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefg"), SDATA("defdefdefdefdef"), 16777215, SHEX("e67ad507"), SHEX("6be0ebda623d76df"), SHEX("4adc426477fb64b1ce5afd76d505f048")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefgh"), SDATA("defdefdefdefdef"), 16777216, SHEX("42d8562a"), SHEX("42d8562a224a9e9a"), SHEX("42d8562a224a9e9a75c2f85d39462d07")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("defdefdefdefdef"), 16777217, SHEX("486b138d"), SHEX("374f09dbb0b84b88"), SHEX("6ba48d669a51ed3195ebc2aa562ee71b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghij"), SDATA("defdefdefdefdef"), 16778239, SHEX("850cb2c5"), SHEX("876ca89ed045777b"), SHEX("876ca89ed045777bf7efa7934e1758c2")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 16778240, SHEX("b9fc4f81"), SHEX("e1974b26fb35f2c6"), SHEX("2e93c8ca83b97a6b1a21082e2a4c540d")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijkl"), SDATA("defdefdefdefdef"), 16778241, SHEX("ffced8f2"), SHEX("ffced8f2494d85bf"), SHEX("ffced8f2494d85bf0cb39408ddfe0295")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklm"), SDATA("defdefdefdefdef"), 16778242, SHEX("1c99c5fb"), SHEX("65a5bbdda3b85368"), SHEX("f9148022bc6ab64f019e9db83704c17b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmn"), SDATA("defdefdefdefdef"), 16778243, SHEX("ec304be9"), SHEX("50dc9565fbfc4884"), SHEX(" 50dc9565fbfc48844a4be34403804605")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmno"), SDATA("defdefdefdefdef"), 16778244, SHEX("8034e26f"), SHEX("04f163b7c2d5d849"), SHEX("77a26f7387d1dcd39378a3220652cff7")); } nettle-4.0/testsuite/version-test.c0000644000000000000000000000247615141166425014453 0ustar00/* version-test.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "version.h" void test_main (void) { /* This also checks that we don't by accident link with a different version of nettle which is installed on the system. */ ASSERT (nettle_version_major () == NETTLE_VERSION_MAJOR); ASSERT (nettle_version_minor () == NETTLE_VERSION_MINOR); } nettle-4.0/testsuite/x86-ibt-test.c0000644000000000000000000000234215141166425014157 0ustar00#include "testutils.h" #if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) \ && defined(__CET__) && defined(__linux__) #include static void segfault_handler(int signo) { exit(0); } static void ibt_violation(void) { #ifdef __i386__ unsigned int reg; asm volatile("lea 1f, %0\n\t" "jmp *%0\n" "1:" : "=r" (reg)); #else unsigned long long reg; asm volatile("lea 1f(%%rip), %0\n\t" "jmp *%0\n" "1:" : "=r" (reg)); #endif } #ifdef __i386__ static unsigned int _get_ssp(void) { unsigned int ssp; asm volatile("xor %0, %0\n\trdsspd %0" : "=r" (ssp)); return ssp; } #else static unsigned long long _get_ssp(void) { unsigned long long ssp; asm volatile("xor %0, %0\n\trdsspq %0" : "=r" (ssp)); return ssp; } #endif void test_main(void) { /* NB: This test should trigger SIGSEGV on CET platforms. _get_ssp returns the address of shadow stack pointer. If the address of shadow stack pointer is 0, SHSTK is disabled and we assume that IBT is also disabled. */ if (_get_ssp() == 0) { ibt_violation(); SKIP(); } signal(SIGSEGV, segfault_handler); ibt_violation(); FAIL(); } #else void test_main(void) { SKIP(); } #endif nettle-4.0/testsuite/xts-test.c0000644000000000000000000001470115141166425013576 0ustar00#include "testutils.h" #include "aes.h" #include "xts.h" #include "nettle-internal.h" static void test_check_data(const char *operation, const uint8_t *input, const uint8_t *output, const uint8_t *expected, size_t length) { if (!MEMEQ(length, output, expected)) { fprintf(stderr, "XTS %s failed:\nInput:", operation); print_hex(length, input); fprintf(stderr, "\nOutput: "); print_hex(length, output); fprintf(stderr, "\nExpected:"); print_hex(length, expected); fprintf(stderr, "\n"); FAIL(); } } static void test_cipher_xts(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *tweak, const struct tstring *cleartext, const struct tstring *ciphertext) { void *twk_ctx = xalloc(cipher->context_size); void *ctx = xalloc(cipher->context_size); uint8_t *data, *data2; size_t length = cleartext->length; ASSERT (cleartext->length == ciphertext->length); ASSERT (key->length == cipher->key_size * 2); ASSERT (tweak->length == XTS_BLOCK_SIZE); data = xalloc(length); data2 = xalloc(length); cipher->set_encrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_encrypt_message(ctx, twk_ctx, cipher->encrypt, tweak->data, length, data, cleartext->data); test_check_data("encrypt", cleartext->data, data, ciphertext->data, length); cipher->set_decrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_decrypt_message(ctx, twk_ctx, cipher->decrypt, cipher->encrypt, tweak->data, length, data2, data); test_check_data("decrypt", data, data2, cleartext->data, length); memcpy(data, cleartext->data, length); cipher->set_encrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_encrypt_message(ctx, twk_ctx, cipher->encrypt, tweak->data, length, data, data); test_check_data("inplace encrypt", cleartext->data, data, ciphertext->data, length); cipher->set_decrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_decrypt_message(ctx, twk_ctx, cipher->decrypt, cipher->encrypt, tweak->data, length, data, data); test_check_data("inplace decrypt", data, data, cleartext->data, length); /* make sure AES128 specific functions also works the same */ if (cipher == &nettle_aes128) { struct xts_aes128_key xts_key; xts_aes128_set_encrypt_key(&xts_key, key->data); xts_aes128_encrypt_message(&xts_key, tweak->data, length, data, cleartext->data); test_check_data("encrypt", cleartext->data, data, ciphertext->data, length); xts_aes128_set_decrypt_key(&xts_key, key->data); xts_aes128_decrypt_message(&xts_key, tweak->data, length, data, ciphertext->data); test_check_data("decrypt", ciphertext->data, data, cleartext->data, length); } /* make sure AES256 specific functions also works the same */ if (cipher == &nettle_aes256) { struct xts_aes256_key xts_key; xts_aes256_set_encrypt_key(&xts_key, key->data); xts_aes256_encrypt_message(&xts_key, tweak->data, length, data, cleartext->data); test_check_data("encrypt", cleartext->data, data, ciphertext->data, length); xts_aes256_set_decrypt_key(&xts_key, key->data); xts_aes256_decrypt_message(&xts_key, tweak->data, length, data, ciphertext->data); test_check_data("decrypt", ciphertext->data, data, cleartext->data, length); } free(twk_ctx); free(ctx); free(data); free(data2); } void test_main(void) { /* From NIST CAVS 11.0, * * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/aes/XTSTestVectors.zip * * Selection of testing vectors from the above CAVS set */ /* AES-128 single block - exact block size multiple */ test_cipher_xts(&nettle_aes128, SHEX("a1b90cba3f06ac353b2c343876081762" "090923026e91771815f29dab01932f2f"), SHEX("4faef7117cda59c66e4b92013e768ad5"), SHEX("ebabce95b14d3c8d6fb350390790311c"), SHEX("778ae8b43cb98d5a825081d5be471c63")); /* AES-128 two blocks - exact block size multiple */ test_cipher_xts(&nettle_aes128, SHEX("750372c3d82f63382867be6662acfa4a" "259be3fa9bc662a1154ffaaed8b448a5"), SHEX("93a29254c47e4260669621307d4f5cd3"), SHEX("d8e3a56559a436ce0d8b212c80a88b23" "af62b0e598f208e03c1f2e9fa563a54b"), SHEX("495f7855535efd133464dc9a9abf8a0f" "28facbce21bd3c22178ec489b799e491")); /* AES-128 partial second block */ test_cipher_xts(&nettle_aes128, SHEX("394c97881abd989d29c703e48a72b397" "a7acf51b59649eeea9b33274d8541df4"), SHEX("4b15c684a152d485fe9937d39b168c29"), SHEX("2f3b9dcfbae729583b1d1ffdd16bb6fe" "2757329435662a78f0"), SHEX("f3473802e38a3ffef4d4fb8e6aa266eb" "de553a64528a06463e")); /* AES-256 two blocks - exact block size multiple */ test_cipher_xts(&nettle_aes256, SHEX("1ea661c58d943a0e4801e42f4b094714" "9e7f9f8e3e68d0c7505210bd311a0e7c" "d6e13ffdf2418d8d1911c004cda58da3" "d619b7e2b9141e58318eea392cf41b08"), SHEX("adf8d92627464ad2f0428e84a9f87564"), SHEX("2eedea52cd8215e1acc647e810bbc364" "2e87287f8d2e57e36c0a24fbc12a202e"), SHEX("cbaad0e2f6cea3f50b37f934d46a9b13" "0b9d54f07e34f36af793e86f73c6d7db")); /* AES-256 three blocks - exact block size multiple */ test_cipher_xts(&nettle_aes256, SHEX("266c336b3b01489f3267f52835fd92f6" "74374b88b4e1ebd2d36a5f457581d9d0" "42c3eef7b0b7e5137b086496b4d9e6ac" "658d7196a23f23f036172fdb8faee527"), SHEX("06b209a7a22f486ecbfadb0f3137ba42"), SHEX("ca7d65ef8d3dfad345b61ccddca1ad81" "de830b9e86c7b426d76cb7db766852d9" "81c6b21409399d78f42cc0b33a7bbb06"), SHEX("c73256870cc2f4dd57acc74b5456dbd7" "76912a128bc1f77d72cdebbf270044b7" "a43ceed29025e1e8be211fa3c3ed002d")); } nettle-4.0/testsuite/yarrow-test.c0000644000000000000000000000733115141166425014304 0ustar00#include "testutils.h" #include "yarrow.h" #include "knuth-lfib.h" #include "macros.h" #include #include /* Lagged fibonacci sequence as described in Knuth 3.6 */ struct knuth_lfib_ctx lfib; static int get_event(FILE *f, struct sha256_ctx *hash, unsigned *key, unsigned *time) { static int t = 0; uint8_t buf[1]; int c = getc(f); if (c == EOF) return 0; buf[0] = c; sha256_update(hash, sizeof(buf), buf); *key = c; t += (knuth_lfib_get(&lfib) % 10000); *time = t; return 1; } void test_main(void) { FILE *input; struct yarrow256_ctx yarrow; struct yarrow_key_event_ctx estimator; struct yarrow_source sources[2]; struct sha256_ctx output_hash; struct sha256_ctx input_hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t seed_file[YARROW256_SEED_FILE_SIZE]; const uint8_t *expected_output = H("dd304aacac3dc95e 70d684a642967c89" "58501f7c8eb88b79 43b2ffccde6f0f79"); const uint8_t *expected_input = H("e0596cf006025506 65d1195f32a87e4a" "5c354910dfbd0a31 e2105b262f5ce3d8"); const uint8_t *expected_seed_file = H("b03518f32b1084dd 983e6a445d47bb6f" "13bb7b998740d570 503d6aaa62e28901"); unsigned c; unsigned t; unsigned processed = 0; unsigned output = 0; unsigned i; static const char unsigned zeroes[100]; yarrow256_init(&yarrow, 2, sources); yarrow_key_event_init(&estimator); sha256_init(&input_hash); sha256_init(&output_hash); knuth_lfib_init(&lfib, 31416); /* Fake input to source 0 */ yarrow256_update(&yarrow, 0, 200, sizeof(zeroes), zeroes); if (verbose) printf("source 0 entropy: %d\n", sources[0].estimate[YARROW_SLOW]); ASSERT(!yarrow256_is_seeded(&yarrow)); input = open_srcdir_file("gold-bug.txt"); while (get_event(input, &input_hash, &c, &t)) { uint8_t buf[8]; processed++; WRITE_UINT32(buf, c); WRITE_UINT32(buf + 4, t); yarrow256_update(&yarrow, 1, yarrow_key_event_estimate(&estimator, c, t), sizeof(buf), buf); if (yarrow256_is_seeded(&yarrow)) { static const unsigned sizes[4] = { 1, 16, 500, 37 }; unsigned size = sizes[processed % 4]; uint8_t buf[500]; if (verbose && !output) printf("Generator was seeded after %d events\n", processed); yarrow256_random(&yarrow, size, buf); sha256_update(&output_hash, size, buf); if (verbose) { printf("%02x ", buf[0]); if (! (processed % 16)) printf("\n"); } output += size; } } fclose(input); if (verbose) { printf("\n"); for (i = 0; i<2; i++) printf("source %d, (fast, slow) entropy: (%d, %d)\n", i, sources[i].estimate[YARROW_FAST], sources[i].estimate[YARROW_SLOW]); printf("Processed input: %d octets\n", processed); printf(" sha256:"); } sha256_digest(&input_hash, digest); if (verbose) { print_hex(sizeof(digest), digest); printf("\n"); } ASSERT (memcmp(digest, expected_input, sizeof(digest)) == 0); yarrow256_random(&yarrow, sizeof(seed_file), seed_file); if (verbose) { printf("New seed file: "); print_hex(sizeof(seed_file), seed_file); printf("\n"); } ASSERT (memcmp(seed_file, expected_seed_file, sizeof(seed_file)) == 0); if (verbose) { printf("Generated output: %d octets\n", output); printf(" sha256:"); } sha256_digest(&output_hash, digest); if (verbose) { print_hex(sizeof(digest), digest); printf("\n"); } ASSERT (memcmp(digest, expected_output, sizeof(digest)) == 0); } nettle-4.0/tools/0000755000000000000000000000000015141166425010743 5ustar00nettle-4.0/tools/Makefile.in0000644000000000000000000000613015141166425013010 0ustar00@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = $(INSTALL_PROGRAM) -s MKDIR_P = @MKDIR_P@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. HOGWEED_TARGETS = pkcs1-conv$(EXEEXT) TARGETS = sexp-conv$(EXEEXT) nettle-hash$(EXEEXT) nettle-pbkdf2$(EXEEXT) \ nettle-lfib-stream$(EXEEXT) \ @IF_HOGWEED@ $(HOGWEED_TARGETS) TS_ALL = sexp-conv-test pkcs1-conv-test nettle-pbkdf2-test all: $(TARGETS) getopt_OBJS = ../getopt.$(OBJEXT) ../getopt1.$(OBJEXT) sexp_conv_SOURCES = sexp-conv.c input.c output.c parse.c misc.c pkcs1_conv_SOURCES = pkcs1-conv.c misc.c nettle_hash_SOURCES = nettle-hash.c misc.c nettle_pbkdf2_SOURCES = nettle-pbkdf2.c misc.c SOURCES = $(sexp_conv_SOURCES) nettle-hash.c nettle-lfib-stream.c pkcs1-conv.c nettle-pbkdf2.c DISTFILES = $(SOURCES) $(TS_ALL) Makefile.in input.h misc.h output.h parse.h sexp_conv_OBJS = $(sexp_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) sexp-conv$(EXEEXT): $(sexp_conv_OBJS) ../libnettle.stamp $(LINK) $(sexp_conv_OBJS) -lnettle $(LIBS) -o $@ nettle-lfib-stream$(EXEEXT): nettle-lfib-stream.$(OBJEXT) ../libnettle.stamp $(LINK) nettle-lfib-stream.$(OBJEXT) -lnettle $(LIBS) -o $@ pkcs1_conv_OBJS = $(pkcs1_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) pkcs1-conv$(EXEEXT): $(pkcs1_conv_OBJS) ../libnettle.stamp ../libhogweed.stamp $(LINK) $(pkcs1_conv_OBJS) -lhogweed -lnettle $(LIBS) -o $@ # FIXME: Avoid linking with gmp nettle_hash_OBJS = $(nettle_hash_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) nettle-hash$(EXEEXT): $(nettle_hash_OBJS) ../libnettle.stamp $(LINK) $(nettle_hash_OBJS) -lnettle -o $@ nettle_pbkdf2_OBJS = $(nettle_pbkdf2_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) nettle-pbkdf2$(EXEEXT): $(nettle_pbkdf2_OBJS) ../libnettle.stamp $(LINK) $(nettle_pbkdf2_OBJS) -lnettle -o $@ %.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) # NOTE: If we required GNU make, we could use a single rule with $(@F) # or $(notdir $@) ../getopt.$(OBJEXT): ( cd .. && $(MAKE) getopt.$(OBJEXT)) ../getopt1.$(OBJEXT): ( cd .. && $(MAKE) getopt1.$(OBJEXT)) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status tools/$@ check: $(TS_ALL) TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" \ EMULATOR="$(EMULATOR)" EXEEXT="$(EXEEXT)" \ $(top_srcdir)/run-tests $(TS_ALL) install: $(TARGETS) $(MKDIR_P) $(DESTDIR)$(bindir) for f in $(TARGETS) ; do \ $(INSTALL_PROGRAM) $$f $(DESTDIR)$(bindir) ; \ done uninstall: for f in $(TARGETS) ; do \ rm -f $(DESTDIR)$(bindir)/$$f ; \ done # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, equivalent for phony targets. distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d test.in test1.out test2.out \ testkey.priv testkey.pub testtmp testsignature testsignature2 distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h -include $(SOURCES:.c=.$(OBJEXT).d) nettle-4.0/tools/input.c0000644000000000000000000002216315141166425012252 0ustar00/* input.c Copyright (C) 2002, 2003, 2008 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "input.h" void sexp_input_init(struct sexp_input *input, FILE *f) { input->f = f; input->coding = NULL; } static void sexp_get_raw_char(struct sexp_input *input) { int c = getc(input->f); if (c < 0) { if (ferror(input->f)) die("Read error: %s\n", strerror(errno)); input->ctype = SEXP_EOF_CHAR; } else { input->ctype = SEXP_NORMAL_CHAR; input->c = c; } } void sexp_get_char(struct sexp_input *input) { if (input->coding) for (;;) { sexp_get_raw_char(input); if (input->ctype == SEXP_EOF_CHAR) die("Unexpected end of file in coded data.\n"); if (input->c == input->terminator) { if (!input->coding->final(&input->state)) die("Invalid coded data.\n"); input->coding = NULL; input->ctype = SEXP_END_CHAR; return; } switch (input->coding->decode (&input->state, &input->c, input->c)) { case 0: break; case 1: return; default: die("Invalid coded data.\n"); } } else sexp_get_raw_char(input); } static uint8_t sexp_next_char(struct sexp_input *input) { sexp_get_char(input); if (input->ctype != SEXP_NORMAL_CHAR) die("Unexpected end of file.\n"); return input->c; } static void sexp_push_char(struct sexp_input *input, struct nettle_buffer *string) { assert(input->ctype == SEXP_NORMAL_CHAR); if (!NETTLE_BUFFER_PUTC(string, input->c)) die("Virtual memory exhasuted.\n"); } static void sexp_input_start_base64(struct sexp_input *input, uint8_t terminator) { static const struct input_coding base64 = { (decode_single_func *) base64_decode_single, (decode_final_func *) base64_decode_final, }; assert(!input->coding); input->coding = &base64; base64_decode_init (&input->state.base64); input->terminator = terminator; } static void sexp_input_start_base16(struct sexp_input *input, uint8_t terminator) { static const struct input_coding base16 = { (decode_single_func *) base16_decode_single, (decode_final_func *) base16_decode_final, }; assert(!input->coding); input->coding = &base16; base16_decode_init (&input->state.hex); input->terminator = terminator; } /* Return 0 at end-of-string */ static int sexp_get_quoted_char(struct sexp_input *input) { sexp_next_char(input); switch (input->c) { default: return 1; case '\"': return 0; case '\\': sexp_next_char(input); switch (input->c) { case 'b': input->c = '\b'; return 1; case 't': input->c = '\t'; return 1; case 'n': input->c = '\n'; return 1; case 'f': input->c = '\f'; return 1; case 'r': input->c = '\r'; return 1; case '\\': input->c = '\\'; return 1; case 'o': case 'x': /* FIXME: Not implemnted */ abort(); case '\n': if (sexp_next_char(input) == '\r') sexp_next_char(input); break; case '\r': if (sexp_next_char(input) == '\n') sexp_next_char(input); break; } return 1; } } static void sexp_get_token_string(struct sexp_input *input, struct nettle_buffer *string) { assert(!input->coding); assert(input->ctype == SEXP_NORMAL_CHAR); if (!TOKEN_CHAR(input->c)) die("Invalid token.\n"); do { sexp_push_char(input, string); sexp_get_char(input); } while (input->ctype == SEXP_NORMAL_CHAR && TOKEN_CHAR(input->c)); assert (string->size); } static void sexp_get_string(struct sexp_input *input, struct nettle_buffer *string) { nettle_buffer_reset(string); input->token = SEXP_STRING; switch (input->c) { case '\"': while (sexp_get_quoted_char(input)) sexp_push_char(input, string); sexp_get_char(input); break; case '#': sexp_input_start_base16 (input, '#'); goto decode; case '|': sexp_input_start_base64 (input, '|'); decode: for (;;) { sexp_get_char(input); switch (input->ctype) { case SEXP_NORMAL_CHAR: sexp_push_char(input, string); break; case SEXP_EOF_CHAR: die("Unexpected end of file in coded string.\n"); case SEXP_END_CHAR: sexp_get_char(input); return; } } break; default: sexp_get_token_string(input, string); break; } } static void sexp_get_string_length(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string) { unsigned length; nettle_buffer_reset(string); input->token = SEXP_STRING; length = input->c - '0'; if (!length) /* There must be no more digits */ sexp_next_char(input); else { assert(length < 10); /* Get rest of digits */ for (;;) { sexp_next_char(input); if (input->c < '0' || input->c > '9') break; /* FIXME: Check for overflow? */ length = length * 10 + input->c - '0'; } } if (input->c == ':') /* Verbatim */ for (; length; length--) { sexp_next_char(input); sexp_push_char(input, string); } else if (mode != SEXP_ADVANCED) die("Encountered advanced string in canonical mode.\n"); else switch(input->c) { case '"': for (; length; length--) if (sexp_get_quoted_char(input)) sexp_push_char(input, string); else die("Unexpected end of string.\n"); if (sexp_get_quoted_char(input)) die("Quoted string longer than expected.\n"); break; case '#': sexp_input_start_base16(input, '#'); goto decode; case '|': sexp_input_start_base64(input, '|'); decode: for (; length; length--) { sexp_next_char(input); sexp_push_char(input, string); } sexp_get_char(input); if (input->ctype != SEXP_END_CHAR) die("Coded string too long.\n"); break; default: die("Invalid string.\n"); } /* Skip the ending character. */ sexp_get_char(input); } static void sexp_get_comment(struct sexp_input *input, struct nettle_buffer *string) { nettle_buffer_reset(string); assert(input->ctype == SEXP_NORMAL_CHAR); assert(input->c == ';'); do { sexp_push_char(input, string); sexp_get_raw_char(input); } while (input->ctype == SEXP_NORMAL_CHAR && input->c != '\n'); input->token = SEXP_COMMENT; } /* When called, input->c should be the first character of the current * token. * * When returning, input->c should be the first character of the next * token. */ void sexp_get_token(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string) { for(;;) switch(input->ctype) { case SEXP_EOF_CHAR: input->token = SEXP_EOF; return; case SEXP_END_CHAR: input->token = SEXP_CODING_END; sexp_get_char(input); return; case SEXP_NORMAL_CHAR: switch(input->c) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': sexp_get_string_length(input, mode, string); return; case '(': input->token = SEXP_LIST_START; sexp_get_char(input); return; case ')': input->token = SEXP_LIST_END; sexp_get_char(input); return; case '[': input->token = SEXP_DISPLAY_START; sexp_get_char(input); return; case ']': input->token = SEXP_DISPLAY_END; sexp_get_char(input); return; case '{': if (mode == SEXP_CANONICAL) die("Unexpected transport data in canonical mode.\n"); sexp_input_start_base64 (input, '}'); sexp_get_char(input); input->token = SEXP_TRANSPORT_START; return; case ' ': /* SPC, TAB, LF, CR */ case '\t': case '\n': case '\r': if (mode == SEXP_CANONICAL) die("Whitespace encountered in canonical mode.\n"); sexp_get_char(input); break; case ';': /* Comments */ if (mode == SEXP_CANONICAL) die("Comment encountered in canonical mode.\n"); sexp_get_comment(input, string); return; default: /* Ought to be a string */ if (mode != SEXP_ADVANCED) die("Encountered advanced string in canonical mode.\n"); sexp_get_string(input, string); return; } } } nettle-4.0/tools/input.h0000644000000000000000000000423715141166425012261 0ustar00/* input.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_INPUT_H_INCLUDED #define NETTLE_TOOLS_INPUT_H_INCLUDED #include "misc.h" #include "base16.h" #include "base64.h" #include "buffer.h" #include /* Special marks in the input stream */ enum sexp_char_type { SEXP_NORMAL_CHAR = 0, SEXP_EOF_CHAR, SEXP_END_CHAR, }; typedef int decode_single_func(void *ctx, uint8_t *dst, char src); typedef int decode_final_func(void *ctx); struct input_coding { decode_single_func *decode; decode_final_func *final; }; struct sexp_input { FILE *f; /* Character stream, consisting of ordinary characters, * SEXP_EOF_CHAR, and SEXP_END_CHAR. */ enum sexp_char_type ctype; uint8_t c; const struct input_coding *coding; union { struct base64_decode_ctx base64; struct base16_decode_ctx hex; } state; /* Terminator for current coding */ uint8_t terminator; /* Type of current token */ enum sexp_token token; }; void sexp_input_init(struct sexp_input *input, FILE *f); void sexp_get_char(struct sexp_input *input); void sexp_get_token(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string); #endif /* NETTLE_TOOLS_INPUT_H_INCLUDED */ nettle-4.0/tools/misc.c0000644000000000000000000000420215141166425012040 0ustar00/* misc.c Copyright (C) 2002, 2003, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "misc.h" void die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } void werror(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } void * xalloc(size_t size) { void *p = malloc(size); if (!p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } const char sexp_token_chars[0x80] = { /* 0, ... 0x1f */ 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* SPC ! " # $ % & ' ( ) * + , - . / */ 0,0,0,0,0,0,0,0, 0,0,1,1,0,1,1,1, /* 0 1 2 3 4 5 6 7 8 9 : ; < = > ? */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,1,0,0, /* @ A ... O */ 0,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, /* P ... Z [ \ ] ^ _ */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,0,0,1, /* ` a, ... o */ 0,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, /* p ... z { | } ~ DEL */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,0,0,0, }; nettle-4.0/tools/misc.h0000644000000000000000000000366215141166425012056 0ustar00/* misc.h Copyright (C) 2002, 2003, 2008, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_MISC_H_INCLUDED #define NETTLE_TOOLS_MISC_H_INCLUDED #if HAVE_CONFIG_H # include "config.h" #endif void die(const char *format, ...) PRINTF_STYLE (1, 2) NORETURN; void werror(const char *format, ...) PRINTF_STYLE (1, 2); void * xalloc(size_t size); enum sexp_mode { SEXP_CANONICAL = 0, SEXP_ADVANCED = 1, SEXP_TRANSPORT = 2, }; enum sexp_token { SEXP_STRING, SEXP_DISPLAY, /* Constructed by sexp_parse */ SEXP_COMMENT, SEXP_LIST_START, SEXP_LIST_END, SEXP_EOF, /* The below types are internal to the input parsing, only * returned by sexp_get_token. sexp_parse should never return a * token of these types. */ SEXP_DISPLAY_START, SEXP_DISPLAY_END, SEXP_TRANSPORT_START, SEXP_CODING_END, }; extern const char sexp_token_chars[0x80]; #define TOKEN_CHAR(c) ((c) < 0x80 && sexp_token_chars[(c)]) #endif /* NETTLE_TOOLS_MISC_H_INCLUDED */ nettle-4.0/tools/nettle-hash.c0000644000000000000000000001304515141166425013326 0ustar00/* nettle-hash.c General hashing tool. Copyright (C) 2011, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-meta.h" #include "base16.h" #include "getopt.h" #include "misc.h" #define BUFSIZE 16384 static void list_algorithms (void) { unsigned i; const struct nettle_hash *alg; printf ("%10s digestsize (internal block size, context size), in units of octets\n", "name"); for (i = 0; (alg = nettle_hashes[i]); i++) printf ("%10s %d (%d, %d)\n", alg->name, alg->digest_size, alg->block_size, alg->context_size); }; /* Also in examples/io.c */ static int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f) { for (;;) { uint8_t buffer[BUFSIZE]; size_t res = fread(buffer, 1, sizeof(buffer), f); if (ferror(f)) return 0; hash->update(ctx, res, buffer); if (feof(f)) return 1; } } static int digest_file(const struct nettle_hash *alg, unsigned digest_length, int raw, FILE *f) { void *ctx; uint8_t *digest; ctx = xalloc(alg->context_size); alg->init(ctx); if (!hash_file (alg, ctx, f)) { free (ctx); return 0; } digest = xalloc(alg->digest_size); alg->digest(ctx, digest); free(ctx); if (raw) fwrite (digest, digest_length, 1, stdout); else { unsigned i; char hex[BASE16_ENCODE_LENGTH(8) + 1]; for (i = 0; i + 8 < digest_length; i += 8) { base16_encode_update(hex, 8, digest + i); hex[BASE16_ENCODE_LENGTH(8)] = 0; printf("%s ", hex); } base16_encode_update(hex, digest_length - i, digest + i); hex[BASE16_ENCODE_LENGTH(digest_length - i)] = 0; printf("%s %s\n", hex, alg->name); } free(digest); return 1; } static void usage (FILE *f) { fprintf(f, "Usage: nettle-hash -a ALGORITHM [OPTIONS] [FILE ...]\n" "Options:\n" " --help Show this help.\n" " -V, --version Show version information.\n" " --list List supported hash algorithms.\n" " -a, --algorithm=ALG Hash algorithm to use.\n" " -l, --length=LENGTH Desired digest length (octets)\n" " --raw Raw binary output.\n"); } /* FIXME: Be more compatible with md5sum and sha1sum. Options -c (check), -b (binary), -t (text), and output format with hex hash sum, optional star (meaning binary mode), and file name. */ int main (int argc, char **argv) { const char *alg_name = NULL; const struct nettle_hash *alg; unsigned length = 0; int raw = 0; int c; enum { OPT_HELP = 0x300, OPT_RAW, OPT_LIST }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "algorithm", required_argument, NULL, 'a' }, { "length", required_argument, NULL, 'l' }, { "list", no_argument, NULL, OPT_LIST }, { "raw", no_argument, NULL, OPT_RAW }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Va:l:", options, NULL)) != -1) switch (c) { default: abort(); case '?': usage (stderr); return EXIT_FAILURE; case OPT_HELP: usage (stdout); return EXIT_SUCCESS; case 'V': printf("nettle-hash (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; case 'a': alg_name = optarg; break; case 'l': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid length argument: `%s'\n", optarg); length = arg; } break; case OPT_RAW: raw = 1; break; case OPT_LIST: list_algorithms(); return EXIT_SUCCESS; } if (!alg_name) die("Algorithm argument (-a option) is mandatory.\n" "See nettle-hash --help for further information.\n"); alg = nettle_lookup_hash (alg_name); if (!alg) die("Hash algorithm `%s' not supported or .\n" "Use nettle-hash --list to list available algorithms.\n", alg_name); if (length == 0) length = alg->digest_size; else if (length > alg->digest_size) die ("Length argument %d too large for selected algorithm.\n", length); argv += optind; argc -= optind; if (argc == 0) digest_file (alg, length, raw, stdin); else { int i; for (i = 0; i < argc; i++) { FILE *f = fopen (argv[i], "rb"); if (!f) die ("Cannot open `%s': %s\n", argv[i], strerror(errno)); printf("%s: ", argv[i]); if (!digest_file (alg, length, raw, f)) die("Reading `%s' failed: %s\n", argv[i], strerror(errno)); fclose(f); } } if (fflush(stdout) != 0 ) die("Write failed: %s\n", strerror(errno)); return EXIT_SUCCESS; } nettle-4.0/tools/nettle-lfib-stream.c0000644000000000000000000000373215141166425014612 0ustar00/* lfib-stream.c Generates a pseudorandom stream, using the Knuth lfib (non-cryptographic) pseudorandom generator. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "knuth-lfib.h" #include #include #include #include #define BUFSIZE 500 static void usage(void) { fprintf(stderr, "Usage: lfib-stream [SEED]\n"); } int main(int argc, char **argv) { struct knuth_lfib_ctx ctx; uint32_t seed; if (argc == 1) seed = time(NULL); else if (argc == 2) { seed = atoi(argv[1]); if (!seed) { usage(); return EXIT_FAILURE; } } else { usage(); return EXIT_FAILURE; } knuth_lfib_init(&ctx, seed); for (;;) { uint8_t buffer[BUFSIZE]; knuth_lfib_random(&ctx, sizeof(buffer), buffer); if (fwrite(buffer, 1, sizeof(buffer), stdout) < sizeof(buffer) || fflush(stdout) < 0) return EXIT_FAILURE; } /* Not reached. This program is usually terminated by SIGPIPE */ } nettle-4.0/tools/nettle-pbkdf2-test0000755000000000000000000000130315141166425014304 0ustar00#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi test_pbkdf2 () { password="$1" salt="$2" iters="$3" expected="$4" # Relies on division rounding down; breaks if # $expected contains more than one space. length=`expr "$expected" : '.*' / 2` # Delete carriage return characters, needed when testing with # wine. printf "%s" "$password" | $EMULATOR ./nettle-pbkdf2$EXEEXT \ -i "$iters" -l "$length" "$salt" | tr -d '\r' > test1.out echo "$expected" | tr -d '\r' > test2.out cmp test1.out test2.out || exit 1 } test_pbkdf2 passwd salt 1 "55ac046e56e3089f ec1691c22544b605" test_pbkdf2 Password NaCl 80000 "4ddcd8f60b98be21 830cee5ef22701f9" exit 0 nettle-4.0/tools/nettle-pbkdf2.c0000644000000000000000000001163015141166425013551 0ustar00/* nettle-pbkdf2.c Command-line tool for pbkdf2 hashing. Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "pbkdf2.h" #include "base16.h" #include "getopt.h" #include "misc.h" #define DEFAULT_ITERATIONS 10000 #define DEFAULT_LENGTH 16 static void usage (FILE *f) { fprintf(f, "Usage: nettle-pbkdf2 [OPTIONS] SALT\n" "Options:\n" " --help Show this help.\n" " -V, --version Show version information.\n" " -i, --iterations=COUNT Desired iteration count (default %d).\n" " -l, --length=LENGTH Desired output length (octets, default %d)\n" " --raw Raw binary output.\n" " --hex-salt Use hex encoding for the salt.\n", DEFAULT_ITERATIONS, DEFAULT_LENGTH); } #define MAX_PASSWORD 1024 int main (int argc, char **argv) { unsigned iterations = DEFAULT_ITERATIONS; unsigned output_length = DEFAULT_LENGTH; char password[MAX_PASSWORD]; size_t password_length; uint8_t *output; size_t salt_length; char *salt; int raw = 0; int hex_salt = 0; int c; enum { OPT_HELP = 0x300, OPT_RAW, OPT_HEX_SALT }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "length", required_argument, NULL, 'l' }, { "iterations", required_argument, NULL, 'i' }, { "raw", no_argument, NULL, OPT_RAW }, { "hex-salt", no_argument, NULL, OPT_HEX_SALT }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Vl:i:", options, NULL)) != -1) switch (c) { default: abort(); case '?': usage (stderr); return EXIT_FAILURE; case OPT_HELP: usage (stdout); return EXIT_SUCCESS; case 'V': printf("nettle-pbkdf2 (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; case 'l': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid length argument: `%s'\n", optarg); output_length = arg; } break; case 'i': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid iteration count: `%s'\n", optarg); iterations = arg; } break; case OPT_RAW: raw = 1; break; case OPT_HEX_SALT: hex_salt = 1; break; } argv += optind; argc -= optind; if (argc != 1) { usage (stderr); return EXIT_FAILURE; } salt = strdup (argv[0]); if (!salt) die ("strdup failed: Virtual memory exhausted.\n"); salt_length = strlen(argv[0]); if (hex_salt) { struct base16_decode_ctx base16; base16_decode_init (&base16); if (!base16_decode_update (&base16, &salt_length, (uint8_t *) salt, salt_length, salt) || !base16_decode_final (&base16)) die ("Invalid salt (expecting hex encoding).\n"); } password_length = fread (password, 1, sizeof(password), stdin); if (password_length == sizeof(password)) die ("Password input too long. Current limit is %d characters.\n", (int) sizeof(password) - 1); if (ferror (stdin)) die ("Reading password input failed: %s.\n", strerror (errno)); output = xalloc (output_length); pbkdf2_hmac_sha256 (password_length, (const uint8_t *) password, iterations, salt_length, (const uint8_t*) salt, output_length, output); free (salt); if (raw) fwrite (output, output_length, 1, stdout); else { unsigned i; char hex[BASE16_ENCODE_LENGTH(8) + 1]; for (i = 0; i + 8 < output_length; i += 8) { base16_encode_update(hex, 8, output + i); hex[BASE16_ENCODE_LENGTH(8)] = 0; printf("%s%c", hex, i % 64 == 56 ? '\n' : ' '); } base16_encode_update(hex, output_length - i, output + i); hex[BASE16_ENCODE_LENGTH(output_length - i)] = 0; printf("%s\n", hex); } free (output); if (fflush(stdout) != 0 ) die("Write failed: %s\n", strerror(errno)); return EXIT_SUCCESS; } nettle-4.0/tools/output.c0000644000000000000000000001605015141166425012451 0ustar00/* output.c Copyright (C) 2002, 2003, 2009 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "output.h" #include "base16.h" /* For TMP_ALLOC */ #include "nettle-internal.h" static void sexp_put_hash_char(struct sexp_output *output, uint8_t c) { output->hash->update (output->ctx, 1, &c); } void sexp_output_init(struct sexp_output *output, FILE *f, const struct nettle_hash *hash, unsigned width, int prefer_hex) { output->f = f; output->line_width = width; output->prefer_hex = prefer_hex; output->hash = hash; if (output->hash) { output->ctx = xalloc (output->hash->context_size); output->hash->init (output->ctx); output->put_char = sexp_put_hash_char; } else { output->ctx = NULL; output->put_char = NULL; } output->pos = 0; output->soft_newline = 0; } static void sexp_put_raw_char(struct sexp_output *output, uint8_t c) { if (putc(c, output->f) < 0) die("Write failed: %s\n", strerror(errno)); output->pos++; output->soft_newline = 0; } void sexp_put_newline(struct sexp_output *output, unsigned indent) { if (output->soft_newline) output->soft_newline = 0; else { unsigned i; sexp_put_raw_char(output, '\n'); output->pos = 0; for(i = 0; i < indent; i++) sexp_put_raw_char(output, ' '); output->pos = indent; } } /* Put a newline, but only if it is followed by another newline, collaps to one newline only. */ void sexp_put_soft_newline(struct sexp_output *output, unsigned indent) { sexp_put_newline(output, indent); output->soft_newline = 1; } void sexp_put_char(struct sexp_output *output, uint8_t c) { if (output->put_char) { if (output->line_width && output->pos >= output->line_width && output->pos >= (output->coding_indent + 10)) sexp_put_newline(output, output->coding_indent); output->put_char (output, c); } else sexp_put_raw_char(output, c); } void sexp_put_data(struct sexp_output *output, unsigned length, const uint8_t *data) { unsigned i; for (i = 0; i length) break; digit = next; } for (; digit; length %= digit, digit /= 10) sexp_put_char(output, '0' + length / digit); } static void sexp_put_base16 (struct sexp_output *output, uint8_t c) { char encoded[2]; base16_encode_single (encoded, c); sexp_put_raw_char (output, encoded[0]); sexp_put_raw_char (output, encoded[1]); } void sexp_put_base16_start (struct sexp_output *output) { assert (!output->put_char); output->coding_indent = output->pos; output->put_char = sexp_put_base16; } void sexp_put_base16_end (struct sexp_output *output) { output->put_char = NULL; } static void sexp_put_base64 (struct sexp_output *output, uint8_t c) { char encoded[2]; unsigned done; done = base64_encode_single (&output->base64, encoded, c); sexp_put_raw_char (output, encoded[0]); if (done > 1) sexp_put_raw_char (output, encoded[1]); } void sexp_put_base64_start (struct sexp_output *output) { assert (!output->put_char); output->coding_indent = output->pos; base64_encode_init (&output->base64); output->put_char = sexp_put_base64; } void sexp_put_base64_end(struct sexp_output *output) { char encoded[BASE64_ENCODE_FINAL_LENGTH]; unsigned done; done = base64_encode_final (&output->base64, encoded); output->put_char = NULL; sexp_put_data (output, done, (const uint8_t*) encoded); } void sexp_put_string(struct sexp_output *output, enum sexp_mode mode, struct nettle_buffer *string) { if (!string->size) sexp_put_data(output, 2, (const uint8_t *) ((mode == SEXP_ADVANCED) ? "\"\"": "0:")); else if (mode == SEXP_ADVANCED) { unsigned i; int token = (string->contents[0] < '0' || string->contents[0] > '9'); int quote_friendly = 1; #define CONTROL_SIZE 0x20 static const char escape_names[CONTROL_SIZE] = { 0,0,0,0,0,0,0,0, 'b','t','n',0,'f','r',0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 }; for (i = 0; isize; i++) { uint8_t c = string->contents[i]; if (token & !TOKEN_CHAR(c)) token = 0; if (quote_friendly) { if (c >= 0x7f) quote_friendly = 0; else if (c < CONTROL_SIZE && !escape_names[c]) quote_friendly = 0; } } if (token) sexp_put_data(output, string->size, string->contents); else if (quote_friendly) { sexp_put_char(output, '"'); for (i = 0; isize; i++) { int escape = 0; uint8_t c = string->contents[i]; assert(c < 0x7f); if (c == '\\' || c == '"') escape = 1; else if (c < CONTROL_SIZE) { escape = 1; c = escape_names[c]; assert(c); } if (escape) sexp_put_char(output, '\\'); sexp_put_char(output, c); } sexp_put_char(output, '"'); } else if (output->prefer_hex) { sexp_put_char(output, '#'); sexp_put_base16_start (output); sexp_put_data(output, string->size, string->contents); sexp_put_base16_end (output); sexp_put_char(output, '#'); } else { sexp_put_char(output, '|'); sexp_put_base64_start (output); sexp_put_data(output, string->size, string->contents); sexp_put_base64_end (output); sexp_put_char(output, '|'); } #undef CONTROL_SIZE } else { sexp_put_length(output, string->size); sexp_put_char(output, ':'); sexp_put_data(output, string->size, string->contents); } } void sexp_put_digest(struct sexp_output *output) { TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, output->hash->digest_size); assert(output->hash); output->hash->digest(output->ctx, digest); output->put_char = NULL; sexp_put_base16_start (output); sexp_put_data (output, output->hash->digest_size, digest); sexp_put_base16_end (output); output->put_char = sexp_put_hash_char; } nettle-4.0/tools/output.h0000644000000000000000000000465515141166425012466 0ustar00/* output.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_OUTPUT_H_INCLUDED #define NETTLE_TOOLS_OUTPUT_H_INCLUDED #include "misc.h" #include "base64.h" #include "buffer.h" #include "nettle-meta.h" #include struct sexp_output; typedef void put_char_func (struct sexp_output *output, uint8_t c); struct sexp_output { FILE *f; unsigned line_width; put_char_func *put_char; unsigned coding_indent; int prefer_hex; const struct nettle_hash *hash; void *ctx; /* NOTE: There's no context needed for hex encoding. */ struct base64_encode_ctx base64; unsigned pos; int soft_newline; }; void sexp_output_init(struct sexp_output *output, FILE *f, const struct nettle_hash *hash, unsigned width, int prefer_hex); void sexp_put_newline(struct sexp_output *output, unsigned indent); void sexp_put_soft_newline(struct sexp_output *output, unsigned indent); void sexp_put_char(struct sexp_output *output, uint8_t c); void sexp_put_data(struct sexp_output *output, unsigned length, const uint8_t *data); void sexp_put_base16_start(struct sexp_output *output); void sexp_put_base16_end(struct sexp_output *output); void sexp_put_base64_start(struct sexp_output *output); void sexp_put_base64_end(struct sexp_output *output); void sexp_put_string(struct sexp_output *output, enum sexp_mode mode, struct nettle_buffer *string); void sexp_put_digest(struct sexp_output *output); #endif /* NETTLE_TOOLS_OUTPUT_H_INCLUDED */ nettle-4.0/tools/parse.c0000644000000000000000000001040215141166425012216 0ustar00/* parse.c Copyright (C) 2002, 2003, 2008 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "parse.h" #include "input.h" void sexp_compound_token_init(struct sexp_compound_token *token) { token->type = 0; nettle_buffer_init(&token->display); nettle_buffer_init(&token->string); } void sexp_compound_token_clear(struct sexp_compound_token *token) { nettle_buffer_clear(&token->display); nettle_buffer_clear(&token->string); } void sexp_parse_init(struct sexp_parser *parser, struct sexp_input *input, enum sexp_mode mode) { parser->input = input; parser->mode = mode; /* Start counting with 1 for the top level, to make comparisons * between transport and level simpler. * * FIXME: Is that trick ugly? */ parser->level = 1; parser->transport = 0; } /* Get next token, and check that it is of the expected kind. */ static void sexp_check_token(struct sexp_parser *parser, enum sexp_token token, struct nettle_buffer *string) { sexp_get_token(parser->input, parser->transport ? SEXP_CANONICAL : parser->mode, string); if (parser->input->token != token) die("Syntax error.\n"); } /* Performs further processing of the input, in particular display * types and transport decoding. * * This is complicated a little by the requirement that a * transport-encoded block, {xxxxx}, must include exactly one * expression. We check at the end of strings and list whether or not * we should expect a SEXP_CODING_END as the next token. */ void sexp_parse(struct sexp_parser *parser, struct sexp_compound_token *token) { for (;;) { sexp_get_token(parser->input, parser->transport ? SEXP_CANONICAL : parser->mode, &token->string); switch(parser->input->token) { case SEXP_LIST_END: if (parser->level == parser->transport) die("Unmatched end of list in transport encoded data.\n"); parser->level--; if (!parser->level) die("Unmatched end of list.\n"); token->type = SEXP_LIST_END; check_transport_end: if (parser->level == parser->transport) { sexp_check_token(parser, SEXP_CODING_END, &token->string); assert(parser->transport); assert(parser->level == parser->transport); parser->level--; parser->transport = 0; } return; case SEXP_EOF: if (parser->level > 1) die("Unexpected end of file.\n"); token->type = SEXP_EOF; return; case SEXP_LIST_START: parser->level++; token->type = SEXP_LIST_START; return; case SEXP_DISPLAY_START: sexp_check_token(parser, SEXP_STRING, &token->display); sexp_check_token(parser, SEXP_DISPLAY_END, &token->display); sexp_check_token(parser, SEXP_STRING, &token->string); token->type = SEXP_DISPLAY; goto check_transport_end; case SEXP_STRING: token->type = SEXP_STRING; goto check_transport_end; case SEXP_COMMENT: token->type = SEXP_COMMENT; return; case SEXP_TRANSPORT_START: if (parser->mode == SEXP_CANONICAL) die("Base64 not allowed in canonical mode.\n"); parser->level++; parser->transport = parser->level; continue; case SEXP_CODING_END: die("Unexpected end of transport encoding.\n"); case SEXP_DISPLAY_END: die("Unexpected end of display tag.\n"); case SEXP_DISPLAY: /* Internal error. */ abort(); } } } nettle-4.0/tools/parse.h0000644000000000000000000000363715141166425012237 0ustar00/* parse.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_PARSE_H_INCLUDED #define NETTLE_TOOLS_PARSE_H_INCLUDED #include "misc.h" #include "buffer.h" struct sexp_compound_token { enum sexp_token type; struct nettle_buffer display; struct nettle_buffer string; }; void sexp_compound_token_init(struct sexp_compound_token *token); void sexp_compound_token_clear(struct sexp_compound_token *token); struct sexp_parser { struct sexp_input *input; enum sexp_mode mode; /* Nesting level of lists. Transport encoding counts as one * level of nesting. */ unsigned level; /* The nesting level where the transport encoding occured. * Zero if we're not currently using tranport encoding. */ unsigned transport; }; void sexp_parse_init(struct sexp_parser *parser, struct sexp_input *input, enum sexp_mode mode); void sexp_parse(struct sexp_parser *parser, struct sexp_compound_token *token); #endif /* NETTLE_TOOLS_PARSE_H_INCLUDED */ nettle-4.0/tools/pkcs1-conv-test0000755000000000000000000000403715141166425013636 0ustar00#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi [ -x ./pkcs1-conv$EXEEXT ] || exit 77 # Private RSA key, generated by openssl $EMULATOR ./pkcs1-conv$EXEEXT >testkey.priv <testkey.pub <testtmp < testsignature # Signature on the data "gazonk\n", using sha1 and the above key cat > testsignature2 < #include #include #include #include "asn1.h" #include "base64.h" #include "buffer.h" #include "rsa.h" #include "dsa.h" #include "getopt.h" #include "misc.h" enum object_type { /* Use a range of values which also work as option id:s */ RSA_PRIVATE_KEY = 0x200, RSA_PUBLIC_KEY, DSA_PRIVATE_KEY, /* DSA public keys only supported as part of a SubjectPublicKeyInfo, i.e., the GENERAL_PUBLIC_KEY case. */ GENERAL_PUBLIC_KEY, }; static int write_file(struct nettle_buffer *buffer, FILE *f) { size_t res = fwrite(buffer->contents, 1, buffer->size, f); if (res < buffer->size) { werror("Write failed: %s.\n", strerror(errno)); return 0; } else return 1; } /* Return 1 on success, 0 on error, -1 on eof */ static int read_line(struct nettle_buffer *buffer, FILE *f) { int c; while ((c = getc(f)) != EOF) { if (!NETTLE_BUFFER_PUTC(buffer, c)) return 0; if (c == '\n') return 1; } if (ferror(f)) { werror("Read failed: %s\n", strerror(errno)); return 0; } else return -1; } static int read_file(struct nettle_buffer *buffer, FILE *f) { int c; while ((c = getc(f)) != EOF) if (!NETTLE_BUFFER_PUTC(buffer, c)) return 0; if (ferror(f)) { werror("Read failed: %s\n", strerror(errno)); return 0; } else return 1; } static const uint8_t pem_start_pattern[11] = "-----BEGIN "; static const uint8_t pem_end_pattern[9] = "-----END "; static const uint8_t pem_trailer_pattern[5] = "-----"; static const char pem_ws[33] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, /* \t, \n, \v, \f, \r */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 /* SPC */ }; #define PEM_IS_SPACE(c) ((c) < sizeof(pem_ws) && pem_ws[(c)]) /* Returns 1 on match, otherwise 0. */ static int match_pem_start(size_t length, const uint8_t *line, size_t *marker_start, size_t *marker_length) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) length--; if (length > (sizeof(pem_start_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line, pem_start_pattern, sizeof(pem_start_pattern)) == 0 && memcmp(line + length - sizeof(pem_trailer_pattern), pem_trailer_pattern, sizeof(pem_trailer_pattern)) == 0) { *marker_start = 11; *marker_length = length - (sizeof(pem_start_pattern) + sizeof(pem_trailer_pattern)); return 1; } else return 0; } /* Returns 1 on match, -1 if the line is of the right form except for the marker, otherwise 0. */ static int match_pem_end(size_t length, const uint8_t *line, size_t marker_length, const uint8_t *marker) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) length--; if (length > (sizeof(pem_end_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line, pem_end_pattern, sizeof(pem_end_pattern)) == 0 && memcmp(line + length - sizeof(pem_trailer_pattern), pem_trailer_pattern, sizeof(pem_trailer_pattern)) == 0) { /* Right form. Check marker */ if (length == marker_length + (sizeof(pem_end_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line + sizeof(pem_end_pattern), marker, marker_length) == 0) return 1; else return -1; } else return 0; } struct pem_info { /* The FOO part in "-----BEGIN FOO-----" */ size_t marker_start; size_t marker_length; size_t data_start; size_t data_length; }; static int read_pem(struct nettle_buffer *buffer, FILE *f, struct pem_info *info) { /* Find start line */ for (;;) { int res; nettle_buffer_reset(buffer); res = read_line(buffer, f); if (res != 1) return res; if (match_pem_start(buffer->size, buffer->contents, &info->marker_start, &info->marker_length)) break; } /* NUL-terminate the marker. Don't care to check for embedded NULs. */ buffer->contents[info->marker_start + info->marker_length] = 0; info->data_start = buffer->size; for (;;) { size_t line_start = buffer->size; if (read_line(buffer, f) != 1) return 0; switch (match_pem_end(buffer->size - line_start, buffer->contents + line_start, info->marker_length, buffer->contents + info->marker_start)) { case 0: break; case -1: werror("PEM END line doesn't match BEGIN.\n"); return 0; case 1: /* Return base 64 data; let caller do the decoding */ info->data_length = line_start - info->data_start; return 1; } } } static inline int base64_decode_in_place (struct base64_decode_ctx *ctx, size_t *dst_length, size_t length, uint8_t *data) { return base64_decode_update (ctx, dst_length, data, length, (const char *) data); } static int decode_base64(struct nettle_buffer *buffer, size_t start, size_t *length) { struct base64_decode_ctx ctx; base64_decode_init(&ctx); /* Decode in place */ if (base64_decode_in_place(&ctx, length, *length, buffer->contents + start) && base64_decode_final(&ctx)) return 1; else { werror("Invalid base64 date.\n"); return 0; } } static int convert_rsa_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct rsa_public_key pub; int res; rsa_public_key_init(&pub); if (rsa_keypair_from_der(&pub, NULL, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, NULL); } else { werror("Invalid PKCS#1 public key.\n"); res = 0; } rsa_public_key_clear(&pub); return res; } static int convert_rsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct rsa_public_key pub; struct rsa_private_key priv; int res; rsa_public_key_init(&pub); rsa_private_key_init(&priv); if (rsa_keypair_from_der(&pub, &priv, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, &priv); } else { werror("Invalid PKCS#1 private key.\n"); res = 0; } rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); return res; } static int convert_dsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct dsa_params params; mpz_t pub; mpz_t priv; int res; dsa_params_init (¶ms); mpz_init (pub); mpz_init (priv); if (dsa_openssl_private_key_from_der(¶ms, pub, priv, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = dsa_keypair_to_sexp(buffer, NULL, ¶ms, pub, priv); } else { werror("Invalid OpenSSL private key.\n"); res = 0; } dsa_params_clear (¶ms); mpz_clear (pub); mpz_clear (priv); return res; } /* Returns 1 on success, 0 on error, and -1 for unsupported algorithms. */ static int convert_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { /* SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters OPTIONAL } */ struct asn1_der_iterator i; struct asn1_der_iterator j; int res = 0; if (asn1_der_iterator_first(&i, length, data) == ASN1_ITERATOR_CONSTRUCTED && i.type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(&i) == ASN1_ITERATOR_CONSTRUCTED && i.type == ASN1_SEQUENCE /* Use the j iterator to parse the algorithm identifier */ && asn1_der_decode_constructed(&i, &j) == ASN1_ITERATOR_PRIMITIVE && j.type == ASN1_IDENTIFIER && asn1_der_iterator_next(&i) == ASN1_ITERATOR_PRIMITIVE && i.type == ASN1_BITSTRING /* Use i to parse the object wrapped in the bit string.*/ && asn1_der_decode_bitstring_last(&i)) { /* pkcs-1 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) modules(0) pkcs-1(1) } -- -- When rsaEncryption is used in an AlgorithmIdentifier the -- parameters MUST be present and MUST be NULL. -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */ static const uint8_t id_rsaEncryption[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 }; /* -- -- When dsa is used in an AlgorithmIdentifier the -- parameters MUST be present and MUST NOT be NULL. -- dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } */ static const uint8_t id_dsa[7] = { 0x2A, 0x86, 0x48, 0xCE, 0x38, 0x04, 0x01 }; switch (j.length) { unknown: default: werror("SubjectPublicKeyInfo: Unsupported algorithm.\n"); res = -1; break; case 7: if (memcmp(j.data, id_dsa, 7) == 0) { if (asn1_der_iterator_next(&j) == ASN1_ITERATOR_CONSTRUCTED && asn1_der_decode_constructed_last(&j) == ASN1_ITERATOR_PRIMITIVE) { struct dsa_params params; mpz_t pub; dsa_params_init (¶ms); mpz_init (pub); if (dsa_params_from_der_iterator(¶ms, 0, 0, &i) && dsa_public_key_from_der_iterator(¶ms, pub, &j)) { nettle_buffer_reset(buffer); res = dsa_keypair_to_sexp(buffer, NULL, ¶ms, pub, NULL) > 0; } dsa_params_clear(¶ms); mpz_clear(pub); } if (!res) werror("SubjectPublicKeyInfo: Invalid DSA key.\n"); break; } else goto unknown; case 9: if (memcmp(j.data, id_rsaEncryption, 9) == 0) { if (asn1_der_iterator_next(&j) == ASN1_ITERATOR_PRIMITIVE && j.type == ASN1_NULL && j.length == 0 && asn1_der_iterator_next(&j) == ASN1_ITERATOR_END) { struct rsa_public_key pub; rsa_public_key_init(&pub); if (rsa_public_key_from_der_iterator(&pub, 0, &i)) { nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, NULL) > 0; } rsa_public_key_clear(&pub); } if (!res) werror("SubjectPublicKeyInfo: Invalid RSA key.\n"); break; } else goto unknown; } } else werror("SubjectPublicKeyInfo: Invalid object.\n"); return res; } /* NOTE: Destroys contents of buffer */ /* Returns 1 on success, 0 on error, and -1 for unsupported algorithms. */ static int convert_type(struct nettle_buffer *buffer, enum object_type type, size_t length, const uint8_t *data) { int res; switch(type) { default: abort(); case GENERAL_PUBLIC_KEY: res = convert_public_key(buffer, length, data); break; case RSA_PUBLIC_KEY: res = convert_rsa_public_key(buffer, length, data); break; case RSA_PRIVATE_KEY: res = convert_rsa_private_key(buffer, length, data); break; case DSA_PRIVATE_KEY: res = convert_dsa_private_key(buffer, length, data); break; } if (res > 0) res = write_file(buffer, stdout); return res; } static int convert_file(struct nettle_buffer *buffer, FILE *f, enum object_type type, int base64) { if (type) { read_file(buffer, f); if (base64 && !decode_base64(buffer, 0, &buffer->size)) return 0; if (convert_type(buffer, type, buffer->size, buffer->contents) != 1) return 0; return 1; } else { /* PEM processing */ for (;;) { struct pem_info info; const uint8_t *marker; nettle_buffer_reset(buffer); switch (read_pem(buffer, f, &info)) { default: return 0; case 1: break; case -1: /* EOF */ return 1; } if (!decode_base64(buffer, info.data_start, &info.data_length)) return 0; marker = buffer->contents + info.marker_start; type = 0; switch (info.marker_length) { case 10: if (memcmp(marker, "PUBLIC KEY", 10) == 0) type = GENERAL_PUBLIC_KEY; break; case 14: if (memcmp(marker, "RSA PUBLIC KEY", 14) == 0) type = RSA_PUBLIC_KEY; break; case 15: if (memcmp(marker, "RSA PRIVATE KEY", 15) == 0) type = RSA_PRIVATE_KEY; else if (memcmp(marker, "DSA PRIVATE KEY", 15) == 0) type = DSA_PRIVATE_KEY; break; } if (!type) werror("Ignoring unsupported object type `%s'.\n", marker); else if (convert_type(buffer, type, info.data_length, buffer->contents + info.data_start) != 1) return 0; } } } int main(int argc, char **argv) { struct nettle_buffer buffer; enum object_type type = 0; int base64 = 0; int c; enum { OPT_HELP = 0x300, OPT_PRIVATE_RSA = RSA_PRIVATE_KEY, OPT_PUBLIC_RSA = RSA_PUBLIC_KEY, OPT_PRIVATE_DSA = DSA_PRIVATE_KEY, OPT_PUBLIC_KEY = GENERAL_PUBLIC_KEY, }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "private-rsa-key", no_argument, NULL, OPT_PRIVATE_RSA }, { "public-rsa-key", no_argument, NULL, OPT_PUBLIC_RSA }, { "private-dsa-key", no_argument, NULL, OPT_PRIVATE_DSA }, { "public-key-info", no_argument, NULL, OPT_PUBLIC_KEY }, { "base-64", no_argument, NULL, 'b' }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Vb", options, NULL)) != -1) { switch (c) { default: abort(); case 'b': base64 = 1; break; case OPT_PRIVATE_RSA: case OPT_PUBLIC_RSA: case OPT_PRIVATE_DSA: case OPT_PUBLIC_KEY: /* Same values as the type codes. */ type = c; break; case OPT_HELP: printf("FIXME: Usage information.\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; case 'V': printf("pkcs1-conv (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; } } nettle_buffer_init_realloc(&buffer, NULL, nettle_xrealloc); if (optind == argc) { if (!convert_file(&buffer, stdin, type, base64)) return EXIT_FAILURE; } else { int i; const char *mode = (type || base64) ? "r" : "rb"; for (i = optind; i < argc; i++) { FILE *f = fopen(argv[i], mode); if (!f) die("Failed to open `%s': %s.\n", argv[i], strerror(errno)); if (!convert_file(&buffer, f, type, base64)) return EXIT_FAILURE; fclose(f); } } nettle_buffer_clear (&buffer); return EXIT_SUCCESS; } nettle-4.0/tools/sexp-conv-test0000755000000000000000000000557015141166425013577 0ustar00#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi print_raw () { printf "%s" "$1" > "$2" } print_nl () { printf "%s\n" "$1" > "$2" } test_advanced () { print_raw "$1" test.in $EMULATOR ./sexp-conv$EXEEXT -s advanced test1.out || exit 1 print_nl "$2" test2.out cmp test1.out test2.out || exit 1; } test_advanced_hex () { print_raw "$1" test.in $EMULATOR ./sexp-conv$EXEEXT -s hex test1.out || exit 1 print_nl "$2" test2.out cmp test1.out test2.out || exit 1; } test_transport () { print_raw "$1" test.in $EMULATOR ./sexp-conv$EXEEXT -s transport test1.out || exit 1 print_nl "$2" test2.out cmp test1.out test2.out || exit 1; } test_canonical () { print_raw "$1" test.in $EMULATOR ./sexp-conv$EXEEXT -s canonical test1.out || exit 1 print_raw "$2" test2.out cmp test1.out test2.out || exit 1; } test_hash () { print_raw "$1" test.in $EMULATOR ./sexp-conv$EXEEXT --hash=sha256 test1.out || exit 1 print_nl "$2" test2.out cmp test1.out test2.out || exit 1 } test_advanced '0:' '""' test_advanced '3:foo' 'foo' test_advanced '12:fooooooooooo' 'fooooooooooo' test_advanced '10:fooooooooo' 'fooooooooo' test_advanced '4:3des' '"3des"' test_advanced '"foo"' 'foo' test_advanced '4:foo ' '"foo\n"' # Having the string end with a \ breaks with sysv echo. \x seems harmless. test_advanced '3:"\x' '"\"\\x"' test_advanced '()' '()' test_advanced '(foo bar baz)' '(foo bar baz)' test_advanced '; comment ()' '; comment ()' test_advanced '(foo ; gazonk bar)' '(foo ; gazonk bar)' test_advanced '(foo[bar]foo)' '(foo [bar]foo)' test_advanced 'foo bar' 'foo bar' test_advanced '(#aabb#)' '(|qrs=|)' test_advanced '(|qrs=|)' '(|qrs=|)' test_advanced_hex '(|qrs=|)' '(#aabb#)' test_advanced_hex '(#aabb#)' '(#aabb#)' test_advanced_hex '{MToR}' '#11#' test_advanced_hex '|EQ==|' '#11#' test_transport '0:' '{MDo=}' test_transport '()' '{KCk=}' test_transport '1:A' '{MTpB}' test_transport 'foo' '{Mzpmb28=}' test_transport '(foo bar baz)' '{KDM6Zm9vMzpiYXIzOmJheik=}' test_transport 'foo bar' '{Mzpmb28=} {MzpiYXI=}' test_canonical '""' '0:' test_canonical '{MDo=}' '0:' test_canonical '{KCk=}' '()' test_canonical '{MTpB}' '1:A' test_canonical 'foo' '3:foo' test_canonical 'fooooooooooo' '12:fooooooooooo' test_canonical 'fooooooooo' '10:fooooooooo' test_canonical '(foo bar baz)' '(3:foo3:bar3:baz)' test_canonical 'foo bar' '3:foo3:bar' test_canonical '{KDM6Zm9vMzpiYXIzOmJheik=}' '(3:foo3:bar3:baz)' test_hash '""' 'ba768b331fd86cec803be04e56ab2b3d4c0e98ef4ee4fcd4e72ad7cce61a1d1f' test_hash '(foo bar baz)' '8f881b925600176cf30cbec63a94087b4e13e6c04dd6f46a7d2481fe2a073c6a' test_hash 'foo bar' 'bdf3c778043c2b05b4c6d398ab924e747fee44055cd8048ee237c544945a8cb2 5dd05adb6d766bdde7a1f612d32e97ee93d2f318b01a90c616c06ff4c0d3fe3b' exit 0 nettle-4.0/tools/sexp-conv.c0000644000000000000000000002630115141166425013033 0ustar00/* sexp-conv.c Conversion tool for handling the different flavours of sexp syntax. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #if HAVE_FCNTL_LOCKING # if HAVE_SYS_TYPES_H # include # endif # if HAVE_UNISTD_H # include # endif # include #endif #include "buffer.h" #include "nettle-meta.h" #include "getopt.h" #include "input.h" #include "output.h" #include "parse.h" #define BUG_ADDRESS "nettle-bugs@lists.lysator.liu.se" /* Conversion functions. */ /* Should be called with input->token being the first token of the * expression, to be converted, and return with input->token being the * last token of the expression. */ static void sexp_convert_item(struct sexp_parser *parser, struct sexp_compound_token *token, struct sexp_output *output, enum sexp_mode mode_out, unsigned indent) { if (mode_out == SEXP_TRANSPORT) { sexp_put_char(output, '{'); sexp_put_base64_start(output); sexp_convert_item(parser, token, output, SEXP_CANONICAL, 0); sexp_put_base64_end(output); sexp_put_char(output, '}'); } else switch(token->type) { case SEXP_LIST_END: die("Unmatched end of list.\n"); case SEXP_EOF: die("Unexpected end of file.\n"); case SEXP_CODING_END: die("Unexpected end of coding.\n"); case SEXP_LIST_START: { unsigned item; sexp_put_char(output, '('); for (item = 0; sexp_parse(parser, token), token->type != SEXP_LIST_END; item++) { if (mode_out == SEXP_ADVANCED) { /* FIXME: Adapt pretty printing to handle a big first * element. */ switch (item) { case 0: if (token->type == SEXP_COMMENT) { indent = output->pos; /* Disable the indentation setup for next item */ item++; } break; case 1: sexp_put_char(output, ' '); indent = output->pos; break; default: sexp_put_newline(output, indent); break; } } sexp_convert_item(parser, token, output, mode_out, indent); } sexp_put_char(output, ')'); break; } case SEXP_STRING: sexp_put_string(output, mode_out, &token->string); break; case SEXP_DISPLAY: sexp_put_char(output, '['); sexp_put_string(output, mode_out, &token->display); sexp_put_char(output, ']'); sexp_put_string(output, mode_out, &token->string); break; case SEXP_COMMENT: if (mode_out == SEXP_ADVANCED) { sexp_put_data(output, token->string.size, token->string.contents); sexp_put_soft_newline(output, indent); } break; default: /* Internal error */ abort(); } } /* Argument parsing and main program */ /* The old lsh sexp-conv program took the following options: * * Usage: sexp-conv [OPTION...] * Conversion: sexp-conv [options] OUTPUT * or: sexp-conv [OPTION...] * Fingerprinting: sexp-conv --raw-hash [ --hash=ALGORITHM ] * name); }; static void parse_options(struct conv_options *o, int argc, char **argv) { static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "once", no_argument, NULL, OPT_ONCE }, { "syntax", required_argument, NULL, 's' }, { "hash", optional_argument, NULL, OPT_HASH }, { "list-hashes", no_argument, NULL, OPT_LIST }, { "width", required_argument, NULL, 'w' }, #if HAVE_FCNTL_LOCKING { "lock", no_argument, NULL, OPT_LOCK }, #endif { NULL, 0, NULL, 0 } }; int c; o->mode = SEXP_ADVANCED; o->prefer_hex = 0; o->once = 0; o->lock = 0; o->hash = NULL; o->width = 72; while ((c = getopt_long(argc, argv, "Vs:w:", options, NULL)) != -1) switch (c) { default: abort(); case -1: break; case '?': exit(EXIT_FAILURE); case 'w': { char *end; int width; assert(optarg != NULL); width = strtol(optarg, &end , 0); if (!*optarg || *end || width < 0) die("sexp-conv: Invalid width `%s'.\n", optarg); o->width = width; break; } case 's': if (match_argument(optarg, "advanced")) o->mode = SEXP_ADVANCED; else if (match_argument(optarg, "transport")) o->mode = SEXP_TRANSPORT; else if (match_argument(optarg, "canonical")) o->mode = SEXP_CANONICAL; else if (match_argument(optarg, "hex")) { o->mode = SEXP_ADVANCED; o->prefer_hex = 1; } else die("Available syntax variants: advanced, hex (also advanced), transport, canonical\n"); break; case OPT_ONCE: o->once = 1; break; case OPT_HASH: if (!optarg) o->hash = &nettle_sha256; else { o->hash = nettle_lookup_hash (optarg); if (!o->hash) die("sexp_conv: Unknown hash algorithm `%s'\n", optarg); } break; case OPT_LIST: list_hashes (); exit (EXIT_SUCCESS); #if HAVE_FCNTL_LOCKING case OPT_LOCK: o->lock = 1; break; #endif case OPT_HELP: printf("Usage: sexp-conv [OPTION...]\n" " Conversion: sexp-conv [OPTION...] hash) /* Always use canonical mode when hashing. */ o->mode = SEXP_CANONICAL; } int main(int argc, char **argv) { struct conv_options options; struct sexp_input input; struct sexp_parser parser; struct sexp_compound_token token; struct sexp_output output; parse_options(&options, argc, argv); sexp_input_init(&input, stdin); sexp_parse_init(&parser, &input, SEXP_ADVANCED); sexp_compound_token_init(&token); sexp_output_init(&output, stdout, options.hash, options.width, options.prefer_hex); #if HAVE_FCNTL_LOCKING if (options.lock) { struct flock fl; memset(&fl, 0, sizeof(fl)); fl.l_type = F_WRLCK; fl.l_whence = SEEK_SET; fl.l_start = 0; fl.l_len = 0; /* Means entire file. */ if (fcntl(STDOUT_FILENO, F_SETLKW, &fl) == -1) die("Locking output file failed: %s\n", strerror(errno)); } #endif /* HAVE_FCNTL_LOCKING */ sexp_get_char(&input); sexp_parse(&parser, &token); if (token.type == SEXP_EOF) { if (options.once) die("sexp-conv: No input expression.\n"); return EXIT_SUCCESS; } do { sexp_convert_item(&parser, &token, &output, options.mode, 0); if (options.hash) { sexp_put_digest(&output); sexp_put_newline(&output, 0); } else if (options.mode != SEXP_CANONICAL) sexp_put_newline(&output, 0); sexp_parse(&parser, &token); } while (!options.once && token.type != SEXP_EOF); sexp_compound_token_clear(&token); if (fflush(output.f) < 0) die("Final fflush failed: %s.\n", strerror(errno)); free (output.ctx); return EXIT_SUCCESS; } nettle-4.0/twofish-meta.c0000644000000000000000000000320315141166424012353 0ustar00/* twofish-meta.c Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "twofish.h" #define TWOFISH(bits) { \ "twofish" #bits, \ sizeof(struct twofish_ctx), \ TWOFISH_BLOCK_SIZE, \ TWOFISH ## bits ## _KEY_SIZE, \ (nettle_set_key_func *) twofish ## bits ## _set_key, \ (nettle_set_key_func *) twofish ## bits ## _set_key, \ (nettle_cipher_func *) twofish_encrypt, \ (nettle_cipher_func *) twofish_decrypt \ } const struct nettle_cipher nettle_twofish128 = TWOFISH(128); const struct nettle_cipher nettle_twofish192 = TWOFISH(192); const struct nettle_cipher nettle_twofish256 = TWOFISH(256); nettle-4.0/twofish.c0000644000000000000000000003531515141166424011440 0ustar00/* twofish.c The twofish block cipher. Copyright (C) 2001, 2014 Niels Möller Copyright (C) 1999 Ruud de Rooij Modifications for lsh, integrated testing Copyright (C) 1999 J.H.M. Dassen (Ray) This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "twofish.h" #include "macros.h" /* Bitwise rotations on 32-bit words. These are defined as macros that * evaluate their argument twice, so do not apply to any expressions with * side effects. */ #define rol1(x) (((x) << 1) | (((x) & 0x80000000) >> 31)) #define rol8(x) (((x) << 8) | (((x) & 0xFF000000) >> 24)) #define rol9(x) (((x) << 9) | (((x) & 0xFF800000) >> 23)) #define ror1(x) (((x) >> 1) | (((x) & 0x00000001) << 31)) /* ------------------------------------------------------------------------- */ /* The permutations q0 and q1. These are fixed permutations on 8-bit values. * The permutations have been computed using the program twofishdata, * which is distributed along with this file. */ static const uint8_t q0[256] = { 0xA9,0x67,0xB3,0xE8,0x04,0xFD,0xA3,0x76, 0x9A,0x92,0x80,0x78,0xE4,0xDD,0xD1,0x38, 0x0D,0xC6,0x35,0x98,0x18,0xF7,0xEC,0x6C, 0x43,0x75,0x37,0x26,0xFA,0x13,0x94,0x48, 0xF2,0xD0,0x8B,0x30,0x84,0x54,0xDF,0x23, 0x19,0x5B,0x3D,0x59,0xF3,0xAE,0xA2,0x82, 0x63,0x01,0x83,0x2E,0xD9,0x51,0x9B,0x7C, 0xA6,0xEB,0xA5,0xBE,0x16,0x0C,0xE3,0x61, 0xC0,0x8C,0x3A,0xF5,0x73,0x2C,0x25,0x0B, 0xBB,0x4E,0x89,0x6B,0x53,0x6A,0xB4,0xF1, 0xE1,0xE6,0xBD,0x45,0xE2,0xF4,0xB6,0x66, 0xCC,0x95,0x03,0x56,0xD4,0x1C,0x1E,0xD7, 0xFB,0xC3,0x8E,0xB5,0xE9,0xCF,0xBF,0xBA, 0xEA,0x77,0x39,0xAF,0x33,0xC9,0x62,0x71, 0x81,0x79,0x09,0xAD,0x24,0xCD,0xF9,0xD8, 0xE5,0xC5,0xB9,0x4D,0x44,0x08,0x86,0xE7, 0xA1,0x1D,0xAA,0xED,0x06,0x70,0xB2,0xD2, 0x41,0x7B,0xA0,0x11,0x31,0xC2,0x27,0x90, 0x20,0xF6,0x60,0xFF,0x96,0x5C,0xB1,0xAB, 0x9E,0x9C,0x52,0x1B,0x5F,0x93,0x0A,0xEF, 0x91,0x85,0x49,0xEE,0x2D,0x4F,0x8F,0x3B, 0x47,0x87,0x6D,0x46,0xD6,0x3E,0x69,0x64, 0x2A,0xCE,0xCB,0x2F,0xFC,0x97,0x05,0x7A, 0xAC,0x7F,0xD5,0x1A,0x4B,0x0E,0xA7,0x5A, 0x28,0x14,0x3F,0x29,0x88,0x3C,0x4C,0x02, 0xB8,0xDA,0xB0,0x17,0x55,0x1F,0x8A,0x7D, 0x57,0xC7,0x8D,0x74,0xB7,0xC4,0x9F,0x72, 0x7E,0x15,0x22,0x12,0x58,0x07,0x99,0x34, 0x6E,0x50,0xDE,0x68,0x65,0xBC,0xDB,0xF8, 0xC8,0xA8,0x2B,0x40,0xDC,0xFE,0x32,0xA4, 0xCA,0x10,0x21,0xF0,0xD3,0x5D,0x0F,0x00, 0x6F,0x9D,0x36,0x42,0x4A,0x5E,0xC1,0xE0, }; static const uint8_t q1[256] = { 0x75,0xF3,0xC6,0xF4,0xDB,0x7B,0xFB,0xC8, 0x4A,0xD3,0xE6,0x6B,0x45,0x7D,0xE8,0x4B, 0xD6,0x32,0xD8,0xFD,0x37,0x71,0xF1,0xE1, 0x30,0x0F,0xF8,0x1B,0x87,0xFA,0x06,0x3F, 0x5E,0xBA,0xAE,0x5B,0x8A,0x00,0xBC,0x9D, 0x6D,0xC1,0xB1,0x0E,0x80,0x5D,0xD2,0xD5, 0xA0,0x84,0x07,0x14,0xB5,0x90,0x2C,0xA3, 0xB2,0x73,0x4C,0x54,0x92,0x74,0x36,0x51, 0x38,0xB0,0xBD,0x5A,0xFC,0x60,0x62,0x96, 0x6C,0x42,0xF7,0x10,0x7C,0x28,0x27,0x8C, 0x13,0x95,0x9C,0xC7,0x24,0x46,0x3B,0x70, 0xCA,0xE3,0x85,0xCB,0x11,0xD0,0x93,0xB8, 0xA6,0x83,0x20,0xFF,0x9F,0x77,0xC3,0xCC, 0x03,0x6F,0x08,0xBF,0x40,0xE7,0x2B,0xE2, 0x79,0x0C,0xAA,0x82,0x41,0x3A,0xEA,0xB9, 0xE4,0x9A,0xA4,0x97,0x7E,0xDA,0x7A,0x17, 0x66,0x94,0xA1,0x1D,0x3D,0xF0,0xDE,0xB3, 0x0B,0x72,0xA7,0x1C,0xEF,0xD1,0x53,0x3E, 0x8F,0x33,0x26,0x5F,0xEC,0x76,0x2A,0x49, 0x81,0x88,0xEE,0x21,0xC4,0x1A,0xEB,0xD9, 0xC5,0x39,0x99,0xCD,0xAD,0x31,0x8B,0x01, 0x18,0x23,0xDD,0x1F,0x4E,0x2D,0xF9,0x48, 0x4F,0xF2,0x65,0x8E,0x78,0x5C,0x58,0x19, 0x8D,0xE5,0x98,0x57,0x67,0x7F,0x05,0x64, 0xAF,0x63,0xB6,0xFE,0xF5,0xB7,0x3C,0xA5, 0xCE,0xE9,0x68,0x44,0xE0,0x4D,0x43,0x69, 0x29,0x2E,0xAC,0x15,0x59,0xA8,0x0A,0x9E, 0x6E,0x47,0xDF,0x34,0x35,0x6A,0xCF,0xDC, 0x22,0xC9,0xC0,0x9B,0x89,0xD4,0xED,0xAB, 0x12,0xA2,0x0D,0x52,0xBB,0x02,0x2F,0xA9, 0xD7,0x61,0x1E,0xB4,0x50,0x04,0xF6,0xC2, 0x16,0x25,0x86,0x56,0x55,0x09,0xBE,0x91, }; /* ------------------------------------------------------------------------- */ /* uint32_t gf_multiply(uint8_t p, uint8_t a, uint8_t b) * * Multiplication in GF(2^8). Larger return type, to avoid need for * type casts when the return value is shifted left. * * This function multiplies a times b in the Galois Field GF(2^8) with * primitive polynomial p. * The representation of the polynomials a, b, and p uses bits with * values 2^i to represent the terms x^i. The polynomial p contains an * implicit term x^8. * * Note that addition and subtraction in GF(2^8) is simply the XOR * operation. */ static uint32_t gf_multiply(uint8_t p, uint8_t a, uint8_t b) { uint32_t shift = b; uint8_t result = 0; while (a) { if (a & 1) result ^= shift; a = a >> 1; shift = shift << 1; if (shift & 0x100) shift ^= p; } return result; } /* ------------------------------------------------------------------------- */ /* The matrix RS as specified in section 4.3 the twofish paper. */ static const uint8_t rs_matrix[4][8] = { { 0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E }, { 0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5 }, { 0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19 }, { 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03 } }; /* uint32_t compute_s(uint32_t m1, uint32_t m2); * * Computes the value RS * M, where M is a byte vector composed of the * bytes of m1 and m2. Arithmetic is done in GF(2^8) with primitive * polynomial x^8 + x^6 + x^3 + x^2 + 1. * * This function is used to compute the sub-keys S which are in turn used * to generate the S-boxes. */ static uint32_t compute_s(uint32_t m1, uint32_t m2) { uint32_t s = 0; int i; for (i = 0; i < 4; i++) s |= (( gf_multiply(0x4D, m1, rs_matrix[i][0]) ^ gf_multiply(0x4D, m1 >> 8, rs_matrix[i][1]) ^ gf_multiply(0x4D, m1 >> 16, rs_matrix[i][2]) ^ gf_multiply(0x4D, m1 >> 24, rs_matrix[i][3]) ^ gf_multiply(0x4D, m2, rs_matrix[i][4]) ^ gf_multiply(0x4D, m2 >> 8, rs_matrix[i][5]) ^ gf_multiply(0x4D, m2 >> 16, rs_matrix[i][6]) ^ gf_multiply(0x4D, m2 >> 24, rs_matrix[i][7])) << (i*8)); return s; } /* ------------------------------------------------------------------------- */ /* This table describes which q S-boxes are used for each byte in each stage * of the function h, cf. figure 2 of the twofish paper. */ static const uint8_t * const q_table[4][5] = { { q1, q1, q0, q0, q1 }, { q0, q1, q1, q0, q0 }, { q0, q0, q0, q1, q1 }, { q1, q0, q1, q1, q0 } }; /* The matrix MDS as specified in section 4.3.2 of the twofish paper. */ static const uint8_t mds_matrix[4][4] = { { 0x01, 0xEF, 0x5B, 0x5B }, { 0x5B, 0xEF, 0xEF, 0x01 }, { 0xEF, 0x5B, 0x01, 0xEF }, { 0xEF, 0x01, 0xEF, 0x5B } }; /* uint32_t h_uint8_t(int k, int i, uint8_t x, uint8_t l0, uint8_t l1, uint8_t l2, uint8_t l3); * * Perform the h function (section 4.3.2) on one byte. It consists of * repeated applications of the q permutation, followed by a XOR with * part of a sub-key. Finally, the value is multiplied by one column of * the MDS matrix. To obtain the result for a full word, the results of * h for the individual bytes are XORed. * * k is the key size (/ 64 bits), i is the byte number (0 = LSB), x is the * actual byte to apply the function to; l0, l1, l2, and l3 are the * appropriate bytes from the subkey. Note that only l0..l(k-1) are used. */ static uint32_t h_byte(int k, int i, uint8_t x, uint8_t l0, uint8_t l1, uint8_t l2, uint8_t l3) { uint8_t y = q_table[i][4][l0 ^ q_table[i][3][l1 ^ q_table[i][2][k == 2 ? x : l2 ^ q_table[i][1][k == 3 ? x : l3 ^ q_table[i][0][x]]]]]; return ( (gf_multiply(0x69, mds_matrix[0][i], y)) | (gf_multiply(0x69, mds_matrix[1][i], y) << 8) | (gf_multiply(0x69, mds_matrix[2][i], y) << 16) | (gf_multiply(0x69, mds_matrix[3][i], y) << 24) ); } /* uint32_t h(int k, uint8_t x, uint32_t l0, uint32_t l1, uint32_t l2, uint32_t l3); * * Perform the function h on a word. See the description of h_byte() above. */ static uint32_t h(int k, uint8_t x, uint32_t l0, uint32_t l1, uint32_t l2, uint32_t l3) { return ( h_byte(k, 0, x, l0, l1, l2, l3) ^ h_byte(k, 1, x, l0 >> 8, l1 >> 8, l2 >> 8, l3 >> 8) ^ h_byte(k, 2, x, l0 >> 16, l1 >> 16, l2 >> 16, l3 >> 16) ^ h_byte(k, 3, x, l0 >> 24, l1 >> 24, l2 >> 24, l3 >> 24) ); } /* ------------------------------------------------------------------------- */ /* API */ /* Structure which contains the tables containing the subkeys and the * key-dependent s-boxes. */ /* Set up internal tables required for twofish encryption and decryption. * * The key size is specified in bytes. Key sizes up to 32 bytes are * supported. Larger key sizes are silently truncated. */ void twofish_set_key(struct twofish_ctx *context, size_t keysize, const uint8_t *key) { uint8_t key_copy[32]; uint32_t m[8], s[4], t; int i, j, k; /* Extend key as necessary */ assert(keysize <= 32); /* We do a little more copying than necessary, but that doesn't * really matter. */ memset(key_copy, 0, 32); memcpy(key_copy, key, keysize); for (i = 0; i<8; i++) m[i] = LE_READ_UINT32(key_copy + i*4); if (keysize <= 16) k = 2; else if (keysize <= 24) k = 3; else k = 4; /* Compute sub-keys */ for (i = 0; i < 20; i++) { t = h(k, 2*i+1, m[1], m[3], m[5], m[7]); t = rol8(t); t += (context->keys[2*i] = t + h(k, 2*i, m[0], m[2], m[4], m[6])); t = rol9(t); context->keys[2*i+1] = t; } /* Compute key-dependent S-boxes */ for (i = 0; i < k; i++) s[k-1-i] = compute_s(m[2*i], m[2*i+1]); for (i = 0; i < 4; i++) for (j = 0; j < 256; j++) context->s_box[i][j] = h_byte(k, i, j, s[0] >> (i*8), s[1] >> (i*8), s[2] >> (i*8), s[3] >> (i*8)); } void twofish128_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH128_KEY_SIZE, key); } void twofish192_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH192_KEY_SIZE, key); } void twofish256_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH256_KEY_SIZE, key); } /* Encrypt blocks of 16 bytes of data with the twofish algorithm. * * Before this function can be used, twofish_set_key() must be used in order to * set up various tables required for the encryption algorithm. * * This function always encrypts 16 bytes of plaintext to 16 bytes of * ciphertext. The memory areas of the plaintext and the ciphertext can * overlap. */ void twofish_encrypt(const struct twofish_ctx *context, size_t length, uint8_t *ciphertext, const uint8_t *plaintext) { const uint32_t * keys = context->keys; const uint32_t (*s_box)[256] = context->s_box; FOR_BLOCKS (length, ciphertext, plaintext, TWOFISH_BLOCK_SIZE) { uint32_t r0, r1, r2, r3, t0, t1; unsigned i; r0 = keys[0] ^ LE_READ_UINT32(plaintext); r1 = keys[1] ^ LE_READ_UINT32(plaintext + 4); r2 = keys[2] ^ LE_READ_UINT32(plaintext + 8); r3 = keys[3] ^ LE_READ_UINT32(plaintext + 12); for (i = 0; i < 8; i++) { t1 = ( s_box[1][r1 & 0xFF] ^ s_box[2][(r1 >> 8) & 0xFF] ^ s_box[3][(r1 >> 16) & 0xFF] ^ s_box[0][(r1 >> 24) & 0xFF]); t0 = ( s_box[0][r0 & 0xFF] ^ s_box[1][(r0 >> 8) & 0xFF] ^ s_box[2][(r0 >> 16) & 0xFF] ^ s_box[3][(r0 >> 24) & 0xFF]) + t1; r3 = (t1 + t0 + keys[4*i+9]) ^ rol1(r3); r2 = (t0 + keys[4*i+8]) ^ r2; r2 = ror1(r2); t1 = ( s_box[1][r3 & 0xFF] ^ s_box[2][(r3 >> 8) & 0xFF] ^ s_box[3][(r3 >> 16) & 0xFF] ^ s_box[0][(r3 >> 24) & 0xFF]); t0 = ( s_box[0][r2 & 0xFF] ^ s_box[1][(r2 >> 8) & 0xFF] ^ s_box[2][(r2 >> 16) & 0xFF] ^ s_box[3][(r2 >> 24) & 0xFF]) + t1; r1 = (t1 + t0 + keys[4*i+11]) ^ rol1(r1); r0 = (t0 + keys[4*i+10]) ^ r0; r0 = ror1(r0); } r2 ^= keys[4]; LE_WRITE_UINT32(ciphertext, r2); r3 ^= keys[5]; LE_WRITE_UINT32(ciphertext + 4, r3); r0 ^= keys[6]; LE_WRITE_UINT32(ciphertext + 8, r0); r1 ^= keys[7]; LE_WRITE_UINT32(ciphertext + 12, r1); } } /* Decrypt blocks of 16 bytes of data with the twofish algorithm. * * Before this function can be used, twofish_set_key() must be used in order to * set up various tables required for the decryption algorithm. * * This function always decrypts 16 bytes of ciphertext to 16 bytes of * plaintext. The memory areas of the plaintext and the ciphertext can * overlap. */ void twofish_decrypt(const struct twofish_ctx *context, size_t length, uint8_t *plaintext, const uint8_t *ciphertext) { const uint32_t *keys = context->keys; const uint32_t (*s_box)[256] = context->s_box; FOR_BLOCKS (length, plaintext, ciphertext, TWOFISH_BLOCK_SIZE) { uint32_t r0, r1, r2, r3, t0, t1; unsigned i; r2 = keys[4] ^ LE_READ_UINT32(ciphertext); r3 = keys[5] ^ LE_READ_UINT32(ciphertext + 4); r0 = keys[6] ^ LE_READ_UINT32(ciphertext + 8); r1 = keys[7] ^ LE_READ_UINT32(ciphertext + 12); for (i = 0; i < 8; i++) { t1 = ( s_box[1][r3 & 0xFF] ^ s_box[2][(r3 >> 8) & 0xFF] ^ s_box[3][(r3 >> 16) & 0xFF] ^ s_box[0][(r3 >> 24) & 0xFF]); t0 = ( s_box[0][r2 & 0xFF] ^ s_box[1][(r2 >> 8) & 0xFF] ^ s_box[2][(r2 >> 16) & 0xFF] ^ s_box[3][(r2 >> 24) & 0xFF]) + t1; r1 = (t1 + t0 + keys[39-4*i]) ^ r1; r1 = ror1(r1); r0 = (t0 + keys[38-4*i]) ^ rol1(r0); t1 = ( s_box[1][r1 & 0xFF] ^ s_box[2][(r1 >> 8) & 0xFF] ^ s_box[3][(r1 >> 16) & 0xFF] ^ s_box[0][(r1 >> 24) & 0xFF]); t0 = ( s_box[0][r0 & 0xFF] ^ s_box[1][(r0 >> 8) & 0xFF] ^ s_box[2][(r0 >> 16) & 0xFF] ^ s_box[3][(r0 >> 24) & 0xFF]) + t1; r3 = (t1 + t0 + keys[37-4*i]) ^ r3; r3 = ror1(r3); r2 = (t0 + keys[36-4*i]) ^ rol1(r2); } r0 ^= keys[0]; LE_WRITE_UINT32(plaintext, r0); r1 ^= keys[1]; LE_WRITE_UINT32(plaintext + 4, r1); r2 ^= keys[2]; LE_WRITE_UINT32(plaintext + 8, r2); r3 ^= keys[3]; LE_WRITE_UINT32(plaintext + 12, r3); } } nettle-4.0/twofish.h0000644000000000000000000000523515141166424011443 0ustar00/* twofish.h The twofish block cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Twofish is a 128-bit block cipher that accepts a variable-length * key up to 256 bits, designed by Bruce Schneier and others. See * http://www.counterpane.com/twofish.html for details. */ #ifndef NETTLE_TWOFISH_H_INCLUDED #define NETTLE_TWOFISH_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define twofish_set_key nettle_twofish_set_key #define twofish128_set_key nettle_twofish128_set_key #define twofish192_set_key nettle_twofish192_set_key #define twofish256_set_key nettle_twofish256_set_key #define twofish_encrypt nettle_twofish_encrypt #define twofish_decrypt nettle_twofish_decrypt #define TWOFISH_BLOCK_SIZE 16 /* Variable key size between 128 and 256 bits. But the only valid * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ #define TWOFISH_MIN_KEY_SIZE 16 #define TWOFISH_MAX_KEY_SIZE 32 #define TWOFISH_KEY_SIZE 32 #define TWOFISH128_KEY_SIZE 16 #define TWOFISH192_KEY_SIZE 24 #define TWOFISH256_KEY_SIZE 32 struct twofish_ctx { uint32_t keys[40]; uint32_t s_box[4][256]; }; void twofish_set_key(struct twofish_ctx *ctx, size_t length, const uint8_t *key); void twofish128_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish192_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish256_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish_encrypt(const struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void twofish_decrypt(const struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_TWOFISH_H_INCLUDED */ nettle-4.0/twofishdata.c0000644000000000000000000000634415141166424012272 0ustar00/* twofishdata.c Generates the permutations q0 and q1 for twofish. Copyright (C) 1999 Ruud de Rooij This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA. */ #include #define ror4(x) (((x) >> 1) | (((x) & 1) << 3)) static unsigned char q0(unsigned char x) { static const unsigned char t0[16] = { 0x8, 0x1, 0x7, 0xD, 0x6, 0xF, 0x3, 0x2, 0x0, 0xB, 0x5, 0x9, 0xE, 0xC, 0xA, 0x4 }; static const unsigned char t1[16] = { 0xE, 0xC, 0xB, 0x8, 0x1, 0x2, 0x3, 0x5, 0xF, 0x4, 0xA, 0x6, 0x7, 0x0, 0x9, 0xD }; static const unsigned char t2[16] = { 0xB, 0xA, 0x5, 0xE, 0x6, 0xD, 0x9, 0x0, 0xC, 0x8, 0xF, 0x3, 0x2, 0x4, 0x7, 0x1 }; static const unsigned char t3[16] = { 0xD, 0x7, 0xF, 0x4, 0x1, 0x2, 0x6, 0xE, 0x9, 0xB, 0x3, 0x0, 0x8, 0x5, 0xC, 0xA }; unsigned char a0 = x / 16; unsigned char b0 = x % 16; unsigned char a1 = a0 ^ b0; unsigned char b1 = a0 ^ ror4(b0) ^ ((8*a0) % 16); unsigned char a2 = t0[a1]; unsigned char b2 = t1[b1]; unsigned char a3 = a2 ^ b2; unsigned char b3 = a2 ^ ror4(b2) ^ ((8*a2) % 16); unsigned char a4 = t2[a3]; unsigned char b4 = t3[b3]; unsigned char y = 16*b4 + a4; return y; } static unsigned char q1(unsigned char x) { static const unsigned char t0[16] = { 0x2, 0x8, 0xB, 0xD, 0xF, 0x7, 0x6, 0xE, 0x3, 0x1, 0x9, 0x4, 0x0, 0xA, 0xC, 0x5 }; static const unsigned char t1[16] = { 0x1, 0xE, 0x2, 0xB, 0x4, 0xC, 0x3, 0x7, 0x6, 0xD, 0xA, 0x5, 0xF, 0x9, 0x0, 0x8 }; static const unsigned char t2[16] = { 0x4, 0xC, 0x7, 0x5, 0x1, 0x6, 0x9, 0xA, 0x0, 0xE, 0xD, 0x8, 0x2, 0xB, 0x3, 0xF }; static const unsigned char t3[16] = { 0xB, 0x9, 0x5, 0x1, 0xC, 0x3, 0xD, 0xE, 0x6, 0x4, 0x7, 0xF, 0x2, 0x0, 0x8, 0xA }; unsigned char a0 = x / 16; unsigned char b0 = x % 16; unsigned char a1 = a0 ^ b0; unsigned char b1 = a0 ^ ror4(b0) ^ ((8*a0) % 16); unsigned char a2 = t0[a1]; unsigned char b2 = t1[b1]; unsigned char a3 = a2 ^ b2; unsigned char b3 = a2 ^ ror4(b2) ^ ((8*a2) % 16); unsigned char a4 = t2[a3]; unsigned char b4 = t3[b3]; unsigned char y = 16*b4 + a4; return y; } int main(void) { unsigned i; printf("static const uint8_t q0[256] = {"); for (i = 0; i < 256; i++) { if ( (i % 8) == 0) printf("\n "); printf("0x%02X,", q0(i)); } printf("\n};\n\n"); printf("static const uint8_t q1[256] = {"); for (i = 0; i < 256; i++) { if ( (i % 8) == 0) printf("\n "); printf("0x%02X,", q1(i)); } printf("\n};\n"); return 0; } nettle-4.0/umac-internal.h0000644000000000000000000000464315141166424012521 0ustar00/* umac-internal.h UMAC message authentication code (RFC-4418). Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_UMAC_INTERNAL_H_INCLUDED #define NETTLE_UMAC_INTERNAL_H_INCLUDED #include "nettle-types.h" void _nettle_umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, struct aes128_ctx *pad, const uint8_t *key, unsigned n); uint64_t _nettle_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg); /* Equivalent to for (i = 0; i < n; i++) out[i] = _umac_nh (key + 4*i, length, msg); but processing input only once. */ void _nettle_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); /* Returns y*k + m (mod p), including "marker" processing. Return value is *not* in canonical representation, and must be normalized before the output is used. */ uint64_t _nettle_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m); void _nettle_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml); void _nettle_umac_l2_init (unsigned size, uint32_t *k); void _nettle_umac_l2(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count, const uint64_t *m); void _nettle_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count); void _nettle_umac_l3_init (unsigned size, uint64_t *k); uint32_t _nettle_umac_l3 (const uint64_t *key, const uint64_t *m); #endif /* NETTLE_UMAC_INTERNAL_H_INCLUDED */ nettle-4.0/umac-l2.c0000644000000000000000000000661515141166424011216 0ustar00/* umac-l2.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "bswap-internal.h" /* Same mask applied to low and high halves */ #define KEY_MASK 0x01ffffffUL void _nettle_umac_l2_init (unsigned size, uint32_t *k) { unsigned i; for (i = 0; i < size; i++) { uint32_t w = k[i]; w = bswap32_if_le (w); k[i] = w & KEY_MASK; } } void _nettle_umac_l2(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count, const uint64_t *m) { uint64_t *prev = state + 2*n; unsigned i; if (count == 0) memcpy (prev, m, n * sizeof(*m)); else if (count == 1) for (i = 0; i < n; i++, key += 6) { uint64_t y = _nettle_umac_poly64 (key[0], key[1], 1, prev[i]); state[2*i+1] = _nettle_umac_poly64 (key[0], key[1], y, m[i]); } else if (count < UMAC_POLY64_BLOCKS) for (i = 0; i < n; i++, key += 6) state[2*i+1] = _nettle_umac_poly64 (key[0], key[1], state[2*i+1], m[i]); else if (count % 2 == 0) { if (count == UMAC_POLY64_BLOCKS) for (i = 0, key += 2; i < n; i++, key += 6) { uint64_t y = state[2*i+1]; if (y >= UMAC_P64) y -= UMAC_P64; state[2*i] = 0; state[2*i+1] = 1; _nettle_umac_poly128 (key, state + 2*i, 0, y); } memcpy (prev, m, n * sizeof(*m)); } else for (i = 0, key += 2; i < n; i++, key += 6) _nettle_umac_poly128 (key, state + 2*i, prev[i], m[i]); } void _nettle_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count) { uint64_t *prev = state + 2*n; unsigned i; assert (count > 0); if (count == 1) for (i = 0; i < n; i++) { *state++ = 0; *state++ = *prev++; } else if (count <= UMAC_POLY64_BLOCKS) for (i = 0; i < n; i++) { uint64_t y; *state++ = 0; y = *state; if (y >= UMAC_P64) y -= UMAC_P64; *state++ = y; } else { uint64_t pad = (uint64_t) 1 << 63; if (count % 2 == 1) for (i = 0, key += 2; i < n; i++, key += 6) _nettle_umac_poly128 (key, state + 2*i, prev[i], pad); else for (i = 0, key += 2; i < n; i++, key += 6) _nettle_umac_poly128 (key, state + 2*i, pad, 0); for (i = 0; i < n; i++, state += 2) { uint64_t yh, yl; yh = state[0]; yl = state[1]; if (yh == UMAC_P128_HI && yl >= UMAC_P128_LO) { state[0] = 0; state[1] = yl - UMAC_P128_LO; } } } } nettle-4.0/umac-l3.c0000644000000000000000000000346415141166424011216 0ustar00/* umac-l3.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "umac.h" #include "umac-internal.h" #include "bswap-internal.h" /* 2^36 - 5 */ #define P 0x0000000FFFFFFFFBULL void _nettle_umac_l3_init (unsigned size, uint64_t *k) { unsigned i; for (i = 0; i < size; i++) { uint64_t w = k[i]; w = bswap64_if_le (w); k[i] = w % P; } } static uint64_t umac_l3_word (const uint64_t *k, uint64_t w) { unsigned i; uint64_t y; /* Since it's easiest to process the input word from the low end, * loop over keys in reverse order. */ for (i = y = 0; i < 4; i++, w >>= 16) y += (w & 0xffff) * k[3-i]; return y; } uint32_t _nettle_umac_l3 (const uint64_t *key, const uint64_t *m) { uint32_t y = (umac_l3_word (key, m[0]) + umac_l3_word (key + 4, m[1])) % P; return bswap32_if_le (y); } nettle-4.0/umac-nh-n.c0000644000000000000000000000444015141166424011533 0ustar00/* umac-nh-n.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_umac_nh_n void _nettle_umac_nh_n_c (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); #define _nettle_umac_nh_n _nettle_umac_nh_n_c #endif void _nettle_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg) { assert (length > 0); assert (length <= 1024); assert (length % 32 == 0); memset(out, 0, n*sizeof(*out)); for (;length > 0; length -= 32, msg += 32, key += 8) { uint32_t a0, a1, b0, b1; unsigned i; a0 = LE_READ_UINT32 (msg); a1 = LE_READ_UINT32 (msg + 4); b0 = LE_READ_UINT32 (msg + 16); b1 = LE_READ_UINT32 (msg + 20); for (i = 0; i < n; i++) out[i] += (uint64_t) (a0 + key[0+4*i]) * (b0 + key[4+4*i]) + (uint64_t) (a1 + key[1+4*i]) * (b1 + key[5+4*i]); a0 = LE_READ_UINT32 (msg + 8); a1 = LE_READ_UINT32 (msg + 12); b0 = LE_READ_UINT32 (msg + 24); b1 = LE_READ_UINT32 (msg + 28); for (i = 0; i < n; i++) out[i] += (uint64_t) (a0 + key[2+4*i]) * (b0 + key[6+4*i]) + (uint64_t) (a1 + key[3+4*i]) * (b1 + key[7+4*i]); } } nettle-4.0/umac-nh.c0000644000000000000000000000407115141166424011300 0ustar00/* umac-nh.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_umac_nh uint64_t _nettle_umac_nh_c (const uint32_t *key, unsigned length, const uint8_t *msg); #define _nettle_umac_nh _nettle_umac_nh_c #endif uint64_t _nettle_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg) { uint64_t y; assert (length > 0); assert (length <= 1024); assert (length % 32 == 0); for (y = 0; length > 0; length -= 32, msg += 32, key += 8) { uint32_t a, b; a = LE_READ_UINT32 (msg) + key[0]; b = LE_READ_UINT32 (msg + 16) + key[4]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 4) + key[1]; b = LE_READ_UINT32 (msg + 20) + key[5]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 8) + key[2]; b = LE_READ_UINT32 (msg + 24) + key[6]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 12) + key[3]; b = LE_READ_UINT32 (msg + 28) + key[7]; y += (uint64_t) a * b; } return y; } nettle-4.0/umac-poly128.c0000644000000000000000000000617515141166424012120 0ustar00/* umac-poly128.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" #define HI(x) (x >> 32) #define LO(x) (x & 0xffffffffUL) static void poly128_mul (const uint32_t *k, uint64_t *y) { uint64_t y0,y1,y2,y3,p0,p1,p2,p3,m0,m1,m2; y0 = LO (y[1]); y1 = HI (y[1]); y2 = LO (y[0]); y3 = HI (y[0]); p0 = y0 * k[3]; m0 = y0 * k[2] + y1 * k[3]; p1 = y0 * k[1] + y1 * k[2] + y2 * k[3]; m1 = y0 * k[0] + y1 * k[1] + y2 * k[2] + y3 * k[3]; p2 = y1 * k[0] + y2 * k[1] + y3 * k[2]; m2 = y2 * k[0] + y3 * k[1]; p3 = y3 * k[0]; /* Collaps to 4 64-bit words, +---+---+---+---+ | p3| p2| p1| p0| +-+-+-+-+-+-+-+-+ + | m2| m1| m0| -+-+-+-+-+-+-+-+-+ */ /* But it's convenient to reduce (p3,p2,p1,p0) and (m2,m1,m0) mod p first.*/ m1 += UMAC_P128_OFFSET * HI(p3); p1 += UMAC_P128_OFFSET * (LO(p3) + HI(m2)); m0 += UMAC_P128_OFFSET * (HI(p2) + LO(m2)); p0 += UMAC_P128_OFFSET * (LO(p2) + HI(m1)); /* Left to add +---+---+ | p1| p0| +-+-+-+-+ m1| m0| +-+---+ */ /* First add high parts, with no possibilities for carries */ p1 += m0 >> 32; m0 <<= 32; m1 <<= 32; /* Remains: +---+---+ | p1| p0| +-+-+---+ +| m1| m0| -+---+---+ */ p0 += m0; p1 += (p0 < m0); p1 += m1; if (p1 < m1) { p0 += UMAC_P128_OFFSET; p1 += (p0 < UMAC_P128_OFFSET); } y[0] = p1; y[1] = p0; } void _nettle_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml) { uint64_t yh, yl, cy; if ( (mh >> 32) == 0xffffffff) { poly128_mul (k, y); if (y[1] > 0) y[1]--; else if (y[0] > 0) { y[0]--; y[1] = UMAC_P128_HI; } else { y[0] = UMAC_P128_HI; y[1] = UMAC_P128_LO-1; } mh -= (ml < UMAC_P128_OFFSET); ml -= UMAC_P128_OFFSET; } assert (mh < UMAC_P128_HI || ml < UMAC_P128_LO); poly128_mul (k, y); yl = y[1] + ml; cy = (yl < ml); yh = y[0] + cy; cy = (yh < cy); yh += mh; cy += (yh < mh); assert (cy <= 1); if (cy) { yl += UMAC_P128_OFFSET; yh += yl < UMAC_P128_OFFSET; } y[0] = yh; y[1] = yl; } nettle-4.0/umac-poly64.c0000644000000000000000000000365615141166424012040 0ustar00/* umac-poly64.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" static uint64_t poly64_mul (uint32_t kh, uint32_t kl, uint64_t y) { uint64_t yl, yh, pl, ph, ml, mh; yl = y & 0xffffffff; yh = y >> 32; pl = yl * kl; ph = yh * kh; ml = yh * kl + yl * kh; /* No overflow, thanks to special form */ mh = ml >> 32; ml <<= 32; pl += ml; ph += mh + (pl < ml); /* Reduce, using 2^64 = UMAC_P64_OFFSET (mod p) */ assert (ph < ((uint64_t) 1 << 57)); ph *= UMAC_P64_OFFSET; pl += ph; if (pl < ph) pl += UMAC_P64_OFFSET; return pl; } uint64_t _nettle_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m) { if ( (m >> 32) == 0xffffffff) { y = poly64_mul (kh, kl, y); if (y == 0) y = UMAC_P64 - 1; else y--; m -= UMAC_P64_OFFSET; } y = poly64_mul (kh, kl, y); y += m; if (y < m) y += UMAC_P64_OFFSET; return y; } nettle-4.0/umac-set-key.c0000644000000000000000000000504215141166424012253 0ustar00/* umac-set-key.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" #include "macros.h" #include "bswap-internal.h" static void umac_kdf (struct aes128_ctx *aes, unsigned index, unsigned length, uint8_t *dst) { uint8_t block[AES_BLOCK_SIZE]; uint64_t count; WRITE_UINT64 (block, (uint64_t) index); for (count = 1; length >= AES_BLOCK_SIZE; length -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE, count++) { WRITE_UINT64 (block + 8, count); aes128_encrypt (aes, AES_BLOCK_SIZE, dst, block); } if (length > 0) { WRITE_UINT64 (block + 8, count); aes128_encrypt (aes, AES_BLOCK_SIZE, block, block); memcpy (dst, block, length); } } void _nettle_umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, struct aes128_ctx *aes, const uint8_t *key, unsigned n) { unsigned size; uint8_t buffer[UMAC_KEY_SIZE]; aes128_set_encrypt_key (aes, key); size = UMAC_BLOCK_SIZE / 4 + 4*(n-1); umac_kdf (aes, 1, size * sizeof(uint32_t), (uint8_t *) l1_key); bswap32_n_if_le (size, l1_key); size = 6*n; umac_kdf (aes, 2, size * sizeof(uint32_t), (uint8_t *) l2_key); _nettle_umac_l2_init (size, l2_key); size = 8*n; umac_kdf (aes, 3, size * sizeof(uint64_t), (uint8_t *) l3_key1); _nettle_umac_l3_init (size, l3_key1); /* No need to byteswap these subkeys. */ umac_kdf (aes, 4, n * sizeof(uint32_t), (uint8_t *) l3_key2); umac_kdf (aes, 0, UMAC_KEY_SIZE, buffer); aes128_set_encrypt_key (aes, buffer); } nettle-4.0/umac.h0000644000000000000000000001253315141166424010704 0ustar00/* umac.h UMAC message authentication code (RFC-4418). Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_UMAC_H_INCLUDED #define NETTLE_UMAC_H_INCLUDED #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define umac32_set_key nettle_umac32_set_key #define umac64_set_key nettle_umac64_set_key #define umac96_set_key nettle_umac96_set_key #define umac128_set_key nettle_umac128_set_key #define umac32_set_nonce nettle_umac32_set_nonce #define umac64_set_nonce nettle_umac64_set_nonce #define umac96_set_nonce nettle_umac96_set_nonce #define umac128_set_nonce nettle_umac128_set_nonce #define umac32_update nettle_umac32_update #define umac64_update nettle_umac64_update #define umac96_update nettle_umac96_update #define umac128_update nettle_umac128_update #define umac32_digest nettle_umac32_digest #define umac64_digest nettle_umac64_digest #define umac96_digest nettle_umac96_digest #define umac128_digest nettle_umac128_digest #include "nettle-types.h" #include "aes.h" #define UMAC_KEY_SIZE AES128_KEY_SIZE #define UMAC32_DIGEST_SIZE 4 #define UMAC64_DIGEST_SIZE 8 #define UMAC96_DIGEST_SIZE 12 #define UMAC128_DIGEST_SIZE 16 #define UMAC_BLOCK_SIZE 1024 #define UMAC_MIN_NONCE_SIZE 1 #define UMAC_MAX_NONCE_SIZE AES_BLOCK_SIZE /* Subkeys and state for UMAC with tag size 32*n bits. */ #define _UMAC_STATE(n) \ _NETTLE_ALIGN16 uint32_t l1_key[UMAC_BLOCK_SIZE/4 + 4*((n)-1)]; \ /* Keys in 32-bit pieces, high first */ \ uint32_t l2_key[6*(n)]; \ uint64_t l3_key1[8*(n)]; \ uint32_t l3_key2[(n)]; \ /* AES cipher for encrypting the nonce */ \ struct aes128_ctx pdf_key; \ /* The l2_state consists of 2*n uint64_t, for poly64 \ and poly128 hashing, followed by n additional \ uint64_t used as an input buffer. */ \ uint64_t l2_state[3*(n)]; \ /* Input to the pdf_key, zero-padded and low bits \ cleared if appropriate. */ \ uint8_t nonce[AES_BLOCK_SIZE]; \ unsigned short nonce_length /* For incrementing */ /* Buffering */ #define _UMAC_BUFFER \ unsigned index; \ /* Complete blocks processed */ \ uint64_t count; \ uint8_t block[UMAC_BLOCK_SIZE] #define _UMAC_NONCE_CACHED 0x80 struct umac32_ctx { _UMAC_STATE(1); /* Low bits and cache flag. */ unsigned short nonce_low; /* Previous padding block */ uint32_t pad_cache[AES_BLOCK_SIZE / 4]; _UMAC_BUFFER; }; struct umac64_ctx { _UMAC_STATE(2); /* Low bit and cache flag. */ unsigned short nonce_low; /* Previous padding block */ uint32_t pad_cache[AES_BLOCK_SIZE/4]; _UMAC_BUFFER; }; struct umac96_ctx { _UMAC_STATE(3); _UMAC_BUFFER; }; struct umac128_ctx { _UMAC_STATE(4); _UMAC_BUFFER; }; /* The _set_key function initialize the nonce to zero. */ void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key); void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key); void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key); void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key); /* Optional, if not used, messages get incrementing nonces starting from zero. */ void umac32_set_nonce (struct umac32_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac64_set_nonce (struct umac64_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac96_set_nonce (struct umac96_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac128_set_nonce (struct umac128_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data); void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data); void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data); void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data); /* The _digest functions increment the nonce */ void umac32_digest (struct umac32_ctx *ctx, uint8_t *digest); void umac64_digest (struct umac64_ctx *ctx, uint8_t *digest); void umac96_digest (struct umac96_ctx *ctx, uint8_t *digest); void umac128_digest (struct umac128_ctx *ctx, uint8_t *digest); /* Internal functions */ #define UMAC_POLY64_BLOCKS 16384 #define UMAC_P64_OFFSET 59 #define UMAC_P64 (- (uint64_t) UMAC_P64_OFFSET) #define UMAC_P128_OFFSET 159 #define UMAC_P128_HI (~(uint64_t) 0) #define UMAC_P128_LO (-(uint64_t) UMAC_P128_OFFSET) #ifdef __cplusplus } #endif #endif /* NETTLE_UMAC_H_INCLUDED */ nettle-4.0/umac128.c0000644000000000000000000000662515141166424011137 0ustar00/* umac128.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 4); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac128_set_nonce (struct umac128_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_length = nonce_length; } #define UMAC128_BLOCK(ctx, block) do { \ uint64_t __umac128_y[4]; \ _nettle_umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac128_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[1] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[2] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[3] += 8*UMAC_BLOCK_SIZE; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \ } while (0) void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC128_BLOCK, (void)0); } void umac128_digest (struct umac128_ctx *ctx, uint8_t *digest) { uint32_t tag[4]; unsigned i; if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[4]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _nettle_umac_nh_n (y, 4, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; y[2] += 8 * ctx->index; y[3] += 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, y); } assert (ctx->count > 0); aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 4, ctx->count); for (i = 0; i < 4; i++) tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i, ctx->l2_state + 2*i); memcpy (digest, tag, UMAC128_DIGEST_SIZE); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-4.0/umac32.c0000644000000000000000000000703115141166424011041 0ustar00/* umac32.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 1); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_low = 0; ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac32_set_nonce (struct umac32_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_low = ctx->nonce[nonce_length - 1] & 3; ctx->nonce[nonce_length - 1] &= ~3; ctx->nonce_length = nonce_length; } #define UMAC32_BLOCK(ctx, block) do { \ uint64_t __umac32_y \ = _nettle_umac_nh (ctx->l1_key, UMAC_BLOCK_SIZE, block) \ + 8*UMAC_BLOCK_SIZE ; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &__umac32_y); \ } while (0) void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC32_BLOCK, (void)0); } void umac32_digest (struct umac32_ctx *ctx, uint8_t *digest) { uint32_t pad; if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); y = _nettle_umac_nh (ctx->l1_key, ctx->index + pad, ctx->block) + 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &y); } assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache[ctx->nonce_low & 3]; /* Increment nonce */ ctx->nonce_low++; if ( !(ctx->nonce_low & 3)) { unsigned i = ctx->nonce_length - 1; ctx->nonce_low = 0; ctx->nonce[i] += 4; if (ctx->nonce[i] == 0 && i > 0) INCREMENT (i, ctx->nonce); } _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 1, ctx->count); pad ^= ctx->l3_key2[0] ^ _nettle_umac_l3 (ctx->l3_key1, ctx->l2_state); memcpy (digest, &pad, UMAC32_DIGEST_SIZE); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-4.0/umac64.c0000644000000000000000000000746215141166424011056 0ustar00/* umac64.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 2); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_low = 0; ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac64_set_nonce (struct umac64_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_low = ctx->nonce[nonce_length - 1] & 1; ctx->nonce[nonce_length - 1] &= ~1; ctx->nonce_length = nonce_length; } #define UMAC64_BLOCK(ctx, block) do { \ uint64_t __umac64_y[2]; \ _nettle_umac_nh_n (__umac64_y, 2, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac64_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac64_y[1] += 8*UMAC_BLOCK_SIZE; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, __umac64_y); \ } while (0) void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC64_BLOCK, (void)0); } void umac64_digest (struct umac64_ctx *ctx, uint8_t *digest) { uint32_t tag[2]; uint32_t *pad; if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[2]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _nettle_umac_nh_n (y, 2, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, y); } assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache + 2*(ctx->nonce_low & 1); /* Increment nonce */ ctx->nonce_low++; if ( !(ctx->nonce_low & 1)) { unsigned i = ctx->nonce_length - 1; ctx->nonce_low = 0; ctx->nonce[i] += 2; if (ctx->nonce[i] == 0 && i > 0) INCREMENT (i, ctx->nonce); } _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 2, ctx->count); tag[0] = pad[0] ^ ctx->l3_key2[0] ^ _nettle_umac_l3 (ctx->l3_key1, ctx->l2_state); tag[1] = pad[1] ^ ctx->l3_key2[1] ^ _nettle_umac_l3 (ctx->l3_key1 + 8, ctx->l2_state + 2); memcpy (digest, tag, UMAC64_DIGEST_SIZE); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-4.0/umac96.c0000644000000000000000000000650515141166424011060 0ustar00/* umac96.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 3); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac96_set_nonce (struct umac96_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_length = nonce_length; } #define UMAC96_BLOCK(ctx, block) do { \ uint64_t __umac96_y[3]; \ _nettle_umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac96_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac96_y[1] += 8*UMAC_BLOCK_SIZE; \ __umac96_y[2] += 8*UMAC_BLOCK_SIZE; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, __umac96_y); \ } while (0) void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC96_BLOCK, (void)0); } void umac96_digest (struct umac96_ctx *ctx, uint8_t *digest) { uint32_t tag[4]; unsigned i; if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[3]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _nettle_umac_nh_n (y, 3, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; y[2] += 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, y); } assert (ctx->count > 0); aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 3, ctx->count); for (i = 0; i < 3; i++) tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i, ctx->l2_state + 2*i); memcpy (digest, tag, UMAC96_DIGEST_SIZE); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-4.0/version.c0000644000000000000000000000230415141166424011432 0ustar00/* version.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "version.h" int nettle_version_major (void) { return NETTLE_VERSION_MAJOR; } int nettle_version_minor (void) { return NETTLE_VERSION_MINOR; } nettle-4.0/version.h.in0000644000000000000000000000326315141166424012051 0ustar00/* version.h Information about library version. Copyright (C) 2015 Red Hat, Inc. Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_VERSION_H_INCLUDED #define NETTLE_VERSION_H_INCLUDED #ifdef __cplusplus extern "C" { #endif /* Individual version numbers in decimal */ #define NETTLE_VERSION_MAJOR @MAJOR_VERSION@ #define NETTLE_VERSION_MINOR @MINOR_VERSION@ #define NETTLE_USE_MINI_GMP @NETTLE_USE_MINI_GMP@ /* We need a preprocessor constant for GMP_NUMB_BITS, simply using sizeof(mp_limb_t) * CHAR_BIT is not good enough. */ #if NETTLE_USE_MINI_GMP # define GMP_NUMB_BITS @GMP_NUMB_BITS@ #endif int nettle_version_major (void); int nettle_version_minor (void); #ifdef __cplusplus } #endif #endif /* NETTLE_VERSION_H_INCLUDED */ nettle-4.0/write-be32.c0000644000000000000000000000330215141166424011627 0ustar00/* write-be32.c Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-write.h" #include "macros.h" void _nettle_write_be32(size_t length, uint8_t *dst, const uint32_t *src) { size_t i; size_t words; unsigned leftover; words = length / 4; leftover = length % 4; for (i = 0; i < words; i++, dst += 4) WRITE_UINT32(dst, src[i]); if (leftover) { uint32_t word; unsigned j = leftover; word = src[i]; switch (leftover) { default: abort(); case 3: dst[--j] = (word >> 8) & 0xff; /* Fall through */ case 2: dst[--j] = (word >> 16) & 0xff; /* Fall through */ case 1: dst[--j] = (word >> 24) & 0xff; } } } nettle-4.0/write-le32.c0000644000000000000000000000302615141166424011644 0ustar00/* write-le32.c Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-write.h" #include "macros.h" void _nettle_write_le32(size_t length, uint8_t *dst, const uint32_t *src) { size_t i; size_t words; unsigned leftover; words = length / 4; leftover = length % 4; for (i = 0; i < words; i++, dst += 4) LE_WRITE_UINT32(dst, src[i]); if (leftover) { uint32_t word; word = src[i]; do { *dst++ = word & 0xff; word >>= 8; } while (--leftover); } } nettle-4.0/write-le64.c0000644000000000000000000000300715141166424011650 0ustar00/* write-le64.c Copyright (C) 2001, 2011, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-write.h" #include "macros.h" void _nettle_write_le64(size_t length, uint8_t *dst, const uint64_t *src) { size_t i; size_t words; unsigned leftover; words = length / 8; leftover = length % 8; for (i = 0; i < words; i++, dst += 8) LE_WRITE_UINT64(dst, src[i]); if (leftover) { uint64_t word; word = src[i]; do { *dst++ = word & 0xff; word >>= 8; } while (--leftover); } } nettle-4.0/x86/0000755000000000000000000000000015141166424010227 5ustar00nettle-4.0/x86/aes-decrypt-internal.asm0000644000000000000000000000772715141166424015000 0ustar00C x86/aes-decrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86/aes.m4') C Register usage: C AES state define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') C Primary use of these registers. They're also used temporarily for other things. define(`T',`%ebp') define(`TMP',`%edi') define(`KEY',`%esi') define(`PARAM_ROUNDS', `40(%esp)') define(`PARAM_KEYS', `44(%esp)') define(`PARAM_TABLE', `48(%esp)') define(`PARAM_LENGTH', `52(%esp)') define(`PARAM_DST', `56(%esp)') define(`PARAM_SRC', `60(%esp)') define(`FRAME_KEY', `16(%esp)') define(`FRAME_COUNT', `12(%esp)') define(`TA', `8(%esp)') define(`TB', `4(%esp)') define(`TC', `(%esp)') C The aes state is kept in %eax, %ebx, %ecx and %edx C C %esi is used as temporary, to point to the input, and to the C subkeys, etc. C C %ebp is used as the round counter, and as a temporary in the final round. C C %edi is a temporary, often used as an accumulator. .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) C save all registers that need to be saved pushl %ebx C 20(%esp) pushl %ebp C 16(%esp) pushl %esi C 12(%esp) pushl %edi C 8(%esp) subl $20, %esp C loop counter and save area for the key pointer movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend shrl $4, PARAM_LENGTH decl PARAM_ROUNDS .Lblock_loop: movl PARAM_KEYS, KEY C address of subkeys movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) addl $16, PARAM_SRC C Increment src pointer movl PARAM_TABLE, T movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT subl $16,KEY C point to next key movl KEY,FRAME_KEY ALIGN(16) .Lround_loop: AES_ROUND(T, SA,SD,SC,SB, TMP, KEY) movl TMP, TA AES_ROUND(T, SB,SA,SD,SC, TMP, KEY) movl TMP, TB AES_ROUND(T, SC,SB,SA,SD, TMP, KEY) movl TMP, TC AES_ROUND(T, SD,SC,SB,SA, SD, KEY) movl TA, SA movl TB, SB movl TC, SC movl FRAME_KEY, KEY xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD subl $16,FRAME_KEY C point to next key decl FRAME_COUNT jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SD,SC,SB,T, TMP, KEY) movl TMP, TA AES_FINAL_ROUND(SB,SA,SD,SC,T, TMP, KEY) movl TMP, TB AES_FINAL_ROUND(SC,SB,SA,SD,T, TMP, KEY) movl TMP, TC AES_FINAL_ROUND(SD,SC,SB,SA,T, SD, KEY) movl TA, SA movl TB, SB movl TC, SC C Inverse S-box substitution mov $3,TMP .Lsubst: AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store decrypted data movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) addl $16, PARAM_DST C Increment destination pointer decl PARAM_LENGTH jnz .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_aes_decrypt) nettle-4.0/x86/aes-encrypt-internal.asm0000644000000000000000000000772715141166424015012 0ustar00C x86/aes-encrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86/aes.m4') C Register usage: C AES state define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') C Primary use of these registers. They're also used temporarily for other things. define(`T',`%ebp') define(`TMP',`%edi') define(`KEY',`%esi') define(`PARAM_ROUNDS', `40(%esp)') define(`PARAM_KEYS', `44(%esp)') define(`PARAM_TABLE', `48(%esp)') define(`PARAM_LENGTH', `52(%esp)') define(`PARAM_DST', `56(%esp)') define(`PARAM_SRC', `60(%esp)') define(`FRAME_KEY', `16(%esp)') define(`FRAME_COUNT', `12(%esp)') define(`TA', `8(%esp)') define(`TB', `4(%esp)') define(`TC', `(%esp)') C The aes state is kept in %eax, %ebx, %ecx and %edx C C %esi is used as temporary, to point to the input, and to the C subkeys, etc. C C %ebp is used as the round counter, and as a temporary in the final round. C C %edi is a temporary, often used as an accumulator. .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) C save all registers that need to be saved pushl %ebx C 20(%esp) pushl %ebp C 16(%esp) pushl %esi C 12(%esp) pushl %edi C 8(%esp) subl $20, %esp C loop counter and save area for the key pointer movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend shrl $4, PARAM_LENGTH subl $1, PARAM_ROUNDS .Lblock_loop: movl PARAM_KEYS, KEY C address of subkeys movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) addl $16, PARAM_SRC C Increment src pointer movl PARAM_TABLE, T movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT addl $16,KEY C point to next key movl KEY,FRAME_KEY ALIGN(16) .Lround_loop: AES_ROUND(T, SA,SB,SC,SD, TMP, KEY) movl TMP, TA AES_ROUND(T, SB,SC,SD,SA, TMP, KEY) movl TMP, TB AES_ROUND(T, SC,SD,SA,SB, TMP, KEY) movl TMP, TC AES_ROUND(T, SD,SA,SB,SC, SD, KEY) movl TA, SA movl TB, SB movl TC, SC movl FRAME_KEY, KEY xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD addl $16,FRAME_KEY C point to next key decl FRAME_COUNT jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SB,SC,SD, T, TMP, KEY) movl TMP, TA AES_FINAL_ROUND(SB,SC,SD,SA, T, TMP, KEY) movl TMP, TB AES_FINAL_ROUND(SC,SD,SA,SB, T, TMP, KEY) movl TMP, TC AES_FINAL_ROUND(SD,SA,SB,SC, T, SD, KEY) movl TA, SA movl TB, SB movl TC, SC C S-box substitution mov $3,TMP .Lsubst: AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store encrypted data movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) addl $16, PARAM_DST C Increment destination pointer decl PARAM_LENGTH jnz .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_aes_encrypt) nettle-4.0/x86/aes.m40000644000000000000000000000366615141166424011254 0ustar00dnl AES_LOAD(a, b, c, d, src, key) dnl Loads the next block of data from src, and add the subkey pointed dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_LOAD', ` movl ($5),$1 movl 4($5),$2 movl 8($5),$3 movl 12($5),$4 xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 xorl 12($6),$4')dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_STORE', ` xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 xorl 12($5),$4 movl $1,($6) movl $2,4($6) movl $3,8($6) movl $4,12($6)')dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. define(`AES_ROUND', ` movzbl LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzbl HREG($3), $7 xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,$7 shrl `$'16,$7 andl `$'0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,$7 shrl `$'24,$7 xorl AES_TABLE3 ($1, $7, 4),$6')dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. dnl Note that we have to quote $ in constants. define(`AES_FINAL_ROUND', ` movzbl LREG($1),$6 movzbl ($5, $6), $6 movl $2,$7 andl `$'0x0000ff00,$7 orl $7, $6 movl $3,$7 andl `$'0x00ff0000,$7 orl $7, $6 movl $4,$7 andl `$'0xff000000,$7 orl $7, $6 roll `$'8, $6')dnl dnl AES_SUBST_BYTE(A, B, C, D, table, ptr) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. dnl Uses that AES_SBOX == 0 define(`AES_SUBST_BYTE', ` movzbl LREG($1),$6 movb ($5, $6),LREG($1) roll `$'8,$1 movzbl LREG($2),$6 movb ($5, $6),LREG($2) roll `$'8,$2 movzbl LREG($3),$6 movb ($5, $6),LREG($3) roll `$'8,$3 movzbl LREG($4),$6 movb ($5, $6),LREG($4) roll `$'8,$4')dnl nettle-4.0/x86/camellia-crypt-internal.asm0000644000000000000000000001111215141166424015445 0ustar00C x86/camellia-crypt-internal.asm ifelse(` Copyright (C) 2010, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Camellia state, 128-bit value in little endian order. C L0, H0 corresponds to D1 in the spec and i0 in the C implementation. C while L1, H1 corresponds to D2/i1. define(`L0',`%eax') define(`H0',`%ebx') define(`L1',`%ecx') define(`H1',`%edx') define(`TMP',`%ebp') define(`KEY',`%esi') define(`T',`%edi') C Locals on the stack define(`FRAME_L0', `(%esp)') define(`FRAME_H0', `4(%esp)') define(`FRAME_L1', `8(%esp)') define(`FRAME_H1', `12(%esp)') define(`FRAME_CNT', `16(%esp)') C Arguments on stack. define(`FRAME_NKEYS', `40(%esp)') define(`FRAME_KEYS', `44(%esp)') define(`FRAME_TABLE', `48(%esp)') define(`FRAME_LENGTH', `52(%esp)') define(`FRAME_DST', `56(%esp)') define(`FRAME_SRC', `60(%esp)') define(`SP1110', `(T,$1,4)') define(`SP0222', `1024(T,$1,4)') define(`SP3033', `2048(T,$1,4)') define(`SP4404', `3072(T,$1,4)') C ROUND(xl, xh, yl, yh, key-offset) C xl and xh are rotated 16 bits at the end C yl and yh are read from stack, and left in registers define(`ROUND', ` movzbl LREG($1), TMP movl SP1110(TMP), $4 movzbl HREG($1), TMP xorl SP4404(TMP), $4 roll `$'16, $1 movzbl LREG($2), TMP movl SP4404(TMP), $3 movzbl HREG($2), TMP xorl SP3033(TMP), $3 roll `$'16, $2 movzbl LREG($1), TMP xorl SP3033(TMP), $4 movzbl HREG($1), TMP xorl SP0222(TMP), $4 movzbl LREG($2), TMP xorl SP0222(TMP), $3 movzbl HREG($2), TMP xorl SP1110(TMP), $3 xorl $5(KEY), $4 xorl $5 + 4(KEY), $3 xorl $3, $4 rorl `$'8, $3 xorl $4, $3 xorl FRAME_$3, $3 xorl FRAME_$4, $4 ') C Six rounds, with inputs and outputs in registers. define(`ROUND6', ` movl L0, FRAME_L0 movl H0, FRAME_H0 movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L0,H0,`L1',`H1',0) movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L1,H1,`L0',`H0',8) movl L0, FRAME_L0 movl H0, FRAME_H0 ROUND(L0,H0,`L1',`H1',16) movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L1,H1,`L0',`H0',24) movl L0, FRAME_L0 movl H0, FRAME_H0 ROUND(L0,H0,`L1',`H1',32) ROUND(L1,H1,`L0',`H0',40) roll `$'16, L1 roll `$'16, H1 ') C FL(x0, x1, key-offset) define(`FL', ` movl $3 + 4(KEY), TMP andl $2, TMP roll `$'1, TMP xorl TMP, $1 movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 ') C FLINV(x0, x1, key-offset) define(`FLINV', ` movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 movl $3 + 4(KEY), TMP andl $2, TMP roll `$'1, TMP xorl TMP, $1 ') .file "camellia-crypt-internal.asm" C _camellia_crypt(unsigned nkeys, const uint64_t *keys, C const struct camellia_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_camellia_crypt) C save all registers that need to be saved pushl %ebx C 32(%esp) pushl %ebp C 28(%esp) pushl %esi C 24(%esp) pushl %edi C 20(%esp) subl $20, %esp movl FRAME_LENGTH, %ebp testl %ebp,%ebp jz .Lend .Lblock_loop: C Load data, note that we'll happily do unaligned loads movl FRAME_SRC, TMP movl (TMP), H0 bswap H0 movl 4(TMP), L0 bswap L0 movl 8(TMP), H1 bswap H1 movl 12(TMP), L1 bswap L1 addl $16, FRAME_SRC movl FRAME_KEYS, KEY movl FRAME_NKEYS, TMP subl $8, TMP movl TMP, FRAME_CNT xorl (KEY), L0 xorl 4(KEY), H0 addl $8, KEY movl FRAME_TABLE, T ROUND6 .Lround_loop: addl $64, KEY FL(L0, H0, -16) FLINV(L1, H1, -8) ROUND6 subl $8, FRAME_CNT ja .Lround_loop movl FRAME_DST, TMP bswap H0 movl H0,8(TMP) bswap L0 movl L0,12(TMP) xorl 52(KEY), H1 bswap H1 movl H1, 0(TMP) xorl 48(KEY), L1 bswap L1 movl L1, 4(TMP) addl $16, FRAME_DST subl $16, FRAME_LENGTH ja .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_camellia_crypt) nettle-4.0/x86/machine.m40000644000000000000000000000057415141166424012103 0ustar00C OFFSET(i) C Expands to 4*i, or to the empty string if i is zero define(`OFFSET', `ifelse($1,0,,eval(4*$1))') dnl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. define(`LREG',`ifelse( $1, %eax, %al, $1, %ebx, %bl, $1, %ecx, %cl, $1, %edx, %dl)')dnl define(`HREG',`ifelse( $1, %eax, %ah, $1, %ebx, %bh, $1, %ecx, %ch, $1, %edx, %dh)')dnl nettle-4.0/x86/sha1-compress.asm0000644000000000000000000007217315141166424013430 0ustar00C x86/sha1-compress.asm ifelse(` Copyright (C) 2004, 2009 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') define(`SE',`%ebp') define(`DATA',`%esp') define(`T1',`%edi') define(`T2',`%esi') C Constants define(`K1VALUE', `0x5A827999') C Rounds 0-19 define(`K2VALUE', `0x6ED9EBA1') C Rounds 20-39 define(`K3VALUE', `0x8F1BBCDC') C Rounds 40-59 define(`K4VALUE', `0xCA62C1D6') C Rounds 60-79 C Reads the input via T2 into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) define(`SWAP', ` movl OFFSET($1)(T2), $2 bswap $2 movl $2, OFFSET($1) (DATA) ')dnl C The f functions, C C f1(x,y,z) = z ^ (x & (y ^ z)) C f2(x,y,z) = x ^ y ^ z C f3(x,y,z) = (x & (y ^ z)) + (y & z) C f4 = f2 C This form for f3 was suggested by George Spelvin. The terms can be C added into the result one at a time, saving one temporary. C The form of one sha1 round is C C a' = e + a <<< 5 + f( b, c, d ) + k + w; C b' = a; C c' = b <<< 30; C d' = c; C e' = d; C C where <<< denotes rotation. We permute our variables, so that we C instead get C C e += a <<< 5 + f( b, c, d ) + k + w; C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) define(`ROUND_F1', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 and $2, T2 xor $4, T2 rol `$'30, $2 lea K1VALUE (T1, $5), $5 mov $1, T1 rol `$'5, T1 add T1, $5 add T2, $5 ') dnl ROUND_F1_NOEXP(a, b, c, d, e, i) define(`ROUND_F1_NOEXP', ` mov $4, T2 xor $3, T2 mov $1, T1 and $2, T2 add OFFSET($6) (DATA), $5 xor $4, T2 add T2, $5 rol `$'30, $2 rol `$'5, T1 lea K1VALUE (T1, $5), $5 ') dnl ROUND_F2(a, b, c, d, e, i, k) define(`ROUND_F2', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 xor $2, T2 rol `$'30, $2 lea $7 (T1, $5), $5 mov $1, T1 rol `$'5, T1 add T1, $5 add T2, $5 ') dnl ROUND_F3(a, b, c, d, e, i) define(`ROUND_F3', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 and $3, T2 lea K3VALUE (T1, $5), $5 mov $4, T1 xor $3, T1 and $2, T1 add T2, $5 rol `$'30, $2 mov $1, T2 rol `$'5, T2 add T1, $5 add T2, $5 ') .file "sha1-compress.asm" C nettle_sha1_compress(uint32_t *state, uint8_t *data) .text ALIGN(16) PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved C 88(%esp) data C 84(%esp) state C 80(%esp) Return address pushl %ebx C 76(%esp) pushl %ebp C 72(%esp) pushl %esi C 68(%esp) pushl %edi C 64(%esp) subl $64, %esp C %esp = W C Loop-mixed to 520 cycles (for the complete function call) on C AMD K7. ALIGN(32) mov 88(%esp), T2 mov OFFSET(2)(T2), %ecx mov OFFSET(0)(T2), %eax bswap %ecx bswap %eax mov %ecx, OFFSET(2) (DATA) mov %eax, OFFSET(0) (DATA) mov OFFSET(3)(T2), %edx mov OFFSET(6)(T2), %ecx mov OFFSET(4)(T2), %eax mov OFFSET(1)(T2), %ebx bswap %ebx bswap %eax bswap %ecx mov %ecx, OFFSET(6) (DATA) mov %eax, OFFSET(4) (DATA) bswap %edx mov %edx, OFFSET(3) (DATA) mov %ebx, OFFSET(1) (DATA) mov OFFSET(10)(T2), %ecx mov OFFSET(8)(T2), %eax mov OFFSET(7)(T2), %edx bswap %eax bswap %edx mov %edx, OFFSET(7) (DATA) mov OFFSET(5)(T2), %ebx mov %eax, OFFSET(8) (DATA) mov OFFSET(11)(T2), %edx bswap %ecx bswap %edx mov OFFSET(12)(T2), %eax bswap %ebx mov %ecx, OFFSET(10) (DATA) mov %ebx, OFFSET(5) (DATA) mov %edx, OFFSET(11) (DATA) mov OFFSET(15)(T2), %edx mov 84(%esp),T1 mov OFFSET(9)(T2), %ebx bswap %edx bswap %ebx bswap %eax mov OFFSET(14)(T2), %ecx mov %edx, OFFSET(15) (DATA) bswap %ecx mov %ecx, OFFSET(14) (DATA) mov %ebx, OFFSET(9) (DATA) mov OFFSET(13)(T2), %ebx mov 12(T1), SD bswap %ebx mov %ebx, OFFSET(13) (DATA) mov 8(T1), SC mov 16(T1), SE mov 4(T1), SB mov SD, T2 add OFFSET(0) (DATA), SE xor SC, T2 mov %eax, OFFSET(12) (DATA) mov (T1), SA and SB, T2 xor SD, T2 rol $30, SB add T2, SE mov SA, T1 mov SC, T2 add OFFSET(1) (DATA), SD rol $5, T1 xor SB, T2 and SA, T2 xor SC, T2 lea K1VALUE (T1, SE), SE add T2, SD mov SB, T2 rol $30, SA xor SA, T2 and SE, T2 mov SE, T1 add OFFSET(2) (DATA), SC rol $30, SE xor SB, T2 rol $5, T1 lea K1VALUE (T1, SD), SD mov SD, T1 rol $5, T1 add T2, SC mov SA, T2 xor SE, T2 lea K1VALUE (T1, SC), SC and SD, T2 xor SA, T2 add OFFSET(3) (DATA), SB mov SC, T1 add T2, SB mov SE, T2 rol $30, SD xor SD, T2 and SC, T2 rol $5, T1 xor SE, T2 add OFFSET(4) (DATA), SA lea K1VALUE (T1, SB), SB add T2, SA rol $30, SC mov SD, T2 xor SC, T2 and SB, T2 mov SB, T1 rol $5, T1 add OFFSET(5) (DATA), SE rol $30, SB xor SD, T2 add T2, SE mov SC, T2 xor SB, T2 lea K1VALUE (T1, SA), SA mov SA, T1 add OFFSET(6) (DATA), SD and SA, T2 rol $5, T1 xor SC, T2 lea K1VALUE (T1, SE), SE rol $30, SA add T2, SD mov SB, T2 mov SE, T1 xor SA, T2 and SE, T2 rol $5, T1 lea K1VALUE (T1, SD), SD xor SB, T2 add OFFSET(7) (DATA), SC rol $30, SE add OFFSET(8) (DATA), SB mov SD, T1 add T2, SC mov SA, T2 xor SE, T2 rol $5, T1 and SD, T2 lea K1VALUE (T1, SC), SC xor SA, T2 add T2, SB mov SE, T2 mov SC, T1 rol $30, SD xor SD, T2 rol $5, T1 lea K1VALUE (T1, SB), SB and SC, T2 xor SE, T2 add OFFSET(10) (DATA), SE add OFFSET(9) (DATA), SA mov SB, T1 add T2, SA rol $5, T1 lea K1VALUE (T1, SA), SA mov SD, T2 rol $30, SC xor SC, T2 and SB, T2 xor SD, T2 rol $30, SB add T2, SE mov SC, T2 mov SA, T1 xor SB, T2 add OFFSET(11) (DATA), SD and SA, T2 rol $30, SA rol $5, T1 xor SC, T2 lea K1VALUE (T1, SE), SE add T2, SD mov SB, T2 xor SA, T2 mov SE, T1 rol $5, T1 and SE, T2 lea K1VALUE (T1, SD), SD xor SB, T2 add OFFSET(12) (DATA), SC add T2, SC rol $30, SE mov SA, T2 xor SE, T2 mov SD, T1 rol $5, T1 and SD, T2 add OFFSET(13) (DATA), SB lea K1VALUE (T1, SC), SC xor SA, T2 add T2, SB mov SE, T2 rol $30, SD xor SD, T2 and SC, T2 mov SC, T1 rol $5, T1 rol $30, SC add OFFSET(14) (DATA), SA xor SE, T2 add T2, SA mov SD, T2 xor SC, T2 lea K1VALUE (T1, SB), SB and SB, T2 mov SB, T1 rol $5, T1 lea K1VALUE (T1, SA), SA mov SA, T1 xor SD, T2 add OFFSET(15) (DATA), SE add T2, SE rol $5, T1 lea K1VALUE (T1, SE), SE mov OFFSET(0) (DATA), T1 xor OFFSET(2) (DATA), T1 mov SC, T2 xor OFFSET(8) (DATA), T1 xor OFFSET(13) (DATA), T1 rol $30, SB xor SB, T2 and SA, T2 xor SC, T2 rol $1, T1 lea K1VALUE (T1, T2), T2 mov T1, OFFSET(0) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 xor SA, T2 and SE, T2 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 xor SB, T2 rol $1, T1 mov T1, OFFSET(1) (DATA) lea K1VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(2) (DATA), T1 xor OFFSET(4) (DATA), T1 rol $30, SE add T2, SC mov SA, T2 xor SE, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 and SD, T2 rol $1, T1 xor SA, T2 mov T1, OFFSET(2) (DATA) lea K1VALUE (T1, T2), T2 mov SC, T1 rol $30, SD rol $5, T1 add T1, SB add T2, SB mov SE, T2 mov OFFSET(3) (DATA), T1 xor SD, T2 xor OFFSET(5) (DATA), T1 and SC, T2 xor SE, T2 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $1, T1 mov T1, OFFSET(3) (DATA) lea K1VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(4) (DATA), T1 xor OFFSET(6) (DATA), T1 rol $30, SC xor OFFSET(12) (DATA), T1 add T2, SA xor OFFSET(1) (DATA), T1 mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(5) (DATA), T1 add T2, SE mov SC, T2 xor OFFSET(7) (DATA), T1 rol $30, SB xor OFFSET(13) (DATA), T1 xor SB, T2 xor OFFSET(2) (DATA), T1 xor SA, T2 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K2VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SD rol $30, SA xor OFFSET(14) (DATA), T1 mov SB, T2 xor OFFSET(3) (DATA), T1 xor SA, T2 rol $1, T1 xor SE, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(6) (DATA) mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov SA, T2 rol $30, SE mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 xor SE, T2 xor OFFSET(15) (DATA), T1 xor OFFSET(4) (DATA), T1 xor SD, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(7) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 add T2, SB rol $30, SD mov SE, T2 xor OFFSET(0) (DATA), T1 xor OFFSET(5) (DATA), T1 xor SD, T2 xor SC, T2 rol $1, T1 mov T1, OFFSET(8) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(9) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SA xor OFFSET(6) (DATA), T1 mov SD, T2 rol $1, T1 rol $30, SC xor SC, T2 mov T1, OFFSET(9) (DATA) xor SB, T2 lea K2VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SE mov SC, T2 rol $30, SB xor OFFSET(7) (DATA), T1 xor SB, T2 rol $1, T1 xor SA, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(10) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 rol $30, SA xor OFFSET(3) (DATA), T1 add T2, SD xor OFFSET(8) (DATA), T1 mov SB, T2 xor SA, T2 rol $1, T1 mov T1, OFFSET(11) (DATA) xor SE, T2 lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 rol $30, SE add T2, SC xor OFFSET(4) (DATA), T1 mov SA, T2 xor OFFSET(9) (DATA), T1 xor SE, T2 rol $1, T1 xor SD, T2 mov T1, OFFSET(12) (DATA) lea K2VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 add T2, SB mov SE, T2 xor OFFSET(5) (DATA), T1 xor SD, T2 xor OFFSET(10) (DATA), T1 xor SC, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(13) (DATA) mov SB, T1 rol $5, T1 add T1, SA add T2, SA mov SD, T2 mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SC xor OFFSET(6) (DATA), T1 xor OFFSET(11) (DATA), T1 xor SC, T2 xor SB, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SE mov SC, T2 rol $30, SB xor SB, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(12) (DATA), T1 xor SA, T2 rol $1, T1 mov T1, OFFSET(15) (DATA) lea K2VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(0) (DATA), T1 xor OFFSET(2) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SD mov SB, T2 rol $30, SA xor SA, T2 xor OFFSET(13) (DATA), T1 rol $1, T1 xor SE, T2 mov T1, OFFSET(0) (DATA) lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 add T2, SC mov SA, T2 rol $30, SE xor SE, T2 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 rol $1, T1 xor SD, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(1) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(2) (DATA), T1 rol $30, SD xor OFFSET(4) (DATA), T1 add T2, SB mov SE, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 xor SD, T2 xor SC, T2 rol $1, T1 mov T1, OFFSET(2) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 add T2, SA rol $30, SC mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(3) (DATA) mov SA, T1 rol $5, T1 rol $30, SB add T1, SE mov OFFSET(4) (DATA), T1 add T2, SE xor OFFSET(6) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(1) (DATA), T1 mov SC, T2 xor SB, T2 rol $1, T1 xor SA, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SE, T1 rol $5, T1 add T1, SD add T2, SD mov OFFSET(5) (DATA), T1 mov SB, T2 rol $30, SA xor SA, T2 xor SE, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(2) (DATA), T1 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SC xor OFFSET(14) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $1, T1 mov T1, OFFSET(6) (DATA) mov SA, T2 rol $30, SE xor SE, T2 xor SD, T2 lea K2VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB add T2, SB mov OFFSET(7) (DATA), T1 mov SE, T2 rol $30, SD xor OFFSET(9) (DATA), T1 xor SD, T2 xor SC, T2 xor OFFSET(15) (DATA), T1 xor OFFSET(4) (DATA), T1 rol $1, T1 mov T1, OFFSET(7) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 rol $30, SC xor OFFSET(0) (DATA), T1 add T2, SA mov SD, T2 xor OFFSET(5) (DATA), T1 rol $1, T1 and SC, T2 mov T1, OFFSET(8) (DATA) lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 mov SD, T2 xor SC, T2 and SB, T2 rol $30, SB rol $5, T1 add T1, SE mov OFFSET(9) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SE mov SC, T2 xor OFFSET(6) (DATA), T1 rol $1, T1 and SB, T2 mov T1, OFFSET(9) (DATA) lea K3VALUE (T1, T2), T1 add T1, SD mov SC, T2 xor SB, T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(10) (DATA), T1 and SA, T2 add T2, SD xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 rol $30, SA mov SB, T2 and SA, T2 xor OFFSET(7) (DATA), T1 rol $1, T1 mov T1, OFFSET(10) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 mov SB, T2 add T1, SC mov OFFSET(11) (DATA), T1 xor SA, T2 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 and SE, T2 xor OFFSET(8) (DATA), T1 add T2, SC rol $1, T1 mov SA, T2 mov T1, OFFSET(11) (DATA) rol $30, SE and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SA, T2 mov SC, T1 xor SE, T2 rol $5, T1 add T1, SB mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 xor OFFSET(4) (DATA), T1 xor OFFSET(9) (DATA), T1 and SD, T2 rol $30, SD add T2, SB rol $1, T1 mov T1, OFFSET(12) (DATA) mov SE, T2 and SD, T2 lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 mov SE, T2 xor OFFSET(5) (DATA), T1 xor SD, T2 and SC, T2 xor OFFSET(10) (DATA), T1 add T2, SA rol $1, T1 rol $30, SC mov T1, OFFSET(13) (DATA) mov SD, T2 and SC, T2 lea K3VALUE (T1, T2), T1 mov SD, T2 add T1, SE mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 xor SC, T2 and SB, T2 xor OFFSET(6) (DATA), T1 rol $30, SB xor OFFSET(11) (DATA), T1 rol $1, T1 add T2, SE mov SC, T2 mov T1, OFFSET(14) (DATA) and SB, T2 lea K3VALUE (T1, T2), T1 mov SC, T2 add T1, SD mov SE, T1 xor SB, T2 rol $5, T1 add T1, SD mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 and SA, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(12) (DATA), T1 add T2, SD rol $30, SA mov SB, T2 rol $1, T1 mov T1, OFFSET(15) (DATA) and SA, T2 lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 mov SB, T2 rol $5, T1 add T1, SC mov OFFSET(0) (DATA), T1 xor SA, T2 xor OFFSET(2) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(13) (DATA), T1 and SE, T2 add T2, SC rol $30, SE rol $1, T1 mov T1, OFFSET(0) (DATA) mov SA, T2 and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SC, T1 mov SA, T2 xor SE, T2 rol $5, T1 add T1, SB mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 xor OFFSET(9) (DATA), T1 and SD, T2 xor OFFSET(14) (DATA), T1 add T2, SB rol $30, SD mov SE, T2 rol $1, T1 and SD, T2 mov T1, OFFSET(1) (DATA) lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov SE, T2 mov OFFSET(2) (DATA), T1 xor SD, T2 xor OFFSET(4) (DATA), T1 xor OFFSET(10) (DATA), T1 and SC, T2 add T2, SA xor OFFSET(15) (DATA), T1 rol $30, SC mov SD, T2 rol $1, T1 mov T1, OFFSET(2) (DATA) and SC, T2 lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 mov SD, T2 rol $1, T1 xor SC, T2 and SB, T2 mov T1, OFFSET(3) (DATA) rol $30, SB add T2, SE mov SC, T2 and SB, T2 lea K3VALUE (T1, T2), T1 add T1, SD mov SE, T1 mov SC, T2 rol $5, T1 add T1, SD mov OFFSET(4) (DATA), T1 xor OFFSET(6) (DATA), T1 xor SB, T2 and SA, T2 add T2, SD mov SB, T2 xor OFFSET(12) (DATA), T1 rol $30, SA and SA, T2 xor OFFSET(1) (DATA), T1 rol $1, T1 mov T1, OFFSET(4) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(5) (DATA), T1 xor OFFSET(7) (DATA), T1 mov SB, T2 xor OFFSET(13) (DATA), T1 xor SA, T2 xor OFFSET(2) (DATA), T1 and SE, T2 rol $30, SE add T2, SC rol $1, T1 mov SA, T2 mov T1, OFFSET(5) (DATA) and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SA, T2 mov SC, T1 rol $5, T1 add T1, SB xor SE, T2 and SD, T2 mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(14) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $1, T1 add T2, SB rol $30, SD mov SE, T2 and SD, T2 mov T1, OFFSET(6) (DATA) lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 mov SE, T2 xor SD, T2 xor OFFSET(15) (DATA), T1 and SC, T2 rol $30, SC add T2, SA mov SD, T2 xor OFFSET(4) (DATA), T1 rol $1, T1 and SC, T2 mov T1, OFFSET(7) (DATA) lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 rol $5, T1 mov SD, T2 add T1, SE mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 xor SC, T2 xor OFFSET(0) (DATA), T1 and SB, T2 add T2, SE xor OFFSET(5) (DATA), T1 rol $30, SB mov SC, T2 and SB, T2 rol $1, T1 mov T1, OFFSET(8) (DATA) lea K3VALUE (T1, T2), T1 add T1, SD mov SE, T1 rol $5, T1 mov SC, T2 xor SB, T2 add T1, SD and SA, T2 mov OFFSET(9) (DATA), T1 rol $30, SA xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SD mov SB, T2 and SA, T2 xor OFFSET(6) (DATA), T1 rol $1, T1 mov T1, OFFSET(9) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 mov SB, T2 xor SA, T2 and SE, T2 add T1, SC mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SC mov SA, T2 rol $30, SE xor OFFSET(7) (DATA), T1 rol $1, T1 and SE, T2 mov T1, OFFSET(10) (DATA) lea K3VALUE (T1, T2), T1 mov SA, T2 xor SE, T2 add T1, SB mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 xor OFFSET(8) (DATA), T1 and SD, T2 add T2, SB mov SE, T2 rol $1, T1 mov T1, OFFSET(11) (DATA) rol $30, SD and SD, T2 lea K3VALUE (T1, T2), T1 mov SE, T2 add T1, SA xor SD, T2 mov SB, T1 and SC, T2 rol $30, SC rol $5, T1 add T1, SA mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA mov SD, T2 xor OFFSET(4) (DATA), T1 xor OFFSET(9) (DATA), T1 rol $1, T1 mov T1, OFFSET(12) (DATA) xor SC, T2 xor SB, T2 lea K4VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 add T2, SE rol $30, SB mov SC, T2 xor OFFSET(5) (DATA), T1 xor SB, T2 xor OFFSET(10) (DATA), T1 rol $1, T1 mov T1, OFFSET(13) (DATA) xor SA, T2 lea K4VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 xor SA, T2 xor SE, T2 xor OFFSET(6) (DATA), T1 xor OFFSET(11) (DATA), T1 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov OFFSET(15) (DATA), T1 mov SA, T2 rol $30, SE xor OFFSET(1) (DATA), T1 xor OFFSET(7) (DATA), T1 xor SE, T2 xor SD, T2 xor OFFSET(12) (DATA), T1 rol $1, T1 mov T1, OFFSET(15) (DATA) lea K4VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(0) (DATA), T1 add T2, SB xor OFFSET(2) (DATA), T1 mov SE, T2 rol $30, SD xor OFFSET(8) (DATA), T1 xor SD, T2 xor OFFSET(13) (DATA), T1 xor SC, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(0) (DATA) mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(1) (DATA), T1 rol $30, SC xor OFFSET(3) (DATA), T1 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(1) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(2) (DATA), T1 rol $30, SB xor OFFSET(4) (DATA), T1 add T2, SE mov SC, T2 xor SB, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 xor SA, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(2) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 rol $1, T1 mov T1, OFFSET(3) (DATA) xor SA, T2 xor SE, T2 lea K4VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(4) (DATA), T1 add T2, SC rol $30, SE xor OFFSET(6) (DATA), T1 mov SA, T2 xor OFFSET(12) (DATA), T1 xor SE, T2 xor OFFSET(1) (DATA), T1 rol $1, T1 xor SD, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(5) (DATA), T1 add T2, SB xor OFFSET(7) (DATA), T1 xor OFFSET(13) (DATA), T1 mov SE, T2 xor SD, T2 xor OFFSET(2) (DATA), T1 xor SC, T2 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K4VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA xor OFFSET(3) (DATA), T1 mov SD, T2 rol $30, SC rol $1, T1 xor SC, T2 mov T1, OFFSET(6) (DATA) xor SB, T2 lea K4VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE add T2, SE mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 xor OFFSET(15) (DATA), T1 rol $30, SB xor OFFSET(4) (DATA), T1 mov SC, T2 rol $1, T1 mov T1, OFFSET(7) (DATA) xor SB, T2 xor SA, T2 lea K4VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD rol $30, SA mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 add T2, SD xor OFFSET(0) (DATA), T1 xor OFFSET(5) (DATA), T1 rol $1, T1 mov SB, T2 mov T1, OFFSET(8) (DATA) xor SA, T2 xor SE, T2 lea K4VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov SA, T2 mov OFFSET(9) (DATA), T1 rol $30, SE xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 xor OFFSET(6) (DATA), T1 xor SE, T2 xor SD, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(9) (DATA) mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SB mov SE, T2 xor SD, T2 xor SC, T2 xor OFFSET(7) (DATA), T1 rol $1, T1 mov T1, OFFSET(10) (DATA) lea K4VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 add T2, SA mov SD, T2 rol $30, SC xor SC, T2 xor OFFSET(8) (DATA), T1 rol $1, T1 xor SB, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(11) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(12) (DATA), T1 add T2, SE xor OFFSET(14) (DATA), T1 rol $30, SB mov SC, T2 xor OFFSET(4) (DATA), T1 xor SB, T2 xor SA, T2 xor OFFSET(9) (DATA), T1 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(12) (DATA) mov SE, T1 rol $5, T1 add T1, SD add T2, SD rol $30, SA mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 mov SB, T2 xor OFFSET(5) (DATA), T1 xor SA, T2 xor OFFSET(10) (DATA), T1 xor SE, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(13) (DATA) mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 xor OFFSET(6) (DATA), T1 add T2, SC rol $30, SE mov SA, T2 xor SE, T2 xor OFFSET(11) (DATA), T1 xor SD, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 xor OFFSET(7) (DATA), T1 rol $30, SD add T2, SB xor OFFSET(12) (DATA), T1 mov SE, T2 xor SD, T2 rol $1, T1 xor SC, T2 lea K4VALUE (T1, T2), T2 rol $30, SC mov T1, OFFSET(15) (DATA) mov SB, T1 rol $5, T1 add T1, SA add T2, SA C C Load and byteswap data C movl 88(%esp), T2 C C SWAP( 0, %eax) SWAP( 1, %ebx) SWAP( 2, %ecx) SWAP( 3, %edx) C SWAP( 4, %eax) SWAP( 5, %ebx) SWAP( 6, %ecx) SWAP( 7, %edx) C SWAP( 8, %eax) SWAP( 9, %ebx) SWAP(10, %ecx) SWAP(11, %edx) C SWAP(12, %eax) SWAP(13, %ebx) SWAP(14, %ecx) SWAP(15, %edx) C C C load the state vector C movl 84(%esp),T1 C movl (T1), SA C movl 4(T1), SB C movl 8(T1), SC C movl 12(T1), SD C movl 16(T1), SE C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 0) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 1) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 2) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 3) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 4) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 5) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 6) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 7) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 8) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 9) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 10) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 11) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 12) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 13) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 14) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 15) C ROUND_F1(SE, SA, SB, SC, SD, 16) C ROUND_F1(SD, SE, SA, SB, SC, 17) C ROUND_F1(SC, SD, SE, SA, SB, 18) C ROUND_F1(SB, SC, SD, SE, SA, 19) C C ROUND_F2(SA, SB, SC, SD, SE, 20, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 21, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 22, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 23, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 24, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 25, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 26, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 27, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 28, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 29, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 30, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 31, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 32, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 33, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 34, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 35, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 36, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 37, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 38, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 39, K2VALUE) C C ROUND_F3(SA, SB, SC, SD, SE, 40) C ROUND_F3(SE, SA, SB, SC, SD, 41) C ROUND_F3(SD, SE, SA, SB, SC, 42) C ROUND_F3(SC, SD, SE, SA, SB, 43) C ROUND_F3(SB, SC, SD, SE, SA, 44) C C ROUND_F3(SA, SB, SC, SD, SE, 45) C ROUND_F3(SE, SA, SB, SC, SD, 46) C ROUND_F3(SD, SE, SA, SB, SC, 47) C ROUND_F3(SC, SD, SE, SA, SB, 48) C ROUND_F3(SB, SC, SD, SE, SA, 49) C C ROUND_F3(SA, SB, SC, SD, SE, 50) C ROUND_F3(SE, SA, SB, SC, SD, 51) C ROUND_F3(SD, SE, SA, SB, SC, 52) C ROUND_F3(SC, SD, SE, SA, SB, 53) C ROUND_F3(SB, SC, SD, SE, SA, 54) C C ROUND_F3(SA, SB, SC, SD, SE, 55) C ROUND_F3(SE, SA, SB, SC, SD, 56) C ROUND_F3(SD, SE, SA, SB, SC, 57) C ROUND_F3(SC, SD, SE, SA, SB, 58) C ROUND_F3(SB, SC, SD, SE, SA, 59) C C ROUND_F2(SA, SB, SC, SD, SE, 60, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 61, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 62, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 63, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 64, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 65, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 66, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 67, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 68, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 69, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 70, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 71, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 72, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 73, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 74, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 75, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 76, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 77, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 78, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 79, K4VALUE) C Update the state vector movl 84(%esp),T1 addl SA, (T1) addl SB, 4(T1) addl SC, 8(T1) addl SD, 12(T1) addl SE, 16(T1) addl $64, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(nettle_sha1_compress) C TODO: C * Extend loopmixer so that it can exploit associativity, and for C example reorder C C add %eax, %ebx C add %ecx, %ebx C * Use mmx instructions for the data expansion, doing two words at a C time. nettle-4.0/x86_64/0000755000000000000000000000000015141166424010540 5ustar00nettle-4.0/x86_64/README0000644000000000000000000000271315141166424011423 0ustar00ABI, according to http://www.x86-64.org/documentation/abi-0.99.pdf: Up to 6 integer and pointer arguments are passed in registers. Nine registers, %rax, %rcx, %rdx, %rsi, %rdi and %r8-%r11 can be used freely. Integers and pointers are returned in %rax. At entry, it is required that %rsp == 8 (mod 16). Registers May be Argument clobbered number %rax Y %rbx %rcx Y 4 %rdx Y 3 %rbp %rsi Y 2 %rdi Y 1 %rsp (SP) %r8 Y 5 %r9 Y 6 %r10 Y %r11 Y %r12 %r13 %r14 %r15 W64 ABI, according to http://msdn.microsoft.com/en-us/library/9z1stfyw.aspx: Registers May be Argument clobbered number %rax Y %rbx %rcx Y 1 %rdx Y 2 %rbp %rsi %rdi %rsp (SP) %r8 Y 3 %r9 Y 4 %r10 Y %r11 Y %r12 %r13 %r14 %r15 Additional arguments are passed on the stack. "backing store" on the stack for the four register arguments is also required. %xmm6 to %xmm15 are callee-saved. The "long" type is just 32 bits. If we have six arguments, and push the additional callee-save registers %rdi and %rsi on the stack, we get a stack frame like 64(%rsp): Sixth argument 56(%rsp): Fifth argument 48(%rsp): Space for fourth argument 40(%rsp): Space for third argument 32(%rsp): Space for second argument 24(%rsp): Space for first argument 16(%rsp): Return address 8(%rsp) : Saved %rdi (%rsp): Saved %rsi If, in addition, we use more than 6 %xmm registers, we push them *after* %rdi (but before %rsi), so that they are stored at 16-byte aligned addresses. nettle-4.0/x86_64/aes-decrypt-internal.asm0000644000000000000000000000653315141166424015303 0ustar00C x86_64/aes-decrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/aes.m4') C Register usage: C AES state, use two of them define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') define(`TA',`%r10d') define(`TB',`%r11d') define(`TC',`%r12d') C Input argument define(`ROUNDS', `%rdi') define(`KEYS', `%rsi') define(`PARAM_TABLE', `%rdx') define(`PARAM_LENGTH',`%rcx') define(`DST', `%r8') define(`SRC', `%r9') define(`TABLE', `%r13') define(`LENGTH',`%r14') define(`KEY', `%r15') C Must correspond to an old-style register, for movzb from %ah--%dh to C work. define(`TMP',`%rbp') .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend C save all registers that need to be saved push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 subl $1, XREG(ROUNDS) push ROUNDS C Rounds stored at (%rsp) mov PARAM_TABLE, TABLE mov PARAM_LENGTH, LENGTH shr $4, LENGTH .Lblock_loop: mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer movl (%rsp), XREG(ROUNDS) sub $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SD,SC,SB, TA, TMP) AES_ROUND(TABLE, SB,SA,SD,SC, TB, TMP) AES_ROUND(TABLE, SC,SB,SA,SD, TC, TMP) AES_ROUND(TABLE, SD,SC,SB,SA, SD, TMP) movl TA, SA movl TB, SB movl TC, SC xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD sub $16, KEY C point to next key decl XREG(ROUNDS) jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SD,SC,SB, TABLE, TA, TMP) AES_FINAL_ROUND(SB,SA,SD,SC, TABLE, TB, TMP) AES_FINAL_ROUND(SC,SB,SA,SD, TABLE, TC, TMP) AES_FINAL_ROUND(SD,SC,SB,SA, TABLE, SD, TMP) C Inverse S-box substitution mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store decrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST dec LENGTH jnz .Lblock_loop lea 8(%rsp), %rsp C Drop ROUNDS pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_decrypt) nettle-4.0/x86_64/aes-encrypt-internal.asm0000644000000000000000000000651615141166424015316 0ustar00C x86_64/aes-encrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/aes.m4') C Register usage: C AES state, use two of them define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') define(`TA',`%r10d') define(`TB',`%r11d') define(`TC',`%r12d') C Input argument define(`ROUNDS', `%rdi') define(`KEYS', `%rsi') define(`PARAM_TABLE', `%rdx') define(`PARAM_LENGTH',`%rcx') define(`DST', `%r8') define(`SRC', `%r9') define(`TABLE', `%r13') define(`LENGTH',`%r14') define(`KEY', `%r15') C Must correspond to an old-style register, for movzb from %ah--%dh to C work. define(`TMP',`%rbp') .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend C save all registers that need to be saved push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 subl $1, XREG(ROUNDS) push ROUNDS C Rounds at (%rsp) mov PARAM_TABLE, TABLE mov PARAM_LENGTH, LENGTH shr $4, LENGTH .Lblock_loop: mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer movl (%rsp), XREG(ROUNDS) add $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SB,SC,SD, TA, TMP) AES_ROUND(TABLE, SB,SC,SD,SA, TB, TMP) AES_ROUND(TABLE, SC,SD,SA,SB, TC, TMP) AES_ROUND(TABLE, SD,SA,SB,SC, SD, TMP) movl TA, SA movl TB, SB movl TC, SC xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD add $16, KEY C point to next key decl XREG(ROUNDS) jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SB,SC,SD, TABLE, TA, TMP) AES_FINAL_ROUND(SB,SC,SD,SA, TABLE, TB, TMP) AES_FINAL_ROUND(SC,SD,SA,SB, TABLE, TC, TMP) AES_FINAL_ROUND(SD,SA,SB,SC, TABLE, SD, TMP) C S-box substitution mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store encrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST dec LENGTH jnz .Lblock_loop lea 8(%rsp), %rsp C Drop ROUNDS pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_encrypt) nettle-4.0/x86_64/aes.m40000644000000000000000000000552415141166424011560 0ustar00dnl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. define(`LREG',`ifelse( $1, %eax, %al, $1, %ebx, %bl, $1, %ecx, %cl, $1, %edx, %dl, $1, %esi, %sil, $1, %edi, %dil, $1, %ebp, %bpl, $1, %esp, %spl, $1, %r8d, %r8b, $1, %r9d, %r9b, $1, %r10d, %r10b, $1, %r11d, %r11b, $1, %r12d, %r12b, $1, %r13d, %r13b, $1, %r14d, %r14b, $1, %r15d, %r15b)')dnl define(`HREG',`ifelse( $1, %eax, %ah, $1, %ebx, %bh, $1, %ecx, %ch, $1, %edx, %dh, error)') define(`XREG',`ifelse( $1, %rax, %eax, $1, %rbx, %ebx, $1, %rcx, %ecx, $1, %rdx, %edx, $1, %rsi, %esi, $1, %rdi, %edi, $1, %rbp, %ebp, $1, %rsp, %esp, $1, %r8, %r8d, $1, %r9, %r9d, $1, %r10,%r10d, $1, %r11,%r11d, $1, %r12,%r12d, $1, %r13,%r13d, $1, %r14,%r14d, $1, %r15,%r15d)')dnl dnl AES_LOAD(a, b, c, d, src, key) dnl Loads the next block of data from src, and add the subkey pointed dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_LOAD', ` movl ($5),$1 movl 4($5),$2 movl 8($5),$3 movl 12($5),$4 xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 xorl 12($6),$4')dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_STORE', ` xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 xorl 12($5),$4 movl $1,($6) movl $2,4($6) movl $3,8($6) movl $4,12($6)')dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. define(`AES_ROUND', ` movzb LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzb HREG($3), XREG($7) xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,XREG($7) shr `$'16,$7 and `$'0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,XREG($7) shr `$'24,$7 xorl AES_TABLE3 ($1, $7, 4),$6')dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. Leaves result in $6. Also dnl performs the first substitution step, on the least significant dnl byte, and rotates 8 bits. define(`AES_FINAL_ROUND', ` movzb LREG($1),$7 movzbl ($5, $7), $6 movl $2,XREG($7) andl `$'0x0000ff00,XREG($7) orl XREG($7), $6 movl $3,XREG($7) andl `$'0x00ff0000,XREG($7) orl XREG($7), $6 movl $4,XREG($7) andl `$'0xff000000,XREG($7) orl XREG($7), $6 roll `$'8, $6')dnl dnl AES_SUBST_BYTE(A, B, C, D, table, tmp) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. dnl Uses that AES_SBOX == 0 define(`AES_SUBST_BYTE', ` movzb LREG($1),$6 movb ($5, $6),LREG($1) roll `$'8,$1 movzb LREG($2),$6 movb ($5, $6),LREG($2) roll `$'8,$2 movzb LREG($3),$6 movb ($5, $6),LREG($3) roll `$'8,$3 movzb LREG($4),$6 movb ($5, $6),LREG($4) roll `$'8,$4')dnl nettle-4.0/x86_64/aesni/0000755000000000000000000000000015141166424011637 5ustar00nettle-4.0/x86_64/aesni/aes128-decrypt.asm0000644000000000000000000000551515141166424015022 0ustar00C x86_64/aesni/aes128-decrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`X', `%xmm11') define(`Y', `%xmm12') .file "aes128-decrypt.asm" C nettle_aes128_decrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes128_decrypt) W64_ENTRY(4, 13) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups 160(CTX), KEY0 movups 144(CTX), KEY1 movups 128(CTX), KEY2 movups 112(CTX), KEY3 movups 96(CTX), KEY4 movups 80(CTX), KEY5 movups 64(CTX), KEY6 movups 48(CTX), KEY7 movups 32(CTX), KEY8 movups 16(CTX), KEY9 movups (CTX), KEY10 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesdec KEY1, X aesdec KEY2, X aesdec KEY3, X aesdec KEY4, X aesdec KEY5, X aesdec KEY6, X aesdec KEY7, X aesdec KEY8, X aesdec KEY9, X aesdeclast KEY10, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesdec KEY1, X aesdec KEY1, Y aesdec KEY2, X aesdec KEY2, Y aesdec KEY3, X aesdec KEY3, Y aesdec KEY4, X aesdec KEY4, Y aesdec KEY5, X aesdec KEY5, Y aesdec KEY6, X aesdec KEY6, Y aesdec KEY7, X aesdec KEY7, Y aesdec KEY8, X aesdec KEY8, Y aesdec KEY9, X aesdec KEY9, Y aesdeclast KEY10, X aesdeclast KEY10, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 13) ret EPILOGUE(nettle_aes128_decrypt) nettle-4.0/x86_64/aesni/aes128-encrypt.asm0000644000000000000000000000551515141166424015034 0ustar00C x86_64/aesni/aes128-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`X', `%xmm11') define(`Y', `%xmm12') .file "aes128-encrypt.asm" C nettle_aes128_encrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes128_encrypt) W64_ENTRY(4, 13) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenclast KEY10, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesenc KEY1, X aesenc KEY1, Y aesenc KEY2, X aesenc KEY2, Y aesenc KEY3, X aesenc KEY3, Y aesenc KEY4, X aesenc KEY4, Y aesenc KEY5, X aesenc KEY5, Y aesenc KEY6, X aesenc KEY6, Y aesenc KEY7, X aesenc KEY7, Y aesenc KEY8, X aesenc KEY8, Y aesenc KEY9, X aesenc KEY9, Y aesenclast KEY10, X aesenclast KEY10, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 13) ret EPILOGUE(nettle_aes128_encrypt) nettle-4.0/x86_64/aesni/aes192-decrypt.asm0000644000000000000000000000602715141166424015022 0ustar00C x86_64/aesni/aes192-decrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`KEY11', `%xmm11') define(`KEY12', `%xmm12') define(`X', `%xmm13') define(`Y', `%xmm14') .file "aes192-decrypt.asm" C nettle_aes192_decrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes192_decrypt) W64_ENTRY(4, 15) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups 192(CTX), KEY0 movups 176(CTX), KEY1 movups 160(CTX), KEY2 movups 144(CTX), KEY3 movups 128(CTX), KEY4 movups 112(CTX), KEY5 movups 96(CTX), KEY6 movups 80(CTX), KEY7 movups 64(CTX), KEY8 movups 48(CTX), KEY9 movups 32(CTX), KEY10 movups 16(CTX), KEY11 movups (CTX), KEY12 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesdec KEY1, X aesdec KEY2, X aesdec KEY3, X aesdec KEY4, X aesdec KEY5, X aesdec KEY6, X aesdec KEY7, X aesdec KEY8, X aesdec KEY9, X aesdec KEY10, X aesdec KEY11, X aesdeclast KEY12, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesdec KEY1, X aesdec KEY1, Y aesdec KEY2, X aesdec KEY2, Y aesdec KEY3, X aesdec KEY3, Y aesdec KEY4, X aesdec KEY4, Y aesdec KEY5, X aesdec KEY5, Y aesdec KEY6, X aesdec KEY6, Y aesdec KEY7, X aesdec KEY7, Y aesdec KEY8, X aesdec KEY8, Y aesdec KEY9, X aesdec KEY9, Y aesdec KEY10, X aesdec KEY10, Y aesdec KEY11, X aesdec KEY11, Y aesdeclast KEY12, X aesdeclast KEY12, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 15) ret EPILOGUE(nettle_aes192_decrypt) nettle-4.0/x86_64/aesni/aes192-encrypt.asm0000644000000000000000000000602715141166424015034 0ustar00C x86_64/aesni/aes192-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`KEY11', `%xmm11') define(`KEY12', `%xmm12') define(`X', `%xmm13') define(`Y', `%xmm14') .file "aes192-encrypt.asm" C nettle_aes192_encrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes192_encrypt) W64_ENTRY(4, 15) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenclast KEY12, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesenc KEY1, X aesenc KEY1, Y aesenc KEY2, X aesenc KEY2, Y aesenc KEY3, X aesenc KEY3, Y aesenc KEY4, X aesenc KEY4, Y aesenc KEY5, X aesenc KEY5, Y aesenc KEY6, X aesenc KEY6, Y aesenc KEY7, X aesenc KEY7, Y aesenc KEY8, X aesenc KEY8, Y aesenc KEY9, X aesenc KEY9, Y aesenc KEY10, X aesenc KEY10, Y aesenc KEY11, X aesenc KEY11, Y aesenclast KEY12, X aesenclast KEY12, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 15) ret EPILOGUE(nettle_aes192_encrypt) nettle-4.0/x86_64/aesni/aes256-decrypt.asm0000644000000000000000000000644615141166424015030 0ustar00C x86_64/aesni/aes256-decrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0_7', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY8', `%xmm7') define(`KEY9', `%xmm8') define(`KEY10', `%xmm9') define(`KEY11', `%xmm10') define(`KEY12', `%xmm11') define(`KEY13', `%xmm12') define(`KEY14', `%xmm13') define(`X', `%xmm14') define(`Y', `%xmm15') .file "aes256-decrypt.asm" C nettle_aes256_decrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes256_decrypt) W64_ENTRY(4, 16) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups 224(CTX), KEY0_7 movups 208(CTX), KEY1 movups 192(CTX), KEY2 movups 176(CTX), KEY3 movups 160(CTX), KEY4 movups 144(CTX), KEY5 movups 128(CTX), KEY6 movups 96(CTX), KEY8 movups 80(CTX), KEY9 movups 64(CTX), KEY10 movups 48(CTX), KEY11 movups 32(CTX), KEY12 movups 16(CTX), KEY13 movups (CTX), KEY14 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0_7, X movups 112(CTX), KEY0_7 aesdec KEY1, X aesdec KEY2, X aesdec KEY3, X aesdec KEY4, X aesdec KEY5, X aesdec KEY6, X aesdec KEY0_7, X movups 224(CTX), KEY0_7 aesdec KEY8, X aesdec KEY9, X aesdec KEY10, X aesdec KEY11, X aesdec KEY12, X aesdec KEY13, X aesdeclast KEY14, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0_7, X pxor KEY0_7, Y movups 112(CTX), KEY0_7 aesdec KEY1, X aesdec KEY1, Y aesdec KEY2, X aesdec KEY2, Y aesdec KEY3, X aesdec KEY3, Y aesdec KEY4, X aesdec KEY4, Y aesdec KEY5, X aesdec KEY5, Y aesdec KEY6, X aesdec KEY6, Y aesdec KEY0_7, X aesdec KEY0_7, Y movups 224(CTX), KEY0_7 aesdec KEY8, X aesdec KEY8, Y aesdec KEY9, X aesdec KEY9, Y aesdec KEY10, X aesdec KEY10, Y aesdec KEY11, X aesdec KEY11, Y aesdec KEY12, X aesdec KEY12, Y aesdec KEY13, X aesdec KEY13, Y aesdeclast KEY14, X aesdeclast KEY14, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 16) ret EPILOGUE(nettle_aes256_decrypt) nettle-4.0/x86_64/aesni/aes256-encrypt.asm0000644000000000000000000000643715141166424015042 0ustar00C x86_64/aesni/aes256-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0_7', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY8', `%xmm7') define(`KEY9', `%xmm8') define(`KEY10', `%xmm9') define(`KEY11', `%xmm10') define(`KEY12', `%xmm11') define(`KEY13', `%xmm12') define(`KEY14', `%xmm13') define(`X', `%xmm14') define(`Y', `%xmm15') .file "aes256-encrypt.asm" C nettle_aes256_encrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes256_encrypt) W64_ENTRY(4, 16) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0_7 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 movups 208(CTX), KEY13 movups 224(CTX), KEY14 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0_7, X movups 112(CTX), KEY0_7 aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY0_7, X movups (CTX), KEY0_7 aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenc KEY12, X aesenc KEY13, X aesenclast KEY14, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0_7, X pxor KEY0_7, Y movups 112(CTX), KEY0_7 aesenc KEY1, X aesenc KEY1, Y aesenc KEY2, X aesenc KEY2, Y aesenc KEY3, X aesenc KEY3, Y aesenc KEY4, X aesenc KEY4, Y aesenc KEY5, X aesenc KEY5, Y aesenc KEY6, X aesenc KEY6, Y aesenc KEY0_7, X aesenc KEY0_7, Y movups (CTX), KEY0_7 aesenc KEY8, X aesenc KEY8, Y aesenc KEY9, X aesenc KEY9, Y aesenc KEY10, X aesenc KEY10, Y aesenc KEY11, X aesenc KEY11, Y aesenc KEY12, X aesenc KEY12, Y aesenc KEY13, X aesenc KEY13, Y aesenclast KEY14, X aesenclast KEY14, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 16) ret EPILOGUE(nettle_aes256_encrypt) nettle-4.0/x86_64/aesni/cbc-aes128-encrypt.asm0000644000000000000000000000474715141166424015567 0ustar00C x86_64/aesni/cbc-aes128-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`IV', `%rsi') define(`LENGTH',`%rdx') define(`DST', `%rcx') define(`SRC', `%r8') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`X', `%xmm11') define(`BLOCK', `%xmm12') .file "cbc-aes128-encrypt.asm" C nettle_cbc_aes128_encrypt(struct cbc_aes128_ctx *ctx, C uint8_t *iv, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_cbc_aes128_encrypt) W64_ENTRY(5, 13) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups (IV), X .Lblock_loop: movups (SRC), BLOCK C Cleartext block pxor KEY0, X pxor BLOCK, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenclast KEY10, X movups X, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop movups X, (IV) .Lend: W64_EXIT(5, 13) ret EPILOGUE(nettle_cbc_aes128_encrypt) nettle-4.0/x86_64/aesni/cbc-aes192-encrypt.asm0000644000000000000000000000515515141166424015562 0ustar00C x86_64/aesni/cbc-aes192-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`IV', `%rsi') define(`LENGTH',`%rdx') define(`DST', `%rcx') define(`SRC', `%r8') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`KEY11', `%xmm11') define(`KEY12', `%xmm12') define(`X', `%xmm13') define(`BLOCK', `%xmm14') .file "cbc-aes192-encrypt.asm" C nettle_cbc_aes192_encrypt(struct cbc_aes192_ctx *ctx, C uint8_t *iv, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_cbc_aes192_encrypt) W64_ENTRY(5, 15) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 movups (IV), X .Lblock_loop: movups (SRC), BLOCK C Cleartext block pxor KEY0, X pxor BLOCK, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenclast KEY12, X movups X, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop movups X, (IV) .Lend: W64_EXIT(5, 15) ret EPILOGUE(nettle_cbc_aes192_encrypt) nettle-4.0/x86_64/aesni/cbc-aes256-encrypt.asm0000644000000000000000000000537315141166424015565 0ustar00C x86_64/aesni/cbc-aes256-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`IV', `%rsi') define(`LENGTH',`%rdx') define(`DST', `%rcx') define(`SRC', `%r8') define(`KEY0_7', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY8', `%xmm7') define(`KEY9', `%xmm8') define(`KEY10', `%xmm9') define(`KEY11', `%xmm10') define(`KEY12', `%xmm11') define(`KEY13', `%xmm12') define(`KEY14', `%xmm13') define(`X', `%xmm14') define(`BLOCK', `%xmm15') .file "cbc-aes256-encrypt.asm" C nettle_cbc_aes256_encrypt(struct cbc_aes256_ctx *ctx, C uint8_t *iv, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_cbc_aes256_encrypt) W64_ENTRY(5, 16) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0_7 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 movups 208(CTX), KEY13 movups 224(CTX), KEY14 movups (IV), X .Lblock_loop: movups (SRC), BLOCK C Cleartext block pxor KEY0_7, X movups 112(CTX), KEY0_7 pxor BLOCK, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY0_7, X movups (CTX), KEY0_7 aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenc KEY12, X aesenc KEY13, X aesenclast KEY14, X movups X, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop movups X, (IV) .Lend: W64_EXIT(5, 16) ret EPILOGUE(nettle_cbc_aes256_encrypt) nettle-4.0/x86_64/camellia-crypt-internal.asm0000644000000000000000000000777715141166424016004 0ustar00C x86_64/camellia-crypt-internal.asm ifelse(` Copyright (C) 2010, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Performance, cycles per block C C Intel SU4100 C C asm C Camellia-128 415 347 C Camellia-256 543 461 C Register usage: define(`NKEYS', `%rdi') define(`KEYS', `%rsi') define(`TABLE', `%rdx') define(`LENGTH', `%rcx') define(`DST', `%r8') define(`SRC', `%r9') C Camellia state define(`I0', `%rax') define(`I1', `%rbx') C callee-save define(`KEY', `%r13') C callee-save define(`TMP', `%rbp') C callee-save define(`CNT', `%r10') define(`IL', `%r11') define(`IR', `%r12') C callee-save define(`SP1110', `(TABLE,$1,4)') define(`SP0222', `1024(TABLE,$1,4)') define(`SP3033', `2048(TABLE,$1,4)') define(`SP4404', `3072(TABLE,$1,4)') C ROUND(x, y, key-offset) define(`ROUND', ` C Byte 0,1 movzbl LREG($1), XREG(TMP) movl SP1110(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP4404(TMP), XREG(IR) ror `$'32, $1 C Byte 4,5 movzbl LREG($1), XREG(TMP) movl SP4404(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IL) rol `$'16, $1 C Byte 2,3 movzbl LREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IR) ror `$'32, $1 C Byte 6,7 movzbl LREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP1110(TMP), XREG(IL) ror `$'16, $1 C 76543210 xorl XREG(IL), XREG(IR) rorl `$'8, XREG(IL) xorl XREG(IR), XREG(IL) shl `$'32, IR or IL, IR xor $3(KEY), $2 xor IR, $2 ') C FL(x, key-offset) define(`FL', ` mov $1, TMP shr `$'32, TMP andl $2 + 4(KEY), XREG(TMP) roll `$'1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) shl `$'32, TMP xor TMP, $1 ') C FLINV(x0, key-offset) define(`FLINV', ` movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) shl `$'32, TMP xor TMP, $1 mov $1, TMP shr `$'32, TMP andl $2 + 4(KEY), XREG(TMP) roll `$'1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 ') .file "camellia-crypt-internal.asm" C _camellia_crypt(unsigned nkeys, const uint64_t *keys, C const struct camellia_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_camellia_crypt) W64_ENTRY(6, 0) test LENGTH, LENGTH jz .Lend push %rbx push %rbp push %r12 push %r13 sub $8, NKEYS .Lblock_loop: C Load data, note that we'll happily do unaligned loads mov (SRC), I0 bswap I0 mov 8(SRC), I1 bswap I1 add $16, SRC mov XREG(NKEYS), XREG(CNT) mov KEYS, KEY C Whitening using first subkey xor (KEY), I0 add $8, KEY ROUND(I0, I1, 0) ROUND(I1, I0, 8) ROUND(I0, I1, 16) ROUND(I1, I0, 24) ROUND(I0, I1, 32) ROUND(I1, I0, 40) .Lround_loop: add $64, KEY FL(I0, -16) FLINV(I1, -8) ROUND(I0, I1, 0) ROUND(I1, I0, 8) ROUND(I0, I1, 16) ROUND(I1, I0, 24) ROUND(I0, I1, 32) ROUND(I1, I0, 40) sub $8, CNT ja .Lround_loop bswap I0 mov I0, 8(DST) xor 48(KEY), I1 bswap I1 mov I1, (DST) add $16, DST sub $16, LENGTH ja .Lblock_loop pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_camellia_crypt) nettle-4.0/x86_64/chacha-core-internal.asm0000644000000000000000000000504015141166424015210 0ustar00C x86_64/chacha-core-internal.asm ifelse(` Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`DST', `%rdi') define(`SRC', `%rsi') define(`COUNT', `%rdx') define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`T0', `%xmm4') define(`T1', `%xmm5') define(`USE_PSHUFW', `yes') C ROTL_BY_16(REG, TMP) ifelse(USE_PSHUFW, `yes', ` define(`ROTL_BY_16', ` pshufhw `$'0xb1, $1, $1 pshuflw `$'0xb1, $1, $1 ')', ` define(`ROTL_BY_16', ` pslld `$'16, $1 psrld `$'16, $2 por $2, $1 ') ') C QROUND(x0, x1, x2, x3) define(`QROUND', ` paddd $2, $1 pxor $1, $4 movaps $4, T0 ROTL_BY_16($4, T0) paddd $4, $3 pxor $3, $2 movaps $2, T0 pslld `$'12, $2 psrld `$'20, T0 por T0, $2 paddd $2, $1 pxor $1, $4 movaps $4, T0 pslld `$'8, $4 psrld `$'24, T0 por T0, $4 paddd $4, $3 pxor $3, $2 movaps $2, T0 pslld `$'7, $2 psrld `$'25, T0 por T0, $2 ') C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_chacha_core) W64_ENTRY(3, 6) movups (SRC), X0 movups 16(SRC), X1 movups 32(SRC), X2 movups 48(SRC), X3 shrl $1, XREG(COUNT) ALIGN(16) .Loop: QROUND(X0, X1, X2, X3) pshufd $0x39, X1, X1 pshufd $0x4e, X2, X2 pshufd $0x93, X3, X3 QROUND(X0, X1, X2, X3) pshufd $0x93, X1, X1 pshufd $0x4e, X2, X2 pshufd $0x39, X3, X3 decl XREG(COUNT) jnz .Loop movups (SRC), T0 movups 16(SRC), T1 paddd T0, X0 paddd T1, X1 movups X0,(DST) movups X1,16(DST) movups 32(SRC), T0 movups 48(SRC), T1 paddd T0, X2 paddd T1, X3 movups X2,32(DST) movups X3,48(DST) W64_EXIT(3, 6) ret EPILOGUE(_nettle_chacha_core) nettle-4.0/x86_64/ecc-curve25519-modp.asm0000644000000000000000000000416015141166424014462 0ustar00C x86_64/ecc-curve25519-modp.asm ifelse(` Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve25519-modp.asm" define(`RP', `%rsi') define(`XP', `%rdx') C Overlaps with mul register define(`U0', `%rdi') C Overlaps unused modulo input define(`U1', `%rcx') define(`U2', `%r8') define(`U3', `%r9') define(`T0', `%r10') define(`T1', `%r11') define(`M', `%rbx') .text ALIGN(16) PROLOGUE(_nettle_ecc_curve25519_modp) W64_ENTRY(3, 0) push %rbx push RP mov XP, RP C First fold the limbs affecting bit 255 mov 56(RP), %rax mov $38, M mul M mov 24(RP), U3 xor T0, T0 add %rax, U3 adc %rdx, T0 mov 40(RP), %rax C Do this early as possible mul M add U3, U3 adc T0, T0 shr U3 C Undo shift, clear high bit C Fold the high limb again, together with RP[5] imul $19, T0 mov (RP), U0 mov 8(RP), U1 mov 16(RP), U2 add T0, U0 adc %rax, U1 mov 32(RP), %rax adc %rdx, U2 adc $0, U3 C Fold final two limbs, RP[4] and RP[6] mul M mov %rax, T0 mov 48(RP), %rax mov %rdx, T1 mul M pop RP add T0, U0 mov U0, (RP) adc T1, U1 mov U1, 8(RP) adc %rax, U2 mov U2, 16(RP) adc %rdx, U3 mov U3, 24(RP) pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_curve25519_modp) nettle-4.0/x86_64/ecc-curve448-modp.asm0000644000000000000000000000524515141166424014321 0ustar00C x86_64/ecc-curve448-modp.asm ifelse(` Copyright (C) 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve448-modp.asm" define(`RP', `%rsi') define(`XP', `%rdx') define(`X0', `%rax') define(`X1', `%rbx') define(`X2', `%rcx') define(`X3', `%rbp') define(`X4', `%rdi') define(`X5', `%r8') define(`X6', `%r9') define(`X7', `%r10') define(`T0', `%r11') define(`T1', `%r12') define(`T2', `%r13') .text ALIGN(16) PROLOGUE(_nettle_ecc_curve448_modp) W64_ENTRY(3, 0) push %rbx push %rbp push %r12 push %r13 C First load the values to be shifted by 32. mov 88(XP), X1 mov X1, X0 mov 96(XP), X2 mov X1, T0 mov 104(XP), X3 mov X2, T1 mov 56(XP), X4 mov X3, T2 mov 64(XP), X5 mov 72(XP), X6 mov 80(XP), X7 C Multiply by 2^32 shl $32, X0 shrd $32, X2, X1 shrd $32, X3, X2 shrd $32, X4, X3 shrd $32, X5, X4 shrd $32, X6, X5 shrd $32, X7, X6 shr $32, X7 C Multiply by 2 add T0, T0 adc T1, T1 adc T2, T2 adc $0, X7 C Main additions add 56(XP), X0 adc 64(XP), X1 adc 72(XP), X2 adc 80(XP), X3 adc T0, X4 adc T1, X5 adc T2, X6 adc $0, X7 add (XP), X0 adc 8(XP), X1 adc 16(XP), X2 adc 24(XP), X3 adc 32(XP), X4 adc 40(XP), X5 adc 48(XP), X6 adc $0, X7 C X7 wraparound mov X7, T0 mov X7, T1 shl $32, T0 shr $32, T1 xor T2, T2 add X7, X0 adc $0, X1 adc $0, X2 adc T0, X3 adc T1, X4 adc $0, X5 adc $0, X6 adc $0, T2 C Final carry wraparound. Carry T2 > 0 only if C X6 is zero, so carry is absorbed. mov T2, T0 shl $32, T0 add T2, X0 mov X0, (RP) adc $0, X1 mov X1, 8(RP) adc $0, X2 mov X2, 16(RP) adc T0, X3 mov X3, 24(RP) adc $0, X4 mov X4, 32(RP) adc $0, X5 mov X5, 40(RP) adc $0, X6 mov X6, 48(RP) pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_curve448_modp) nettle-4.0/x86_64/ecc-secp192r1-modp.asm0000644000000000000000000000367015141166424014366 0ustar00C x86_64/ecc-secp192r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp192r1-modp.asm" define(`RP', `%rsi') define(`XP', `%rdx') define(`T0', `%rdi') C Overlaps unused modulo input define(`T1', `%rcx') define(`T2', `%rax') define(`T3', `%r8') define(`H', `%r9') define(`C1', `%r10') define(`C2', `%r11') C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) .text ALIGN(16) PROLOGUE(_nettle_ecc_secp192r1_modp) W64_ENTRY(3, 0) mov 16(XP), T2 mov 24(XP), T3 mov 40(XP), H xor C1, C1 xor C2, C2 add H, T2 adc H, T3 C Carry to be added in at T1 and T2 setc LREG(C2) mov 8(XP), T1 mov 32(XP), H adc H, T1 adc H, T2 C Carry to be added in at T0 and T1 setc LREG(C1) mov (XP), T0 adc T3, T0 adc T3, T1 adc $0, C2 C Add in C1 and C2 add C1, T1 adc C2, T2 setc LREG(C1) C Fold final carry. adc $0, T0 adc C1, T1 adc $0, T2 mov T0, (RP) mov T1, 8(RP) mov T2, 16(RP) W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp192r1_modp) nettle-4.0/x86_64/ecc-secp224r1-modp.asm0000644000000000000000000000535015141166424014357 0ustar00C x86_64/ecc-secp224r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp224r1-modp.asm" GMP_NUMB_BITS(64) define(`RP', `%rsi') define(`XP', `%rdx') define(`T0', `%rdi') C Overlaps unused modulo input define(`T1', `%rcx') define(`H0', `%rax') define(`H1', `%r8') define(`H2', `%r9') define(`F0', `%rsi') C Overlaps RP define(`F1', `%r10') define(`F2', `%r11') C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) .text ALIGN(16) PROLOGUE(_nettle_ecc_secp224r1_modp) W64_ENTRY(3, 0) push RP mov 48(XP), H0 mov 56(XP), H1 C Set (F2,F1,F0) <-- (H1,H0) << 32 mov H0, F0 mov H0, F1 shl $32, F0 shr $32, F1 mov H1, F2 mov H1, T0 shl $32, T0 shr $32, F2 or T0, F1 xor H2, H2 mov 16(XP), T0 mov 24(XP), T1 sub F0, T0 sbb F1, T1 sbb F2, H0 sbb $0, H1 C No further borrow adc 32(XP), H0 adc 40(XP), H1 adc $0, H2 C Set (F2,F1,F0) <-- (H2,H1,H0) << 32 C To free registers, add in T1, T0 as soon as H0, H1 have been copied mov H0, F0 mov H0, F1 add T0, H0 mov H1, F2 mov H1, T0 adc T1, H1 mov H2, T1 adc $0, H2 C Shift 32 bits shl $32, F0 shr $32, F1 shl $32, T0 shr $32, F2 shl $32, T1 or T0, F1 or T1, F2 mov (XP), T0 mov 8(XP), T1 sub F0, T0 sbb F1, T1 sbb F2, H0 sbb $0, H1 sbb $0, H2 C We now have H2, H1, H0, T1, T0, with 33 bits left to reduce C Set F0 <-- (H2, H1) >> 32 C Set (F2,F1) <-- (H2, H1 & 0xffffffff00000000) C H1 <-- H1 & 0xffffffff mov H1, F0 mov H1, F1 mov H2, F2 movl XREG(H1), XREG(H1) C Clears high 32 bits sub H1, F1 C Clears low 32 bits shr $32, F0 shl $32, H2 or H2, F0 sub F0, T0 sbb $0, F1 sbb $0, F2 add F1, T1 adc F2, H0 adc $0, H1 pop RP mov T0, (RP) mov T1, 8(RP) mov H0, 16(RP) mov H1, 24(RP) W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp224r1_modp) nettle-4.0/x86_64/ecc-secp256r1-redc.asm0000644000000000000000000000516615141166424014347 0ustar00C x86_64/ecc-secp256r1-redc.asm ifelse(` Copyright (C) 2013, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp256r1-redc.asm" define(`RP', `%rsi') define(`XP', `%rdx') define(`U0', `%rdi') C Overlaps unused modulo input define(`U1', `%rcx') define(`U2', `%rax') define(`U3', `%r8') define(`F0', `%r9') define(`F1', `%r10') define(`F2', `%r11') define(`F3', `%rdx') C Overlap XP, used only in final carry folding C FOLD(x), sets (x,F2,F1,F0 ) <-- (x << 192) - (x << 160) + (x << 128) + (x << 32) define(`FOLD', ` mov $1, F0 mov $1, F1 mov $1, F2 shl `$'32, F0 shr `$'32, F1 sub F0, F2 sbb F1, $1 ') C FOLDC(x), sets (x,F2,F1,F0) <-- ((x+c) << 192) - (x << 160) + (x << 128) + (x << 32) define(`FOLDC', ` mov $1, F0 mov $1, F1 mov $1, F2 adc `$'0, $1 C May overflow, but final result will not. shl `$'32, F0 shr `$'32, F1 sub F0, F2 sbb F1, $1 ') .text ALIGN(16) PROLOGUE(_nettle_ecc_secp256r1_redc) W64_ENTRY(3, 0) mov (XP), U0 FOLD(U0) mov 8(XP), U1 mov 16(XP), U2 mov 24(XP), U3 add F0, U1 adc F1, U2 adc F2, U3 adc 32(XP), U0 FOLDC(U1) add F0, U2 adc F1, U3 adc F2, U0 adc 40(XP), U1 FOLDC(U2) add F0, U3 adc F1, U0 adc F2, U1 adc 48(XP), U2 FOLDC(U3) add F0, U0 adc F1, U1 adc F2, U2 adc 56(XP), U3 C Sum, including carry, is < 2^{256} + p. C If carry, we need to add in 2^{256} mod p = 2^{256} - p C = <0xfffffffe, 0xff..ff, 0xffffffff00000000, 1> C and this addition can not overflow. sbb F2, F2 mov F2, F0 mov F2, F1 mov XREG(F2), XREG(F3) neg F0 shl $32, F1 and $-2, XREG(F3) add F0, U0 mov U0, (RP) adc F1, U1 mov U1, 8(RP) adc F2, U2 mov U2, 16(RP) adc F3, U3 mov U3, 24(RP) W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp256r1_redc) nettle-4.0/x86_64/ecc-secp384r1-modp.asm0000644000000000000000000001023515141166424014364 0ustar00C x86_64/ecc-secp384r1-modp.asm ifelse(` Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp384r1-modp.asm" C Input arguments: C %rdi (unused) define(`RP', `%rsi') define(`XP', `%rdx') define(`D5', `%rax') define(`T0', `%rbx') define(`T1', `%rcx') define(`T2', `%rdi') define(`T3', `%rbp') define(`T4', `%rsi') define(`T5', `%r8') define(`H0', `%r9') define(`H1', `%r10') define(`H2', `%r11') define(`H3', `%r12') define(`H4', `%r13') define(`H5', `%r14') define(`C2', `%r15') define(`C0', H5) C Overlap define(`TMP', XP) C Overlap C void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) .text ALIGN(16) PROLOGUE(_nettle_ecc_secp384r1_modp) W64_ENTRY(3, 0) push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 push RP C Output pointer C First get top 2 limbs, which need folding twice. C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. C We handle the terms as follow: C C B^6: Folded immediatly. C C B^4: Delayed, added in in the next folding. C C 2^32(B-1) B^4: Low half limb delayed until the next C folding. Top 1.5 limbs subtracted and shifter now, resulting C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added C in. mov 80(XP), H4 mov 88(XP), H5 C Shift right 32 bits, into H1, H0 mov H4, H0 mov H5, H1 mov H5, D5 shr $32, H1 shl $32, D5 shr $32, H0 or D5, H0 C H1 H0 C - H1 H0 C -------- C H1 H0 D5 mov H0, D5 neg D5 sbb H1, H0 sbb $0, H1 xor C2, C2 add H4, H0 adc H5, H1 adc $0, C2 C Add in to high part add 48(XP), H0 adc 56(XP), H1 adc $0, C2 C Do C2 later C +1 term mov (XP), T0 add H0, T0 mov 8(XP), T1 adc H1, T1 mov 16(XP), T2 mov 64(XP), H2 adc H2, T2 mov 24(XP), T3 mov 72(XP), H3 adc H3, T3 mov 32(XP), T4 adc H4, T4 mov 40(XP), T5 adc H5, T5 sbb C0, C0 neg C0 C FIXME: Switch sign of C0? C +B^2 term add H0, T2 adc H1, T3 adc H2, T4 adc H3, T5 adc $0, C0 C Shift left, including low half of H4 mov H3, TMP shl $32, H4 shr $32, TMP or TMP, H4 mov H2, TMP shl $32, H3 shr $32, TMP or TMP, H3 mov H1, TMP shl $32, H2 shr $32, TMP or TMP, H2 mov H0, TMP shl $32, H1 shr $32, TMP or TMP, H1 shl $32, H0 C H4 H3 H2 H1 H0 0 C - H4 H3 H2 H1 H0 C --------------- C H4 H3 H2 H1 H0 TMP mov H0, TMP neg TMP sbb H1, H0 sbb H2, H1 sbb H3, H2 sbb H4, H3 sbb $0, H4 add TMP, T0 adc H0, T1 adc H1, T2 adc H2, T3 adc H3, T4 adc H4, T5 adc $0, C0 C Remains to add in C2 and C0 C Set H1, H0 = (2^96 - 2^32 + 1) C0 mov C0, H0 mov C0, H1 shl $32, H1 sub H1, H0 sbb $0, H1 C Set H3, H2 = (2^96 - 2^32 + 1) C2 mov C2, H2 mov C2, H3 shl $32, H3 sub H3, H2 sbb $0, H3 add C0, H2 C No carry. Could use lea trick xor C0, C0 add H0, T0 adc H1, T1 adc H2, T2 adc H3, T3 adc C2, T4 adc D5, T5 C Value delayed from initial folding adc $0, C0 C Use sbb and switch sign? C Final unlikely carry mov C0, H0 mov C0, H1 shl $32, H1 sub H1, H0 sbb $0, H1 pop XP C Original RP argument add H0, T0 mov T0, (XP) adc H1, T1 mov T1, 8(XP) adc C0, T2 mov T2, 16(XP) adc $0, T3 mov T3, 24(XP) adc $0, T4 mov T4, 32(XP) adc $0, T5 mov T5, 40(XP) pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp384r1_modp) nettle-4.0/x86_64/ecc-secp521r1-modp.asm0000644000000000000000000000542315141166424014360 0ustar00C x86_64/ecc-secp521r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp521r1-modp.asm" GMP_NUMB_BITS(64) define(`RP', `%rsi') define(`XP', `%rdx') define(`U0', `%rax') define(`U1', `%rbx') define(`U2', `%rcx') define(`U3', `%rbp') define(`U4', `%rdi') define(`U5', `%r8') define(`U6', `%r9') define(`U7', `%r10') define(`U8', `%r11') define(`U9', `%r12') define(`T0', `%r13') define(`T1', `%r14') .text ALIGN(16) PROLOGUE(_nettle_ecc_secp521r1_modp) W64_ENTRY(3, 0) push %rbx push %rbp push %r12 push %r13 push %r14 C Read top 17 limbs, shift left 55 bits mov 72(XP), U1 mov U1, U0 shl $55, U0 shr $9, U1 mov 80(XP), U2 mov U2, T0 shr $9, U2 shl $55, T0 or T0, U1 mov 88(XP), U3 mov U3, T0 shr $9, U3 shl $55, T0 or T0, U2 mov 96(XP), U4 mov U4, T0 shr $9, U4 shl $55, T0 or T0, U3 mov 104(XP), U5 mov U5, T0 shr $9, U5 shl $55, T0 or T0, U4 mov 112(XP), U6 mov U6, T0 shr $9, U6 shl $55, T0 or T0, U5 mov 120(XP), U7 mov U7, T0 shr $9, U7 shl $55, T0 or T0, U6 mov 128(XP), U8 mov U8, T0 shr $9, U8 shl $55, T0 or T0, U7 mov 136(XP), U9 mov U9, T0 shr $9, U9 shl $55, T0 or T0, U8 add (XP), U0 adc 8(XP), U1 adc 16(XP), U2 adc 24(XP), U3 adc 32(XP), U4 adc 40(XP), U5 adc 48(XP), U6 adc 56(XP), U7 adc 64(XP), U8 adc $0, U9 C Top limbs are . Keep low 9 bits of 8, and fold the C top bits (at most 65 bits). mov U8, T0 shr $9, T0 and $0x1ff, U8 mov U9, T1 shl $55, U9 shr $9, T1 or U9, T0 add T0, U0 mov U0, (RP) adc T1, U1 mov U1, 8(RP) adc $0, U2 mov U2, 16(RP) adc $0, U3 mov U3, 24(RP) adc $0, U4 mov U4, 32(RP) adc $0, U5 mov U5, 40(RP) adc $0, U6 mov U6, 48(RP) adc $0, U7 mov U7, 56(RP) adc $0, U8 mov U8, 64(RP) pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp521r1_modp) nettle-4.0/x86_64/fat/0000755000000000000000000000000015141166424011312 5ustar00nettle-4.0/x86_64/fat/aes128-decrypt-2.asm0000644000000000000000000000224415141166424014630 0ustar00C x86_64/fat/aes128-decrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_decrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes128-decrypt.asm') nettle-4.0/x86_64/fat/aes128-encrypt-2.asm0000644000000000000000000000224415141166424014642 0ustar00C x86_64/fat/aes128-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes128-encrypt.asm') nettle-4.0/x86_64/fat/aes192-decrypt-2.asm0000644000000000000000000000224415141166424014631 0ustar00C x86_64/fat/aes192-decrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_decrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes192-decrypt.asm') nettle-4.0/x86_64/fat/aes192-encrypt-2.asm0000644000000000000000000000224415141166424014643 0ustar00C x86_64/fat/aes192-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes192-encrypt.asm') nettle-4.0/x86_64/fat/aes256-decrypt-2.asm0000644000000000000000000000224415141166424014632 0ustar00C x86_64/fat/aes256-decrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_decrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes256-decrypt.asm') nettle-4.0/x86_64/fat/aes256-encrypt-2.asm0000644000000000000000000000224415141166424014644 0ustar00C x86_64/fat/aes256-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes256-encrypt.asm') nettle-4.0/x86_64/fat/cbc-aes128-encrypt-2.asm0000644000000000000000000000226015141166424015365 0ustar00C x86_64/fat/cbc-aes128-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_cbc_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/cbc-aes128-encrypt.asm') nettle-4.0/x86_64/fat/cbc-aes192-encrypt-2.asm0000644000000000000000000000226015141166424015366 0ustar00C x86_64/fat/cbc_aes192-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_cbc_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/cbc-aes192-encrypt.asm') nettle-4.0/x86_64/fat/cbc-aes256-encrypt-2.asm0000644000000000000000000000226015141166424015367 0ustar00C x86_64/fat/cbc_aes256-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_cbc_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/cbc-aes256-encrypt.asm') nettle-4.0/x86_64/fat/cpuid.asm0000644000000000000000000000265515141166424013130 0ustar00C x86_64/fat/cpuid.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument C cpuid input: %edi C output pointer: %rsi .file "cpuid.asm" C void _nettle_cpuid(uint32_t in, uint32_t *out) .text ALIGN(16) PROLOGUE(_nettle_cpuid) W64_ENTRY(2, 0) push %rbx movl %edi, %eax xorl %ecx, %ecx C Information we need use ecx = 0 cpuid mov %eax, (%rsi) mov %ebx, 4(%rsi) mov %ecx, 8(%rsi) mov %edx, 12(%rsi) pop %rbx W64_EXIT(2, 0) ret EPILOGUE(_nettle_cpuid) nettle-4.0/x86_64/fat/ghash-set-key-2.asm0000644000000000000000000000225115141166424014624 0ustar00C x86_64/fat/ghash-set-key-2.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_pclmul') include_src(`x86_64/pclmul/ghash-set-key.asm') nettle-4.0/x86_64/fat/ghash-update-2.asm0000644000000000000000000000224615141166424014531 0ustar00C x86_64/fat/ghash-update-2.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_pclmul') include_src(`x86_64/pclmul/ghash-update.asm') nettle-4.0/x86_64/fat/ghash-update.asm0000644000000000000000000000223415141166424014367 0ustar00C x86_64/fat/ghash-update.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_table') include_src(`x86_64/ghash-update.asm') nettle-4.0/x86_64/fat/memxor-2.asm0000644000000000000000000000215615141166424013466 0ustar00C x86_64/fat/memxor-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_sse2') define(`USE_SSE2', `yes') include_src(`x86_64/memxor.asm') nettle-4.0/x86_64/fat/memxor.asm0000644000000000000000000000212415141166424013322 0ustar00C x86_64/fat/memxor.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_x86_64') include_src(`x86_64/memxor.asm') nettle-4.0/x86_64/fat/sha1-compress-2.asm0000644000000000000000000000215215141166424014640 0ustar00C x86_64/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_sha_ni') include_src(`x86_64/sha_ni/sha1-compress.asm') nettle-4.0/x86_64/fat/sha1-compress.asm0000644000000000000000000000214115141166424014477 0ustar00C x86_64/fat/sha1-compress.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_x86_64') include_src(`x86_64/sha1-compress.asm') nettle-4.0/x86_64/fat/sha256-compress-n-2.asm0000644000000000000000000000216115141166424015247 0ustar00C x86_64/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_sha_ni') include_src(`x86_64/sha_ni/sha256-compress-n.asm') nettle-4.0/x86_64/fat/sha256-compress-n.asm0000644000000000000000000000215015141166424015106 0ustar00C x86_64/fat/sha256-compress-n.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_x86_64') include_src(`x86_64/sha256-compress-n.asm') nettle-4.0/x86_64/ghash-update.asm0000644000000000000000000000476215141166424013625 0ustar00C x86_64/ghash-update.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`KEY', `%rdi') define(`XP', `%rsi') define(`BLOCKS', `%rdx') define(`SRC', `%rcx') define(`CNT', `%rax') define(`KEY32', `%r8') define(`X', `%xmm0') define(`R', `%xmm1') define(`M0', `%xmm2') define(`M1', `%xmm3') define(`M2', `%xmm4') define(`M3', `%xmm5') define(`T0', `%xmm6') define(`T1', `%xmm7') .file "ghash-update.asm" C const uint8_t *_ghash_update (const struct gcm_key *key, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) .text ALIGN(16) PROLOGUE(_nettle_ghash_update) W64_ENTRY(4, 8) sub $1, BLOCKS movups (XP), X jc .Ldone C Table offset corresponding to 32 bits. lea 1024(KEY), KEY32 ALIGN(16) .Lblock_loop: C Unaligned input movups (SRC), M0 pxor M0, X pxor R, R mov $992, CNT ALIGN(16) .Loop_bit: movdqa X, M3 psrad $31, M3 pshufd $0x00, M3, M0 pshufd $0x55, M3, M1 pshufd $0xaa, M3, M2 pshufd $0xff, M3, M3 pslld $1, X C Tabulated values are only 8-byte aligned, and therefore C can't be used as memory operands to pand. It would be nice C if we could force 16-byte alignment on nettle_block16, using C C11 alignas. movups (KEY, CNT), T0 movups (KEY32, CNT), T1 pand T0, M0 pand T1, M1 movups 16(KEY, CNT), T0 movups 16(KEY32, CNT), T1 pand T0, M2 pand T1, M3 pxor M0, M1 pxor M2, M3 pxor M1, R pxor M3, R sub $32, CNT jnc .Loop_bit movaps R, X add $16, SRC sub $1, BLOCKS jnc .Lblock_loop .Ldone: movups X, (XP) mov SRC, %rax W64_EXIT(4, 8) ret EPILOGUE(_nettle_ghash_update) nettle-4.0/x86_64/machine.m40000644000000000000000000000675115141166424012417 0ustar00C OFFSET(i) C Expands to 4*i, or to the empty string if i is zero define(`OFFSET', `ifelse($1,0,,eval(4*$1))') C OFFSET64(i) C Expands to 8*i, or to the empty string if i is zero define(`OFFSET64', `ifelse($1,0,,eval(8*$1))') dnl LREG(reg) gives the 8-bit register corresponding to the given 64-bit register. define(`LREG',`ifelse( $1, %rax, %al, $1, %rbx, %bl, $1, %rcx, %cl, $1, %rdx, %dl, $1, %rsi, %sil, $1, %rdi, %dil, $1, %rbp, %bpl, $1, %r8, %r8b, $1, %r9, %r9b, $1, %r10, %r10b, $1, %r11, %r11b, $1, %r12, %r12b, $1, %r13, %r13b, $1, %r14, %r14b, $1, %r15, %r15b)')dnl define(`HREG',`ifelse( $1, %rax, %ah, $1, %rbx, %bh, $1, %rcx, %ch, $1, %rdx, %dh)')dnl define(`WREG',`ifelse( $1, %rax, %ax, $1, %rbx, %bx, $1, %rcx, %cx, $1, %rdx, %dx, $1, %rsi, %si, $1, %rdi, %di, $1, %rbp, %bp, $1, %r8, %r8w, $1, %r9, %r9w, $1, %r10, %r10w, $1, %r11, %r11w, $1, %r12, %r12w, $1, %r13, %r13w, $1, %r14, %r14w, $1, %r15, %r15w)')dnl define(`XREG',`ifelse( $1, %rax, %eax, $1, %rbx, %ebx, $1, %rcx, %ecx, $1, %rdx, %edx, $1, %rsi, %esi, $1, %rdi, %edi, $1, %rbp, %ebp, $1, %r8, %r8d, $1, %r9, %r9d, $1, %r10, %r10d, $1, %r11, %r11d, $1, %r12, %r12d, $1, %r13, %r13d, $1, %r14, %r14d, $1, %r15, %r15d)')dnl dnl W64_ENTRY(nargs, xmm_used) define(`W64_ENTRY', ` ifelse(W64_ABI,yes,` dnl unconditionally push %rdi, making %rsp 16-byte aligned push %rdi dnl Save %xmm6, ..., if needed ifelse(eval($2 > 6), 1, ` sub `$'eval(16*($2 - 6)), %rsp movdqa %xmm6, 0(%rsp) ') ifelse(eval($2 > 7), 1, ` movdqa %xmm7, 16(%rsp) ') ifelse(eval($2 > 8), 1, ` movdqa %xmm8, 32(%rsp) ') ifelse(eval($2 > 9), 1, ` movdqa %xmm9, 48(%rsp) ') ifelse(eval($2 > 10), 1, ` movdqa %xmm10, 64(%rsp) ') ifelse(eval($2 > 11), 1, ` movdqa %xmm11, 80(%rsp) ') ifelse(eval($2 > 12), 1, ` movdqa %xmm12, 96(%rsp) ') ifelse(eval($2 > 13), 1, ` movdqa %xmm13, 112(%rsp) ') ifelse(eval($2 > 14), 1, ` movdqa %xmm14, 128(%rsp) ') ifelse(eval($2 > 15), 1, ` movdqa %xmm15, 144(%rsp) ') dnl Move around arguments ifelse(eval($1 >= 1), 1, ` mov %rcx, %rdi ') ifelse(eval($1 >= 2), 1, ` dnl NOTE: Breaks 16-byte %rsp alignment push %rsi mov %rdx, %rsi ') ifelse(eval($1 >= 3), 1, ` mov %r8, %rdx ') ifelse(eval($1 >= 4), 1, ` mov %r9, %rcx ') ifelse(eval($1 >= 5), 1, ` mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+56),56)(%rsp), %r8 ') ifelse(eval($1 >= 6), 1, ` mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+64),64)(%rsp), %r9 ') ') ') dnl W64_EXIT(nargs, xmm_used) define(`W64_EXIT', ` ifelse(W64_ABI,yes,` ifelse(eval($1 >= 2), 1, ` pop %rsi ') ifelse(eval($2 > 15), 1, ` movdqa 144(%rsp), %xmm15 ') ifelse(eval($2 > 14), 1, ` movdqa 128(%rsp), %xmm14 ') ifelse(eval($2 > 13), 1, ` movdqa 112(%rsp), %xmm13 ') ifelse(eval($2 > 12), 1, ` movdqa 96(%rsp), %xmm12 ') ifelse(eval($2 > 11), 1, ` movdqa 80(%rsp), %xmm11 ') ifelse(eval($2 > 10), 1, ` movdqa 64(%rsp), %xmm10 ') ifelse(eval($2 > 9), 1, ` movdqa 48(%rsp), %xmm9 ') ifelse(eval($2 > 8), 1, ` movdqa 32(%rsp), %xmm8 ') ifelse(eval($2 > 7), 1, ` movdqa 16(%rsp), %xmm7 ') ifelse(eval($2 > 6), 1, ` movdqa (%rsp), %xmm6 add `$'eval(16*($2 - 6)), %rsp ') pop %rdi ') ') nettle-4.0/x86_64/memxor.asm0000644000000000000000000000637615141166424012565 0ustar00C x86_64/memxor.asm ifelse(` Copyright (C) 2010, 2014, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`DST', `%rax') C Originally in %rdi define(`SRC', `%rsi') define(`N', `%rdx') define(`TMP', `%r8') define(`TMP2', `%r9') define(`CNT', `%rdi') define(`S0', `%r11') define(`S1', `%rdi') C Overlaps with CNT define(`USE_SSE2', `no') .file "memxor.asm" .text C memxor(void *dst, const void *src, size_t n) C %rdi %rsi %rdx ALIGN(16) PROLOGUE(nettle_memxor) W64_ENTRY(3, 0) test N, N C Get number of unaligned bytes at the end C %rdi is used as CNT, %rax as DST and as return value mov %rdi, %rax jz .Ldone add N, CNT and $7, CNT jz .Laligned cmp $8, N jc .Lfinal_next C FIXME: Instead of this loop, could try cmov with memory C destination, as a sequence of one 8-bit, one 16-bit and one C 32-bit operations. (Except that cmov can't do 8-bit ops, so C that step has to use a conditional). .Lalign_loop: sub $1, N movb (SRC, N), LREG(TMP) xorb LREG(TMP), (DST, N) sub $1, CNT jnz .Lalign_loop .Laligned: ifdef(`USE_SSE2', ` cmp $16, N jnc .Lsse2_case ') C Next destination word is -8(DST, N) C Setup for unrolling test $8, N jz .Lword_next sub $8, N jz .Lone_word mov (SRC, N), TMP xor TMP, (DST, N) jmp .Lword_next ALIGN(16) .Lword_loop: mov 8(SRC, N), TMP mov (SRC, N), TMP2 xor TMP, 8(DST, N) xor TMP2, (DST, N) .Lword_next: sub $16, N ja .Lword_loop C Not zero and no carry jnz .Lfinal C Final operation is word aligned mov 8(SRC, N), TMP xor TMP, 8(DST, N) .Lone_word: mov (SRC, N), TMP xor TMP, (DST, N) W64_EXIT(3, 0) ret .Lfinal: add $15, N .Lfinal_loop: movb (SRC, N), LREG(TMP) xorb LREG(TMP), (DST, N) .Lfinal_next: sub $1, N jnc .Lfinal_loop .Ldone: W64_EXIT(3, 0) ret ifdef(`USE_SSE2', ` .Lsse2_case: lea (DST, N), TMP test $8, TMP jz .Lsse2_next sub $8, N mov (SRC, N), TMP xor TMP, (DST, N) jmp .Lsse2_next ALIGN(16) .Lsse2_loop: movdqu (SRC, N), %xmm0 movdqa (DST, N), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST, N) .Lsse2_next: sub $16, N ja .Lsse2_loop C FIXME: See if we can do a full word first, before the C byte-wise final loop. jnz .Lfinal C Final operation is aligned movdqu (SRC), %xmm0 movdqa (DST), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST) W64_EXIT(3, 0) ret ') EPILOGUE(nettle_memxor) nettle-4.0/x86_64/memxor3.asm0000644000000000000000000001157215141166424012642 0ustar00C x86_64/memxor3.asm ifelse(` Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`DST', `%rax') C Originally in %rdi define(`AP', `%rsi') define(`BP', `%rdx') define(`N', `%r10') define(`TMP', `%r8') define(`TMP2', `%r9') define(`CNT', `%rdi') define(`S0', `%r11') define(`S1', `%rdi') C Overlaps with CNT define(`USE_SSE2', `no') .file "memxor3.asm" .text C memxor3(void *dst, const void *a, const void *b, size_t n) C %rdi %rsi %rdx %rcx ALIGN(16) PROLOGUE(nettle_memxor3) W64_ENTRY(4, 0) C %cl needed for shift count, so move away N mov %rcx, N .Lmemxor3_entry: test N, N C Get number of unaligned bytes at the end C %rdi is used as CNT, %rax as DST and as return value mov %rdi, %rax jz .Ldone add N, CNT and $7, CNT jz .Laligned cmp $8, N jc .Lfinal_next C FIXME: Instead of this loop, could try cmov with memory C destination, as a sequence of one 8-bit, one 16-bit and one C 32-bit operations. (Except that cmov can't do 8-bit ops, so C that step has to use a conditional). .Lalign_loop: sub $1, N movb (AP, N), LREG(TMP) xorb (BP, N), LREG(TMP) movb LREG(TMP), (DST, N) sub $1, CNT jnz .Lalign_loop .Laligned: ifelse(USE_SSE2, yes, ` cmp $16, N jnc .Lsse2_case ') C Check for the case that AP and BP have the same alignment, C but different from DST. mov AP, TMP sub BP, TMP test $7, TMP jnz .Lno_shift_case mov AP, %rcx sub DST, %rcx and $7, %rcx jz .Lno_shift_case sub %rcx, AP sub %rcx, BP shl $3, %rcx C Unrolling, with aligned values alternating in S0 and S1 test $8, N jnz .Lshift_odd mov (AP, N), S1 xor (BP, N), S1 jmp .Lshift_next .Lshift_odd: mov -8(AP, N), S1 mov (AP, N), S0 xor -8(BP, N), S1 xor (BP, N), S0 mov S1, TMP shr %cl, TMP neg %cl shl %cl, S0 neg %cl or S0, TMP mov TMP, -8(DST, N) sub $8, N jz .Ldone jmp .Lshift_next ALIGN(16) .Lshift_loop: mov 8(AP, N), S0 xor 8(BP, N), S0 mov S0, TMP shr %cl, TMP neg %cl shl %cl, S1 neg %cl or S1, TMP mov TMP, 8(DST, N) mov (AP, N), S1 xor (BP, N), S1 mov S1, TMP shr %cl, TMP neg %cl shl %cl, S0 neg %cl or S0, TMP mov TMP, (DST, N) .Lshift_next: sub $16, N C FIXME: Handle the case N == 16 specially, C like in the non-shifted case? C ja .Lshift_loop C jz .Ldone jnc .Lshift_loop add $15, N jnc .Ldone shr $3, %rcx add %rcx, AP add %rcx, BP jmp .Lfinal_loop .Lno_shift_case: C Next destination word is -8(DST, N) C Setup for unrolling test $8, N jz .Lword_next sub $8, N jz .Lone_word mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) jmp .Lword_next ALIGN(16) .Lword_loop: mov 8(AP, N), TMP mov (AP, N), TMP2 xor 8(BP, N), TMP xor (BP, N), TMP2 mov TMP, 8(DST, N) mov TMP2, (DST, N) .Lword_next: sub $16, N ja .Lword_loop C Not zero and no carry jnz .Lfinal C Final operation is word aligned mov 8(AP, N), TMP xor 8(BP, N), TMP mov TMP, 8(DST, N) .Lone_word: mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret .Lfinal: add $15, N .Lfinal_loop: movb (AP, N), LREG(TMP) xorb (BP, N), LREG(TMP) movb LREG(TMP), (DST, N) .Lfinal_next: sub $1, N jnc .Lfinal_loop .Ldone: C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret ifelse(USE_SSE2, yes, ` .Lsse2_case: lea (DST, N), TMP test $8, TMP jz .Lsse2_next sub $8, N mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) jmp .Lsse2_next ALIGN(16) .Lsse2_loop: movdqu (AP, N), %xmm0 movdqu (BP, N), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST, N) .Lsse2_next: sub $16, N ja .Lsse2_loop C FIXME: See if we can do a full word first, before the C byte-wise final loop. jnz .Lfinal C Final operation is aligned movdqu (AP), %xmm0 movdqu (BP), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST) C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret ') EPILOGUE(nettle_memxor3) nettle-4.0/x86_64/pclmul/0000755000000000000000000000000015141166424012034 5ustar00nettle-4.0/x86_64/pclmul/ghash-set-key.asm0000644000000000000000000000544615141166424015220 0ustar00C x86_64/ghash-set-key.asm ifelse(` Copyright (C) 2022 Niels Möller Copyright (C) 2023 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Common registers define(`CTX', `%rdi') define(`KEY', `%rsi') define(`P', `%xmm0') define(`BSWAP', `%xmm1') define(`H', `%xmm2') define(`D', `%xmm3') define(`T', `%xmm4') define(`R', `%xmm5') define(`M', `%xmm6') define(`F', `%xmm7') define(`MASK', `%xmm7') C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) .text ALIGN(16) PROLOGUE(_nettle_ghash_set_key) W64_ENTRY(2, 8) movdqa .Lpolynomial(%rip), P movdqa .Lbswap(%rip), BSWAP movups (KEY), H pshufb BSWAP, H C Multiply by x mod P, which is a left shift. movdqa H, T psllq $1, T psrlq $63, H C 127 --> 64, 63 --> 0 pshufd $0xaa, H, MASK C 64 --> (96, 64, 32, 0) pslldq $8, H C 0 --> 64 por T, H pxor T, T psubd MASK, T C All-ones if bit 127 was set pand P, T pxor T, H movups H, (CTX) C Set D = x^{-64} H = {H0, H1} + P1 H0 movdqa H, T pshufd $0x4e, H, D C Swap H0, H1 pclmullqhqdq P, T pxor T, D movups D, 16(CTX) movdqa H, M movdqa H, F movdqa H, T pclmulhqlqdq H, T C H0 * M1 pclmulhqhqdq H, M C H1 * M1 pclmullqlqdq D, F C D0 * M0 pclmullqhqdq D, H C D1 * M0 pxor T, F pxor M, H pshufd $0x4e, F, T C Swap halves of F pxor T, H pclmullqhqdq P, F pxor F, H movups H, 32(CTX) C Set D2 = x^{-64} H^2 = {H0, H1} + P1 H0 pshufd $0x4e, H, D C Swap H0, H1 pclmullqhqdq P, H pxor H, D movups D, 48(CTX) W64_EXIT(2, 8) ret EPILOGUE(_nettle_ghash_set_key) RODATA C The GCM polynomial is x^{128} + x^7 + x^2 + x + 1, C but in bit-reversed representation, that is C P = x^{128}+ x^{127} + x^{126} + x^{121} + 1 C We will mainly use the middle part, C P1 = (P + a + x^{128}) / x^64 = x^{563} + x^{62} + x^{57} ALIGN(16) .Lpolynomial: .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xC2 .Lbswap: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 nettle-4.0/x86_64/pclmul/ghash-update.asm0000644000000000000000000001102615141166424015110 0ustar00C x86_64/ghash-update.asm ifelse(` Copyright (C) 2022 Niels Möller Copyright (C) 2023 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Common registers define(`CTX', `%rdi') define(`X', `%rsi') define(`BLOCKS', `%rdx') define(`DATA', `%rcx') define(`P', `%xmm0') define(`BSWAP', `%xmm1') define(`H', `%xmm2') define(`D', `%xmm3') define(`H2', `%xmm4') define(`D2', `%xmm5') define(`T', `%xmm6') define(`R', `%xmm7') define(`M', `%xmm8') define(`F', `%xmm9') define(`T2', `%xmm10') define(`R2', `%xmm11') define(`M2', `%xmm12') define(`F2', `%xmm13') C Use pclmulqdq, doing one 64x64 --> 127 bit carry-less multiplication, C with source operands being selected from the halves of two 128-bit registers. C Variants: C pclmullqlqdq low half of both src and destination C pclmulhqlqdq low half of src register, high half of dst register C pclmullqhqdq high half of src register, low half of dst register C pclmulhqhqdq high half of both src and destination C To do a single block, M0, M1, we need to compute C C R = M0 D1 + M1 H1 C F = M0 D0 + M1 H0 C C Corresponding to x^{-127} M H = R + x^{-64} F C C Split F as F = F1 + x^64 F0, then the final reduction is C C R + x^{-64} F = R + P1 F0 + x^{64} F0 + F1 C C In all, 5 pclmulqdq. If we we have enough registers to interleave two blocks, C final reduction is needed only once, so 9 pclmulqdq for two blocks, etc. C C We need one register each for D and H, one for P1, one each for accumulating F C and R. That uses 5 out of the 16 available xmm registers. If we interleave C blocks, we need additionan D ang H registers (for powers of the key) and the C additional message word, but we could perhaps interlave as many as 4, with two C registers left for temporaries. C const uint8_t *_ghash_update (const struct gcm_key *ctx, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) .text ALIGN(16) PROLOGUE(_nettle_ghash_update) W64_ENTRY(4, 14) movdqa .Lpolynomial(%rip), P movdqa .Lbswap(%rip), BSWAP movups (CTX), H movups 16(CTX), D movups 32(CTX), H2 movups 48(CTX), D2 movups (X), R pshufb BSWAP, R mov BLOCKS, %rax shr $1, %rax jz .L1_block .Loop: movups (DATA), M pshufb BSWAP, M pxor M, R movdqa R, M movdqa R, F movdqa R, T pclmullqlqdq D2, F C {D^2}0 * M1_0 pclmullqhqdq D2, R C {D^2}1 * M1_0 pclmulhqlqdq H2, T C {H^2}0 * M1_1 pclmulhqhqdq H2, M C {H^2}1 * M1_1 movups 16(DATA), M2 pshufb BSWAP, M2 movdqa M2, R2 movdqa M2, F2 movdqa M2, T2 pclmullqlqdq D, F2 C D0 * M2_0 pclmullqhqdq D, R2 C D1 * M2_0 pclmulhqlqdq H, T2 C H0 * M2_1 pclmulhqhqdq H, M2 C H1 * M2_1 pxor T, F pxor M, R pxor T2, F2 pxor M2, R2 pxor F2, F pxor R2, R pshufd $0x4e, F, T C Swap halves of F pxor T, R pclmullqhqdq P, F pxor F, R add $32, DATA dec %rax jnz .Loop .L1_block: test $1, BLOCKS jz .Ldone movups (DATA), M pshufb BSWAP, M pxor M, R movdqa R, M movdqa R, F movdqa R, T pclmullqlqdq D, F C D0 * M0 pclmullqhqdq D, R C D1 * M0 pclmulhqlqdq H, T C H0 * M1 pclmulhqhqdq H, M C H1 * M1 pxor T, F pxor M, R pshufd $0x4e, F, T C Swap halves of F pxor T, R pclmullqhqdq P, F pxor F, R add $16, DATA .Ldone: pshufb BSWAP, R movups R, (X) mov DATA, %rax W64_EXIT(4, 14) ret EPILOGUE(_nettle_ghash_update) RODATA C The GCM polynomial is x^{128} + x^7 + x^2 + x + 1, C but in bit-reversed representation, that is C P = x^{128}+ x^{127} + x^{126} + x^{121} + 1 C We will mainly use the middle part, C P1 = (P + a + x^{128}) / x^64 = x^{563} + x^{62} + x^{57} ALIGN(16) .Lpolynomial: .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xC2 .Lbswap: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 nettle-4.0/x86_64/poly1305-blocks.asm0000644000000000000000000000517415141166424014020 0ustar00C x86_64/poly1305-blocks.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "poly1305-blocks.asm" define(`CTX', `%rdi') C First argument to all functions define(`BLOCKS', `%rsi') define(`MP_PARAM', `%rdx') C Moved to MP, to not collide with mul instruction. define(`MP', `%r8') C May clobber, both with unix and windows conventions. define(`T0', `%rbx') define(`T1', `%rcx') define(`H0', `%rbp') define(`H1', `%r9') define(`H2', `%r10') define(`F0', `%r11') define(`F1', `%r12') C const uint8_t * C _nettle_poly1305_blocks (struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m) .text ALIGN(16) PROLOGUE(_nettle_poly1305_blocks) W64_ENTRY(3, 0) mov MP_PARAM, MP test BLOCKS, BLOCKS jz .Lend push %rbx push %rbp push %r12 mov P1305_H0 (CTX), H0 mov P1305_H1 (CTX), H1 mov P1305_H2 (CTX), H2 ALIGN(16) .Loop: mov (MP), T0 mov 8(MP), T1 add $16, MP add H0, T0 adc H1, T1 adc $1, H2 mov P1305_R1 (CTX), %rax mul T0 C R1*T0 mov %rax, F0 mov %rdx, F1 mov T0, %rax C Last use of T0 input mov P1305_R0 (CTX), T0 mul T0 C R0*T0 mov %rax, H0 mov %rdx, H1 mov T1, %rax mul T0 C R0*T1 add %rax, F0 adc %rdx, F1 mov P1305_S1 (CTX), T0 mov T1, %rax C Last use of T1 input mul T0 C S1*T1 add %rax, H0 adc %rdx, H1 mov H2, %rax mul T0 C S1*H2 add %rax, F0 adc %rdx, F1 mov H2, T0 and $3, H2 shr $2, T0 mov P1305_S0 (CTX), %rax mul T0 C S0*(H2 >> 2) add %rax, H0 adc %rdx, H1 imul P1305_R0 (CTX), H2 C R0*(H2 & 3) add F0, H1 adc F1, H2 dec BLOCKS jnz .Loop mov H0, P1305_H0 (CTX) mov H1, P1305_H1 (CTX) mov H2, P1305_H2 (CTX) pop %r12 pop %rbp pop %rbx .Lend: mov MP, %rax W64_EXIT(3, 0) ret EPILOGUE(_nettle_poly1305_blocks) nettle-4.0/x86_64/poly1305-internal.asm0000644000000000000000000001027515141166424014355 0ustar00C x86_64/poly1305-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "poly1305-internal.asm" C Registers mainly used by poly1305_block define(`CTX', `%rdi') C First argument to all functions define(`KEY', `%rsi') define(`MASK',` %r8') C _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) .text ALIGN(16) PROLOGUE(_nettle_poly1305_set_key) W64_ENTRY(2,0) mov $0x0ffffffc0fffffff, MASK mov (KEY), %rax and MASK, %rax and $-4, MASK mov %rax, P1305_R0 (CTX) imul $5, %rax mov %rax, P1305_S0 (CTX) C 5*R0 mov 8(KEY), %rax and MASK, %rax mov %rax, P1305_R1 (CTX) shr $2, %rax imul $5, %rax mov %rax, P1305_S1 (CTX) C 5*(R1>>2) xor XREG(%rax), XREG(%rax) mov %rax, P1305_H0 (CTX) mov %rax, P1305_H1 (CTX) mov %rax, P1305_H2 (CTX) W64_EXIT(2,0) ret undefine(`KEY') undefine(`MASK') EPILOGUE(_nettle_poly1305_set_key) define(`T0', `%rcx') define(`T1', `%rsi') C Overlaps message input pointer. define(`T2', `%r8') define(`H0', `%r9') define(`H1', `%r10') define(`F0', `%r11') define(`F1', `%r12') C First accumulate the independent products C C {H1,H0} = R0 T0 + S1 T1 + S0 (T2 >> 2) C {F1,F0} = R1 T0 + R0 T1 + S1 T2 C T = R0 * (T2 & 3) C C Then add together as C C +--+--+--+ C |T |H1|H0| C +--+--+--+ C + |F1|F0| C --+--+--+--+ C |H2|H1|H0| C +--+--+--+ C _poly1305_block (struct poly1305_ctx *ctx, const uint8_t m[16], unsigned hi) .text ALIGN(16) PROLOGUE(_nettle_poly1305_block) W64_ENTRY(3, 0) push %r12 mov (%rsi), T0 mov 8(%rsi), T1 mov XREG(%rdx), XREG(T2) C Also zero extends add P1305_H0 (CTX), T0 adc P1305_H1 (CTX), T1 adc P1305_H2 (CTX), T2 mov P1305_R1 (CTX), %rax mul T0 C R1*T0 mov %rax, F0 mov %rdx, F1 mov T0, %rax C Last use of T0 input mov P1305_R0 (CTX), T0 mul T0 C R0*T0 mov %rax, H0 mov %rdx, H1 mov T1, %rax mul T0 C R0*T1 add %rax, F0 adc %rdx, F1 mov P1305_S1 (CTX), T0 mov T1, %rax C Last use of T1 input mul T0 C S1*T1 add %rax, H0 adc %rdx, H1 mov T2, %rax mul T0 C S1*T2 add %rax, F0 adc %rdx, F1 mov $3, XREG(T1) and T2, T1 shr $2, T2 mov P1305_S0 (CTX), %rax mul T2 C S0*(T2 >> 2) add %rax, H0 adc %rdx, H1 imul P1305_R0 (CTX), T1 C R0*(T2 & 3) add F0, H1 adc T1, F1 mov H0, P1305_H0 (CTX) mov H1, P1305_H1 (CTX) mov F1, P1305_H2 (CTX) pop %r12 W64_EXIT(3, 0) ret EPILOGUE(_nettle_poly1305_block) undefine(`T0') undefine(`T1') undefine(`T2') undefine(`H0') undefine(`H1') undefine(`F0') undefine(`F1') C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) define(`S', `%rsi') define(`T0', `%rcx') define(`T1', `%r8') define(`H0', `%r9') define(`H1', `%r10') define(`F0', `%r11') define(`F1', `%rrd') C Overlaps CTX .text ALIGN(16) PROLOGUE(_nettle_poly1305_digest) W64_ENTRY(2, 0) mov P1305_H0 (CTX), H0 mov P1305_H1 (CTX), H1 mov P1305_H2 (CTX), F0 xor XREG(%rax), XREG(%rax) mov %rax, P1305_H0 (CTX) mov %rax, P1305_H1 (CTX) mov %rax, P1305_H2 (CTX) mov $3, XREG(%rax) and XREG(F0), XREG(%rax) shr $2, F0 imul $5, F0 add F0, H0 adc $0, H1 adc $0, XREG(%rax) C Add 5, use result if >= 2^130 mov $5, T0 xor T1, T1 add H0, T0 adc H1, T1 adc $-4, XREG(%rax) C Carry if %rax + c >= 4 cmovc T0, H0 cmovc T1, H1 add H0, (S) adc H1, 8(S) W64_EXIT(2, 0) ret EPILOGUE(_nettle_poly1305_digest) nettle-4.0/x86_64/salsa20-2core.asm0000644000000000000000000001435215141166424013524 0ustar00C x86_64/salsa20-2core.asm ifelse(` Copyright (C) 2012, 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`DST', `%rdi') define(`SRC', `%rsi') define(`COUNT', `%rdx') C State, even elements in X, odd elements in Y define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`Y0', `%xmm4') define(`Y1', `%xmm5') define(`Y2', `%xmm6') define(`Y3', `%xmm7') define(`T0', `%xmm8') define(`T1', `%xmm9') define(`T2', `%xmm10') define(`T3', `%xmm11') define(`M0011', `%xmm12') include_src(`x86_64/salsa20.m4') .text ALIGN(16) C _salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_salsa20_2core) W64_ENTRY(3, 13) movups (SRC), T0 C [0, 1, 2, 3] movups 16(SRC), T1 C [4, 5, 6, 7] movups 32(SRC), T2 C [8, 9, 10, 11] movups 48(SRC), T3 C [12, 13, 14, 15] pshufd $0xa0, T0, X0 C X0: [0,0,2,2] pshufd $0xf5, T0, Y3 C Y3: [1,1,3,3] pshufd $0xa0, T1, X1 C X1: [4,4,6,6] pshufd $0xf5, T1, Y0 C Y0: [5,5,7,7] pshufd $0xa0, T2, X2 C X2: [8,8,10,10] pshufd $0xf5, T2, Y1 C Y1: [9,9,11,11] pshufd $0xa0, T3, X3 C [12,12,14,14] pshufd $0xf5, T3, Y2 C [13,13,15,15] C Complicated counter increment. Could be done with C mov $1, %eax; movd %eax, TMP; paddq T2, TMP C earlier, but then it gets more complicated to construct X2 and Y1. mov $1, %eax movd %eax, T0 C [1,0,0,0] pshufd $0x51, T0, T0 C [0,1,0,0] pxor T1, T1 paddd T0, X2 pcmpeqd X2, T1 pand T0, T1 paddd T1, Y1 C Load mask registers mov $-1, %eax movd %eax, M0011 pshufd $0x09, M0011, M0011 C 01 01 00 00 C Swap, to get C X0: 0 10 Y0: 5 15 C X1: 4 14 Y1: 9 3 C X2: 8 2 Y2: 13 7 C X3: 12 6 Y3: 1 11 SWAP(X0, X2, M0011) SWAP(X1, X3, M0011) SWAP(Y0, Y2, M0011) SWAP(Y1, Y3, M0011) shrl $1, XREG(COUNT) ALIGN(16) .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C X1: A4 B4 A14 B14 Y1: A9 B9 A3 B3 C X2: A8 B8 A2 B2 Y2: A13 B13 A7 B7 C X3: A12 B12 A6 B6 Y3: A1 B1 A11 B11 movaps X0, T0 paddd X3, T0 movaps T0, T1 movaps Y0, T2 pslld $7, T0 paddd Y3, T2 psrld $25, T1 movaps T2, T3 pxor T0, X1 pslld $7, T2 pxor T1, X1 psrld $25, T3 movaps X0, T0 pxor T2, Y1 paddd X1, T0 pxor T3, Y1 movaps T0, T1 movaps Y0, T2 pslld $9, T0 paddd Y1, T2 psrld $23, T1 movaps T2, T3 pxor T0, X2 pslld $9, T2 pxor T1, X2 psrld $23, T3 movaps X1, T0 pxor T2, Y2 paddd X2, T0 pxor T3, Y2 movaps T0, T1 movaps Y1, T2 pslld $13, T0 paddd Y2, T2 psrld $19, T1 movaps T2, T3 pxor T0, X3 pslld $13, T2 pxor T1, X3 psrld $19, T3 movaps X2, T0 pxor T2, Y3 paddd X3, T0 pxor T3, Y3 movaps T0, T1 movaps Y2, T2 pslld $18, T0 paddd Y3, T2 psrld $14, T1 movaps T2, T3 pxor T0, X0 pslld $18, T2 pxor T1, X0 psrld $14, T3 pxor T2, Y0 pxor T3, Y0 C Register layout: C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C Y1: A3 B3 A9 B9 X1: A4 B4 A14 B14 (Y1 swapped) C X2: A2 B2 A8 B8 Y2: A7 B7 A13 B13 (X2, Y2 swapped) C Y3: A1 B1 A11 B11 X3: A6 B6 A12 B12 (X3 swapped) pshufd $0x4e, Y1, Y1 C 10 11 00 01 pshufd $0x4e, X2, X2 pshufd $0x4e, Y2, Y2 pshufd $0x4e, X3, X3 movaps X0, T0 paddd Y1, T0 movaps T0, T1 movaps Y0, T2 pslld $7, T0 paddd X1, T2 psrld $25, T1 movaps T2, T3 pxor T0, Y3 pslld $7, T2 pxor T1, Y3 psrld $25, T3 movaps Y3, T0 pxor T2, X3 paddd X0, T0 pxor T3, X3 movaps T0, T1 movaps X3, T2 pslld $9, T0 paddd Y0, T2 psrld $23, T1 movaps T2, T3 pxor T0, X2 pslld $9, T2 pxor T1, X2 psrld $23, T3 movaps X2, T0 pxor T2, Y2 paddd Y3, T0 pxor T3, Y2 movaps T0, T1 movaps Y2, T2 pslld $13, T0 paddd X3, T2 psrld $19, T1 movaps T2, T3 pxor T0, Y1 pslld $13, T2 pxor T1, Y1 psrld $19, T3 movaps Y1, T0 pxor T2, X1 paddd X2, T0 pxor T3, X1 movaps T0, T1 movaps X1, T2 pslld $18, T0 paddd Y2, T2 psrld $14, T1 movaps T2, T3 pxor T0, X0 pslld $18, T2 pxor T1, X0 psrld $14, T3 pxor T2, Y0 pxor T3, Y0 pshufd $0x4e, Y1, Y1 C 10 11 00 01 pshufd $0x4e, X2, X2 pshufd $0x4e, Y2, Y2 pshufd $0x4e, X3, X3 decl XREG(COUNT) jnz .Loop SWAP(X0, X2, M0011) SWAP(X1, X3, M0011) SWAP(Y0, Y2, M0011) SWAP(Y1, Y3, M0011) movaps X0, T0 punpckldq Y3, X0 C [A0, A1, B0, B1] punpckhdq Y3, T0 C [A2, A3, B2, B3] movaps X0, Y3 punpcklqdq T0, X0 C [A0, A1, A2, A3] punpckhqdq T0, Y3 C [B0, B1, B2, B3] movups (SRC), T0 paddd T0, X0 paddd T0, Y3 movaps X1, T1 punpckldq Y0, X1 C [A4, A5, B4, B5] punpckhdq Y0, T1 C [A6, A7, B6, B7] movaps X1, Y0 punpcklqdq T1, X1 C [A4, A5, A6, A7] punpckhqdq T1, Y0 C [B4, B5, B6, B7] movups 16(SRC), T1 paddd T1, X1 paddd T1, Y0 movaps X2, T2 punpckldq Y1, X2 C [A8, A9, B8, B9] punpckhdq Y1, T2 C [A10, A11, B10, B11] movaps X2, Y1 punpcklqdq T2, X2 C [A8, A9, A10, A11] punpckhqdq T2, Y1 C [B8, B9, B10, B11] movups 32(SRC), T2 paddd T2, X2 mov $1, %eax movd %eax, M0011 paddq M0011, T2 paddd T2, Y1 movaps X3, T3 punpckldq Y2, X3 C [A12, A13, B12, B13] punpckhdq Y2, T3 C [A14, A15, B14, B15] movaps X3, Y2 punpcklqdq T3, X3 C [A12, A13, A14, A15] punpckhqdq T3, Y2 C [B12, B13, B14, B15] movups 48(SRC), T3 paddd T3, X3 paddd T3, Y2 movups X0,(DST) movups X1,16(DST) movups X2,32(DST) movups X3,48(DST) movups Y3,64(DST) movups Y0,80(DST) movups Y1,96(DST) movups Y2,112(DST) W64_EXIT(3, 13) ret EPILOGUE(_nettle_salsa20_2core) nettle-4.0/x86_64/salsa20-core-internal.asm0000644000000000000000000000507415141166424015255 0ustar00C x86_64/salsa20-core-internal.asm ifelse(` Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`DST', `%rdi') define(`SRC', `%rsi') define(`COUNT', `%rdx') define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`T0', `%xmm4') define(`T1', `%xmm5') define(`M0101', `%xmm6') define(`M0110', `%xmm7') define(`M0011', `%xmm8') include_src(`x86_64/salsa20.m4') C _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_salsa20_core) W64_ENTRY(3, 9) C Load mask registers mov $-1, %eax movd %eax, M0101 pshufd $0x09, M0101, M0011 C 01 01 00 00 pshufd $0x41, M0101, M0110 C 01 00 00 01 pshufd $0x22, M0101, M0101 C 01 00 01 00 movups (SRC), X0 movups 16(SRC), X1 movups 32(SRC), X2 movups 48(SRC), X3 C The original rows are now diagonals. SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) SWAP(X1, X3, M0110) SWAP(X0, X2, M0011) shrl $1, XREG(COUNT) ALIGN(16) .Loop: QROUND(X0, X1, X2, X3) pshufd $0x93, X1, X1 C 11 00 01 10 (least sign. left) pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x39, X3, X3 C 01 10 11 00 QROUND(X0, X3, X2, X1) C Inverse rotation of the rows pshufd $0x39, X1, X1 C 01 10 11 00 pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x93, X3, X3 C 11 00 01 10 decl XREG(COUNT) jnz .Loop SWAP(X0, X2, M0011) SWAP(X1, X3, M0110) SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) movups (SRC), T0 movups 16(SRC), T1 paddd T0, X0 paddd T1, X1 movups X0,(DST) movups X1,16(DST) movups 32(SRC), T0 movups 48(SRC), T1 paddd T0, X2 paddd T1, X3 movups X2,32(DST) movups X3,48(DST) W64_EXIT(3, 9) ret EPILOGUE(_nettle_salsa20_core) nettle-4.0/x86_64/salsa20.m40000644000000000000000000000143015141166424012245 0ustar00C Needs T0 and T1 C QROUND(x0, x1, x2, x3) define(`QROUND', ` movaps $4, T0 C 0 paddd $1, T0 C 1 movaps T0, T1 C 2 pslld `$'7, T0 C 2 psrld `$'25, T1 C 3 pxor T0, $2 C 3 pxor T1, $2 C 4 movaps $1, T0 C 0 paddd $2, T0 C 5 movaps T0, T1 C 6 pslld `$'9, T0 C 6 psrld `$'23, T1 C 7 pxor T0, $3 C 7 pxor T1, $3 C 8 movaps $2, T0 C 0 paddd $3, T0 C 9 movaps T0, T1 C 10 pslld `$'13, T0 C 10 psrld `$'19, T1 C 11 pxor T0, $4 C 11 pxor T1, $4 C 12 movaps $3, T0 C 0 paddd $4, T0 C 13 movaps T0, T1 C 14 pslld `$'18, T0 C 14 psrld `$'14, T1 C 15 pxor T0, $1 C 15 pxor T1, $1 C 16 ') C SWAP(x0, x1, mask) C Swaps bits in x0 and x1, with bits selected by the mask define(`SWAP', ` movaps $1, T0 pxor $2, $1 pand $3, $1 pxor $1, $2 pxor T0, $1 ') nettle-4.0/x86_64/serpent-decrypt.asm0000644000000000000000000002452115141166424014376 0ustar00C x86_64/serpent-decrypt.asm ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/serpent.m4') C Register usage: C Single block serpent state, two copies define(`x0', `%eax') define(`x1', `%ebx') define(`x2', `%ebp') define(`x3', `%r8d') define(`y0', `%r9d') define(`y1', `%r10d') define(`y2', `%r11d') define(`y3', `%r12d') C Quadruple block serpent state, two copies define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`Y0', `%xmm4') define(`Y1', `%xmm5') define(`Y2', `%xmm6') define(`Y3', `%xmm7') define(`MINUS1', `%xmm8') define(`T0', `%xmm9') define(`T1', `%xmm10') define(`T2', `%xmm11') define(`T3', `%xmm12') C Arguments define(`CTX', `%rdi') define(`N', `%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`CNT', `%r13') define(`TMP32', `%r14d') C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 define(`SBOX0I', ` mov $1, $5 xor $3, $5 mov $1, $7 or $2, $7 mov $3, $6 xor $4, $6 xor $6, $7 and $3, $6 or $2, $3 xor $4, $2 or $1, $6 and $3, $2 xor $2, $6 or $7, $1 xor $6, $1 mov $7, $2 and $1, $2 not $7 or $7, $4 xor $3, $4 mov $1, $8 xor $4, $8 or $4, $2 xor $2, $5 ') define(`SBOX1I', ` mov $2, $6 or $4, $6 xor $3, $6 mov $1, $8 xor $2, $8 mov $1, $5 or $6, $5 and $8, $5 xor $5, $2 xor $6, $8 and $4, $2 mov $1, $7 and $3, $7 or $7, $6 or $4, $7 xor $5, $7 not $7 xor $2, $6 xor $6, $5 xor $3, $5 or $7, $1 xor $1, $5 ') define(`SBOX2I', ` mov $1, $5 xor $4, $5 mov $3, $7 xor $4, $7 mov $2, $6 or $7, $6 xor $6, $5 mov $4, $6 or $5, $6 and $2, $6 not $4 mov $1, $8 or $3, $8 and $8, $7 xor $7, $6 and $2, $8 and $3, $1 or $4, $1 xor $1, $8 and $8, $3 xor $1, $3 mov $5, $7 xor $6, $7 xor $3, $7 ') define(`SBOX3I', ` mov $3, $8 or $4, $8 mov $2, $5 and $8, $5 mov $1, $7 or $4, $7 mov $3, $6 xor $7, $6 xor $6, $5 xor $1, $4 xor $4, $8 xor $2, $7 and $6, $7 xor $4, $7 xor $1, $6 or $5, $4 and $4, $6 xor $2, $6 and $7, $1 or $2, $1 xor $1, $8 ') define(`SBOX4I', ` mov $3, $6 xor $4, $6 mov $3, $7 or $4, $7 xor $2, $7 or $4, $2 mov $1, $5 xor $7, $5 xor $7, $4 and $1, $7 xor $7, $6 xor $1, $7 or $3, $7 and $2, $1 mov $1, $8 xor $4, $8 not $1 or $6, $1 xor $1, $5 xor $2, $1 xor $1, $7 ') define(`SBOX5I', ` mov $1, $6 and $4, $6 mov $3, $8 xor $6, $8 mov $2, $5 and $8, $5 mov $1, $7 xor $4, $7 xor $2, $4 xor $7, $5 and $1, $3 and $5, $1 or $2, $3 xor $5, $6 xor $3, $6 mov $5, $7 or $6, $7 xor $8, $7 xor $4, $7 not $2 or $1, $2 xor $2, $8 ') define(`SBOX6I', ` mov $1, $7 xor $3, $7 not $3 mov $2, $5 xor $4, $5 mov $1, $6 or $3, $6 xor $5, $6 mov $2, $8 and $7, $8 or $4, $8 or $3, $4 or $2, $3 and $1, $3 mov $3, $5 xor $8, $5 not $5 and $7, $8 xor $3, $8 xor $6, $1 xor $1, $8 and $5, $2 xor $2, $7 xor $4, $7 ') define(`SBOX7I', ` mov $1, $8 and $2, $8 mov $2, $7 xor $4, $7 or $8, $7 mov $1, $6 or $4, $6 and $3, $6 xor $6, $7 or $3, $8 mov $1, $5 or $2, $5 and $4, $5 xor $5, $8 xor $2, $5 mov $4, $6 xor $8, $6 not $6 or $5, $6 xor $3, $5 xor $1, $6 or $6, $4 xor $4, $5 ') define(`LTI', ` rol `$'10, $3 rol `$'27, $1 mov $2, TMP32 shl `$'7, TMP32 xor $4, $3 xor TMP32, $3 xor $2, $1 xor $4, $1 rol `$'25, $4 rol `$'31, $2 mov $1, TMP32 shl `$'3, TMP32 xor $3, $4 xor TMP32, $4 xor $1, $2 xor $3, $2 rol `$'29, $3 rol `$'19, $1 ') define(`PNOT', ` pxor MINUS1, $1 ') define(`WSBOX0I', ` movdqa $1, $5 pxor $3, $5 movdqa $1, $7 por $2, $7 movdqa $3, $6 pxor $4, $6 pxor $6, $7 pand $3, $6 por $2, $3 pxor $4, $2 por $1, $6 pand $3, $2 pxor $2, $6 por $7, $1 pxor $6, $1 movdqa $7, $2 pand $1, $2 PNOT($7) por $7, $4 pxor $3, $4 movdqa $1, $8 pxor $4, $8 por $4, $2 pxor $2, $5 ') define(`WSBOX1I', ` movdqa $2, $6 por $4, $6 pxor $3, $6 movdqa $1, $8 pxor $2, $8 movdqa $1, $5 por $6, $5 pand $8, $5 pxor $5, $2 pxor $6, $8 pand $4, $2 movdqa $1, $7 pand $3, $7 por $7, $6 por $4, $7 pxor $5, $7 PNOT($7) pxor $2, $6 pxor $6, $5 pxor $3, $5 por $7, $1 pxor $1, $5 ') define(`WSBOX2I', ` movdqa $1, $5 pxor $4, $5 movdqa $3, $7 pxor $4, $7 movdqa $2, $6 por $7, $6 pxor $6, $5 movdqa $4, $6 por $5, $6 pand $2, $6 PNOT($4) movdqa $1, $8 por $3, $8 pand $8, $7 pxor $7, $6 pand $2, $8 pand $3, $1 por $4, $1 pxor $1, $8 pand $8, $3 pxor $1, $3 movdqa $5, $7 pxor $6, $7 pxor $3, $7 ') define(`WSBOX3I', ` movdqa $3, $8 por $4, $8 movdqa $2, $5 pand $8, $5 movdqa $1, $7 por $4, $7 movdqa $3, $6 pxor $7, $6 pxor $6, $5 pxor $1, $4 pxor $4, $8 pxor $2, $7 pand $6, $7 pxor $4, $7 pxor $1, $6 por $5, $4 pand $4, $6 pxor $2, $6 pand $7, $1 por $2, $1 pxor $1, $8 ') define(`WSBOX4I', ` movdqa $3, $6 pxor $4, $6 movdqa $3, $7 por $4, $7 pxor $2, $7 por $4, $2 movdqa $1, $5 pxor $7, $5 pxor $7, $4 pand $1, $7 pxor $7, $6 pxor $1, $7 por $3, $7 pand $2, $1 movdqa $1, $8 pxor $4, $8 PNOT($1) por $6, $1 pxor $1, $5 pxor $2, $1 pxor $1, $7 ') define(`WSBOX5I', ` movdqa $1, $6 pand $4, $6 movdqa $3, $8 pxor $6, $8 movdqa $2, $5 pand $8, $5 movdqa $1, $7 pxor $4, $7 pxor $2, $4 pxor $7, $5 pand $1, $3 pand $5, $1 por $2, $3 pxor $5, $6 pxor $3, $6 movdqa $5, $7 por $6, $7 pxor $8, $7 pxor $4, $7 PNOT($2) por $1, $2 pxor $2, $8 ') define(`WSBOX6I', ` movdqa $1, $7 pxor $3, $7 PNOT($3) movdqa $2, $5 pxor $4, $5 movdqa $1, $6 por $3, $6 pxor $5, $6 movdqa $2, $8 pand $7, $8 por $4, $8 por $3, $4 por $2, $3 pand $1, $3 movdqa $3, $5 pxor $8, $5 PNOT($5) pand $7, $8 pxor $3, $8 pxor $6, $1 pxor $1, $8 pand $5, $2 pxor $2, $7 pxor $4, $7 ') define(`WSBOX7I', ` movdqa $1, $8 pand $2, $8 movdqa $2, $7 pxor $4, $7 por $8, $7 movdqa $1, $6 por $4, $6 pand $3, $6 pxor $6, $7 por $3, $8 movdqa $1, $5 por $2, $5 pand $4, $5 pxor $5, $8 pxor $2, $5 movdqa $4, $6 pxor $8, $6 PNOT($6) por $5, $6 pxor $3, $5 pxor $1, $6 por $6, $4 pxor $4, $5 ') define(`WLTI', ` WROL(10, $3) WROL(27, $1) movdqa $2, T0 pslld `$'7, T0 pxor $4, $3 pxor T0, $3 pxor $2, $1 pxor $4, $1 WROL(25, $4) WROL(31, $2) movdqa $1, T0 pslld `$'3, T0 pxor $3, $4 pxor T0, $4 pxor $1, $2 pxor $3, $2 WROL(29, $3) WROL(19, $1) ') .file "serpent-decrypt.asm" C serpent_decrypt(struct serpent_context *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_serpent_decrypt) C save all registers that need to be saved W64_ENTRY(4, 13) push %rbx push %rbp push %r12 push %r13 push %r14 lea (SRC, N), SRC lea (DST, N), DST neg N jz .Lend cmp $-64, N ja .Lblock_loop pcmpeqd MINUS1, MINUS1 .Lwblock_loop: movups (SRC, N), X0 movups 16(SRC, N), X1 movups 32(SRC, N), X2 movups 48(SRC, N), X3 WTRANSPOSE(X0,X1,X2,X3) mov $384, CNT C FIXME: CNT known, no index register needed WKEYXOR(128, X0,X1,X2,X3) jmp .Lwround_start ALIGN(16) .Lwround_loop: WLTI(X0,X1,X2,X3) .Lwround_start: WSBOX7I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(112, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX6I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(96, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX5I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(80, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX4I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(64, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX3I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(48, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX2I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(32, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX1I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(16, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX0I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(, X0,X1,X2,X3) sub $128, CNT jnc .Lwround_loop WTRANSPOSE(X0,X1,X2,X3) movups X0, (DST, N) movups X1, 16(DST, N) movups X2, 32(DST, N) movups X3, 48(DST, N) C FIXME: Adjust N, so we can use just jnc without an extra cmp. add $64, N jz .Lend cmp $-64, N jbe .Lwblock_loop .Lblock_loop: movl (SRC, N), x0 movl 4(SRC, N), x1 movl 8(SRC, N), x2 movl 12(SRC, N), x3 xor 512(CTX), x0 xor 516(CTX), x1 xor 520(CTX), x2 xor 524(CTX), x3 mov $384, CNT jmp .Lround_start ALIGN(16) .Lround_loop: LTI(x0,x1,x2,x3) .Lround_start: SBOX7I(x0,x1,x2,x3, y0,y1,y2,y3) xor 112(CTX, CNT), y0 xor 116(CTX, CNT), y1 xor 120(CTX, CNT), y2 xor 124(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX6I(y0,y1,y2,y3, x0,x1,x2,x3) xor 96(CTX, CNT), x0 xor 100(CTX, CNT), x1 xor 104(CTX, CNT), x2 xor 108(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX5I(x0,x1,x2,x3, y0,y1,y2,y3) xor 80(CTX, CNT), y0 xor 84(CTX, CNT), y1 xor 88(CTX, CNT), y2 xor 92(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX4I(y0,y1,y2,y3, x0,x1,x2,x3) xor 64(CTX, CNT), x0 xor 68(CTX, CNT), x1 xor 72(CTX, CNT), x2 xor 76(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX3I(x0,x1,x2,x3, y0,y1,y2,y3) xor 48(CTX, CNT), y0 xor 52(CTX, CNT), y1 xor 56(CTX, CNT), y2 xor 60(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX2I(y0,y1,y2,y3, x0,x1,x2,x3) xor 32(CTX, CNT), x0 xor 36(CTX, CNT), x1 xor 40(CTX, CNT), x2 xor 44(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX1I(x0,x1,x2,x3, y0,y1,y2,y3) xor 16(CTX, CNT), y0 xor 20(CTX, CNT), y1 xor 24(CTX, CNT), y2 xor 28(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX0I(y0,y1,y2,y3, x0,x1,x2,x3) xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 sub $128, CNT jnc .Lround_loop movl x0, (DST, N) movl x1, 4(DST, N) movl x2, 8(DST, N) movl x3, 12(DST, N) add $16, N jnc .Lblock_loop .Lend: pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 13) ret EPILOGUE(nettle_serpent_decrypt) nettle-4.0/x86_64/serpent-encrypt.asm0000644000000000000000000003002715141166424014406 0ustar00C x86_64/serpent-encrypt.asm ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/serpent.m4') C Register usage: C Single block serpent state, two copies define(`x0', `%eax') define(`x1', `%ebx') define(`x2', `%ebp') define(`x3', `%r8d') define(`y0', `%r9d') define(`y1', `%r10d') define(`y2', `%r11d') define(`y3', `%r12d') C Quadruple block serpent state, two copies define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`Y0', `%xmm4') define(`Y1', `%xmm5') define(`Y2', `%xmm6') define(`Y3', `%xmm7') define(`MINUS1', `%xmm8') define(`T0', `%xmm9') define(`T1', `%xmm10') define(`T2', `%xmm11') define(`T3', `%xmm12') C Arguments define(`CTX', `%rdi') define(`N', `%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`CNT', `%r13') define(`TMP32', `%r14d') C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 define(`SBOX0', ` mov $2, $8 C y3 = x1 ^ x2 xor $3, $8 mov $1, $5 C y0 = x0 | x3 or $4, $5 mov $1, $6 C y1 = x0 ^ x1 xor $2, $6 xor $5, $8 C y3 ^= y0 mov $3, $7 C y2 = x2 | y3 or $8, $7 xor $4, $1 C x0 ^= x3 and $4, $7 C y2 &= x3 xor $3, $4 C x3 ^= x2 or $2, $3 C x2 |= x1 mov $6, $5 C y0 = y1 & x2 and $3, $5 xor $5, $7 C y2 ^= y0 and $7, $5 C y0 &= y2 xor $3, $5 C y0 ^= x2 and $1, $2 C x1 &= x0 xor $1, $5 C y0 ^= x0 not $5 C y0 = ~y0 mov $5, $6 C y1 = y0 ^ x1 xor $2, $6 xor $4, $6 C y1 ^= x3 ') define(`SBOX1', ` mov $1, $6 C y1 = x0 | x3 or $4, $6 mov $3, $7 C y2 = x2 ^ x3 xor $4, $7 mov $2, $5 C y0 = ~x1 not $5 mov $1, $8 C y3 = x0 ^ x2 xor $3, $8 or $1, $5 C y0 |= x0 and $4, $8 C y3 &= x3 mov $6, $1 C x0 = y1 & y2 and $7, $1 or $2, $8 C y3 |= x1 xor $5, $7 C y2 ^= y0 xor $1, $8 C y3 ^= x0 mov $6, $1 C x0 = y1 ^ y3 xor $8, $1 xor $7, $1 C x0 ^= y2 mov $2, $6 C y1 = x1 & x3 and $4, $6 xor $1, $6 C y1 ^= x0 mov $6, $4 C x3 = y1 | y3 or $8, $4 not $8 C y3 = ~y3 and $4, $5 C y0 &= x3 xor $3, $5 C y0 ^= x2 ') define(`SBOX2', ` mov $1, $7 C y2 = x1 | x2 or $3, $7 mov $1, $6 xor $2, $6 mov $4, $8 xor $7, $8 mov $6, $5 xor $8, $5 or $1, $4 xor $5, $3 mov $2, $1 xor $3, $1 or $2, $3 and $7, $1 xor $3, $8 or $8, $6 xor $1, $6 mov $8, $7 xor $6, $7 xor $2, $7 not $8 xor $4, $7 ') define(`SBOX3', ` mov $1, $6 xor $3, $6 mov $1, $5 or $4, $5 mov $1, $8 and $4, $8 and $5, $6 or $2, $8 mov $1, $7 and $2, $7 or $3, $7 mov $4, $3 xor $6, $3 xor $8, $6 or $3, $1 xor $2, $3 and $4, $8 xor $8, $5 mov $7, $8 xor $3, $8 xor $5, $7 or $8, $4 and $4, $2 mov $1, $5 xor $2, $5 ') define(`SBOX4', ` mov $1, $8 or $2, $8 mov $2, $7 or $3, $7 xor $1, $7 and $4, $8 mov $2, $5 xor $4, $5 or $7, $4 and $4, $1 and $3, $2 xor $8, $3 xor $7, $8 or $2, $7 mov $8, $6 and $5, $6 xor $6, $7 xor $5, $6 or $2, $6 xor $1, $6 and $4, $5 xor $3, $5 not $5 ') define(`SBOX5', ` mov $2, $5 or $4, $5 xor $3, $5 mov $2, $3 xor $4, $3 mov $1, $7 xor $3, $7 and $3, $1 xor $1, $5 mov $2, $8 or $7, $8 or $5, $2 not $5 or $5, $1 xor $3, $8 xor $1, $8 mov $4, $6 or $5, $6 xor $6, $4 xor $7, $6 or $4, $7 xor $2, $7 ') define(`SBOX6', ` mov $1, $5 xor $4, $5 mov $1, $6 and $4, $6 mov $1, $7 or $3, $7 or $2, $4 xor $3, $4 xor $2, $1 mov $2, $8 or $3, $8 xor $2, $3 and $5, $8 xor $3, $6 not $6 and $6, $5 and $6, $2 xor $8, $2 xor $4, $8 xor $2, $7 not $7 xor $7, $5 xor $1, $5 ') define(`SBOX7', ` mov $1, $5 and $3, $5 mov $2, $8 or $5, $8 C t04 xor $3, $8 mov $4, $6 not $6 C t02 and $1, $6 xor $6, $8 mov $3, $6 or $8, $6 xor $1, $6 mov $1, $7 and $2, $7 xor $7, $3 or $4, $7 xor $7, $6 mov $2, $7 or $5, $7 C t04 and $8, $7 xor $6, $2 or $2, $7 xor $1, $7 xor $6, $5 not $4 C t02 or $4, $5 xor $3, $5 ') define(`LT', ` rol `$'13, $1 rol `$'3, $3 xor $1, $2 xor $3, $2 mov $1, TMP32 shl `$'3, TMP32 xor $3, $4 xor TMP32, $4 rol $2 rol `$'7, $4 xor $2, $1 xor $4, $1 mov $2, TMP32 shl `$'7, TMP32 xor $4, $3 xor TMP32, $3 rol `$'5, $1 rol `$'22, $3 ') C Parallel operation on four blocks at a time. C pnot instruction is missing. For lack of a spare register, XOR with C constant in memory. define(`PNOT', ` pxor MINUS1, $1 ') define(`WSBOX0', ` movdqa $2, $8 C y3 = x1 ^ x2 pxor $3, $8 movdqa $1, $5 C y0 = x0 | x3 por $4, $5 movdqa $1, $6 C y1 = x0 ^ x1 pxor $2, $6 pxor $5, $8 C y3 ^= y0 movdqa $3, $7 C y2 = x2 | y3 por $8, $7 pxor $4, $1 C x0 ^= x3 pand $4, $7 C y2 &= x3 pxor $3, $4 C x3 ^= x2 por $2, $3 C x2 |= x1 movdqa $6, $5 C y0 = y1 & x2 pand $3, $5 pxor $5, $7 C y2 ^= y0 pand $7, $5 C y0 &= y2 pxor $3, $5 C y0 ^= x2 pand $1, $2 C x1 &= x0 pxor $1, $5 C y0 ^= x0 PNOT($5) C y0 = ~y0 movdqa $5, $6 C y1 = y0 ^ x1 pxor $2, $6 pxor $4, $6 C y1 ^= x3 ') define(`WSBOX1', ` movdqa $1, $6 C y1 = x0 | x3 por $4, $6 movdqa $3, $7 C y2 = x2 ^ x3 pxor $4, $7 movdqa $2, $5 C y0 = ~x1 PNOT($5) movdqa $1, $8 C y3 = x0 ^ x2 pxor $3, $8 por $1, $5 C y0 |= x0 pand $4, $8 C y3 &= x3 movdqa $6, $1 C x0 = y1 & y2 pand $7, $1 por $2, $8 C y3 |= x1 pxor $5, $7 C y2 ^= y0 pxor $1, $8 C y3 ^= x0 movdqa $6, $1 C x0 = y1 ^ y3 pxor $8, $1 pxor $7, $1 C x0 ^= y2 movdqa $2, $6 C y1 = x1 & x3 pand $4, $6 pxor $1, $6 C y1 ^= x0 movdqa $6, $4 C x3 = y1 | y3 por $8, $4 PNOT($8) C y3 = ~y3 pand $4, $5 C y0 &= x3 pxor $3, $5 C y0 ^= x2 ') define(`WSBOX2', ` movdqa $1, $7 C y2 = x1 | x2 por $3, $7 movdqa $1, $6 pxor $2, $6 movdqa $4, $8 pxor $7, $8 movdqa $6, $5 pxor $8, $5 por $1, $4 pxor $5, $3 movdqa $2, $1 pxor $3, $1 por $2, $3 pand $7, $1 pxor $3, $8 por $8, $6 pxor $1, $6 movdqa $8, $7 pxor $6, $7 pxor $2, $7 PNOT($8) pxor $4, $7 ') define(`WSBOX3', ` movdqa $1, $6 pxor $3, $6 movdqa $1, $5 por $4, $5 movdqa $1, $8 pand $4, $8 pand $5, $6 por $2, $8 movdqa $1, $7 pand $2, $7 por $3, $7 movdqa $4, $3 pxor $6, $3 pxor $8, $6 por $3, $1 pxor $2, $3 pand $4, $8 pxor $8, $5 movdqa $7, $8 pxor $3, $8 pxor $5, $7 por $8, $4 pand $4, $2 movdqa $1, $5 pxor $2, $5 ') define(`WSBOX4', ` movdqa $1, $8 por $2, $8 movdqa $2, $7 por $3, $7 pxor $1, $7 pand $4, $8 movdqa $2, $5 pxor $4, $5 por $7, $4 pand $4, $1 pand $3, $2 pxor $8, $3 pxor $7, $8 por $2, $7 movdqa $8, $6 pand $5, $6 pxor $6, $7 pxor $5, $6 por $2, $6 pxor $1, $6 pand $4, $5 pxor $3, $5 PNOT($5) ') define(`WSBOX5', ` movdqa $2, $5 por $4, $5 pxor $3, $5 movdqa $2, $3 pxor $4, $3 movdqa $1, $7 pxor $3, $7 pand $3, $1 pxor $1, $5 movdqa $2, $8 por $7, $8 por $5, $2 PNOT($5) por $5, $1 pxor $3, $8 pxor $1, $8 movdqa $4, $6 por $5, $6 pxor $6, $4 pxor $7, $6 por $4, $7 pxor $2, $7 ') define(`WSBOX6', ` movdqa $1, $5 pxor $4, $5 movdqa $1, $6 pand $4, $6 movdqa $1, $7 por $3, $7 por $2, $4 pxor $3, $4 pxor $2, $1 movdqa $2, $8 por $3, $8 pxor $2, $3 pand $5, $8 pxor $3, $6 PNOT($6) pand $6, $5 pand $6, $2 pxor $8, $2 pxor $4, $8 pxor $2, $7 PNOT($7) pxor $7, $5 pxor $1, $5 ') define(`WSBOX7', ` movdqa $1, $5 pand $3, $5 movdqa $2, $8 por $5, $8 C t04 pxor $3, $8 movdqa $4, $6 pandn $1, $6 C t02 implicit pxor $6, $8 movdqa $3, $6 por $8, $6 pxor $1, $6 movdqa $1, $7 pand $2, $7 pxor $7, $3 por $4, $7 pxor $7, $6 movdqa $2, $7 por $5, $7 C t04 pand $8, $7 pxor $6, $2 por $2, $7 pxor $1, $7 pxor $6, $5 PNOT($4) C t02 por $4, $5 pxor $3, $5 ') C WLT(x0, x1, x2, x3) define(`WLT', ` WROL(13, $1) WROL(3, $3) pxor $1, $2 pxor $3, $2 movdqa $1, T0 pslld `$'3, T0 pxor $3, $4 pxor T0, $4 WROL(1, $2) WROL(7, $4) pxor $2, $1 pxor $4, $1 movdqa $2, T0 pslld `$'7, T0 pxor $4, $3 pxor T0, $3 WROL(5, $1) WROL(22, $3) ') .file "serpent-encrypt.asm" C serpent_encrypt(struct serpent_context *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_serpent_encrypt) C save all registers that need to be saved W64_ENTRY(4, 13) push %rbx push %rbp push %r12 push %r13 push %r14 lea (SRC, N), SRC lea (DST, N), DST neg N jz .Lend C Point at the final subkey. lea 512(CTX), CTX cmp $-64, N ja .Lblock_loop pcmpeqd MINUS1, MINUS1 .Lwblock_loop: movups (SRC, N), X0 movups 16(SRC, N), X1 movups 32(SRC, N), X2 movups 48(SRC, N), X3 WTRANSPOSE(X0, X1, X2, X3) mov $-512, CNT jmp .Lwround_start ALIGN(16) .Lwround_loop: WLT(X0,X1,X2,X3) .Lwround_start: WKEYXOR(, X0,X1,X2,X3) WSBOX0(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(16, Y0,Y1,Y2,Y3) WSBOX1(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(32, X0,X1,X2,X3) WSBOX2(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(48, Y0,Y1,Y2,Y3) WSBOX3(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(64, X0,X1,X2,X3) WSBOX4(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(80, Y0,Y1,Y2,Y3) WSBOX5(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(96, X0,X1,X2,X3) WSBOX6(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(112, Y0,Y1,Y2,Y3) WSBOX7(Y0,Y1,Y2,Y3, X0,X1,X2,X3) add $128, CNT jnz .Lwround_loop C FIXME: CNT known to be zero, no index register needed WKEYXOR(, X0,X1,X2,X3) WTRANSPOSE(X0,X1,X2,X3) movups X0, (DST, N) movups X1, 16(DST, N) movups X2, 32(DST, N) movups X3, 48(DST, N) C FIXME: Adjust N, so we can use just jnc without an extra cmp. add $64, N jz .Lend cmp $-64, N jbe .Lwblock_loop C The single-block loop here is slightly slower than the double-block C loop in serpent-encrypt.c. C FIXME: Should use non-sse2 code only if we have a single block left. C With two or three blocks, it should be better to do them in C parallell. .Lblock_loop: movl (SRC, N), x0 movl 4(SRC, N), x1 movl 8(SRC, N), x2 movl 12(SRC, N), x3 mov $-512, CNT jmp .Lround_start ALIGN(16) .Lround_loop: LT(x0,x1,x2,x3) .Lround_start: xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 SBOX0(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 16(CTX, CNT), y0 xor 20(CTX, CNT), y1 xor 24(CTX, CNT), y2 xor 28(CTX, CNT), y3 SBOX1(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 32(CTX, CNT), x0 xor 36(CTX, CNT), x1 xor 40(CTX, CNT), x2 xor 44(CTX, CNT), x3 SBOX2(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 48(CTX, CNT), y0 xor 52(CTX, CNT), y1 xor 56(CTX, CNT), y2 xor 60(CTX, CNT), y3 SBOX3(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 64(CTX, CNT), x0 xor 68(CTX, CNT), x1 xor 72(CTX, CNT), x2 xor 76(CTX, CNT), x3 SBOX4(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 80(CTX, CNT), y0 xor 84(CTX, CNT), y1 xor 88(CTX, CNT), y2 xor 92(CTX, CNT), y3 SBOX5(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 96(CTX, CNT), x0 xor 100(CTX, CNT), x1 xor 104(CTX, CNT), x2 xor 108(CTX, CNT), x3 SBOX6(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 112(CTX, CNT), y0 xor 116(CTX, CNT), y1 xor 120(CTX, CNT), y2 xor 124(CTX, CNT), y3 SBOX7(y0,y1,y2,y3, x0,x1,x2,x3) add $128, CNT jnz .Lround_loop C Apply final subkey. xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 movl x0, (DST, N) movl x1, 4(DST, N) movl x2, 8(DST, N) movl x3, 12(DST, N) add $16, N jnc .Lblock_loop .Lend: pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 13) ret EPILOGUE(nettle_serpent_encrypt) nettle-4.0/x86_64/serpent.m40000644000000000000000000000462015141166424012464 0ustar00C x86_64/serpent.m4 ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C WROL(count, w) define(`WROL', ` movdqa $2, T0 pslld `$'$1, $2 psrld `$'eval(32 - $1), T0 por T0, $2 ') C Note: Diagrams use little-endian representation, with least C significant word to the left. C Transpose values from: C +----+----+----+----+ C x0: | a0 | a1 | a2 | a3 | C x1: | b0 | b1 | b2 | b3 | C x2: | c0 | c1 | c2 | c3 | C x3: | d0 | d1 | d2 | d3 | C +----+----+----+----+ C To: C +----+----+----+----+ C x0: | a0 | b0 | c0 | d0 | C x1: | a1 | b1 | c1 | d1 | C x2: | a2 | b2 | c2 | d2 | C x3: | a3 | b3 | c3 | d3 | C +----+----+----+----+ define(`WTRANSPOSE', ` movdqa $1, T0 punpcklqdq $3, T0 C |a0 a1 c0 c1| punpckhqdq $3, $1 C |a2 a3 c2 c3| pshufd `$'0xd8, T0, T0 C |a0 c0 a1 c1| pshufd `$'0xd8, $1, T1 C |a2 c2 a3 c3| movdqa $2, T2 punpcklqdq $4, T2 C |b0 b1 d0 11| punpckhqdq $4, $2 C |b2 b3 d2 d3| pshufd `$'0xd8, T2, T2 C |b0 d0 b1 d1| pshufd `$'0xd8, $2, T3 C |b2 d2 b3 d3| movdqa T0, $1 punpckldq T2, $1 C |a0 b0 c0 d0| movdqa T0, $2 punpckhdq T2, $2 C |a1 b1 c1 d1| movdqa T1, $3 punpckldq T3, $3 C |a2 b2 c2 d2| movdqa T1, $4 punpckhdq T3, $4 C |a3 b3 c3 d3| ') C FIXME: Arrange 16-byte alignment, so we can use movaps? define(`WKEYXOR', ` movups $1(CTX, CNT), T0 pshufd `$'0x55, T0, T1 pshufd `$'0xaa, T0, T2 pxor T1, $3 pxor T2, $4 pshufd `$'0xff, T0, T1 pshufd `$'0x00, T0, T0 pxor T1, $5 pxor T0, $2 ') nettle-4.0/x86_64/sha1-compress.asm0000644000000000000000000001732115141166424013733 0ustar00C x86_64/sha1-compress.asm ifelse(` Copyright (C) 2004, 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage. KVALUE and INPUT share a register. define(`SA',`%eax')dnl define(`SB',`%r8d')dnl define(`SC',`%ecx')dnl define(`SD',`%edx')dnl define(`SE',`%r9d')dnl define(`DATA',`%rsp')dnl define(`T1',`%r10d')dnl define(`T2',`%r11d')dnl define(`KVALUE', `%esi')dnl C Arguments define(`STATE',`%rdi')dnl define(`INPUT',`%rsi')dnl C Constants define(`K1VALUE', ``$'0x5A827999')dnl C Rounds 0-19 define(`K2VALUE', ``$'0x6ED9EBA1')dnl C Rounds 20-39 define(`K3VALUE', ``$'0x8F1BBCDC')dnl C Rounds 40-59 define(`K4VALUE', ``$'0xCA62C1D6')dnl C Rounds 60-79 C Reads the input into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) define(`SWAP', ` movl OFFSET($1)(INPUT), $2 bswap $2 movl $2, OFFSET($1) (DATA) ')dnl C The f functions, C C f1(x,y,z) = z ^ (x & (y ^ z)) C f2(x,y,z) = x ^ y ^ z C f3(x,y,z) = (x & y) | (z & (x | y)) C = (x & (y ^ z)) + (y & z) C f4 = f2 C This form for f3 was suggested by George Spelvin. The terms can be C added into the result one at a time, saving one temporary. C expand(i) is the expansion function C C W[i] = (W[i - 16] ^ W[i - 14] ^ W[i - 8] ^ W[i - 3]) <<< 1 C C where W[i] is stored in DATA[i mod 16]. C The form of one sha1 round is C C a' = e + a <<< 5 + f( b, c, d ) + k + w; C b' = a; C c' = b <<< 30; C d' = c; C e' = d; C C where <<< denotes rotation. We permute our variables, so that we C instead get C C e += a <<< 5 + f( b, c, d ) + k + w; C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) define(`ROUND_F1', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 andl $2, T2 xorl $4, T2 roll `$'30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 roll `$'5, T1 addl T1, $5 addl T2, $5 ') dnl ROUND_F1_NOEXP(a, b, c, d, e, i) define(`ROUND_F1_NOEXP', ` movl $4, T2 xorl $3, T2 movl $1, T1 andl $2, T2 addl OFFSET($6) (DATA), $5 xorl $4, T2 addl T2, $5 roll `$'30, $2 roll `$'5, T1 addl T1, $5 addl KVALUE, $5 ') dnl ROUND_F2(a, b, c, d, e, i) define(`ROUND_F2', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 xorl $2, T2 roll `$'30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 roll `$'5, T1 addl T1, $5 addl T2, $5 ') dnl ROUND_F3(a, b, c, d, e, i) define(`ROUND_F3', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 andl $3, T2 addl T1, $5 addl KVALUE, $5 movl $4, T1 xorl $3, T1 andl $2, T1 addl T2, $5 roll `$'30, $2 movl $1, T2 roll `$'5, T2 addl T1, $5 addl T2, $5 ') .file "sha1-compress.asm" C nettle_sha1_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved W64_ENTRY(2, 0) sub $64, %rsp C %rsp = W C Load and byteswap data SWAP( 0, SA) SWAP( 1, SB) SWAP( 2, SC) SWAP( 3, SD) SWAP( 4, SA) SWAP( 5, SB) SWAP( 6, SC) SWAP( 7, SD) SWAP( 8, SA) SWAP( 9, SB) SWAP(10, SC) SWAP(11, SD) SWAP(12, SA) SWAP(13, SB) SWAP(14, SC) SWAP(15, SD) C Load the state vector movl (STATE), SA movl 4(STATE), SB movl 8(STATE), SC movl 12(STATE), SD movl 16(STATE), SE movl K1VALUE, KVALUE ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 0) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 1) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 2) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 3) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 4) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 5) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 6) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 7) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 8) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 9) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 10) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 11) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 12) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 13) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 14) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 15) ROUND_F1(SE, SA, SB, SC, SD, 16) ROUND_F1(SD, SE, SA, SB, SC, 17) ROUND_F1(SC, SD, SE, SA, SB, 18) ROUND_F1(SB, SC, SD, SE, SA, 19) movl K2VALUE, KVALUE ROUND_F2(SA, SB, SC, SD, SE, 20) ROUND_F2(SE, SA, SB, SC, SD, 21) ROUND_F2(SD, SE, SA, SB, SC, 22) ROUND_F2(SC, SD, SE, SA, SB, 23) ROUND_F2(SB, SC, SD, SE, SA, 24) ROUND_F2(SA, SB, SC, SD, SE, 25) ROUND_F2(SE, SA, SB, SC, SD, 26) ROUND_F2(SD, SE, SA, SB, SC, 27) ROUND_F2(SC, SD, SE, SA, SB, 28) ROUND_F2(SB, SC, SD, SE, SA, 29) ROUND_F2(SA, SB, SC, SD, SE, 30) ROUND_F2(SE, SA, SB, SC, SD, 31) ROUND_F2(SD, SE, SA, SB, SC, 32) ROUND_F2(SC, SD, SE, SA, SB, 33) ROUND_F2(SB, SC, SD, SE, SA, 34) ROUND_F2(SA, SB, SC, SD, SE, 35) ROUND_F2(SE, SA, SB, SC, SD, 36) ROUND_F2(SD, SE, SA, SB, SC, 37) ROUND_F2(SC, SD, SE, SA, SB, 38) ROUND_F2(SB, SC, SD, SE, SA, 39) movl K3VALUE, KVALUE ROUND_F3(SA, SB, SC, SD, SE, 40) ROUND_F3(SE, SA, SB, SC, SD, 41) ROUND_F3(SD, SE, SA, SB, SC, 42) ROUND_F3(SC, SD, SE, SA, SB, 43) ROUND_F3(SB, SC, SD, SE, SA, 44) ROUND_F3(SA, SB, SC, SD, SE, 45) ROUND_F3(SE, SA, SB, SC, SD, 46) ROUND_F3(SD, SE, SA, SB, SC, 47) ROUND_F3(SC, SD, SE, SA, SB, 48) ROUND_F3(SB, SC, SD, SE, SA, 49) ROUND_F3(SA, SB, SC, SD, SE, 50) ROUND_F3(SE, SA, SB, SC, SD, 51) ROUND_F3(SD, SE, SA, SB, SC, 52) ROUND_F3(SC, SD, SE, SA, SB, 53) ROUND_F3(SB, SC, SD, SE, SA, 54) ROUND_F3(SA, SB, SC, SD, SE, 55) ROUND_F3(SE, SA, SB, SC, SD, 56) ROUND_F3(SD, SE, SA, SB, SC, 57) ROUND_F3(SC, SD, SE, SA, SB, 58) ROUND_F3(SB, SC, SD, SE, SA, 59) movl K4VALUE, KVALUE ROUND_F2(SA, SB, SC, SD, SE, 60) ROUND_F2(SE, SA, SB, SC, SD, 61) ROUND_F2(SD, SE, SA, SB, SC, 62) ROUND_F2(SC, SD, SE, SA, SB, 63) ROUND_F2(SB, SC, SD, SE, SA, 64) ROUND_F2(SA, SB, SC, SD, SE, 65) ROUND_F2(SE, SA, SB, SC, SD, 66) ROUND_F2(SD, SE, SA, SB, SC, 67) ROUND_F2(SC, SD, SE, SA, SB, 68) ROUND_F2(SB, SC, SD, SE, SA, 69) ROUND_F2(SA, SB, SC, SD, SE, 70) ROUND_F2(SE, SA, SB, SC, SD, 71) ROUND_F2(SD, SE, SA, SB, SC, 72) ROUND_F2(SC, SD, SE, SA, SB, 73) ROUND_F2(SB, SC, SD, SE, SA, 74) ROUND_F2(SA, SB, SC, SD, SE, 75) ROUND_F2(SE, SA, SB, SC, SD, 76) ROUND_F2(SD, SE, SA, SB, SC, 77) ROUND_F2(SC, SD, SE, SA, SB, 78) ROUND_F2(SB, SC, SD, SE, SA, 79) C Update the state vector addl SA, (STATE) addl SB, 4(STATE) addl SC, 8(STATE) addl SD, 12(STATE) addl SE, 16(STATE) add $64, %rsp W64_EXIT(2, 0) ret EPILOGUE(nettle_sha1_compress) nettle-4.0/x86_64/sha256-compress-n.asm0000644000000000000000000001205315141166424014337 0ustar00C x86_64/sha256-compress-n.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" define(`STATE', `%rdi') define(`K', `%rsi') define(`BLOCKS', `%rdx') define(`INPUT', `%rcx') define(`STATE_SAVED', `64(%rsp)') define(`SA', `%eax') define(`SB', `%ebx') define(`SC', `%ebp') define(`SD', `%r8d') define(`SE', `%r9d') define(`SF', `%r10d') define(`SG', `%r11d') define(`SH', `%r12d') define(`T0', `%r13d') define(`T1', `%r14d') define(`COUNT', `%rdi') C Overlap STATE define(`W', `%r15d') define(`EXPN', ` movl OFFSET($1)(%rsp), W movl OFFSET(eval(($1 + 14) % 16))(%rsp), T0 movl T0, T1 shrl `$'10, T0 roll `$'13, T1 xorl T1, T0 roll `$'2, T1 xorl T1, T0 addl T0, W movl OFFSET(eval(($1 + 1) % 16))(%rsp), T0 movl T0, T1 shrl `$'3, T0 roll `$'14, T1 xorl T1, T0 roll `$'11, T1 xorl T1, T0 addl T0, W addl OFFSET(eval(($1 + 9) % 16))(%rsp), W movl W, OFFSET($1)(%rsp) ') C ROUND(A,B,C,D,E,F,G,H,K) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<26 ^ E<<<21 ^ E<<<7 C S0(A) = A<<<30 ^ A<<<19 ^ A<<<10 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(`ROUND', ` movl $5, T0 movl $5, T1 roll `$'7, T0 roll `$'21, T1 xorl T0, T1 roll `$'19, T0 xorl T0, T1 addl W, $8 addl T1, $8 movl $7, T0 xorl $6, T0 andl $5, T0 xorl $7, T0 addl OFFSET($9)(K,COUNT,4), $8 addl T0, $8 addl $8, $4 movl $1, T0 movl $1, T1 roll `$'10, T0 roll `$'19, T1 xorl T0, T1 roll `$'20, T0 xorl T0, T1 addl T1, $8 movl $1, T0 movl $1, T1 andl $2, T0 xorl $2, T1 addl T0, $8 andl $3, T1 addl T1, $8 ') define(`NOEXPN', ` movl OFFSET($1)(INPUT, COUNT, 4), W bswapl W movl W, OFFSET($1)(%rsp, COUNT, 4) ') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) .text ALIGN(16) PROLOGUE(_nettle_sha256_compress_n) W64_ENTRY(4, 0) test BLOCKS, BLOCKS jz .Lend sub $120, %rsp mov STATE, STATE_SAVED C Save state, to free a register mov %rbx, 72(%rsp) mov %rbp, 80(%rsp) mov %r12, 88(%rsp) mov %r13, 96(%rsp) mov %r14, 104(%rsp) mov %r15, 112(%rsp) movl (STATE), SA movl 4(STATE), SB movl 8(STATE), SC movl 12(STATE), SD movl 16(STATE), SE movl 20(STATE), SF movl 24(STATE), SG movl 28(STATE), SH .Loop_block: xorl XREG(COUNT), XREG(COUNT) ALIGN(16) .Loop1: NOEXPN(0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) NOEXPN(1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) NOEXPN(2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) NOEXPN(3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) NOEXPN(4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) NOEXPN(5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) NOEXPN(6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) NOEXPN(7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) addl $8, XREG(COUNT) cmpl $16, XREG(COUNT) jne .Loop1 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,14) EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,15) addl $16, XREG(COUNT) cmpl $64, XREG(COUNT) jne .Loop2 mov STATE_SAVED, STATE addl (STATE), SA addl 4(STATE), SB addl 8(STATE), SC addl 12(STATE), SD addl 16(STATE), SE addl 20(STATE), SF addl 24(STATE), SG addl 28(STATE), SH movl SA, (STATE) movl SB, 4(STATE) movl SC, 8(STATE) movl SD, 12(STATE) movl SE, 16(STATE) movl SF, 20(STATE) movl SG, 24(STATE) movl SH, 28(STATE) add $64, INPUT dec BLOCKS jnz .Loop_block mov 72(%rsp), %rbx mov 80(%rsp), %rbp mov 88(%rsp), %r12 mov 96(%rsp), %r13 mov 104(%rsp),%r14 mov 112(%rsp),%r15 add $120, %rsp .Lend: mov INPUT, %rax W64_EXIT(4, 0) ret EPILOGUE(_nettle_sha256_compress_n) nettle-4.0/x86_64/sha3-permute.asm0000644000000000000000000002465015141166424013566 0ustar00C x86_64/sha3-permute.asm ifelse(` Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`CTX', `%rdi') C 25 64-bit values, 200 bytes. define(`COUNT', `%r8') C Avoid clobbering %rsi, for W64. define(`A00', `%rax') define(`A0102', `%xmm0') define(`A0304', `%xmm1') define(`A05', `%rcx') define(`A0607', `%xmm2') define(`A0809', `%xmm3') define(`A10', `%rdx') define(`A1112', `%xmm4') define(`A1314', `%xmm5') define(`A15', `%rbp') define(`A1617', `%xmm6') define(`A1819', `%xmm7') define(`A20', `%r9') define(`A2122', `%xmm8') define(`A2324', `%xmm9') define(`C0', `%r10') define(`C12', `%xmm10') define(`C34', `%xmm11') define(`D0', `%r11') define(`D12', `%xmm12') define(`D34', `%xmm13') C Wide temporaries define(`W0', `%xmm14') define(`W1', `%xmm15') define(`W2', `%xmm12') C Overlap D12 define(`W3', `%xmm13') C Overlap D34 define(`T0', `%r12') define(`T1', `%r13') define(`T2', `%r11') C Overlap D0 define(`T3', `%r10') C Overlap C0 define(`RC', `%r14') define(`OFFSET', `ifelse($1,0,,eval(8*$1))') define(`STATE', `OFFSET($1)(CTX)') define(`SWAP64', `pshufd `$'0x4e,') define(`DIRECT_MOVQ', `no') C MOVQ(src, dst), for moves between a general register and an xmm C register. ifelse(DIRECT_MOVQ, yes, ` C movq calls that are equal to the corresponding movd, C where the Apple assembler requires them to be written as movd. define(`MOVQ', `movd $1, $2') ', ` C Moving via (cached) memory is generally faster. define(`MOVQ', ` movq $1, (CTX) movq (CTX), $2 ')') C ROTL64(rot, register, temp) C Caller needs to or together the result. define(`ROTL64', ` movdqa $2, $3 psllq `$'$1, $2 psrlq `$'eval(64-$1), $3 ') .file "sha3-permute.asm" C sha3_permute(struct sha3_state *ctx) .text ALIGN(16) PROLOGUE(nettle_sha3_permute) W64_ENTRY(1, 16) push %rbp push %r12 push %r13 push %r14 movl $24, XREG(COUNT) lea .rc-8(%rip), RC movq STATE(0), A00 movups STATE(1), A0102 movups STATE(3), A0304 movq A00, C0 movq STATE(5), A05 movdqa A0102, C12 movups STATE(6), A0607 movdqa A0304, C34 movups STATE(8), A0809 xorq A05, C0 movq STATE(10), A10 pxor A0607, C12 movups STATE(11), A1112 pxor A0809, C34 movups STATE(13), A1314 xorq A10, C0 movq STATE(15), A15 pxor A1112, C12 movups STATE(16), A1617 pxor A1314, C34 movups STATE(18), A1819 xorq A15, C0 movq STATE(20), A20 pxor A1617, C12 movups STATE(21), A2122 pxor A1819, C34 movups STATE(23), A2324 xorq A20, C0 pxor A2122, C12 pxor A2324, C34 ALIGN(16) .Loop: C The theta step. Combine parity bits, then xor to state. C D0 = C4 ^ (C1 <<< 1) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) C Shift the words around, putting (C0, C1) in D12, (C2, C3) in C D34, and (C4, C0) in C34. C Notes on "unpack" instructions: C punpckhqdq 01, 23 gives 31 C punpcklqdq 01, 23 gives 20 SWAP64 C34, C34 C Holds C4, C3 movdqa C12, D34 MOVQ(C0, D12) punpcklqdq C12, D12 C Holds C0, C1 punpckhqdq C34, D34 C Holds C2, C3 punpcklqdq D12, C34 C Holds C4, C0 MOVQ(C34, D0) MOVQ(C12, T0) rolq $1, T0 xorq T0, D0 C Can use C12 as temporary movdqa D34, W0 movdqa D34, W1 psllq $1, W0 psrlq $63, W1 pxor W0, D12 pxor W1, D12 C Done D12 movdqa C34, C12 psrlq $63, C34 psllq $1, C12 pxor C34, D34 pxor C12, D34 C Done D34 xorq D0, A00 xorq D0, A05 xorq D0, A10 xorq D0, A15 xorq D0, A20 pxor D12, A0102 pxor D12, A0607 pxor D12, A1112 pxor D12, A1617 pxor D12, A2122 pxor D34, A0304 pxor D34, A0809 pxor D34, A1314 pxor D34, A1819 pxor D34, A2324 C theta step done, no C, D or W temporaries alive. C rho and pi steps. When doing the permutations, also C transpose the matrix. C The combined permutation + transpose gives the following C cycles (rotation counts in parenthesis) C 0 <- 0(0) C 1 <- 3(28) <- 4(27) <- 2(62) <- 1(1) C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C Do the 1,2,3,4 row. First rotate, then permute. movdqa A0102, W0 movdqa A0102, W1 movdqa A0102, W2 psllq $1, A0102 psrlq $63, W0 psllq $62, W1 por A0102, W0 C rotl 1 (A01) psrlq $2, W2 por W1, W2 C rotl 62 (A02) movdqa A0304, A0102 movdqa A0304, W1 psllq $28, A0102 psrlq $36, W1 por W1, A0102 C rotl 28 (A03) movdqa A0304, W1 psllq $27, A0304 psrlq $37, W1 por W1, A0304 C rotl 27 (A04) punpcklqdq W0, A0102 punpckhqdq W2, A0304 C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C __ _______ C _ L' ` L_ __` C |5| |6|7| |8|9| C `-_________-^`-^ rolq $36, A05 MOVQ(A05, W0) MOVQ(A0607, A05) rolq $44, A05 C Done A05 ROTL64(6, A0607, W1) por A0607, W1 movdqa A0809, A0607 ROTL64(20, A0607, W2) por W2, A0607 punpckhqdq W1, A0607 C Done A0607 ROTL64(55, A0809, W1) por A0809, W1 movdqa W0, A0809 punpcklqdq W1, A0809 C Done 0809 C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C _____ ___ C __L' __`_L_ `_____ C |10| |11|12| |13|14| C `-___-^`-______-^ C rolq $42, A10 C 42 + 25 = 3 (mod 64) SWAP64 A1112, W0 MOVQ(A10, A1112) MOVQ(W0, A10) rolq $43, A10 C Done A10 punpcklqdq A1314, A1112 ROTL64(25, A1112, W1) por W1, A1112 C Done A1112 ROTL64(39, A1314, W2) por A1314, W2 ROTL64(10, W0, A1314) por W0, A1314 punpckhqdq W2, A1314 C Done A1314 C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C _____________ C / _______ C _L' ____L' | `_ C |15| |16|17| |18|19| C \ `_____-^ ^ C \_________________/ SWAP64 A1819, W0 rolq $41, A15 MOVQ(A15, W1) MOVQ(A1819, A15) rolq $21, A15 C Done A15 SWAP64 A1617, A1819 ROTL64(45, A1617, W2) por W2, A1617 ROTL64(8, W0, W3) por W3, W0 punpcklqdq W0, A1617 C Done A1617 ROTL64(15, A1819, W2) por W2, A1819 punpcklqdq W1, A1819 C Done A1819 C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C _______________ C / \ C _L' _L'\_ ___`_ C |20| |21|22| |23|24| C \ `__ ^________-^ C \_______/ rolq $18, A20 MOVQ(A20, W0) SWAP64 A2324, W1 movd W1, A20 rolq $14, A20 C Done A20 ROTL64(56, A2324, W1) por W1, A2324 movdqa A2122, W2 ROTL64(2, W2, W1) por W1, W2 punpcklqdq W2, A2324 C Done A2324 ROTL64(61, A2122, W1) por W1, A2122 psrldq $8, A2122 punpcklqdq W0, A2122 C Done A2122 C chi step. With the transposed matrix, applied independently C to each column. movq A05, T0 notq T0 andq A10, T0 movq A10, T1 notq T1 andq A15, T1 movq A15, T2 notq T2 andq A20, T2 xorq T2, A10 movq A20, T3 notq T3 andq A00, T3 xorq T3, A15 movq A00, T2 notq T2 andq A05, T2 xorq T2, A20 xorq T0, A00 xorq T1, A05 movdqa A0607, W0 pandn A1112, W0 movdqa A1112, W1 pandn A1617, W1 movdqa A1617, W2 pandn A2122, W2 pxor W2, A1112 movdqa A2122, W3 pandn A0102, W3 pxor W3, A1617 movdqa A0102, W2 pandn A0607, W2 pxor W2, A2122 pxor W0, A0102 pxor W1, A0607 movdqa A0809, W0 pandn A1314, W0 movdqa A1314, W1 pandn A1819, W1 movdqa A1819, W2 pandn A2324, W2 pxor W2, A1314 movdqa A2324, W3 pandn A0304, W3 pxor W3, A1819 movdqa A0304, W2 pandn A0809, W2 pxor W2, A2324 pxor W0, A0304 pxor W1, A0809 xorq (RC, COUNT, 8), A00 C Transpose. C Swap (A05, A10) <-> A0102, and (A15, A20) <-> A0304, C and also copy to C12 and C34 while at it. MOVQ(A05, C12) MOVQ(A15, C34) MOVQ(A10, W0) MOVQ(A20, W1) movq A00, C0 punpcklqdq W0, C12 punpcklqdq W1, C34 MOVQ(A0102, A05) MOVQ(A0304, A15) psrldq $8, A0102 psrldq $8, A0304 xorq A05, C0 xorq A15, C0 MOVQ(A0102, A10) MOVQ(A0304, A20) movdqa C12, A0102 movdqa C34, A0304 C Transpose (A0607, A1112) movdqa A0607, W0 punpcklqdq A1112, A0607 xorq A10, C0 xorq A20, C0 punpckhqdq W0, A1112 SWAP64 A1112, A1112 C Transpose (A1819, A2324) movdqa A1819, W0 punpcklqdq A2324, A1819 pxor A0607, C12 pxor A1112, C12 punpckhqdq W0, A2324 SWAP64 A2324, A2324 C Transpose (A0809, A1314) and (A1617, A2122), and swap movdqa A0809, W0 movdqa A1314, W1 movdqa A1617, A0809 movdqa A2122, A1314 pxor A1819, C34 pxor A2324, C34 punpcklqdq A2122, A0809 punpckhqdq A1617, A1314 SWAP64 A1314, A1314 movdqa W0, A1617 movdqa W1, A2122 pxor A0809, C34 pxor A1314, C34 punpcklqdq W1, A1617 punpckhqdq W0, A2122 SWAP64 A2122, A2122 decl XREG(COUNT) pxor A1617, C12 pxor A2122, C12 jnz .Loop movq A00, STATE(0) movups A0102, STATE(1) movups A0304, STATE(3) movq A05, STATE(5) movups A0607, STATE(6) movups A0809, STATE(8) movq A10, STATE(10) movups A1112, STATE(11) movups A1314, STATE(13) movq A15, STATE(15) movups A1617, STATE(16) movups A1819, STATE(18) movq A20, STATE(20) movups A2122, STATE(21) movups A2324, STATE(23) pop %r14 pop %r13 pop %r12 pop %rbp W64_EXIT(1, 16) ret EPILOGUE(nettle_sha3_permute) ALIGN(16) .rc: C In reverse order .quad 0x8000000080008008 .quad 0x0000000080000001 .quad 0x8000000000008080 .quad 0x8000000080008081 .quad 0x800000008000000A .quad 0x000000000000800A .quad 0x8000000000000080 .quad 0x8000000000008002 .quad 0x8000000000008003 .quad 0x8000000000008089 .quad 0x800000000000008B .quad 0x000000008000808B .quad 0x000000008000000A .quad 0x0000000080008009 .quad 0x0000000000000088 .quad 0x000000000000008A .quad 0x8000000000008009 .quad 0x8000000080008081 .quad 0x0000000080000001 .quad 0x000000000000808B .quad 0x8000000080008000 .quad 0x800000000000808A .quad 0x0000000000008082 .quad 0x0000000000000001 nettle-4.0/x86_64/sha512-compress.asm0000644000000000000000000001107015141166424014075 0ustar00C x86_64/sha512-compress.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha512-compress.asm" define(`STATE', `%rdi') define(`INPUT', `%rsi') define(`K', `%rdx') define(`SA', `%rax') define(`SB', `%rbx') define(`SC', `%rcx') define(`SD', `%r8') define(`SE', `%r9') define(`SF', `%r10') define(`SG', `%r11') define(`SH', `%r12') define(`T0', `%r13') define(`T1', `%rdi') C Overlap STATE define(`COUNT', `%r14') define(`W', `%r15') define(`EXPN', ` mov OFFSET64($1)(%rsp), W mov OFFSET64(eval(($1 + 14) % 16))(%rsp), T0 mov T0, T1 shr `$'6, T0 rol `$'3, T1 xor T1, T0 rol `$'42, T1 xor T1, T0 add T0, W mov OFFSET64(eval(($1 + 1) % 16))(%rsp), T0 mov T0, T1 shr `$'7, T0 rol `$'56, T1 xor T1, T0 rol `$'7, T1 xor T1, T0 add T0, W add OFFSET64(eval(($1 + 9) % 16))(%rsp), W mov W, OFFSET64($1)(%rsp) ') C ROUND(A,B,C,D,E,F,G,H,K) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<50 ^ E<<<46 ^ E<<<23 C S0(A) = A<<<36 ^ A<<<30 ^ A<<<25 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(`ROUND', ` mov $5, T0 mov $5, T1 rol `$'23, T0 rol `$'46, T1 xor T0, T1 rol `$'27, T0 xor T0, T1 add W, $8 add T1, $8 mov $7, T0 xor $6, T0 and $5, T0 xor $7, T0 add OFFSET64($9)(K,COUNT,8), $8 add T0, $8 add $8, $4 mov $1, T0 mov $1, T1 rol `$'25, T0 rol `$'30, T1 xor T0, T1 rol `$'11, T0 xor T0, T1 add T1, $8 mov $1, T0 mov $1, T1 and $2, T0 xor $2, T1 add T0, $8 and $3, T1 add T1, $8 ') define(`NOEXPN', ` mov OFFSET64($1)(INPUT, COUNT, 8), W bswap W mov W, OFFSET64($1)(%rsp, COUNT, 8) ') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) .text ALIGN(16) PROLOGUE(_nettle_sha512_compress) W64_ENTRY(3, 0) sub $184, %rsp mov %rbx, 128(%rsp) mov STATE, 136(%rsp) C Save state, to free a register mov %rbp, 144(%rsp) mov %r12, 152(%rsp) mov %r13, 160(%rsp) mov %r14, 168(%rsp) mov %r15, 176(%rsp) mov (STATE), SA mov 8(STATE), SB mov 16(STATE), SC mov 24(STATE), SD mov 32(STATE), SE mov 40(STATE), SF mov 48(STATE), SG mov 56(STATE), SH xor COUNT, COUNT ALIGN(16) .Loop1: NOEXPN(0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) NOEXPN(1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) NOEXPN(2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) NOEXPN(3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) NOEXPN(4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) NOEXPN(5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) NOEXPN(6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) NOEXPN(7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) add $8, COUNT cmp $16, COUNT jne .Loop1 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,14) EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,15) add $16, COUNT cmp $80, COUNT jne .Loop2 mov 136(%rsp), STATE add SA, (STATE) add SB, 8(STATE) add SC, 16(STATE) add SD, 24(STATE) add SE, 32(STATE) add SF, 40(STATE) add SG, 48(STATE) add SH, 56(STATE) mov 128(%rsp), %rbx mov 144(%rsp), %rbp mov 152(%rsp), %r12 mov 160(%rsp), %r13 mov 168(%rsp),%r14 mov 176(%rsp),%r15 add $184, %rsp W64_EXIT(3, 0) ret EPILOGUE(_nettle_sha512_compress) nettle-4.0/x86_64/sha_ni/0000755000000000000000000000000015141166424012001 5ustar00nettle-4.0/x86_64/sha_ni/sha1-compress.asm0000644000000000000000000000723215141166424015174 0ustar00C x86_64/sha_ni/sha1-compress.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage. C Arguments define(`STATE',`%rdi')dnl define(`INPUT',`%rsi')dnl define(`MSG0',`%xmm0') define(`MSG1',`%xmm1') define(`MSG2',`%xmm2') define(`MSG3',`%xmm3') define(`ABCD',`%xmm4') define(`E0',`%xmm5') define(`E1',`%xmm6') define(`ABCD_ORIG', `%xmm7') define(`E_ORIG', `%xmm8') define(`SWAP_MASK',`%xmm9') C QROUND(M0, M1, M2, M3, E0, E1, TYPE) define(`QROUND', ` sha1nexte $1, $5 movdqa ABCD, $6 sha1msg2 $1, $2 sha1rnds4 `$'$7, $5, ABCD sha1msg1 $1, $4 pxor $1, $3 ') .file "sha1-compress.asm" C nettle_sha1_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) .Lswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved W64_ENTRY(2, 10) movups (STATE), ABCD movd 16(STATE), E0 movups (INPUT), MSG0 movdqa .Lswap_mask(%rip), SWAP_MASK pshufd $0x1b, ABCD, ABCD pshufd $0x1b, E0, E0 movdqa ABCD, ABCD_ORIG movdqa E0, E_ORIG pshufb SWAP_MASK, MSG0 paddd MSG0, E0 movdqa ABCD, E1 sha1rnds4 $0, E0, ABCD C Rounds 0-3 movups 16(INPUT), MSG1 pshufb SWAP_MASK, MSG1 sha1nexte MSG1, E1 movdqa ABCD, E0 sha1rnds4 $0, E1, ABCD C Rounds 4-7 sha1msg1 MSG1, MSG0 movups 32(INPUT), MSG2 pshufb SWAP_MASK, MSG2 sha1nexte MSG2, E0 movdqa ABCD, E1 sha1rnds4 $0, E0, ABCD C Rounds 8-11 sha1msg1 MSG2, MSG1 pxor MSG2, MSG0 movups 48(INPUT), MSG3 pshufb SWAP_MASK, MSG3 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 0) C Rounds 12-15 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 0) C Rounds 16-19 QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 1) C Rounds 20-23 QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 1) C Rounds 24-27 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 1) C Rounds 28-31 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 1) C Rounds 32-35 QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 1) C Rounds 36-39 QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 2) C Rounds 40-43 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 2) C Rounds 44-47 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 2) C Rounds 48-51 QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 2) C Rounds 52-55 QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 2) C Rounds 56-59 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 3) C Rounds 60-63 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 3) C Rounds 64-67 sha1nexte MSG1, E1 movdqa ABCD, E0 sha1msg2 MSG1, MSG2 sha1rnds4 $3, E1, ABCD C Rounds 68-71 pxor MSG1, MSG3 sha1nexte MSG2, E0 movdqa ABCD, E1 sha1msg2 MSG2, MSG3 sha1rnds4 $3, E0, ABCD C Rounds 72-75 sha1nexte MSG3, E1 movdqa ABCD, E0 sha1rnds4 $3, E1, ABCD C Rounds 76-79 sha1nexte E_ORIG, E0 paddd ABCD_ORIG, ABCD pshufd $0x1b, ABCD, ABCD movups ABCD, (STATE) pshufd $0x1b, E0, E0 movd E0, 16(STATE) W64_EXIT(2, 10) ret EPILOGUE(nettle_sha1_compress) nettle-4.0/x86_64/sha_ni/sha256-compress-n.asm0000644000000000000000000001046215141166424015602 0ustar00C x86_64/sha_ni/sha256-compress-n.asm ifelse(` Copyright (C) 2018, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" define(`STATE', `%rdi') define(`K', `%rsi') define(`BLOCKS', `%rdx') define(`INPUT', `%rcx') define(`MSGK',`%xmm0') C Implicit operand of sha256rnds2 define(`MSG0',`%xmm1') define(`MSG1',`%xmm2') define(`MSG2',`%xmm3') define(`MSG3',`%xmm4') define(`ABEF',`%xmm5') define(`CDGH',`%xmm6') define(`ABEF_ORIG',`%xmm7') define(`CDGH_ORIG', `%xmm8') define(`SWAP_MASK',`%xmm9') define(`TMP', `%xmm10') C QROUND(M0, M1, M2, M3, R) define(`QROUND', ` movdqa eval($5*4)(K), MSGK paddd $1, MSGK sha256rnds2 ABEF, CDGH pshufd `$'0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF movdqa $1, TMP palignr `$'4, $4, TMP paddd TMP, $2 sha256msg2 $1, $2 sha256msg1 $1, $4 ') C FIXME: Do something more clever, taking the pshufd into account. C TRANSPOSE(ABCD, EFGH, scratch) --> untouched, ABEF, CDGH define(`TRANSPOSE', ` movdqa $2, $3 punpckhqdq $1, $2 punpcklqdq $1, $3 ') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) .text ALIGN(16) .Lswap_mask: .byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12 PROLOGUE(_nettle_sha256_compress_n) W64_ENTRY(4, 11) test BLOCKS, BLOCKS jz .Lend movups (STATE), TMP movups 16(STATE), ABEF pshufd $0x1b, TMP, TMP pshufd $0x1b, ABEF, ABEF TRANSPOSE(TMP, ABEF, CDGH) movdqa .Lswap_mask(%rip), SWAP_MASK .Loop: movups (INPUT), MSG0 pshufb SWAP_MASK, MSG0 movdqa ABEF, ABEF_ORIG movdqa CDGH, CDGH_ORIG movdqa (K), MSGK paddd MSG0, MSGK sha256rnds2 ABEF, CDGH C Round 0-1 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 2-3 movups 16(INPUT), MSG1 pshufb SWAP_MASK, MSG1 movdqa 16(K), MSGK paddd MSG1, MSGK sha256rnds2 ABEF, CDGH C Round 4-5 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 6-7 sha256msg1 MSG1, MSG0 movups 32(INPUT), MSG2 pshufb SWAP_MASK, MSG2 movdqa 32(K), MSGK paddd MSG2, MSGK sha256rnds2 ABEF, CDGH C Round 8-9 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 10-11 sha256msg1 MSG2, MSG1 movups 48(INPUT), MSG3 pshufb SWAP_MASK, MSG3 QROUND(MSG3, MSG0, MSG1, MSG2, 12) C Round 12-15 QROUND(MSG0, MSG1, MSG2, MSG3, 16) QROUND(MSG1, MSG2, MSG3, MSG0, 20) QROUND(MSG2, MSG3, MSG0, MSG1, 24) QROUND(MSG3, MSG0, MSG1, MSG2, 28) QROUND(MSG0, MSG1, MSG2, MSG3, 32) QROUND(MSG1, MSG2, MSG3, MSG0, 36) QROUND(MSG2, MSG3, MSG0, MSG1, 40) QROUND(MSG3, MSG0, MSG1, MSG2, 44) QROUND(MSG0, MSG1, MSG2, MSG3, 48) movdqa 208(K), MSGK paddd MSG1, MSGK sha256rnds2 ABEF, CDGH C Round 52-53 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 54-55 movdqa MSG1, TMP palignr $4, MSG0, TMP paddd TMP, MSG2 sha256msg2 MSG1, MSG2 movdqa 224(K), MSGK paddd MSG2, MSGK sha256rnds2 ABEF, CDGH C Round 56-57 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 58-59 movdqa MSG2, TMP palignr $4, MSG1, TMP paddd TMP, MSG3 sha256msg2 MSG2, MSG3 movdqa 240(K), MSGK paddd MSG3, MSGK sha256rnds2 ABEF, CDGH C Round 60-61 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 62-63 paddd ABEF_ORIG, ABEF paddd CDGH_ORIG, CDGH add $64, INPUT dec BLOCKS jnz .Loop TRANSPOSE(ABEF, CDGH, TMP) pshufd $0x1b, CDGH, CDGH pshufd $0x1b, TMP, TMP movups CDGH, 0(STATE) movups TMP, 16(STATE) .Lend: mov INPUT, %rax W64_EXIT(4, 11) ret EPILOGUE(_nettle_sha256_compress_n) nettle-4.0/x86_64/umac-nh-n.asm0000644000000000000000000001253715141166424013035 0ustar00C x86_64/umac-nh-n.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`OUT', `%rdi') define(`ITERS', `%rsi') define(`KEY', `%rdx') define(`LENGTH', `%rcx') define(`MSG', `%r8') define(`XM0', `%xmm0') define(`XM1', `%xmm1') define(`XM2', `%xmm2') define(`XM3', `%xmm3') define(`XK0', `%xmm4') define(`XK1', `%xmm5') define(`XK2', `%xmm6') define(`XK3', `%xmm7') define(`XT0', `%xmm8') define(`XT1', `%xmm9') define(`XT2', `%xmm10') define(`XT3', `%xmm11') define(`XY0', `%xmm12') define(`XY1', `%xmm13') C Copy [0,1,2,3] to [1,1,3,3] define(`HI2LO', `pshufd `$'0xf5,') C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. .file "umac-nh-n.asm" C umac_nh_n(uint64_t *out, unsigned n, const uint32_t *key, C unsigned length, const uint8_t *msg) .text ALIGN(16) PROLOGUE(_nettle_umac_nh_n) W64_ENTRY(5, 14) pxor XY0, XY0 cmp $3, ITERS jc .Lnh2 je .Lnh3 .Lnh4: movups (KEY), XK0 movups 16(KEY), XT2 movups 32(KEY), XK2 lea 48(KEY), KEY C Leave XK2 untouched, and put permuted keys in XK0, XK1, XT2, XT3 movaps XK0, XT0 movaps XK0, XK1 punpcklqdq XT2, XK0 C [0,1,4,5] punpckhqdq XT2, XK1 C [2,3,6,7] movaps XT2, XT3 punpcklqdq XK2, XT2 C [4,5, 8, 9] punpckhqdq XK2, XT3 C [6,7,10,11] movaps XY0, XY1 .Loop4: movups (MSG), XT0 movups 16(MSG), XT1 pshufd $0xee, XT1, XM3 C [6,7,6,7] pshufd $0x44, XT1, XM2 C [4,5,4,5] pshufd $0xee, XT0, XM1 C [2,3,2,3] pshufd $0x44, XT0, XM0 C [0,1,0,1] paddd XM0, XK0 paddd XM1, XK1 paddd XM2, XT2 paddd XM3, XT3 HI2LO XK0, XT0 HI2LO XT2, XT1 pmuludq XK0, XT2 pmuludq XT0, XT1 paddq XT2, XY0 paddq XT1, XY0 HI2LO XK1, XT0 HI2LO XT3, XT1 pmuludq XK1, XT3 pmuludq XT0, XT1 paddq XT3, XY0 paddq XT1, XY0 movaps XK2, XK0 movaps XK2, XK1 movups (KEY), XT2 movups 16(KEY), XK2 punpcklqdq XT2, XK0 C [ 8, 9,12,13] punpckhqdq XT2, XK1 C [10,11,14,15] movaps XT2, XT3 punpcklqdq XK2, XT2 C [12,13,16,17] punpckhqdq XK2, XT3 C [14,15,18,19] paddd XK0, XM0 paddd XK1, XM1 paddd XT2, XM2 paddd XT3, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY1 paddq XT1, XY1 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY1 paddq XT1, XY1 subl $32, XREG(LENGTH) lea 32(MSG), MSG lea 32(KEY), KEY ja .Loop4 movups XY0, (OUT) movups XY1, 16(OUT) W64_EXIT(5, 14) ret .Lnh3: movups (KEY), XK0 movups 16(KEY), XK1 movaps XY0, XY1 .Loop3: lea 32(KEY), KEY movups (MSG), XT0 movups 16(MSG), XT1 movups (KEY), XK2 movups 16(KEY), XK3 pshufd $0xee, XT1, XM3 C [6,7,6,7] pshufd $0x44, XT1, XM2 C [4,5,4,5] pshufd $0xee, XT0, XM1 C [2,3,2,3] pshufd $0x44, XT0, XM0 C [0,1,0,1] C Iteration 2 paddd XK2, XT0 paddd XK3, XT1 HI2LO XT0, XT2 HI2LO XT1, XT3 pmuludq XT0, XT1 pmuludq XT2, XT3 paddq XT1, XY1 paddq XT3, XY1 C Iteration 0,1 movaps XK0, XT0 punpcklqdq XK1, XK0 C [0,1,4,5] punpckhqdq XK1, XT0 C [2,3,6,7] paddd XK0, XM0 paddd XT0, XM1 movaps XK2, XK0 movaps XK1, XT0 punpcklqdq XK2, XK1 C [4,5,8,9] punpckhqdq XK2, XT0 C [6,7,10,11] paddd XK1, XM2 paddd XT0, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY0 paddq XT1, XY0 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY0 paddq XT1, XY0 subl $32, XREG(LENGTH) lea 32(MSG), MSG movaps XK2, XK0 movaps XK3, XK1 ja .Loop3 pshufd $0xe, XY1, XT0 paddq XT0, XY1 movups XY0, (OUT) movlpd XY1, 16(OUT) W64_EXIT(5, 14) ret .Lnh2: C Explode message as [0,1,0,1] [2,3,2,3] [4,5,4,5] [6,7, 6, 7] C Interleave keys as [0,1,4,5] [2,3,6,7] [4,5,8,9] [7,8,10,11] movups (KEY), XK0 lea 16(KEY), KEY .Loop2: movups (MSG), XM0 movups 16(MSG), XM1 pshufd $0xee, XM1, XM3 C [6,7,6,7] pshufd $0x44, XM1, XM2 C [4,5,4,5] pshufd $0xee, XM0, XM1 C [2,3,2,3] pshufd $0x44, XM0, XM0 C [0,1,0,1] movups (KEY), XK1 movups 16(KEY), XK2 movaps XK0, XT0 punpcklqdq XK1, XK0 C [0,1,4,5] punpckhqdq XK1, XT0 C [2,3,6,7] paddd XK0, XM0 paddd XT0, XM1 movaps XK2, XK0 movaps XK1, XT0 punpcklqdq XK2, XK1 C [4,5,8,9] punpckhqdq XK2, XT0 C [6,7,10,11] paddd XK1, XM2 paddd XT0, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY0 paddq XT1, XY0 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY0 paddq XT1, XY0 subl $32, XREG(LENGTH) lea 32(MSG), MSG lea 32(KEY), KEY ja .Loop2 movups XY0, (OUT) .Lend: W64_EXIT(5, 14) ret EPILOGUE(_nettle_umac_nh_n) nettle-4.0/x86_64/umac-nh.asm0000644000000000000000000000371215141166424012575 0ustar00C x86_64/umac-nh.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`KEY', `%rdi') define(`LENGTH', `%rsi') define(`MSG', `%rdx') define(`XA', `%xmm0') define(`XB', `%xmm1') define(`XK0', `%xmm2') define(`XK1', `%xmm3') define(`XY', `%xmm4') define(`XT0', `%xmm5') define(`XT1', `%xmm6') C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. .file "umac-nh.asm" C umac_nh(const uint32_t *key, unsigned length, const uint8_t *msg) .text ALIGN(16) PROLOGUE(_nettle_umac_nh) W64_ENTRY(3, 7) pxor XY, XY .Loop: movups (KEY), XK0 movups 16(KEY), XK1 movups (MSG), XA movups 16(MSG), XB paddd XK0, XA paddd XK1, XB pshufd $0x31, XA, XT0 pshufd $0x31, XB, XT1 pmuludq XT0, XT1 paddq XT1, XY pmuludq XA, XB paddq XB, XY C Length is only 32 bits subl $32, XREG(LENGTH) lea 32(KEY), KEY lea 32(MSG), MSG ja .Loop pshufd $0xe, XY, XT0 paddq XT0, XY C Really a movq, but write as movd to please Apple's assembler movd XY, %rax W64_EXIT(3, 7) ret EPILOGUE(_nettle_umac_nh) nettle-4.0/xts-aes128.c0000644000000000000000000000457115141166424011574 0ustar00/* xts-aes128.c XTS Mode using AES128 as the underlying cipher. Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "xts.h" void xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key) { aes128_set_encrypt_key(&xts_key->cipher, key); aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]); } void xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key) { aes128_set_decrypt_key(&xts_key->cipher, key); aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]); } void xts_aes128_encrypt_message(const struct xts_aes128_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_encrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes128_encrypt, tweak, length, dst, src); } void xts_aes128_decrypt_message(const struct xts_aes128_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_decrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes128_decrypt, (nettle_cipher_func *) aes128_encrypt, tweak, length, dst, src); } nettle-4.0/xts-aes256.c0000644000000000000000000000457115141166424011576 0ustar00/* xts-aes256.c XTS Mode using AES256 as the underlying cipher. Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "xts.h" void xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key) { aes256_set_encrypt_key(&xts_key->cipher, key); aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]); } void xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key) { aes256_set_decrypt_key(&xts_key->cipher, key); aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]); } void xts_aes256_encrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_encrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes256_encrypt, tweak, length, dst, src); } void xts_aes256_decrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_decrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes256_decrypt, (nettle_cipher_func *) aes256_encrypt, tweak, length, dst, src); } nettle-4.0/xts.c0000644000000000000000000001267215141166424010574 0ustar00/* xts.c XEX-based tweaked-codebook mode with ciphertext stealing (XTS) Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "xts.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" #include "block-internal.h" static void check_length(size_t length, uint8_t *dst) { assert(length >= XTS_BLOCK_SIZE); /* asserts may be compiled out, try to save the user by zeroing the dst in * case the buffer contains sensitive data (like the clear text for inplace * encryption) */ if (length < XTS_BLOCK_SIZE) memset(dst, '\0', length); } /* works also for inplace encryption/decryption */ void xts_encrypt_message(const void *enc_ctx, const void *twk_ctx, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { union nettle_block16 T; union nettle_block16 P; check_length(length, dst); encf(twk_ctx, XTS_BLOCK_SIZE, T.b, tweak); /* the zeroth power of alpha is the initial ciphertext value itself, so we * skip shifting and do it at the end of each block operation instead */ for (;length >= 2 * XTS_BLOCK_SIZE || length == XTS_BLOCK_SIZE; length -= XTS_BLOCK_SIZE, src += XTS_BLOCK_SIZE, dst += XTS_BLOCK_SIZE) { memxor3(P.b, src, T.b, XTS_BLOCK_SIZE); /* P -> PP */ encf(enc_ctx, XTS_BLOCK_SIZE, dst, P.b); /* CC */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* CC -> C */ /* shift T for next block if any */ if (length > XTS_BLOCK_SIZE) block16_mulx_le(&T, &T); } /* if the last block is partial, handle via stealing */ if (length) { /* S Holds the real C(n-1) (Whole last block to steal from) */ union nettle_block16 S; memxor3(P.b, src, T.b, XTS_BLOCK_SIZE); /* P -> PP */ encf(enc_ctx, XTS_BLOCK_SIZE, S.b, P.b); /* CC */ memxor(S.b, T.b, XTS_BLOCK_SIZE); /* CC -> S */ /* shift T for next block */ block16_mulx_le(&T, &T); length -= XTS_BLOCK_SIZE; src += XTS_BLOCK_SIZE; memxor3(P.b, src, T.b, length); /* P |.. */ /* steal ciphertext to complete block */ memxor3(P.b + length, S.b + length, T.b + length, XTS_BLOCK_SIZE - length); /* ..| S_2 -> PP */ encf(enc_ctx, XTS_BLOCK_SIZE, dst, P.b); /* CC */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* CC -> C(n-1) */ /* Do this after we read src so inplace operations do not break */ dst += XTS_BLOCK_SIZE; memcpy(dst, S.b, length); /* S_1 -> C(n) */ } } void xts_decrypt_message(const void *dec_ctx, const void *twk_ctx, nettle_cipher_func *decf, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { union nettle_block16 T; union nettle_block16 C; check_length(length, dst); encf(twk_ctx, XTS_BLOCK_SIZE, T.b, tweak); for (;length >= 2 * XTS_BLOCK_SIZE || length == XTS_BLOCK_SIZE; length -= XTS_BLOCK_SIZE, src += XTS_BLOCK_SIZE, dst += XTS_BLOCK_SIZE) { memxor3(C.b, src, T.b, XTS_BLOCK_SIZE); /* c -> CC */ decf(dec_ctx, XTS_BLOCK_SIZE, dst, C.b); /* PP */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* PP -> P */ /* shift T for next block if any */ if (length > XTS_BLOCK_SIZE) block16_mulx_le(&T, &T); } /* if the last block is partial, handle via stealing */ if (length) { union nettle_block16 T1; /* S Holds the real P(n) (with part of stolen ciphertext) */ union nettle_block16 S; /* we need the last T(n) and save the T(n-1) for later */ block16_mulx_le(&T1, &T); memxor3(C.b, src, T1.b, XTS_BLOCK_SIZE); /* C -> CC */ decf(dec_ctx, XTS_BLOCK_SIZE, S.b, C.b); /* PP */ memxor(S.b, T1.b, XTS_BLOCK_SIZE); /* PP -> S */ /* process next block (Pn-1) */ length -= XTS_BLOCK_SIZE; src += XTS_BLOCK_SIZE; /* Prepare C, P holds the real P(n) */ memxor3(C.b, src, T.b, length); /* C_1 |.. */ memxor3(C.b + length, S.b + length, T.b + length, XTS_BLOCK_SIZE - length); /* ..| S_2 -> CC */ decf(dec_ctx, XTS_BLOCK_SIZE, dst, C.b); /* PP */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* PP -> P(n-1) */ /* Do this after we read src so inplace operations do not break */ dst += XTS_BLOCK_SIZE; memcpy(dst, S.b, length); /* S_1 -> P(n) */ } } nettle-4.0/xts.h0000644000000000000000000000761715141166424010604 0ustar00/* xts.h XEX-based tweaked-codebook mode with ciphertext stealing (XTS) Copyright (C) 2005 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_XTS_H_INCLUDED #define NETTLE_XTS_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define xts_encrypt_message nettle_xts_encrypt_message #define xts_decrypt_message nettle_xts_decrypt_message #define xts_aes128_set_encrypt_key nettle_xts_aes128_set_encrypt_key #define xts_aes128_set_decrypt_key nettle_xts_aes128_set_decrypt_key #define xts_aes128_encrypt_message nettle_xts_aes128_encrypt_message #define xts_aes128_decrypt_message nettle_xts_aes128_decrypt_message #define xts_aes256_set_encrypt_key nettle_xts_aes256_set_encrypt_key #define xts_aes256_set_decrypt_key nettle_xts_aes256_set_decrypt_key #define xts_aes256_encrypt_message nettle_xts_aes256_encrypt_message #define xts_aes256_decrypt_message nettle_xts_aes256_decrypt_message #define XTS_BLOCK_SIZE 16 void xts_encrypt_message(const void *enc_ctx, const void *twk_ctx, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); void xts_decrypt_message(const void *dec_ctx, const void *twk_ctx, nettle_cipher_func *decf, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); /* XTS Mode with AES-128 */ struct xts_aes128_key { struct aes128_ctx cipher; struct aes128_ctx tweak_cipher; }; void xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key); void xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key); void xts_aes128_encrypt_message(const struct xts_aes128_key *xtskey, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); void xts_aes128_decrypt_message(const struct xts_aes128_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); /* XTS Mode with AES-256 */ struct xts_aes256_key { struct aes256_ctx cipher; struct aes256_ctx tweak_cipher; }; void xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key); void xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key); void xts_aes256_encrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); void xts_aes256_decrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_XTS_H_INCLUDED */ nettle-4.0/yarrow.h0000644000000000000000000000672015141166424011303 0ustar00/* yarrow.h The yarrow pseudo-randomness generator. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_YARROW_H_INCLUDED #define NETTLE_YARROW_H_INCLUDED #include "aes.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define yarrow256_init nettle_yarrow256_init #define yarrow256_seed nettle_yarrow256_seed #define yarrow256_update nettle_yarrow256_update #define yarrow256_random nettle_yarrow256_random #define yarrow256_is_seeded nettle_yarrow256_is_seeded #define yarrow256_needed_sources nettle_yarrow256_needed_sources #define yarrow256_fast_reseed nettle_yarrow256_fast_reseed #define yarrow256_slow_reseed nettle_yarrow256_slow_reseed #define yarrow_key_event_init nettle_yarrow_key_event_init #define yarrow_key_event_estimate nettle_yarrow_key_event_estimate enum yarrow_pool_id { YARROW_FAST = 0, YARROW_SLOW = 1 }; struct yarrow_source { /* Indexed by yarrow_pool_id */ uint32_t estimate[2]; /* The pool next sample should go to. */ enum yarrow_pool_id next; }; #define YARROW256_SEED_FILE_SIZE (2 * AES_BLOCK_SIZE) /* Yarrow-256, based on SHA-256 and AES-256 */ struct yarrow256_ctx { /* Indexed by yarrow_pool_id */ struct sha256_ctx pools[2]; int seeded; /* The current key and counter block */ struct aes256_ctx key; uint8_t counter[AES_BLOCK_SIZE]; /* The entropy sources */ unsigned nsources; struct yarrow_source *sources; }; void yarrow256_init(struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources); void yarrow256_seed(struct yarrow256_ctx *ctx, size_t length, const uint8_t *seed_file); /* Returns 1 on reseed */ int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, size_t length, const uint8_t *data); void yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst); int yarrow256_is_seeded(struct yarrow256_ctx *ctx); unsigned yarrow256_needed_sources(struct yarrow256_ctx *ctx); void yarrow256_fast_reseed(struct yarrow256_ctx *ctx); void yarrow256_slow_reseed(struct yarrow256_ctx *ctx); /* Key event estimator */ #define YARROW_KEY_EVENT_BUFFER 16 struct yarrow_key_event_ctx { /* Counter for initial priming of the state */ unsigned index; unsigned chars[YARROW_KEY_EVENT_BUFFER]; unsigned previous; }; void yarrow_key_event_init(struct yarrow_key_event_ctx *ctx); unsigned yarrow_key_event_estimate(struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time); #ifdef __cplusplus } #endif #endif /* NETTLE_YARROW_H_INCLUDED */ nettle-4.0/yarrow256.c0000644000000000000000000002162315141166424011532 0ustar00/* yarrow256.c The yarrow pseudo-randomness generator. Copyright (C) 2001, 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "yarrow.h" #include "macros.h" #ifndef YARROW_DEBUG #define YARROW_DEBUG 0 #endif #if YARROW_DEBUG #include #endif /* Parameters */ /* An upper limit on the entropy (in bits) in one octet of sample * data. */ #define YARROW_MULTIPLIER 4 /* Entropy threshold for reseeding from the fast pool */ #define YARROW_FAST_THRESHOLD 100 /* Entropy threshold for reseeding from the fast pool */ #define YARROW_SLOW_THRESHOLD 160 /* Number of sources that must exceed the threshold for slow reseed */ #define YARROW_SLOW_K 2 /* The number of iterations when reseeding, P_t in the yarrow paper. * Should be chosen so that reseeding takes on the order of 0.1-1 * seconds. */ #define YARROW_RESEED_ITERATIONS 1500 /* Entropy estimates sticks to this value, it is treated as infinity * in calculations. It should fit comfortably in an uint32_t, to avoid * overflows. */ #define YARROW_MAX_ENTROPY 0x100000 /* Forward declarations */ static void yarrow_gate(struct yarrow256_ctx *ctx); void yarrow256_init(struct yarrow256_ctx *ctx, unsigned n, struct yarrow_source *s) { unsigned i; sha256_init(&ctx->pools[0]); sha256_init(&ctx->pools[1]); ctx->seeded = 0; /* Not strictly necessary, but it makes it easier to see if the * values are sane. */ memset(ctx->counter, 0, sizeof(ctx->counter)); ctx->nsources = n; ctx->sources = s; for (i = 0; isources[i].estimate[YARROW_FAST] = 0; ctx->sources[i].estimate[YARROW_SLOW] = 0; ctx->sources[i].next = YARROW_FAST; } } void yarrow256_seed(struct yarrow256_ctx *ctx, size_t length, const uint8_t *seed_file) { assert(length > 0); sha256_update(&ctx->pools[YARROW_FAST], length, seed_file); yarrow256_fast_reseed(ctx); } /* FIXME: Generalize so that it generates a few more blocks at a * time. */ static void yarrow_generate_block(struct yarrow256_ctx *ctx, uint8_t *block) { unsigned i; aes256_encrypt(&ctx->key, sizeof(ctx->counter), block, ctx->counter); /* Increment counter, treating it as a big-endian number. This is * machine independent, and follows appendix B of the NIST * specification of cipher modes of operation. * * We could keep a representation of the counter as 4 32-bit values, * and write entire words (in big-endian byteorder) into the counter * block, whenever they change. */ for (i = sizeof(ctx->counter); i--; ) { if (++ctx->counter[i]) break; } } static void yarrow_iterate(uint8_t *digest) { uint8_t v0[SHA256_DIGEST_SIZE]; unsigned i; memcpy(v0, digest, SHA256_DIGEST_SIZE); /* When hashed inside the loop, i should run from 1 to * YARROW_RESEED_ITERATIONS */ for (i = 0; ++i < YARROW_RESEED_ITERATIONS; ) { uint8_t count[4]; struct sha256_ctx hash; sha256_init(&hash); /* Hash v_i | v_0 | i */ WRITE_UINT32(count, i); sha256_update(&hash, SHA256_DIGEST_SIZE, digest); sha256_update(&hash, sizeof(v0), v0); sha256_update(&hash, sizeof(count), count); sha256_digest(&hash, digest); } } /* NOTE: The SHA-256 digest size equals the AES key size, so we need * no "size adaptor". */ void yarrow256_fast_reseed(struct yarrow256_ctx *ctx) { uint8_t digest[SHA256_DIGEST_SIZE]; unsigned i; #if YARROW_DEBUG fprintf(stderr, "yarrow256_fast_reseed\n"); #endif /* We feed two block of output using the current key into the pool * before emptying it. */ if (ctx->seeded) { uint8_t blocks[AES_BLOCK_SIZE * 2]; yarrow_generate_block(ctx, blocks); yarrow_generate_block(ctx, blocks + AES_BLOCK_SIZE); sha256_update(&ctx->pools[YARROW_FAST], sizeof(blocks), blocks); } sha256_digest(&ctx->pools[YARROW_FAST], digest); /* Iterate */ yarrow_iterate(digest); aes256_set_encrypt_key(&ctx->key, digest); ctx->seeded = 1; /* Derive new counter value */ memset(ctx->counter, 0, sizeof(ctx->counter)); aes256_encrypt(&ctx->key, sizeof(ctx->counter), ctx->counter, ctx->counter); /* Reset estimates. */ for (i = 0; insources; i++) ctx->sources[i].estimate[YARROW_FAST] = 0; } void yarrow256_slow_reseed(struct yarrow256_ctx *ctx) { uint8_t digest[SHA256_DIGEST_SIZE]; unsigned i; #if YARROW_DEBUG fprintf(stderr, "yarrow256_slow_reseed\n"); #endif /* Get digest of the slow pool*/ sha256_digest(&ctx->pools[YARROW_SLOW], digest); /* Feed it into the fast pool */ sha256_update(&ctx->pools[YARROW_FAST], sizeof(digest), digest); yarrow256_fast_reseed(ctx); /* Reset estimates. */ for (i = 0; insources; i++) ctx->sources[i].estimate[YARROW_SLOW] = 0; } int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source_index, unsigned entropy, size_t length, const uint8_t *data) { enum yarrow_pool_id current; struct yarrow_source *source; assert(source_index < ctx->nsources); if (!length) /* Nothing happens */ return 0; source = &ctx->sources[source_index]; if (!ctx->seeded) /* While seeding, use the slow pool */ current = YARROW_SLOW; else { current = source->next; source->next = !source->next; } sha256_update(&ctx->pools[current], length, data); /* NOTE: We should be careful to avoid overflows in the estimates. */ if (source->estimate[current] < YARROW_MAX_ENTROPY) { if (entropy > YARROW_MAX_ENTROPY) entropy = YARROW_MAX_ENTROPY; if ( (length < (YARROW_MAX_ENTROPY / YARROW_MULTIPLIER)) && (entropy > YARROW_MULTIPLIER * length) ) entropy = YARROW_MULTIPLIER * length; entropy += source->estimate[current]; if (entropy > YARROW_MAX_ENTROPY) entropy = YARROW_MAX_ENTROPY; source->estimate[current] = entropy; } /* Check for seed/reseed */ switch(current) { case YARROW_FAST: #if YARROW_DEBUG fprintf(stderr, "yarrow256_update: source_index = %d,\n" " fast pool estimate = %d\n", source_index, source->estimate[YARROW_FAST]); #endif if (source->estimate[YARROW_FAST] >= YARROW_FAST_THRESHOLD) { yarrow256_fast_reseed(ctx); return 1; } else return 0; case YARROW_SLOW: { if (!yarrow256_needed_sources(ctx)) { yarrow256_slow_reseed(ctx); return 1; } else return 0; } default: abort(); } } static void yarrow_gate(struct yarrow256_ctx *ctx) { uint8_t key[AES256_KEY_SIZE]; unsigned i; for (i = 0; i < sizeof(key); i+= AES_BLOCK_SIZE) yarrow_generate_block(ctx, key + i); aes256_set_encrypt_key(&ctx->key, key); } void yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst) { assert(ctx->seeded); while (length >= AES_BLOCK_SIZE) { yarrow_generate_block(ctx, dst); dst += AES_BLOCK_SIZE; length -= AES_BLOCK_SIZE; } if (length) { uint8_t buffer[AES_BLOCK_SIZE]; assert(length < AES_BLOCK_SIZE); yarrow_generate_block(ctx, buffer); memcpy(dst, buffer, length); } yarrow_gate(ctx); } int yarrow256_is_seeded(struct yarrow256_ctx *ctx) { return ctx->seeded; } unsigned yarrow256_needed_sources(struct yarrow256_ctx *ctx) { /* FIXME: This is somewhat inefficient. It would be better to * either maintain the count, or do this loop only if the * current source just crossed the threshold. */ unsigned k, i; for (i = k = 0; i < ctx->nsources; i++) if (ctx->sources[i].estimate[YARROW_SLOW] >= YARROW_SLOW_THRESHOLD) k++; #if YARROW_DEBUG fprintf(stderr, "yarrow256_needed_sources: source_index = %d,\n" " slow pool estimate = %d,\n" " number of sources above threshold = %d\n", source_index, source->estimate[YARROW_SLOW], k); #endif return (k < YARROW_SLOW_K) ? (YARROW_SLOW_K - k) : 0; } nettle-4.0/yarrow_key_event.c0000644000000000000000000000413415141166424013344 0ustar00/* yarrow_key_event.c Example entropy estimator for key-like input events. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "yarrow.h" void yarrow_key_event_init(struct yarrow_key_event_ctx *ctx) { unsigned i; ctx->index = 0; ctx->previous = 0; for (i = 0; i < YARROW_KEY_EVENT_BUFFER; i++) ctx->chars[i] = 0; } unsigned yarrow_key_event_estimate(struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time) { unsigned entropy = 0; unsigned i; /* Look at timing first. */ if (ctx->previous && (time > ctx->previous) ) { if ( (time - ctx->previous) >= 256) entropy++; } ctx->previous = time; if (!key) return entropy; for (i = 0; i < YARROW_KEY_EVENT_BUFFER; i++) if (key == ctx->chars[i]) /* This is a recent character. Ignore it. */ return entropy; /* Count one bit of entropy, unless this was one of the initial 16 * characters. */ if (ctx->chars[ctx->index]) entropy++; /* Remember the character. */ ctx->chars[ctx->index] = key; ctx->index = (ctx->index + 1) % YARROW_KEY_EVENT_BUFFER; return entropy; }